BianLian C&C domain name

2 min readJan 25, 2022

You might want to read my prior articles on Android/BianLian first: unpacking, payload, fake server.

There was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C&C?
Having worked on the samples for several days, I noticed they weren’t always heading to the same website: hxxp://rheacollier31532[.]website, hxxp://shanehook85484[.]website etc.

So, where do those names come from? Is this from a Domain Generation Algorithm (DGA)? or are they hidden in an asset?

Answer: the active C&C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another:

The json page actually contains a Base64-encoded JSON object with the C&C’s URL:

$ curl
$ echo "eyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUiXX0K" | base64 -d

How does the code work?

  1. At first, the code sets a Property with a decrypted admin URL.

2. Actually, as the shared preferences file has no C&C yet, this will actually return a dummy C&C

3. The real C&C is retrieved from the init procedure

I have renamed methods for better readability. The original name of the method is

4. The code retrieves the “domains” parameter of the JSON

5. Finally, the code sets the URL in the shared preferences.

The code reads the “domains” part of the JSON object (readUrl), removes the trailing / if necessary, and finally writes the URL down in its configuration. The original name of this method is

Conclusion: there is no DGA algorithm. It is just a hard-coded remote URL serving an updated C&C name.

— the Crypto Girl




Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.