Tracking Android/Joker payloads with Medusa, static analysis (and patience)

Medusa

use http_communications/uri_logger
use encryption/cipher_1
use code_loading/dump_dyndex
use code_loading/load_class
I use URI hooks (http_communications/uri_logger) in Medusa and see the malware calls those URLs. Android/Joker is known to use URLs such as xxx[.]aliyuncs.com.
Bingo! The look4.oss-ap[..]aliyuncs.com URL is encrypted. The decryption hooks, encryption/cipher_1, with shows the decrypted value.
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex
[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1
loadClass: com.designemoji.keyboard.EnableActivity
loadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl
...
PathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff
[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2
loadClass: seek
...
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek
[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3
DexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang
[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4
loadClass: com.xjuys
loadClass: com.android.installreferrer.api.InstallReferrerClient

Loading nuff (payload 1)

## Cipher
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 25 line=b'.method private b()Ljavax/crypto/Cipher;\n'
- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a/a/a.smali no= 63 line=b' invoke-static {v0, v1}, Ljavax/crypto/Cipher;->getInstance(Ljava/lang/String;Ljava/lang/String;)Ljavax/crypto/Cipher;\n'
Decrypted=https://look4[.]oss-ap-southeast-5[.]aliyuncs.com/designemoji
Decrypted=getClassLoader
Decrypted=loadClass
Decrypted=seek
Decrypted=melody
Code loading the JAR with getClassLoader, then invokes a method named melody()

Static analysis of nuff (payload 1)

Code of payload 1. Download URL for payload 2 — we also see that class cantus, method bustle is called.

Static analysis of payload 2

Payload 2 is loading … Payload 3

Static analysis of payload 3

Connect to remote URL and download payload 4.

Summary

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
@cryptax

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.