Unpacking an Android malware with Dexcalibur and JEB

This is the Android malware we are going to analyze, as distributed by a phishing SMS (a phishing SMS is known as “smishing”). Dec 4, 2020

The sample is packed

The manifest shows why: the app presents itself as “TousAntiCovid”, the application class carries an obfuscated name under tuna.obvious.trust, and the activity and the notification-listener service are declared under a different package, dad.calm.invest:

<application android:allowBackup="true" android:icon="@mipmap/ic_launcher" android:label="TousAntiCovid" android:name="tuna.obvious.trust.NRuUxBnCsMhKmHjAbPxLqMdBpSmOaQzLaXpNqHwHrMhAbRzKiXfTz" android:roundIcon="@mipmap/ic_launcher_round" android:supportsRtl="true" android:theme="@android:style/Theme.Translucent.NoTitleBar" android:usesCleartextTraffic="true">
    <activity android:name="dad.calm.invest.KSfDnRiNpEoOsTdLcMhOyFtJdPzPhJbGhIuFiGxGpJlDsJr" android:screenOrientation="1"/>
    <service android:exported="false" android:label="hgqkxlqj" android:name="dad.calm.invest.ffajxodmncsk" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
...

Where is the second DEX?

In Dexcalibur, we search for code that uses DexClassLoader with a “calleed.name:” filter (Dexcalibur's own search syntax). We spot two references in the first DEX's namespace, both in tuna.obvious.trust.XOiFqQlOuCjFxOyLkSn.coinknife.
Live reverse engineering of the packed sample using JEB Decompiler
The DEX is contained in wJDeTjC.json. Unfortunately, it is encrypted.

Unpacking with Dexcalibur

Click on the blue “Probe” button to add a hook for the coinknife method.
Our custom hook (white) got called. Interestingly, we see it was called with a file named /data/user/0/tuna.obvious.trust/app_DynamicOptDex/wJDeTjC.json.
We have successfully unpacked the malware. Here, JEB is decompiling the “main” activity of the second DEX.
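Dexcalibur's probes are generated Frida hooks. The script below is an added example, not code from the original article and not Dexcalibur's generated probe: it does by hand what the two steps above do, hooking the dalvik.system.DexClassLoader and PathClassLoader constructors (the call sites the search found), checking whether the file passed as dexPath already carries a DEX magic at that moment, and copying it next to the original before the packer can remove it. The `.dumped.dex` suffix, the constructed sample header and the use of Frida 16.1+ `File.readAllBytes` / `File.writeAllBytes` are assumptions of this example.

```javascript
// dump_loaded_dex.js (added example, not Dexcalibur's probe code)
// Usage on a rooted device running frida-server, e.g.:
//   frida -U -f tuna.obvious.trust -l dump_loaded_dex.js --no-pause
// Assumes Frida 16.1 or later for File.readAllBytes / File.writeAllBytes.
'use strict';

// A DEX file starts with "dex\n", three ASCII version digits and a NUL byte.
const DEX_MAGIC = [0x64, 0x65, 0x78, 0x0a];

// Pure check: does this byte view begin with a well-formed DEX magic?
function looksLikeDex(bytes) {
  if (!bytes || bytes.length < 8) return false;
  for (let i = 0; i < 4; i++) if (bytes[i] !== DEX_MAGIC[i]) return false;
  for (let i = 4; i < 7; i++) if (bytes[i] < 0x30 || bytes[i] > 0x39) return false;
  return bytes[7] === 0x00;
}

// dexPath may list several files separated by ':' (the Android convention).
function splitDexPath(dexPath) {
  return String(dexPath).split(':').map((s) => s.trim()).filter((s) => s.length > 0);
}

// Constructed sample, not taken from the malware: the 8-byte magic of a "dex\n035\0" file.
const SAMPLE_DEX_HEADER = new Uint8Array([0x64, 0x65, 0x78, 0x0a, 0x30, 0x33, 0x35, 0x00]);

// Record describing one loader invocation; shipped to the host with send().
function describeLoad(loaderClass, path, bytes) {
  return {
    loader: loaderClass,
    path: path,
    size: bytes ? bytes.length : -1,
    isDex: looksLikeDex(bytes),
  };
}

// Hypothetical dump location: next to the original, inside the app's private
// directory, so the hooked process itself has write access.
function dumpPathFor(path) {
  return path + '.dumped.dex';
}

// The hooks only exist when the script runs inside Frida's Java bridge.
if (typeof Java !== 'undefined' && Java.available) {
  Java.perform(function () {
    ['dalvik.system.DexClassLoader', 'dalvik.system.PathClassLoader'].forEach(function (name) {
      const cls = Java.use(name);
      // Both classes take the dex path(s) as their first constructor argument.
      cls.$init.overloads.forEach(function (ctor) {
        ctor.implementation = function () {
          const args = arguments;
          splitDexPath(args[0]).forEach(function (p) {
            let buf = null;
            try { buf = File.readAllBytes(p); } catch (e) { buf = null; }
            const rec = describeLoad(name, p, buf ? new Uint8Array(buf) : null);
            if (rec.isDex) {
              // Copy the plaintext DEX before the packer can delete or re-encrypt it.
              try {
                File.writeAllBytes(dumpPathFor(p), buf);
                rec.dump = dumpPathFor(p);
              } catch (e) {
                rec.dumpError = String(e);
              }
            }
            send(rec);
          });
          // Let the real constructor run so the app keeps working.
          return ctor.apply(this, args);
        };
      });
    });
  });
}
```

Each record tells you whether the file was already a DEX when the loader saw it. A record for wJDeTjC.json with `isDex: false` means the loader received the still-encrypted blob, and the decryption happens elsewhere; in that case hook the decrypting method itself (here, coinknife) rather than the loader. The dumped copy can be pulled with adb from the app's private directory and opened in JEB like any other DEX.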
