1
00:00:00,120 --> 00:00:06,660
In this video, we will analyze another application named Code for HK dot APK.

2
00:00:07,110 --> 00:00:11,850
So let's start first by decoding this app, then decompiling it.

3
00:00:14,590 --> 00:00:15,850
Well, open the terminal.

4
00:00:17,870 --> 00:00:19,040
Let's close that.

5
00:00:22,670 --> 00:00:27,710
And we'll run apktool d, then the name of the file.

6
00:00:32,400 --> 00:00:39,030
If you list, you'll be able to see that there is a new folder or directory created.

7
00:00:39,600 --> 00:00:43,800
Now I will use the dex2jar command.

8
00:00:46,790 --> 00:00:51,930
In order to decompile the APK.

9
00:01:00,050 --> 00:01:00,800
Another list.

10
00:01:00,830 --> 00:01:04,930
And here we go, you'll be able to see the jar and the directory.

11
00:01:05,090 --> 00:01:11,380
So we will start by analyzing the manifest XML file.

12
00:01:13,880 --> 00:01:15,110
Double click on that.

13
00:01:16,790 --> 00:01:18,140
Go to the directory.

14
00:01:20,530 --> 00:01:24,260
And double click on the manifest XML file.

15
00:01:27,060 --> 00:01:35,100
As we did in the earlier video, it's obvious here that we have dangerous permissions

16
00:01:35,130 --> 00:01:43,770
like modify audio settings, change network state, receive SMS, read SMS, read phone

17
00:01:43,770 --> 00:01:44,220
state.

18
00:01:44,940 --> 00:01:49,050
And as you can see, all the remaining permissions are really dangerous.

19
00:01:49,530 --> 00:01:54,060
Let's go down to see the activity tag.

20
00:01:54,180 --> 00:02:00,510
And this is the main class that is initiating the application.

21
00:02:00,510 --> 00:02:07,170
We'll see that later in the code. Going below,

22
00:02:07,260 --> 00:02:17,460
we are able to see some receivers defined in a tag, fixed time record receiver and phone receiver, as

23
00:02:17,460 --> 00:02:23,640
well as some intent filters to change the phone state and create new outgoing calls.
24
00:02:23,640 --> 00:02:31,230
So obviously this application is intending to do many malicious activities.

25
00:02:31,560 --> 00:02:32,490
We'll go back.

26
00:02:33,750 --> 00:02:35,910
We'll open JD-GUI first.

27
00:02:45,350 --> 00:02:47,300
Then we'll open the jar file.

28
00:02:49,670 --> 00:02:50,750
Let me close those.

29
00:02:54,140 --> 00:03:00,350
In the jar file, I'll expand the com, then the v1, I think.

30
00:03:01,220 --> 00:03:01,530
Yeah.

31
00:03:01,730 --> 00:03:07,760
This is the main activity class in where the application is being initialized.

32
00:03:09,350 --> 00:03:11,780
Let's do some random keyword search.

33
00:03:11,810 --> 00:03:20,240
As you can see here, we can spot some access to the SD card and creating, or, this is really spooky

34
00:03:20,240 --> 00:03:20,560
here.

35
00:03:20,600 --> 00:03:26,190
It's creating a temporary APK in the SD card.

36
00:03:26,210 --> 00:03:28,520
We'll see that in a while.

37
00:03:30,440 --> 00:03:33,490
So this is obviously very malicious.

38
00:03:33,500 --> 00:03:36,440
Like, once it initiates the application,

39
00:03:37,250 --> 00:03:37,970
it is

40
00:03:39,190 --> 00:03:45,100
opening qq.xml and creating a new file in the SD card.

41
00:03:45,160 --> 00:03:47,440
And moving this XML file

42
00:03:49,610 --> 00:03:55,320
to the SD card, obviously renaming it to APK.

43
00:03:55,520 --> 00:04:02,480
So here we can see that the QQ is an APK concealed under an XML file.

44
00:04:02,870 --> 00:04:04,130
We'll see where that's located.

45
00:04:04,880 --> 00:04:06,650
Let's do a random search here.

46
00:04:07,040 --> 00:04:07,730
Open that.

47
00:04:13,080 --> 00:04:18,570
Let's start by searching for the HTTP location client class.

48
00:04:21,680 --> 00:04:23,590
So let's open that file first.
49
00:04:30,010 --> 00:04:41,230
The first thing that caught my attention is that it is utilizing Baidu services. Baidu is a Chinese Internet

50
00:04:41,230 --> 00:04:47,080
company. Here, declaration of some client location variables.

51
00:04:48,750 --> 00:04:57,960
So obviously here we're getting the location of the client and storing it on Baidu location services,

52
00:04:58,320 --> 00:04:59,610
as it's obvious here.

53
00:05:01,230 --> 00:05:04,710
So this is the HTTP request.

54
00:05:08,010 --> 00:05:10,860
So this is one of the channels, HTTP channels,

55
00:05:10,950 --> 00:05:15,810
the application is establishing. That said, we'll search for another thing here

56
00:05:15,840 --> 00:05:20,460
that might be of interest, which is SQL in uppercase.

57
00:05:20,970 --> 00:05:23,130
There is a class called BaiduLocation.

58
00:05:30,250 --> 00:05:33,600
I'll open the other one as well.

59
00:05:35,520 --> 00:05:38,880
So I've opened these two and the f dot class.

60
00:05:39,430 --> 00:05:46,890
There is a declaration for a SQLite database, which is a local relational database on the Android

61
00:05:46,890 --> 00:05:50,400
device, obviously storing the location of the user.

62
00:05:51,060 --> 00:05:52,770
This is what I can see from the first sight.

63
00:05:54,300 --> 00:06:00,600
If you go to the c dot class file, again utilizing the SQLite database.

64
00:06:05,950 --> 00:06:06,920
It's not obvious here

65
00:06:07,060 --> 00:06:10,720
what the author is trying to write in that,

66
00:06:10,750 --> 00:06:14,140
but probably the location of the user.

67
00:06:14,530 --> 00:06:18,820
Again, let's go and perform another keyword search.

68
00:06:19,600 --> 00:06:21,400
This time it's address.

69
00:06:24,150 --> 00:06:28,390
So we have the c class and i class.

70
00:06:29,400 --> 00:06:31,650
Let's see what address is being used.

71
00:06:32,730 --> 00:06:37,380
So here obviously parsing SMS data.
72
00:06:42,380 --> 00:06:49,790
Again, as you can see, many malicious activities being performed by this application. Let me close

73
00:06:49,790 --> 00:06:53,730
that here, open the Code for HK.

74
00:06:54,440 --> 00:07:04,530
Again, go to the main folder, on the assets, if I remember, was the XML file.

75
00:07:04,550 --> 00:07:12,170
So if we click on that, it's a two hundred kilobyte XML file, doesn't make sense.

76
00:07:12,230 --> 00:07:13,470
It's a big XML file.

77
00:07:13,520 --> 00:07:20,510
So if we rename it, as we've seen in the application, it's an APK file, and rename it to APK.

78
00:07:21,530 --> 00:07:22,850
And here we go.

79
00:07:23,450 --> 00:07:24,770
Just double click on that.

80
00:07:25,190 --> 00:07:28,970
Okay, so let's run again

81
00:07:29,060 --> 00:07:30,530
the apktool

82
00:07:32,330 --> 00:07:33,170
in this terminal.

83
00:07:34,980 --> 00:07:35,890
I'll decode

84
00:07:38,020 --> 00:07:40,280
the qq.apk.

85
00:07:40,790 --> 00:07:41,950
Let's see what's in there.

86
00:07:46,100 --> 00:07:46,760
And as well,

87
00:07:47,510 --> 00:07:48,380
decompile it.

88
00:08:00,880 --> 00:08:08,650
Perfect. So now we'll open the qq.apk and open, as you can see, it is an APK application.

89
00:08:08,980 --> 00:08:16,600
What the author is doing is that it is hiding the malicious application in the resources of the mobile

90
00:08:16,600 --> 00:08:17,860
app, under the assets.

91
00:08:18,250 --> 00:08:26,410
And then when the main application starts, copying that to the SD card of the user, renaming it, and

92
00:08:26,770 --> 00:08:32,230
there you go, you have a malicious application hidden in another application, now on the SD card.

93
00:08:32,530 --> 00:08:37,450
So let's open the manifest XML again. From the first sight,

94
00:08:37,510 --> 00:08:40,960
I can spot many malicious activities.

95
00:08:48,480 --> 00:08:51,270
Again, dangerous intents for the phone states
96
00:08:52,120 --> 00:09:01,530
and outgoing calls, similarly using Baidu location services, checking the boot complete of

97
00:09:01,530 --> 00:09:03,200
the application.

98
00:09:03,210 --> 00:09:06,960
So again, it looks like a very malicious XML file.

99
00:09:07,790 --> 00:09:08,700
I'll close that.

100
00:09:09,930 --> 00:09:12,960
Let's go again here to the assets.

101
00:09:12,990 --> 00:09:15,260
Let's see what's in that config file.

102
00:09:16,680 --> 00:09:24,630
So here you can see again, probably or obviously, these are the IPs of the command and control

103
00:09:24,630 --> 00:09:25,350
center.

104
00:09:25,440 --> 00:09:33,660
This is the IP and this is the port number that the malicious application is communicating with.

105
00:09:34,620 --> 00:09:38,730
Let's continue with our analysis for this malicious application.

106
00:09:39,420 --> 00:09:40,860
Now we'll open the jar file.

107
00:09:42,770 --> 00:09:44,220
I'll open JD-GUI.

108
00:09:53,680 --> 00:09:54,880
And move the file here.

109
00:09:55,660 --> 00:09:56,890
Let's open that com.

110
00:10:04,600 --> 00:10:09,570
So here we have Baidu services, Google services and v1.

111
00:10:09,790 --> 00:10:11,650
Let's expand the v1.

112
00:10:14,910 --> 00:10:18,240
From the names of some classes, it looks very malicious.

113
00:10:18,720 --> 00:10:23,400
Let's open the main activity, detecting leaked SQLite objects.

114
00:10:24,120 --> 00:10:28,920
Let's go to the phone receiver class here.

115
00:10:30,120 --> 00:10:37,080
Obviously, the purpose of that is to monitor the phone and initiate new outgoing calls.

116
00:10:42,410 --> 00:10:43,850
This code checks talk.

117
00:10:48,310 --> 00:10:50,410
Commented here, the heartbeat.

118
00:10:52,250 --> 00:10:54,470
Checking if the system is alive.

119
00:10:55,580 --> 00:10:57,860
Let's go here to the stream receiver.

120
00:11:04,120 --> 00:11:07,300
Establishing connection with external entities.
121
00:11:07,330 --> 00:11:13,330
And here is another IP address, fisheye IP address.

122
00:11:14,680 --> 00:11:20,590
This is opening the config file that we've seen earlier to get the IP and the port.

123
00:11:20,620 --> 00:11:21,070
Now.

124
00:11:24,350 --> 00:11:28,790
The rest is commented. Let's open the a class.

125
00:11:29,480 --> 00:11:31,110
Nothing interesting.

126
00:11:38,680 --> 00:11:40,490
The u class might look interesting.

127
00:11:44,420 --> 00:11:48,260
Again, dealing with data streams and streams.

128
00:11:52,480 --> 00:11:53,860
Nothing of interest here.

129
00:11:56,780 --> 00:11:59,650
Take a class again, nothing of interest.

130
00:12:18,010 --> 00:12:18,910
Here the heartbeat.

131
00:12:18,940 --> 00:12:21,430
Actually, it's checking the power of the system.

132
00:12:22,360 --> 00:12:26,680
Getting the current activities on the system.

133
00:12:38,880 --> 00:12:40,290
And the phone receiver.

134
00:12:42,330 --> 00:12:44,460
These are the recordings.

135
00:12:44,790 --> 00:12:49,800
Obviously, this application is recording calls with the current timestamp.

136
00:12:51,330 --> 00:12:57,870
I don't think we need to do more analysis for that, because the intent behind it is obvious.