1
00:00:08,460 --> 00:00:11,880
So now we have our Simplocker malware.

2
00:00:11,880 --> 00:00:18,240
We saw the results after running it on a public sandbox, but what we want to do is analyze the APK and see

3
00:00:18,240 --> 00:00:22,170
if we can obtain any useful information from this APK.

4
00:00:22,230 --> 00:00:29,870
Ideally this information can be used to decrypt our files that are encrypted on our emulator. At

5
00:00:29,870 --> 00:00:31,320
this point, on your emulator,

6
00:00:31,320 --> 00:00:34,810
you should have the encrypted files. First,

7
00:00:34,820 --> 00:00:38,260
if you remember, we had a tool called JD-GUI.

8
00:00:38,450 --> 00:00:46,060
We had placed this in Downloads, but before we run JD-GUI let's run Enjarify, which is a tool that

9
00:00:46,060 --> 00:00:54,280
we need to run against the APK to be able to upload the jar file to JD-GUI. So to do that we go

10
00:00:54,280 --> 00:01:06,180
to /usr/local/enjarify, and here we have the script enjarify.sh, and we're going to run it against

11
00:01:06,180 --> 00:01:07,710
simplocker.apk.

12
00:01:10,480 --> 00:01:17,400
So this might take some time; it seems like there are quite a few classes in this app.

13
00:01:17,770 --> 00:01:24,730
So here we're converting the APK into a jar file so that we can import the jar file into JD-GUI.

14
00:01:29,500 --> 00:01:36,800
In the meantime let's run JD-GUI, so: java -jar JD-GUI.

15
00:01:36,900 --> 00:01:37,560
There we go.

16
00:01:38,730 --> 00:01:46,840
And over here, once we see that the Enjarify run is complete, we just need to import the jar file that

17
00:01:46,840 --> 00:01:53,930
was generated. So if we go back into our folder here we'll see that it generated a file.

18
00:01:59,570 --> 00:02:00,010
OK.

19
00:02:00,040 --> 00:02:03,160
Now we'll just import this jar, and there you have it.

20
00:02:03,220 --> 00:02:10,970
You have your source code just like with Bytecode Viewer. Actually, Bytecode Viewer uses JD-GUI as

21
00:02:10,970 --> 00:02:15,140
a Java decompiler in the background, among other decompilers.

22
00:02:17,860 --> 00:02:23,740
So one thing you may notice here is that we are running JD-GUI and not Bytecode Viewer.

23
00:02:23,920 --> 00:02:30,340
This is because there is an issue with this specific APK, so if you try to open this APK in Bytecode Viewer,

24
00:02:30,340 --> 00:02:37,490
or actually if you try to run APKtool on this APK, you will receive errors.

25
00:02:37,530 --> 00:02:45,340
This happens occasionally with APKtool, i.e. receiving errors when running APKtool; usually it just

26
00:02:45,340 --> 00:02:50,860
requires an upgrade of the APKtool version because it would have some bug or some unsupported code.

27
00:02:52,170 --> 00:02:54,070
In some cases, like in this case,

28
00:02:54,150 --> 00:03:00,960
I suspect it has to do with special characters, so it could be that they have some Ukrainian or Russian

29
00:03:00,960 --> 00:03:07,740
or Chinese characters in the application, and because of this APKtool, which uses Java in the background,

30
00:03:07,830 --> 00:03:11,410
is causing the app to crash.

31
00:03:11,430 --> 00:03:12,830
There are ways to fix this.

32
00:03:12,840 --> 00:03:15,320
It's usually on a case-by-case basis.

33
00:03:15,480 --> 00:03:20,420
To be honest, it's not really worth investigating for this specific case because it's a bit out of scope.

34
00:03:21,870 --> 00:03:26,780
What we want over here is to obtain Java source code, which we can try with JD-GUI,

35
00:03:26,820 --> 00:03:28,230
and in this case it works.

36
00:03:30,070 --> 00:03:30,400
OK.

37
00:03:30,410 --> 00:03:35,670
So that's just a side note. So here you see that there are different packages,

38
00:03:35,760 --> 00:03:41,910
but if you remember, in the automated analysis we saw that there's a package called org.simplocker,

39
00:03:42,300 --> 00:03:46,320
which is where we have a lot of the main code.

40
00:03:46,380 --> 00:03:51,440
So for example, here there is the main class which launches the main service.

41
00:03:51,930 --> 00:03:57,430
And then you can follow the main service, and you can see that, for example, here they are starting a Tor

42
00:03:57,450 --> 00:04:03,640
connection, or they're checking if there is a Tor connection and then starting it. We're not going to

43
00:04:03,640 --> 00:04:08,230
go through all of the code, but this is where you could get some useful information if you had the time

44
00:04:08,230 --> 00:04:08,860
to go through it.

45
00:04:10,420 --> 00:04:15,850
So for example, when you see that it opens a Tor connection you might assume that maybe it's connecting

46
00:04:15,850 --> 00:04:23,260
to a command and control server. Then, using dynamic analysis, say through Objection, we could hook onto

47
00:04:23,260 --> 00:04:28,900
specific calls we identified here and see if any data is being sent from the server to our application,

48
00:04:32,350 --> 00:04:34,210
but we're not going to go through this right now.

49
00:04:34,210 --> 00:04:38,980
We're just trying to look at the code and trying to see if there's anything useful over here for decryption,

50
00:04:40,620 --> 00:04:41,540
so let's have a look.

51
00:04:42,690 --> 00:04:49,350
Here is quite an interesting class, actually. This class is called Constants, and as you can see, in Constants

52
00:04:49,350 --> 00:04:54,360
you have some interesting data listed very clearly.

53
00:04:54,580 --> 00:04:57,170
For example, here you have the admin URL.

54
00:04:57,250 --> 00:05:05,410
So it shows what is probably the command and control server; they left it statically defined and in the clear.

55
00:05:05,430 --> 00:05:06,800
Here we are quite lucky,

56
00:05:06,810 --> 00:05:09,590
but this is not always the case.

57
00:05:09,870 --> 00:05:13,310
This is actual malware that was locking people's devices,

58
00:05:13,320 --> 00:05:19,940
so this kind of information is actually found in malware. But here's the most important thing: we have

59
00:05:20,000 --> 00:05:25,180
the cipher password, which is extremely useful if we know what it's encrypting with.

60
00:05:25,190 --> 00:05:30,540
Hopefully we can decrypt using the same cipher keys. OK.

61
00:05:30,540 --> 00:05:37,410
And here's something interesting as well: we can see what file types are being encrypted, extensions to

62
00:05:37,410 --> 00:05:38,410
encrypt.

63
00:05:38,430 --> 00:05:45,210
So these are the extensions that are being encrypted, and in our example picture we saw that it actually

64
00:05:45,210 --> 00:05:50,000
was encrypting the JPEG and renaming it to JPEG.enc.

65
00:05:50,010 --> 00:05:56,210
So that kind of matches with what we saw when we ran it on our device. OK.

66
00:05:56,220 --> 00:06:00,840
Let's see, over here there's a file called AESCrypt.

67
00:06:01,230 --> 00:06:04,140
Here we can see that they have a function called decrypt,

68
00:06:12,100 --> 00:06:13,080
and there we go.

69
00:06:13,090 --> 00:06:18,130
We don't even have to do the work; we don't even have to try to understand what the encryption part is

70
00:06:18,130 --> 00:06:25,290
doing and try to reverse it, because they are actually kind enough to offer us the decrypt function, which

71
00:06:25,290 --> 00:06:30,660
in the next step we'll try to copy and paste into Android Studio and see if we can produce

72
00:06:30,660 --> 00:06:33,330
our own decryption tool.

73
00:06:33,340 --> 00:06:36,000
So this is quite important for us.

74
00:06:36,070 --> 00:06:38,260
We saw what the cipher key is.

75
00:06:38,260 --> 00:06:40,750
We saw that they're providing a decryption method.

76
00:06:41,350 --> 00:06:47,410
So now we can start thinking of maybe creating our own Android app that parses through all the files

77
00:06:47,410 --> 00:06:55,840
that have been encrypted and runs this decrypt method on top of them, passing the cipher key as a parameter.

78
00:06:56,070 --> 00:06:59,400
Here we can see the files to encrypt being used.

79
00:06:59,520 --> 00:07:03,480
So OK, it seems that there is a file encryptor class.

80
00:07:03,480 --> 00:07:06,970
They have a method that gets all the file names.

81
00:07:07,230 --> 00:07:13,210
Here there is a recursive function where they're passing through all the files that they want to encrypt.

82
00:07:13,560 --> 00:07:20,310
Then they have an encrypt function which goes through all the files to encrypt, runs AESCrypt

83
00:07:20,340 --> 00:07:23,130
with this cipher key, and encrypts all the files.

84
00:07:26,500 --> 00:07:30,990
So here we can see that our assumption of what the ransomware was doing was correct,

85
00:07:31,450 --> 00:07:38,420
and we can see the key being used. So just over here, with a quick analysis of some very clearly named

86
00:07:38,420 --> 00:07:43,460
functions and classes, we can see that there is a command and control server.

87
00:07:43,670 --> 00:07:45,890
We found what the server is.

88
00:07:45,890 --> 00:07:49,410
We see that it receives some commands from the server.

89
00:07:49,430 --> 00:07:51,870
We see that there is an encryption class.

90
00:07:52,010 --> 00:07:57,010
We see that the encryption being used is AES. Even better than that,

91
00:07:57,020 --> 00:07:59,420
we have the cipher key that is being used.

92
00:07:59,420 --> 00:08:04,910
So again, we have a lot of information here. Hopefully, using all this information we obtained from just

93
00:08:04,910 --> 00:08:06,140
static analysis,

94
00:08:06,170 --> 00:08:11,870
we'll be able to decrypt our demo pictures, and in the case of actual malware you'll be able to restore

95
00:08:11,870 --> 00:08:13,880
your system by decrypting the files.