Friday, June 7, 2013

[Reverse Engineering] Android - Backdoor.AndroidOS.Obad.a

Reversing Backdoor.AndroidOS.Obad.a


So we're going a little off track on this one: we will take a look at the new Android Trojan "Backdoor.AndroidOS.Obad.a".

Kaspersky Article on Backdoor.AndroidOS.Obad.a: http://www.securelist.com/en/blog/8106/The_most_sophisticated_Android_Trojan


The tools we will attempt to use:
  1. apktool
  2. dex2jar
  3. jd-gui

MD5:
E1064BFD836E4C895B569B2DE4700284

Let's start reversing it, shall we?


To start we unpack the .apk with apktool, which decodes the resources and disassembles classes.dex into smali. The resulting directory looks like this:

$ tree
.
├── AndroidManifest.xml
├── apktool.yml
├── res
│   ├── drawable
│   │   └── lcolooo.png
│   ├── layout
│   │   └── occcclc.xml
│   ├── values
│   │   ├── public.xml
│   │   └── strings.xml
│   └── xml
│       └── ccclocc.xml
└── smali
    └── com
        └── android
            ├── internal
            │   └── telephony
            │       ├── IExtendedNetworkService$oCIlCll.smali
            │       └── IExtendedNetworkService.smali
            └── system
                └── admin
                    ├── CClIOcc.smali
                    ├── cCloIOCC.smali
                    ├── CcOCoIcO.smali
                    ├── cCOIcIlo.smali
                    ├── cCoIOIOo.smali
                    ├── CCOIoll.smali
                    ├── CIcIoICo.smali
                    ├── CICoICCo.smali
                    ├── cIcoIIl.smali
                    ├── CIlOCClc.smali
                    ├── cIoCcIo.smali
                    ├── COcCccl.smali
                    ├── CoccOIo$oCIlCll.smali
                    ├── CoccOIo.smali
                    ├── COOlOIl.smali
                    ├── cOoOCCo.smali
                    ├── CoooOIIO.smali
                    ├── CoOOoOo.smali
                    ├── IcCcCOIC.smali
                    ├── ICcIIlo.smali
                    ├── ICclCcoC.smali
                    ├── IccOlCc.smali
                    ├── ICICcOCo.smali
                    ├── IcIOoOC.smali
                    ├── ICOColc.smali
                    ├── ICOIoCl.smali
                    ├── IlIIlCI.smali
                    ├── IololoI.smali
                    ├── IOOICOcI.smali
                    ├── lcclOlO.smali
                    ├── lCICoIO.smali
                    ├── lclOOCl.smali
                    ├── lIcoclC.smali
                    ├── lOCIOICC.smali
                    ├── lOClOOI.smali
                    ├── loOcccoC.smali
                    ├── loooIlo.smali
                    ├── MainService.smali
                    ├── OCICooCI.smali
                    ├── OcIcoOlc.smali
                    ├── oCIlCll$CIcIoICo.smali
                    ├── oCIlCll$oCIlCll.smali
                    ├── oCIlCll$oIlclcIc.smali
                    ├── oCIlCll.smali
                    ├── OCllCoO.smali
                    ├── OcOCclc.smali
                    ├── OCOcCOll.smali
                    ├── oICClCI.smali
                    ├── oIlclcIc.smali
                    ├── oIOccOcl.smali
                    ├── oIOocIlo.smali
                    ├── OlCCcIl.smali
                    ├── olcCIIC.smali
                    ├── ollIIIc.smali
                    └── OOIlIcCc.smali

12 directories, 64 files

Ok, so now we can see the resources and we have the .smali files. AndroidManifest.xml and apktool.yml give us the basic facts about the app (package name, declared components and permissions, SDK versions). Note the naming: apart from MainService and IExtendedNetworkService, every class, and even the resource files (lcolooo.png, occcclc.xml, ccclocc.xml), is named using only the six look-alike characters c, C, o, O, l and I, so the names tell you nothing and are easy to misread. Some of you are probably wondering what smali files are, so I'll explain.

The smali files are the disassembly of the Dalvik bytecode in classes.dex, the bytecode the Android runtime executes (not JVM bytecode: the Java source is compiled to JVM .class files and then converted to a .dex file when the app is built). In the grand scheme of things these smali files give us a really accurate picture of what the code does; you just have to be able to read them, which can be time-consuming.

For the sake of this tutorial we will not go into smali now; we will attempt to get the Java source, or do the best we can, and look at the smali files in another post.
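Before moving on, a quick inventory of the unpacked tree is worth having: with 57 classes and names like these it is easy to lose track of which file is which. The script below is an added example (mine, not the post's or any tool's output). It rebuilds the listing above as empty files so it runs offline, and HOMOGLYPHS is my own name for the six characters the obfuscator used here.

```python
"""Inventory an apktool output directory: which classes are there, which are
inner classes, and which names are built only from the look-alike alphabet
{c, C, o, O, l, I} seen in the listing above. Point ROOT at a real apktool
output directory; build_fixture() rebuilds the listing above as empty files
so the script also runs offline."""
import os
import tempfile
from collections import defaultdict

HOMOGLYPHS = set("cCoOlI")  # the alphabet every obfuscated name here is drawn from

# Constructed fixture: the file names from the `tree` listing above.
RESOURCE_FILES = [
    "AndroidManifest.xml", "apktool.yml",
    "res/drawable/lcolooo.png", "res/layout/occcclc.xml",
    "res/values/public.xml", "res/values/strings.xml", "res/xml/ccclocc.xml",
]
TELEPHONY_CLASSES = ["IExtendedNetworkService$oCIlCll", "IExtendedNetworkService"]
ADMIN_CLASSES = """
CClIOcc cCloIOCC CcOCoIcO cCOIcIlo cCoIOIOo CCOIoll CIcIoICo CICoICCo
cIcoIIl CIlOCClc cIoCcIo COcCccl CoccOIo$oCIlCll CoccOIo COOlOIl cOoOCCo
CoooOIIO CoOOoOo IcCcCOIC ICcIIlo ICclCcoC IccOlCc ICICcOCo IcIOoOC
ICOColc ICOIoCl IlIIlCI IololoI IOOICOcI lcclOlO lCICoIO lclOOCl
lIcoclC lOCIOICC lOClOOI loOcccoC loooIlo MainService OCICooCI OcIcoOlc
oCIlCll$CIcIoICo oCIlCll$oCIlCll oCIlCll$oIlclcIc oCIlCll OCllCoO OcOCclc
OCOcCOll oICClCI oIlclcIc oIOccOcl oIOocIlo OlCCcIl olcCIIC ollIIIc
OOIlIcCc
""".split()


def build_fixture():
    """Recreate the listing above as empty files in a temp dir; returns the root."""
    root = tempfile.mkdtemp(prefix="obad_apktool_")
    rels = list(RESOURCE_FILES)
    rels += ["smali/com/android/internal/telephony/%s.smali" % c for c in TELEPHONY_CLASSES]
    rels += ["smali/com/android/system/admin/%s.smali" % c for c in ADMIN_CLASSES]
    for rel in rels:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


def is_homoglyph_name(name):
    """True when every character of the identifier comes from HOMOGLYPHS."""
    return bool(name) and set(name) <= HOMOGLYPHS


def smali_classes(root):
    """Yield (package, class name) for every .smali file under root/smali."""
    base = os.path.join(root, "smali")
    for dirpath, _, files in os.walk(base):
        pkg = os.path.relpath(dirpath, base).replace(os.sep, ".")
        for f in sorted(files):
            if f.endswith(".smali"):
                yield pkg, f[: -len(".smali")]


def inventory(root):
    """Summarise the smali tree: totals, inner classes per outer class, and
    which outer-class and resource names are pure look-alike strings."""
    classes = list(smali_classes(root))
    outers, inner = set(), defaultdict(list)
    for pkg, name in classes:
        outer, _, nested = name.partition("$")  # Foo$Bar.smali is inner class Bar of Foo
        outers.add((pkg, outer))
        if nested:
            inner[outer].append(nested)
    res_obf = []
    for _, _, files in os.walk(os.path.join(root, "res")):
        res_obf += [f for f in files if is_homoglyph_name(f.rsplit(".", 1)[0])]
    return {
        "total_classes": len(classes),
        "packages": sorted({pkg for pkg, _ in classes}),
        "outer_classes": len(outers),
        "inner_classes": {k: sorted(v) for k, v in inner.items()},
        "readable_outer": sorted(o for _, o in outers if not is_homoglyph_name(o)),
        "obfuscated_outer": sorted(o for _, o in outers if is_homoglyph_name(o)),
        "obfuscated_resources": sorted(res_obf),
    }


if __name__ == "__main__":
    ROOT = build_fixture()  # replace with the real apktool output directory
    for key, value in inventory(ROOT).items():
        print("%s: %s" % (key, value))
```

Run against the real output directory the interesting numbers are the two readable outer classes (MainService and IExtendedNetworkService) against fifty look-alike ones, and that oCIlCll is both a top-level class and the name of three different nested classes.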

To attempt to get the Java source we will run dex2jar on the apk file. dex2jar is the usual tool for converting Dalvik bytecode into JVM bytecode packaged as a .jar, which we can then open in jd-gui to read decompiled Java.

On this sample the run throws a string of exceptions. This is because the authors of the malware found a bug in dex2jar and used it to prevent the conversion of Dalvik bytecode into Java bytecode. A few things worth noticing in the output before reading it in full:
  1. Every error says "dex2jar got an Exception, but will continue", so a jar is still written; it is just missing every class that failed. Anything decompiled from it is incomplete, and the classes named in the errors have to be read in smali.
  2. The NullPointerExceptions all come out of org.objectweb.asm.ClassWriter.visitOuterClass, the point where the converter writes a class's enclosing-class (inner class) metadata, while the ArrayIndexOutOfBoundsExceptions come from the TypeDetectTransformer pass that works out the types of a method's registers. Two different weaknesses are being hit, one in class metadata and one in method code.
  3. The identifier oCIlCll appears as a top-level class, as a nested class name (oCIlCll$oCIlCll, CoccOIo$oCIlCll, IExtendedNetworkService$oCIlCll) and as a method name in the failing classes lOClOOI and lclOOCl; the same name is reused across class, inner-class and method scopes.
  4. The version in the log is 0.0.7.11-SNAPSHOT. A later dex2jar build may or may not handle this sample, so a retry with a current release is cheap, but the apktool smali is the dependable source either way.
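To keep track of what a failed run did and did not produce, here is an added example (my script, not part of the original post or of the dex2jar project) that parses a dex2jar log of this shape, lists the classes it dropped, and maps each one to the smali file apktool produced for it. The LOG constant is a constructed excerpt of the output below with the stack traces shortened; feed parse_log() the saved stderr of a real run instead.

```python
"""Summarise a dex2jar failure log: which classes it dropped (so the jar is
incomplete and those classes must be read in smali) and which exceptions
caused it. LOG is a constructed excerpt of the output shown below, with the
stack traces shortened; pass a real log file's text to parse_log() instead."""
import re
from collections import Counter

LOG = """\
1 [main] INFO com.googlecode.dex2jar.v3.Main - version:0.0.7.11-SNAPSHOT
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
"""

CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[([^\]]+)\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
FRAME_RE = re.compile(r"^\s+at (\S+)\(")


def jvm_to_smali(desc):
    """'Lcom/a/B;' -> 'smali/com/a/B.smali' (apktool's layout for that class)."""
    if not (desc.startswith("L") and desc.endswith(";")):
        raise ValueError("not a JVM class descriptor: %r" % desc)
    return "smali/%s.smali" % desc[1:-1]


def parse_log(text):
    """Return one record per failed class/method: id, class, method (or None),
    exception class and the stack frames dex2jar printed for it."""
    records, cur, expect_exception = [], None, False
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            cur = {"class_id": int(m.group(1)), "class": m.group(2),
                   "method": None, "exception": None, "frames": []}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = METHOD_RE.search(line)
        if m:
            cur["method"] = m.group(1)
        elif line.rstrip().endswith("ROOT cause:"):
            expect_exception = True  # the next line names the exception
        elif expect_exception and line and not line.startswith(" "):
            cur["exception"] = line.split(":")[0]
            expect_exception = False
        else:
            m = FRAME_RE.match(line)
            if m:
                cur["frames"].append(m.group(1))
    return records


def summarize(records):
    """Which classes are missing from the jar, which smali files to read instead,
    and how the failures split by exception type and by class/method level."""
    failed = sorted({r["class"] for r in records})
    return {
        "failed_classes": failed,
        "smali_to_read": [jvm_to_smali(c) for c in failed],
        "class_level": sorted(r["class"] for r in records if r["method"] is None),
        "method_level": sorted(r["method"] for r in records if r["method"]),
        "by_exception": dict(Counter(r["exception"] for r in records)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(LOG)).items():
        print("%s: %s" % (key, value))
```

Redirect stderr of the real run to a file and pass its contents to parse_log(); the smali_to_read list is the reading list for the classes that never made it into the jar, and the frames kept per record let you check, as the trace above shows, that the NullPointerExceptions are raised inside visitOuterClass.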

The full output of the failed conversion is shown below:
$ ./dex2jar.sh ~/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284
1 [main] INFO com.googlecode.dex2jar.v3.Main - version:0.0.7.11-SNAPSHOT
7 [main] INFO com.googlecode.dex2jar.v3.Main - dex2jar /home/android/Documents/malware/AndroidOBada/E1064BFD836E4C895B569B2DE4700284 -> E1064BFD836E4C895B569B2DE4700284_dex2jar.jar
295 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[5],name:[Lcom/android/system/admin/CIcIoICo;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[6],name:[Lcom/android/system/admin/IcCcCOIC;]
296 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[11],name:[Lcom/android/system/admin/ollIIIc;]
461 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[12],name:[Lcom/android/system/admin/CClIOcc;]
462 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[14],name:[Lcom/android/system/admin/OOIlIcCc;]
503 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[15],name:[Lcom/android/system/admin/cIoCcIo;]
504 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[16],name:[Lcom/android/system/admin/oIOccOcl;]
505 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[18],name:[Lcom/android/system/admin/lCICoIO;]
625 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[19],name:[Lcom/android/system/admin/olcCIIC;]
626 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[22],name:[Lcom/android/system/admin/OlCCcIl;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[23],name:[Lcom/android/system/admin/cCOIcIlo;]
824 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[24],name:[Lcom/android/system/admin/CIlOCClc;]
825 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[29],name:[Lcom/android/system/admin/lOClOOI;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lOClOOI;.oCIlCll(Ljava/io/File;)Ljava/lang/String;]
1091 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 1
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:199)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[30],name:[Lcom/android/system/admin/lOCIOICC;]
1092 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[33],name:[Lcom/android/system/admin/lclOOCl;]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/lclOOCl;.oCIlCll(Ljava/lang/String;Ljava/io/File;)Z]
1242 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 0
    at java.util.Vector.get(Vector.java:694)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.merge(TypeDetectTransformer.java:890)
    at com.googlecode.dex2jar.optimize.TypeDetectTransformer.transform(TypeDetectTransformer.java:238)
    at com.googlecode.dex2jar.v3.V3MethodAdapter.visitEnd(V3MethodAdapter.java:168)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:547)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[35],name:[Lcom/android/system/admin/ICOIoCl;]
1246 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[36],name:[Lcom/android/system/admin/CoOOoOo;]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/CoOOoOo;.<init>()V]
1247 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[39],name:[Lcom/android/system/admin/CoooOIIO;]
2257 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[42],name:[Lcom/android/system/admin/ICICcOCo;]
2403 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[49],name:[Lcom/android/system/admin/oIOocIlo;]
2542 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[51],name:[Lcom/android/system/admin/cCloIOCC;]
2609 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:315)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptMethod(DexFileReader.java:493)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:319)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
3059 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[56],name:[Lcom/android/system/admin/loooIlo;]
3060 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClassItem(ClassWriter.java:944)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at org.objectweb.asm.ClassAdapter.visitOuterClass(ClassAdapter.java:75)
    at com.googlecode.dex2jar.asm.TypeNameAdapter.visitOuterClass(TypeNameAdapter.java:129)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.build(V3ClassAdapter.java:161)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptField(DexFileReader.java:456)
    at com.googlecode.dex2jar.reader.DexFileReader.acceptClass(DexFileReader.java:310)
    at com.googlecode.dex2jar.reader.DexFileReader.accept(DexFileReader.java:205)
    at com.googlecode.dex2jar.v3.Main.doData(Main.java:52)
    at com.googlecode.dex2jar.v3.Main.doFile(Main.java:85)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.

Let's take a look at the jar file that was created.

We open it in jd-gui to see the "source" code:

(Screenshot: the jar opened in jd-gui.)

Above we can see the classes that made it into the jar, shown as Java. But notice that there is an error in the Java code itself, and following the error jd-gui prints raw bytecode instead of source. This is what the malware authors wanted: to make it harder for us to analyze their code with the usual dex2jar and jd-gui toolchain. Note also that every dex2jar stack trace above ends in ClassWriter.visitOuterClass, the ASM callback that writes a class's enclosing-class record, so the conversion is tripping over class metadata rather than over the method bodies themselves.

Almost every class has an error in the conversion. Some more screenshots of other files:

(Screenshots: other classes opened in jd-gui.)
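Before moving on, it helps to have an exact list of which classes dex2jar gave up on, since those are the ones to read as smali rather than in jd-gui. The script below is an added example (not part of the original post and not dex2jar's own code): it parses the "dex2jar got an Exception, but will continue" blocks from the console output above and records, for each failed class, the method being processed if one was reported, the root-cause exception, the frame that threw it, the outermost ASM visitor on the stack, and the smali file that apktool wrote for that class. The names `Failure`, `parse_dex2jar_log` and `asm_entry_point` are mine, the `smali/` path layout assumes apktool's default output directory, and the embedded sample log is an abridged copy of two of the blocks shown above.

```python
"""List the classes dex2jar could not convert, parsed from its console log.
Added example for this post (not the post's own code and not part of dex2jar)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# Patterns follow the log format printed above.
CLASS_RE = re.compile(r"while accept class id:\[(\d+)\],name:\[(L[^;]+;)\]")
METHOD_RE = re.compile(r"while accept method:\[([^\]]+)\]")
ROOT_RE = re.compile(r"ROOT cause:\s*$")
FRAME_RE = re.compile(r"^\s+at\s+(\S+)\(")

# Constructed sample: an abridged copy of two of the blocks printed above.
SAMPLE_LOG = """\
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[46],name:[Lcom/android/system/admin/IccOlCc;]
2493 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitField(V3ClassAdapter.java:205)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - dex2jar got an Exception, but will continue.
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - . while accept class id:[52],name:[Lcom/android/system/admin/IololoI;]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - .. while accept method:[Lcom/android/system/admin/IololoI;.<init>()V]
2610 [main] ERROR com.googlecode.dex2jar.reader.DexFileReader - ... ROOT cause:
java.lang.NullPointerException
    at org.objectweb.asm.Item.set(Item.java:203)
    at org.objectweb.asm.ClassWriter.newClass(ClassWriter.java:964)
    at org.objectweb.asm.ClassWriter.visitOuterClass(ClassWriter.java:620)
    at com.googlecode.dex2jar.v3.V3ClassAdapter.visitMethod(V3ClassAdapter.java:210)
    at com.googlecode.dex2jar.v3.Main.main(Main.java:113)
3068 [main] INFO com.googlecode.dex2jar.v3.Main - Done.
"""

@dataclass
class Failure:
    class_id: int
    descriptor: str                  # JVM form, e.g. Lcom/android/system/admin/IccOlCc;
    method: Optional[str] = None     # set when dex2jar was inside a method of the class
    exception: Optional[str] = None  # e.g. java.lang.NullPointerException
    frames: list[str] = field(default_factory=list)  # innermost first, as printed

    @property
    def class_name(self) -> str:
        return self.descriptor[1:-1].replace("/", ".")

    @property
    def smali_path(self) -> str:
        # apktool mirrors the package path; nested classes keep their '$'.
        return "smali/" + self.descriptor[1:-1] + ".smali"

    @property
    def thrown_at(self) -> Optional[str]:
        return self.frames[0] if self.frames else None

def parse_dex2jar_log(text: str) -> list[Failure]:
    failures: list[Failure] = []
    current: Optional[Failure] = None
    expect_exception = False  # set on the "ROOT cause:" line, consumed by the next line
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:  # start of a new failure block; later lines belong to it
            current = Failure(int(m.group(1)), m.group(2))
            failures.append(current)
            expect_exception = False
            continue
        if current is None:
            continue
        m = METHOD_RE.search(line)
        if m:
            current.method = m.group(1)
        elif ROOT_RE.search(line):
            expect_exception = True
        elif expect_exception:
            current.exception = line.strip()
            expect_exception = False
        elif (m := FRAME_RE.match(line)):
            current.frames.append(m.group(1))
    return failures

def asm_entry_point(f: Failure) -> Optional[str]:
    """Outermost org.objectweb.asm frame, i.e. the visitor dex2jar was calling
    when ASM threw; for the log above it is always visitOuterClass."""
    entry = None
    for frame in f.frames:
        if frame.startswith("org.objectweb.asm."):
            entry = frame.rsplit(".", 1)[1]
    return entry

if __name__ == "__main__":
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in parse_dex2jar_log(log):
        print(f"{f.class_name}: {f.exception} at {f.thrown_at} via {asm_entry_point(f)}"
              f" ({f.method or 'no method reported'}); read {f.smali_path}")
```

Run it with a saved console log as the only argument (the filename is up to you), or with no argument to run it on the embedded sample. On the log above every block reports `visitOuterClass` as the ASM entry point, which is the callback for a class's enclosing-class record; that tells you the breakage is in class metadata, and the method bodies are still intact in the smali files apktool produced, so that is where the analysis of those classes continues.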




That is all for this post. In the next post we will dig deeper, use some other analysis and reversing techniques, and see what we can find.

Who knows, maybe we will even be able to find the Android exploit the Kaspersky article mentions. That would be fun.
