~Dissecting Malware
// f0wL's Blog about malware analysis and reverse engineering
~Dissecting Malware
Jamba Superdeal: Helo Sir, you want to buy mask? - Corona Safety Mask SMS Scam

As if there wasn't enough pain and suffering in the world already because of COVID-19 some criminals still try to piggyback on the fear of others. A quick look at an Andorid SMS "Worm".

Since the current COVID-19 outbreak is getting masively taken advantage of by various cybercriminals I thought it would be a good opportunity to try out Android reverse engineering. Let's dive right in:


Webpage


The following dynamic part of this analysis was done in VirtualBox with the most recent Version of Android-x86. For those playing along at home: The Setup is really simple (as Live Booting is sufficient). Just remember to crank up the Video Memory, change the Graphics Controler to VBoxVGA and enable 3D Acceleration as otherwise the VM will only boot to a command prompt.

Installation


During the installation process there are no permissions to be granted to it.

Installation


Before finishing the installation there is a Google Play Protect warning already. I'm not sure if this is a signature based detection or actually based on the expected behaviour while parsing the package. I'll install it anyway.

Google Play Protect


After opening "Corona Safety Mask" for the first time it will ask for the permission to access the user's address book.

Contacts Permissions


And secondly it requires the permission to send SMS messages as well. This should be a red flag to users in general if the request is made without any notice as to why this permission is required (e.g. a second factor authentication). Scams like this can get very expensive for the user which is probably also one of the major goals of this malware.

SMS Permissions


Below you can see the main (and only) view of the app. Questionable content, more typos... red flags everywhere, but some people might just be desperate enough to fall for it.

App


For static analysis of the apk File I'll be using jadx-GUI. Below you can find the Github Repository.


It works very well for my purposes here and it even has a dark mode 😎

Jadx Decompiler


Upon tapping the "Get Safety Mask" button in the app it will direct you to a second website called Masksbox which might be part of a larger scam setup.

Weblink


When I visited the page this morning it was displaying this downtime message. A quick check via archive.org didn't return a recent snapshot of the page.

Masksbox down


A few hours later the website was back up with a partialy configured Wordpress CMS. The Navbar makes it quite obvious that the page is still being built.


Masksbox


Of course there can't be a malware sample without at least one funny typo. Here we can also see that the app is using the EasyPermissions wrapper library to handle contacts and SMS functionality.

Permissions Typo


This section of the code is responsible for reading the contents of the victims address book and writing them to a list.

Reading Contacts


Depending on the size of the contacts list it will either start at a random index and work its way up if there are over 100 contacts in the list or it will just send a SMS to all contacts if there are less than 100 in the list.

Webpage


Lastly we can take a look at the signature of the APK. It was signed with the CN "Hemant Prajapat", but that is a fake name for sure. Other than that there's not much interesting info to get from this.

APK Signing


And that's it! In times like this it is especially important to keep your means of communication safe, so better be extra careful. Stay home, stay safe (on the interwebs) and most importantly: stay healthy (applies to you and your devices).

IOCs

CoronaSafetyMask

CoronaSafetyMask.apk --> SHA256: 8a87cfe676d177061c0b3cbb9bdde4cabee0f1af369bbf8e2d9088294ba9d3b1
                         SSDEEP: 24576:KjQEzqDqCXaTJwv2AbxMHKR+ZCGPEmD8oJxmLaRyiLQuZgvNwN:wqDjaNcdRNw8+xm2RFEuZgvNk

URLs

hxxp://coronasafetymask[.]tk
hxxp://masksbox[.]com



Why would you even bother?! - JavaLocker

Today we'll take a look at a windows ransomware built with Java. As you might have guessed this will get ugly and is therefore not for the faint of heart.

Hey there, yeah it has been a while. I've been quite busy with university stuff for the past weeks, so I'm trying to get back into the analysis/blogging thing. I've been looking for interesting/"innovative" samples that differ from the common tricks and techniques. It was unavoidable that I would have to look at a ransomware strain written in the most beautiful programming language there is sooner or later: Java. Let's get it over with. This strain...

Read More
The Opposite of Fileless Malware - NodeJS Ransomware

This one is a few days old already but still worth a look. Have I mentioned that I hate Javascript?

This is not the first time that someone built a Ransomware Strain with NodeJS (check out this article about Ransom32 and let's not forget about Nodersok), but it's not an everyday sight either. This Malware Sample was first discovered by Xavier Mertens in a post to the SANS ISC Forum here. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of...

Read More
Not so nice after all - Afrodita Ransomware

A new Ransomware strain spread by malicious Office documents targeted at Croatian systems - let's check it out

This strain was first discovered by Korben Dallas on Twitter on the 9th of January. As I already mentioned the Malware is delivered via a Malspam/Maldoc attack crafted for Users / Companies from Croatia. Researchers that were involved in the initial analysis: @KorbenD_Intel, @James_inthe_box, @Malwageddon, @pollo290987 and I (@f0wlsec). Thank you for your contributions! @James_inthe_box @malwrhunterteam @Malwageddon 69450923d812f3696e8280508b636955 XLS 12/60 VT scan detections....

Read More
"Nice decorating. Let me guess, Satan?" - Dot / MZP Ransomware

Happy new year y'all. And with it there's new Ransomware to analyze, so come along for the ride :D

Dot "MZP" Ransomware @ AnyRun | VirusTotal | HybridAnalysis --> sha256 bebf5c12e35029e21c9cca1da53eb43e893f9521435a246ea991bcced2fabe67 This sample was first discovered by AmigoA and AkhmendTaia on the 31st of December 2019. AV Detections and Ransomnote contents didn't seem to match any previously present strain. The Note is delivered via a .txt File with a strange numeric victim ID and only one contact email address. The extension appended to encrypted Files seems to...

Read More
Setting up a Malware Exchange for 36C3 with Viper

Since my original project for 36c3 (something with chinese gear and coreboot) didn't really work out in time I had an even better idea: Setting up a Malware Sample Exchange

After checking the projects and self-organized Sessions I couldn't find anything related to Malware Research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time. To host this project at the MysteryHack Assembly I wanted to use a small but capable enough machine which is why I used the Intel NUC...

Read More
I literally can't think of a fitting pun - MrDec Ransomware

I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum.

It employs techniques that are not seen very often in other ransomware samples, so the Analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting atleast. Work in Progress Because Christmas and 36c3 is coming up in the next few I days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Read More
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension .pysa so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

Read More
A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I Was wrong: In the last 3 days I collected over 35 samples :O

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: Looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly it definitely is Deplhi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

Read More
A B C, easy as один, два, три - Lockbit (ABCD) Ransomware

Let's continue with the obscure music -> malware references by analysing Lockbit, a strain that has been around for a few weeks, but with very little Info about is origin and behaviour.

I got this sample from one of the victims posting in the Bleeping Computer Forum thread. From what I gather their systems fell to yet another RDP Bruteforce attack (one user was affected on multiple systems in their domain). A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware...

Read More
  • 1
  • 2

About me

Hey there! My Name is Marius Genheimer aka f0wL and I'm a Computer Science Student from Germany. As you can probably tell I like to analyse malware (especially Ransomware) in my spare time.

https://ransomware.email

A searchable database of E-Mail addresses used in Ransomnotes plus facts and analysis

https://sandbox.lol

An automated analysis platform based on the Cuckoo Sandbox. Feel free to drop your samples!

Receive Updates

ATOM

"Security is #1 priority"

Key OpenPGP Key