Dealing with obfuscated malware like Gustuff
This post focuses on Android malware samples that are obfuscated and look roughly like the screenshot below:
The class names, method names and code content barely make any sense. I came across a great article by Fortinet on samples like these; below I describe how I went about extracting the de-obfuscated .jar file while following that article.
The malware I used was recently tweeted by @Joe4security: https://twitter.com/joe4security/status/1135890959672254464
Package name: com.ycisplc.hvmoqgrigmdh
I installed the malware on an emulator and, before launching the app, started logcat filtered on the malware's package name, so that only activity from this sample is shown:
But when I navigated to the relevant folders, there was no sign of the .jar file:
So the objective is to grab this .jar file before the malware deletes it. The .jar file holds the de-obfuscated content, which reveals the real code.
Strace the delete function
Frida is very useful for Android malware research. The basic steps for getting Frida up and running are covered in an older entry of mine here.
In the current scenario we can use Frida to bypass the function that deletes the .jar file. So the first order of business is to find the function that does the deletion, and strace serves that purpose.
strace shows the system calls made by a process, and our aim is to see which call deletes the jar file. With a short string of commands we can launch the app under strace and have the relevant output written to a file:
The strace output points at unlinkat as the deleting call, so the next step is to override it using Frida.
Frida to bypass the deleting function
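As an added example (not the script from the original post), here is a Frida agent that neutralises unlinkat() for the sample's own .jar and .dex files. It assumes, as the strace run indicated, that the deletion reaches libc's unlinkat(); the package name is the one given above, while the path prefixes, the helper names and the decision to fake a successful return are my own choices. The path check is kept in a plain function, separate from the Frida API, so it can be unit-tested outside the agent.

```javascript
// Added example: Frida agent that stops the sample from deleting its
// dropped .jar/.dex payloads by replacing libc's unlinkat().
// Assumptions: deletion goes through unlinkat() (as strace showed for this
// sample); paths are absolute and live under the app's private data dir.
'use strict';

const PACKAGE = 'com.ycisplc.hvmoqgrigmdh';   // package name from the post

// Extensions of the payloads we want to keep on disk.
const KEEP_EXT = ['.jar', '.dex'];

// Pure decision logic: block only deletes of .jar/.dex files that sit under
// this package's private data directory (both the /data/data and the
// /data/user/0 spellings of it). Relative paths (dirfd-based unlinkat
// calls) are deliberately not matched; widen this if strace shows them.
function shouldBlock(path, pkg) {
  if (typeof path !== 'string') return false;
  const inPkgDir = path.startsWith('/data/data/' + pkg + '/') ||
                   path.startsWith('/data/user/0/' + pkg + '/');
  const lower = path.toLowerCase();
  const isPayload = KEEP_EXT.some((ext) => lower.endsWith(ext));
  return inPkgDir && isPayload;
}

// Frida-only part: swap unlinkat() for a callback that fakes success for
// matching paths and forwards everything else to the real implementation.
function installHook(pkg) {
  const libc = Process.getModuleByName('libc.so');
  const unlinkatPtr = libc.findExportByName('unlinkat');
  if (unlinkatPtr === null) throw new Error('unlinkat not found in libc.so');

  // int unlinkat(int dirfd, const char *pathname, int flags)
  const origUnlinkat = new NativeFunction(unlinkatPtr, 'int', ['int', 'pointer', 'int']);

  Interceptor.replace(unlinkatPtr, new NativeCallback(function (dirfd, pathPtr, flags) {
    const path = pathPtr.isNull() ? null : pathPtr.readUtf8String();
    if (shouldBlock(path, pkg)) {
      console.log('[+] blocked unlinkat of ' + path);
      return 0;   // report success so the sample carries on as normal
    }
    return origUnlinkat(dirfd, pathPtr, flags);
  }, 'int', ['int', 'pointer', 'int']));
}

// Only touch the Frida API when actually running inside a Frida agent, so
// the decision logic above can be loaded and tested under plain Node.
if (typeof Interceptor !== 'undefined') {
  installHook(PACKAGE);
}

if (typeof module !== 'undefined') {
  module.exports = { shouldBlock, installHook, PACKAGE };
}
```

Spawn the app through frida's -f option (rather than attaching to a running process) so the hook is in place before the dropper's first run, since the delete happens moments after the payload is loaded. The hook returns 0 for blocked calls so the sample believes the delete succeeded and does not abort or retry. If your strace run shows unlink() or rmdir() instead of unlinkat(), or a directory fd with a relative name, hook those the same way and adjust the path check; and run strace with -f, because the delete may happen on a worker thread rather than the main one.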
The un-deleted jar file
A few moments later we see the unlinkat call intercepted, and on examining the malware's install directory the .jar and .dex files are present in the app_files folder:
Loading the jar file, we can now examine the un-obfuscated code:
A very detailed analysis of this malware family has been published by Cisco Talos; it's a great read!
To try this technique yourself, use the sample referenced in the Fortinet blog and follow that blog for guidance. Happy hunting!