Dealing with obfuscated malware like Gustuff
This post focuses on Android malware samples that are obfuscated and look somewhat like the decompiled code shown below:

The class names, method names and the code content barely make any sense. I stumbled across a great article by Fortinet that talks about samples like these; below I will highlight how I went about extracting the de-obfuscated jar file as I followed the article.

The malware that I used was recently tweeted by @Joe4security:

MD5: ef8493089deecbef6e459434ec7fee0b
SHA256: da815165a474d869c8b2eb7aa288f728caa2a9195d81249acfee5db1a749e271
Package name: com.ycisplc.hvmoqgrigmdh

Initial Observations

I installed the malware on an emulator and, before starting the app, I started logcat with a filter for the package name of the current malware. This shows only the activity relevant to this sample:
  • adb logcat | grep com.ycisplc.hvmoqgrigmdh
I ran the sample, and logcat shows that a .jar file is dropped into the application's data directory:

But when I navigated to the relevant folder there was no sign of the .jar file:

So the objective is to grab this .jar file before the malware deletes it. The dropper writes its real payload to disk only long enough to load it and then removes the file; that .jar contains the de-obfuscated content that reveals the actual code.

Tracing the delete call with strace

Frida is very useful for Android malware research. The basic steps in getting Frida up and running can be seen in one of my older entries here.
In the current scenario we can use Frida to bypass the function that deletes the .jar file. So the first order of the day is to find the function that does the deletion work, and we can use strace for this purpose.
strace shows the system calls made by a process, and a Java File.delete() ends up in a libc call that issues the unlink/unlinkat syscall with the path as its argument, so the trace tells us both which call to hook and which file it targets. With a string of commands we launch the app, look up its PID and attach strace, dumping the trace to a local file (the -f flag follows any threads the app spawns, since the deletion need not happen on the main thread):
  • monkey -p com.ycisplc.hvmoqgrigmdh -c android.intent.category.LAUNCHER 1 && set `ps | grep com.ycisplc.hvmoqgrigmdh` && strace -f -p $2 -o /sdcard/Download/st1
A quick search of the trace for "jar" reveals the call that is most likely the culprit: unlinkat
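Grepping the trace for "jar" is enough for one sample, but it helps to see every syscall that touched the dropped file in order (create, write, reopen for loading, then delete), because that tells you which libc call to hook and confirms the payload is fully written before it is removed. The following parser is an added example written for this page, not code from the post; the strace lines it runs over are constructed to mirror the post's run (pid prefixes as produced by -f, paths under the sample's app_files directory) and are not the sample's real output.

```javascript
// Added example (not from the post): pick out the syscalls in an strace log
// that touch a file of interest, so the libc call to hook is unambiguous.
// The excerpt is constructed, not real output from the sample.
const STRACE_EXCERPT = [
  '5432 openat(AT_FDCWD, "/data/user/0/com.ycisplc.hvmoqgrigmdh/app_files/payload.jar", O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0600) = 41',
  '5432 write(41, "PK\\3\\4\\24\\0\\10\\10\\10\\0"..., 65536) = 65536',
  '5432 close(41) = 0',
  '5432 openat(AT_FDCWD, "/data/user/0/com.ycisplc.hvmoqgrigmdh/app_files/payload.jar", O_RDONLY|O_CLOEXEC) = 42',
  '5432 ioctl(42, BINDER_WRITE_READ, 0x7fe3a0) = 0',
  '5432 unlinkat(AT_FDCWD, "/data/user/0/com.ycisplc.hvmoqgrigmdh/app_files/payload.jar", 0) = 0',
  '5432 unlinkat(AT_FDCWD, "/data/user/0/com.ycisplc.hvmoqgrigmdh/app_files/payload.jar", 0) = -1 ENOENT (No such file or directory)',
].join("\n");

// One complete strace line: optional pid (from -f), syscall name, argument
// list, and the return value after "=" followed by an optional errno text.
const LINE_RE = /^(?:\d+\s+)?(\w+)\((.*)\)\s*=\s*(-?\d+|\?)(.*)$/;
// First quoted string argument; strace escapes inner quotes with backslashes.
const PATH_RE = /"((?:[^"\\]|\\.)*)"/;

// Every syscall whose first string argument contains `needle`, in trace order.
function syscallsTouching(log, needle) {
  const hits = [];
  for (const raw of log.split("\n")) {
    const m = LINE_RE.exec(raw.trim());
    if (!m) continue; // skips "<unfinished ...>" / "resumed" fragments and blank lines
    const p = PATH_RE.exec(m[2]);
    if (!p || !p[1].includes(needle)) continue;
    hits.push({
      syscall: m[1],
      path: p[1],
      ret: Number(m[3]),
      error: m[4].trim() || null,
    });
  }
  return hits;
}

// Calls that make a file disappear from its path; these are the hook candidates.
const DELETE_CALLS = new Set(["unlink", "unlinkat", "rmdir", "rename", "renameat", "renameat2"]);

function deletionsOf(log, needle) {
  return syscallsTouching(log, needle).filter((h) => DELETE_CALLS.has(h.syscall));
}

function main() {
  for (const h of syscallsTouching(STRACE_EXCERPT, ".jar")) {
    console.log(`${h.syscall.padEnd(9)} ret=${h.ret} ${h.path}${h.error ? "  " + h.error : ""}`);
  }
  const names = [...new Set(deletionsOf(STRACE_EXCERPT, ".jar").map((d) => d.syscall))];
  console.log(`hook candidates: ${names.join(", ")}`);
}
main();
```

Run it with node against a real trace by replacing STRACE_EXCERPT with the contents of /sdcard/Download/st1 (pulled with adb pull); if the deletion shows up as rename or renameat rather than unlinkat, that is the call to hook instead.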

So the next step is to intercept this call using Frida.

Frida to bypass the delete call

With frida-server running on the device, we spawn the malware through Frida rather than attaching to an already running process, so the hook is in place before any of the app's code executes, and load the JavaScript that overrides unlinkat:

The complete scripts can be viewed here: Python initiator and Frida JavaScript
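What such an overriding script looks like, as an added example written for this page and not the author's linked script: it hooks libc's unlinkat (and unlink, which bionic implements on top of unlinkat) with Frida's Interceptor, and for any path ending in .jar or .dex it swaps the pathname argument for a decoy that does not exist and then reports success to the caller. The extension list, the decoy path and the event name sent back to the host are my assumptions. The decision logic is plain JavaScript, so it can be exercised on a host without a device; the hook itself installs only when the Frida globals are present.

```javascript
// Added example (not the author's script): a Frida agent that stops the
// dropper from unlinking its decrypted payload.
// Assumptions: the payload lands as .jar/.dex and DECOY_PATH does not exist.
const KEEP_EXTENSIONS = [".jar", ".dex"];
const DECOY_PATH = "/data/local/tmp/.frida-unlink-decoy";

// Paths the hook refused to delete, in the order they were seen.
const preserved = [];

// Decision logic, kept free of Frida APIs so it can be tested on the host.
function shouldKeep(path) {
  if (typeof path !== "string") return false; // readUtf8String() returns null for a NULL pointer
  const lower = path.toLowerCase();
  return KEEP_EXTENSIONS.some((ext) => lower.endsWith(ext));
}

function notePreserved(path) {
  preserved.push(path);
  return preserved.length;
}

// libc export name -> index of the argument that carries the pathname:
// unlinkat(int dirfd, const char *pathname, int flags), unlink(const char *pathname).
const TARGETS = { unlinkat: 1, unlink: 0 };

// Frida-only part: Interceptor, Module, Memory, ptr and send are provided by
// the Frida runtime. Interceptor patches the function entry, so internal
// callers inside libc are caught as well as callers going through the PLT.
function installHooks() {
  for (const [name, pathIndex] of Object.entries(TARGETS)) {
    const addr = Module.findExportByName("libc.so", name);
    if (addr === null) continue;
    Interceptor.attach(addr, {
      onEnter(args) {
        const path = args[pathIndex].readUtf8String();
        this.keep = shouldKeep(path);
        if (!this.keep) return;
        notePreserved(path);
        // Redirect the call at a path that does not exist. Holding the buffer
        // on `this` keeps it alive until onLeave for this invocation.
        this.decoy = Memory.allocUtf8String(DECOY_PATH);
        args[pathIndex] = this.decoy;
        send({ event: "unlink-blocked", call: name, path: path });
      },
      onLeave(retval) {
        // The decoy unlink fails with ENOENT; return 0 so the sample behaves
        // as if its deletion succeeded and does not retry or bail out.
        if (this.keep) retval.replace(ptr(0));
      },
    });
  }
}

if (typeof Interceptor !== "undefined") installHooks();
```

Load it with the spawn flow rather than attach (for example `frida -U -f com.ycisplc.hvmoqgrigmdh -l hook.js`, or the equivalent device.spawn, attach, create_script and resume sequence from the Python initiator) so the hook exists before the dropper runs. The `send()` messages are what the host script prints when an unlink is intercepted; the file itself stays in app_files, where it can be pulled with adb pull and hashed before analysis.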

The undeleted jar file

A few moments later the hook reports that unlinkat has been intercepted, and on examining the malware's data directory we can see the .jar and .dex files sitting in the app_files folder:

Loading up the jar file, we can now examine the unobfuscated code:

A very detailed analysis of this strain of malware has been published by Cisco Talos; it's a great read!

To practise this technique, use the sample mentioned in the Fortinet blog and follow that post for assistance. Happy hunting!