[DETECTION] Flutter App Packed with unknown Packer (classes.dex) #368
Comments
Hi @ReBensk, I will try to create rules for this packer. Could you tell me unique patterns in these samples? And a made-up name for it too?
At the end of the classes.dex file, packed .dex files are present.
rule Flutter_Custom_Packer : packer
{
    // The strings section was left empty in the original comment, so it is omitted
    // here (YARA rejects an empty strings section).
    condition:
        // Condition reconstructed from the check described in the issue body:
        // data_size (offset 0x68) + data_off (offset 0x6C) > file_size (offset 0x20).
        // All three fields are little-endian u32 values in the dex header.
        uint32(0x68) + uint32(0x6c) > uint32(0x20)
}
Could we write a rule to specify this behavior? Something like: https://github.com/rednaga/APKiD/blob/master/apkid/rules/dex/common.yara#L40
Could you open a pull-request with this rule? It's easier to make changes and add feedback
rule opened into a pull-request
Reference ticket id: rednaga#368 rednaga#370
Samples:
https://drive.google.com/file/d/1NKB-BhamMm69xrGf-5ih-MHs3odnl6f4/view?usp=sharing
password: infected@123
Describe the detection issue
classes.dex file is packed with a custom packer.
From the classes.dex file structure:
data_size (offset 0x68) + data_off (offset 0x6C) > file_size (offset 0x20)
Sample1: md5: 00C4C2BE707733AEC76575B9F12430FA
At runtime it drops 2 files, classes.dex and classes2.dex; these files are compressed inside the APK's classes.dex (md5: A23691AAFDA6C1F749EC1AB778CF6157) as AES-encrypted data.
Key: 7847249444925135
IV: 9662547137267328
The encrypted bytes start at the offset data_size (offset 0x68) + data_off (offset 0x6C).
Example for Sample1: 0x2180 + 0x2A54 = 0x4BD4 (encrypted bytes start address)
Sample2: md5: 0823ECC8F7732E43E8624F9296008E00
The APK's classes.dex (md5: FEF589F757819AE3881F2D2E5EF295CB) files are AES-encrypted.
Key: 3662583155221358
IV: 7243279461549821
APKiD current results...
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[] ./Sample1.apk!classes.dex
|-> compiler : dexlib 2.x
[] ./Sample2.apk!classes.dex
|-> compiler : dexlib 2.x
Additional context
CyberChef recipe to decrypt the encrypted .dex files for Sample 1:
https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'UTF8','string':'7847249444925135'%7D,%7B'option':'UTF8','string':'9662547137267328'%7D,'ECB/NoPadding','Hex','Hex',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)From_Hex('None')&input=MEQwMTE2RUQ0OUUwNURFN0REQzExRkU3MzBDMTlFM0UxQkZDMThGOTk1QzQ4MTA0MjE2OTQxNjk2OTYwQUNGMDJFQ0Q2OUMwMDYwMjAxMzAxODdFOUUzRDVFRkY4QTdBNzY2MzEyNEFDNENEQ0JCMDM0QTE1NzBBQTAxRUZCQzQ0OTdDQ0I1NUZCODdGQTRENjNDMzYwNkE0NDk3QkIwOEQzMDk4MDNBMURGNEFFNDcyQzUwRjcwRURBMDlEOTlCMDNBNjA1M0NENTM5QzJFQjEwMUJFOEQ3RjY4NjU5NjE0NTA0Q0E1REJDN0M2M0Q0MkNFRkIxOTU1MDg0QzAyMTdDMzkzQkMxMjU2QkIxQkNENTlEMzg2OTg3QTM5RDYyNDYwMThEMDEwNkY0
CyberChef recipe to decrypt the encrypted .dex files for Sample 2:
https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'UTF8','string':'3662583155221358'%7D,%7B'option':'UTF8','string':'7243279461549821'%7D,'ECB/NoPadding','Hex','Hex',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)From_Hex('None')&input=QzNBN0EyOEZDMTkwNDIzMzk5REFEQUJCQjZBNTI0MUU0OTg5NzRFODQ0MDY5NkQz
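The header check the issue describes, as an added example (not APKiD code and not from the reporter): it parses the three dex header fields involved, flags a file whose data_size + data_off exceeds the declared file_size, and carves whatever lies past that boundary so an analyst can inspect it. The sample dex bytes are constructed inline using the Sample1 offsets from the issue; the file_size value in the constructed header is an assumption, since the issue does not state it.

```python
import struct

DEX_HEADER_SIZE = 0x70          # size of the dex_header_item
DEX_MAGIC_PREFIX = b"dex\n"     # "dex\n035\0", version bytes vary

def dex_overlay_info(blob: bytes) -> dict:
    """Parse file_size (0x20), data_size (0x68) and data_off (0x6C) from a
    dex header (all little-endian u32) and apply the issue's heuristic:
    data_size + data_off > file_size means bytes were appended after the
    data section. A well-formed dex has data_off + data_size == file_size
    == len(blob), so the actual length is reported too as a sanity check."""
    if len(blob) < DEX_HEADER_SIZE or not blob.startswith(DEX_MAGIC_PREFIX):
        raise ValueError("not a dex file")
    (file_size,) = struct.unpack_from("<I", blob, 0x20)
    data_size, data_off = struct.unpack_from("<II", blob, 0x68)
    data_end = data_size + data_off
    return {
        "file_size": file_size,
        "actual_size": len(blob),
        "data_size": data_size,
        "data_off": data_off,
        "data_end": data_end,                  # where the trailing data starts
        "packed": data_end > file_size,        # the check from the issue
        "overlay": blob[data_end:] if data_end < len(blob) else b"",
    }

def build_sample(file_size: int, data_size: int, data_off: int, overlay: bytes) -> bytes:
    """Constructed test input: a minimal dex header with the given fields,
    zero-padded up to data_size + data_off, followed by `overlay` bytes."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<I", hdr, 0x20, file_size)
    struct.pack_into("<II", hdr, 0x68, data_size, data_off)
    return bytes(hdr).ljust(data_size + data_off, b"\x00") + overlay

# Sample1 header values from the issue (0x2180 + 0x2A54 = 0x4BD4); the
# file_size of 0x1000 and the 0xAA overlay bytes are constructed placeholders.
PACKED = build_sample(0x1000, 0x2180, 0x2A54, b"\xAA" * 32)
# Consistent header: data section ends exactly at file_size, nothing appended.
CLEAN = build_sample(0x4BD4, 0x2180, 0x2A54, b"")

if __name__ == "__main__":
    for name, blob in (("packed", PACKED), ("clean", CLEAN)):
        info = dex_overlay_info(blob)
        print(f"{name}: data_end=0x{info['data_end']:X} file_size=0x{info['file_size']:X} "
              f"packed={info['packed']} overlay_len={len(info['overlay'])}")
```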