Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DETECTION] Flutter App Packed with unknown Packer (classes.dex) #368

Open
ReBensk opened this issue Oct 7, 2023 · 6 comments
Open

[DETECTION] Flutter App Packed with unknown Packer (classes.dex) #368

ReBensk opened this issue Oct 7, 2023 · 6 comments
Labels
detection-issue Bad detection or no detection

Comments

@ReBensk
Copy link
Contributor

ReBensk commented Oct 7, 2023

Samples:

https://drive.google.com/file/d/1NKB-BhamMm69xrGf-5ih-MHs3odnl6f4/view?usp=sharing
password: infected@123

Describe the detection issue
Classes.dex file is packed with a custom packer.
From the Classes.dex file structure:
data_size(offset 0x68) +data_off(offset 0x6C) > file_size (offset 0x20)

Sample1: md5: 00C4C2BE707733AEC76575B9F12430FA
Runtime it Drops 2 files classes.dex and classes2.dex these files are compresssed inside the apk's classes.dex (md5: A23691AAFDA6C1F749EC1AB778CF6157) files as AES Ecnrypted.
Key: 7847249444925135
IV: 9662547137267328

The Encrypted bytes are starts at the offset --> data_size(offset 0x68) +data_off(offset 0x6C)
Example for Sample1 : 0x2180 + 0x2A54 = 0x4BD4 (Encrypted bytes start address)

Sample2: md5: 0823ECC8F7732E43E8624F9296008E00
Apk's classes.dex (md5: FEF589F757819AE3881F2D2E5EF295CB ) files as AES Ecnrypted.
Key: 3662583155221358
IV: 7243279461549821

APKiD current results...
[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[] ./Sample1.apk!classes.dex
|-> compiler : dexlib 2.x
[
] ./Sample2.apk!classes.dex
|-> compiler : dexlib 2.x

Additional context

Cyberchef Recipe to decrypt the Encrypted .dex files for Sample 1:

https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'UTF8','string':'7847249444925135'%7D,%7B'option':'UTF8','string':'9662547137267328'%7D,'ECB/NoPadding','Hex','Hex',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)From_Hex('None')&input=MEQwMTE2RUQ0OUUwNURFN0REQzExRkU3MzBDMTlFM0UxQkZDMThGOTk1QzQ4MTA0MjE2OTQxNjk2OTYwQUNGMDJFQ0Q2OUMwMDYwMjAxMzAxODdFOUUzRDVFRkY4QTdBNzY2MzEyNEFDNENEQ0JCMDM0QTE1NzBBQTAxRUZCQzQ0OTdDQ0I1NUZCODdGQTRENjNDMzYwNkE0NDk3QkIwOEQzMDk4MDNBMURGNEFFNDcyQzUwRjcwRURBMDlEOTlCMDNBNjA1M0NENTM5QzJFQjEwMUJFOEQ3RjY4NjU5NjE0NTA0Q0E1REJDN0M2M0Q0MkNFRkIxOTU1MDg0QzAyMTdDMzkzQkMxMjU2QkIxQkNENTlEMzg2OTg3QTM5RDYyNDYwMThEMDEwNkY0

Cyberchef Recipe to decrypt the Encrypted .dex files for Sample 2:
https://gchq.github.io/CyberChef/#recipe=AES_Decrypt(%7B'option':'UTF8','string':'3662583155221358'%7D,%7B'option':'UTF8','string':'7243279461549821'%7D,'ECB/NoPadding','Hex','Hex',%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D)From_Hex('None')&input=QzNBN0EyOEZDMTkwNDIzMzk5REFEQUJCQjZBNTI0MUU0OTg5NzRFODQ0MDY5NkQz

@ReBensk ReBensk added the detection-issue Bad detection or no detection label Oct 7, 2023
@enovella
Copy link
Collaborator

Hi @ReBensk ,

I will try to create rules for this packer. Could you tell me unique patterns in these samples? And a made up name for it too?

@ReBensk
Copy link
Contributor Author

ReBensk commented Oct 10, 2023

At the end of the classes.dex file, packed .dex files are present.
Example: classes.dex#8446336@classes2.dex#8028064
after the # the numbers are size of the unpacked classes.dex file.

@ReBensk
Copy link
Contributor Author

ReBensk commented Oct 21, 2023

rule Flutter_Custom_Packer : packer
{
meta:

description = "Flutter Custom packer"
sample1      = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c"
sample2      = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0"

strings:

$Cipher = {

	1a00 ????       // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding
	7110 ???? 0000  // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
	0c00            // move-result-object v0
	1a01 0100       // const-string v1, "3662583155221358" // string@0001
	1a02 0200       // const-string v2, "7243279461549821" // string@0002
	7140 0600 2140  // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006
	0c04            // move-result-object v4
	1104            // return-object v4
}	

condition:

is_dex and $Cipher

}

@enovella
Copy link
Collaborator

At the end of the classes.dex file, packed .dex files are present. Example: classes.dex#8446336@classes2.dex#8028064 after the # the numbers are size of the unpacked classes.dex file.

Could we write a rule to specify this behavior? Something like : https://github.com/rednaga/APKiD/blob/master/apkid/rules/dex/common.yara#L40

@enovella
Copy link
Collaborator

rule Flutter_Custom_Packer : packer { meta:

description = "Flutter Custom packer"
sample1      = "d91a793d7a63ca6279da81ea5986ba51663f0762399ce122d85b09a020521a0c"
sample2      = "130f9d4c200f8c45df48e49360eb422710db8999f3dc571f10cfb04b139ed0d0"

strings:

$Cipher = {

	1a00 ????       // const-string v0, "WATEPSY/cEDCnBZ/jPdKNCNSL5GPjawdmdkiWnzg" // string@00b2 // AES/ECB/PKCS5Padding
	7110 ???? 0000  // invoke-static {v0}, Lcom/zzWrgZUeZn;.reewRNuvCn:(Ljava/lang/String;)Ljava/lang/String; // method@0012
	0c00            // move-result-object v0
	1a01 0100       // const-string v1, "3662583155221358" // string@0001
	1a02 0200       // const-string v2, "7243279461549821" // string@0002
	7140 0600 2140  // invoke-static {v1, v2, v0, v4}, Lcom/zzWrgZUeZn;.DgQYvfuzRk:(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;[B)[B // method@0006
	0c04            // move-result-object v4
	1104            // return-object v4
}	

condition:

is_dex and $Cipher

}

Could you open a pull-request with this rule? It's easier to make changes and add feedback

@ReBensk
Copy link
Contributor Author

ReBensk commented Oct 23, 2023

rule opened into a pull-request

ReBensk added a commit to ReBensk/APKiD that referenced this issue Oct 24, 2023
enovella pushed a commit that referenced this issue Oct 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
detection-issue Bad detection or no detection
Projects
None yet
Development

No branches or pull requests

2 participants