- #REDIRECTOR GVT1 COM INSTALL#
- #REDIRECTOR GVT1 COM ZIP FILE#
- #REDIRECTOR GVT1 COM ANDROID#
- #REDIRECTOR GVT1 COM DOWNLOAD#
This information is logged to file /sdcard/ you begin seeing a large quantities of the same Ads on every page you visit? That and the increased loading times (may not be noticeable on high end computers) are one of the prime symptoms that your computer has been infected by an Redirector GVT1.Com application.
#REDIRECTOR GVT1 COM INSTALL#
This service start a second service that will install the packed APKs, list installed Apps and check if the device is rooted. |Microlog 6Ģ2:14:54,679 Utils|Binder:4646_3 start to installPlugin /storage/emulated/0/origin/Camera.apk,pkgname:null |Microlog 1680Ģ2:14:54,712 Utils|Binder:4646_3 install plugin failed, pkgname:null resultCode:0 |Microlog 1713Ģ2:14:54,722 Utils|Binder:4646_3 start to installPlugin /storage/emulated/0/origin/Core.apk,pkgname:null |Microlog 1723Ģ2:14:54,798 Utils|Binder:4646_3 install plugin failed, pkgname:null resultCode:0 |Microlog 1799Ģ2:14:54,813 Utils|Binder:4646_3 start to installPlugin /storage/emulated/0/origin/Location.apk,pkgname:null |Microlog 1814Ģ2:14:54,869 Utils|Binder:4646_3 install plugin failed, pkgname:null resultCode:0 |Microlog 1870 the content is as follow: 22:14:53,00 Utils|main PService onCreate |Microlog 1Ģ2:14:53,00 Utils|main PService onBind Intent |Microlog 1Ģ2:14:53,01 Utils|main PService Binder uid:10149 |Microlog 2Ģ2:14:53,03 Utils|main PService caller signature md5:3bd158635713d3e220113fb6adc8b6e2 |Microlog 4Ģ2:14:53,48 AppEnv|main onCreate |Microlog 0Ģ2:14:53,50 AppEnv|main startJobSheduler ret 1 |Microlog 2Ģ2:14:53,52 AppEnv|main onCreate List pkgName: svrName: .HService |Microlog 4Ģ2:14:53,53 AppEnv|main onStartCommand startId:1 |Microlog 5Ģ2:14:53,54 AppEnv|Thread-2 startGuard pkgName: svrName: .HService |Microlog 6Ģ2:14:53,54 AppEnv|Thread-2 startGuard wating. The file name is microlog.txt and located in the folder /sdcard. The function onCreate look as follows:ĭesDecrypt 772×272 37.7 KB cipher.init(2, skeyFactory.generateSecret(desKeySpec)) // Initialize cipher to decryption modeīefore encrypting the argument, the function divide the string into two characters, convert it each to integer then encrypt it: byte btxts = new byte ītxts = (byte) Integer.parseInt(txt.substring(i, i + 2), 16) Īs DES decryption is the inversion of DES encryption, the function desDecrypt here is used as encryption routine.Īfter the key generation, the malware start a service that init the configuration file and redirect logs of the application to a file. These APKs will be analyzed later on (Not in this current post). The malware embed three APKs located in the folder assets/init. The file Filtering Rules contains a list of 6291 domain names.Īt each request a new list is downloaded with different domain names.
#REDIRECTOR GVT1 COM ZIP FILE#
The tool founded one zip file which contains 3 files and one directory: To get the data from this file foremoset is used.
#REDIRECTOR GVT1 COM ANDROID#
The application Google Chrome on Android does not support extensions. > file file1.dataįile1.data: Google Chrome extension, version 3
Starting by identifying the file type of the downloaded file. The part AKi1sv7cx4bJf9W1XiuhCek_9.18.0/KDDyO-ENZ8HrUUsbZHNxeA of the request change at each time, it suspected that the information is sent encrypted through the request. The malware sends some parameter trough the request including the public IP address of the victim.
#REDIRECTOR GVT1 COM DOWNLOAD#
Using wget to download the file in order to check what it contains: wget "" -O file1.data The first HTTP request is sent to, which will redirect to one of the C2C servers. Installing the malware on an Android Virtual Device which has Burp Suite as proxy, it can be observed that the server send different HTTP requests to different servers with the domain name : Starting by the traffic analysis will give more information about how the malware communicate with the C2C server and which information is sent. Using jadx-gui to reverse the APK, it can be observed that the malware use nearly all the Android permissions, some of them are listed bellow:
This post is a first part of reversing a version of ActionSpy.
In this article, I’m going to discuss a first part of analysis of one of the variant of the malware ActionSpy. First of all sorry if I did some mistakes I am not a native English speaker.
0 kommentar(er)
