Thursday, January 6, 2011

Decrypt Strings:Geinimi Android Trojan

Just analyzing an Android trojan couple of days ago and I was able to decrypt the strings inside the binary sample. Here it is a source code written in VB.Net.

Imports CryptoSysAPI
Module Module1
    Sub Main()
        Dim Hexdata As String = "64656275675F696E7465726E656C0202" ' hex data here!
        Dim plainHex As String = Des.Pad(Hexdata)
        plainHex = Des.Decrypt(Hexdata, "0102030405060708", Mode.ECB, "")
        Hexdata = Des.Unpad(plainHex)
        If Hexdata.Length = plainHex.Length Then Return
        Console.WriteLine("Input: {0}", Hexdata);
        Console.WriteLine("Decrypt(DES-ECB): {0}", Cnv.StringFromHex(Hexdata))
    End Sub
End Module


Example Output:
C:\>"C:\Projects\Krypton\Krypton\bin\Release\Krypton.exe"
Input: 64656275675F696E7465726E656C0202
Decrypt(DES-ECB): debug_internel


Note: You need CryptoSysAPI library in order to compile this code.

References:
http://www.alienvault.com/blog/jaime/Malware/Inside_Geinimi_Android_Trojan._Chapter_One_Encrypted_data_and_communication.html
Posted by Kamil Alta at
Labels: ,

1 comment:

  1. noneJanuary 7, 2011 at 7:40 AM

    $ echo 64656275675F696E7465726E656C0202 | perl -pe 's/([0-9a-f]{2})/pack("C", hex($1))/ige'
    debug_internel

    ReplyDelete

Subscribe to: Post Comments (Atom)