
[DETECTION] Unknown packer (classes.dex) detection #367

Open
ReBensk opened this issue Oct 2, 2023 · 7 comments
Labels
detection-issue Bad detection or no detection

Comments

@ReBensk
Contributor

ReBensk commented Oct 2, 2023

Samples

https://www.virustotal.com/gui/file/b8f8948187846371eb32b2d7ef4f537c94997329e08d762b9ac6b3bfcbc86993/detection
https://www.virustotal.com/gui/file/fdf5b6930d38da33ec117d7c0f83f142db1c33013d020f0ab4801d1fd781f552/detection

APKiD current results...

[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] ./com.rihjzvyvdmwsz.wfglmgpoijgnc.apk!classes.dex
|-> compiler : dexlib 2.x
[*] ./com.zxqlzbjtkwugo.oekyzihfuspse.apk!classes.dex
|-> compiler : dexlib 2.x
[*] ./classes.dex
|-> compiler : dexlib 2.x

Additional context
The classes.dex file is packed with a custom packer.
From the classes.dex file structure:
data_size (offset 0x68) + data_off (offset 0x6C) > file_size (offset 0x20)
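The header inconsistency described above is easy to check programmatically. The following is an added example, not code from APKiD or from this thread: it parses the fixed-size DEX header (little-endian, file_size at 0x20, header_size at 0x24, data_size at 0x68, data_off at 0x6C) and reports when the declared data section runs past the declared file size, which is the condition the report names, plus two related sanity checks (declared vs. actual length, non-standard header_size). The function and field names are my own, and the sample headers are constructed in the block rather than taken from the samples in the issue.

```python
import struct

DEX_HEADER_SIZE = 0x70          # header_item is always 0x70 bytes
DEX_MAGIC_PREFIX = b"dex\n"     # followed by a 3-digit version and NUL


def parse_dex_header(buf: bytes) -> dict:
    """Parse the fields of a DEX header that the packer heuristic needs."""
    if len(buf) < DEX_HEADER_SIZE:
        raise ValueError("buffer shorter than a DEX header")
    if buf[:4] != DEX_MAGIC_PREFIX:
        raise ValueError("not a DEX file (bad magic)")
    # All DEX header integers are little-endian uint32.
    file_size, header_size = struct.unpack_from("<II", buf, 0x20)
    data_size, data_off = struct.unpack_from("<II", buf, 0x68)
    return {
        "version": buf[4:7].decode("ascii", "replace"),
        "file_size": file_size,
        "header_size": header_size,
        "data_size": data_size,
        "data_off": data_off,
        "actual_size": len(buf),
    }


def header_anomalies(hdr: dict) -> list:
    """Return a list of header inconsistencies; an empty list means the header is self-consistent."""
    findings = []
    # The condition from the issue: the data section cannot end beyond the file.
    if hdr["data_off"] + hdr["data_size"] > hdr["file_size"]:
        findings.append("data section extends past declared file_size")
    # A packer that appends or strips payload often leaves file_size stale.
    if hdr["file_size"] != hdr["actual_size"]:
        findings.append("declared file_size differs from actual length")
    if hdr["header_size"] != DEX_HEADER_SIZE:
        findings.append("non-standard header_size")
    return findings


def scan(buf: bytes) -> list:
    """Convenience wrapper: parse then check."""
    return header_anomalies(parse_dex_header(buf))


def build_sample(file_size: int, data_size: int, data_off: int, total_len: int = None) -> bytes:
    """Constructed test input (hypothetical, not a real sample): a minimal DEX
    header with only the fields this check reads filled in."""
    hdr = bytearray(DEX_HEADER_SIZE)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<II", hdr, 0x20, file_size, DEX_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0x28, 0x12345678)  # endian_tag for little-endian
    struct.pack_into("<II", hdr, 0x68, data_size, data_off)
    total_len = file_size if total_len is None else total_len
    return bytes(hdr) + b"\x00" * max(0, total_len - DEX_HEADER_SIZE)


if __name__ == "__main__":
    clean = build_sample(file_size=0x1000, data_size=0x800, data_off=0x800)
    packed = build_sample(file_size=0x1000, data_size=0x2000, data_off=0x800)
    for name, sample in (("clean", clean), ("packed", packed)):
        print(name, scan(sample) or ["no anomalies"])
```

Run it against a real classes.dex by reading the file into `buf` and calling `scan(buf)`; the check only needs the first 0x70 bytes plus the total length, so it is cheap enough to apply to every dex inside an APK.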

@ReBensk ReBensk added the detection-issue Bad detection or no detection label Oct 2, 2023
@enovella
Collaborator

enovella commented Oct 2, 2023

Hi @ReBensk ,

I don't have a VT subscription, could you share these files in a ZIP file over here? Thanks

Edu

@ReBensk
Contributor Author

ReBensk commented Oct 2, 2023

Sample1.zip
Sample2.zip
Samples Uploaded

@enovella
Collaborator

Hi @ReBensk ,

I will try to create rules for this packer. Could you tell me unique patterns in these samples? And a made up name for it too?

@ReBensk
Contributor Author

ReBensk commented Oct 10, 2023

rule Detect_Custom_Packer {
    strings:
        $aes_type = "AESTYPE"
        $aes_string = "AES"
        $encodeStr_func = "encodeStr"
        $g_pass = "globalPass"
        $e_pass = "encodePass"
        $encodeToMD516_func = "encodeToMD516"
        $encodeToMD5 = "encodeToMD5"

    condition:
        any of them
}

@enovella
Collaborator

enovella commented Oct 19, 2023

rule Detect_Custom_Packer {
    strings:
        $aes_type = "AESTYPE"
        $aes_string = "AES"
        $encodeStr_func = "encodeStr"
        $g_pass = "globalPass"
        $e_pass = "encodePass"
        $encodeToMD516_func = "encodeToMD516"
        $encodeToMD5 = "encodeToMD5"

    condition:
        any of them
}

This rule will produce many false positives due to the condition any of them with non-unique strings such as AES. What about all of them or 5 of them? Do you have opcodes, asset files, or other fingerprints instead of only-strings?

Lately, I don't get free time to look into this, feel free to pull-request any rule you want to and I will attempt reviewing it. Thanks for opening this ticket.

--Edu
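One way to act on the review above is to tie the string set to the structural fingerprint from the original report rather than to a single common string. The rule below is an added example, not APKiD's rule and not the one submitted in the thread: it requires the DEX magic, the data_off + data_size > file_size header anomaly, and five of the thread's six specific strings, dropping the bare "AES" string that the reviewer flagged as non-unique. The rule name and the meta block are my own choices.

```yara
rule Custom_Packer_Header_Anomaly
{
    meta:
        description = "Added example: DEX header anomaly plus a stricter string count"

    strings:
        $aes_type = "AESTYPE"
        $encodeStr_func = "encodeStr"
        $g_pass = "globalPass"
        $e_pass = "encodePass"
        $encodeToMD516_func = "encodeToMD516"
        $encodeToMD5 = "encodeToMD5"

    condition:
        // "dex\n" magic read as a little-endian uint32 at offset 0
        uint32(0) == 0x0A786564 and
        // data_off (0x6C) + data_size (0x68) must not exceed file_size (0x20);
        // a custom packer that appends its payload breaks this invariant
        uint32(0x6C) + uint32(0x68) > uint32(0x20) and
        // most of the specific strings, never the rule firing on one alone
        5 of them
}
```

Because the header test is evaluated before the string scan, a well-formed dex that merely happens to contain "encodeStr" or "encodeToMD5" no longer matches; the rule only fires when both the structural and the string evidence agree. Validate any such rule against a corpus of clean dexlib-built dex files before submitting it as a PR.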

@ReBensk ReBensk closed this as completed Oct 20, 2023
@enovella
Collaborator

@ReBensk Can you re-open the ticket and create this rule into a PR?

@enovella enovella reopened this Oct 20, 2023
@ReBensk
Contributor Author

ReBensk commented Oct 21, 2023

@ReBensk Can you re-open the ticket and create this rule into a PR?
Please refer to the ticket below, where I created a new rule:
#370
