- Here are some examples of what the tool can do.
- 1) It can dump the contents of the DEX file in human-readable form. This tends to produce a lot of output, even for relatively small DEX files, so instead of pasting an example here, I'm attaching it ZIPped. It's the classes.dex from one of the FakePlayer variants. The tool even disassembles the bytecode instructions, although it doesn't try to produce assemblable source like baksmali does. But, unlike with baksmali, you can see the actual bytecode that produced them.
- 2) It can list the names of the classes in a DEX file (and nothing else) - often this is enough to figure out whether we're dealing with a variant of some known malware or not:
- c:>dexdump -c RU.apk
- RU.apk->classes.dex (FDB84FF8125B3790011B83CC85ADCE16->A386B4B56E3E5DF95F75D3F816DD44FB)
- org.me.androidapplication1.DataHelper$OpenHelper
- org.me.androidapplication1.DataHelper
- org.me.androidapplication1.HelloWorld
- org.me.androidapplication1.MoviePlayer
- 3) It can produce identification data for each class:
- c:>dexdump RU.apk
- RU.apk->classes.dex (FDB84FF8125B3790011B83CC85ADCE16->A386B4B56E3E5DF95F75D3F816DD44FB)
- D7DDB1C1 org.me.androidapplication1.DataHelper$OpenHelper
- B74CB67C org.me.androidapplication1.DataHelper
- A1DC849D org.me.androidapplication1.HelloWorld
- CC829975 org.me.androidapplication1.MoviePlayer
- Detected: trojan://AndroidOS/FakePlayer.A (Exact)
- 4) It can run in identification-only mode, just telling you if the sample is identified exactly as something known or not:
- c:>dexdump -t RU.apk
- RU.apk->classes.dex Detected: trojan://AndroidOS/FakePlayer.A (Exact)
- 5) It can list the names of the malware it is able to identify:
- c:>dexdump -l
- trojan://AndroidOS/Adrd.A
- trojan://AndroidOS/Adrd.B
- trojan://AndroidOS/Adrd.C
- trojan://AndroidOS/Adrd.D
- trojan://AndroidOS/Adrd.E
- trojan://AndroidOS/Adrd.F
- trojan://AndroidOS/Adrd.G
- trojan://AndroidOS/Adrd.H
- trojan://AndroidOS/Adrd.I
- trojan://AndroidOS/DroidKungFu.A
- trojan://AndroidOS/DroidKungFu.B
- trojan://AndroidOS/DroidKungFu.C
- trojan://AndroidOS/DroidKungFu.D
- trojan://AndroidOS/DroidKungFu.E
- trojan://AndroidOS/DroidKungFu.F
- trojan://AndroidOS/FakePlayer.A
- trojan://AndroidOS/FakePlayer.B
- trojan://AndroidOS/FakePlayer.C
- trojan://AndroidOS/FakePlayer.D
- trojan://AndroidOS/FakePlayer.E
- trojan://AndroidOS/FakePlayer.F
- trojan://AndroidOS/GGTracker.A
- trojan://AndroidOS/GGTracker.B
- trojan://AndroidOS/Lovetrap.A
- trojan://AndroidOS/MobileSpy.A
- trojan://AndroidOS/MobileSpy.B
- trojan://AndroidOS/MobileSpy.C
- trojan://AndroidOS/MobileSpy.D
- trojan://AndroidOS/MobileSpy.E
- trojan://AndroidOS/MobileSpy.F
- trojan://AndroidOS/MobileSpy.G
- trojan://AndroidOS/MobileSpy.H
- trojan://AndroidOS/MobileSpy.I
- trojan://AndroidOS/MobileSpy.J
- trojan://AndroidOS/MobileSpy.K
- trojan://AndroidOS/MobileSpy.L
- trojan://AndroidOS/NikiSpy.A
- trojan://AndroidOS/TapSnake.A
- trojan://AndroidOS/Zitmo.A
- 6) It can check its database for duplicates:
- c:>dexdump -k
- Database OK.
- Read the documentation for information on where to get the latest official version of the database for it.
- The syntax of the above commands assumes you're using the script under Windoze. Linux weenies will have to use it as a script file specified when invoking Perl:
- $ perl -f dexdump.bat [options] arguments...
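As an added illustration of what feature 2 and the hash header involve (this is not the tool's own Perl code, which is not on this page), here is a Python re-implementation of the `-c` listing: it pulls `classes.dex` out of the APK, walks the DEX string/type/class_def tables to recover the class names, and builds the `apk->classes.dex (MD5->MD5)` line shown above. The per-class identification values of feature 3 use a scheme the page does not describe, so they are not reproduced; `build_sample_apk` constructs a minimal synthetic DEX so the code runs offline.

```python
import hashlib, io, struct, zipfile
def _uleb128(buf, off):
    """Decode one ULEB128 value at buf[off]; return (value, next_offset)."""
    val = shift = 0
    while True:
        b, off = buf[off], off + 1
        val |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return val, off

def dex_class_names(dex):
    """Dotted names of every class in a DEX image; header has (size, offset) pairs at 0x38/0x40/0x60."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    (_, str_off), (_, typ_off), (cls_n, cls_off) = (struct.unpack_from("<II", dex, a) for a in (0x38, 0x40, 0x60))
    names = []
    for i in range(cls_n):  # class_def_item is 32 bytes; its first field is class_idx
        class_idx, = struct.unpack_from("<I", dex, cls_off + 32 * i)
        desc_idx, = struct.unpack_from("<I", dex, typ_off + 4 * class_idx)  # type_id -> descriptor string
        data_off, = struct.unpack_from("<I", dex, str_off + 4 * desc_idx)   # string_id -> string_data
        _, p = _uleb128(dex, data_off)  # skip utf16_size; NUL-terminated MUTF-8 text follows
        desc = dex[p:dex.index(b"\0", p)].decode("utf-8")  # e.g. "Lorg/me/Foo$Bar;"
        names.append(desc[1:-1].replace("/", "."))
    return names

def dump_apk(apk_bytes, apk_name):
    """Mimic `dexdump -c`: the '<apk>->classes.dex (MD5(apk)->MD5(dex))' line plus the class list."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex = z.read("classes.dex")
    md5 = lambda b: hashlib.md5(b).hexdigest().upper()
    return "%s->classes.dex (%s->%s)" % (apk_name, md5(apk_bytes), md5(dex)), dex_class_names(dex)

def build_sample_apk(descriptors):
    """Constructed input, not a real sample: a minimal DEX with only the tables read above, zipped."""
    n = len(descriptors)
    str_off, typ_off, cls_off = 0x70, 0x70 + 4 * n, 0x70 + 8 * n
    data, str_ids = b"", b""
    for d in descriptors:
        str_ids += struct.pack("<I", cls_off + 32 * n + len(data))
        data += bytes([len(d)]) + d.encode() + b"\0"  # one-byte ULEB128 length suffices here
    hdr = bytearray(b"dex\n035\0" + b"\0" * 0x68)
    for at, off in ((0x38, str_off), (0x40, typ_off), (0x60, cls_off)):
        struct.pack_into("<II", hdr, at, n, off)
    dex = bytes(hdr) + str_ids + struct.pack("<%dI" % n, *range(n)) \
        + b"".join(struct.pack("<I", i) + b"\0" * 28 for i in range(n)) + data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("classes.dex", dex)
    return buf.getvalue()
```

Run it on a real APK by passing the file's bytes and name to `dump_apk`; the hashes are uppercase hex, as in the tool's output.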
- Here is an example (from the documentation) of what an announcement should look like.
- One of the Adrd variants in my collection - I'm arbitrarily calling it Adrd.A. It comes in the following Trojanized file:
- geinimi.apk->classes.dex (5192AD05597E7A148F642BE43F6441F6->5F86B2E2C2D6BCCA1F580F9B5F444F6D)
- com.tat.cascadeswallpaper.android.CascadesWallpaperService$CascadesEngine$1
- com.tat.cascadeswallpaper.android.CascadesWallpaperService$CascadesEngine
- com.tat.cascadeswallpaper.android.CascadesWallpaperService$Config
- com.tat.cascadeswallpaper.android.CascadesWallpaperService
- com.tat.cascadeswallpaper.android.Log
- com.tat.livewallpaper.dandelion.Dandelion$1
- com.tat.livewallpaper.dandelion.Dandelion$2
- com.tat.livewallpaper.dandelion.Dandelion
- com.xxx.yyy.APNMatchTools$APNNet
- com.xxx.yyy.APNMatchTools
- com.xxx.yyy.ApkReceiver
- com.xxx.yyy.BBBB$LogRedirectHandler
- com.xxx.yyy.BBBB
- com.xxx.yyy.CustomBroadcastReceiver$CustomPhoneStateListener
- com.xxx.yyy.CustomBroadcastReceiver
- com.xxx.yyy.GZipInputStream
- com.xxx.yyy.GZipOutputStream
- com.xxx.yyy.MyAlarmReceiver
- com.xxx.yyy.MyBoolService
- com.xxx.yyy.MyService$APN
- com.xxx.yyy.MyService
- com.xxx.yyy.MyTools
- com.xxx.yyy.NetWorkReceiver
- com.xxx.yyy.UpdateHelper
- com.xxx.yyy.ZipHelper
- com.xxx.yyy.ZipIntMultShortHashMap$Element
- com.xxx.yyy.ZipIntMultShortHashMap
- com.xxx.yyy.ZipUtil
- com.xxx.yyy.adad$1
- com.xxx.yyy.adad
- com.xxx.yyy.ddda
- com.xxx.yyy.qzl$1
- com.xxx.yyy.qzl
- You can see the MD5 hashes of the APK file itself and of the classes.dex file inside it. They are the two values in parentheses, the APK hash first.
- The malware itself resides in the com.xxx.yyy.* subtree of classes. Here is the identification data for it:
- trojan://AndroidOS/Adrd.A
- 7E8BE144 com.xxx.yyy.APNMatchTools$APNNet
- 08EA684E com.xxx.yyy.APNMatchTools
- A490446D com.xxx.yyy.ApkReceiver
- 3902FF59 com.xxx.yyy.BBBB$LogRedirectHandler
- 25B4A7E3 com.xxx.yyy.BBBB
- 7E4A5825 com.xxx.yyy.CustomBroadcastReceiver$CustomPhoneStateListener
- 8D27A0C1 com.xxx.yyy.CustomBroadcastReceiver
- 5CAB2F0B com.xxx.yyy.GZipInputStream
- 016FD1D4 com.xxx.yyy.GZipOutputStream
- DC1AC823 com.xxx.yyy.MyAlarmReceiver
- EC712BE9 com.xxx.yyy.MyBoolService
- E4EA5C7B com.xxx.yyy.MyService$APN
- 092E62A6 com.xxx.yyy.MyService
- B6EB634B com.xxx.yyy.MyTools
- 9C18FE76 com.xxx.yyy.NetWorkReceiver
- E468FE5A com.xxx.yyy.UpdateHelper
- 7ED8B247 com.xxx.yyy.ZipHelper
- 96088089 com.xxx.yyy.ZipIntMultShortHashMap$Element
- B780C5D6 com.xxx.yyy.ZipIntMultShortHashMap
- 9C230B97 com.xxx.yyy.ZipUtil
- 3CE2C554 com.xxx.yyy.adad$1
- 123631AD com.xxx.yyy.adad
- 0979EFEB com.xxx.yyy.ddda
- 485C4EDE com.xxx.yyy.qzl$1
- BE451A3A com.xxx.yyy.qzl