You might want to read my prior articles on Android/BianLian first: unpacking, payload, fake server.
There was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C&C?
Having worked on the samples for several days, I noticed they weren’t always heading to the same website: hxxp://rheacollier31532[.]website, hxxp://shanehook85484[.]website etc.
So, where do those names come from? Is this from a Domain Generation Algorithm (DGA)? or are they hidden in an asset?
Answer: the active C&C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another:
The json page actually contains a Base64-encoded JSON object with the C&C’s URL:
$ curl https://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c868/raw/helloworld.jsoneyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUi
$ echo "eyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUiXX0K" | base64 -d
How does the code work?
- At first, the code sets a Property with a decrypted admin URL.
2. Actually, as the shared preferences file has no C&C yet, this will actually return a dummy C&C https://www.google.com
3. The real C&C is retrieved from the init procedureI have renamed methods for better readability. The original name of the method is com.pmmynubv.nommztx.bot.g.b
4. The code retrieves the “domains” parameter of the JSON
5. Finally, the code sets the URL in the shared preferences.The code reads the “domains” part of the JSON object (readUrl), removes the trailing / if necessary, and finally writes the URL down in its configuration. The original name of this method is com.pmmynubv.nommztx.bot.g.a
Conclusion: there is no DGA algorithm. It is just a hard-coded remote URL serving an updated C&C name.
— the Crypto Girl
Article Link: BianLian C&C domain name. You might want to read my prior… | by @cryptax | Jan, 2022 | Medium