{"id":464,"date":"2016-03-18T15:05:32","date_gmt":"2016-03-18T23:05:32","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=464"},"modified":"2018-12-19T13:37:16","modified_gmt":"2018-12-19T21:37:16","slug":"deobfuscating-android-triada-malware","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/deobfuscating-android-triada-malware\/","title":{"rendered":"Deobfuscating Android Triada malware"},"content":{"rendered":"<p>The <a href=\"http:\/\/www.securityweek.com\/triada-trojan-most-advanced-mobile-malware-yet-kaspersky\" target=\"_blank\">Triada malware<\/a>\u00a0has received a lot of news coverage recently. Kaspersky was one of the first firms to publish <a href=\"https:\/\/blog.kaspersky.com\/triada-trojan\/11481\/\" target=\"_blank\">an analysis of this Trojan<\/a> earlier last week.<\/p>\n<p>The code is obfuscated, and most strings are encrypted. The string encryption algorithm is trivial, but it varies from class to class: each byte is incremented or decremented by a constant, which is either hard-coded in the class's default decryptor method or retrieved via calls to other methods. The result is something quite annoying to handle if you decide to perform a serious static analysis of the file.<\/p>\n<figure style=\"width: 1340px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2924cce8c22ae9b8ab0813076695b2ac.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2924cce8c22ae9b8ab0813076695b2ac.png\" alt=\"\" width=\"1340\" height=\"752\" \/><\/a><figcaption class=\"wp-caption-text\">Encrypted string buffers in Triada. 
Decryption routines can be seen in the decompiled class on the right-hand side.<\/figcaption><\/figure>\n<p>Our intern Ruoxiao Wang wrote\u00a0<a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-samplecode\/blob\/master\/scripts\/malware_analysis\/TriadaStringDecryptor.py\" target=\"_blank\">a very handy decryption script<\/a> for Triada. It needs customizing on a per-class basis (the decryption keys are not retrieved automatically), but the overall effort is a couple of seconds versus hours spent doing tedious and repetitive semi-manual work.<\/p>\n<p>The script decrypts the encrypted byte arrays and replaces the decompiled Java fields supposedly holding the final strings with their actual values, as seen in the picture below.<\/p>\n<figure style=\"width: 1106px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2d64bf5730a3a8ca64d476198c790126.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2016\/03\/2d64bf5730a3a8ca64d476198c790126.png\" alt=\"\" width=\"1106\" height=\"652\" \/><\/a><figcaption class=\"wp-caption-text\">Decrypted strings. Comments (in the left-side red box) indicate that no use of the string was found via xrefs. The right-side red box shows updated String fields after decryption.<\/figcaption><\/figure>\n<p>The script can also be used as a tutorial on how to use the <a href=\"https:\/\/www.pnfsoftware.com\/jeb\/apidoc\/reference\/com\/pnfsoftware\/jeb\/core\/units\/code\/java\/package-summary.html\" target=\"_blank\">JEB Java AST API<\/a>\u00a0to look for and modify the AST of decompiled code. 
 (More examples can be seen in our <a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-samplecode\/tree\/master\/scripts\" target=\"_blank\">GitHub sample script repo<\/a>.)<\/p>\n<p style=\"text-align: center;\"><strong>Download the Triada decryptor script here:<br \/>\n<a href=\"https:\/\/github.com\/pnfsoftware\/jeb2-samplecode\/blob\/master\/scripts\/malware_analysis\/TriadaStringDecryptor.py\" target=\"_blank\">TriadaStringDecryptor.py<\/a><\/strong><\/p>\n<p>(Specific instructions are located in the script header.)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Triada malware\u00a0has received a lot of news coverage recently. Kaspersky was one of the first firms to publish an analysis of this Trojan earlier last week. The code is obfuscated, and most strings are encrypted. The string encryption algorithm is trivial, but ever-changing across classes: bytes are incremented or decremented by constant values, either &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/deobfuscating-android-triada-malware\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Deobfuscating Android Triada 
malware<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[15,9,8,2],"tags":[],"class_list":["post-464","post","type-post","status-publish","format-standard","hentry","category-android","category-api-jeb2","category-jeb2","category-malware"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/464","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=464"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/464\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=464"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=464"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=464"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
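The post describes Triada's string encryption as a per-class constant added to or subtracted from every byte, with the constant living in the class's default decryptor or fetched through other methods, and notes that the JEB script must be told that constant for each class. The following stand-alone Python block is an added example, not code from the post or from TriadaStringDecryptor.py (which runs inside JEB and edits the decompiled AST). It implements the byte-shift decryption with Java's 8-bit wrap-around, decrypts all fields of one "class" once its constant is known, and goes one step beyond the post by showing two ways to recover a constant that was not read off the decompiler: a crib (a substring you expect in the plaintext) and a ranking of all 256 offsets by how many output bytes look like package names, URLs or paths. The sample fields, the constant 7 and the LIKELY byte set are constructed for this example and are not taken from a Triada sample.

```python
"""Added example, not code from the original post or TriadaStringDecryptor.py.

Models the string encryption the post describes: every byte of a buffer is
shifted by a per-class constant (an increment or a decrement), and the class's
decryptor undoes the shift. Also shows two ways to recover that constant when
it was not read off the decompiled decryptor. All buffers below are
constructed for this example; they are not taken from a Triada sample.
"""
from __future__ import annotations

import string

# Bytes typical of the strings this kind of malware hides (class and package
# names, URLs, file paths). Assumed here purely to rank candidate keys.
LIKELY = set((string.ascii_letters + string.digits + "./:_-").encode())


def shift_bytes(buf: bytes, delta: int) -> bytes:
    """Add `delta` to each byte modulo 256; a negative delta decrements.
    The mask reproduces Java's byte wrap-around (0xff + 1 -> 0x00)."""
    return bytes((b + delta) & 0xFF for b in buf)


def decrypt(buf: bytes, delta: int) -> bytes:
    """Reverse an encryption that added `delta` to every byte."""
    return shift_bytes(buf, -delta)


def recover_delta_with_crib(buf: bytes, crib: bytes) -> list[int]:
    """Every offset under which `crib` occurs in the decrypted output."""
    return [d for d in range(256) if crib in decrypt(buf, d)]


def rank_deltas(buf: bytes) -> list[int]:
    """All 256 offsets, best first: most LIKELY bytes, ties broken by smaller offset."""
    def score(d: int) -> int:
        return sum(b in LIKELY for b in decrypt(buf, d))
    return sorted(range(256), key=lambda d: (-score(d), d))


def decrypt_class_fields(fields: dict[str, bytes], delta: int) -> dict[str, str]:
    """Decrypt every encrypted field of one class with that class's constant.
    Non-UTF-8 output stays visible via backslash escapes instead of raising."""
    return {name: decrypt(buf, delta).decode("utf-8", "backslashreplace")
            for name, buf in fields.items()}


# Constructed sample "class": three string fields encrypted by adding 7 to
# every byte. The constant and the strings are made up for this example.
SAMPLE_DELTA = 7
SAMPLE_PLAINTEXTS = {
    "a": b"http://example.com/api/v1",
    "b": b"com.example.Loader",
    "c": b"/data/local/tmp",
}
SAMPLE_FIELDS = {k: shift_bytes(v, SAMPLE_DELTA) for k, v in SAMPLE_PLAINTEXTS.items()}


if __name__ == "__main__":
    # Case 1: the constant was read off the decompiled decryptor method.
    for name, value in decrypt_class_fields(SAMPLE_FIELDS, SAMPLE_DELTA).items():
        print(f"{name} = {value!r}")
    # Case 2: the constant is unknown; a crib narrows it to one candidate.
    print("crib candidates:", recover_delta_with_crib(SAMPLE_FIELDS["a"], b"http"))
    # Case 3: no crib; rank offsets by character class and take the best.
    print("best ranked delta:", rank_deltas(SAMPLE_FIELDS["a"])[0])
```

The crib check is exact and cheap, so prefer it whenever one field of a class is predictable (a well-known package name, "http", a path under /data). The ranking is a heuristic: on very short buffers several offsets can tie, so treat its first candidate as a suggestion to confirm against the decompiled decryptor rather than as the answer.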