[DETECTION] JiaguK packer (classes.dex) detection #374

ReBensk · 2023-11-01T17:40:29Z

Describe the detection issue
The apk samples classes.dex files are packed but this is not detected by APKiD 2.1.5
From the classes.dex file structure
-> data_size(offset 0x68) + data_off(offset 0x6C) > file_size (offset 0x20)
packer code starts after the end of the data directory.
The packer using xor key 0x69 to decrypt data

APKiD current results...

[+] APKiD 2.1.5 :: from RedNaga :: rednaga.io
[*] /root/Desktop/Samples/Jiagu/Sample1.apk!classes.dex
 |-> compiler : unknown (please file detection issue!)
[*] /root/Desktop/Samples/Jiagu/Sample1.apk!assets/l16f56f57_a64.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample1.apk!assets/l16f56f57_a32.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample1.apk!assets/l16f56f57_x64.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample1.apk!assets/l16f56f57_x86.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample2.apk!classes.dex
 |-> compiler : unknown (please file detection issue!)
[*] /root/Desktop/Samples/Jiagu/Sample2.apk!assets/l676efb5b_a64.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample2.apk!assets/l676efb5b_a32.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample2.apk!assets/l676efb5b_x64.so
 |-> protector : Virbox
[*] /root/Desktop/Samples/Jiagu/Sample2.apk!assets/l676efb5b_x86.so
 |-> protector : Virbox

Detection rule:

rule jiagu_k : packer
{
  meta:
    description = "Jiagu K"
    sample1     = "aa666b75ffb3588dd41c8e546d53e353cda67cf278b167c7737b1169262856bb"
    sample2     = "d9baf66e7ac116a8c68599ef16fae5397ac4fd0847e2fcfe3ee2c155ecf4f850"

  strings:
    
    $attachBaseContextOpcodes = {

      7502 0100 1700   //invoke-super/range {v23, v24}, Landroid/app/Application;.attachBaseContext:(Landroid/content/Context;)V // method@0001
      6901 ????        //sput-object v1, Lv45e7a802/l45e7a802;.i:Landroid/content/Context; // field@000c
      7401 ???? 1800   //invoke-virtual/range {v24}, Landroid/content/Context;.getFilesDir:()Ljava/io/File; // method@0008
      0c03             //move-result-object v3
      6e10 ???? 0300   //invoke-virtual {v3}, Ljava/io/File;.getAbsolutePath:()Ljava/lang/String; // method@001b
      0c03             //move-result-object v3
      2204 ????        //new-instance v4, Ljava/io/File; // type@0015
      7020 ???? 3400   //invoke-direct {v4, v3}, Ljava/io/File;.<init>:(Ljava/lang/String;)V // method@0018
      6e10 ???? 0400   //invoke-virtual {v4}, Ljava/io/File;.exists:()Z // method@001a
      0a05             //move-result v5
      3905 0500        //if-nez v5, 0021 // +0005
      6e10 ???? 0400   //invoke-virtual {v4}, Ljava/io/File;.mkdir:()Z // method@001c
      2204 ????        //new-instance v4, Ljava/lang/StringBuilder; // type@0025
      7010 ???? 0400   //invoke-direct {v4}, Ljava/lang/StringBuilder;.<init>:()V // method@003c
      6e20 ???? 3400   //invoke-virtual {v4, v3}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d
      1243             //const/4 v3, #int 4 // #4
      2335 ????        //new-array v5, v3, [B // type@0036
      2605 ???? 0000   //fill-array-data v5, 0000075a // +0000072e
      7110 ???? 0500   //invoke-static {v5}, Lv45e7a802/l45e7a802;.h:([B)Ljava/lang/String; // method@0067
      0c05             //move-result-object v5
      6e20 ???? 5400   //invoke-virtual {v4, v5}, Ljava/lang/StringBuilder;.append:(Ljava/lang/String;)Ljava/lang/StringBuilder; // method@003d
      6e10 ???? 0400   //invoke-virtual {v4}, Ljava/lang/StringBuilder;.toString:()Ljava/lang/String; // method@003e
      0c04             //move-result-object v4
      2205 ????        //new-instance v5, Ljava/io/File; // type@0015
      7020 ???? 4500   //invoke-direct {v5, v4}, Ljava/io/File;.<init>:(Ljava/lang/String;)V // method@0018
      6e10 ???? 0500   //invoke-virtual {v5}, Ljava/io/File;.exists:()Z // method@001a
      0a06             //move-result v6
      3906 0500        //if-nez v6, 0048 // +0005
      6e10 ???? 0500   //invoke-virtual {v5}, Ljava/io/File;.mkdir:()Z // method@001c
      7401 0500 1700   //invoke-virtual/range {v23}, Landroid/app/Application;.getPackageName:()Ljava/lang/String; // method@0005
      0c05             //move-result-object v5  
    }
 
    /**    
        public static String h(byte[] bArr) {
            for (int i2 = 0; i2 < bArr.length; i2++) {
                 bArr[i2] = (byte) (bArr[i2] ^ 105);
            }
            return new String(bArr, 0, bArr.length);
        }
    */

    $xor_key = {
      1200             //const/4 v0, #int 0 // #0 
      1201             //const/4 v1, #int 0 // #0
      2132             //array-length v2, v3
      3521 0c00        //if-ge v1, v2, 000f // +000c
      4802 0301        //aget-byte v2, v3, v1
      df02 0269        //xor-int/lit8 v2, v2, #int 105 // #69
      8d22             //int-to-byte v2, v2
      4f02 0301        //aput-byte v2, v3, v1
      d801 0101        //add-int/lit8 v1, v1, #int 1 // #01
      28f4             //goto 0002 // -000c
      2201 ????        //new-instance v1, Ljava/lang/String; // type@0024
      2132             //array-length v2, v3
      7040 ???? 3120   //invoke-direct {v1, v3, v0, v2}, Ljava/lang/String;.<init>:([BII)V // method@0035
      1101             //return-object v1
    }
  
  condition:
  
    is_dex and all of them
}

The text was updated successfully, but these errors were encountered:

enovella · 2023-11-02T16:25:42Z

Please format the code properly ( I edited your post, please edit and observe how to format code properly)

enovella · 2023-11-02T16:27:31Z

This rule could match many other apps. Could you please find unique patterns with this packer?

enovella · 2023-11-02T16:28:54Z

Can you pull-request this rule?

ReBensk · 2023-11-02T17:22:43Z

This rule could match many other apps. Could you please find unique patterns with this packer?

Yes, I agree, These apps are using a unique xor key value 0x69 and also i noticed this string "Virbox" in all the samples (classes.dex), if you want to add this string I will, so the detection logic becomes ( jiagu packer + virbox protector ) Is it ok ?

ReBensk · 2023-11-03T08:26:07Z

Created pull-request for the rule - jiagu_k : packer
#375

enovella · 2023-11-03T18:21:25Z

This rule could match many other apps. Could you please find unique patterns with this packer?

Yes, I agree, These apps are using a unique xor key value 0x69 and also i noticed this string "Virbox" in all the samples (classes.dex), if you want to add this string I will, so the detection logic becomes ( jiagu packer + virbox protector ) Is it ok ?

Unique fingerprints are crucial to avoid false positives, if you always encountered the string Virbox or whateverStringYouWantToThinkOf please combine it with your opcodes in the rules.

ReBensk · 2023-11-05T14:25:31Z

Included the class name "Lvirbox/StubApp"

ReBensk added the detection-issue Bad detection or no detection label Nov 1, 2023

ReBensk mentioned this issue Nov 3, 2023

JiaguK - packer #375

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[DETECTION] JiaguK packer (classes.dex) detection #374

[DETECTION] JiaguK packer (classes.dex) detection #374

ReBensk commented Nov 1, 2023 •

edited by enovella

Loading

enovella commented Nov 2, 2023 •

edited

Loading

enovella commented Nov 2, 2023

enovella commented Nov 2, 2023

ReBensk commented Nov 2, 2023

ReBensk commented Nov 3, 2023

enovella commented Nov 3, 2023

ReBensk commented Nov 5, 2023

[DETECTION] JiaguK packer (classes.dex) detection #374

[DETECTION] JiaguK packer (classes.dex) detection #374

Comments

ReBensk commented Nov 1, 2023 • edited by enovella Loading

enovella commented Nov 2, 2023 • edited Loading

enovella commented Nov 2, 2023

enovella commented Nov 2, 2023

ReBensk commented Nov 2, 2023

ReBensk commented Nov 3, 2023

enovella commented Nov 3, 2023

ReBensk commented Nov 5, 2023

ReBensk commented Nov 1, 2023 •

edited by enovella

Loading

enovella commented Nov 2, 2023 •

edited

Loading