# BlackRoseLucy

### 01. Introduction

> BlackRoseLucy is an Android trojan found in the wild. The malware is known to collect data from infected phones and turn them into remote-controlled bots. You have to find out the address of the Command & Control (CC) server controlling the bots, and you will find out more about the name of the malware. The address is "hard coded".

**Requirements**:

* Download the APK (Android Package).
* Decompile the APK (jadx).
* Analyze the Java code.

Your goal is to find the CC server address (protocol, IP, port) in the decompiled code.

**APK File**:

{% embed url="https://www.dropbox.com/s/hs28j1zpdddtict/BlackRoseLucy.zip?dl=0" %}

### 02. Analysis

Like in the last few exercises I'll check the permissions first:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fe25bulYZbGWjsytD7GWa%2FBlackRoseLucy01.png?alt=media&token=aeff6334-eaf7-41cd-b230-c2b9bbd1bff8)

Next I'll decompile the package using jadx-gui.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FyyKdApwOwbx6RjTsavI0%2FBlackRoseLucy02.png?alt=media&#x26;token=9f122822-041f-4a01-bb35-618e2745d414" alt=""></div>

This time I couldn't find any strings that point to a URL, so I use the search function to look for the terms "http://" and "https://" inside the code:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FqOPc78HmJ7bxQkndBkMb%2FBlackRoseLucy03.png?alt=media&#x26;token=965c90d7-907a-46bc-aceb-3c2ac9915961" alt=""></div>

I get two results that look interesting:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F2zSSDQO4607QYe8vx4yO%2FBlackRoseLucy04.png?alt=media&#x26;token=68e6be4d-bde7-4189-a9f0-e50f4e402d18" alt=""></div>

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FXBc2AL8n17GDbGEALBHB%2FBlackRoseLucy05.png?alt=media&token=20d65eea-e3fc-4424-85d8-230e7c6ab0de)
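The manual string search above can be automated over the whole jadx output tree. The script below is an added example, not part of the original writeup or of the challenge: it assumes jadx has written the sources to a directory such as `out/sources`, and the embedded Java snippet is constructed to mimic the kind of literal found in this exercise.

```python
import re
from pathlib import Path

# A complete endpoint literal as it appears in decompiled Java:
# scheme, host (domain or IPv4) and optional port, e.g. "https://host:443/api/"
URL_RE = re.compile(
    r'"(?P<scheme>https?|wss?|ftp|tcp)://'
    r'(?P<host>[A-Za-z0-9.-]+)'
    r'(?::(?P<port>\d{1,5}))?'
    r'(?P<path>[^"\s]*)"'
)
# A bare scheme literal ("https://") means the address is assembled at runtime
# by string concatenation; worth flagging because the host lives elsewhere.
PARTIAL_RE = re.compile(r'"(https?|wss?)://"')
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443, "ftp": 21}

def find_endpoints(java_source: str):
    """Return (scheme, host, port) for every full URL literal in one Java file.
    The port falls back to the scheme's default when it is not explicit."""
    hits = []
    for m in URL_RE.finditer(java_source):
        scheme = m.group("scheme").lower()
        port = int(m.group("port")) if m.group("port") else DEFAULT_PORTS.get(scheme)
        hits.append((scheme, m.group("host").lower(), port))
    return hits

def find_partial_schemes(java_source: str):
    """Return the schemes of bare '"https://"'-style literals (concatenation sites)."""
    return [m.group(1).lower() for m in PARTIAL_RE.finditer(java_source)]

def scan_jadx_output(root: str):
    """Walk a jadx output tree and map each endpoint to the files that contain it."""
    found = {}
    for path in Path(root).rglob("*.java"):
        for ep in find_endpoints(path.read_text(errors="ignore")):
            found.setdefault(ep, set()).add(str(path))
    return found

# Constructed sample: mimics the literals seen in the exercise, not real decompiled code.
SAMPLE = '''
public class Config {
    static final String BASE = "https://thelucy.top:443/api/";
    static final String FALLBACK = "http://10.0.2.2:8080/";
    static final String DOC = "see https://developer.android.com";  // not a URL literal
}
'''

if __name__ == "__main__":
    for scheme, host, port in find_endpoints(SAMPLE):
        print(f"{scheme}://{host}:{port}")
```

Run `scan_jadx_output("out/sources")` on a real jadx export to get the same listing across every class at once.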

I'll upload the APK file to VirusTotal and get this graph:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FKo7zuROhfzc8dV5LzCdP%2Fcc_server03.png?alt=media&#x26;token=aad9e416-3fd6-4f0b-abd5-c746d442cfcb" alt=""></div>

Possible CC server:

* Host: thelucy.top
* Port: 443
