BlackRoseLucy
01. Introduction
BlackRoseLucy is an Android trojan found in the wild. The malware is known to collect data from infected phones and to turn them into remotely controlled bots. Your task is to find the address of the Command & Control (CC) server that controls the bots; along the way you will learn where the malware's name comes from. The address is "hard coded".
Requirements
- Download the APK (Android Package).
- Decompile the APK (jadx).
- Analyze the Java code.
Your goal is to find the CC server address (protocol, IP, port) in the decompiled code.
APK File:
02. Analysis
As in the last few exercises, I check the permissions first:

Next I decompile the package with jadx-gui.

This time I couldn't find any string that points to a URL at first glance, so I use the search function and look for the terms "http://" and "https://" inside the code:

I get two results that look interesting:


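The search step above can be automated once the APK has been decompiled with the jadx command line (`jadx -d out app.apk` writes the Java sources to `out/sources`). The script below is an added example and not part of the original write-up: it walks a tree of decompiled `.java` files, pulls every `http://` or `https://` string literal, drops the Android schema URLs that show up in nearly every app, and reports protocol, host and port (filling in 80/443 when the URL does not name a port). The directory layout, class names and URLs in `SAMPLE_SOURCES` are constructed for the demonstration and are not taken from the BlackRoseLucy sample.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Constructed stand-in for two jadx output files (example data, not the real malware).
SAMPLE_SOURCES = {
    "com/example/net/Api.java": '''
        public class Api {
            private static final String BASE = "https://c2.example.test/api/v1";
            private static final String FALLBACK = "http://203.0.113.7:8080/ping";
            private static final String NS = "http://schemas.android.com/apk/res/android";
        }
    ''',
    "com/example/ui/Main.java": '''
        public class Main {
            String s = "no urls here";
        }
    ''',
}

# Match a double-quoted Java string literal that starts with http:// or https://.
URL_RE = re.compile(r'"(https?://[^"\s]+)"')
DEFAULT_PORTS = {"http": 80, "https": 443}
# XML namespace URLs that appear in almost every Android project; not C2 candidates.
NOISE_HOSTS = {"schemas.android.com", "www.w3.org"}


def find_urls(sources):
    """Return unique (protocol, host, port) hits found in a {path: java_source} mapping."""
    hits, seen = [], set()
    for path, text in sources.items():
        for match in URL_RE.finditer(text):
            url = match.group(1)
            parts = urlsplit(url)
            if not parts.hostname or parts.hostname in NOISE_HOSTS:
                continue
            port = parts.port or DEFAULT_PORTS[parts.scheme]
            key = (parts.scheme, parts.hostname, port)
            if key in seen:
                continue
            seen.add(key)
            hits.append({"file": path, "protocol": parts.scheme,
                         "host": parts.hostname, "port": port, "url": url})
    return hits


def load_jadx_sources(root):
    """Read every .java file under a jadx output directory (e.g. out/sources)."""
    root = Path(root)
    return {str(p.relative_to(root)): p.read_text(errors="replace")
            for p in root.rglob("*.java")}


if __name__ == "__main__":
    # Usage: python3 find_urls.py out/sources   (no argument: run on the constructed sample)
    sources = load_jadx_sources(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SOURCES
    for hit in find_urls(sources):
        print(f"{hit['protocol']}://{hit['host']}:{hit['port']}  ({hit['file']})")
```

On the constructed sample this reports `https://c2.example.test:443` and `http://203.0.113.7:8080` and skips the schema URL. Note that it only catches complete literals; a sample that assembles the URL from several pieces (concatenation, decoded byte arrays, resource strings) will not match, which is why the port and domain should still be cross-checked against network indicators such as the VirusTotal relations shown below.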
I upload the APK to VirusTotal and get this relations graph:

Possible CC server:
thelucy.top
Port: 443 (the standard HTTPS port)