BlackRoseLucy

01. Introduction

BlackRoseLucy is an Android trojan found in the wild. The malware is known to collect data from infected phones and turn them into remote-controlled bots. Your task is to find the address of the Command & Control (CC) server controlling the bots, and along the way you will find out more about the name of the malware. The address is hard-coded.

Requirements

  • Download the APK (Android Package).

  • Decompile the apk (jadx).

  • Analyze the Java code.

Your goal is to find the CC server address (protocol, IP, port) in the decompiled code.

APK File:

02. Analysis

As in the last few exercises, I'll check the permissions first:

Next I'll decompile the package by using jadx-gui.

This time I couldn't find any string that points to a URL, so I use the search function and look for the terms "http://" and "https://" inside the code:

I get two results that look interesting:
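The two steps above (reading the manifest permissions, then searching the decompiled sources for "http://" and "https://" literals) can be scripted once you have the jadx output on disk. The script below is an added example and is not part of the original write-up or of the malware itself; it assumes jadx has already decoded AndroidManifest.xml to plain XML and written the Java sources, and it works on constructed sample sources and a constructed manifest embedded inline (the hosts, IPs and ports are placeholders, not values from the real APK). It goes slightly beyond the page by also catching bare "IP:port" literals and by filtering out well-known Android/Google hosts that most apps reference legitimately.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed stand-in for jadx's decoded AndroidManifest.xml (not the real APK's manifest).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""

# Constructed stand-in for decompiled Java sources, keyed by path (hosts/IPs are placeholders).
SAMPLE_SOURCES = {
    "com/example/net/Config.java": """
package com.example.net;

public class Config {
    public static final String API = "https://c2.example.invalid:8443/api/v1/";
    private static final String FALLBACK = "http://203.0.113.10:8080/ping";
    static final String HOST = "c2.example.invalid";
    static final int PORT = 443;
}
""",
    "com/example/ui/MainActivity.java": """
package com.example.ui;

public class MainActivity {
    static final String HELP = "https://developer.android.com/";
    static final String LOG_TAG = "MainActivity";
}
""",
}

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Quoted URL literal with an http/https/ws/wss scheme, as found by searching for "http://".
URL_RE = re.compile(r'"((?:https?|wss?)://[^"\s]+)"')
# Quoted bare IPv4 literal with an optional :port, which a scheme search would miss.
HOSTPORT_RE = re.compile(r'"((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?"')
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
# Hosts almost every app references; drop them so the analyst sees only the unusual ones.
BENIGN_SUFFIXES = ("android.com", "google.com", "googleapis.com", "gstatic.com")


def declared_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names from a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NAME) for el in root.iter("uses-permission"))


def find_endpoints(sources):
    """Return one record (file, protocol, host, port) per hard-coded endpoint literal."""
    found = []
    for path, code in sources.items():
        for m in URL_RE.finditer(code):
            u = urlsplit(m.group(1))
            found.append({"file": path, "protocol": u.scheme, "host": u.hostname,
                          "port": u.port or DEFAULT_PORTS[u.scheme]})
        for m in HOSTPORT_RE.finditer(code):
            found.append({"file": path, "protocol": "unknown", "host": m.group(1),
                          "port": int(m.group(2)) if m.group(2) else None})
    return found


def suspicious_endpoints(endpoints, benign=BENIGN_SUFFIXES):
    """Drop endpoints whose host is a well-known Android/Google domain."""
    keep = []
    for e in endpoints:
        host = e["host"] or ""
        if any(host == s or host.endswith("." + s) for s in benign):
            continue
        keep.append(e)
    return keep


if __name__ == "__main__":
    print("Permissions:", ", ".join(declared_permissions(SAMPLE_MANIFEST)))
    for e in suspicious_endpoints(find_endpoints(SAMPLE_SOURCES)):
        print(f'{e["file"]}: {e["protocol"]}://{e["host"]}:{e["port"]}')
```

A bare hostname stored in one constant and its port in another (the shape of the result on this page, a domain plus a separate 443) is not joined automatically; the script surfaces the URL and IP literals, and the remaining string constants in the same class still need a manual look in jadx.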

I upload the APK file to VirusTotal and get this graph:

Possible CC Server:

thelucy.top

Port: 443
