Insights on how VPN safety keeps everyone safer on the internet

The configuration is downloaded from GitHub, Google Drive or a custom host. In my investigation I checked only GitHub and Google Drive, since that was sufficient to verify the hypothesis.

GitHub.

Let's start with GitHub. First of all, there are at least two different GitHub accounts used to store the configurations for the application.

I cloned both repositories, just in case someone needs the historical data if they are modified or deleted. It looks like both repositories are about six months old, so it would not be unexpected if new repositories are created soon. These repositories are:

The basic format of the message is an encoded string surrounded by curly braces. You may have seen one example of these in the video.


Here is how it looks. And here is the text version of one of the configs requested during startup. The decoding code is located in the native libs directory under the name libnativelib.so.

I reverse engineered the decoding algorithm and wrote the Python code that reverses it. You can download it here: decode.py. In order to decode that message, store it in a file, let's say 'data.txt', and just run the script on it like this:

The decoded string will be written to the terminal's stdout; if you want to save it to a file, just redirect the output to the output file. For example:

If we run this decoder on the encoded message given above, its output will be:

If we scroll down to the 'urls' section we can easily find the link to https://turkmenistanairlines.tm and the required time between requests of 10 seconds, which clearly lines up with our earlier observations. But there are quite a few files in the GitHub repository and a lot of different configurations. Here are the files found in the repository:

These filenames are built in a specific order.

First of all, the files have a prefix like A1, B1, …, World; this is their way to split the configurations into ISP-related configurations. And here is how it is split:

with 'tm' -> Turkmenistan, 'ru' -> Russia, 'ir' -> Iran, 'ae' -> United Arab Emirates.
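As an added Python example (not the author's decode.py, whose actual algorithm is not reproduced here), the following walks a constructed set of configuration files, applies the naming scheme above, unwraps and decodes each payload, and collects the hostnames the configurations point at, covering both this naming scheme and the walk over the configuration files and the '.gov.tm' clustering described next. The base64 stand-in, the '{>>> ... >>>}' wrapper layout, the file name regex and the 'urls'/'delay' key names are assumptions standing in for the app's undisclosed format.

```python
import base64
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample corpus. File names follow the scheme described in the write-up:
# a prefix such as A1/B1, an ISP/country code (tm, ru, ir, ae) and a trailing 'c'
# for configuration files. The app's real encoding is not public here, so base64 is
# a stand-in; the '{>>> ... >>>}' wrapper and the key names are assumptions.
def _wrap(obj):
    return "{>>>" + base64.b64encode(json.dumps(obj).encode()).decode() + ">>>}"

SAMPLE_FILES = {
    "A1tmc": _wrap({"urls": ["https://example-a.gov.tm", "https://turkmenistanairlines.tm"], "delay": 10}),
    "B1tmc": _wrap({"urls": ["https://example-a.gov.tm", "https://example-b.gov.tm"], "delay": 10}),
    "A1ruc": _wrap({"urls": ["https://example.ru"], "delay": 15}),
    "A1tm": _wrap({"note": "no trailing 'c', so this is not a configuration file"}),
}

FNAME_RE = re.compile(r"^(?P<prefix>[A-Z]\d+|World)(?P<cc>tm|ru|ir|ae)(?P<kind>c)?$")

def strip_wrapper(raw: str) -> str:
    """Remove the enclosing braces and '>>>' marks; a bare payload (the '-n' case) passes through."""
    s = raw.strip()
    if s.startswith("{") and s.endswith("}"):
        s = s[1:-1]
    return s.strip().strip(">").strip()

def decode_config(raw: str, decode=base64.b64decode) -> dict:
    """Unwrap, decode (stand-in algorithm) and parse one configuration payload."""
    return json.loads(decode(strip_wrapper(raw)))

def collect_targets(files: dict) -> dict:
    """Walk every configuration file and map country code -> {hostname: [file names]}."""
    targets = defaultdict(lambda: defaultdict(list))
    for name, raw in files.items():
        m = FNAME_RE.match(name)
        if not m or m.group("kind") != "c":      # skip non-configuration files
            continue
        cfg = decode_config(raw)
        for url in cfg.get("urls", []):
            targets[m.group("cc")][urlparse(url).hostname].append(name)
    return {cc: dict(hosts) for cc, hosts in targets.items()}

def flag_suffix(targets: dict, suffix: str = ".gov.tm") -> set:
    """Hostnames under a given suffix, e.g. the '.gov.tm' cluster noted in the write-up."""
    return {h for hosts in targets.values() for h in hosts if h.endswith(suffix)}
```

Running `collect_targets(SAMPLE_FILES)` yields per-country hostname lists with the files that reference each host, which is the form a blocklist or abuse report needs.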

We are interested in the configurations that end with 'c', which is probably a way to denote 'configurations'. So if we walk over all the configuration files and collect all the urls the application is DDoS'ing, we get the following list of urls:

If we look at this list we can see the already familiar url to turkmenistanairlines. The other urls all look similar to each other and all end with '.gov.tm', from which we can probably assume that this application is trying to attack some government websites of Turkmenistan. It is hard for me to imagine why anyone would do that, but that is not what we are here for. My interest is in the technical exploration.

Configurations saved in the apk.

Those earlier findings could easily be removed, and then there would be no way to prove that this app is actually doing that. So let's dig a bit deeper and find evidence that is baked inside the apk and cryptographically signed. It turns out not to be that difficult a task. If you decompile the apk by unzipping it or with a tool like apktool, there will be a file at the location.

This file is also encrypted and can be decrypted with the 'decode.py' script, but this file does not contain the enclosing and >>> marks. So in order to decode that file we just need to add '-n' at the end as the next argument for 'decode.
