Blog da Zscaler

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Inscreva-se
Security Research

Analyzing Android ‘Simplocker’ Ransomware.

image
VIRAL GANDHI
June 06, 2014 - 2 Min. de leitura
 
 
 
 
Recently we came across the sample of a new ransonware ‘Simplocker’ for Android. The ransomware encrypts the files present on SD card and later it demands ransom from victim to decrypt the files.
 

File Information:
File: fd694cf5ca1dd4967ad6e8c67241114c.apk
Size: 4917678
md5: fd694cf5ca1dd4967ad6e8c67241114c
Virustotal Report: 9/51

Let's analyze the ransomeware.

The ransomware  shows the ransom message in "Russian" language asking for ransom money.
Image
Ransom message. 
The ransom message asks for "260 Ukrainian Hryvnia" along with the threat message of deleting the data if ransom not paid.

Translation of the message:
Image
Translation of ransom message.
Let’s dive in to the code for more details.
Image
Use of AES. 
Image
Static strings
The above screenshot shows how ransomware is using AES encryption for encrypting files. Simplocker will scan for the filetypes jpeg, jpg, png, bmp, gif, pdf, doc, docx, txt, avi, mkv, 3gp, mp4 files from the SD card. Then it encrypts them with cypher key “jndlasf074hr”.
Image
Suffix "enc"
The ransomware adds suffix “enc” for scanned files after encrypting them.
 
Image
Device Informations: IMEI number.
Image
Device Informations: Model and Manufacture id. 
It also harvests device informations like device IMEI number, modal number etc.
Image
C&C.
After harvesting device’s details, it communicates with the CnC server, highlighted in screen shot. Interestingly ransomware uses ‘tor’ as a proxy to connect to CnC server for silent communication.

CnC Server:  hxxp://xeyocsu7fu2vjhxs.onion/

The proxy details are shown below.
Image
Proxy Details.
It also keeps on monitoring the back key press on phone. This is done to keep displaying the ransom message again and again.
Image
Monitoring back press.
We advice not to download or install apps from unauthorized app stores to stay away from such android malwares.
 

References:
form submtited
Obrigado por ler

Esta postagem foi útil??

Receba as últimas atualizações do blog da Zscaler na sua caixa de entrada

Ao enviar o formulário, você concorda com nossa política de privacidade.