Thursday, January 6, 2011

Decrypt Strings:Geinimi Android Trojan

Just analyzing an Android trojan couple of days ago and I was able to decrypt the strings inside the binary sample. Here it is a source code written in VB.Net.

Imports CryptoSysAPI
Module Module1
Sub Main()
Dim Hexdata As String = "64656275675F696E7465726E656C0202" ' hex data here!
Dim plainHex As String = Des.Pad(Hexdata)
plainHex = Des.Decrypt(Hexdata, "0102030405060708", Mode.ECB, "")
Hexdata = Des.Unpad(plainHex)
If Hexdata.Length = plainHex.Length Then Return
Console.WriteLine("Input: {0}", Hexdata);
Console.WriteLine("Decrypt(DES-ECB): {0}", Cnv.StringFromHex(Hexdata))
End Sub
End Module


Example Output:
C:\>"C:\Projects\Krypton\Krypton\bin\Release\Krypton.exe"
Input: 64656275675F696E7465726E656C0202
Decrypt(DES-ECB): debug_internel


Note: You need CryptoSysAPI library in order to compile this code.

References:
http://www.alienvault.com/blog/jaime/Malware/Inside_Geinimi_Android_Trojan._Chapter_One_Encrypted_data_and_communication.html