- Jul 1, 2017
- 317
I would like to know what this .apk does, and your opinions. Thanks.
Subject
DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
validto: 11:46 AM 06/05/2043
serialnumber: 5ad9df61
thumbprint: ef48cab315787d955dc7ebda688a4d3cb6c49d88
validfrom: 11:46 AM 01/18/2016
Issuer
DN: CN:votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
CN: votu OU=ehyzo O=zanayy L=leces ST=esemen C=NE
Run-time memory patching is the same as API hooking since it is changing execution flow in memory, as long as you're redirecting to elsewhere. Once it has the library injected, it can do some things, like dynamic API hooking/tracing/patching, process introspection, runtime memory patching, etc.
32-bit process:
    MOV EAX, ADDRESS    ; 4-byte absolute address
    JMP EAX             ; or CALL EAX
64-bit process:
    MOV RAX, ADDRESS    ; 8-byte absolute address
    JMP RAX
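A defensive counterpart to the trampoline above, added here as an example and not code from anyone in this thread: a prologue check that flags the MOV EAX/RAX, addr followed by JMP/CALL reg byte pattern at a function entry and recovers the redirect address. The function names and the sample prologue bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (hypothetical helper): detect the absolute-register
 * trampoline shape quoted above at a function entry.
 *   32-bit: B8 imm32    ; FF E0 (JMP EAX) or FF D0 (CALL EAX)
 *   64-bit: 48 B8 imm64 ; FF E0 (JMP RAX) or FF D0 (CALL RAX)
 * Returns 1 and stores the redirect address in *target, else 0. */
int detect_trampoline(const uint8_t *code, size_t len, uint64_t *target)
{
    size_t imm_off, imm_len;
    if (len >= 7 && code[0] == 0xB8) {
        imm_off = 1; imm_len = 4;                 /* MOV EAX, imm32 */
    } else if (len >= 12 && code[0] == 0x48 && code[1] == 0xB8) {
        imm_off = 2; imm_len = 8;                 /* MOV RAX, imm64 */
    } else {
        return 0;                                 /* ordinary prologue */
    }
    const uint8_t *jmp = code + imm_off + imm_len;
    if (jmp[0] != 0xFF || (jmp[1] != 0xE0 && jmp[1] != 0xD0))
        return 0;                                 /* no JMP/CALL reg after MOV */
    uint64_t addr = 0;                            /* little-endian immediate */
    for (size_t i = 0; i < imm_len; i++)
        addr |= (uint64_t)code[imm_off + i] << (8 * i);
    *target = addr;
    return 1;
}

/* Constructed sample prologues (not taken from the APK discussed here). */
static const uint8_t clean32[]  = {0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10};       /* push ebp; mov ebp,esp; sub esp,0x10 */
static const uint8_t hooked32[] = {0xB8, 0x78, 0x56, 0x34, 0x12, 0xFF, 0xE0}; /* mov eax,0x12345678; jmp eax */
static const uint8_t hooked64[] = {0x48, 0xB8, 0x00, 0x10, 0x00, 0x00, 0x00,
                                   0x7F, 0x00, 0x00, 0xFF, 0xD0};             /* mov rax,0x7F0000001000; call rax */
static const struct { const uint8_t *code; size_t len; } samples[] = {
    {clean32, sizeof clean32}, {hooked32, sizeof hooked32}, {hooked64, sizeof hooked64},
};

/* Redirect address of sample idx, or 0 when its prologue looks untouched. */
uint64_t sample_target(int idx)
{
    uint64_t t = 0;
    return detect_trampoline(samples[idx].code, samples[idx].len, &t) ? t : 0;
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("sample %d: %s (target 0x%llx)\n", i, sample_target(i) ? "TRAMPOLINE" : "clean",
               (unsigned long long)sample_target(i));
    return 0;
}
```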
Sorry if I am misunderstanding, but just to make sure... The APK file from the starting post in this thread is a fake copy of the genuine APK download you linked us to in the post I am quoting now? I add one thing more: I informed the author of the original .apk. This application, renamed as "bluetooth toolkit unlimited coins", was downloaded from Aptoide to see what it was; I saw from the beginning it was something else. I will read your comments very carefully. Very instructive for me.
This is the original Android .apk from which the author of this ".apk" copied the main icon.
[XPOSED] Bluetooth ToolKit - Android Apps on Google Play
Me too! I actually tried to do the same thing earlier before posting the URLs wrapped around the CODE tags and got the same result here. I tried to follow some of those URLs, but for example the cu.cc domain was already closed.
I think it was a fast and run action.
I cannot comment on an official verdict because I am not an Android analyst, nor do I have experience with handling malicious software for Android; however, what I can tell you is that if the APK is pretending to be something it is not while having the intention of performing malicious operations, then it at least falls under the term "Trojan". But I am not sure what the naming is for Android malware. I wanted to know if it was malware; at this point this looks to me like an infostealer?
The sample wasn't shared when uploaded to Hybrid-Analysis, so the sample cannot be downloaded. I think it can be downloaded from Hybrid-Analysis with a login.