June 14, 2021

Unity_Monkey002_asasqw

Introduction

This application uses Unity assets and is built in IL2CPP compilation mode.

Analysis

The analysis is shown using the com.asasqw.sajkqq application as an example.

Traffic capture revealed the initial link and the redirect chain that follows it. In the traffic analyzer the chain of redirects looks like this:

Traffic analyzer screenshot

The complete chain of transitions looks like this:

  1. https://crzmonkeyg.life/QR5gGGQ6?tr_unid=2327183756265289879&app_unid=Monkey002
  2. https://l1l.pw/53z9q7?track_id=31gojrs14h6a
  3. https://bhufgtds.com/cpabro/vlknuab?param=10122&clickid=56783840&uf=04
  4. https://huffsongpp.live/vulkanua/p18000/?atp=10122&goto=sitereg&clickid=56783840&plid=9307&bnid=24160&uf=04
  5. https://vulkan777.live/register/?atp=10122&goto=sitereg&clickid=56783840&plid=9307&bnid=24160&uf=04&refCode=mb_BQBbJAAAYF4AAFBGAAA.2021-06.14.10122&uuid=830f67e55e4ef1f0ef77c32cfc543e543472768e
  6. https://vulkan777.live/register/?atp=10122&bnid=24160&clickid=56783840&goto=sitereg&plid=9307&uf=04&uuid=830f67e55e4ef1f0ef77c32cfc543e543472768e
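The same chain can be taken apart programmatically to see which query parameters each redirector adds for itself and which ones are handed unchanged from hop to hop (the affiliate network's attribution identifiers). The script below is an added example, not code from the original post; the six URLs are copied from the capture above and the function names are my own.

```python
from urllib.parse import parse_qsl, urlsplit

# The six hops from the capture above, in the order they were observed.
CHAIN = [
    "https://crzmonkeyg.life/QR5gGGQ6?tr_unid=2327183756265289879&app_unid=Monkey002",
    "https://l1l.pw/53z9q7?track_id=31gojrs14h6a",
    "https://bhufgtds.com/cpabro/vlknuab?param=10122&clickid=56783840&uf=04",
    "https://huffsongpp.live/vulkanua/p18000/?atp=10122&goto=sitereg&clickid=56783840&plid=9307&bnid=24160&uf=04",
    "https://vulkan777.live/register/?atp=10122&goto=sitereg&clickid=56783840&plid=9307&bnid=24160&uf=04&refCode=mb_BQBbJAAAYF4AAFBGAAA.2021-06.14.10122&uuid=830f67e55e4ef1f0ef77c32cfc543e543472768e",
    "https://vulkan777.live/register/?atp=10122&bnid=24160&clickid=56783840&goto=sitereg&plid=9307&uf=04&uuid=830f67e55e4ef1f0ef77c32cfc543e543472768e",
]


def hop(url):
    """Split one hop into (hostname, {query parameter: value})."""
    parts = urlsplit(url)
    return parts.netloc, dict(parse_qsl(parts.query, keep_blank_values=True))


def hosts(chain):
    """Distinct hostnames in hop order; candidates for a blocklist or for YARA strings."""
    seen = []
    for url in chain:
        host, _ = hop(url)
        if host not in seen:
            seen.append(host)
    return seen


def carried_params(chain):
    """Parameters whose value is passed unchanged from one hop to the next.

    These (clickid, atp, plid, ...) are the affiliate network's attribution
    identifiers: they are what ties the final landing page back to the install.
    """
    carried = {}
    prev = {}
    for url in chain:
        _, params = hop(url)
        for key, value in params.items():
            if prev.get(key) == value:
                carried.setdefault(key, set()).add(value)
        prev = params
    return carried


def hop_local_params(chain):
    """Parameters that occur in exactly one hop: each redirector's own identifiers.

    In the first hop, app_unid names the app's campaign (Monkey002 here).
    """
    counts = {}
    for url in chain:
        _, params = hop(url)
        for key in params:
            counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n == 1)


def report(chain):
    """Human-readable summary of hosts, carried and one-hop parameters."""
    lines = [f"hosts: {', '.join(hosts(chain))}"]
    for key, values in sorted(carried_params(chain).items()):
        lines.append(f"carried  {key} = {', '.join(sorted(values))}")
    for key in hop_local_params(chain):
        lines.append(f"one-hop  {key}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CHAIN))
```

Running it shows that clickid, atp, plid, bnid, uf, goto and uuid survive across hops while tr_unid, app_unid, track_id, param and refCode are each introduced and consumed by a single redirector; the app's own identifier is therefore app_unid in the first hop, which is also why the YARA rules at the end key on the initial link rather than on the landing page.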

The process of traffic analysis looks like this:

Traffic analysis video

The initial link https://crzmonkeyg.life was not found in the Java source code. The application was written with Unity, so the main logic is C# compiled in IL2CPP mode (https://www.what-could-possibly-go-wrong.com/il2cpp/). In short, the C# code was translated to C++ and compiled to native machine code, so it cannot be automatically restored to its original form the way Java bytecode can.
The compiled code is in the file lib/armeabi-v7a/libil2cpp.so, and the metadata it needs, such as strings and type and method names, is in the file assets/bin/Data/Managed/Metadata/global-metadata.dat.
To analyze libil2cpp.so you need a disassembler such as Ghidra or IDA. It is best to run Il2CppInspector (https://github.com/djkaty/Il2CppInspector) first: it combines libil2cpp.so with global-metadata.dat to recover class, method and string names and produces scripts that import them into the disassembler, which greatly simplifies and speeds up the code analysis.

Screenshot of the code using the initial link

In the recovered code there is an access of the form ...->textAsset, which indicates that the information is stored in Unity assets (Unity resources). In this application all Unity resources are stored in the file assets/bin/Data/data.unity3d.
This file is usually compressed, so opening it in a text editor shows little of use; the Unity Assets Bundle Extractor (UABE, https://github.com/DerPopo/UABE) is used to unpack and inspect the asset bundle.

Unity Assets screenshot

In one of the TextAssets the text is stored in a non-standard form: as a hex string. Decoding that hex string back to text yields the information we were looking for, including the initial link.

Hex to text converter screenshot
Complete information retrieval chain
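Instead of pasting each suspicious TextAsset into an online hex converter, the dumped asset can be scanned for hex-encoded runs and decoded in one pass. The script below is an added example, not code from the original post or from UABE; the sample asset is a constructed stand-in for a dumped TextAsset (only the start URL inside it is taken from the capture above), and the function names are my own.

```python
import re
import sys

# Constructed stand-in for a TextAsset dumped with UABE: a binary header, a
# JSON-ish wrapper whose value is the hex-encoded start URL, and a decoy field
# that is valid hex but does not decode to text. Not the real asset.
_START_URL = "https://crzmonkeyg.life/QR5gGGQ6?tr_unid=2327183756265289879&app_unid=Monkey002"
SAMPLE_ASSET = (
    b"\x00\x00\x00\x1aconfig\x00"
    + b'{"v":1,"u":"a' + _START_URL.encode().hex().encode() + b'",'
    + b'"k":"deadbeefdeadbeefdeadbeef"}'
)

# A run of at least 16 hex digits (8 bytes) is long enough to be worth decoding.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{16,}")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _printable(data: bytes) -> bool:
    return len(data) > 0 and all(0x20 <= c < 0x7F or c in b"\r\n\t" for c in data)


def decode_hex_runs(blob: bytes, min_hex_chars: int = 16):
    """Return [(offset, text)] for every hex run in `blob` that decodes to ASCII.

    Both pairing alignments are tried: a neighbouring hex-looking character
    (the 'a' in '"a6874747...' above) shifts the nibble boundary, and decoding
    from the wrong boundary yields garbage such as 0xA6 instead of 'h'.
    """
    results = []
    for match in HEX_RUN.finditer(blob):
        run = match.group().decode("ascii")
        for shift in (0, 1):
            digits = run[shift:]
            digits = digits[: len(digits) - (len(digits) % 2)]  # whole bytes only
            if len(digits) < min_hex_chars:
                continue
            decoded = bytes.fromhex(digits)
            if _printable(decoded):
                results.append((match.start() + shift, decoded.decode("ascii")))
                break  # one alignment per run is enough
    return results


def extract_urls(blob: bytes):
    """Decode every hex run in `blob` and pull URLs out of the decoded text."""
    urls = []
    for _, text in decode_hex_runs(blob):
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    # Usage: python decode_textasset.py <dumped TextAsset file>
    # Without an argument the constructed sample is scanned instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ASSET
    for offset, text in decode_hex_runs(data):
        print(f"0x{offset:06x}: {text}")
    for url in extract_urls(data):
        print("URL:", url)
```

Point it at each TextAsset exported from data.unity3d; the decoy run is rejected because its bytes are not printable, and the misaligned first attempt on the real payload is rejected for the same reason, so only genuine encoded text is reported.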

Conclusion

The result of the analysis is a set of YARA rules based on the links found and on strings unique to this type of application.

Yara rules: https://pastebin.com/r3M71qUz

Password: 762w7E0Jui