Static and Dynamic Analysis of Moji Market.

Introduction:-

Yesterday, on 2020-12-09 at 22:58:01, Arkbird_solg submitted a sample to MalwareBazaar, and here we reverse it. According to Arkbird_solg it is in high demand to be reversed.

Here is the Java code of the Joker-based malicious app.

Analysis of “Moji Market” App

Static Analysis:-

Hashes:

Information About App:

Information about the app.

Certificate Info:

The APK is signed with only the v1 (JAR) signature scheme, which leaves it vulnerable to the Janus vulnerability.

App Permissions:

In the image we can see that the app requests many permissions that can be abused for malicious purposes.

Obfuscation and Anti-VM Code:

Code Analysis:

The app logs sensitive user information that should never be logged. It can also read and write external storage, and it uses an insecure RNG (random number generator) and insecure SSL handling. Moreover, it uses weak hash algorithms, stores sensitive user information in a temp file, and discloses the device's IP address. Cleartext network traffic is enabled for the app.
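To make two of the static findings above (v1-only signing, which exposes the APK to Janus, and cleartext traffic being enabled) checkable on a decoded sample, here is an added Python helper that is not part of the original post. It assumes the output of `apksigner verify --verbose` and an apktool-decoded AndroidManifest.xml as inputs; the embedded samples are constructed for illustration and are not from Moji Market.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed `apksigner verify --verbose` output for a v1-only APK
# (illustrative; the real sample's apksigner output is not on the page).
SAMPLE_APKSIGNER_OUTPUT = """\
Verifies
Verified using v1 scheme (JAR signing): true
Verified using v2 scheme (APK Signature Scheme v2): false
Verified using v3 scheme (APK Signature Scheme v3): false
Number of signers: 1
"""

# Constructed decoded AndroidManifest.xml (as apktool would emit it) with
# cleartext traffic enabled; package name and permissions are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:usesCleartextTraffic="true"/>
</manifest>
"""

def signature_schemes(apksigner_output):
    """Map APK signature scheme version -> whether apksigner verified it."""
    pattern = r"Verified using v(\d+) scheme[^:\n]*: (true|false)"
    return {int(v): ok == "true" for v, ok in re.findall(pattern, apksigner_output)}

def is_janus_exposed(apksigner_output):
    """True when only the v1 (JAR) scheme verifies: with no v2/v3 signature over
    the whole file, the APK can be altered without invalidating its signature on
    the Android versions affected by Janus."""
    schemes = signature_schemes(apksigner_output)
    return bool(schemes.get(1)) and not any(ok for v, ok in schemes.items() if v >= 2)

def cleartext_traffic_enabled(manifest_xml):
    """Explicit android:usesCleartextTraffic="true" on <application>. An absent
    attribute means the platform default (depends on targetSdkVersion) applies."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"

def requested_permissions(manifest_xml):
    """Sorted permission names from the manifest's <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    return sorted(p.get(ANDROID_NS + "name") for p in root.findall("uses-permission"))
```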

URLs:

URLs found during static analysis of the app.

Activities:

Services run by App:

Receivers:

Providers:

Embedded Secrets:

Secrets found during static analysis of the app.

Dynamic Analysis:-

Running the app dynamically on an emulator (Android VM). After running for some time, the app crashes.

Screenshot of the app running dynamically in the emulator.

Binder:

Binder has 4 context implementations.

Crypto Hash:

In the image we can see these crypto hashes observed during dynamic analysis.

URLs:

Emails:

Database[.db]:

Logs:

C2 server:-

Joker malware C2 server: 162[.]144[.]62[.]9

Communicating Files with C2:-

Conclusion

Joker malware has been quite active for the last few months, starting from the beginning of this year, and many apps on the Google Play Store have been infected with it.

That’s all for today.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.