1
00:00:06,890 --> 00:00:11,990
OK, so let's try and run this malware on an emulator and let's try to understand what's happening during

2
00:00:11,990 --> 00:00:12,700
execution.

3
00:00:13,930 --> 00:00:15,090
Before we do this though,

4
00:00:15,100 --> 00:00:16,690
I have to make a disclaimer.

5
00:00:16,930 --> 00:00:20,080
It's not really recommended to be executing malware.

6
00:00:20,170 --> 00:00:24,670
You definitely don't want to download this APK and run it on your actual device.

7
00:00:24,730 --> 00:00:27,160
Definitely do not do that.

8
00:00:27,190 --> 00:00:29,890
Here we are running in a contained environment.

9
00:00:29,890 --> 00:00:34,390
We're running on an emulator on a PC that's dedicated for this specific work.

10
00:00:34,880 --> 00:00:41,440
We are also going to disable the network connectivity. In other cases you may want to configure a proxy

11
00:00:41,440 --> 00:00:42,670
and take other measures.

12
00:00:42,670 --> 00:00:48,910
But here we are outright disabling the network connectivity. If you're not confident in what you're doing,

13
00:00:48,970 --> 00:00:53,950
don't execute the malware, just follow the video and don't stay experimenting.

14
00:00:53,950 --> 00:00:59,710
The last thing you want to do is download this APK on your phone and install it. Definitely do not do

15
00:00:59,710 --> 00:01:02,500
that. OK.

16
00:01:02,520 --> 00:01:10,890
Back to Koodous. Koodous has this cool functionality where you can download the APK samples, so here we just

17
00:01:10,890 --> 00:01:18,790
downloaded this Simplocker sample, but before we do anything else let's create an emulator. So we're

18
00:01:18,790 --> 00:01:20,220
going to create an emulator.

19
00:01:20,230 --> 00:01:22,950
That's an old Android version.

20
00:01:22,960 --> 00:01:25,420
The reason being that this malware is old.

21
00:01:25,420 --> 00:01:30,490
So just in case it didn't handle any permissions or anything like that, let's just be safe and run it

22
00:01:30,520 --> 00:01:32,560
on an old emulator.

23
00:01:32,680 --> 00:01:36,810
We already have a version 16 emulator configured, so let's work with that.

24
00:01:39,740 --> 00:01:44,000
Let's call this simplocker and configure hardware acceleration.

25
00:01:44,000 --> 00:01:50,570
Remember, if you're running in a VM you probably want to use software acceleration. Default settings should

26
00:01:50,570 --> 00:01:56,490
be good. When you are done, click Finish. OK.

27
00:01:56,520 --> 00:01:58,110
So we've created the emulator.

28
00:01:58,140 --> 00:02:01,740
And next we need to run it, but we're not going to run it from here.

29
00:02:01,770 --> 00:02:07,250
We're gonna have to look at another way of running the emulator, so let's go ahead and close Android

30
00:02:07,250 --> 00:02:19,240
Studio, go to the SDK folder, so in our case it's Android-SDK, here you'll find a folder called emulator

31
00:02:19,420 --> 00:02:26,390
and if you go within emulator you'll see that there's a tool called emulator. You can use that to launch

32
00:02:26,390 --> 00:02:28,900
your emulator. To do that

33
00:02:28,920 --> 00:02:39,050
you just do emulator -avd and the name of the emulator you just created, simplocker. OK.

34
00:02:40,320 --> 00:02:46,260
And this will launch the emulator using the emulator tool rather than opening Android Studio every time

35
00:02:46,320 --> 00:02:53,680
and opening the AVD Manager. So here we see that the new emulator is launched.

36
00:02:53,830 --> 00:03:05,780
Let's go ahead and add the SD card, so you have to go to API Demos, Content, Storage, External Storage and

37
00:03:05,780 --> 00:03:12,490
click Create. So let's go back to our terminal and run adb shell.

38
00:03:17,370 --> 00:03:23,950
If you go to sdcard, go to Pictures, we will see that we have a demo picture over there.

39
00:03:25,470 --> 00:03:38,120
So what we can do here is adb pull, so go to /sdcard/Pictures and you will see demo picture dot JPEG,

40
00:03:39,150 --> 00:03:43,170
so let's pull this: adb pull.

41
00:03:43,170 --> 00:03:53,740
adb pull, if you remember, is used to bring a file from the emulator to your device. Type adb pull and the path.

42
00:03:53,810 --> 00:03:59,950
Now if we go on Downloads we see that we have a demo picture that is provided by Android over here.

43
00:04:00,410 --> 00:04:05,580
What we want to see now is whether Simplocker encrypts this demo picture.

44
00:04:05,960 --> 00:04:09,260
Let's go ahead and remove this demo picture from our Downloads folder.

45
00:04:10,790 --> 00:04:11,370
OK.

46
00:04:11,430 --> 00:04:19,080
Now before we connect we're going to turn off the internet connection, just in case. OK.

47
00:04:19,160 --> 00:04:28,610
And now we can run adb install, the file starts with eight, and install the APK that we just downloaded

48
00:04:28,610 --> 00:04:36,510
from Koodous. Let's have a look, and we can see that it's been installed.

49
00:04:36,720 --> 00:04:42,180
Now the user has this malicious application and once he clicks on it he's prompted this notification

50
00:04:42,180 --> 00:04:46,970
which seems to be Ukrainian. It is saying something along the lines of:

51
00:04:47,030 --> 00:04:52,160
OK, we have your data, you've been going on sites that you shouldn't have been going on, you need to pay

52
00:04:52,190 --> 00:04:55,210
this amount to so-and-so.

53
00:04:55,450 --> 00:05:01,960
And as you can see you can try to minimize it, but it will keep prompting you with the message.

54
00:05:01,980 --> 00:05:08,280
So this is the ransomware. We installed the malware and we're stuck with it.

55
00:05:08,460 --> 00:05:17,670
Now let's remove the malware using adb: adb uninstall org.simplocker. OK.

56
00:05:17,690 --> 00:05:19,240
So it's uninstalled.

57
00:05:19,400 --> 00:05:26,240
Now the problem is, if we have to run adb shell again and go to /sdcard/Pictures, we can see that

58
00:05:26,240 --> 00:05:28,750
the malware has encrypted our file.

59
00:05:29,030 --> 00:05:33,450
So by simply uninstalling Simplocker we didn't get rid of the problem.

60
00:05:33,650 --> 00:05:38,350
We have a situation where all the files on our device have been locked and encrypted.

61
00:05:39,050 --> 00:05:48,000
So let's confirm that the files are encrypted. Again using adb pull, let's do adb pull to obtain the

62
00:05:48,000 --> 00:05:55,780
encrypted file, and we can see over here this is our encrypted file. So that is it for now.

63
00:05:55,800 --> 00:06:00,860
Next we'll see how we can get useful information through static analysis of this sample.

64
00:06:00,870 --> 00:06:05,610
The goal is to gather enough information that will allow us to decrypt the encrypted files.