Closed OpticFusion1 closed 5 years ago
@xBrownieCodez @ItzSomebody You two might be interested in this issue.
The newest update contains the basics for this check
deobfuscated
I'm already aware of the deobfuscated version @ItzSomebody. The fun part is getting the check to fully recognize the strings with the obfuscated version.
Due to the nature of the obfuscation and such, the normal methods (as far as I can tell) won't work, and I don't have enough experience to figure out how to properly check the strings :/
Unless I'm just dumb and I'm missing something obvious.
> I'm already aware of the deobfuscated version @ItzSomebody. The fun part is getting the check to fully recognize the strings with the obfuscated version.
I'm just posting a deobfuscated sample if anyone wants to give the jar a check.
> Due to the nature of the obfuscation and such, the normal methods (as far as I can tell) won't work, and I don't have enough experience to figure out how to properly check the strings :/
One way I would try attacking the obfuscation is to take the field initialization method and modify it to return the created array, which would be ideal with an emulator or reflection (assuming you have made sure it is impossible for arbitrary code execution to happen with reflection). This approach would give you all the strings decrypted with minimal work.
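The patch-the-initializer-and-run-it approach described in the comment above, written out as an added example; this is not code from the thread or from the scanner project. It assumes ASM (the asm and asm-tree artifacts) on the classpath, Java 11 or later, and that the obfuscated class keeps its decrypted strings in a static String[] field that is filled by a no-argument static method (either <clinit> itself or a helper it calls). The class name StringArrayDumper and the method name dump$strings are made up here. The reflection variant is shown, so the "make sure arbitrary code execution is impossible" part is done by a static whitelist scan that refuses to run the class at all if any method calls outside a small set of JDK classes:

```java
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;
import org.objectweb.asm.ClassReader;
import org.objectweb.asm.ClassWriter;
import org.objectweb.asm.Opcodes;
import org.objectweb.asm.Type;
import org.objectweb.asm.tree.AbstractInsnNode;
import org.objectweb.asm.tree.ClassNode;
import org.objectweb.asm.tree.FieldInsnNode;
import org.objectweb.asm.tree.InsnNode;
import org.objectweb.asm.tree.MethodInsnNode;
import org.objectweb.asm.tree.MethodNode;

// Assumed layout (not taken from the thread): one static String[] field, filled by a
// no-argument static method of the same class.
public class StringArrayDumper {
    static final String ARRAY_DESC = "[Ljava/lang/String;";
    static final String DUMP_NAME = "dump$strings";   // hypothetical name for the patched method
    static final String DUMP_DESC = "()" + ARRAY_DESC;
    // The only foreign call targets the class may reach. Runtime, ProcessBuilder, File,
    // Class, reflection and so on are absent on purpose: any call to them means "refuse".
    static final Set<String> SAFE_OWNERS = Set.of("java/lang/Object", "java/lang/String",
            "java/lang/StringBuilder", "java/lang/Integer", "java/lang/Character", "java/lang/Math");

    public static String[] dump(byte[] classBytes) throws Exception {
        ClassNode cn = new ClassNode();
        new ClassReader(classBytes).accept(cn, ClassReader.SKIP_FRAMES);
        MethodNode init = findArrayInitializer(cn);
        if (init == null) throw new IllegalStateException("no static String[] initializer in " + cn.name);
        if (Type.getArgumentTypes(init.desc).length != 0)
            throw new IllegalStateException(init.name + " takes arguments; not handled here");
        refuseUnsafeCalls(cn);   // must happen before anything from this class is allowed to run

        String oldName = init.name, oldDesc = init.desc;
        // 1. Every store into a String[] field becomes "return the array that is on the stack".
        //    ARETURN does not need an empty stack, and the stored value is already a String[].
        for (AbstractInsnNode insn : init.instructions.toArray()) {
            if (insn.getOpcode() == Opcodes.PUTSTATIC && ((FieldInsnNode) insn).desc.equals(ARRAY_DESC))
                init.instructions.set(insn, new InsnNode(Opcodes.ARETURN));
        }
        // 2. Turn it into a public static method with the new signature (<clinit> simply stops being one).
        init.name = DUMP_NAME;
        init.desc = DUMP_DESC;
        init.access = Opcodes.ACC_PUBLIC | Opcodes.ACC_STATIC;
        // 3. Keep existing call sites (usually <clinit>) valid: retarget them and discard the new return value.
        for (MethodNode m : cn.methods) {
            for (AbstractInsnNode insn : m.instructions.toArray()) {
                if (!(insn instanceof MethodInsnNode)) continue;
                MethodInsnNode mi = (MethodInsnNode) insn;
                if (mi.owner.equals(cn.name) && mi.name.equals(oldName) && mi.desc.equals(oldDesc)) {
                    mi.name = DUMP_NAME;
                    mi.desc = DUMP_DESC;
                    m.instructions.insert(mi, new InsnNode(Opcodes.POP));
                }
            }
        }
        ClassWriter cw = new ClassWriter(ClassWriter.COMPUTE_FRAMES) {
            @Override protected String getCommonSuperClass(String a, String b) {
                return "java/lang/Object";   // never load the plugin's class hierarchy just to compute frames
            }
        };
        cn.accept(cw);
        Class<?> patched = new IsolatedLoader().define(cn.name.replace('/', '.'), cw.toByteArray());
        Method dumpMethod = patched.getMethod(DUMP_NAME);
        dumpMethod.setAccessible(true);   // the obfuscated class itself may be package-private
        return (String[]) dumpMethod.invoke(null);
    }

    // Parent is the platform loader, so only JDK classes resolve; nothing else from the jar is reachable.
    static final class IsolatedLoader extends ClassLoader {
        IsolatedLoader() { super(ClassLoader.getPlatformClassLoader()); }
        Class<?> define(String binaryName, byte[] b) { return defineClass(binaryName, b, 0, b.length); }
    }

    static MethodNode findArrayInitializer(ClassNode cn) {
        for (MethodNode m : cn.methods) {
            if ((m.access & Opcodes.ACC_STATIC) == 0) continue;
            for (AbstractInsnNode insn : m.instructions.toArray()) {
                if (insn.getOpcode() != Opcodes.PUTSTATIC) continue;
                FieldInsnNode f = (FieldInsnNode) insn;
                if (f.owner.equals(cn.name) && f.desc.equals(ARRAY_DESC)) return m;
            }
        }
        return null;
    }

    // Static scan of every method in the class (not just the initializer, since <clinit> still runs).
    static void refuseUnsafeCalls(ClassNode cn) {
        for (MethodNode m : cn.methods) {
            for (AbstractInsnNode insn : m.instructions.toArray()) {
                if (insn.getOpcode() == Opcodes.INVOKEDYNAMIC)
                    throw new SecurityException(cn.name + "." + m.name + " uses invokedynamic; use an emulator instead");
                if (!(insn instanceof MethodInsnNode)) continue;
                MethodInsnNode mi = (MethodInsnNode) insn;
                boolean ok = mi.owner.equals(cn.name) || mi.owner.startsWith("[") || SAFE_OWNERS.contains(mi.owner);
                if (!ok) throw new SecurityException(cn.name + "." + m.name + " calls " + mi.owner + "." + mi.name + "; refusing to run it");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        for (String s : dump(Files.readAllBytes(Path.of(args[0])))) System.out.println(s);
    }
}
```

Run it as `java -cp asm.jar:asm-tree.jar:. StringArrayDumper path/to/Obfuscated.class` and it prints the decrypted array. The whitelist is deliberately strict: a decryptor that keys off `Thread.currentThread().getStackTrace()`, uses `invokedynamic`, or extends a non-JDK class will be refused (or fail to define) rather than executed, and there is no timeout against an initializer that loops forever. Those are exactly the cases where the emulator route from the comment above is the better tool, because an emulator can run the patched method with a budget and without giving the sample a real JVM to execute in.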
👌
Hopefully I can figure this out. Should probably do this yourself as well; that way the code's there IF I'm unable to figure it out.
Yea @ItzSomebody, might need some help :/ I personally wasn't able to find everything required for that.
There's been quite a few updates since this, closing. A general issue will be made if a false-positive of this type is found again (however, there's definitely going to be another issue opened up due to this definitely not getting fixed).
Issue
Issue Type: General Troubleshooting
Description: The attached file contains a force-op. The next update will include a basic check for this malware; however, I'd like to check for certain strings. If someone can add a proper deobfuscator for them, that would be lovely. The force-op path is com/unknownmyname/listener/DataListener.
Attached: SpookyAC-v1.zip