SHA1: 6720ae9e5ffac171b4c5106891dcb255a9f7fdc8
The component of the Android.CoinMine.15 worm designed to mine the Monero (XMR) cryptocurrency on an infected Android device. The Trojan is implemented as a file named sss, which is saved in the /data/local/tmp/ folder along with the nohup and bot.dat files.
The sss component is launched as a daemon via the nohup utility and waits for 10 seconds. It then copies the bot.dat file to the /sdcard/ folder under the name tmpsub and decrypts it into a 7z archive containing additional components, which is saved as /sdcard/tmpde. The archive contents are unpacked into the /data/local/tmp/ folder, after which the /sdcard/tmpsub and /sdcard/tmpde files are deleted. The unpacked files are listed below:
config.json
ddexe
debuggerd
droidbot
droidbot.apk
install-recovery.sh
invoke.sh
nohup
xmrig32
xmrig64
All the files are given 0755 (rwxr-xr-x) permissions. If the running sss process does not have root privileges but the /system/bin/su or /system/xbin/su utility is present on the device, the Trojan launches droidbot via su. Otherwise it launches droidbot directly:
    /* non-root, but an su binary is available */
    if ( getuid() && (exists("/system/bin/su") || exists("/system/xbin/su")) )
    {
        system("su -c /data/local/tmp/nohup /data/local/tmp/droidbot");
        /* droidbot is also launched without su */
        system("/data/local/tmp/nohup /data/local/tmp/droidbot");
    }
    else
    {
        system("/data/local/tmp/nohup /data/local/tmp/droidbot");
    }
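As an added example (not part of the original writeup), the following Python checks `ls -l` output from /data/local/tmp and /sdcard against the file names and 0755 mode described above; the listings, the toybox `ls -l` column layout it assumes and the finding format are constructed for illustration.

```python
import re
from typing import Dict, List

# File names the writeup lists as dropped or unpacked into /data/local/tmp/.
DROPPED_FILES = {
    "sss", "nohup", "bot.dat", "config.json", "ddexe", "debuggerd",
    "droidbot", "droidbot.apk", "install-recovery.sh", "invoke.sh",
    "xmrig32", "xmrig64",
}
# Transient staging files written to /sdcard/ and deleted after unpacking.
STAGING_FILES = {"tmpsub", "tmpde"}
# One line of toybox `ls -l` output: mode links owner group size date time name
LS_LINE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\S+\s+(?P<name>.+)$"
)

def scan_listing(directory: str, listing: str) -> List[Dict[str, str]]:
    """Match each `ls -l` line of `directory` against the indicator file sets."""
    findings = []
    for line in listing.splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # skip "total N" headers and unparsable lines
        name, mode = m.group("name"), m.group("mode")
        if directory == "/data/local/tmp" and name in DROPPED_FILES:
            # the worm sets 0755 (rwxr-xr-x) on every unpacked file
            reason = "dropped file" + (", 0755 mode" if mode == "-rwxr-xr-x" else "")
        elif directory == "/sdcard" and name in STAGING_FILES:
            reason = "staging file (normally deleted after unpacking)"
        else:
            continue
        findings.append({"path": f"{directory}/{name}", "mode": mode, "reason": reason})
    return findings

# Constructed sample listings (not taken from a real device).
SAMPLE_TMP_LISTING = """\
-rwxr-xr-x 1 shell shell   12288 2018-03-20 10:15 sss
-rwxr-xr-x 1 shell shell    4096 2018-03-20 10:15 nohup
-rwxr-xr-x 1 shell shell 1048576 2018-03-20 10:16 xmrig64
-rw-r--r-- 1 shell shell     512 2018-03-20 10:16 config.json
-rw-rw---- 1 shell shell      40 2018-03-19 09:00 notes.txt
"""
SAMPLE_SDCARD_LISTING = """\
drwxrwx--x 4 root sdcard_rw   4096 2018-03-20 10:15 Download
-rwxrwx--- 1 root sdcard_rw 524288 2018-03-20 10:15 tmpsub
"""

if __name__ == "__main__":
    for hit in scan_listing("/data/local/tmp", SAMPLE_TMP_LISTING) + scan_listing("/sdcard", SAMPLE_SDCARD_LISTING):
        print(f"{hit['path']:32} {hit['mode']}  {hit['reason']}")
```

A tmpsub or tmpde hit on /sdcard indicates the device was caught during the short unpacking window, since the worm deletes both files afterwards.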