{
	"id": "b15de299-236e-4817-b8b2-0b73916c0839",
	"created_at": "2026-04-06T00:11:20.848825Z",
	"updated_at": "2026-04-10T03:21:54.137694Z",
	"deleted_at": null,
	"sha1_hash": "6ff19ebd64a19eb0207e42606f7fde09b3ae5aa9",
	"title": "BianLian C\u0026C domain name",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 434471,
	"plain_text": "BianLian C\u0026C domain name\r\nBy @cryptax\r\nPublished: 2022-01-25 · Archived: 2026-04-05 14:43:15 UTC\r\nYou might want to read my prior articles on Android/BianLian first: unpacking, payload, fake server.\r\nThere was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C\u0026C?\r\nHaving worked on the samples for several days, I noticed they weren’t always heading to the same website: hxxp://rheacollier31532[.]website, hxxp://shanehook85484[.]website etc.\r\nSo, where do those names come from? Is this from a Domain Generation Algorithm (DGA)? Or are they hidden in an asset?\r\nAnswer: the active C\u0026C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another:\r\nhxxps://gist.githubusercontent.com/ferrari458italy/4fe02ee186816abcfcca6eaaed44659d/raw/helloworld.json\r\nhxxps://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c868/raw/helloworld.json\r\n…\r\nThe json page actually contains a Base64-encoded JSON object with the C\u0026C’s URL:\r\n$ curl https://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c868/raw/helloworld.j\r\nXX0K\r\n$ echo \"eyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUiXX0K\" | base64 -d\r\n{\"domains\":[\"http://fullvehdvideoizlemeayarlari4545.site\"]}\r\nHow does the code work?\r\n1. At first, the code sets a Property with a decrypted admin URL.\r\nhttps://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221\r\nPage 1 of 3\r\n2. As the shared preferences file has no C\u0026C yet, this actually returns a dummy C\u0026C: https://www.google.com\r\n3. The real C\u0026C is retrieved from the init procedure. I have renamed methods for better readability. The original name of the method is com.pmmynubv.nommztx.bot.g.b\r\n4. The code retrieves the “domains” parameter of the JSON.\r\n5. Finally, the code sets the URL in the shared preferences.\r\nThe code reads the “domains” part of the JSON object (readUrl), removes the trailing / if necessary, and finally writes the URL down in its configuration. The original name of this method is com.pmmynubv.nommztx.bot.g.a\r\nConclusion: there is no DGA. It is just a hard-coded remote URL serving an updated C\u0026C name.\r\n— the Crypto Girl\r\nSource: https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/bianlian-c-c-domain-name-4f226a29e221"
	],
	"report_names": [
		"bianlian-c-c-domain-name-4f226a29e221"
	],
	"threat_actors": [],
	"ts_created_at": 1775434280,
	"ts_updated_at": 1775791314,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ff19ebd64a19eb0207e42606f7fde09b3ae5aa9.pdf",
		"text": "https://archive.orkl.eu/6ff19ebd64a19eb0207e42606f7fde09b3ae5aa9.txt",
		"img": "https://archive.orkl.eu/6ff19ebd64a19eb0207e42606f7fde09b3ae5aa9.jpg"
	}
}