{
	"id": "a52bad83-f2f0-4be3-9d89-e981ed534c03",
	"created_at": "2026-04-06T00:11:52.241912Z",
	"updated_at": "2026-04-10T13:12:47.537076Z",
	"deleted_at": null,
	"sha1_hash": "8dbcd5285125d5e80d758ed6ae386043ad93bf37",
	"title": "Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 10931296,
	"plain_text": "Deep Analysis of Android Rootnik Malware Using Advanced Anti-Debug and Anti-Hook, Part II: Analysis of The Scope of Java\r\nBy Kai Lu\r\nPublished: 2017-01-26 · Archived: 2026-04-05 19:50:05 UTC\r\nIn part I of this blog we finished the analysis of the native layer and obtained the decrypted secondary dex file. Here in part II we will continue to analyze it. For the sake of continuity, we keep the section and figure numbers continuous with part I of the blog.\r\nIV. The secondary dex file\r\nThe following is the decrypted file, which is in jar format. It is loaded dynamically as the secondary dex via a multidex scheme.\r\nFigure 25. The decrypted secondary apk file containing the dex file\r\nAfter decompressing the file “decrypt.dump,” you can see a file named “classes.dex” in the folder.\r\nhttps://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java\r\nPage 1 of 42\r\nNext, let’s analyze the classes.dex.\r\nFigure 27. Decompile the secondary dex file and AndroidManifest.xml file\r\nFrom the above figure, we can see that classes.dex contains the main logic of the malware app named “file Helper”.\r\nThe following is the function onCreate in class com.sd.clip.activity.FileManagerActivity.\r\nFigure 28. The function onCreate in class FileManagerActivity\r\nFigure 29. The function initadv()\r\nFigure 30. The class Nws\r\nThe function getStart in class Nws is then used to start the service com.hg.mer.PG. The following is the definition of class PG.\r\nFigure 31. The service class com.hg.mer.PG\r\nAfter the function startService() is invoked, the function onCreate() is invoked, followed by the function onHandleIntent(). In the above figure, we marked four lines of key code in red; we analyze them in order.\r\n1. readDex()\r\nThe following is the code snippet in function readDex().\r\nFigure 32. The function readDex()\r\nBased on my analysis, the class Sheu is a base64 implementation class, so the result of Sheu.decode(\"S0suYmlu\") is the string “KK.bin”. Next, the program opens the file KK.bin in its assets folder and reads its content to extract some useful info.\r\nThe following is the file content of KK.bin:\r\nFigure 33. The file KK.bin in folder assets\r\nThe program extracts some content from the end of the KK.bin file. There are seven strings there encoded using base64 that are stored in an array list. The function getAppid() is then used to decode these strings.\r\nFigure 34. The function getAppid()\r\nThe result of decoding these seven strings is shown below:\r\nPls.Kbin: wddex.jar\r\nPls.OI: xdt\r\nPls.PL: com.svq.cvo.Rtow\r\nPls.Jr: getDex\r\nPls.Wv: sgdex\r\nPls.As: dos.jar\r\nPls.NQ: KK.bin\r\n2. dxfile()\r\nThe following is the code snippet of the function dxfile().\r\nFigure 35. The function dxfile()\r\nFigure 36. The function UnZipFolder()\r\nThe function Pls.UnZipFolder() extracts the encrypted content from KK.bin. The content starts at offset 0x20 and ends at offset 0x1CDB in the file KK.bin, and is then saved as /data/data/com.web.sdfile/files/wddex.jar. Its content is encrypted using the DES algorithm.\r\nIn the function dxfile() the program decrypts the file contents of /data/data/com.web.sdfile/files/wddex.jar to the file /data/data/com.web.sdfile/app_sgdex/dos.jar.\r\n3. DexClassLoader()\r\nIts constructor is shown below:\r\nIn this invocation, the value of dexPath is “/data/data/com.web.sdfile/app_sgdex/dos.jar,” and the value of optimizedDirectory is “/data/data/com.web.sdfile/app_xdt.”\r\nThis class loads classes from .jar and .apk files containing a classes.dex entry, and can be used to execute code not installed as part of an application. The optimized dex file is written as dos.dex in the folder /data/data/com.web.sdfile/app_xdt.\r\nAfter loading classes from /data/data/com.web.sdfile/app_sgdex/dos.jar, the program deletes this file.\r\n4. Invoke the getDex() method in class com.svq.cvo.Rtow dynamically.\r\nNext, let’s examine dos.dex.\r\nFigure 37. Decompile the dex file dos.dex\r\nThe following is the function getDex in class com.svq.cvo.Rtow:\r\nFigure 38. The function getDex in class com.svq.cvo.Rtow\r\nFigure 39. The constructor of class Dwol\r\nIn the constructor of class com.kdw.xoa.Dwol, a new file mda.ico is created in the folder /data/data/com.web.sdfile/files/. It then invokes the function downloadFile to download a payload from the remote server http://gt[.]rogsob[.]com/stmp/ad.png and saves it as /data/data/com.web.sdfile/files/mda.ico. The payload is encrypted using the DES algorithm.\r\nFigure 40. The function downloadFile\r\nFigure 41. The function initData()\r\nThe following is the definition of the function silentInstall.\r\nFigure 42. The function silentInstall\r\nThe five parts marked in red are explained in order below.\r\n1. The function dxfile of class Dwol is used to decrypt the payload /data/data/com.web.sdfile/files/mda.ico. The decrypted payload is saved as /data/data/com.web.sdfile/app_snex/dkt.jar.\r\n2. The function upZipFile of class Ngss is used to decompress the decrypted payload dkt.jar into the folder /data/data/com.web.sdfile/files/. It contains the following files:\r\nFigure 43. The payload files\r\n3. After decompressing, it deletes the files /data/data/com.web.sdfile/app_snex/dkt.jar and /data/data/com.web.sdfile/files/mda.ico, and deletes the directory /data/data/com.web.sdfile/app_snex/.\r\n4. Renames the file classes.dex to wsh.jar in the folder /data/data/com.web.sdfile/files/.\r\n5. Dynamically loads classes from /data/data/com.web.sdfile/files/wsh.jar; the optimized directory app_outdex stores the dex cache file as wsh.dex.\r\n6. Invokes the function getDex in class com.rootdex.MainActivity.\r\nNext, we will look deeper into wsh.dex, which mainly executes the root tool to root the device and installs the application in the system app folder.\r\nFigure 44. Decompile the dex file wsh.dex\r\nThe following is the definition of the function getDex of class com.rootdex.MainActivity.\r\nFigure 45. The function getDex in class com.rootdex.MainActivity\r\n1. The function GetActive is used to collect device information and send it to the remote server. The URL of the remote server is http://grs[.]gowdsy[.]com:8092/active.do. The following is a capture of the traffic:\r\nFigure 46. The traffic of sending collected info to the remote server\r\n2. Checks whether some files exist in the folder /data/data/com.web.sdfile/files/ and adds their file names to an array list in preparation for the next step, rooting the device.\r\n3. Executes rooting tools on the device.\r\nNext, the function HandleRoot() is invoked in function run().\r\nFigure 47. The function HandleRoot()\r\nThe following is a key code snippet of the function copyRootFile.\r\nFigure 48. The function copyRootFile\r\nIn this function, there are four steps.\r\n1. FileUtil.dxfile() is used to decrypt the file /data/data/com.web.sdfile/files/png.ico and save it as the file /data/data/com.web.sdfile/app_dex/.do.\r\n2. FileUtil.UnZip() is used to decompress the file /data/data/com.web.sdfile/app_dex/.do into the folder /data/data/com.web.sdfile/.rtt, which is a hidden system folder that contains six ELF executables, as shown below. It includes four root exploits: r1, r2, r3 and r4.\r\nFigure 49. The root exploit executables\r\n3. It deletes the decrypted root tools /data/data/com.web.sdfile/app_dex/.do and the folder /data/data/com.web.sdfile/app_dex.\r\n4. It then creates a new file, psneuter.js, in the folder /data/data/com.web.sdfile/files/. Its contents are shown below.\r\nFigure 50. The file psneuter.js\r\nThe function hanleOriMiddle is invoked in the function executeRootAct. The following are four code snippets used to execute root exploits via a shell command:\r\nFigure 51. Execute root exploits via shell command\r\nAfter investigating these executable files, I found that r3 is the MTK root scheme from the dashi root tool, the exploit method in r4 comes from one exploit (CVE-2013-6282) of the open source project android-rooting-tools, and the exploit method in r2 is CVE-2012-6422, a root exploit for Samsung Exynos.\r\nThe function hanleOriMiddle executes root exploits and some commands via a shell command. All executed shell commands are shown below:\r\nFigure 52. All commands executed when rooting the device\r\nAfter successfully gaining root access, the script named psneuter.js is executed with superuser privileges. The main purpose of this script is to install root-privileged applications into the folder /system/priv-app/.\r\nLater, we will investigate these two new APK files. To avoid being noticed by ordinary users, these two apps have no icons on the victim’s device after being installed.\r\nAdditionally, another script named rsh is then executed via a shell command.\r\nFigure 53. Execute the script rsh via shell command\r\nThe script rsh differs depending on the Build.MANUFACTURER property. The script is shown below.\r\nFigure 54. The script rsh(1)\r\nFigure 55. The script rsh(2)\r\nV. How BSetting.apk works\r\nAs shown in Figure 50, abc.apk was dropped into the folder /system/priv-app/ and renamed to BSetting.apk, and BSetting.apk was installed via pm.\r\nBSetting.apk serves as a remote control service: it fetches tasks from the remote server and performs them. This app runs in the background and does not have a launcher icon on the device. The following is the app information.\r\nFigure 55. App info of BSetting.apk\r\nThe app disguises itself as an Android sync service. The decompiled structure of the apk file is shown below:\r\nFigure 56. Decompiled abc.apk\r\nFigure 57. The AndroidManifest.xml in abc.apk\r\nThe BroadcastReceiver com.sfy.oyr.R performs the main logic of this app.\r\nFigure 58. The class R\r\nThe program first decrypts jif.png in the assets folder. The result is a dex file, and the program uses Java reflection to load a class and invoke some methods.\r\nWe decompiled the decrypted dex file, as shown below:\r\nFigure 59. Decompile classes.dex\r\nThe function launchTancTask in class ADService is used to fetch tasks from the remote server and perform them.\r\nFigure 60. Fetching a task from the remote server\r\nThe traffic from fetching the task is shown below. The remote server has two domains. One is the main domain grs[.]gowdsy[.]com, and the other is the backup domain grs[.]rogsob[.]com. The response from the remote server is an XML file that contains the type of task, the URL used to push porn, the URL of the APK to download, the type of app to install, etc.\r\nFigure 61. The traffic of fetching the task from the remote server\r\nDepending on the type of task fetched, the app executes the task in a different way. The following is the key code snippet:\r\nFigure 62. Execute the task depending on the type of task\r\nThe remote control service is capable of performing multiple malicious behaviors, including but not limited to the following:\r\n1. Uninstall app\r\nIt uses the utility “pm uninstall” of the Android system to uninstall apps.\r\nFigure 63. Execute pm uninstall to uninstall an app via shell command\r\n2. Push porn\r\nThe following are some screenshots of pushed porn.\r\nFigure 64. Porn pushed to the device by the app\r\n3. Create a shortcut on the home screen\r\nThe shortcuts found link to porn, hot apps, hot videos, etc. The following is the code snippet and some screenshots of the shortcuts created.\r\nFigure 65. The snippet of creating the shortcut on the home screen\r\nFigure 66. Shortcuts on the home screen\r\n4. App and ad promotion\r\nIn addition to gaining root privileges on the device, the rootnik malware promotes apps and ads to generate revenue for its creator. Its app and ad promotion is especially aggressive and annoying to the user.\r\nThe following are some screenshots of its app promotion:\r\nFigure 67. App and ad promotion\r\n5. Normal app installation and silent app installation\r\nThe malware uses different ways to install an app, depending on the type of task that has been fetched. The following is the code snippet of a normal app installation, which shows a user-interface view during the installation process.\r\nFigure 68. Normal app installation\r\nThe app uses the utility “pm install -r” of the Android system to silently install non-system apps, while it drops APK files into the folder /system/priv-app/ to install system apps.\r\nFigure 69. Silent non-system app installation\r\nIn the folder /data/app/ we found that some apk files (including, but not limited to, the following) had been installed.\r\nFigure 70. Apps installed in the folder /data/app/ by the malware\r\nFigure 71. Command to install system app\r\nIn the folder /system/priv-app/ we found that some apk files (including, but not limited to, the following) had also been installed.\r\nFigure 72. Apps installed in folder /system/priv-app/ by the malware\r\n6. Push notification\r\nThe malware pushes a notification and induces the user to click it to open the URL in a browser. The following is the code snippet of the pushed notification.\r\nFigure 73. Snippet of pushed notification\r\nFigure 74. Push notifications used by the malware\r\n7. Download files\r\nWe found that many files and folders had been downloaded into the folder /sdcard/. They include apk files, jar files, pictures, log files, etc. These files are generated by the installed apps, and some of them perform malicious behaviors.\r\nFigure 75. The files and folders downloaded into the folder /sdcard/\r\nSolution\r\nThe malware sample is detected by the Fortinet Antivirus signature Android/Rootnik.PAC!tr.\r\nThe traffic communicating with the remote C2 server can be detected by the Fortinet IPS signature Android.Rootnik.Malware.C2.\r\nSummary\r\nFrom the analysis above, we can see that the rootnik malware is very powerful and uses advanced anti-debugging and anti-hooking techniques to hinder reverse engineering, along with different types of encryption for files and strings. Additionally, it uses a multidex scheme to dynamically load and install the secondary dex file that contains the main logic of this malware. The malware uses some open-source Android root exploit tools and the MTK root scheme from the dashi root tool to gain root access on the Android device. After successfully gaining root privileges on the device, the rootnik malware can perform a variety of malicious behaviors, including app and ad promotion, pushing porn, creating shortcuts on the home screen, silent app installation, and pushing notifications.\r\nAppendix\r\nRootnik Malware Sample\r\nPackage Name: com.web.sdfile\r\nSHA256: E5E22B357893BC15A50DC35B702DD5FCDFEAFC6FFEC7DAA0D313C724D72EC854\r\nAdditional APK files dropped into the system partition by Rootnik malware\r\nPackage Name: com.br.srd\r\nSHA256: E2BDCFE5796CD377D41F3DA3838865AB062EA7AF9E1E4424B1E34EB084ABEC4A\r\nPackage Name: com.oyws.pdu\r\nSHA256: CEE6584CD2E01FAB5F075F94AF2A0CE024ED5E4F2D52E3DC39F7655C736A7232\r\nC\u0026C Server\r\ngt[.]rogsob[.]com\r\ngrs[.]gowdsy[.]com:\r\nqj[.]hoyebs[.]com\r\nqj[.]hoyow[.]com\r\ngt[.]yepodjr[.]com\r\nSource: https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
	],
	"report_names": [
		"deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java"
	],
	"threat_actors": [],
	"ts_created_at": 1775434312,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8dbcd5285125d5e80d758ed6ae386043ad93bf37.pdf",
		"text": "https://archive.orkl.eu/8dbcd5285125d5e80d758ed6ae386043ad93bf37.txt",
		"img": "https://archive.orkl.eu/8dbcd5285125d5e80d758ed6ae386043ad93bf37.jpg"
	}
}