{
	"id": "74487a27-5f1e-4ee9-8562-969a15d99f20",
	"created_at": "2026-04-06T00:18:20.001672Z",
	"updated_at": "2026-04-10T03:24:29.57262Z",
	"deleted_at": null,
	"sha1_hash": "9ae38b7512f426048a9011ff094826d4afa4b87e",
	"title": "Creating a safe dummy C\u0026C to test Android bots",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 55672,
	"plain_text": "Creating a safe dummy C\u0026C to test Android bots\r\nBy @cryptax\r\nPublished: 2022-01-21 · Archived: 2026-04-05 23:34:00 UTC\r\nTo explain what a piece of malware does, nothing beats showing it in a video. But how can you do that\r\nsafely? This is how I did it for Android/BianLian.\r\nThanks to al1foobar for his help with iptables ;-)\r\nThe bot\r\nSimply use an Android emulator. The BianLian sample installs fine on Android 8.\r\nThe (fake) server\r\nBianLian communicates with its C\u0026C over HTTP. So, I created a quick Flask application to act as the web server.\r\nAt first, you don’t know all the routes you need to serve. That’s not an issue, we’ll find them: run the fake server and\r\nwatch for the HTTP 404 responses. They happen when the bot requests a URL that the fake server does not serve yet. In the console,\r\nyou’ll see the missing URL; add a route for it in your code.\r\nFrom my previous analysis of BianLian, I know the C\u0026C sends back JSON data, and I know how some\r\ncommands should be formatted. A fake server is great for testing those commands safely and seeing what they do. Flask also\r\ndynamically reloads its code when it changes, so we can actually send different commands if we want.\r\nDownload my fake server template.\r\nRedirecting to our fake server\r\nNormally, the bot communicates with a C\u0026C at hxxp://rheacollier31532.website. This name resolves\r\n(currently) to IP address 159.223.187.91. So, what we’ll do is redirect all traffic coming from the emulator and going to\r\n159.223.187.91 on port 80 to the fake server (127.0.0.1) on the desired port (I used 9999).\r\nOn Linux, use iptables: sudo iptables -t nat -A OUTPUT -d 159.223.187.91 -p tcp -j DNAT --to-destination 127.0.0.1:9999\r\nTo test it, open a browser on the emulator and request, for example, hxxp://rheacollier31532.website; you\r\nshould see the request in your fake Flask server.\r\nVideos\r\nThe resulting videos are below.\r\nEnjoy!\r\n— the Crypto Girl\r\nSource: https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5"
	],
	"report_names": [
		"creating-a-safe-dummy-c-c-to-test-android-bots-ffa6e7a3dce5"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434700,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ae38b7512f426048a9011ff094826d4afa4b87e.pdf",
		"text": "https://archive.orkl.eu/9ae38b7512f426048a9011ff094826d4afa4b87e.txt",
		"img": "https://archive.orkl.eu/9ae38b7512f426048a9011ff094826d4afa4b87e.jpg"
	}
}