{
	"id": "ef323ed6-8857-4aef-8287-0287a6446877",
	"created_at": "2026-04-06T00:17:33.209765Z",
	"updated_at": "2026-04-10T03:20:17.125622Z",
	"deleted_at": null,
	"sha1_hash": "aae3bb4e7c85f512e21ea9275b8a16925855c4c6",
	"title": "Tracking Android/Joker payloads with Medusa, static analysis (and patience)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 885384,
	"plain_text": "Tracking Android/Joker payloads with Medusa, static analysis (and patience)\r\nBy @cryptax\r\nPublished: 2022-06-20 · Archived: 2026-04-05 14:44:10 UTC\r\nI am looking into a new sample of Android/Joker, reported on June 19, 2022 by @ReBensk:\r\nafeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f\r\nAndroid/Joker is known for using many payloads: a first payload loads another payload, which loads another one, etc. Matryoshka dolls-style 😁. See an analysis of a previous Joker sample. This sample uses many payloads too, but the implementation that loads the payloads is a bit different. I’ll detail.\r\nMedusa\r\nI recently discovered Medusa and like it very much… for dynamic analysis (I still prefer static analysis, everybody knows that by now?). Medusa is easy to use and comes with a collection of ready-to-use Frida hooks. Launch an Android emulator and a Frida server, install the sample, then launch Medusa ( python3 medusa.py ). Select the hooks you want (search through the hooks with the search command, select a given hook with use, then compile the list of hooks). Those are the hooks you need (I recently contributed to the last two hooks):\r\nuse http_communications/uri_logger\r\nuse encryption/cipher_1\r\nuse code_loading/dump_dyndex\r\nuse code_loading/load_class\r\nFinally, start the malware ( run -f package_name , or run -n 0 if you have a single sample installed on your emulator).\r\nhttps://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2\r\nPage 1 of 6\r\nI use the URI hook (http_communications/uri_logger) in Medusa and see the URLs the malware calls. Android/Joker is known to use URLs such as xxx[.]aliyuncs.com.\r\nAs Android/Joker samples usually don’t make things simple for malware analysts, I somewhat expected those URLs to be encrypted. Medusa has decryption hooks too.\r\nBingo! The look4.oss-ap[..]aliyuncs.com URL is encrypted. The decryption hook, encryption/cipher_1, shows the decrypted value.\r\nMy dynamic DEX dumper (code_loading/dump_dyndex) and the convenient loadClass hook (code_loading/load_class) show that several files are dynamically loaded:\r\nDexClassLoader called: /data/user/0/com.designemoji.keyboard/files/audience_network.dex\r\n[+] Dumped /data/user/0/com.designemoji.keyboard/files/audience_network.dex to dump_1\r\nloadClass: com.designemoji.keyboard.EnableActivity\r\nloadClass: com.facebook.ads.internal.dynamicloading.DynamicLoaderImpl\r\n...\r\nPathClassLoader(f,p) called: /data/user/0/com.designemoji.keyboard/cache/nuff\r\n[+] Dumped /data/user/0/com.designemoji.keyboard/cache/nuff to dump_2\r\nloadClass: seek...\r\nDexClassLoader called: /data/user/0/com.designemoji.keyboard/files/seek\r\n[+] Dumped /data/user/0/com.designemoji.keyboard/files/seek to dump_3\r\nDexClassLoader called: /data/user/0/com.designemoji.keyboard/files/Yang\r\n[+] Dumped /data/user/0/com.designemoji.keyboard/files/Yang to dump_4\r\nloadClass: com.xjuys\r\nloadClass: com.android.installreferrer.api.InstallReferrerClient\r\nThe first DEX ( audience_network.dex ) belongs to Facebook. I am not after this. The 3 other DEXes ( nuff , seek and Yang ) are far more promising. Note that nuff is loaded by PathClassLoader , and the other 2 by DexClassLoader .\r\nLoading nuff (payload 1)\r\nDroidLysis doesn’t detect any use of DexClassLoader , PathClassLoader or InMemoryDexClassLoader . So, how is the first payload loaded? Let’s locate the URL (look4[…]aliyuncs.com). It is encrypted, so I search DroidLysis’ detailed report for where encryption is used.\r\n## Cipher\r\n- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a\r\n- file=./emojikeyboard.apk-afeb6efad25ed7bf1bc183c19ab5b59ccf799d46e620a5d1257d32669bedff6f/smali/f/a\r\nFortunately, there are not many different locations, and I head directly to the right one: f.a.a.a . Encrypted strings are decrypted using PBEWithMD5AndDES . I write a static decryptor.\r\nDecrypted=https://look4[.]oss-ap-southeast-5[.]aliyuncs.com/designemoji\r\nDecrypted=getClassLoader\r\nDecrypted=loadClass\r\nDecrypted=seek\r\nDecrypted=melody\r\nThe code downloads a JAR from that URL, stores it in a cache directory of the application, and then loads it via … getClassLoader ! That’s why DroidLysis didn’t see it! (to be fixed).\r\n[Image] Code loading the JAR with getClassLoader, which then invokes a method named melody()\r\nStatic analysis of nuff (payload 1)\r\nThe JAR contains a classes.dex with a single class named seek , and a method named melody . It is simple to understand:\r\n1. It downloads a DEX file from https://look4.oss-ap-southeast-5[.]aliyuncs[.]com/nunber\r\n2. It stores that DEX in the application’s file directory, with filename seek\r\n3. It loads the DEX using DexClassLoader\r\n4. It invokes cantus.bustle() in that DEX\r\n[Image] Code of payload 1. Download URL for payload 2 — we also see that class cantus, method bustle is called.\r\nStatic analysis of payload 2\r\nCan you guess what cantus.bustle() does? It downloads yet another DEX from https://xjuys.oss-accelerate[.]aliyuncs.com/xjuys !\r\nPayload 2 is loading … Payload 3\r\nThis time, the payload will be stored in a file named Yang , and it will search for class com.xjuys and method xjuys .\r\nStatic analysis of payload 3\r\nThis com.xjuys JAR had already been used in several other samples of Joker (sha256: 2edaf2a2d8fd09a254ea41afa4d32b145dcec1ab431a127b2462b5ea58e2903d ).\r\nIt dynamically loads 2 other ZIPs:\r\n1. https://xjuys.oss-accelerate[.]aliyuncs.com/fbhx1. We have already seen this payload. It is the same as in this article and contains Facebook hooks.\r\n2. https://beside.oss-eu-west-1[.]aliyuncs.com/af2. It stores the file in the app’s file directory, with filename KBNViao . Then, it loads com.appsflyer.AppsFlyerLib and calls the methods init() then startTracking() [love the name of the method, don’t we? 😏]. This is the AppsFlyer SDK, a mobile analytics library.\r\n[Image] Connect to remote URL and download payload 4.\r\nSummary\r\nThe initial DEX is quite heavily obfuscated.\r\nPayload 1 ( designemoji / nuff ) has no other use than loading Payload 2.\r\nPayload 2 ( nunber / seek ) enables notification listeners (we haven’t detailed this in this article) and loads Payload 3.\r\nPayload 3 ( xjuys / Yang ) has yet more malicious code (not detailed here) and loads 2 additional DEX files: one for Facebook, the other one containing the AppsFlyer SDK.\r\nPayload 4a and 4b: Facebook hooks + AppsFlyer SDK.\r\n— Cryptax\r\nSource: https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2"
	],
	"report_names": [
		"tracking-android-joker-payloads-with-medusa-static-analysis-and-patience-672348b81ac2"
	],
	"threat_actors": [],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/aae3bb4e7c85f512e21ea9275b8a16925855c4c6.pdf",
		"text": "https://archive.orkl.eu/aae3bb4e7c85f512e21ea9275b8a16925855c4c6.txt",
		"img": "https://archive.orkl.eu/aae3bb4e7c85f512e21ea9275b8a16925855c4c6.jpg"
	}
}