Now we can view and analyze the data we unpacked and decompiled in the previous steps. We can use JD-GUI to do this. JD-GUI is a free utility that displays the Java source code of .class files. You can download this tool here: http://jd.benow.ca/.
Here are the contents of classes.jar displayed by JD-GUI:
We already know a lot about our banking Trojan; let's try to learn something new from code analysis. We identified two suspicious URLs as a result of dynamic analysis: rtrjkrykki.iego.net/appHome/ and 192.151.226.138:80/appHome/. Most likely this is the same server, so let's try to find at least one of the URLs in the code using JD-GUI:
Okay, now we know that the URL is found in ConstantDatas.class. Let's look inside:
If we search for BANKURL, we will find that it's used in MainActinn.class:
Look at the following line: "ConstantDatas.URL = ConstantDatas.BANKURL;". Let's search for ConstantDatas.URL now. We'll find a good hit in Hearttttt.class:
Here, you can see that the application collects information about the device it's installed on and its operating system, installed banking applications, mobile country code and mobile network code, unique subscriber ID, and so on, and posts this data in JSON format to 192.151.226.138:80/appHome/servlet/OnLine.
As you can see, you can get a lot of additional information from static code analysis; sometimes it's relatively easy, sometimes it's not, as a malware sample can be highly obfuscated.
To analyze code with a higher rate of success, we highly recommend you start learning Android programming. Refer to the books provided in the Further reading section.
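The URL search done in JD-GUI above can also be scripted, which helps when a jar holds many classes. The following is an added example, not code from the book or from the sample: it walks each class's constant pool in a jar and reports URL-like string constants per class. The function names and the stub jar contents are constructed for illustration; only the class names and URLs are taken from the text.

```python
import io, re, struct, zipfile

# Payload size in bytes (after the tag) of each fixed-size constant-pool entry.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
            12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
# IPv4 or hostname, optional port, then a path: the shape of the URLs seen above.
INDICATOR = re.compile(r"(?:https?://)?(?:\d{1,3}(?:\.\d{1,3}){3}|(?:[a-z0-9-]+\.)+[a-z]{2,})"
                       r"(?::\d+)?/\S*", re.I)

def utf8_constants(data):
    """Return the CONSTANT_Utf8 strings of one .class file's constant pool."""
    out = []
    try:
        if data[:4] != b"\xca\xfe\xba\xbe":
            return out
        (count,) = struct.unpack_from(">H", data, 8)
        pos, index = 10, 1
        while index < count:
            tag = data[pos]
            if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
                (length,) = struct.unpack_from(">H", data, pos + 1)
                out.append(data[pos + 3:pos + 3 + length].decode("utf-8", "replace"))
                pos += 3 + length
            else:
                pos += 1 + CP_SIZES[tag]
            index += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    except (IndexError, KeyError, struct.error):
        pass  # truncated or malformed pool: keep what was read so far
    return out

def find_indicators(jar_bytes):
    """Map each .class entry of a jar to the URL-like constants it holds."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            found = sorted({s for s in utf8_constants(jar.read(name)) if INDICATOR.fullmatch(s)})
            if found:
                hits[name] = found
    return hits

def sample_jar():
    """Constructed input: stub classes holding only a header and constant pool."""
    def stub(*strings, longs=0):
        pool = (b"\x05" + bytes(8)) * longs
        pool += b"".join(b"\x01" + struct.pack(">H", len(s)) + s for s in strings)
        return b"\xca\xfe\xba\xbe" + bytes(2) + struct.pack(">HH", 51, len(strings) + 2 * longs + 1) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("ConstantDatas.class", stub(b"BANKURL", b"192.151.226.138:80/appHome/", longs=1))
        jar.writestr("Hearttttt.class", stub(b"servlet/OnLine", b"Ljava/lang/String;"))
        jar.writestr("notes.txt", b"rtrjkrykki.iego.net/appHome/")
    return buf.getvalue()
```

Strings that an obfuscated sample builds at runtime or stores encrypted never appear in the constant pool, so an empty result does not mean the class is free of network indicators.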