Posts

What is considered malicious for an APK?

It's been a few months since my last post and I thought that a post about what items might be considered suspicious in an APK would be good to have. There is only two main items that I can think of but should provide a researcher with an idea of when they might need to reverse an application to figure out exactly what it is doing.

Permissions
In order for applications to access certain features of an Android device they must request access to the corresponding permissions for that feature. Such as, if an application wants to send SMS it must request access to that feature. This is usually done on install. When you choose to install a new application the user has to grant or deny access. This is the only time a user is prompted to allow access as the application will not request permissions when running. This can be dangerous if you allow access to an application and do not know what it is actually requesting access to.

Permissions are a good place to start with when trying to figur…

Quick and Easy Android Malware Analysis - Part 3 Digging In!

Image
Hope you brought your shovel as we start to take apart this malware and look at it's internal code. To get started we will need to pull the APK from the device to our local system. To do this you will need to turn on usb debugging on the phone or emulator from the settings menu of Android (Check out this link if you don't know how https://www.kingoapp.com/root-tutorials/how-to-enable-usb-debugging-mode-on-android.htm). Now that you have your phone/emulator connected to your system you can now download the malicious APK.

In our case we already have the APK but for those situations when you might now already have it downloaded you use the adb pullcommand (e.g. adb pull /data/app/bad.apk)to pull the package from the device. After you have completed this process we can now start the static analysis of APK.

The main tool for performing static analysis of the APK is a decompiler. I prefer JEB (https://www.pnfsoftware.com/jeb2/) but it requires a subscription. A free decompiler that …

Quick and Easy Android Malware Analysis - Part 2 Beginning Analysis - Let's see what it does

Image
In the previous post I covered how to get an Android image running in an emulator and how to install the malicious APK to the device. This post will focus on performing some basic dynamic analysis of the APK in the emulator.

The first thing we need to do is start our device. I've found the best way to do this that allows me to save the network traffic is with the command line tool 'emulator'. If you type 'emulator -help' you will get a ton of arguments which this command takes but thankfully for us we only need a few of them. We start our device with the command emulator -avd  MyDevice -qemu -tcpdump traffic.pcap. This will start the device and save out a pcap of the network connections to the file specified.

Now its time to get to work. I pulled done a sample from VirusTotal that I've worked with before which is called MisoSMS. This malware was found targeting users in Asia and FireEye did a good writeup on it a while ago which you can read here. Its main purp…

Quick and Easy Android Malware Analysis - Part 1 Getting Started

Image
Over the last year I have been performing research on mobile devices. My last job had me analyzing the security of Android applications and recently I found my new job drawing on my past experience to help someone analyze some Android malware. First we started to do some research on potential solutions that could help automate analysis or at least do some type of dynamic analysis and that is were I stumbled onto CuckooDroid (https://github.com/idanr1986/cuckoo-droid).
After a day or two of  messing with CuckooDroid I decided that it was a little overkill for what I needed to do which was grab a PCAP of the traffic. In one of my next post I'll cover setting it up but for now here is what you need to do if you want to do a quick and easy analysis of an Android malware sample. 
1) Install Android Studio (http://developer.android.com/sdk/installing/index.html) 2) Use the SDK Manager to install the SDKs and Images to work for the malware you are going to be analyzing.


3) Create a new A…

Need your wifi info? There is a Powershell script for that.

I spent some time cleaning up my laptop the other day which included removing unused programs and files. It then hit me that I probably had a bunch of wifi profiles that I don't need anymore so I thought about writing a script to call the netsh command to output this info. After working on this for about an hour and finally having a crude Powershell command that did output me this info I did a search and sure enough someone else had already wrote on. Anyways, here is the command I came up with and a link to the script I found.


PS C:\Windows\system32> netsh wlan show profiles | Select-String -Pattern "All User Profile"  | ForEach-Object {$_.ToString()} | ForEach-Object {$_.Replace("    All User Profile     : ",$null)} | ForEach-Object {netsh wlan show profile name=$_ key=clear} | Format-List


Profile Wireless1 on interface Wi-Fi:
=======================================================================

Applied: All User Profile  

Profile information
-----------…

Port Scanning with Powershell

It's been a few weeks since my last post so I've decided to try out some more Powershell scripting. Here is a script to do some port scanning from a Windows system with Powershell. Right now it only allows for IP Addresses to be used.

###############################################################################################
#
# Script: PSPortScanner.ps1
# By: Tim Muniz
# Date: 20160120
#
###############################################################################################
<#

.SYNOPSIS

This script scans a remote host to check what ports are open.


.DESCRIPTION

This script scans a remote host to check what ports are open.


.PARAMETER Target

Remote host to scan


.PARAMETER SPort

Port to start scan with.

.PARAMETER EPort

Port to end scan with.


.EXAMPLE

Scan remote host to check what ports are open.

PSPortScanner.ps1  1  1024 10.1.1.2


.NOTES

Please let me know what you think or if it isn't working.

#>
[CmdletBinding()]
Param(

    [Parameter(Mandatory=$True,Pos…

Testing Joomla for CVE-2015-8562

Over the last couple of days I've been responding to question about Joomla's 0-day which has been gaining some attention lately. I decided to write a PowerShell script to check a Joomla server if it is running the at least 3.4.6 or 3.4.7. Hope you enjoy it and let me know your thoughts.

###############################################################################################
#
# Script: CheckJoomla.ps1
# By: Tim Muniz
# Date: 20151222
#
############################################################################################### <#
.SYNOPSIS
This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562.


.DESCRIPTION
This script checks Joomla Version to check if the remote host is vulnerable to CVE-2015-8562.

.PARAMETER target
a host running Joomla to test.


.PARAMETER Https
To test a host running SSL/TLS. 
This is an optional parameter.


.EXAMPLE
Check remote Joomla Host and report if vulnerable.
CheckJoomla.ps1 myjoomla.com 


.EXAMPLE 
C…