Showing posts from 2016

Quick and Easy Android Malware Analysis - Part 3 Digging In!

Hope you brought your shovel as we start to take apart this malware and look at its internal code. To get started we will need to pull the APK from the device to our local system. To do this you will need to turn on USB debugging on the phone or emulator from the Settings menu of Android (check out this link if you don't know how: https://www.kingoapp.com/root-tutorials/how-to-enable-usb-debugging-mode-on-android.htm ). Now that you have your phone/emulator connected to your system you can download the malicious APK. In our case we already have the APK, but for those situations when you might not already have it downloaded, use the adb pull command (e.g. adb pull /data/app/bad.apk) to pull the package from the device. After you have completed this process we can start the static analysis of the APK. The main tool for performing static analysis of an APK is a decompiler. I prefer JEB ( https://www.pnfsoftware.com/jeb2/ ) but it requires a subscription. A free decomp
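The excerpt above assumes you already know the APK's path on the device. As an added example (not code from the original post), the PowerShell function below asks the device for the path with adb shell pm path, pulls every APK it reports (split APKs have more than one), and records a SHA-256 so the file you decompile later can be matched against what was on the device. It assumes adb is on PATH, USB debugging is on, and the package name com.example.bad is a placeholder for the sample you are after.

```powershell
# Added example; not part of the original post.
# Assumes: adb on PATH, a single connected device, English adb output.
function Get-DeviceApk {
    param(
        [Parameter(Mandatory)][string]$Package,   # e.g. com.example.bad (placeholder)
        [string]$OutDir = '.\samples'
    )

    # 'pm path' prints one line per APK: "package:/data/app/<pkg>-xxx/base.apk"
    # Trim() strips the stray carriage return adb can emit on Windows.
    $paths = adb shell pm path $Package | ForEach-Object {
        if ($_ -match '^package:(.+)$') { $Matches[1].Trim() }
    }
    if (-not $paths) { throw "No APK found on the device for package '$Package'" }

    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

    foreach ($remote in $paths) {
        # Prefix with the package name so base.apk from different samples never collide.
        $local = Join-Path $OutDir ("{0}_{1}" -f $Package, (Split-Path $remote -Leaf))
        adb pull $remote $local | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "adb pull failed for $remote" }

        [pscustomobject]@{
            Package = $Package
            Remote  = $remote
            Local   = $local
            SHA256  = (Get-FileHash -Algorithm SHA256 -Path $local).Hash
        }
    }
}

# Find the sample among third-party packages, then pull it:
#   adb shell pm list packages -3
#   Get-DeviceApk -Package com.example.bad | Format-List
```

Hash the pulled file before you touch it with a decompiler; the hash is what you search for on VirusTotal and what goes in your notes, and it catches the case where adb silently handed you a different (or partial) file than you expected.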

Quick and Easy Android Malware Analysis - Part 2 Beginning Analysis - Let's see what it does

In the previous post I covered how to get an Android image running in an emulator and how to install the malicious APK on the device. This post will focus on performing some basic dynamic analysis of the APK in the emulator. The first thing we need to do is start our device. I've found the best way to do this while also saving the network traffic is the command line tool 'emulator'. If you type 'emulator -help' you will get a ton of arguments which this command takes, but thankfully we only need a few of them. We start our device with the command emulator -avd MyDevice -qemu -tcpdump traffic.pcap. This will start the device and save a pcap of the network connections to the file specified.

TestAndroid - Galaxy Nexus Android v4.2.1

Now it's time to get to work. I pulled down a sample from VirusTotal that I've worked with before which is called MisoSMS. This malware was found targeting users in Asia and FireEye did a good writeup o

Quick and Easy Android Malware Analysis - Part 1 Getting Started

Over the last year I have been performing research on mobile devices. My last job had me analyzing the security of Android applications, and recently my new job had me drawing on that experience to help someone analyze some Android malware. First we did some research on potential solutions that could help automate analysis, or at least do some type of dynamic analysis, and that is where I stumbled onto CuckooDroid (https://github.com/idanr1986/cuckoo-droid). After a day or two of messing with CuckooDroid I decided that it was a little overkill for what I needed to do, which was grab a PCAP of the traffic. In one of my next posts I'll cover setting it up, but for now here is what you need to do if you want to do a quick and easy analysis of an Android malware sample.

1) Install Android Studio (http://developer.android.com/sdk/installing/index.html)
2) Use the SDK Manager to install the SDKs and Images to work for the malware you are going to be analyzing.
3)

Need your wifi info? There is a Powershell script for that.

I spent some time cleaning up my laptop the other day, which included removing unused programs and files. It then hit me that I probably had a bunch of Wi-Fi profiles that I don't need anymore, so I thought about writing a script to call the netsh command to output this info. After working on this for about an hour and finally having a crude PowerShell command that did output this info, I did a search and sure enough someone else had already written one. Anyways, here is the command I came up with and a link to the script I found.

PS C:\Windows\system32> netsh wlan show profiles | Select-String -Pattern "All User Profile" | ForEach-Object {$_.ToString()} | ForEach-Object {$_.Replace("    All User Profile     : ",$null)} | ForEach-Object {netsh wlan show profile name=$_ key=clear} | Format-List

Profile Wireless1 on interface Wi-Fi:
=======================================================================
Applied: All User Profile

Profile information
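The one-liner above works, but it depends on the exact column padding of netsh output and passes the profile name unquoted, so a profile with a space in its name breaks it. As an added example (not the author's script or the one they linked), the functions below parse every "Label : Value" line with a regex, quote the profile name, and return objects you can filter or export. They assume English-language netsh output; the Key Content line is only present when Windows lets you see it, which in practice means an elevated prompt, so Key is $null otherwise rather than an error.

```powershell
# Added example; not the original one-liner.
# Assumes: English netsh output; run elevated if you want Key Content.
function Get-WlanProfileName {
    # Each saved profile is printed as "    All User Profile     : <name>"
    netsh wlan show profiles | ForEach-Object {
        if ($_ -match '^\s*All User Profile\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Get-WlanProfileDetail {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $fields = @{}
        # Quote the name: an unquoted name=$_ breaks on SSIDs containing spaces.
        netsh wlan show profile name="$Name" key=clear | ForEach-Object {
            # Generic "Label : Value" lines; the first occurrence of a label wins.
            # The "Profile X on interface Y:" header has nothing after the colon and is skipped.
            if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$' -and -not $fields.ContainsKey($Matches[1])) {
                $fields[$Matches[1]] = $Matches[2]
            }
        }
        [pscustomobject]@{
            Profile        = $Name
            SSID           = $fields['SSID name']        # printed with surrounding quotes by netsh
            Authentication = $fields['Authentication']   # e.g. WPA2-Personal, Open
            Cipher         = $fields['Cipher']           # e.g. CCMP
            Key            = $fields['Key Content']      # $null unless key=clear was honoured
        }
    }
}

# Usage: list everything, or just the open networks worth deleting.
#   Get-WlanProfileName | Get-WlanProfileDetail | Format-Table -AutoSize
#   Get-WlanProfileName | Get-WlanProfileDetail | Where-Object Authentication -eq 'Open'
```

Because this dumps saved PSKs in clear text, treat the output like a credential file: pipe it to the console or to Remove-Item decisions, not to a file that lingers in your home directory.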

Port Scanning with Powershell

It's been a few weeks since my last post, so I've decided to try out some more PowerShell scripting. Here is a script to do some port scanning from a Windows system with PowerShell. Right now it only accepts IP addresses as the target.

###############################################################################
#
# Script: PSPortScanner.ps1
# By: Tim Muniz
# Date: 20160120
#
###############################################################################
<#
.SYNOPSIS
This script scans a remote host to check what ports are open.
.DESCRIPTION
This script scans a remote host to check what ports are open.
.PARAMETER Target
Remote host to scan
.PARAMETER SPort
Port to start scan with.
.PARAMETER EPort
Port to end scan with.
.EXAMPLE
Scan remote host to check what ports are open.
PSPortScanner.ps1 1 1024 10.1.1.2
.NOTES
Please let me know what you think or if it isn't working.
#>
[CmdletBindin
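The excerpt stops before the script body, so as an added example (not PSPortScanner.ps1 itself) here is a TCP connect scanner in the same spirit: it takes a target, a start port and an end port, and uses .NET's TcpClient with an explicit per-port timeout so filtered ports don't stall the scan for the OS default connect time. The target, port range and timeout values in the usage line are placeholders. This is a full three-way-handshake scan, so every open port you find will show a completed connection in the target's logs; that is the trade-off for not needing raw sockets or admin rights.

```powershell
# Added example; not the author's PSPortScanner.ps1.
# Assumes: target is an IP or resolvable name you are authorised to scan.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Target, $Port, $null, $null)
        # A filtered port never answers: give up after $TimeoutMs instead of
        # waiting for the OS connect timeout (tens of seconds per port).
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false
        }
        $client.EndConnect($async)   # throws SocketException on a refused (closed) port
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Invoke-PortScan {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$StartPort = 1,
        [int]$EndPort   = 1024,
        [int]$TimeoutMs = 500
    )
    if ($StartPort -lt 1 -or $EndPort -gt 65535 -or $StartPort -gt $EndPort) {
        throw "Port range must satisfy 1 <= StartPort <= EndPort <= 65535"
    }
    foreach ($port in $StartPort..$EndPort) {
        if (Test-TcpPort -Target $Target -Port $port -TimeoutMs $TimeoutMs) {
            # Emit objects rather than text so results can be filtered or exported.
            [pscustomobject]@{ Target = $Target; Port = $port; State = 'Open' }
        }
    }
}

# Usage (placeholders): scan the well-known ports on one host.
#   Invoke-PortScan -Target 10.1.1.2 -StartPort 1 -EndPort 1024 | Format-Table
#   Invoke-PortScan -Target 10.1.1.2 -StartPort 1 -EndPort 65535 | Export-Csv scan.csv -NoTypeInformation
```

The scan is sequential, so a full 65535-port sweep at a 500 ms timeout against a host that silently drops packets can take several hours; lower the timeout on a LAN, or wrap Test-TcpPort in runspaces or Start-ThreadJob if you need it faster.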