Android Malware Analysis Overview: Reverse Engineering and Threat Actor Profiling Process
Hi everyone, I would like to share my way of doing Android malware analysis and investigation. It is definitely not the best methodology, but sharing is caring.
Dynamic Analysis
Usually I start with dynamic analysis (most of the time I actually run it concurrently with static analysis) to understand the behavior of the malware. It makes it easier to understand what is going on, and it helps me build my mind map of how the malware executes and where its data flows in and out.
Meanwhile, I run Burp Suite, ADB logcat and the emulator side by side, interact with the app, and monitor the output the application generates and prints to logcat. Why do I do this?
- To observe its network activity: every HTTP connection it makes to the command and control (C2) server.
- Any logs created and the behavior of the malware.
- Tracing the functionality of the malware: how logcat and the system react to the application.
- I screenshot everything that happens on the screen.
- Extract the data generated by the application.
- Running processes (ps, top, etc.).
- Checking the persistence method used by the malware.
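The logcat side of this step is easy to script. The following is an added example (not code from the original post): it parses a threadtime-format logcat capture, finds the pid ActivityManager assigned to the sample's package, pulls the URLs, hosts and IP addresses that process logged, and flags lines that hint at persistence (boot broadcasts, device admin, accessibility service). The logcat excerpt, the package name `com.example.bad` and the C2 host are constructed for the example; the `adb` commands in the comments are real, the proxy address is an assumption.

```python
import re
from urllib.parse import urlparse

# Typical capture setup on the emulator (real adb commands; the proxy address is assumed):
#   adb shell settings put global http_proxy 10.0.2.2:8080   # 10.0.2.2 is the host as seen from the stock emulator
#   adb logcat -v threadtime > logcat.txt
# Constructed logcat excerpt in threadtime format (not output from a real sample):
SAMPLE_LOGCAT = """\
03-14 10:22:01.120  4021  4021 I ActivityManager: Start proc 5120:com.example.bad/u0a210 for broadcast com.example.bad/.BootReceiver
03-14 10:22:01.430  5120  5120 D BadApp  : config url http://c2.example-bad.test/api/gate.php
03-14 10:22:01.455  5120  5139 D BadApp  : connecting to 198.51.100.23:8080
03-14 10:22:02.010  5120  5139 D BadApp  : posting to https://c2.example-bad.test/api/upload
03-14 10:22:02.500  4021  4021 I ActivityManager: Start proc 5201:com.android.chrome/u0a55 for activity com.android.chrome/.Main
03-14 10:22:03.010  5120  5120 W BadApp  : DeviceAdmin not enabled, requesting it
"""

# threadtime layout: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
THREADTIME_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>.+?)\s*:\s(?P<msg>.*)$"
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # also matches version-like strings; review the output
# Strings worth a second look when they appear in the log of (or about) the sample.
PERSISTENCE_RE = re.compile(
    r"BOOT_COMPLETED|for broadcast|DeviceAdmin|AccessibilityService|JobScheduler", re.I
)


def parse_logcat(text):
    """Split a threadtime logcat dump into records; lines that do not parse are skipped."""
    records = []
    for line in text.splitlines():
        m = THREADTIME_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"], rec["tid"] = int(rec["pid"]), int(rec["tid"])
            records.append(rec)
    return records


def pid_for_package(records, package):
    """Return the pid ActivityManager logged when it started the package's process, or None."""
    start_re = re.compile(r"Start proc (\d+):" + re.escape(package) + r"/")
    for rec in records:
        if rec["tag"] == "ActivityManager":
            m = start_re.search(rec["msg"])
            if m:
                return int(m.group(1))
    return None


def extract_network_iocs(records, pid=None):
    """Collect URLs, hostnames and bare IPs from log messages, optionally only from one pid."""
    urls, hosts, ips = set(), set(), set()
    for rec in records:
        if pid is not None and rec["pid"] != pid:
            continue
        for url in URL_RE.findall(rec["msg"]):
            urls.add(url)
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
        ips.update(IP_RE.findall(rec["msg"]))
    hosts -= ips   # an IP used as a URL host belongs in the ips set only
    return {"urls": urls, "hosts": hosts, "ips": ips}


def persistence_hints(records, package):
    """Messages matching PERSISTENCE_RE that name the package or come from its process."""
    pid = pid_for_package(records, package)
    return [rec["msg"] for rec in records
            if PERSISTENCE_RE.search(rec["msg"]) and (package in rec["msg"] or rec["pid"] == pid)]


if __name__ == "__main__":
    recs = parse_logcat(SAMPLE_LOGCAT)
    pid = pid_for_package(recs, "com.example.bad")
    print("pid:", pid)
    for kind, values in extract_network_iocs(recs, pid=pid).items():
        print(kind, sorted(values))
    for hint in persistence_hints(recs, "com.example.bad"):
        print("persistence?", hint)
```

Scoping the IOC extraction to the sample's pid matters on a real device: system services and other apps log URLs too, and you do not want those in the report. Read the persistence hints as pointers to verify against the manifest and `dumpsys`, not as proof.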
This is important. Take notes on what is happening; I find that pen and paper really do the job and are very satisfying. It's OK if no one else understands what you write. Nobody can read my notes because of my ugly handwriting and all the sketches I draw to map the flow, but whatever helps me make my report as detailed as possible later.
After running the application to get its runtime context and completing dynamic analysis, it is time to get my hands dirty with static analysis.
Static Analysis
Static analysis is tedious and very time consuming, so automation really helps. To speed everything up I dump all the samples into MobSF. Click here if you want to check it out. I really recommend it.
Before that I used to reverse applications with Dex2Jar and JD-GUI, but since I found MobSF it has been much easier and faster, with all the information it extracts from the APKs I dump into it. Heaven! Imagine having more than 50 malware samples at one time and how much time I would have to spend reverse engineering each of them by hand. The only thing I still need is a way to know when the app was compiled. Does anyone know?
Extracting indicators of compromise (IOCs) from the automated tool's output I still have to do manually; I should write a script to make this easier and more bearable. This is what I need and collect first:
- Package name.
- Version code and version name.
- Manifest file.
- Hashes (MD5, SHA1, SHA256).
- Domains and IP addresses.
- Signing certificate (and signature scheme version).
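Most of this list can be scripted straight from the APK, which is just a zip file. The following is an added example, not code from the original post or from MobSF: it hashes the file, lists the signature blocks under META-INF, records each zip entry's timestamp, and scans every entry's bytes for URLs, domains and IPs. The APK it builds is a constructed stand-in (placeholder manifest, dex and certificate entries; the domains and IPs are documentation-range values). Package name and version live in the binary AndroidManifest.xml, which this script does not decode; `aapt dump badging sample.apk` prints them, and `keytool -printcert -file META-INF/CERT.RSA` prints the certificate including its validity dates. On the "when was it compiled" question: zip entry timestamps are set by the build tool and are often normalized, so treat them as a hint only; the certificate's "valid from" date is a lower bound on the signing time, since the APK can only be signed after the certificate exists.

```python
import hashlib
import io
import re
import zipfile
from datetime import datetime

# File extensions the bare-domain regex would otherwise mistake for top-level domains.
NOT_TLDS = {"php", "dex", "xml", "so", "png", "jpg", "js", "html", "json", "txt",
            "java", "class", "kt", "apk", "arsc", "dat", "db"}
URL_RE = re.compile(rb"https?://[^\s'\"<>\x00]+", re.I)
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with placeholder entries, not a real sample."""
    stamp = (2019, 6, 3, 9, 15, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("AndroidManifest.xml", stamp), b"\x03\x00\x08\x00placeholder")
        z.writestr(zipfile.ZipInfo("classes.dex", stamp),
                   b"dex\n035\x00https://c2.example-bad.test/gate.php\x00"
                   b"http://203.0.113.9:8080/u\x00mail@example-bad.test\x00")
        z.writestr(zipfile.ZipInfo("META-INF/CERT.RSA", stamp), b"\x30\x82placeholder")
    return buf.getvalue()


def file_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the whole file, the hashes that go into the IOC list."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def signature_files(apk: bytes) -> list:
    """Names of the v1 signature blocks; feed these to keytool/openssl for the certificate."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return [n for n in z.namelist()
                if n.startswith("META-INF/") and n.upper().endswith((".RSA", ".DSA", ".EC"))]


def entry_times(apk: bytes) -> dict:
    """Zip entry timestamps; build tools often normalize these, so they are only a hint."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return {i.filename: datetime(*i.date_time) for i in z.infolist()}


def extract_iocs(apk: bytes) -> dict:
    """Scan every entry's raw bytes for URLs, bare domains and IPv4 addresses."""
    urls, domains, ips = set(), set(), set()
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        for info in z.infolist():
            blob = z.read(info)
            urls.update(m.decode("ascii", "replace") for m in URL_RE.findall(blob))
            for m in DOMAIN_RE.findall(blob):
                d = m.decode("ascii", "replace").lower()
                if d.rsplit(".", 1)[-1] not in NOT_TLDS:   # drop "gate.php" style hits
                    domains.add(d)
            ips.update(m.decode() for m in IP_RE.findall(blob))
    return {"urls": sorted(urls), "domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    apk = build_sample_apk()
    print(file_hashes(apk))
    print(signature_files(apk))
    print(entry_times(apk))
    print(extract_iocs(apk))
```

The domain regex is deliberately loose; strings like package names or obfuscated identifiers will land in the output, so the domain list still needs a manual pass before it goes into the report. Running the same script over 50 samples and diffing the results is a quick way to see which ones share infrastructure.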
After all this is done, reversing the code is the easy part; the hard part is reading it. I go through it line by line, method by method, class by class, working out which part does what and referring to the results I gathered during dynamic analysis to understand the flow of the code.
I extract the snippets of code that really matter, save them in a new text file with comments describing their functionality, and use them as part of the report. This builds up the picture of what the malware authors implemented.
What if the application is obfuscated? I will cover that topic in a later post.
Profiling
In this part, I use all the information collected in the previous activities and start further investigation. I begin with the domains and IP addresses collected earlier, using WHOIS and other lookup tools to gather more information on:
- Domain owner.
- Domain registrant.
- Registrant name.
- Registrant email.
- Domain registrar.
- Public hosting provider used.
- Domain creation and expiry dates.
- Any other relevant information.
Why is this information relevant to the investigation? Because it lets you construct a timeline of the threat actor's campaign, tell which malware belongs to which campaign, and provide critical information for the escalation process later.
Then I search VirusTotal (usually) for detections on the hashes I collected, for additional information. Nothing fancy, just checking for detection. lol
With all the IP addresses and domains found, I step up my game by gathering more information on those servers.
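Turning WHOIS output into a campaign timeline is mostly bookkeeping, so here is an added example (not code from the original post) that does it: it parses the key/value text that `whois <domain>` prints, clusters domains that share a registrant email, name server or registrar (privacy-redacted values are ignored since they pivot to nothing), and orders the domains by creation date with the samples that contacted each one attached. The three WHOIS records, the domains and the sample names are all constructed; the sample-to-domain mapping stands in for what the dynamic and static analysis steps produced.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed WHOIS-style output for three domains found in samples (not real lookups).
SAMPLE_WHOIS = {
    "c2-alpha.example-bad.test": """\
Domain Name: C2-ALPHA.EXAMPLE-BAD.TEST
Registrar: Example Registrar Inc.
Creation Date: 2019-05-20T08:11:00Z
Registry Expiry Date: 2020-05-20T08:11:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: ops@mailbox.example-bad.test
Name Server: NS1.HOSTER.EXAMPLE
""",
    "update-check.example-bad2.test": """\
Domain Name: UPDATE-CHECK.EXAMPLE-BAD2.TEST
Registrar: Other Registrar LLC
Creation Date: 2019-08-02
Registrant Email: ops@mailbox.example-bad.test
Name Server: NS1.OTHER.EXAMPLE
""",
    "cdn.unrelated.test": """\
Domain Name: CDN.UNRELATED.TEST
Registrar: Example Registrar Inc.
Creation Date: 10-Jan-2018
Registrant Email: REDACTED FOR PRIVACY
Name Server: NS1.HOSTER.EXAMPLE
Name Server: NS2.HOSTER.EXAMPLE
""",
}
# Which (constructed) sample contacted which domain, from the earlier analysis steps.
SAMPLE_CONTACTS = {
    "sample_a.apk": {"c2-alpha.example-bad.test"},
    "sample_b.apk": {"update-check.example-bad2.test"},
    "sample_c.apk": {"c2-alpha.example-bad.test", "cdn.unrelated.test"},
}

# Registries print dates in several layouts; try the common ones in order.
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")
PRIVACY_MARKERS = ("redacted", "privacy", "proxy")


def parse_whois(text: str) -> dict:
    """Parse 'Key: value' WHOIS lines into a dict with lowercase keys; repeated keys become lists."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.+?)\s*$", line)
        if not m:
            continue
        key, val = m.group(1).strip().lower(), m.group(2)
        if key in rec:
            rec[key] = (rec[key] if isinstance(rec[key], list) else [rec[key]]) + [val]
        else:
            rec[key] = val
    return rec


def parse_date(value: str):
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            pass
    return None


def is_redacted(value) -> bool:
    return not value or any(p in str(value).lower() for p in PRIVACY_MARKERS)


def cluster_by(records: dict, field: str) -> dict:
    """Group domains sharing a WHOIS field value; only groups with 2+ domains are pivots."""
    groups = defaultdict(set)
    for domain, rec in records.items():
        vals = rec.get(field, [])
        for v in (vals if isinstance(vals, list) else [vals]):
            if not is_redacted(v):
                groups[v.lower()].add(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def timeline(records: dict, contacts: dict) -> list:
    """(creation date, domain, samples contacting it), oldest first; undated domains last."""
    rows = []
    for domain, rec in records.items():
        created = parse_date(rec.get("creation date", ""))
        samples = sorted(s for s, doms in contacts.items() if domain in doms)
        rows.append((created, domain, samples))
    rows.sort(key=lambda r: (r[0] is None, r[0] or datetime.min))
    return rows


if __name__ == "__main__":
    recs = {d: parse_whois(t) for d, t in SAMPLE_WHOIS.items()}
    for field in ("registrant email", "name server", "registrar"):
        print(field, cluster_by(recs, field))
    for created, domain, samples in timeline(recs, SAMPLE_CONTACTS):
        print(created, domain, samples)
```

Note how the pivots disagree: the registrant email ties the two C2 domains together, while the name server and registrar tie one of them to a domain with no visible link to the samples. That is exactly the kind of finding to write up as "possibly related" rather than "same actor" until something stronger (a shared sample, certificate or server fingerprint) confirms it.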
Reporting
I compile the report in multiple sections. The first section is a general overview of the malware and/or the campaign: facts, figures and statistics. The second part is the more in-depth technical report, which most management-level and non-technical people are probably not even interested in. The last part is where I share and include all the IOCs. At the same time, I escalate and report to the respective parties for takedown, whether the ISP, the domain or public hosting provider, or the authorities.
That's all.