TryHackMe: Mobile Malware Analysis Write-up
This room was created by cmnatic, Termack and farinap5 on the TryHackMe platform. It is rated easy and is meant to let users learn and practice mobile malware analysis. Without further ado, let's get started.
Link to TryHackMe Mobile Malware Analysis room: https://tryhackme.com/room/mma
Task 2 An Unknown Land
What is the first malware created to affect mobile devices?
Ans: Cabir
What technology does this worm use to multiply?
Ans: Bluetooth
What operating system did it infect?
Ans: Symbian
What message did it show on the screen of the infected mobile phones?
Ans: Caribe.
Task 3 Small Size, a lot of Destruction
Start the machine and wait for it to boot up completely. Next, scan the file named "TWFsd2FyZQ.apk", which is located on the machine's desktop, as shown in the figure below.
After the upload, the application automatically analyzes the file. It might take up to several minutes. For me, my attack box crashed a few times before it was able to run.
This is the result.
The format of the file?
Ans: .apk
Decode the name of the sample.
Ans: Malware
Which is the target platform?
Ans: Android
Task 4 Digging Deeper
For this task, we need to submit the file to VirusTotal for analysis. The results are:
We can start answering the question.
What can Avast-Mobile tell us about this software?
Ans: Can't show it here.
What program was used to create the malware?
Ans: Metasploit
What is the package name?
Ans: com.metasploit.stage
What is the SHA-1 signature?
Ans: 74d442594acf11dc6e3492ffea5eb8956afd000d
The unique XML file name can be found in VirusTotal:
How many permissions are there inside?
Ans: 22 (you have to count them)
Which permission allows the application to take pictures with the camera?
What is the message left by the community? It can be found under the "COMMUNITY" tab of the VirusTotal result.
Task 5 MobSFing the sample.
The programming language used in this malware is Java, as I saw here.
Only one signature scheme is found in the package: v1 is true, while v2 and v3 are false.
For the next question, the answer can be found just below the Signer Certificate section.
The name of the app?
Ans: .MainActivity
The function that calls the package manager so it can see all installed applications can be found in payload.java, as stated in the hints. After looking for a while, I found it.
The severity of the "android:allowBackup" configuration can be found in the Manifest Analysis section.
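As an added worked example (not part of the original write-up, and not MobSF's or VirusTotal's own code), the following Python script reproduces three of the checks above offline: decoding the base64 sample name from Task 3, counting the uses-permission entries and locating the camera permission from Task 4, and reading the android:allowBackup attribute that MobSF's Manifest Analysis flags in Task 5. The manifest it parses is a constructed stand-in for a decoded AndroidManifest.xml (the plain-text form that apktool or MobSF emit, not the binary XML inside the APK); it is not the real sample's manifest, and its permission list is deliberately shorter than the 22 counted above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration only. It is NOT the manifest
# of the room's TWFsd2FyZQ.apk; the package name and main activity mirror
# the write-up's answers, the permission list is invented and shorter.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.metasploit.stage">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="MainActivity" android:allowBackup="true">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
    </application>
</manifest>
"""


def decode_sample_name(filename: str) -> str:
    """Base64-decode the file stem, restoring the '=' padding the name dropped."""
    stem = filename.rsplit(".", 1)[0]
    stem += "=" * (-len(stem) % 4)  # "TWFsd2FyZQ" needs two '=' to be valid
    return base64.b64decode(stem).decode("utf-8")


def analyse_manifest(xml_text: str) -> dict:
    """Pull the fields the write-up looks up by hand out of a decoded manifest."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = [e.get(name_attr) for e in root.iter("uses-permission")]

    app = root.find("application")
    # MobSF's Manifest Analysis warns when allowBackup is "true": app data can
    # be pulled with adb backup. None means the attribute is absent.
    allow_backup = app.get(f"{{{ANDROID_NS}}}allowBackup") if app is not None else None

    # The launcher activity is the one whose intent-filter carries action MAIN.
    main_activity = None
    for act in root.iter("activity"):
        if any(a.get(name_attr) == "android.intent.action.MAIN" for a in act.iter("action")):
            main_activity = act.get(name_attr)

    return {
        "package": root.get("package"),
        "permissions": perms,
        "permission_count": len(perms),
        # The permission that lets the app take pictures is android.permission.CAMERA.
        "camera_permission": next((p for p in perms if p == "android.permission.CAMERA"), None),
        "allow_backup": allow_backup,
        "main_activity": main_activity,
    }


def sha1_hex(data: bytes) -> str:
    """SHA-1 of the raw APK bytes, to compare with the hash VirusTotal reports."""
    return hashlib.sha1(data).hexdigest()


if __name__ == "__main__":
    print("decoded name:", decode_sample_name("TWFsd2FyZQ.apk"))
    result = analyse_manifest(SAMPLE_MANIFEST)
    for key in ("package", "permission_count", "camera_permission", "allow_backup", "main_activity"):
        print(f"{key}: {result[key]}")
```

To run it against a real sample, decode the APK first (for example with apktool d sample.apk) and pass the contents of the resulting AndroidManifest.xml to analyse_manifest; feeding it the binary manifest straight out of the ZIP will fail to parse. sha1_hex should be given the bytes of the .apk file itself, which is what VirusTotal hashes.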
Task 6 It doesn't smell good!
Run the analysis for Sample2.apk.
The SHA-256 value is redacted.
After running on VirusTotal, we have the results here.
With what we have, try to find out the name of the sample.
Ans: Pegasus
This became news for spying on journalists; what year was that?
Ans: 2017
The ID of the sample can be found on the MITRE website after searching for Pegasus.
The technique that exploits an OS vulnerability for privilege escalation can also be found on MITRE ATT&CK.
The status of each permission can be found in the MobSF report. The status of android.permission.GET_ACCOUNTS is on page 5.
The org.eclipse.paho.client file that refers to the properties for Brazilian Portuguese (pt-br) can be found at the end of the page.
The malware has a special appeal for its safety and its internal components, reducing the risk of compromise: it performs its own cryptographic operations and includes a random bit generation service. To find this, go to NIAP Analysis in the MobSF results; the first identifier there shows the description matching this question.
And this is the end!
Thank you for reading and completing this write-up. I will try my best to write write-ups for future and past rooms which I missed previously. And thank the creators for creating such a great room for users to learn new things!
Any improvements or suggestions are welcomed.
This write-up is published after the 72-hour waiting period required by the rules.
###########################################
The progress might be slower due to the lower specs of my laptop. Any sponsorship is greatly appreciated to speed up my learning and progress. xD