Mobile Malware Analysis

Room Name: Mobile Malware Analysis
Room Link: https://tryhackme.com/room/mma

Q: What is known as the first malware created to affect mobile devices?
A: Cabir

Q: What technology did this worm use to multiply?
A: Bluetooth

Q: What operating system did it infect?
A: Symbian

Q: What message did it show on the screen of the infected mobile phone?
A: Caribe

Q: What is the format of the file?
A: .apk

Q: Decode the name of the sample.
A: Malware

Q: Which is the target platform?
A: Android

Q: What can Avast-Mobile tell us about this software?
A: Android:Metasploit-Q [PUP]

Q: What program was used to create the malware?
A: Metasploit

Q: What is the package name?
A: com.metasploit.stage

Q: What is the SHA-1 signature?
A: 74d442594acf11dc6e3492ffea5eb8956afd000d

Q: What is the unique XML file?
A: AndroidManifest.xml

Q: How many permissions are there inside?
A: 22

Q: Which permission allows the application to take pictures with the camera?
A: android.permission.CAMERA

Q: What is the message left by the community?
A: THM{V1ru5-T0t4al-TWFsd2FyZS1BbmFseXNpcw}

Q: What is the programming language used to create the program?
A: Java

Q: How many signatures does the package have?
A: 1

Q: The application is signed with the v1 signature scheme. What is it vulnerable to on Android <7.0?
A: Janus

Q: What is the App name?
A: MainActivity

Q: It looks like there is a function calling for the package manager, so it can see all the installed applications. What function is that?
A: b.getPackageManager

Q: The flag "android:allowBackup" allows the user to back up application data via USB debugging. It is recommended that this be set to "False", even though it is "True" by default. What is the severity of this configuration?
A: medium

Q: What is the SHA-256 hash of the file?
A: bd8cda80aaee3e4a17e9967a1c062ac5c8e4aefd7eaa3362f54044c2c94db52a

Q: After finding the sample on VirusTotal, what does the "Avast" anti-virus engine recognize it as?
A: Android:Obfus-BM [Trj]

Q: With what we have, try to find out the name of the sample.
A: Pegasus

Q: It seems to be a very dangerous malware with a long history of destruction. It became news for spying on journalists; what year was that?
A: 2017

Q: If we search for the name of the malware in MITRE ATT&CK (https://attack.mitre.org/), we can find some interesting information. What is the ID of the MITRE ATT&CK entry associated with our sample?
A: S0316

Q: What technique has the ability to exploit OS vulnerabilities to escalate privileges?
A: T1404

Q: There is a permission that, when accepted, allows the application to access the list of accounts in the Accounts Service. What is the status shown by MobSF regarding this permission (android.permission.GET_ACCOUNTS)?
A: dangerous

Q: Which org.eclipse.paho.client file refers to properties of Portuguese from Brazil (pt-br)?
A: org/eclipse/paho/client/mqttv3/internal/nls/messages_pt_BR.properties

Q: The malware has a special appeal for its safety and its internal components, reducing the risk of compromise. It has a functionality for its cryptographic operations with the feature of a random bit generation service. How can it be identified?
A: FCS_RBG_EXT.1.1
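As an added triage example (my own code, not the room's or MobSF's), the script below parses a constructed, already-decoded AndroidManifest.xml, counts the declared permissions, flags the ones at the dangerous protection level (such as android.permission.CAMERA and GET_ACCOUNTS) and reports a medium finding when android:allowBackup is true or omitted. The sample manifest, the package name and the permission subset are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions at Android's "dangerous" protection level, the status MobSF reports for them.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_SMS",
}

# Constructed decoded manifest, the form apktool/MobSF produce; the raw APK
# holds binary AXML that must be decoded first. Not the room's sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.stage">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="MainActivity">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

def parse_manifest(xml_text):
    """Return package name, declared permissions and the allowBackup flag."""
    root = ET.fromstring(xml_text)
    perms = [e.get(f"{{{ANDROID_NS}}}name") for e in root.iter("uses-permission")]
    app = root.find("application")
    raw = app.get(f"{{{ANDROID_NS}}}allowBackup") if app is not None else None
    # allowBackup defaults to "true" when absent, so an omitted flag is still a finding.
    allow_backup = True if raw is None else raw.strip().lower() == "true"
    return {"package": root.get("package"), "permissions": perms,
            "allow_backup": allow_backup}

def triage(info):
    """Return MobSF-style findings as (severity, description) tuples."""
    findings = []
    if info["allow_backup"]:
        findings.append(("medium", "android:allowBackup is true: app data can be "
                         "pulled with adb backup over USB debugging"))
    for perm in sorted(set(info["permissions"]) & DANGEROUS):
        findings.append(("dangerous", f"{perm} requested"))
    return findings

if __name__ == "__main__":
    for severity, desc in triage(parse_manifest(SAMPLE_MANIFEST)):
        print(f"[{severity}] {desc}")
```

Setting android:allowBackup="false" on the application element removes the medium finding, which is the hardening the room recommends.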