Channel: Some stuff about security..
Browsing all 65 articles


Performing forensic on SMS (Short Message Service)

One of the things I really find interesting when performing malware analysis on Android is the information from logcat. With logcat you can spot a lot of things which are difficult to spot via other...


Reversing the C2C HTTP Emmental communication

In the last post I explained how it was possible to decrypt the initial C&C communication from the data dumped from memory, with the support of a Python script. In this post, I am going to follow the...


Implementing Yara rules to detect emmental malware: statically and dynamically

In this short post, I am going to use Yara to create some signatures in order to detect the Emmental malware I've been analysing in previous posts. "Yara is a tool aimed at (but not limited to) helping...


Detecting bank trojans which steal 2FA token through the code (Android)

In the last few weeks I have been working on a personal project to quickly detect Android banking trojans which steal 2FA tokens. The idea is to create some intelligence around it. I have been analysing different...


Detecting bank trojans with snort and the (fake)User-Agent

Some years ago I wrote a research paper for SANS, 'Monitoring Network Traffic for Android Devices', in which I described the process to monitor the traffic produced by Android smartphones in a corporate...


Reversing the SMS C&C protocol of Emmental (1st part - understanding the code)

In a previous post I described how I reversed and decrypted the HTTP C2C protocol used by the Emmental malware. Also, in another post I introduced the Androguard framework with some examples. Now it is time to...


Reversing the SMS C&C protocol of Emmental - 2nd part

In my previous post I investigated the source code of the Emmental malware, following all the flows, in order to understand how the C&C commands are interpreted by the malware. I took as an...


PoC to exploit Android Wormhole Vulnerability

A few days ago TrendMicro made public a post in which they advised that 100 million Android devices might be affected by a serious vulnerability. In their words: "This is a critical issue, perhaps even...


Android malware (emmental) dynamic Analysis with ddms (Dalvik Debug Monitor)

In this post I will explain an easy way to see what an Android malware is doing while running it under a debugger. Android provides the Dalvik Debug Monitor, which is a tool for debugging. The malware...


Forensic of Refete malware (windows) with Redline

In the previous post I did the debugging (dynamic analysis) of a fresh APK malware which is part of the Emmental campaign. Also, I mentioned that I got an SMS with the malicious link to the APK, but how...


Analysis of Dridex (I) - Analysis of malicious macros with a debugger

A few days ago I had to investigate an email which contained a suspicious attachment. The attachment was an MS Office Word document using macros. The file is already in VT...


Analysis of Dridex (II) - Analysis of malicious executables with ProcDOT

In the last post I ended up with an executable file downloaded by a malicious macro embedded in an MS Office Word file. This was the first part of the infection. Dridex has been in the wild for a...


Analysis of Dridex using GRR Rapid Response Framework

GRR is a framework developed by Google to perform live incident response on systems. It has many interesting features, but from my point of view, when comparing it with other tools, there are two things...


Analysis of BlackEnergy MS Office XLS Dropper

In the last few days there was a lot of news (2) regarding a malware which produced a blackout in Ukraine. It is not yet clear what the full intrusion chain was and how the malware was related to the...


Tinba malware Analysis (part I)

Threat actors are always evolving and changing their Tactics, Techniques and Procedures (TTP). A current example of this is the evolution in terms of malware used by the threat actors behind Retefe /...


2nd part of Tinba Malware analysis: The APK side

As shown in my previous post about the Tinba malware, threat actors are continually adapting and changing their techniques and tools. While doing the analysis of the Tinba malware, I ended up with an...


Tinba: Continuation of the APK malware analysis

In my previous post I explained that the new version of the Android banking trojan related to Tinba is able to install other APKs for persistence purposes. During a first look at both samples the core...


Usage of Tor by Tinba malware

It is not new that cyber criminals and malware developers use Tor. Today I ended up with a very nice sample of the Tinba / Retefe family which has evolved to make use of Tor. The sample, which has...


Enterprise Incident Response: detecting Gozi IFSB Malware

Yesterday the Swiss GoverCERT.ch wrote a post about a bug they have found in a malware (Gozi IFSB) currently hitting Swiss financial institutions. The information references a post that the same...


Tinba malware Memory Forensic

Forensic techniques have evolved in the last few years. There has been a lot of research done and many tools have been developed around forensics on live systems. The analysis approach has changed quite a...
