Okay, so let's go through these questions together. I have my hex capes of'em up and ready to go. I've already navigated to the lab folder and also have a document that has the questions in it so that we can record the findings. Okay, so let's begin. Question one. What is the hash of the program?
Okay, so that is pretty easy, right? We just do it MD five
and we get the hash. Okay, so that's easy enough.
Okay, Is the Mau were known. Okay, well, there's three ways we can do this, right? We can look at virus Total. We could search Google and we get scanning with a V. So let's see if Google knows anything about this hash here.
Okay? Nothing from Google. Let's see, a virus total knows anything about it.
Okay, No matches found. So at this point, we go ahead and scan it if it's not a sensitive application, or we can just continue. So let's just continue.
So is the Mau were known while at the moment.
Clearly have a problem typing.
Okay. Are there any interesting strings in this malware? Okay, well, let's go ahead and unpack it right to do that. We just unzip it like we did in previous examples.
Let's look at our directory structure. Came our Mauer down A p A.
So we go into the mouth were folder. We should have a payload director. Correct?
Yes, we D'oh! Okay, let's dive into the payload directory.
There's arm our app.
So now we need the excusable name.
Where is he? Execute a ble.
Okay, so we don't have an execute. Will name, name? Malware. So how do we find out what the execute a ble name is? While we can use the p analyst utility or the pl utility
info dot p list. Right. And this should give us the executed all name.
Okay, so here we go. CF bundle, execute Herbal. No icon. So that is our executed will name. So that's what we want to use on the string.
Okay. Or that's what we're gonna use with the strings command. Right? So are there any interesting strings? Let's look
okay. Lots of output here.
So now we can go through and come take a look at what the strings are to see if there's anything really interesting
we could do this manually, or we could search for some artifacts. So why don't we search for some artifacts first, http, for example,
we'll grab for http.
Okay, So here we go. We got a ton of interesting. You are else here. Basically, what we could do is search any one of these an open source and see if we get any data back
so constantly We want to revisit this question. Is the malware known Well know right now, But I bet you if we take this domain or any, any one of those domains, actually, and it will come up with something, maybe. Hopefully you never know.
I messed up the screen. Okay,
that's fine. Just go back here,
okay? Sorry. Are there any interesting strings? Yes. There are
We could go ahead and search for different things. Let's see. Um,
let's grab this. No icon. What is this supposed to be doing?
What is the name of this application?
Okay, so we've got some different names here.
It's even calling this no icon update that I PS. So it looks like it may be getting another application somewhere, So why don't we take that.
and look at some context around it.
Yeah, so look at this. It looks like it's going to look at this 80 page that I p a could be getting that again with no icon update.
It's using this bundle in some way. This user bundle?
Yes. So there are lots of interesting, interesting strings here. Um, looks for
other packages. Other i p A. They should say.
Okay, what is the applications name and how is it displayed to the user? Okay, well, I think we already looked at the application name. We know it's no icon,
these are just assumptions. Right?
Let's confirm that with by looking at the pl you to look at the P list and for that P lis, right? That's what we wanted to You look at the
the execute herbal is no icon. We know that. So let's go up
and look at some of the keys here.
Ha ha. Look at this.
The bundle display name is passbook,
so it looks like it may be installing itself as passbook even know the name of the application is no icon. And that kind of gives you a clue, right? No, icon.
It's definitely very interesting.
Look at this. So this bundle identify WR here is dot com wheeling, hidden icon launch and the status is hidden. So this is not even going to come up on our springboard when we launch it.
So the applications name is no one con. However,
is not displayed to the user,
so those are definitely some interesting things that we could check out.
Okay. What type of Africa application is this?
Swift. Okay, So what? Basically, we're talking about what language is this in, right, What language is developed in? Well, this is pretty easy. We can use O'Toole for that. We could search the symbols. We could search the classes. We could search the library's. So let's start with the libraries.
Okay, So doesn't make use of any swift libraries. Okay, so let's search the symbols now.
Okay, so no symbols.
Okay, so let's search classes now.
No classes. So what kind of application is this? Probably objective C.
But we can go ahead and bare by that with other tools as well. Okay, so we really only scratched the surface of this application. You can go ahead and search classes, libraries, symbols, strings, lots of different things to search out the functionality of this program. So I definitely encourage you to go ahead offline. Do that.
And if you have any questions, feel free to ask me.
So in this lab, we took a look at the application. Malware Got I p A. And based on some of the findings, we have a general hypothesis that this application is gonna install in the user device. But it may be hidden. Has several domains that it may connect to two over the Internet. It also made download some other APS in some way.
So it's, um, next steps. We could use O'Toole and NM to dump the symbols and libraries of the program,
and we could look at the classes to confirm or reject our theories. Or lastly, we could use a tool like Hopper and begin to interpret the functions of the program.