By now you should have a good understanding of the techniques to use for basic static analysis of an Android application.
In this lab, you'll analyze malware2.apk, which is located in the lab files, in the lab2 folder. This time we're going to skip hash identification and online threat hunting of the MD5. In normal situations it's definitely good practice,
but I feel we've already covered it in depth, and if you want, you can take it offline
and research it on your own. To complete this lab, you should use only static analysis techniques. I recommend Kali or Santoku, but any Linux machine with apktool and a Java decompiler is appropriate in this instance. So go ahead, pause the video, answer the questions, take all the time you need, and when you come back,
I'll be here and we'll go over them together.
Okay, so how did you do on this lab?
I hope well. I'm imagining lots of smiling faces and clapping. Let's go over these answers together. I've got my VM up and running. Where am I? I'm in the lab files directory. We need to be in lab2.
Okay, there's malware2.apk. Let's clear the screen.
Question one: what is the name of the malware? Well, first off, we need to unzip it.
Now we've got the different files there. But we still don't know the name. We have to look at the AndroidManifest.xml, and right now it isn't decoded, so we have to run apktool.
Okay, let's clear the screen there.
All right, so let's go look at our
AndroidManifest file.
So what is the app name? The first thing you should do is take a look at the first intent filter; that should be the main activity. There's the intent filter, and right above it is the activity. The label there should be the app name.
So the label is the app name.
But it's a string resource, so we'll have to go into res/values
and look at strings.xml to find out what the app name is.
There's the string resource. It's these characters here,
so that is the app name.
Let's see what this is.
Translate from Korean.
Okay: smart banking.
There we go. There's our application name.
Based on the name of the malware, what's the intended purpose of the application? We'll say banking.
Based on the purpose of the app, what permissions are suspicious to you? We have to go look at the AndroidManifest file to see which permissions are suspicious. It's a banking application, right? So what do you think? To me, the suspicious ones are READ_SMS, WRITE_SMS,
INSTALL_PACKAGES and DELETE_PACKAGES.
Those are suspicious to me.
So what is this application doing? We don't know yet. So where do we start?
What we can do is look at the activities, so we know where the application is going to launch from. It's going to launch from MAIN; that's the action it takes for the intent. Let's take a look at some of these other activities:
BankPreActivity, BankActivity, BankNumber, BankCard, BankActivity.
And look at this SMS receiver. That's pretty interesting. Let's take a look at that.
If you remember, the android:name is the class that we want to look at, because it matches the permissions. So let's go and investigate that.
But first we need to
convert the dex files. Let's do that:
dex2jar classes.dex.
All right, we've got a jar file. So let's open that up in JD-GUI.
So what have we got here?
We've got a couple of
things we want to look at. Here's our MainActivity; we know we've got that. We wanted to take a look at the SmsReceiver, so let's look at that.
Oh, here is some tasty, juicy stuff right here:
a string "SMS_RECEIVED",
android.telephony, SMS received.
Oh, this looks bad.
banking1.catcat.net. That definitely doesn't look like a real banking site.
An update URL. It checks for connectivity, so it looks like it needs Internet connectivity, and it's got that update URL.
It looks like it gets SMS messages from the phone.
It looks like it gets the SIM card number and the telephone number,
and then we've got lots of other things. So it seems like we have a pretty good idea of what this application is doing. It's definitely reading information from the phone, possibly intercepting SMS messages, and connecting to that URL. Those are definitely artifacts that we can go ahead and investigate
with some more static analysis, or maybe with some dynamic analysis.
All right, in lab 2 we looked at a piece of Android malware that seems to be targeting banking customers in Korea.
The malware could be used to intercept SMS messages as well as profile the device for telephony information, and that info might be sent to the questionable URL that we found in the SmsReceiver class. What we want to do next is confirm those hypotheses by running similar tools
and carefully inspecting the Java classes to uncover more functionality,
and maybe even use this in a dynamic analysis scenario to confirm our suspicions.
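The manifest triage walked through in this lab (unzip, apktool, find the label and launcher activity, flag permissions, find the SMS receiver) can be scripted so it is repeatable across samples. The script below is an added example written for this page, not course material or any tool's own code. It reads the directory layout apktool produces (AndroidManifest.xml plus res/values/strings.xml); the tool invocations are left as comments because they need apktool and dex2jar installed. The package, class and label names in the embedded sample manifest are constructed for the demo, and the permission watchlist is my own assumption of what is out of place in a banking app.

```shell
#!/bin/sh
# Added example: static triage of an apktool-decoded APK (not part of the course).
# Tool invocations (need apktool and dex2jar installed, so they stay as comments here):
#   md5sum malware2.apk                                 # hash to keep for later threat hunting
#   unzip -o malware2.apk -d unzipped                   # classes.dex, resources, META-INF
#   apktool d malware2.apk -o decoded                   # decoded AndroidManifest.xml + res/
#   d2j-dex2jar unzipped/classes.dex -o classes.jar     # then open classes.jar in JD-GUI
# The functions below expect DIR/AndroidManifest.xml and DIR/res/values/strings.xml.

# Resolve the application label, following an @string/NAME reference into strings.xml.
app_label() {
    raw=$(grep -o '<application[^>]*' "$1/AndroidManifest.xml" \
          | grep -o 'android:label="[^"]*"' | head -n 1 \
          | sed 's/android:label="\(.*\)"/\1/')
    case $raw in
        @string/*)
            key=${raw#@string/}
            grep -o "<string name=\"$key\">[^<]*" "$1/res/values/strings.xml" | sed 's/.*>//'
            ;;
        *) printf '%s\n' "$raw" ;;
    esac
}

# Declared permissions that are out of place for a banking app (watchlist is an assumption).
suspicious_permissions() {
    grep -o 'android\.permission\.[A-Z_]*' "$1/AndroidManifest.xml" | LC_ALL=C sort -u \
      | grep -E '\.(READ_SMS|RECEIVE_SMS|SEND_SMS|WRITE_SMS|READ_PHONE_STATE|INSTALL_PACKAGES|DELETE_PACKAGES|RECEIVE_BOOT_COMPLETED)$' \
      || true
}

# Print the android:name of every <TAG> whose intent-filter mentions ACTION, e.g.
#   components_with_action DIR activity android.intent.action.MAIN            -> launcher activity
#   components_with_action DIR receiver android.provider.Telephony.SMS_RECEIVED -> SMS interceptors
components_with_action() {
    awk -v tag="$2" -v act="$3" '
        index($0, "<" tag " ") || index($0, "<" tag ">") { inside = 1; name = ""; hit = 0 }
        inside && name == "" && match($0, /android:name="[^"]*"/) {
            name = substr($0, RSTART + 14, RLENGTH - 15)   # drop android:name=" and closing quote
        }
        inside && index($0, act) { hit = 1 }
        inside && index($0, "</" tag ">") { if (hit) print name; inside = 0 }
    ' "$1/AndroidManifest.xml"
}

# Human-readable summary of one decoded APK.
report() {
    printf 'label:         %s\n' "$(app_label "$1")"
    printf 'launcher:      %s\n' "$(components_with_action "$1" activity android.intent.action.MAIN)"
    printf 'sms receivers: %s\n' "$(components_with_action "$1" receiver android.provider.Telephony.SMS_RECEIVED | tr '\n' ' ')"
    printf 'suspicious permissions:\n'
    suspicious_permissions "$1" | sed 's/^/  /'
}

# Constructed sample that mimics the lab's manifest (fake package, class and label names).
make_sample_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/res/values"
    cat >"$dir/AndroidManifest.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.bank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.WRITE_SMS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
    <application android:label="@string/app_name" android:icon="@drawable/icon">
        <activity android:name=".BankPreActivity"/>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
EOF
    cat >"$dir/res/values/strings.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">SmartBanking</string>
</resources>
EOF
    printf '%s\n' "$dir"
}

# Run on the constructed sample; for a real lab run, call: report decoded
report "$(make_sample_dir)"
```

The awk pass keeps only the first android:name seen inside a component, so the action names inside its intent-filter do not overwrite the class name; a high-priority SMS_RECEIVED receiver combined with READ_SMS/WRITE_SMS is exactly the pairing that made the receiver class the place to start in JD-GUI.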