Project: Malware Analysis
CS 6262 Project 3
Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware
Scenario
• Analyzing Windows Malware
• You got a malware sample from the wild. Your task is to discover what the
malware does by analyzing it.
• How do you discover the malware’s behaviors?
• Static Analysis
• Manual Reverse Engineering
• Programming binary analysis
• Dynamic Analysis
• Network behavioral tracing
• Run-time system behavioral tracing (File/Process/Thread/Registry)
• Symbolic Execution
• Fuzzing
Scenario
• In our scenario, you are going to analyze the given malware with tools
that we provide.
• The tools help you to analyze the malware with static and dynamic
analysis.
• Objective
1. Find which server controls the malware (the command and control (C2)
server)
2. Discover how the malware communicates with the command and control
(C2) server
• URL and Payload
3. Discover what activities are done by the malware payload
• Attack Activities
Scenario
• Requirement
• Make sure that no malware traffic goes out from the virtual machine
• Exception: the traffic needed to update the malware (stage 2) and to download the payload
(stage 3) must be allowed (this is the default setting)
• The command and control server is dead. You need to reconstruct it
• Use the provided tools to reconstruct the server, then reveal the hidden behaviors of the malware
• Analyze the network traffic on the host, and figure out the list of commands the malware accepts
• Analyze the network traffic trace of the host, and figure out what the malware does
• Write down your answers in assignment-questionnaire.txt
Project Structure
• A Virtual Machine for Malware analysis
• Please download and install the latest version of VirtualBox, or update your existing installation.
• https://www.virtualbox.org/wiki/Downloads
• Download the VM
• Download links
• http://ironhide.gtisc.gatech.edu/vm_2018.7z
• http://bombshell.gtisc.gatech.edu/vm_2018.7z
• Verify the MD5 hash of the 7z file (md5sum vm_2018.7z on Linux, md5 vm_2018.7z on macOS, certutil -hashfile vm_2018.7z MD5 on Windows): 537e70c4cb4662d3e3b46af5d8223fd
• Please install 7zip or p7zip
• Windows, Linux and MacOs: http://www.7-zip.org/download.html
• Unarchive the 7z file
• Password: GTVM!
Project Structure
• Open VirtualBox
• Go to File->Import Appliance.
• Select the ova file and import it.
• For detailed information on how to import the VM, see:
• https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
• Username: analysis
• Password: analysis
Project Structure
• In the Virtual Machine (VM)
• Files
• init.py
• Initializes the project environment
• Type your Georgia Tech username (the same login name as on Canvas) when it asks
• update.sh
• Updates the VM if the TAs publish further changes
• DO NOT execute this script unless the TAs ask you to
• archive.sh
• Archives the answer sheet for submission (creates a zip file)
Project Structure
• In the Virtual Machine (VM)
• Directories
• vm
• A directory that stores the Windows XP virtual machine (runs with QEMU)
• The same VM is used both by Cuckoo and as the testbed. See the "Tutorial – Run Win XP VM" slides.
• shared
• A directory shared between Ubuntu and the Windows machine. You can put/copy files into/from
this directory.
• See the "Tutorial – Copy from Shared Directory" slides.
• report
• The answer sheet for the project questionnaire.
• setup
• Files required to set up the machine. You do not need to modify or use the files in this
directory.
Project Structure
• In the Virtual Machine (VM)
• Directories
• tools
• network
• Configure your network firewall rules (iptables) by editing iptables_rules.
• You can allow/disallow/redirect the traffic from the malware
• The './reset' command in this directory applies the changes
• cfg-generation (CFG stands for Control-Flow Graph)
• An analysis tool that helps you find the functions involved in malicious activity
• You need to edit score.h before generating the control-flow graph
• Use xdot to open the generated CFG.
Project Structure
• In the Virtual Machine (VM)
• Directories
• tools
• sym-exec
• A symbolic executor (based on angr: https://github.com/angr)
• Helps you figure out the commands that the malware expects
• Use the cfg-generation tool to figure out the addresses of the functions of interest
• c2-command
• A simplified tool for C2 server reconstruction
• Write the commands into the *.txt file, one command per line
• In the default settings, it sends a randomly chosen line as the command
Project Structure
• Network Configurations (figure)
• Windows XP (QEMU, runs the malware) -> tap0 (vif) -> br0 (network bridge on Ubuntu, where the
analysis tools, the fake servers and iptables sit) -> enp0s3 (NAT network) -> the Internet (real C2
server, fake targets)
Project Structure
• Network Configurations
• tap0
• Virtual network interface for Windows XP
• IP Address: 192.168.133.101
• br0
• A network bridge between Windows XP and Ubuntu
• IP Address: 192.168.133.1
• enp0s3
• A network that faces the Internet
• IP Address: 10.0.2.15 (it varies by your VirtualBox settings)
Project Structure
• Malware
• stage1.exe – stage 1 malware
• It updates itself to the stage 2 malware if it receives the correct command
• stage2.exe – stage 2 malware
• It downloads the payload
• payload.exe – the malware attack payload
• Discover what the payload does in response to the commands from the C&C server
Questionnaire
• 1) To get credit for the project, you have to answer the questionnaire
in ~/report/assignment-questionnaire.txt !!!!!
• 2) Strictly follow the format of the example answer for each
question in assignment-questionnaire.txt. The TAs grade your submission with an autograder.
• Windows Part
• Read ~/report/assignment-questionnaire.txt
• Read the questionnaire carefully, and answer it in ~/report/assignment-questionnaire.txt
• For each stage, there are 4 to 6 questions about the behavior of
the malware.
• Android Part
• READ ~/Android/MaliciousMessenger/writeup.pdf
• Read the writeup carefully, and answer in ~/report/assignment-questionnaire.txt
Submitting Questionnaire
• Required files
• Zip the following files and upload the zip to T-Square
• ~/report/assignment-questionnaire.txt
• stage1.exe, stage2.exe, payload.exe
• ~/tools/network/iptables_rules
• ~/tools/cfg-generation/score.h
• Running ~/archive.sh zips all of these files into report.zip automatically
• Check the content of the zip file before submitting it to T-Square
Tutorial (for stage1.exe malware)
• Initializing the project
• Open the terminal (Ctrl-Alt-T, or choose terminal from the menu)
• Run ./init.py
• Type your Georgia Tech username (the login name used for Canvas)
• This will download stage1 malware (stage1.exe) into ~/shared directory
Tutorial – Secure Experiment Environment
• We need a secure experiment environment to execute the malware.
• Why?
• An insecure analysis environment could damage your system
• You do not want:
• Your files encrypted during a ransomware analysis
• Machines in your corporate network infected during a worm analysis
• Tons of infected bot clients created in your network during a bot/trojan analysis
• The solution:
• Contain the malware in a virtual environment
• Virtual Machine
• Virtual Network
• Conservative rules (allow network traffic only if it is known to be safe)
• We provide a Win XP VM as a testbed!
Tutorial – Run Win XP VM
• Run the Windows XP virtual machine with virt-manager
• Open a terminal
• Type "virt-manager" and double-click "winxpsp3"
• Click the icon with the two monitors and click on "basecamp"
• Right-click on basecamp, and click "Start snapshot." Click Yes if prompted.
• Once virt-manager has restored the snapshot, click "Show the graphical
console."
• Click on the Windows Start Menu and Turn off Computer.
• Then select Restart
Tutorial – Run Win XP VM
• DO NOT MODIFY OR DELETE THE GIVEN SNAPSHOTS!
• The given snapshots are your backups for your analysis.
• If something bad happens on your testbed, always revert back to the
basecamp snapshot.
Tutorial – Copy from Shared Directory
• Go to shared directory by clicking icon (in Windows XP)
• Copy stage1.exe into Desktop
Tutorial – Run the malware!
• Now we will run the malware
• Execute stage1.exe (double click the icon)
• It will say “Executing Stage 1 Malware”. Then, click OK.
• You should click OK on each dialog to dismiss it
• Otherwise, malware execution will be blocked
Tutorial – Run the malware!
• If you want to halt the running malware:
• Execute stop_malware in the temp directory on the Desktop.
• It quits the currently running malware.
• Always halt the running sample before you execute another one.
Tutorial – Network behavioral analysis
• To analyze network behaviors, you need
• Wireshark (https://www.wireshark.org/)
• Network Protocol Analyzer
• Cuckoo (https://cuckoosandbox.org/)
• Capturing & Recording inbound/outbound network packets
Tutorial – Observing Network Behavior
• By capturing and recording network packets with these tools, we can
• Reveal the C&C protocol
• Find the attack source & destination
• But the malware will not do anything. Why?
• The C2 server is dead!
• Therefore, the malware (the C2 client) will never unfold its behaviors.
• Question?
• If we know the C&C dialog of the malware, can we build a fake C2 server in order to unfold the
malware's behaviors?
• Answer: Hack Yeah! That is your job for this project!
Tutorial – Wireshark
• Let’s check it through network monitoring
• Open wireshark (open a terminal. Type “sudo wireshark“ – you can ignore the
error message that pops up)
• Choose br0 to capture the network traffic
• Then start capture by clicking on the shark-fin on the top left
Tutorial – Redirect Network Connection
• Redirecting Network Connection
• From Wireshark, we can notice that the malware tries to connect to the host
at 128.61.240.66, but the connection fails
• Let's redirect it to our fake C2 server
• Go to ~/tools/network
• Edit iptables_rules to redirect the traffic for 128.61.240.66 to 192.168.133.1 (the fake host)
• Whenever you edit iptables_rules, always run reset (~/tools/network/reset)
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• In Wireshark, we can notice that the malware can now communicate with
our fake C2
• But there is no further execution, because the command is wrong.
Tutorial – Reading C2 Traffic
• Observing C2 traffic
• You can see the contents of the traffic by right-clicking on the line, then click
Follow – TCP Stream
Tutorial – Cuckoo
• Let's use Cuckoo this time.
• NOTE! You can't run the testbed VM and Cuckoo simultaneously.
• Always turn off the testbed VM, then follow the steps below to execute
Cuckoo
• Open two terminals.
• $ workon cuckoo    # set the virtualenv to cuckoo in both terminal 1 and terminal 2
• $ cuckoo -d        # run the Cuckoo daemon in terminal 1
• $ cuckoo web       # run the Cuckoo web server in terminal 2
• If you get an error when running cuckoo web because port 8000 is
already in use, run "sudo fuser -k 8000/tcp" and try again
Tutorial – Cuckoo
• The given Cuckoo uses the snapshot of the given testbed VM.
• The snapshot is 1501466914
• DO NOT TOUCH the snapshot!
• When you want to use the testbed VM again,
• Always follow the "Tutorial – Run Win XP VM" steps (restore the basecamp snapshot).
Tutorial – Upload a file to Cuckoo
• To open cuckoo webserver, type the following URL into Chromium
• http://localhost:8000
• To upload a file, click the redbox and choose a file.
Tutorial – Analysis on Cuckoo
• Once you click the analyze button, it will take some time to run the
malware.
Tutorial – Analysis on Cuckoo
• Once the pending job is done, you are ready to see the result
• Click the redbox
Tutorial – Analysis on Cuckoo (File Info)
Tutorial – Analysis on Cuckoo (Network Info)
• After the redirect, the Cuckoo result shows high-level information
• on the C2 traffic.
• Compare this result with your Wireshark result.
Tutorial – Analysis on Cuckoo (Network Info)
• In network analysis tab, cuckoo provides more detailed info: payload,
HTTPs, etc.
Tutorial – Figuring Out the List of Commands
• The malware does not exhibit its behavior because we did not send the
correct command through our fake C2 server
• We will use
• File/Registry/Process tracing analysis to guess the malware behavior.
• control-flow graph (CFG) analysis and symbolic execution to figure out the list of the
correct commands
• The purpose of the tracing analysis is to draw a big picture of the malware
• What kinds of system calls/APIs does the malware use?
• Does the malware create/read/write a file? What about the registry?
• The purpose of the CFG analysis is to find the exact logic that interprets
the command and executes the malicious behavior
• Then, symbolic execution finds the command that drives the malware down
that execution path
Tutorial – Tracing Analysis on Cuckoo
• On the side bar, there are useful menus for tracing analysis.
• We are focusing on:
• Static Analysis
• API/System Call.
• Behavioral Analysis
• Trace behaviors in time sequence.
Tutorial – Static Analysis on Cuckoo
• Static Analysis
• Information about the malware.
• Win32 PE format information
• Windows binaries use the PE format
• Complicated structure
• The section table shows, for example:
• .text: executable code
• .data: initialized data (strings and constants often live here or in .rdata)
• .idata: the import table, i.e. which DLLs and functions are dynamically linked
• .reloc: base relocations
• More ref: http://resources.infosecinstitute.com/2-malware-researchers-handbook-demystifying-pe-file/#gref
Tutorial – Static Analysis on Cuckoo
• Interestingly, three DLLs (Dynamic Link Libraries) are imported.
• From WININET.dll we can see that the malware uses HTTP (the WinINet API).
• From ADVAPI32.dll we can see that the malware touches the registry.
• From KERNEL32.dll we can see that the malware waits on synchronization objects and sleeps.
Tutorial – Behavior Analysis on Cuckoo
• Traces behaviors (file/process/thread/registry/network) in time
sequence.
• Useful to figure out cause and effect across process/file/network events.
• For example: the malware creates a new file, runs it as a new process, and writes into that
process's memory.
Tutorial – Analysis result on Cuckoo
• Based on the Cuckoo analysis, we can infer
• The malware uses the HTTP protocol to communicate
• Communicate with whom? The C&C?
• Web server access? For checking whether the C2 server is alive?
• Commands through the HTTP protocol? In a cookie?
• The malware touches (creates/writes/reads) a file/registry key/process
• Might this be a dropper? Or does it download a binary from the C2 server?
• What is the purpose of creating a process? Of modifying the registry?
Tutorial – Control Flow Graph Analysis
• Based on the information we collected in the previous step, we are going
to perform CFG analysis & symbolic execution
• CFG:
• graph representation of computation and control flow in the program
• Nodes are basic blocks
• Edges represent possible flow of control from the end of one block to the
beginning of the other.
Tutorial – Control Flow Graph Analysis
• CFG : An Example
• But in malware analysis we work on the instruction-level CFG of the binary, not on source code.
Tutorial – Control Flow Graph Analysis
• We provide a tool that helps you find the command interpretation logic
and the malicious logic
• It lists the functions and system calls the malware uses internally
• If you provide a score (how malicious the function is, or how likely the malicious logic is to
use it) for each of those functions, the tool finds where the malicious logic is
by summing the scores
• Example: if you set StrCmpNIA to score 10, then a function that calls StrCmpNIA 5 times
within itself gets the score 50.
• A higher score implies that more functions related to the malicious activity are used within
that function.
• Your job is to write the score value for each function
• More ref:
• http://www.cs.cornell.edu/courses/cs412/2008sp/lectures/lec24.pdf
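To make the scoring rule concrete, here is an added example of the idea (editor's code, not the course's cfg-generation tool, whose internals these slides do not show). The call graph is constructed for the illustration; the function names reuse the addresses from the later slides (sub_405190, sub_4050c0) and the API names are real Win32 exports. It goes one step beyond the slide's direct-count rule: a function also inherits the score of the internal functions it calls, so a dispatcher that only calls helpers still ranks high.

```python
"""Rank functions of a binary by how many 'interesting' APIs they reach.

Added editorial example, not the course's cfg-generation tool. CALLS is a
constructed call graph; SCORES plays the role of score.h.
"""

# Constructed call graph: function -> callees, one entry per call site.
# Callees that are themselves keys of CALLS are internal functions; anything
# else is an imported API.
CALLS = {
    "sub_405190": ["StrCmpNIA", "StrCmpNIA", "StrCmpNIA", "sub_4050c0", "sub_401000"],
    "sub_4050c0": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                   "InternetCloseHandle"],
    "sub_401000": ["RegOpenKeyExA", "RegSetValueExA", "RegCloseKey"],
    "sub_4012f0": ["Sleep", "WaitForSingleObject", "sub_4012f0"],   # recursive call
}

# Everything defaults to 1; the analyst raises the APIs that the network and
# Cuckoo evidence point at (here: WinINet, plus the string compare a command
# dispatcher needs).
SCORES = {
    "InternetOpenA": 3, "InternetOpenUrlA": 3, "InternetReadFile": 3,
    "InternetCloseHandle": 3,
    "StrCmpNIA": 2,
}
DEFAULT_SCORE = 1


def direct_score(fn):
    """Score from the APIs called directly inside fn (5 calls of a score-10 API -> 50)."""
    return sum(SCORES.get(c, DEFAULT_SCORE) for c in CALLS[fn] if c not in CALLS)


def total_score(fn):
    """direct_score plus the total_score of every internal callee, each counted once.

    Beyond the slide's rule: without propagation a dispatcher that only calls
    helpers would score 0 even though it drives the malicious logic. The
    visited set cuts recursion and avoids double-counting shared helpers.
    """
    def walk(f, visited):
        if f in visited:
            return 0
        visited.add(f)
        score = direct_score(f)
        for c in CALLS[f]:
            if c in CALLS:
                score += walk(c, visited)
        return score
    return walk(fn, set())


def rank_functions():
    """Functions ordered by total_score, highest first: what to open in xdot."""
    return sorted(((fn, total_score(fn)) for fn in CALLS), key=lambda t: -t[1])


if __name__ == "__main__":
    for fn, score in rank_functions():
        print(f"{fn:12s} direct={direct_score(fn):3d} total={score:3d}")
```

With these scores sub_4050c0 gets the direct score 12 the slides show for the Internet helper, and sub_405190 (three StrCmpNIA calls plus the helpers it reaches) ranks first: that is the command interpreter whose entry and the call into sub_4050c0 become the start and end addresses for the symbolic executor.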
Tutorial – Control Flow Graph Analysis
• From our network analysis, we know that the malware opens an
Internet connection to 128.61.240.66
• From our Cuckoo-based analysis, we know that the malware uses the HTTP
protocol.
• Let's give the Internet-related functions a higher score
• Open score.h, and edit the score of all of the Internet-related functions
• The score is the value at the end of each line (all others are set to 1)
Tutorial – Control Flow Graph Analysis
• Build the control-flow graph
• Run ./generate.py stage1; the tool gives you the CFG
• It finds the functions with higher scores
• I.e., the functions that call high-score functions during their execution
• For stage2 and payload
• Use 'stage2' and 'payload' as the argument, respectively
• Note: your graph and its memory addresses will vary from this example
• In the example, the function entry is at address 405190
• And there is a call to a function (marked as sub) with score 12
• At address 40525a (marked in red)
• Use the block address, not the call's sub_ address
• This implies that
• sub_4050c0 calls some Internet-related functions.
• We need to find the command that makes the malware
• Run from 405190 to 40525a
Tutorial – Finding Command
• Finding the command by symbolic execution
• We want to find a command that drives the malware from 405190 to 40525a
• Let's use symbolic execution to figure that out
• What is symbolic execution?
• Rather than executing the program with some concrete input, symbolic execution treats the input
data as symbolic variables and collects, along each execution path, the constraints the input
must satisfy to follow that path.
• Let's take an example
Example – Symbolic Execution
Symbolic execution follows the path through the conditional statements and
conjoins all of their conditions until it reaches the target function. At the end,
it solves the conjunction to get an input that satisfies all of the conditions.
• Challenges of symbolic execution
• Path explosion
• Modeling statements and the environment
• Constraint solving
Example – Symbolic Execution
Code example:
    read i, j
    if i + 5 < j:
        if i % 2 == 0:
            if j % 3 == 0:
                print "Correct!"
    (every other path prints "Incorrect!")
Path constraints collected on the way to "Correct!":
    i + 5 < j
    i + 5 < j; i % 2 == 0
    i + 5 < j; i % 2 == 0; j % 3 == 0
Solve the expression:
    i = 2 (even)
    j > 7 and a multiple of 3, so j = 9
i = 2, j = 9 will lead the program to print "Correct!"
Example – Symbolic Execution
Code example:
    command = receive_command()
    if command == 'launch-attack':
        attack()
    elif command == 'remove':
        destroy_itself()
Path constraints:
    attack():          command == 'launch-attack'
    destroy_itself():  command == 'remove'
This executes attack() on the command 'launch-attack', and destroy_itself() on
the 'remove' command.
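The following is an added example (editor's code, not angr and not the course's sym-exec tool) that carries both examples above through in working code: a toy symbolic executor for the command dispatcher. The command buffer is symbolic, every byte comparison against it becomes a path constraint, an undecided comparison forks the path, and a solver turns the constraints of the path that reaches attack() back into the concrete command. The byte-by-byte compare stands in for the StrCmp-style loop the real malware uses; everything else is illustrative.

```python
"""Toy symbolic executor for the command-dispatch example (added editorial code;
not angr and not the course's sym-exec tool)."""
from dataclasses import dataclass, field


@dataclass
class Path:
    decisions: list                          # branch outcomes taken so far
    eq: dict = field(default_factory=dict)   # byte index -> value it must have
    neq: set = field(default_factory=set)    # (index, value) pairs ruled out


class Fork(Exception):
    """Raised when the program asks about a byte this path has not decided."""


class SymInput:
    """The unknown command. byte_equals() answers from existing constraints
    when it can and forks the path when it cannot."""

    def __init__(self, path):
        self.path, self.cursor = path, 0     # cursor = decisions replayed so far

    def byte_equals(self, idx, value):
        p = self.path
        if idx in p.eq:
            return p.eq[idx] == value        # already fixed: no new path
        if (idx, value) in p.neq:
            return False
        if self.cursor >= len(p.decisions):
            raise Fork()
        ans = p.decisions[self.cursor]
        self.cursor += 1
        if ans:
            p.eq[idx] = value
        else:
            p.neq.add((idx, value))
        return ans


class ConcreteInput:
    """A real buffer, used to confirm that a solved command drives the program."""

    def __init__(self, data):
        self.data = data

    def byte_equals(self, idx, value):
        return (self.data[idx] if idx < len(self.data) else 0) == value


def str_equals(inp, literal):
    """StrCmp-style loop: stop at the first mismatch, then require the NUL."""
    for i, ch in enumerate(literal):
        if not inp.byte_equals(i, ch):
            return False
    return inp.byte_equals(len(literal), 0)


def dispatcher(inp):
    """The slide's C2 command handler."""
    if str_equals(inp, b"launch-attack"):
        return "attack"
    if str_equals(inp, b"remove"):
        return "destroy_itself"
    return "ignore"


def explore(program):
    """Every feasible path, found by replaying decision prefixes. The length of
    the result is the path explosion the slide mentions."""
    worklist, finished = [[]], []
    while worklist:
        decisions = worklist.pop()
        path = Path(decisions)
        try:
            label = program(SymInput(path))
        except Fork:
            worklist += [decisions + [True], decisions + [False]]
            continue
        finished.append((label, path))
    return finished


def solve(path):
    """Constraint solving: concrete bytes that satisfy one path's constraints."""
    used = list(path.eq) + [i for i, _ in path.neq]
    out = bytearray()
    for idx in range(max(used, default=-1) + 1):
        if idx in path.eq:
            out.append(path.eq[idx])
        else:                                # any printable byte not ruled out
            out.append(next(v for v in range(0x21, 0x7F) if (idx, v) not in path.neq))
    return bytes(out)


def command_for(label, program=dispatcher):
    """The command that makes `program` return `label`, or None if no path does."""
    for found, path in explore(program):
        if found == label:
            return solve(path).rstrip(b"\0")
    return None


if __name__ == "__main__":
    for target in ("attack", "destroy_itself"):
        cmd = command_for(target)
        print(target, "<-", cmd, "confirmed:", dispatcher(ConcreteInput(cmd)) == target)
```

Two things are worth noticing when you run it. The two target commands come out exactly as 'launch-attack' and 'remove', and explore() returns 22 finished paths for this tiny dispatcher (one per possible mismatch position plus the two successes): that is the path explosion from the previous slide in miniature, and it is why the real tool needs the start and end addresses narrowed down with the CFG first.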
Example – Symbolic execution engine
• Symbolic execution engines: KLEE, angr, Mayhem, etc.
• Typical pipeline:
• Loading a binary into the analysis program
• Translating the binary into an intermediate representation (IR)
• Translating that IR into a semantic representation
• Performing the actual analysis with symbolic execution
• Feel free to check this for more information:
• https://www.cs.umd.edu/~mwh/se-tutorial/symbolic-exec.pdf
Tutorial – Finding Command on Angr
• We prepared a symbolic executor and a solver for you
• Your job is to find the start address of the function that interprets the
command, and the end address where the malware actually calls the
function that performs the malicious operation
• Use the control-flow graph (CFG) analysis tool!
• The symbolic executor is angr (http://angr.io/index.html)
Tutorial – Finding Command on Angr
• We prepared a symbolic executor and a solver for you
• How to run?
• Go to ~/tools/sym-exec
• Run it as
• ./sym-exec-on-addr [program_path] [start_address] [end_address]
• ./sym-exec-on-addr ~/shared/stage1.exe 405190 40525a
• Replace 405190 and 40525a with the start and end addresses from your own graph
• The command will be printed at the end (if found)
Symbolic Execution – Special Note for stage2.exe
• sym-exec for stage2 takes a lot of time to finish (up to 20 minutes);
you are welcome to modify the VM performance settings (memory,
cores) based on your hardware to speed this up
• If you get a single error message, try again; sym-exec will
occasionally fail for stage2
• If your screen fills up with error messages, you have the
wrong start and/or end address
Tutorial – Reconstructing C2
• After CFG analysis + symbolic execution, reconstruct the C2
• (figure) The malware connects to the fake C&C server, which answers each test connection
with one of the candidate commands: Test1: $command1, Test2: $command2, Test3: $command3
Tutorial – Reconstructing C2
• The tool for reconstructing the C2 server is ready on the
VM
• It runs nginx and a PHP script
• The script reads ~/tools/c2-command/stage*-command.txt
• Your job is to write each command into that *.txt file
• The command that leads the execution from 405190 to 40525a is "$uninstall"
• So type "$uninstall" and save the file.
• Important: be sure to put the '$' character before your commands, even if stage*-
command.txt says that it's optional
• The order of commands in the file does not matter; they are sent in random order
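For readers who want to see what the reconstruction tool does, here is an added, stand-alone fake C2 in Python (editor's code, not the nginx/PHP tool shipped in the VM). It reads the same one-command-per-line file, forces the leading '$', answers each request with a randomly chosen command and logs the URL, Host header, Cookie and request body the malware sent, which are exactly the facts the questionnaire asks about. One assumption is labelled in the code: that the malware accepts the command as the plain-text HTTP response body. Check the PHP script in the VM for the format it really uses before relying on this instead of the provided tool.

```python
"""Minimal fake C2 server (added editorial example, not the VM's nginx/PHP tool).

ASSUMPTION: the malware accepts the command as the plain-text response body.
"""
import random
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer


def load_commands(text):
    """Parse a stage*-command.txt: drop blanks and '#' comments, force the '$' prefix."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cmds.append(line if line.startswith("$") else "$" + line)
    return cmds


def respond(path, headers, commands, rng=random):
    """Pure request logic: (status, body, log line). Kept free of socket code
    so it can be exercised offline."""
    log = "beacon path=%s host=%s cookie=%s" % (
        path, headers.get("Host", "-"), headers.get("Cookie", "-"))
    if not commands:
        return 204, b"", log + " (no commands configured)"
    cmd = rng.choice(commands)              # random order, as the slide describes
    return 200, cmd.encode() + b"\n", log + " -> " + cmd


class FakeC2Handler(BaseHTTPRequestHandler):
    commands = []                           # filled in by main()

    def _serve(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""   # drain any POST body
        status, payload, log = respond(self.path, self.headers, self.commands)
        if body:
            log += " body=%r" % body[:200]
        print(log, file=sys.stderr)         # what Wireshark shows, in one line
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _serve


def main(command_file, bind="192.168.133.1", port=80):
    """Listen on the br0 address the DNAT rule points at."""
    with open(command_file) as f:
        FakeC2Handler.commands = load_commands(f.read())
    HTTPServer((bind, port), FakeC2Handler).serve_forever()


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "stage1-command.txt")
```

Usage on the Ubuntu host would be sudo python3 fake_c2.py ~/tools/c2-command/stage1-command.txt (port 80 needs root, and the VM's own nginx must be stopped first because it already listens there). Because respond() is separate from the socket handling, the '$' normalisation and the logging can be checked without starting a listener.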
After that…
• Once you have found all the commands for the stage1.exe malware, it will
download stage2.exe by updating itself.
• For stage2.exe, follow the same steps as in the tutorial
• Check its network access with Wireshark
• Redirect the network traffic to the fake host if required (if the connection fails)
• Identify the malicious functions by editing score.h and running the cfg-generation tool
• Discover the list of commands with the symbolic execution tool
• Fill in the commands in ~/tools/c2-command/stage2-command.txt
• Do the same for payload.exe (stage 3)
Tutorial – Copy to Shared Directory
• As described in the "Malware" slide, you will see that a new malware sample is downloaded.
• You need to copy it to the Linux host to analyze it.
• Right-click the downloaded malware on the Desktop, then click "Copy".
• Open the Shared Directory, right-click, then click "Paste"
Tutorial – Copy to Shared Directory
• Back on the Linux host, open a terminal and go to ~/shared.
• Then follow the steps shown in the slide.
Tips for assignment-questionnaire.txt
• Complete the questionnaire as you go; try to avoid backtracking as
this wastes time
• The URL example in the questionnaire is
“http://scouter.cc.gatech.edu/a/b/c”, but some URLs may not include
the path (a/b/c) – this is fine, just be sure to include the path in your
answer for the URLs that include it
• The grading script will ignore “http://”, “https://” and “www.” for your
convenience, but try to be thorough and match what you see exactly
• Commands and memory addresses are NOT case sensitive, but be
sure you don’t mix up 0 (zero) and O – the zero should have a dot in it
in the VM
Tips
• Getting the domain name from an IP address (if the packet is encrypted)
• Use nslookup (IP -> domain name via a reverse lookup, and domain name -> IP)
• Caveat: the reverse (PTR) record is not necessarily the name the malware used; the HTTP Host
header is authoritative
Tips
• Getting the exact domain name from an IP address
• Let the fake connection happen (redirect to 192.168.133.1)
• Then look at the TCP stream data
• The HTTP Host header gives the answer, e.g.:
• Host: netscan.gtisc.gatech.edu
Tips
• Getting the process name of the malware
• Use taskmgr in Windows
• Start menu -> Run -> taskmgr; or press Ctrl-Shift-Esc.
• Click on the 'Processes' tab to see the list of processes
• Or use Cuckoo's behavioral analysis
Tips
• Getting the process name of the malware and the registry keys
created by the malware
• Use the Procmon (Process Monitor) provided on the testbed VM
Tips
• If the malware does not run
• E.g., it does not display the dialog box with "Starting Stage X malware" on start
• Run stop_malware on the desktop
• It stops all malware activity, so you can run again from a clean state
Tips
• Click OK to let the malware execution proceed
• Currently, the dialog blocks the execution of the malware
• Click OK whenever this dialog pops up from the malware
• Otherwise, the malware will not execute further and will not show its behavior
Tips
• Iptables rules
• Edit ~/tools/network/iptables_rules
• Make sure the rules have no syntax errors
• Make sure you execute ./reset in that directory
• This command applies the file to the current iptables rules
• NAT redirect syntax
• iptables -t nat -A PREROUTING -p tcp -s [source-ip-address] -d [destination-ip-address]
--dport 80 -j DNAT --to-destination 192.168.133.1:80
• Appends the rule to the PREROUTING chain of the nat table;
• if the protocol is TCP, the source IP matches [source-ip-address],
• the destination IP matches [destination-ip-address], and the destination port is 80,
• then the destination is rewritten to 192.168.133.1, port 80.
• Check the installed rule with: sudo iptables -t nat -L PREROUTING -n -v
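The rule above only makes sense together with the requirement that nothing else from the malware reaches the Internet, and the two interact in a way that is easy to get wrong. The following added example (editor's code; it does not call iptables) replays netfilter's order of evaluation on constructed packets: nat PREROUTING runs before the routing decision, so the filter chains only ever see the rewritten destination, and a redirected beacon is delivered to the Ubuntu host itself (INPUT chain) rather than forwarded. Addresses are the ones from the slides; 203.0.113.10 is a hypothetical stage-2 download host, and the default-deny FORWARD rule set is the editor's suggested implementation of the requirement, not the content of the VM's iptables_rules.

```python
"""How netfilter sees the malware's packets under the VM's iptables rules
(added editorial model; it does not call iptables)."""
from dataclasses import dataclass, replace

MALWARE_VM = "192.168.133.101"          # Windows XP behind tap0
FAKE_HOST = "192.168.133.1"             # br0 address of the Ubuntu host
DEAD_C2 = "128.61.240.66"
DOWNLOAD_HOST = "203.0.113.10"          # hypothetical: the only host allowed out
LOCAL_ADDRS = {FAKE_HOST, "10.0.2.15"}  # addresses owned by the Ubuntu host
POLICY = {"INPUT": "ACCEPT", "FORWARD": "DROP"}   # default-deny for forwarded traffic


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    chain: str                  # PREROUTING (nat table), INPUT or FORWARD (filter)
    target: str                 # DNAT, ACCEPT or DROP
    src: str = None
    dst: str = None
    dport: int = None
    to: str = None              # "ip:port", DNAT only

    def matches(self, pkt):
        return ((self.src is None or self.src == pkt.src)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))

    def as_iptables(self):
        """The equivalent line for ~/tools/network/iptables_rules (tcp only)."""
        words = ["iptables"] + (["-t", "nat"] if self.chain == "PREROUTING" else [])
        words += ["-A", self.chain, "-p", "tcp"]
        for flag, val in (("-s", self.src), ("-d", self.dst), ("--dport", self.dport)):
            if val is not None:
                words += [flag, str(val)]
        words += ["-j", self.target]
        if self.to:
            words += ["--to-destination", self.to]
        return " ".join(words)


RULES = [
    # the slide's redirect: dead C2 -> fake host on the bridge
    Rule("PREROUTING", "DNAT", src=MALWARE_VM, dst=DEAD_C2, dport=80, to=FAKE_HOST + ":80"),
    # the only real-Internet destination the malware may reach (stage-2/3 download)
    Rule("FORWARD", "ACCEPT", src=MALWARE_VM, dst=DOWNLOAD_HOST, dport=80),
    # everything else the malware sends out is dropped (explicit, in case the policy is ACCEPT)
    Rule("FORWARD", "DROP", src=MALWARE_VM),
]


def first_match(chain, pkt):
    return next((r for r in RULES if r.chain == chain and r.matches(pkt)), None)


def netfilter(pkt):
    """Returns (chain that decided, verdict, packet as that chain saw it)."""
    hit = first_match("PREROUTING", pkt)          # 1. nat PREROUTING, before routing
    if hit is not None and hit.target == "DNAT":
        ip, port = hit.to.split(":")
        pkt = replace(pkt, dst=ip, dport=int(port))
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"   # 2. routing decision
    hit = first_match(chain, pkt)                 # 3. filter chain sees the rewritten packet
    return chain, (hit.target if hit else POLICY[chain]), pkt


if __name__ == "__main__":
    for r in RULES:
        print(r.as_iptables())
    for p in (Packet(MALWARE_VM, DEAD_C2, 80), Packet(MALWARE_VM, DOWNLOAD_HOST, 80),
              Packet(MALWARE_VM, "198.51.100.7", 25)):
        print(p, "->", netfilter(p))
```

Two caveats fall out of the model. A beacon to 128.61.240.66 on any port other than 80 is not redirected by this rule and is dropped in FORWARD, so confirm in Wireshark which port the malware really uses before writing the rule. And a FORWARD rule that names 128.61.240.66 can never match the redirected beacon, because DNAT has already rewritten the destination by the time FORWARD runs; the allow rules for the download hosts must name the addresses the filter chain actually sees.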
Advanced Tips
• For those of you who are interested in reverse engineering, these slides cover
fundamental material that you need to study.
• Disassembler/Debugger
• IDA Pro, Binary Ninja, radare2, x64dbg, GDB, Immunity Debugger, etc.
• Packers/Obfuscation
• Ether, VMIUnpacker, xorunpacker, etc.
• PE/ELF binary format
• Memory snapshots.
• More.
Advanced Tips
• Most malware is packed or obfuscated by a known or unknown packer
or obfuscator.
• For a Win32 binary, inspecting the PE32 headers (section names, section entropy, import table)
tells us whether the binary is packed.
• For obfuscation, we usually have to reverse engineer the binary to find out whether
it is obfuscated.
Advanced Tips
• Assembly code & OS architecture
• x86, x86-64, arm64, etc.
• Stack, heap, stack canaries/guards, etc.
Advanced Tips
• Anti-debugging/Anti-VM techniques
• Malware is becoming more advanced.
• Malware authors know that:
• Malware analysts use debuggers/disassemblers
• Malware analysts use VM environments
• So malware authors embed evasion of debugging software and VM
environments:
• Detection of software/hardware breakpoints
• Detection of memory/conditional breakpoints
• Timing-based/artifact-based VM detection
Android Malware Analysis
• Manifest Analysis
• Identifying suspicious components
• Static Analysis
• Search for C&C commands and trigger conditions
• Vet the app for any anti-analysis techniques that need to be removed.
• Dynamic analysis
• Leverage the information found via static analysis to trigger the malicious
behavior.
Manifest Analysis
• Identify suspicious components
• Broadcast receivers registering for suspicious actions.
• Background services
• Narrow the scope of the analysis
• Malicious code is repackaged into benign apps that have thousands of classes.
Broadcast receiver from CoinPirate’s malware family.
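As an added example of the manifest triage described above (editor's code, not part of the course write-up), the script below scans the text AndroidManifest.xml that apktool d produces and reports the receivers that register for SMS or boot broadcasts, their priority and exported status, the background services, and the SMS-related permissions. The embedded manifest is constructed for the example; its package and class names are made up and are not those of sms.apk.

```python
"""Triage a decoded AndroidManifest.xml for the components the slide singles
out (added editorial example, not part of the course write-up). Expects the
text manifest that `apktool d` writes, not the binary XML inside the APK."""
import sys
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # prefix of android: attributes

SUSPICIOUS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",   # sees every incoming SMS
    "android.intent.action.BOOT_COMPLETED",      # restarts itself after a reboot
    "android.intent.action.NEW_OUTGOING_CALL",
}
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED",
}

# Constructed sample; package and class names are made up.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Messenger">
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <service android:name=".SyncService"/>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Package name plus the permissions, receivers and services worth a look."""
    root = ET.fromstring(xml_text)
    out = {"package": root.get("package"), "permissions": [], "receivers": [], "services": []}
    for p in root.iter("uses-permission"):
        if p.get(A + "name") in SUSPICIOUS_PERMISSIONS:
            out["permissions"].append(p.get(A + "name"))
    for r in root.iter("receiver"):
        actions = {a.get(A + "name") for a in r.iter("action")}
        hits = sorted(actions & SUSPICIOUS_ACTIONS)
        if not hits:
            continue
        filters = list(r.iter("intent-filter"))
        exported = r.get(A + "exported")
        out["receivers"].append({
            "class": r.get(A + "name"),
            "actions": hits,
            # the highest priority gets the ordered broadcast first; Integer.MAX_VALUE is a red flag
            "priority": max((int(f.get(A + "priority", "0")) for f in filters), default=0),
            # before Android 12 a component with an intent-filter is exported unless it says otherwise
            "exported": exported == "true" if exported is not None else bool(filters),
        })
    for s in root.iter("service"):
        out["services"].append(s.get(A + "name"))
    return out


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    for key, value in triage_manifest(text).items():
        print(key, ":", value)
```

Run it as python3 triage_manifest.py sms/AndroidManifest.xml after apktool d has decoded the APK. A receiver for SMS_RECEIVED with the maximum priority is the classic shape of an SMS-driven C2 channel: it sees the message before the real messaging app and, on the Android versions this emulator runs, can abort the broadcast so the user never sees the command. The flagged classes are where to start in jadx-gui.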
Static Analysis
• Search for C&C commands and trigger conditions
Static Analysis
• Identifying Anti-analysis techniques
Scenario
Analyzing Android Malware
• You have received a malware sample, sms.apk.
• You need to identify its communication with the C&C server
• Identify the anti-analysis techniques used by the app.
• Identify the commands that trigger any malicious behavior.
Project Structure
• Android emulator
• An emulator for Android 4.4 is pre-installed
• Run 'run-emulator'
• This opens the Android emulator.
• Jadx
• Decompiles apk files into Java source code.
• Apktool
• Disassembles apk files into Smali.
• Rebuilds apk files.
• Write-up (~/Android/MaliciousMessenger/writeup.pdf)
• Detailed guide on how to complete the Android section of the lab.
Project Structure
• Android App
• ~/Android/MaliciousMessenger/tutorialApps
• emu-check.apk
• A tutorial example (Shown as ‘My application’ in the emulator)
• CoinPirate.apk
• Another tutorial example
• ~/Android/MaliciousMessenger/sms.apk
• Target app to analyze to answer the questionnaire
• READ ~/Android/MaliciousMessenger/writeup.pdf
Starting C&C Server
• Starting C&C Server
• Run `start_server`
How to
• Emulator
• Run with ‘run-emulator’
How to
• Emulator
• Run Application
• My Application (tutorial, not required)
• emu-check.apk
• Coin Pirates (tutorial, not required)
• CoinPirates.apk
• Messenger
• sms.apk (analysis target)
How to
• Emulator
• Click ‘…’ to control the emulator
How to
• Emulator
• Send SMS
• Can change sender ID
• Can change content
How to
• Decompile
• Run jadx-gui
How to
• Disassemble
• Run apktool
• apktool d -f -r sms.apk
• This command generates the disassembled *.smali files (-f overwrites an existing output
directory, -r skips decoding the resources)
• Copy the APK file before doing this.
• Repackage (requires signing)
• apktool b sms -o sms.apk
• This command reassembles the *.smali files into an apk file (named sms.apk here; you can change this)
• Sign
• You must sign the app to install it in the emulator
• Run 'signer.py sms.apk'
How to
• Install / uninstall (uninstall first to re-install the app)
• Install
• adb install sms.apk
• Installs sms.apk into the emulator
• Make sure the emulator is running first
• Uninstall
• adb uninstall com.smsmessenger
• Uninstalls sms.apk from the emulator
How to
• Decompile
• Run jadx-gui
• Open apk file
• Open class…