The Android Malware Handbook by Qian Han & Salvador Mandujano & Sebastian Porst & V.S. Subrahmanian & Sai Deep Tetali & Yanhai Xiong
Author:Qian Han & Salvador Mandujano & Sebastian Porst & V.S. Subrahmanian & Sai Deep Tetali & Yanhai Xiong
Language: eng
Format: epub, pdf
Publisher: No Starch Press
Published: 2024-11-15T00:00:00+00:00
Decrypting the Command-and-Control Communications
As in the previous chapter, one of the most important properties of the malware weâll want to reverse engineer is its encrypted communication with the command-and-control server. Breaking the encryption will allow us to better understand the commands it supports. Rather than using static analysis and code reading to find out how this communication works, weâll use dynamic analysis. Between tcpdump, logcat, and Frida, we have all the tools we need.
After our earlier analysis using tcpdump and Wireshark, we know that the first connection the malware makes is an HTTP POST request to http://simpleyo5.tk/ping. In this request, the malware sends a JSON object with four entries, as shown in Listing 4-6.
{ "hash": "c9KjsZ9C7He6VRmwPMY9YpRrW8H9UFIITKB7umfOUyo=", "id": "9hbTqZU/XYXD8Z1hftmY0N63NltNY2+ihQOnUHrg9T1B/C...", "iv": "M0KcSRwOMvKnbNd4TE719Q==", "type": "request_verify" }
Listing 4-6: The JSON payload posted to the /ping URL
Itâs still unclear what these values are. The one plaintext entry, "type": "request_verify", suggests that the purpose of this connection is to request that the malware client be verified. Weâve shortened the value of id here; originally, it had more than 7,000 bytes. Its length indicates that it might be the messageâs main payload. The value of hash is unknown at this point, as is the value of iv, which has a noteworthy name. Could this be the initialization vector used to encrypt the payload? Later, weâll confirm this to be the case.
Download
The Android Malware Handbook by Qian Han & Salvador Mandujano & Sebastian Porst & V.S. Subrahmanian & Sai Deep Tetali & Yanhai Xiong.pdf
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.
Cryptography | Encryption |
Hacking | Network Security |
Privacy & Online Safety | Security Certifications |
Viruses |
Effective Threat Investigation for SOC Analysts by Yahia Mostafa;(6619)
Practical Memory Forensics by Svetlana Ostrovskaya & Oleg Skulkin(6342)
Machine Learning Security Principles by John Paul Mueller(6309)
Attacking and Exploiting Modern Web Applications by Simone Onofri & Donato Onofri(5985)
Operationalizing Threat Intelligence by Kyle Wilhoit & Joseph Opacki(5943)
Solidity Programming Essentials by Ritesh Modi(4061)
Microsoft 365 Security, Compliance, and Identity Administration by Peter Rising(3701)
Operationalizing Threat Intelligence by Joseph Opacki Kyle Wilhoit(3431)
Mastering Python for Networking and Security by José Manuel Ortega(3359)
Future Crimes by Marc Goodman(3351)
Mastering Azure Security by Mustafa Toroman and Tom Janetscheck(3337)
Blockchain Basics by Daniel Drescher(3308)
Learn Computer Forensics - Second Edition by William Oettinger(3189)
Incident Response with Threat Intelligence by Roberto Martínez(2917)
Mobile App Reverse Engineering by Abhinav Mishra(2889)
Mastering Bitcoin: Programming the Open Blockchain by Andreas M. Antonopoulos(2873)
The Code Book by Simon Singh(2832)
Building a Next-Gen SOC with IBM QRadar: Accelerate your security operations and detect cyber threats effectively by Ashish M Kothekar(2801)
From CIA to APT: An Introduction to Cyber Security by Edward G. Amoroso & Matthew E. Amoroso(2785)
