Tuesday, October 13, 2015

Android Memory Analysis (II) - Extracting the memory and analyzing with Volatility

During the previous post I described the steps necessary to be able to dump the memory of a physical Android phone.

Now we will focus on searching for evidence. The first step is to install a malware sample on the device and afterwards dump the memory. The malware sample used is from the Emmental campaign (986d67fdff01c836be442fac5712ceaa); in future posts we will analyze this campaign in more detail.

Running the malware and dumping the memory

The first step is to install the sample with 'adb' (adb install CreditSuisse-SmsSecurity-v-20_08.apk) and then launch the application just installed.

The smartphone gets Internet access through a WiFi Pineapple connected to a MacBook, as shown in the screenshot below:



This setup makes it possible to capture the network traffic with Wireshark.



Once the application has started, I dump the memory of the device by loading the LiME module into the kernel via 'insmod /sdcard/lime.ko path=TCP:4444 lime2.dump format=lime', as explained in the previous post.

The memory dump is sent with netcat to the host and stored as lime2.dump.

Running volatility against the memory dump

Extracting the running processes

In the previous post I created a profile for Volatility, named LinuxNexus5-511ARM, based on the customized Android kernel. Now it is time to run Volatility :)

# List the processes running in the system
python vol.py --profile=LinuxNexus5-511ARM -f ~/Android2/CS_mem_image/lime2.dump linux_psaux

Pid Uid Gid Arguments
1 0 0 /init
2 0 0 [kthreadd]
3 0 0 [ksoftirqd/0]
7 0 0 [kworker/u:0H]
8 0 0 [migration/0]
13 0 0 [khelper]
14 0 0 [netns]
18 0 0 [modem_notifier]
19 0 0 [smd_channel_clo]
20 0 0 [smsm_cb_wq]
22 0 0 [rpm-smd]
23 0 0 [kworker/u:1H]
24 0 0 [irq/317-earjack]
37 0 0 [sync_supers]
38 0 0 [bdi-default]
39 0 0 [kblockd]
40 0 0 [vmalloc]
41 0 0 [khubd]
42 0 0 [irq/102-msm_iom]
43 0 0 [irq/102-msm_iom]
44 0 0 [irq/102-msm_iom]
45 0 0 [irq/79-msm_iomm]
46 0 0 [irq/78-msm_iomm]
47 0 0 [irq/78-msm_iomm]
48 0 0 [irq/74-msm_iomm]
49 0 0 [irq/75-msm_iomm]
50 0 0 [irq/75-msm_iomm]
51 0 0 [irq/75-msm_iomm]
52 0 0 [irq/75-msm_iomm]
53 0 0 [irq/273-msm_iom]
54 0 0 [irq/273-msm_iom]
55 0 0 [irq/97-msm_iomm]
56 0 0 [irq/97-msm_iomm]
57 0 0 [irq/97-msm_iomm]
58 0 0 [l2cap]
59 0 0 [a2mp]
60 0 0 [cfg80211]
62 0 0 [qmi]
63 0 0 [nmea]
64 0 0 [msm_ipc_router]
65 0 0 [apr_driver]
67 0 0 [kswapd0]
68 0 0 [fsnotify_mark]
69 0 0 [cifsiod]
70 0 0 [crypto]
88 0 0 [ad_calc_wq]
89 0 0 [hdmi_tx_workq]
90 0 0 [anx7808_work]
91 0 0 [k_hsuart]
92 0 0 [diag_wq]
93 0 0 [diag_cntl_wq]
94 0 0 [diag_dci_wq]
95 0 0 [kgsl-3d0]
97 0 0 [f9966000.spi]
108 0 0 [usbnet]
109 0 0 [irq/329-anx7808]
110 0 0 [k_rmnet_mux_wor]
111 0 0 [f_mtp]
112 0 0 [file-storage]
113 0 0 [uether]
114 0 0 [synaptics_wq]
115 0 0 [irq/362-s3350]
117 0 0 [msm_vidc_worker]
118 0 0 [msm_vidc_worker]
119 0 0 [msm_cpp_workque]
120 0 0 [irq/350-bq51013]
122 0 0 [dm_bufio_cache]
123 0 0 [dbs_sync/0]
124 0 0 [dbs_sync/1]
125 0 0 [dbs_sync/2]
126 0 0 [dbs_sync/3]
127 0 0 [cfinteractive]
128 0 0 [irq/170-msm_sdc]
129 0 0 [binder]
130 0 0 [usb_bam_wq]
131 0 0 [krfcommd]
132 0 0 [bam_dmux_rx]
133 0 0 [bam_dmux_tx]
134 0 0 [rq_stats]
135 0 0 [deferwq]
136 0 0 [irq/361-MAX1704]
138 0 0 [mmcqd/1]
139 0 0 [mmcqd/1rpmb]
140 0 0 [wl_event_handle]
141 0 0 [dhd_watchdog_th]
142 0 0 [dhd_dpc]
143 0 0 [dhd_rxf]
144 0 0 [dhd_sysioc]
145 0 0 [vibrator]
146 0 0 [max1462x]
147 0 0 [irq/310-maxim_m]
148 0 0 [irq/311-maxim_m]
149 0 0 /sbin/ueventd
151 0 0 [jbd2/mmcblk0p25]
152 0 0 [ext4-dio-unwrit]
155 0 0 [flush-179:0]
157 0 0 [jbd2/mmcblk0p28]
158 0 0 [ext4-dio-unwrit]
162 0 0 [jbd2/mmcblk0p27]
163 0 0 [ext4-dio-unwrit]
164 0 0 [jbd2/mmcblk0p16]
165 0 0 [ext4-dio-unwrit]
188 1036 1036 /system/bin/logd
189 0 0 /sbin/healthd
190 0 0 /system/bin/lmkd
191 1000 1000 /system/bin/servicemanager
194 0 0 /system/bin/vold
195 0 0 [IPCRTR]
196 1000 1003 /system/bin/surfaceflinger
197 9999 3004 /system/bin/rmt_storage
198 0 0 [sb-1]
199 0 0 [ipc_rtr_q6_ipcr]
200 1000 1000 /system/bin/qseecomd
202 0 0 [ngd_msm_ctrl_ng]
203 0 0 /system/bin/netd
204 0 0 /system/bin/debuggerd
205 1001 1001 /system/bin/rild
206 1019 1019 /system/bin/drmserver
207 1013 1005 /system/bin/mediaserver
208 1012 1012 /system/bin/installd
210 1017 1017 /system/bin/keystore /data/misc/keystore
212 1001 1001 /system/bin/bridgemgrd
213 1001 1001 /system/bin/qmuxd
214 1001 1000 /system/bin/netmgrd
215 9999 3004 /system/bin/sensors.qcom
218 0 1001 /system/bin/thermal-engine-hh
221 0 0 [msm_slim_qmi_cl]
222 0 0 [msm_qmi_rtx_q]
225 0 0 [irq/288-wcd9xxx]
230 0 0 zygote
235 0 0 [kauditd]
241 1000 1000 /system/bin/qseecomd
242 1023 1023 /system/bin/sdcard -u 1023 -g 1023 -l /data/media /mnt/shell/emulated
243 1006 1006 /system/bin/mm-qcamera-daemon
244 1000 3004 /system/bin/time_daemon
261 2000 2000 /sbin/adbd --root_seclabel=u:r:su:s0
306 0 0 [msm_thermal:hot]
307 0 0 [msm_thermal:fre]
346 0 0 [mdss_fb0]
511 0 0 daemonsu:mount:master
541 0 0 [IPCRTR]
543 0 0 [ipc_rtr_smd_ipc]
574 0 0 daemonsu:master
772 1000 1000 system_server
912 1010 1010 /system/bin/wpa_supplicant -iwlan0 -Dnl80211 -c/data/misc/wifi/wpa_supplicant.conf -I/system/etc/wifi/wpa_supplicant_overlay.conf -N -ip2p0 -Dnl80211 -c/data/misc/wifi/p2p_supplicant.conf -I/system/etc/wifi/p2p_supplicant_overlay.conf -puse_p2p_group_interface=1 -e/data/misc/wifi/entropy.bin -g@android:wpa_wlan0
954 10022 10022 com.android.systemui
1093 10024 10024 com.google.android.googlequicksearchbox:interactor
1117 10056 10056 com.google.android.inputmethod.latin
1166 1027 1027 com.android.nfc
1192 1001 1001 com.redbend.vdmc
1213 1001 1001 com.android.phone
1261 10024 10024 com.google.android.googlequicksearchbox
1350 10009 10009 com.google.process.gapps
1720 10009 10009 com.google.android.gms
1742 10009 10009 com.google.android.gms.persistent
1858 0 0 /system/bin/mpdecision --no_sleep --avg_comp
2352 0 0 daemonsu:10087
4084 0 0 daemonsu:0
4086 0 0 daemonsu:0:4081
4300 0 0 tmp-mksh -
6311 10067 10067 com.google.android.apps.plus
7463 10024 10024 com.google.android.googlequicksearchbox:search
9547 0 0 daemonsu:10088
24285 10006 10006 android.process.media
24315 10065 10065 com.google.android.apps.photos
28743 10008 10008 com.google.android.apps.gcs
28796 10061 10061 com.google.android.apps.magazines
32564 0 0 [kworker/0:0H]
3447 0 0 [kworker/u:4]
5478 0 0 [kworker/0:1H]
7409 0 0 [kworker/0:0]
9669 0 0 [kworker/u:7]
10520 10014 10014 com.google.android.partnersetup
10861 0 0 [kworker/u:12]
12900 10035 10035
13558 1000 1000 com.android.settings
13964 0 0 [kworker/u:14]
14116 1014 1014 /system/bin/dhcpcd -aABDKL -f /system/etc/dhcpcd/dhcpcd.conf -h android-173db3c715e97b6 wlan0
15087 10005 10005 com.android.defcontainer
15575 99028 99028 com.android.chrome:sandboxed_process7
15600 0 0 [kworker/0:1]
16038 2000 2000 /system/bin/sh -
16043 2000 2000 su -
16046 0 0 daemonsu:0:16043
16050 0 0 [kworker/0:3H]
16063 10087 10087 eu.chainfire.supersu
16185 0 0 tmp-mksh -
16354 0 0 [kworker/0:2]
16358 10091 10091 org.mozilla.firefox
16626 10004 10004 android.process.acore
16662 10017 10017 com.android.musicfx
16681 10018 10018 com.android.vending
16717 0 0 [kworker/0:3]
16740 10009 10009 com.google.android.gms:car
16763 10009 10009 com.google.android.gms.wearable
16787 10041 10041 com.google.android.apps.docs
16967 0 0 [kworker/u:0]
16968 0 0 [kworker/u:1]
17145 10093 10093 org.thoughtcrime.securesms
17372 0 0 [kworker/u:2]
17424 0 0 [kworker/0:2H]
17439 0 0 [kworker/u:3]
17686 0 0 insmod lime.ko path=TCP:4444 lime2.dump format=lime
17687 0 0 [migration/1]
17688 0 0 [kworker/1:0]
17689 0 0 [kworker/1:0H]
17690 0 0 [ksoftirqd/1]
17691 0 0 [kworker/1:1H]
17692 0 0 [kworker/1:2H]

The process worth investigating is PID 17145 (highlighted in yellow in the original listing).
As a note, I have also highlighted the process running the memory dump (PID 17686).


Dumping the memory allocated to the suspicious process

Once we know the PID of the process worth investigating, it is possible to list all the blocks of memory allocated to that process with Volatility and the 'linux_proc_maps' option:

$ python vol.py --profile=LinuxNexus5-511ARM -f lime2.dump -p 17145 linux_proc_maps
Offset Pid Name Start End Flags Pgoff Major Minor Inode File Path
------------------ -------- -------------------- ------------------ ------------------ ------ ---------- ------ ------ ---------- ---------
0x00000000ed175500 17145 crime.securesms 0x0000000012c00000 0x0000000012e01000 rw- 0x0 0 4 9397 /dev/ashmem/dalvik-main space
0x00000000ed175500 17145 crime.securesms 0x0000000012e01000 0x0000000013252000 rw- 0x201000 0 4 9397 /dev/ashmem/dalvik-main space
.........
........
0x00000000ed175500 17145 crime.securesms 0x00000000b6fe7000 0x00000000b6fe8000 r-- 0x2000 179 25 325 /system/bin/app_process32_original
0x00000000ed175500 17145 crime.securesms 0x00000000b6fe8000 0x00000000b6fe9000 rw- 0x0 0 0 0
0x00000000ed175500 17145 crime.securesms 0x00000000be027000 0x00000000be028000 --- 0x0 0 0 0
0x00000000ed175500 17145 crime.securesms 0x00000000be028000 0x00000000be827000 rw- 0x0 0 0 0 [stack]


This shows the full list of memory regions. Next, we extract the start address of every region (the 'Start' column, which is the fourth field) with a simple awk command (awk '{print $4}') and save the result to a file, in this case named 'pos_mem.txt'.



$ head -3  pos_mem.txt
0x0000000012c00000
0x0000000012e01000
0x0000000013252000

0x0000000032c00000


The next step is to dump every memory region to a file, so that we can investigate them further and figure out which ones contain interesting data. I do it with a shell loop that runs Volatility with the 'linux_dump_map' option for each start address:


for i in `cat pos_mem.txt`; do python vol.py --profile=LinuxNexus5-511ARM -f lime2.dump linux_dump_map -p 17145 -s $i --dump-dir memoria_analisis/; done


The 'file' command shows what kind of data each memory file contains (regions that 'file' classifies as plain data are filtered out):

$ file * | grep -v ": data"
task.17145.0x12c00000.vma: dBase IV DBT of \377\377\377\377\377\377\377\377.DBF, blocks size 1, next free block index 1280, 1st item "\355"
task.17145.0x12e01000.vma: raw G3 data, byte-padded
task.17145.0x9f940000.vma: GLS_BINARY_LSB_FIRST
task.17145.0xa0b30000.vma: AIX core file fulldump 32-bit, \377\377\377\377\376\376\376\377\376\376\376\377\376\376\376\377\377\377\377\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376 64-bit, \376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376\377\376\376\376
task.17145.0xa1f33000.vma: FoxPro FPT, blocks size 1305, next free block index 1048
task.17145.0xa1f39000.vma: MS Windows icon resource - 2 icons, 2x, 1-colors
task.17145.0xa2487000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xaf013000.vma: MS Windows icon resource - 2 icons, 2x, 1-colors
task.17145.0xaf2b2000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked, stripped
task.17145.0xaf428000.vma: lif file
task.17145.0xb0fd6000.vma: 8086 relocatable (Microsoft)
task.17145.0xb3552000.vma: FoxPro FPT, blocks size 0, next free block index 276828288
task.17145.0xb3554000.vma: FoxPro FPT, blocks size 0, next free block index 1
task.17145.0xb3556000.vma: FoxPro FPT, blocks size 0, next free block index 1
task.17145.0xb3558000.vma: FoxPro FPT, blocks size 0, next free block index 255
task.17145.0xb35de000.vma: FoxPro FPT, blocks size 0, next free block index 14704051
task.17145.0xb35e0000.vma: AIX core file fulldump 32-bit, \371\211 64-bit, U-c\240\300\2454p;
task.17145.0xb4800000.vma: dBase III DBT, 1st item "qA"
task.17145.0xb5049000.vma: MS Windows icon resource - 2 icons, 3x, 4-colors
task.17145.0xb504c000.vma: FoxPro FPT, blocks size 0, next free block index 3697477888, 1st used item "\023"
task.17145.0xb5052000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb5057000.vma: FoxPro FPT, blocks size 0, next free block index 7341493
task.17145.0xb5058000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb505c000.vma: FoxPro FPT, blocks size 50606, next free block index 12584373
task.17145.0xb505d000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb529b000.vma: dBase IV DBT of PROP\253\320n\374.DBF, blocks size 1059, next free block index 39216, 1st item "alno"
task.17145.0xb5d94000.vma: AIX core file fulldump 32-bit 64-bit
task.17145.0xb5e9c000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb5e9d000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb5f4a000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb62cd000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb673c000.vma: FoxPro FPT, blocks size 0, next free block index 12612534
task.17145.0xb6748000.vma: FoxPro FPT, blocks size 0, next free block index 8418486
task.17145.0xb6ba3000.vma: ELF 32-bit LSB  shared object, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped
task.17145.0xb6bf3000.vma: FoxPro FPT, blocks size 32831, next free block index 3194806
task.17145.0xb6e1a000.vma: MPEG ADTS, layer I, v2, 16 kHz, Monaural
task.17145.0xb6eee000.vma: AIX core file 32-bit 64-bit
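
The awk extraction, the dump loop and the 'file' pass above are three manual steps that hinge on one detail: the name linux_dump_map gives each file is the region's start address (task.17145.0x12c00000.vma for the region starting at 0x0000000012c00000 in the listing). The following Python script is an added example and not the blog's own tooling: it parses the linux_proc_maps output and the 'file' output (sample rows copied from the listings above and embedded inline as constructed input), reproduces the pos_mem.txt list, derives the dump file names and joins the two so that each 'file' verdict sits next to the region's permissions and backing path. It goes beyond the post by also marking writable regions with no file on disk behind them (Dalvik heap, ashmem, stack), which is where an app's live data sits, whereas file-backed read-only mappings are libraries that can be pulled from the device image instead; the 'dBase IV' and 'raw G3' verdicts for the heap regions show why 'file' alone is a weak signal here.

```python
"""Tie 'linux_proc_maps' regions, 'linux_dump_map' files and 'file' verdicts
together (added example, not the blog's own tooling).

linux_dump_map names each dumped region task.<pid>.<start>.vma, where <start>
is the region's start address without leading zeros, so the file name is the
key that ties a 'file' verdict back to the region's flags and backing path."""
import re
from collections import namedtuple

Region = namedtuple("Region", "pid name start end flags pgoff major minor inode path")

# Constructed sample: rows copied from the linux_proc_maps listing above.
PROC_MAPS = """\
Offset Pid Name Start End Flags Pgoff Major Minor Inode File Path
0x00000000ed175500 17145 crime.securesms 0x0000000012c00000 0x0000000012e01000 rw- 0x0 0 4 9397 /dev/ashmem/dalvik-main space
0x00000000ed175500 17145 crime.securesms 0x0000000012e01000 0x0000000013252000 rw- 0x201000 0 4 9397 /dev/ashmem/dalvik-main space
0x00000000ed175500 17145 crime.securesms 0x00000000b6fe7000 0x00000000b6fe8000 r-- 0x2000 179 25 325 /system/bin/app_process32_original
0x00000000ed175500 17145 crime.securesms 0x00000000b6fe8000 0x00000000b6fe9000 rw- 0x0 0 0 0
0x00000000ed175500 17145 crime.securesms 0x00000000be028000 0x00000000be827000 rw- 0x0 0 0 0 [stack]
"""

# Constructed sample: 'file' verdicts copied from the output above (raw string,
# so the octal escapes stay literal as 'file' printed them).
FILE_OUTPUT = r"""
task.17145.0x12c00000.vma: dBase IV DBT of \377\377\377\377\377\377\377\377.DBF, blocks size 1, next free block index 1280, 1st item "\355"
task.17145.0x12e01000.vma: raw G3 data, byte-padded
task.17145.0xb6fe7000.vma: data
task.17145.0xb6fe8000.vma: data
task.17145.0xbe028000.vma: data
"""

# One linux_proc_maps row: the Name column has no spaces, but File Path may
# ("/dev/ashmem/dalvik-main space"), so the path is captured as the remainder.
ROW = re.compile(
    r"^0x[0-9a-f]+\s+(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+"
    r"([rwx-]{3})\s+(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*(.*)$"
)


def parse_proc_maps(text):
    regions = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or elided rows
        pid, name, start, end, flags, pgoff, major, minor, inode, path = m.groups()
        regions.append(Region(int(pid), name, int(start, 16), int(end, 16), flags,
                              int(pgoff, 16), int(major), int(minor), int(inode), path))
    return regions


def start_addresses(regions):
    """The same list awk '{print $4}' writes to pos_mem.txt (16 hex digits)."""
    return ["0x%016x" % r.start for r in regions]


def dump_file_name(region):
    """File name linux_dump_map writes for this region (-s <start>)."""
    return "task.%d.%#x.vma" % (region.pid, region.start)


def is_runtime_state(region):
    """Writable regions with no file on disk behind them (Dalvik heap, ashmem,
    stack, anonymous mappings) hold the app's live objects; read-only or
    file-backed mappings are usually libraries that exist on disk anyway."""
    anonymous = (region.path == "" or region.path.startswith("[")
                 or region.path.startswith("/dev/ashmem/"))
    return "w" in region.flags and anonymous


def parse_file_output(text):
    verdicts = {}
    for line in text.splitlines():
        if ": " in line:
            name, verdict = line.split(": ", 1)
            verdicts[name.strip()] = verdict.strip()
    return verdicts


def join_regions_with_file(proc_maps_text, file_text):
    verdicts = parse_file_output(file_text)
    rows = []
    for r in parse_proc_maps(proc_maps_text):
        fname = dump_file_name(r)
        rows.append({
            "file": fname,
            "start": "0x%08x" % r.start, "end": "0x%08x" % r.end,
            "flags": r.flags, "path": r.path,
            "verdict": verdicts.get(fname, "<not dumped>"),
            "candidate": is_runtime_state(r),
        })
    return rows


if __name__ == "__main__":
    for row in join_regions_with_file(PROC_MAPS, FILE_OUTPUT):
        mark = "*" if row["candidate"] else " "
        print("%s %s %s %-36s %s" % (mark, row["file"], row["flags"], row["path"], row["verdict"][:40]))
```

Feed it the real linux_proc_maps output and the full 'file' listing (without the grep) and the starred rows are the ones worth running strings over first; a file-backed r-x region that 'file' calls an ELF shared object is expected and can be compared against the copy on disk rather than carved.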

Taking a deeper look and playing a bit with 'strings', I finally found that the interesting file is 'task.17145.0x12e01000.vma' (highlighted in yellow), which corresponds to this block of memory:

0x00000000ed175500 17145 crime.securesms 0x0000000012c00000 0x0000000012e01000 rw- 0x0 0 4 9397 /dev/ashmem/dalvik-main space

Now we know where to start looking. In the next post I will analyse the content of that file.