1
00:00:08,820 --> 00:00:14,600
So the first sandbox analysis to finish was the one at APKLab.io.

2
00:00:14,610 --> 00:00:16,980
Here you can see the results.

3
00:00:17,070 --> 00:00:23,210
Let's have a look at the general dashboard over here. OK, so basic stuff.

4
00:00:23,210 --> 00:00:28,860
It tells you there are two activities, one service and one receiver.

5
00:00:28,920 --> 00:00:37,080
It shows what permissions are being used, shows you what URL the malware is connecting to. Usually

6
00:00:37,080 --> 00:00:41,340
this is the kind of stuff you'd want to try to identify by going through code.

7
00:00:41,340 --> 00:00:42,810
So this is a really good start.

8
00:00:44,070 --> 00:00:46,580
As an analyst this is an ideal scenario.

9
00:00:46,650 --> 00:00:54,310
You upload malware, let it run and see the results. Then besides the general dashboard you have more detailed

10
00:00:54,310 --> 00:00:55,360
results.

11
00:00:55,570 --> 00:01:04,550
For example static analysis. Actually, before we see this let's have a look at Koodous. In Koodous you can

12
00:01:04,550 --> 00:01:07,640
search for APKs, including the one you just uploaded.

13
00:01:08,360 --> 00:01:14,300
So here we have the hash of the APK and we can just search using this.

14
00:01:14,300 --> 00:01:20,410
So you might see that no analysis was done for a specific APK. In that case,

15
00:01:20,420 --> 00:01:26,570
just click analyze, or reanalyze if you want a new analysis, like so,

16
00:01:29,590 --> 00:01:36,290
and an analysis request has been sent. Report generation can take several minutes but it will give you

17
00:01:36,290 --> 00:01:42,790
a notification when it finishes, so you'll probably get an e-mail report saying OK, your analysis is

18
00:01:42,790 --> 00:01:49,540
complete. I'll just show you the results in one of the sandboxes which I think is one of the best ones,

19
00:01:49,540 --> 00:01:57,070
actually APKLab.io, but whatever you see in APKLab you'll probably see similar results in the

20
00:01:57,070 --> 00:02:02,150
other sandboxes. At the end of the day, in the background

21
00:02:02,150 --> 00:02:05,680
all of them are doing similar tasks and using similar tools.

22
00:02:06,320 --> 00:02:13,850
However, APKLab seems to be quite a serious and advanced tool. Technically, in the background,

23
00:02:13,860 --> 00:02:18,180
they're using the tools we showed you earlier while providing the user with a UI.

24
00:02:21,350 --> 00:02:28,310
I believe APKLab goes a step further and they apply some advanced analysis, maybe using some A.I.

25
00:02:29,780 --> 00:02:31,970
Oh, and the other thing about the sandboxes.

26
00:02:31,970 --> 00:02:36,090
As I mentioned earlier, they're also good sources for actual malware.

27
00:02:36,560 --> 00:02:43,070
So if you want to analyze a specific malware you can go to an online sandbox, search by name, package,

28
00:02:43,210 --> 00:02:46,420
MD5 etc. and find your sample.

29
00:02:46,640 --> 00:02:52,600
Since these are public repositories they're receiving malware samples from all over the world.

30
00:02:52,700 --> 00:03:00,170
So for example if you want to find a Stagefright sample, just come here and search Stagefright, or do

31
00:03:00,170 --> 00:03:06,780
some research and find the hashes for Stagefright and search here, or you can use tags.

32
00:03:06,950 --> 00:03:16,040
For example, you're researching fake installers, so search tag:fake-installer and you'll find

33
00:03:16,040 --> 00:03:24,710
several samples. So let's have a look at the analysis reports that APKLab generated under the static

34
00:03:24,710 --> 00:03:25,450
analysis.

35
00:03:25,490 --> 00:03:30,160
It gives you some basic information about the application: suspicious permissions.

36
00:03:30,440 --> 00:03:33,320
It tells you that it goes through SMSs on receipt,

37
00:03:36,390 --> 00:03:39,030
creates SMS data,

38
00:03:39,030 --> 00:03:44,760
again related to SMS, queried contacts.

39
00:03:44,830 --> 00:03:50,500
So again here it is telling you to be careful, it's reading your contacts over here.

40
00:03:50,530 --> 00:03:52,300
This was all done automatically.

41
00:03:53,420 --> 00:03:55,280
OK, what else?

42
00:03:55,280 --> 00:03:57,560
URL strings.

43
00:03:57,610 --> 00:04:00,750
This is quite interesting too. OK.

44
00:04:00,760 --> 00:04:06,500
So from the static automated analysis we just saw that it reads SMSs.

45
00:04:06,700 --> 00:04:13,470
It reads contacts and it sends data to postman-echo.

46
00:04:13,490 --> 00:04:18,830
This is all information that we saw in the building a basic Android app section.

47
00:04:18,830 --> 00:04:24,350
But remember, usually as analysts we are not aware of what the developer did.

48
00:04:24,380 --> 00:04:28,590
So we are working blindly and all of this info is valuable.

49
00:04:30,260 --> 00:04:37,120
OK, now let's look at dynamic. So it says that they ran it on Android 6.

50
00:04:37,130 --> 00:04:44,710
Here we have network stats showing where data is being exfiltrated to, so it's interesting to see

51
00:04:44,710 --> 00:04:51,620
if data is coming from or going to a specific country. Network dump.

52
00:04:51,670 --> 00:04:59,370
So we can download it and see more info on the traffic data. Permissions.

53
00:04:59,400 --> 00:05:05,790
Again, here it shows what permissions were requested but, more importantly, which ones were used.

54
00:05:05,790 --> 00:05:07,410
Entry points.

55
00:05:07,500 --> 00:05:12,300
This provides info about the components, together with screenshots.

56
00:05:12,300 --> 00:05:12,670
OK.

57
00:05:12,690 --> 00:05:18,190
This is a lot of information that we got from an automated analysis. For the analyst

58
00:05:18,190 --> 00:05:19,390
this is great.

59
00:05:19,420 --> 00:05:23,050
You upload the app and you have all this info about the app's behavior.

60
00:05:32,250 --> 00:05:37,320
Now, while it doesn't provide a full picture, it does give you good insight on where you should go to

61
00:05:37,320 --> 00:05:38,040
look deeper.

62
00:05:38,910 --> 00:05:45,360
So for example, this here tells you that there is a receiver. If you want to look deeper you can do some

63
00:05:45,360 --> 00:05:48,490
static analysis manually on top of it.

64
00:05:48,780 --> 00:05:56,860
We can use Bytecode Viewer or other tools we saw earlier and dig deeper. So here we saw an automated

65
00:05:56,890 --> 00:06:01,620
online malware sandbox. In an upcoming course that we're preparing,

66
00:06:01,660 --> 00:06:08,200
we'll show you how to set up your own malware sandbox. So you could develop your own Android malware

67
00:06:08,200 --> 00:06:13,460
sandbox but in your own local environment. There are definitely some advantages to this.

68
00:06:13,600 --> 00:06:18,820
If you're testing an application that is targeted at your organization, maybe you don't want to upload

69
00:06:18,820 --> 00:06:22,770
it to a public repository, so you could obtain the same results

70
00:06:22,780 --> 00:06:29,060
but in your contained environment instead. There are also some other advantages.

71
00:06:29,070 --> 00:06:33,810
So for example, here you have no control over the interaction with the sandbox.

72
00:06:34,760 --> 00:06:40,100
Whereas if you set up your own environment you can interact with the malware as the analysis is being

73
00:06:40,100 --> 00:06:47,330
conducted, so you can click buttons, log into websites or apps, run several apps and so on.

74
00:06:48,870 --> 00:06:51,660
This is not always possible with online sandboxes,

75
00:06:51,660 --> 00:06:56,070
since we have no control over the emulator or devices running the analysis.

76
00:06:58,680 --> 00:07:04,890
Another advantage is that you can set up a proxy to intercept HTTPS traffic, which is extremely useful

77
00:07:04,890 --> 00:07:06,910
for network analysis.

78
00:07:06,930 --> 00:07:13,530
You can also perform instrumentation to bypass cert pinning to ensure that you are in fact able to intercept

79
00:07:13,590 --> 00:07:21,270
HTTPS. All of this is more advanced and doesn't really belong in an introductory course like this.

80
00:07:21,430 --> 00:07:26,110
But if you liked this course then you'll definitely find our more advanced one extremely interesting.