Comments on contagio mobile: Collection of 96 mobile malware samples for Kmin, Basebridge, Geinimi, Root exploits, and PJApps
Blog author: Mila (http://www.blogger.com/profile/09472209631979859691)

----------------------------------------------------------------------
Comment by Anonymous, 2011-10-27 05:23 (-07:00)
----------------------------------------------------------------------

I *did* follow the link to Androguard - but I am no wiser because of it.

So, there is this tool called Androguard, written in some difficult to understand language (Python?), which claims to have all kinds of magical "features", none of which is explained adequately. In addition, the few "signatures" listed on that site bear no resemblance to the "memory dump" above.

In fact, I have trouble even differentiating between the different entries in the "memory dump". For instance, is the first entry this:

GingerMaster (0 and 1)
 ---> METHSIM L:0 I:0 N:0 J:2 1045 [4.9593749046325684, 4.3729357719421387, 4.7183656692504883, 4.4228439331054688, 3.9754178524017334]
 ---> METHSIM L:0 I:1 N:1 J:2 1341 [4.9452362060546875, 4.7812762260437012, 4.7661762237548828, 4.5302424430847168, 3.9754178524017334]

How does this relate to the "gingermaster signature" listed on the Androguard site as

[ { "SAMPLE" : "apks/malwares/gingermaster/35bda16e09b2e789602f07c08e0ba2c45393a62c6e52aa081b5b45e2e766edcb" }, { "BASE" : "AndroidOS", "NAME" : "GingerMaster", "SIGNATURE" : [ { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "l", "D" : "()Lcom/igamepower/appmaster/aq;" }, { "TYPE" : "METHSIM", "CN" : "Lcom/igamepower/appmaster/GameService;", "MN" : "m", "D" : "()V" } ], "BF" : "0 and 1" } ]

and what the blazes do both *mean*?

Not to mention that GingerMaster is an exploit, not a particular piece of malware, and if you base malware classification on a "signature" extracted from the original proof-of-concept exploit app, you'll end up classifying in this "family" every single malware that uses the same exploit. In fact, I suspect that this is exactly what you are doing with several things classified as "Ozotshielder" - which I have no idea what it is, but the name implies that it might be some kind of code obfuscator.

Or is the whole beginning of the "memory dump", until the first empty line, some kind of debug output, and the first "real" classification line this:

B5444E6C3C8376F7D2ECCB974F31C7C3 : loading apk.. loading dex.. M S C:23 CC:11 CMP:9 EL:479 C:0 CC:0 CMP:0 EL:0 ----> Ozotshielder [[33, 0.24361948668956757]]

And how is AECB7C76CB497401BE48459FF944F5FE an "invalid APK"? It seems perfectly valid to me - a ZIP file containing classes.dex with valid checksums and so on.

...

OK, assuming the stuff before the first empty line is some debug output that is meaningless to me, I wrote a small script that stripped all the garbage from the "memory dump" and left only the MD5 of the sample and the name of the malware it was classified as, ending up with the following:

33 samples classified as "Ozotshielder"
7 samples classified as "Ozotshielder.C"
25 samples classified as "Geinimi"
2 samples classified as "Hongtoutou"
2 samples classified as "DroidDream"
2 samples classified as "RageagainstTheCage"
4 samples classified as "Pjapps"
10 samples classified as "Pjapps.B"
2 samples classified as "Pjapps.C"
2 samples classified as "YZHCSMS.B"
6 samples not classified as anything

In which case I am still left wondering how this classification is "better". It differs from Mila's only in the family names (Ozotshielder -> Kmin, Hongtoutou -> Adrd, RageagainstTheCage -> Root Exploit), plus it doesn't classify as anything a few samples that Mila does.

----------------------------------------------------------------------
Comment by Anonymous (https://www.blogger.com/profile/13774661631687864953), 2011-10-27 03:59 (-07:00)
----------------------------------------------------------------------

Hi,

You have the malware and the detected signature (full debug) in the database.

Follow the link in the post to find more information about the signature.

----------------------------------------------------------------------
Comment by Anonymous, 2011-10-26 09:17 (-07:00)
----------------------------------------------------------------------

Ahem, could you please provide some insight into Anthony Desnos' classification and why it is "better"? It looks more like a memory dump to me than like something sensible...