1 00:00:00,210 --> 00:00:06,630 Remember the video where we created an APK payload in MSFvenom?
2 00:00:07,170 --> 00:00:13,410 Well, you can do the same by injecting a legit app with this payload.
3 00:00:13,620 --> 00:00:20,560 So as you can see here, this is the command we used to inject a legit application here.
4 00:00:20,580 --> 00:00:22,780 The application is crm.apk.
5 00:00:23,520 --> 00:00:26,430 It is the same command I've used earlier.
6 00:00:26,490 --> 00:00:29,070 This has to have a hyphen here for that.
7 00:00:30,600 --> 00:00:39,210 So msfvenom, you're injecting this crm.apk with the reverse TCP Android payload.
8 00:00:39,810 --> 00:00:42,690 And here you have to put your IP and port number.
9 00:00:43,740 --> 00:00:50,430 And this is the output, so you can do the same for any APK you can extract from your phone, you download
10 00:00:50,440 --> 00:00:57,120 from the Internet, you download from APKMirror, etc., even for the famous ones like WhatsApp
11 00:00:57,150 --> 00:00:57,870 and Facebook.
12 00:00:58,320 --> 00:00:59,690 So we just run it here.
13 00:00:59,790 --> 00:01:02,820 You inject it with the payload and there you go.
14 00:01:03,060 --> 00:01:06,240 Now I want to tell you about a mobile framework.
15 00:01:06,330 --> 00:01:08,180 I'll be showcasing it now.
16 00:01:08,670 --> 00:01:12,810 It's called Mobile Security Framework, MobSF.
17 00:01:12,840 --> 00:01:14,580 You can find it here on GitHub.
18 00:01:15,210 --> 00:01:21,090 I'll share the steps because it's already installed on my machine here. To install it, you just have to copy
19 00:01:21,090 --> 00:01:21,480 paste
20 00:01:21,510 --> 00:01:25,390 these commands: first install python3,
21 00:01:25,410 --> 00:01:27,450 then -venv.
22 00:01:27,900 --> 00:01:31,110 Then you clone it from the repository on GitHub.
23 00:01:31,680 --> 00:01:34,260 Then, let me go here with you now.
24 00:01:34,770 --> 00:01:36,570 So I'll open the terminal.
25 00:01:37,010 --> 00:01:37,770 I'll go.
26 00:01:38,200 --> 00:01:43,110 ls. I'll cd to the Mobile-Security-Framework.
27 00:01:43,650 --> 00:01:46,190 I'll do ls again. To run it for the first time,
28 00:01:46,200 --> 00:01:52,830 you just have to do ./setup.sh, but that's already there.
29 00:01:52,980 --> 00:01:55,890 I'll do ./run.sh instead.
30 00:01:56,220 --> 00:02:04,410 So once you run it... let me do that again, because I'm the kali user, not root.
31 00:02:07,440 --> 00:02:13,880 So once you do that, the service will start and it will be accessible on localhost
32 00:02:14,430 --> 00:02:17,670 8000. Just copy that.
33 00:02:17,730 --> 00:02:22,400 Go to your browser and just paste your URL.
34 00:02:23,790 --> 00:02:24,510 And here we go.
35 00:02:24,540 --> 00:02:25,970 This is the main interface.
36 00:02:26,100 --> 00:02:29,990 Now you can upload any APK you want to analyze.
37 00:02:30,030 --> 00:02:35,440 For example, you have two APK versions, before the payload and after the payload, anything.
38 00:02:35,880 --> 00:02:42,000 So we will just upload an APK here, the one that we have created earlier, jarsigned with
39 00:02:42,110 --> 00:02:42,410 the key.
40 00:02:43,050 --> 00:02:46,500 And let's see the result of such analysis.
41 00:02:47,220 --> 00:02:48,510 It came very fast.
42 00:02:48,690 --> 00:02:55,140 So it will tell us here an overview of the application: one activity, one service, or receiver.
43 00:02:55,740 --> 00:02:57,030 Let's go down a bit.
44 00:02:59,160 --> 00:03:01,650 It will tell us the application is signed.
45 00:03:01,740 --> 00:03:04,050 These are the details of the signature.
46 00:03:04,740 --> 00:03:08,670 If you go down, here comes the important information.
47 00:03:08,700 --> 00:03:10,630 This is the AndroidManifest
48 00:03:10,870 --> 00:03:11,670 .xml file.
49 00:03:12,120 --> 00:03:15,090 It will automatically highlight the dangerous permissions.
50 00:03:15,540 --> 00:03:18,090 So you're doing static malware analysis,
51 00:03:18,120 --> 00:03:23,630 but with the help of a tool here, the dangerous permissions are highlighted in red.
52 00:03:23,730 --> 00:03:27,630 And there is a description and explanation next to it. Going down,
53 00:03:29,400 --> 00:03:34,890 it will tell you as well some analysis of the structure of the application.
54 00:03:34,920 --> 00:03:41,070 So the HTTPS connections are found in this Java file here.
55 00:03:41,490 --> 00:03:47,700 So this Java file, it will give you a guideline on how to do the static malware analysis.
56 00:03:48,300 --> 00:03:54,540 It's very helpful. The sockets as well can be found in this file, and so forth.
57 00:03:54,690 --> 00:04:01,540 This is a very important piece of information for our static analysis. Going down here,
58 00:04:01,580 --> 00:04:04,650 it will highlight the issues.
59 00:04:04,710 --> 00:04:08,460 For example, we have a broadcast receiver issue and a service issue.
60 00:04:08,880 --> 00:04:16,730 These are shared between this application and the others, and the severity is high. Going down as well,
61 00:04:16,740 --> 00:04:22,620 it will highlight other issues related to the hashing or the encryption being used.
62 00:04:23,280 --> 00:04:24,720 It's weak hashing.
63 00:04:25,680 --> 00:04:28,530 Here it is: the app uses insecure random number generation.
64 00:04:28,590 --> 00:04:34,960 So again, it's a very important tool that will give you all this important information.
65 00:04:34,980 --> 00:04:38,430 You can take it further by doing your own analysis.
66 00:04:38,470 --> 00:04:46,800 So if the, I think, let me see here as well, if the application is using SQLite, it will tell you
67 00:04:46,800 --> 00:04:50,280 all the information on that aspect here.
68 00:04:51,150 --> 00:04:55,530 So you can upload the malicious APK or the APK
69 00:04:55,530 --> 00:04:58,590 in question to VirusTotal, for example,
70 00:04:58,690 --> 00:04:59,820 to do the analysis.
71 00:05:00,150 --> 00:05:03,930 But this tool will go one step further to perform that.
72 00:05:04,560 --> 00:05:08,640 Keep in mind here that this tool can be downloaded as a Docker version.
73 00:05:09,060 --> 00:05:14,610 The Docker version only has static analysis and not dynamic analysis.
74 00:05:14,940 --> 00:05:17,160 So feel free to play around with the tool.
75 00:05:17,280 --> 00:05:25,330 It's really helpful and it will give you much more insight into what's going on in an application.