1
00:00:08,800 --> 00:00:14,680
So far we have seen how to develop an Android app and how to analyze a potentially malicious Android

2
00:00:14,680 --> 00:00:14,970
app.

3
00:00:16,580 --> 00:00:24,270
In this case we're going to look at an actual malware sample called Simple Locker or Simplocker. So

4
00:00:24,270 --> 00:00:26,520
Simplocker is ransomware.

5
00:00:26,640 --> 00:00:30,630
It is a bit old but it is a very good sample to use in a training course.

6
00:00:32,380 --> 00:00:37,810
I say this because within the analysis we'll be able to extract very useful information that can be

7
00:00:37,810 --> 00:00:43,300
used to decrypt the files that were encrypted by the ransomware.

8
00:00:43,310 --> 00:00:50,960
So what we will do is analyze the ransomware, determine how it encrypts our files and develop a tool

9
00:00:50,990 --> 00:00:55,220
that is able to restore our data by decrypting the files.

10
00:00:55,290 --> 00:00:58,620
In other words we're going to create a Simplocker decryption tool.

11
00:01:01,640 --> 00:01:06,830
Simplocker is an interesting sample because we have all the information needed for decryption within

12
00:01:06,830 --> 00:01:09,500
the source code. OK.

13
00:01:09,510 --> 00:01:14,040
So koodous.com is the online sandbox I mentioned earlier.

14
00:01:14,040 --> 00:01:20,330
It's useful for doing automated malware analysis but more importantly it's a useful resource for APKs.

15
00:01:20,400 --> 00:01:27,720
Once you sign up you'll be able to search for APKs by using search fields like malware family

16
00:01:27,720 --> 00:01:30,350
name and find APKs.

17
00:01:30,550 --> 00:01:40,010
You can search by hash, app name, developer, package name, tag and so on. Tag is quite a useful search functionality.

18
00:01:41,380 --> 00:01:43,480
Koodous has a large research community.

19
00:01:43,630 --> 00:01:48,880
And if someone has tagged Simplocker as simplocker then you should find all the associated

20
00:01:48,880 --> 00:01:56,450
samples through the tag. So here you can see that someone tagged this specific malware,

21
00:01:56,450 --> 00:01:59,750
or rather this specific APK, as simplocker.

22
00:02:00,770 --> 00:02:02,590
And they also tagged it as ransomware.

23
00:02:04,040 --> 00:02:09,560
If we search the tag ransomware we'd probably find a whole bunch of other ransomware samples.

24
00:02:09,560 --> 00:02:16,760
This would be useful if you're doing research on ransomware samples. And here detected means that it

25
00:02:16,760 --> 00:02:23,200
was detected as malware, so let's click on the Simplocker sample.

26
00:02:23,680 --> 00:02:30,690
Here we see that it has an analysis section and here's where the analysis part comes in.

27
00:02:30,710 --> 00:02:35,990
So this is where you can see the hashes and basic APK data.

28
00:02:36,010 --> 00:02:42,850
Here is an automated result of Androguard. We saw Androguard and the possible results it can produce

29
00:02:42,880 --> 00:02:45,100
earlier on.

30
00:02:45,130 --> 00:02:48,820
So for example here it shows there is a main activity.

31
00:02:48,820 --> 00:02:56,130
Here there are two receivers, a few URLs. This here is quite interesting.

32
00:02:56,150 --> 00:02:59,640
We can see that it uses Tor over here.

33
00:02:59,680 --> 00:03:10,530
There are two services, the Tor service again indicating that it probably uses Tor. OK, what else... a few

34
00:03:10,530 --> 00:03:17,350
filters, permissions. Here we can see that it writes to external storage.

35
00:03:17,360 --> 00:03:20,530
So that's quite interesting for us.

36
00:03:20,740 --> 00:03:22,230
What else?

37
00:03:22,480 --> 00:03:24,320
It says that it uses crypto.

38
00:03:24,370 --> 00:03:29,270
This is probably used to encrypt the files. Network.

39
00:03:30,080 --> 00:03:30,460
OK.

40
00:03:30,470 --> 00:03:37,240
There are some network communications. We can resolve these and try to identify the URLs if necessary.

41
00:03:39,520 --> 00:03:40,780
DroidBox.

42
00:03:40,780 --> 00:03:43,560
This is a malware dynamic analysis tool.

43
00:03:43,570 --> 00:03:45,440
The thing is, it's a bit of an old tool.

44
00:03:45,460 --> 00:03:51,080
So that's one of the reasons why we didn't show you DroidBox. Here it seems

45
00:03:51,080 --> 00:03:53,120
they ran it against DroidBox.

46
00:03:53,300 --> 00:04:04,200
We can see that there are a few file writes, file reads, service started, DEX calls, so there is dynamic

47
00:04:04,200 --> 00:04:06,360
code loading.

48
00:04:06,430 --> 00:04:13,690
So yes, there's a lot of information we can obtain from here, from an automated analysis report. However

49
00:04:13,690 --> 00:04:17,070
we won't just be relying on this information.

50
00:04:17,370 --> 00:04:24,690
We'll be going deeper using the analysis tools that we demonstrated earlier on. First we'll run the malware

51
00:04:24,690 --> 00:04:27,970
in our emulator and we'll see what the impact is.

52
00:04:27,990 --> 00:04:34,760
So here we'll confirm that it's actually encrypting our files, then we'll analyze the sample and hopefully

53
00:04:34,790 --> 00:04:39,800
we'll be able to extract the code or the information that would help us to decrypt the files that are

54
00:04:39,800 --> 00:04:43,280
being encrypted. Finally,

55
00:04:43,290 --> 00:04:48,030
we'll try to decrypt the files on the emulator to show that our decryptor tool worked.