Add markdown wiki with 473 pages and zk browser

Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
tobias
2026-03-28 19:50:36 +01:00
parent b13db23a5e
commit e62a14dafc
478 changed files with 7683 additions and 5 deletions
@@ -0,0 +1,65 @@
# Android Malware Analysis
> Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.
## Steps
### Step 1: APK Triage
**Tools:** [[tools/file|file]], [[tools/apkid|apkid]]
Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques.
```bash
file specimen.exe
```
### Step 2: Manifest Analysis
**Tools:** [[tools/apktool|apktool]]
Decompile APK: apktool d <apk> -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters.
```bash
apktool d <app.apk> -o output/
```
### Step 3: Source Code Recovery
**Tools:** [[tools/jadx|jadx]]
Decompile DEX to Java: jadx <apk> -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks.
```bash
jadx <app.apk> -d output/
```
### Step 4: Static Analysis
**Tools:** [[tools/androguard|androguard]], [[tools/droidlysis|droidlysis]]
androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage.
```bash
androguard analyze <app.apk>
```
### Step 5: Native Library Analysis
**Tools:** [[tools/strings|strings]], [[tools/radare2|radare2]]
If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto.
```bash
strings binary.exe
r2 specimen.exe
```
### Step 6: Dynamic Instrumentation
**Tools:** [[tools/frida|frida]]
Hook suspicious functions at runtime: frida -U -l hook.js <package>. Intercept: crypto operations, network calls, file access, SMS operations.
```bash
frida -l hook.js <process_name>
```
### Step 7: Document Findings
Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location).
#android #apk #mobile #frida #jadx #apktool #workflow
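Review bot: the command blocks in Step 1, Step 5 and Step 6 contradict the prose directly above them and look like leftovers from a PE-oriented template. Step 1 lists apkid as a tool but only runs `file specimen.exe` against an APK; Step 5 says to analyze `.so` libraries extracted from `lib/` yet runs `strings binary.exe` and `r2 specimen.exe`; Step 6 describes `frida -U -l hook.js <package>` but the block omits `-U` and targets `<process_name>`. Suggest `file app.apk` followed by `apkid app.apk` in Step 1, pointing strings/r2 at a library under `lib/` in Step 5, and `frida -U -l hook.js <package>` in Step 6 so each block matches its own step's text; since the pages are generated from a master inventory, the placeholder-name mapping there is probably the place to fix it.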