f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
69 lines
2.3 KiB
Plaintext
============================================================
Android Malware Analysis
============================================================

Analyze suspicious Android APK files using static and dynamic techniques available in REMnux.

────────────────────────────────────────────────────────────

Step 1: APK Triage
Tools: file, apkid
Verify file type and check for packers/obfuscators.
An APK is a Zip archive, so file should report a Zip
archive (recent versions label it "Android package
(APK)"); anything else means the sample is not yet an
APK (wrapper, encoding, or a different format).
APKiD detects: known packers and protectors (e.g.
Bangcle, DexGuard), obfuscators, anti-debug and
anti-VM techniques.

$ file specimen.apk
$ apkid specimen.apk

Step 2: Manifest Analysis
Tools: apktool
Decode the APK: apktool d <app.apk> -o output/ (this
yields resources and smali, not Java; a plain unzip
leaves the manifest as unreadable binary AXML).
Examine output/AndroidManifest.xml for: excessive
permissions, receivers, services, exported
components, intent filters. A component with an
intent-filter and no explicit android:exported="false"
is reachable by any app on the device.

$ apktool d <app.apk> -o output/

Step 3: Source Code Recovery
Tools: jadx
Decompile DEX to Java: jadx <app.apk> -d jadx_out/
(use a directory separate from apktool's output/ so
the two trees do not overwrite each other). Review
source code for: C2 URLs, crypto operations, SMS
interception, data exfiltration, root checks.

$ jadx <app.apk> -d jadx_out/

Step 4: Static Analysis
Tools: androguard, droidlysis
androguard: analyze APK structure, permissions,
activities. androguard analyze <app.apk> opens an
IPython session with the APK, DEX and analysis objects
preloaded as a, d and dx. droidlysis: automated static
analysis with IOC extraction. Check for: hardcoded
keys, URLs, suspicious API usage.

$ androguard analyze <app.apk>
$ droidlysis --input <app.apk> --output droidlysis_out/

Step 5: Native Library Analysis
Tools: strings, radare2
If the APK contains .so libraries they sit under
lib/<abi>/ (apktool already copied them to output/lib/;
unzip <app.apk> 'lib/*' works too). Analyze with strings
and radare2. Native code often hides C2 logic and
crypto, and Android packers use it to decrypt the real
DEX at runtime, so check every ABI directory, not
just one.

$ strings -n 6 output/lib/<abi>/<name>.so
$ r2 -A output/lib/<abi>/<name>.so

Step 6: Dynamic Instrumentation
Tools: frida
Hook suspicious functions at runtime: frida -U -l
hook.js -f <package>. -U targets the USB-attached
device or emulator; -f spawns the package so the hooks
are in place before the app's own initialisation runs
(attaching to an already running process by name
misses early anti-analysis checks). Intercept: crypto
operations, network calls, file access, SMS
operations.

$ frida -U -l hook.js -f <package>

Step 7: Document Findings
Record: package name, permissions abused, C2
infrastructure, data exfiltrated, persistence
mechanism, targeted user data (SMS, contacts,
location).

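The static half of the workflow (Steps 2 to 5) can be scripted over the artifacts
apktool and jadx leave behind, which makes re-running it on the next sample cheap.
The helper below is an added example, not part of REMnux or of the FOR610 material:
it parses an apktool-decoded AndroidManifest.xml for dangerous permissions and
exported components, greps jadx output and native-library strings for URLs, IPs,
hex key literals and tell-tale API calls, and pulls lib/<abi>/*.so straight out of
the APK zip. The manifest, Java snippet, package name com.example.update and the
TEST-NET address 198.51.100.23 are all constructed for the demo; the permission and
API watch-lists are the author's starting points, not an exhaustive catalogue.

```python
#!/usr/bin/env python3
"""Static APK triage over apktool/jadx output and the raw APK (added example, not
REMnux or FOR610 code). Stdlib only, so it runs on a bare REMnux box. All sample
inputs are constructed for the demo: hypothetical package, TEST-NET addresses."""
import json
import re
import zipfile
from io import BytesIO
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # the android: attribute namespace
# Permissions worth a second look in a suspected SMS stealer or banker; a hit is a lead, not a verdict.
DANGEROUS_PERMS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED", "android.permission.BIND_ACCESSIBILITY_SERVICE",
}
# Source-level tells to look for in decompiled Java (plain substring match).
SUSPICIOUS_APIS = {
    "SmsManager": "sends SMS (premium fraud / OTP relay)",
    "DexClassLoader": "loads code at runtime (dropper / packer stub)",
    "Cipher.getInstance": "crypto; look for a hardcoded key nearby",
    "/system/xbin/su": "root check",
}
URL_RE = re.compile(r"\b[a-z]{2,5}://[\w.\-]+(?::\d+)?(?:/[\w.\-/%?=&]*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEXKEY_RE = re.compile(r'"([0-9a-fA-F]{32}|[0-9a-fA-F]{64})"')  # 16/32-byte keys as hex literals

def analyze_manifest(xml_text):
    """Package name, requested permissions and components reachable from other apps."""
    root = ET.fromstring(xml_text)
    perms = sorted(p.get(A + "name", "") for p in root.iter("uses-permission"))
    app, exported = root.find("application"), []
    for comp in (app if app is not None else []):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        exp = comp.get(A + "exported")
        # Android rule: a component with an <intent-filter> is exported unless android:exported="false"
        # is explicit. API 31+ forces the attribute, but malware targets older SDKs where this still applies.
        if exp == "true" or (exp is None and comp.find("intent-filter") is not None):
            actions = [a.get(A + "name") for a in comp.iter("action")]
            exported.append((comp.tag, comp.get(A + "name"), actions))
    return {"package": root.get("package"), "permissions": perms,
            "dangerous": sorted(p for p in perms if p in DANGEROUS_PERMS), "exported": exported}

def extract_iocs(text):
    """URLs, IPs, hex key literals and suspicious API use from Java or strings output."""
    return {"urls": sorted(set(URL_RE.findall(text))),
            "ips": sorted(set(IPV4_RE.findall(text))),
            "hex_keys": sorted(set(HEXKEY_RE.findall(text))),
            "apis": {k: v for k, v in SUSPICIOUS_APIS.items() if k in text}}

def strings(data, min_len=4):
    """Printable-ASCII runs, the same thing `strings -n 4` prints for a .so."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def native_libs(apk_bytes):
    """An APK is a zip; native code lives under lib/<abi>/*.so."""
    with zipfile.ZipFile(BytesIO(apk_bytes)) as z:
        return {n: z.read(n) for n in z.namelist() if n.startswith("lib/") and n.endswith(".so")}

def triage(apk_bytes, manifest_xml, java_source):
    """Run the static part of the workflow and return one report dict."""
    report = {"manifest": analyze_manifest(manifest_xml), "source": extract_iocs(java_source), "native": {}}
    for name, data in native_libs(apk_bytes).items():
        report["native"][name] = extract_iocs("\n".join(strings(data)))  # same IOC pass as Step 5
    return report

# ---- constructed sample inputs, in the shape apktool and jadx emit ----
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="System Update">
    <activity android:name=".MainActivity"><intent-filter>
      <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
    <receiver android:name=".SmsReceiver"><intent-filter android:priority="999">
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <service android:name=".C2Service" android:exported="false"/>
  </application></manifest>"""
SAMPLE_SOURCE = """public class C2Service extends Service {
    static final String GATE = "http://198.51.100.23:8080/gate.php";
    static final String KEY = "00112233445566778899aabbccddeeff";
    void relay(String body) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        SmsManager.getDefault().sendTextMessage("+15555550100", null, body, null, null);
    }
    boolean rooted() { return new java.io.File("/system/xbin/su").exists(); }
}"""
def build_sample_apk():
    """Minimal zip with one fake .so so native_libs()/strings() have input."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("lib/arm64-v8a/libnative.so",
                   b"\x7fELF\x02\x01\x01" + b"\x00" * 25 + b"tcp://198.51.100.23:4444\x00\x01\x02")
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage(build_sample_apk(), SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

On a real sample, feed triage() the bytes of the APK, the text of
output/AndroidManifest.xml from apktool, and the concatenated .java files from the
jadx directory; the same extract_iocs() pass then runs over every .so the APK
ships. The exported-component rule is the point to remember from Step 2: the
manifest in the sample never says exported="true" for .SmsReceiver, yet its
intent-filter makes it reachable by any app, which is exactly how SMS stealers
grab messages before the default messaging app sees them.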
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
     'Ctrl+G' for interactive cheatsheet browser