1
00:00:00,360 --> 00:00:07,470
As a prerequisite for malware analysis for Android, we need APK files, obviously, from where you

2
00:00:07,470 --> 00:00:08,730
can get those files.

3
00:00:09,120 --> 00:00:10,890
Well, there are two sources.

4
00:00:11,580 --> 00:00:18,450
You have the Internet, which is full of repositories for known malicious applications, such as GitHub.

5
00:00:18,840 --> 00:00:22,830
We have some trusted Web sites like Hybrid Analysis or VirusTotal.

6
00:00:23,130 --> 00:00:32,230
And you can as well download APK files directly from redistribution Web sites such as APKPure, APK

7
00:00:32,250 --> 00:00:33,930
Combo or APKMirror.

8
00:00:34,380 --> 00:00:40,660
Supposedly the applications there are safe, but to be honest, I don't trust those Web sites.

9
00:00:40,740 --> 00:00:46,770
If I want to download an application, I go directly to the Google store. The other source:

10
00:00:46,830 --> 00:00:53,700
if you have an application that is already installed on your mobile, you want to check for possible

11
00:00:53,700 --> 00:00:55,860
malware or malicious code.

12
00:00:56,310 --> 00:01:02,010
You want to check for possible malicious code or data exfiltration that this application is performing.

13
00:01:02,790 --> 00:01:07,910
You can install tools that will help you extract the application into an APK format.

14
00:01:08,520 --> 00:01:11,340
Then you can download it to your lab machine.

15
00:01:11,730 --> 00:01:17,670
Some of these applications are APK Extractor, ES File Explorer, Android and many others.

16
00:01:18,030 --> 00:01:20,280
And in this course,

17
00:01:20,490 --> 00:01:22,860
I'll be demonstrating this approach using Android.

18
00:01:23,190 --> 00:01:27,870
So let's go check what's available there on the Internet in our Kali box.

19
00:01:28,770 --> 00:01:32,190
Open Firefox and go to hybrid-analysis.com.

20
00:01:32,820 --> 00:01:40,260
It's a trusted Web site that you need to sign in to using your commercial or corporate email address.

21
00:01:40,650 --> 00:01:44,160
After that, you'll be able to search for malware.

22
00:01:44,790 --> 00:01:46,560
You can go to the file collection.

23
00:01:49,070 --> 00:01:56,120
And then under the user here, go to advanced search; here we can specify the file type.

24
00:01:56,390 --> 00:01:58,520
We're interested in Android applications.

25
00:01:58,910 --> 00:02:02,620
Suppose that you want to search for a forged WhatsApp application.

26
00:02:04,340 --> 00:02:06,110
So you just type "WhatsApp" here.

27
00:02:06,500 --> 00:02:08,240
And then just search.

28
00:02:10,080 --> 00:02:10,770
Here we go.

29
00:02:10,950 --> 00:02:18,780
You have a list of forged WhatsApp applications that you can install in an APK format to use for your

30
00:02:18,960 --> 00:02:19,770
analysis.

31
00:02:20,670 --> 00:02:24,960
Some of the known repositories on GitHub, such as this one here.

32
00:02:25,320 --> 00:02:33,540
I'll be sharing the link in the course: different malicious Android applications that you can download

33
00:02:33,570 --> 00:02:34,620
and start using.

34
00:02:35,820 --> 00:02:40,020
This is another one that has recent ones for the year 2020.

35
00:02:40,500 --> 00:02:43,680
And as you can see, they are all in zipped format.

36
00:02:43,950 --> 00:02:47,310
Again, this malware is real and live.

37
00:02:49,000 --> 00:02:55,330
If you scroll down, you will see the SHA hash for all of these applications.

38
00:02:55,690 --> 00:02:58,780
Some of these applications have the MD5 hash as well.

39
00:03:00,490 --> 00:03:06,580
All of these zip files here are protected with a password, which is "infected".

40
00:03:07,150 --> 00:03:10,340
Suppose that you want to test.

41
00:03:11,080 --> 00:03:12,940
Let's see this malware application here.

42
00:03:13,420 --> 00:03:14,710
Let's copy that

43
00:03:14,770 --> 00:03:17,320
MD5 hash and go to virustotal.com.

44
00:03:17,320 --> 00:03:19,180
VirusTotal

45
00:03:19,180 --> 00:03:22,660
is another Web site where you can search for a

46
00:03:22,890 --> 00:03:26,110
URL, IP address, domain or file hash.

47
00:03:26,500 --> 00:03:29,140
So let's paste our file hash here.

48
00:03:31,060 --> 00:03:32,230
Initiate the search.

49
00:03:33,580 --> 00:03:41,050
As you can see, the results here will tell you that 19 out of 62 anti-malware engines detected this

50
00:03:41,050 --> 00:03:42,400
file as malicious.

51
00:03:42,670 --> 00:03:50,290
You can see all the details here of the vendors, as well as the category

52
00:03:50,290 --> 00:03:51,190
of the malware.

53
00:03:51,460 --> 00:03:53,830
It was detected as an APK file

54
00:03:54,070 --> 00:03:55,280
18 days ago.

55
00:03:55,610 --> 00:03:57,370
Size. You can as well find

56
00:03:59,690 --> 00:04:08,240
more details on the hash. Under the details tab, you will find more details

57
00:04:08,240 --> 00:04:10,760
related to the hash, the history,

58
00:04:21,800 --> 00:04:30,150
the permissions required by the application, the activities, services, receivers, et cetera.

59
00:04:30,180 --> 00:04:35,400
So, as you can see, VirusTotal is a very handy tool when it comes to malware

60
00:04:35,850 --> 00:04:36,420
search.