Analysing Android memory Dump

This post is about analysing an Android memory dump taken while the device was doing something malicious that was not known to me. As I go through the memory I'll try to go as deep as I can to figure out what malicious activities were going on and how and when they were executed.

Memory Dump – “Will Provide Link”

Prerequisites:

  • Linux Machine (I’ll be using my custom pentestOS linuxmint)
  • Volatility with goldfish profile configured

Analysing Memory:

I started the analysis by dumping the list of processes from the memory dump.

vol.py -f memory.dmp --profile=Linuxgoldfish-2_6_29ARM linux_pslist

[Screenshots of the linux_pslist output; pslist-output.txt link inactive]

The processes with PIDs 47, 1255, 1454 and 1461 executed shells on the Android phone. The last ones, PIDs 1454, 1461 and 1468, executed insmod and can be ignored: they were created while taking this memory dump from the phone for the investigation.

PID 47 belongs to GID 1007 and relates to the media process (d.process.media), which runs a shell when the device is connected over Android Debug Bridge, so this process looks like part of creating the dump and can be ignored.

PID 1255 belongs to GID 10061, which also owns PID 1185 (org.jtb.httpmon), the suspected process; let's proceed with an in-depth analysis of this process.

Analysing the process using its list of open files (lsof)

vol.py -f memory.dmp --profile=Linuxgoldfish-2_6_29ARM linux_lsof -p 1185

[Screenshots of the linux_lsof output; lsof-output.txt link inactive]

The lsof listing shows two suspicious jar files: FDs 39 and 40 are "/data/data/org.jtb.httpmon/files/UpdateService.jar" and FDs 41 and 42 are "/data/data/org.jtb.httpmon/files/rathrazdaeizaztaxchj.jar".
Android updates applications and widgets through the Google Play Store; an app does not need its own UpdateService.jar to update its services.

So process PID 1185 (org.jtb.httpmon) with GID/UID 10061 was started on 2014-02-25 05:10:56 UTC+0000, and it launched PID 1255 (sh) under the same GID/UID about 2 minutes later, at 2014-02-25 05:12:28 UTC+0000.
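The pslist reasoning above (a shell running under an application's UID, tied back to the app that owns that UID, and the gap between the two start times) can be automated over the linux_pslist text output. The script below is an added example and not part of the original post or of Volatility; the sample listing is constructed in the shape of Volatility 2 linux_pslist output, with the PIDs, names, UID 10061 and start times taken from the post and all other offsets, PPids, UIDs and DTBs being placeholder values.

```python
"""Triage helper for Volatility 2 linux_pslist output: flag shells running under an
Android application UID and tie them back to the app process that owns the UID."""
from datetime import datetime

# Android assigns installed apps UIDs from 10000 upwards; system daemons sit below that.
APP_UID_MIN = 10000
SHELL_NAMES = {"sh", "bash", "mksh"}
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC%z"

# Constructed sample in the shape of linux_pslist output (see lead-in for provenance).
PSLIST = """\
Offset     Name                 Pid   PPid  Uid    Gid    DTB        Start Time
---------- -------------------- ----- ----- ------ ------ ---------- ----------
0xc1000000 init                 1     0     0      0      0x00000000 2014-02-25 05:09:00 UTC+0000
0xc1000001 d.process.media      44    1     1007   1007   0x00000000 2014-02-25 05:09:30 UTC+0000
0xc1000002 sh                   47    44    1007   1007   0x00000000 2014-02-25 05:09:40 UTC+0000
0xc1000003 org.jtb.httpmon      1185  1     10061  10061  0x00000000 2014-02-25 05:10:56 UTC+0000
0xc1000004 sh                   1255  1185  10061  10061  0x00000000 2014-02-25 05:12:28 UTC+0000
0xc1000005 sh                   1454  1     0      0      0x00000000 2014-02-25 05:20:00 UTC+0000
0xc1000006 insmod               1468  1454  0      0      0x00000000 2014-02-25 05:20:05 UTC+0000
"""

def parse_pslist(text):
    """Yield (name, pid, ppid, uid, gid, start) per process row, skipping header rows."""
    for line in text.splitlines():
        fields = line.split(None, 7)  # the start time itself contains spaces
        if len(fields) < 8 or not fields[0].startswith("0x"):
            continue
        _, name, pid, ppid, uid, gid, _, start = fields
        yield name, int(pid), int(ppid), int(uid), int(gid), datetime.strptime(start, TIME_FMT)

def find_app_shells(text):
    """Return (shell_pid, app_name, app_pid, seconds_after_app_start) for every shell
    that runs under an app UID; shells under system or root UIDs are left alone."""
    procs = list(parse_pslist(text))
    hits = []
    for name, pid, _, uid, _, start in procs:
        if name not in SHELL_NAMES or uid < APP_UID_MIN:
            continue
        # The app owning the UID is the earliest non-shell process started with that UID.
        owners = sorted((p for p in procs if p[3] == uid and p[0] not in SHELL_NAMES),
                        key=lambda p: p[5])
        if owners:
            app = owners[0]
            hits.append((pid, app[0], app[1], int((start - app[5]).total_seconds())))
    return hits

if __name__ == "__main__":
    for shell_pid, app, app_pid, delta in find_app_shells(PSLIST):
        print(f"sh pid {shell_pid} runs as app {app} (pid {app_pid}), {delta}s after it started")
```

On the sample listing only PID 1255 is reported, 92 seconds after org.jtb.httpmon started; the root shells from the insmod step and the ADB-related shell under a system GID are filtered out by the UID threshold.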


_________________________________________________________________________________
Further research will be posted as updates.
