This post walks through the analysis of an Android memory dump that was taken while the device was doing something malicious, though what exactly was not known to me beforehand. As I go through the memory I will dig as deep as I can to work out which malicious activities were going on, and how and when they were executed.
Memory Dump – “Will Provide Link”
- A Linux machine (I'll be using my custom pentestOS, based on Linux Mint)
- Volatility with the goldfish (Android emulator kernel) profile configured; the profile has to match the kernel the dump was taken from, or the plugins below return nothing useful
I started by listing the processes in the memory dump:
"vol.py -f memory.dmp --profile=Linuxgoldfish-2_6_29ARM linux_pslist"
Four processes in the list are shells (sh) on the Android phone: PIDs 47, 1255, 1454 and 1461. The last ones, PIDs 1454, 1461 and 1468, ran insmod; they were created while this memory dump was being taken from the phone and can be ignored.
PID 47 belongs to GID 1007 and relates to the media process (d.process.media is how the kernel's 15-character comm field truncates android.process.media), which spawns a shell when the device is connected over Android Debug Bridge, so it also looks like a by-product of taking the dump and can be ignored.
PID 1255 runs as UID/GID 10061. On Android every installed application gets its own UID in the 10000+ range, so a shell running under that UID must have been started by the app that owns it: PID 1185 (org.jtb.httpmon). That makes org.jtb.httpmon the suspect process, so let's analyse it in depth.
Analysing the process with its list of open files (linux_lsof)
"vol.py -f memory.dmp --profile=Linuxgoldfish-2_6_29ARM linux_lsof -p 1185"
The lsof output shows two suspicious jar files: FDs 39 and 40 are "/data/data/org.jtb.httpmon/files/UpdateService.jar" and FDs 41 and 42 are "/data/data/org.jtb.httpmon/files/rathrazdaeizaztaxchj.jar". Both sit in the app's private files directory, and the second has a random-looking name, which is what you would expect from code an app loads at runtime rather than ships inside its APK.
Android updates applications and widgets as whole APKs through the Google Play Store; a legitimate app has no need for an UpdateService.jar of its own to update its services.
So PID 1185 (org.jtb.httpmon), UID/GID 10061, started on 2014-02-25 05:10:56 UTC+0000, and PID 1255 (sh) started under the same UID/GID 92 seconds later, at 2014-02-25 05:12:28 UTC+0000.
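The two checks used above, correlating shells with an app UID in the process list and looking for code files open from the app's private directory, as an added Python example written for this post (it is not part of Volatility or of the original analysis). It parses the text output of linux_pslist and linux_lsof; the column layouts are assumed from Volatility 2 (Offset Name Pid Uid Gid DTB Start Time, and Pid FD Path), and the sample rows are constructed: only the UID and start times of PIDs 1185 and 1255 and the four jar FDs and paths come from this post, everything else (other processes, offsets, DTBs, extra file descriptors) is made up.

```python
"""Triage helpers for Volatility 2 linux_pslist / linux_lsof text output.

Example code added for this post, not part of Volatility or the analysis.
Assumed layouts:  pslist: Offset Name Pid Uid Gid DTB Date Time TZ
                  lsof:   ... FD Path   (only the last two columns are used)
"""
from datetime import datetime

APP_UID_MIN, APP_UID_MAX = 10000, 19999  # Android per-app UID range (AID_APP..AID_APP_END)
SHELL_NAMES = {"sh", "mksh"}             # comm values a shell shows up with
CODE_EXTS = (".jar", ".dex", ".apk", ".zip")

# Constructed sample.  Only the UID and start times of PIDs 1185 and 1255 are
# from the post; every other row, offset and DTB is made up.
SAMPLE_PSLIST = """\
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
0xc06f1a60         init                 1               0               0      0x00001000         2014-02-25 05:09:20 UTC+0000
0xc0712b80         org.jtb.httpmon      1185            10061           10061  0x01b72000         2014-02-25 05:10:56 UTC+0000
0xc0715100         sh                   1255            10061           10061  0x01c10000         2014-02-25 05:12:28 UTC+0000
0xc0719400         sh                   1454            0               0      0x01d00000         2014-02-25 05:14:02 UTC+0000
0xc071a000         insmod               1468            0               0      0x01d28000         2014-02-25 05:14:09 UTC+0000
"""

# Constructed sample.  FDs 39-42 and their paths are from the post; the other
# rows are made up to show what is deliberately *not* flagged.
SAMPLE_LSOF = """\
Pid      FD       Path
-------- -------- ----
1185     7        /system/framework/framework.jar
1185     39       /data/data/org.jtb.httpmon/files/UpdateService.jar
1185     40       /data/data/org.jtb.httpmon/files/UpdateService.jar
1185     41       /data/data/org.jtb.httpmon/files/rathrazdaeizaztaxchj.jar
1185     42       /data/data/org.jtb.httpmon/files/rathrazdaeizaztaxchj.jar
1185     43       /data/data/org.jtb.httpmon/databases/httpmon.db
"""


def parse_pslist(text):
    """Return one dict per process row; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        parts = line.split()
        # offset name pid uid gid dtb date time tz -> exactly 9 tokens
        if len(parts) != 9 or not parts[0].startswith("0x"):
            continue
        _offset, name, pid, uid, gid, _dtb, date, clock, _tz = parts
        procs.append({"name": name, "pid": int(pid), "uid": int(uid), "gid": int(gid),
                      "start": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")})
    return procs


def is_app_uid(uid):
    """True for the UID range Android assigns to installed applications."""
    return APP_UID_MIN <= uid <= APP_UID_MAX


def find_sandbox_shells(pslist_text):
    """Shells running under an app UID, paired with the app process that owns the
    UID and the seconds between the two start times.  Root shells (UID 0) are not
    reported; on this dump they belong to the insmod run used for acquisition.
    Returns [(shell_pid, uid, app_name, app_pid, delta_seconds), ...]."""
    procs = parse_pslist(pslist_text)
    by_uid = {}
    for p in procs:
        by_uid.setdefault(p["uid"], []).append(p)
    hits = []
    for shell in procs:
        if shell["name"] not in SHELL_NAMES or not is_app_uid(shell["uid"]):
            continue
        for app in by_uid[shell["uid"]]:          # non-shell siblings = owning app
            if app["name"] in SHELL_NAMES:
                continue
            delta = int((shell["start"] - app["start"]).total_seconds())
            hits.append((shell["pid"], shell["uid"], app["name"], app["pid"], delta))
    return hits


def find_private_code_files(lsof_text, package, exts=CODE_EXTS):
    """Open files under /data/data/<package>/ whose extension suggests code.
    Heuristic: code an app loads itself at runtime (e.g. via DexClassLoader) has
    to live somewhere the app can write, i.e. its private data directory, while
    framework jars under /system/ are expected and skipped.  Returns [(fd, path)]."""
    prefix = f"/data/data/{package}/"
    found = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[-2].isdigit() or not parts[-1].startswith("/"):
            continue
        fd, path = int(parts[-2]), parts[-1]
        if path.startswith(prefix) and path.endswith(exts):
            found.append((fd, path))
    return sorted(found)


if __name__ == "__main__":
    for pid, uid, app, app_pid, delta in find_sandbox_shells(SAMPLE_PSLIST):
        print(f"sh pid {pid} (uid {uid}) owned by {app} pid {app_pid}, started {delta}s after it")
    for fd, path in find_private_code_files(SAMPLE_LSOF, "org.jtb.httpmon"):
        print(f"fd {fd}: {path}")
```

Run against real output, feed the plugin text straight in (`vol.py ... linux_pslist > pslist.txt`) and pass the package name you are investigating; widen `SHELL_NAMES` or `CODE_EXTS` if the device uses a different shell or the app drops native `.so` files instead of jars.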
I will update this post as the research continues.