ARTDroid: an easy-to-use framework for hooking under ART

02 Feb 2016 Cong Zheng android art dynamic-analysis gsoc hook malware
During Google Summer of Code 2015, in the Honeynet Project open-source org, Valerio Costamagna and Cong Zheng (mentor) worked on ARTDroid, an easy-to-use framework for hooking virtual methods under the latest Android runtime (ART). Introduction: We propose ARTDroid, a framework which allows Android apps to be analyzed without modifications to either the Android framework or the apps. The core technology is library injection and virtual-method hooking by vtable tampering after obtaining root privilege.

Is Android malware served in theatres more sophisticated?

09 Jan 2014 Felix Leder android apk decompilation malware reverse-engineering sandbox-evasion thug
Pietro wrote a nice post about finding Android malware while visiting the theatre. Thanks to Thug (thank you Angelo) and HoneyProxy, he was able to get some interesting details about their infrastructure. I was curious what kind of malware you find in a theatre, so I quickly looked at one of the samples that he mentioned: f6ad9ced69913916038f5bb94433848d. VirusTotal already provides some nice information for Android. The SEND_SMS permission already gives a solid hint that this application is probably sending to premium numbers.

Malware-serving theaters for your android phones - Part 1

07 Jan 2014 Pietro Delsante android apk exploit malware thug
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall the address very well, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site urging me to update my Flash Player.

Unveiling Dorothy2: a malware/botnet analysis framework written in Ruby.

09 Jun 2013 Marco Riccardi botnet dorothy malware sandbox
Howdy all, I have the pleasure to *finally* unveil the second version of Dorothy: a malware/botnet analysis framework written in Ruby. Dorothy2 is a framework created for mass malware analysis. Currently, it is mainly based on analyzing the network behavior of a virtual machine where a suspicious executable was executed. However, static binary analysis and system behavior analysis will shortly be introduced in further versions. Dorothy is a multi-threaded framework: it is able to execute as many concurrent analysis processes as there are VMs present in vSphere.

Interesting Reads: Monday 25th June

25 Jun 2012 Matt Erasmus interesting malware monday news reading twitter
Another Monday has been and gone (on this side of the world at least). I thought I’d sit down again and share some of the interestingness (yes, that’s a word now) that came through my various news feeds over the course of the weekend. I’m hoping this week will be a little less malware focused, but I can’t make any promises. news.source == “twitter” @mboman: New blog post: MART - Malware Analyst Research Toolkit: Cuckoo Sandbox:

Interesting Reads: Monday 18th June

18 Jun 2012 Matt Erasmus interesting malware monday news reading
Good evening/morning folks. It’s been fairly busy here at HNP HQ for a number of reasons. That said, there were a number of interesting articles over the weekend I thought I’d highlight here for your reading pleasure. This week seems to be a week of malware so we will stick with that theme. STORIES ABOUT BOTNETS - PART 1 Malware Hunting with the Sysinternals Tools (video) Obfuscation #2: Playing entrypoint hide & seek game with dyld

Progress so far at the Network Analyzer

07 May 2012 Oguz Yarimtepe flow gsoc malware network-traffic protocols
Although the official coding period for GSoC 2012 has not started yet, I started to make my commits for the Network Analyzer project. The output of the project will be a web-based traffic analyzer. It is aimed at letting people upload their files from a web interface and see the results. Instead of the detailed header information, the network analyzer will be focusing on application-level data for display.

APKinspector : the alpha release of project 6.

26 Jul 2011 Cong Zheng apkinspector android malware static-analysis gsoc
The GUI tool for static analysis of Android malware is ready for an alpha release. For more details regarding this project, check here. In the alpha release, the following features have been finished. (1) Show the CFG (control flow graph) for a given method. (2) Show the smali code for a given method. (3) Show the Java code for a given Java file. (4) Show the bytecode for a given method.

The Honeynet Project Releases New Tool: Cuckoo

23 Feb 2011 Anton Chuvakin malware news tool
Here is another tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here – but please read detailed setup guide here (make sure to read it!). BTW, this tool is really well-documented, so make use of it before deploying it.

TaiWan Malware Analysis Net

20 Dec 2010 Yi Lang Tsai malware taiwan twman
Basically, TWMAN is an automated behavioral malware analysis environment for analyzing malware targeted at Microsoft Windows. It is developed as free and open source software, and the environment is built around Joe Stewart’s TRUMAN sandnet. Although there are many malware behavioral analysis services, such as Norman Sandbox, CWSandbox, Threat Expert, etc., for privacy and policy reasons it must be treated as if it contains personally identifiable information.