Automating your .apk reverse engineering workflow

Juha Kälkäinen
Published in OUSPG, May 26, 2020

In a previous blog post we showed how you can reverse Android APK files into their original Java source code (https://medium.com/ouspg/cincan-vs-covidlock-ed4d076ec162). While this was relatively easy and only required a few tools, as an analyst you might have to repeat everything multiple times a day in a hurry. Wouldn’t it be nice if you could automate this process without having to write bash scripts? Well, with CinCan Minion you can!

Premises

Let’s say I’m handed an encrypted .zip containing a malicious .apk file. My typical workflow consists of unzipping the file (the password most commonly is “infected”), generating a hash of it to search for previous analyses and to check whether it is known to VirusTotal, and then looking at the unobfuscated AndroidManifest.xml, which will at the very least tell me the permissions the application requests. Finally, I want to see the source code the .apk was compiled from.

Let’s build a minion rule set that will do all of this in one command.

Minion

Simply put, Minion is a tool that can be used to automate your command-line based malware analysis workflow. Writing Minion rules is much like writing a short shell script or makefile-like rules, but with the goal of being simpler and faster.

Check out https://gitlab.com/CinCan/minion for documentation and example rule sets!

Rules

Alright, so to automate my workflow I can use the following rule set.

Malware goes in, analysis comes out.

The rule set will unzip the file with the given password, generate its SHA-256 sum, check whether VirusTotal knows something about it, and finally run apktool, dex2jar and jadx on the file.
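The same four steps written out as a plain Python script, added here as an example of the manual workflow that Minion replaces; this is not the post's rule set and not CinCan project code. It assumes the upstream CLI names (apktool, d2j-dex2jar.sh, jadx) are on PATH and the VirusTotal v3 file-object layout for the report; the sample archive in the usage is constructed.

```python
#!/usr/bin/env python3
"""Constructed example: unzip -> sha256 -> VirusTotal lookup -> decompile.
Tool names are the upstream CLI names; the VT layout is the v3 file object."""
import hashlib
import json
import shutil
import subprocess
import urllib.error
import urllib.request
import zipfile
from pathlib import Path

VT_URL = "https://www.virustotal.com/api/v3/files/{}"  # v3 file lookup by hash


def extract_sample(zip_path, password, out_dir):
    """Step 1: unzip the sample (the usual password is 'infected') and return
    the extracted .apk paths. zipfile handles ZipCrypto only; AES-encrypted
    archives need 7z/unzip instead."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(zip_path) as zf:
        zf.extractall(out_dir, pwd=password.encode())
        names = zf.namelist()
    return [out_dir / n for n in names if n.lower().endswith(".apk")]


def sha256_file(path):
    """Step 2: hash the sample so earlier analyses can be searched for it."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def virustotal_lookup(digest, api_key):
    """Step 3 (network): fetch the file object by hash; 404 means unknown."""
    req = urllib.request.Request(VT_URL.format(digest), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


def summarize_virustotal(report):
    """Reduce a v3 file object to the verdict counts an analyst reads first."""
    if not report:
        return {"known": False}
    stats = report["data"]["attributes"]["last_analysis_stats"]
    return {
        "known": True,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "engines": sum(stats.values()),
    }


def run_decompilers(apk, out_dir):
    """Step 4: apktool decodes AndroidManifest.xml, dex2jar builds a .jar,
    jadx emits Java source. Each tool runs only if it is on PATH."""
    out_dir = Path(out_dir)
    commands = {
        "apktool": ["apktool", "d", "-f", "-o", str(out_dir / "apktool"), str(apk)],
        "d2j-dex2jar.sh": ["d2j-dex2jar.sh", "-f", "-o", str(out_dir / "classes.jar"), str(apk)],
        "jadx": ["jadx", "-d", str(out_dir / "jadx"), str(apk)],
    }
    ran = {}
    for name, cmd in commands.items():
        if shutil.which(name) is None:
            ran[name] = "missing"
            continue
        res = subprocess.run(cmd, capture_output=True, text=True)
        ran[name] = "ok" if res.returncode == 0 else f"exit {res.returncode}"
    return ran


def analyze(zip_path, password, out_dir, vt_report=None, api_key=None):
    """The whole workflow in one call; writes and returns a JSON summary.
    Pass vt_report (a cached v3 object) to stay offline."""
    results = []
    for apk in extract_sample(zip_path, password, out_dir):
        digest = sha256_file(apk)
        report = vt_report
        if report is None and api_key:
            report = virustotal_lookup(digest, api_key)
        results.append({
            "file": apk.name,
            "sha256": digest,
            "virustotal": summarize_virustotal(report),
            "tools": run_decompilers(apk, Path(out_dir) / apk.stem),
        })
    Path(out_dir, "summary.json").write_text(json.dumps(results, indent=2))
    return results


if __name__ == "__main__":
    import sys
    key = sys.argv[3] if len(sys.argv) > 3 else None  # optional VT API key
    print(json.dumps(analyze(sys.argv[1], sys.argv[2], "out", api_key=key), indent=2))
```

Run it as `python3 triage.py CovidLock.apk.zip infected <vt-api-key>`; without a key the VirusTotal step is skipped and the summary records the sample as unknown. Every step is a separate function so a single stage can be re-run on its own, which is the part of the routine that gets tedious by hand and that Minion's rules take over.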

To run Minion using the rules from above use the following command:

minion -D password=infected -D virustotal-api-key=mysecretapikeyplsdontsteal build minion.rules CovidLock.apk.zip

You can use the parameter -D to pass variables that affect the build behaviour. The build command tells Minion to build all possible output files, which basically means “go through all the rules”. It is followed by the rule set you wish to use and the files you wish to be analyzed. In this case the sample is the Android ransomware CovidLock.apk, zipped with the password ‘infected’.

BONUS: to get a neat terminal GUI, use the parameter “--live-log”.

Analysis running

If everything worked you should end up with a couple of folders containing a JSON of what VirusTotal thought of the sample, the AndroidManifest.xml and the source code in Java, among other things.

This blog post was written as a part of the CinCan project.

One of the goals of the project is to build shareable, repeatable & history preserving malware analysis pipelines using your favorite tools + CI + git + containers.

For more information see our homepage: https://cincan.io/
