I need a full one-page report about this topic (Memory-Based APK Files), including the references, but I can't find anything online about it.
Any ideas where I can find information about it?
I have several malware repositories; however, I am unable to get .bin files to execute, or files, as Windows classifies them. I have included some file names so you can see what I'm working with. I have been trying to mount some of the files, which are .bin files, with no luck.
Tank_3d.jar
b0ffb939b3df60f8561fadf2cbfa1733_WEXTRACT.EXE_
userinit.exe with a desktop.BIN
Why the extra file with the executable?
13ce4cd747e450a129d900e842315328, and Windows says the type of file is "file"?
Any help you can provide would be greatly appreciated. I have searched the web, but I haven't found any sites that tell you how to execute these files, for obvious reasons. I have changed some of the file extensions to .exe, and some of them will execute in this manner. However, a lot of them still will not. I have conducted static analysis of these files prior to trying to do dynamic analysis. Also, I forgot to add that I'm doing this research for a university. Thank you.
The question is not completely clear to me, but as I understood from what you said, you have some files (probably related to some malware/ransomware) that you don't know how to execute.
Before just executing a piece of malware or any other suspicious file, you need to collect as much information as possible about your files. This step is called information gathering. So this is what you need to do:
(these are optional steps and can be changed based on your experience)
Calculate the MD5 hash of the file, then search for the MD5 value on VirusTotal or Hybrid-Analysis to check whether these engines have already analyzed this sample.
(or you can directly upload your sample to these engines without calculating the MD5 value)
Search on Google for whatever information you have about your file (even you can search the file name itself). You don't want to re-analyze the sample if someone already did that for you unless you are looking for some variants or some specific features. Even in that case, reading other related analysis report can help you do it faster.
Get the type of the file using whatever tool extracts the magic header (signature) of the file. I would say use the Linux file command, but you can use other tools as well.
Try to open the file in a hex editor/display software (you can find lots of them if you search), to see if there is anything interesting in the file.
Use the Linux strings or Windows Strings command to extract human-readable strings from the file to see what you can find.
After doing all the above-mentioned steps, you will have an idea of how you should deal with the file.
Use PEiD or DIE (Detect It Easy) to extract the programming language and the possible packer name/entropy of the file.
And finally, to execute different file formats:
If it's a .jar file: java -jar sample.jar
If it's a .dll file: use rundll32 or OllyDbg.
If you have an .exe file: just run it.
People who start learning malware analysis often just try to execute the file or start with dynamic analysis, but one needs to know that these steps are very helpful before executing the sample, since most of the time you will get what you want from information gathering and static analysis.
If you explain better the problem, maybe people can help you better!
Edit:
I am going to add this part to the answer to cover the comments.
why are there additional files in the malware folder like an executable with a bin file?
This is a simple trick which has been used by malware writers for several years. For example, in one scenario, the main file of the malware can be an executable file (.exe), but it's actually not harmful at all! All it does is download another file (e.g., a .dll file) which is the real malicious code (you can call it the payload). However, sending and receiving .dll files is also suspicious, so malware authors use other file extensions or whatever else to hide the malicious content (like a .bin file, or even a .png file in one of the variants of Emotet). The problem is that you CANNOT execute these files just like that, since sometimes they are encrypted/encoded.
You need to know the procedure for executing them, which is only possible to know if you reverse engineer the sample.
For example:
13ce4cd747e450a129d900e842315328 -> .DLL file
This means you may be able to analyze it using OllyDbg or any debugger + rundll32, but there is no guarantee! It may be encrypted or encoded, and only the parent file (the .exe sample, for example) can decrypt/decode it!
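The static information-gathering steps listed above (hash for a VirusTotal/Hybrid-Analysis lookup, reading the magic header instead of trusting the extension, entropy as a packing hint, and string extraction) combined into one triage script. This is an added example, not code from the answer; the signature table is a deliberately small subset, and the input is a constructed minimal PE image, not a real sample.

```python
import hashlib
import math
import re

# Magic headers (assumption: a small subset chosen for the sample types named in the thread).
MAGIC = [
    (b"PK\x03\x04", "ZIP container (JAR/APK are ZIP-based; inspect with `unzip -l`)"),
    (b"\x7fELF", "ELF executable"),
]

def pe_subtype(data: bytes) -> str:
    """Distinguish EXE from DLL via the IMAGE_FILE_DLL (0x2000) bit in COFF Characteristics."""
    pe = int.from_bytes(data[0x3C:0x40], "little")           # e_lfanew (0 if truncated)
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return "MZ header without valid PE signature (truncated or DOS stub only)"
    flags = int.from_bytes(data[pe + 22:pe + 24], "little")  # Characteristics field
    if flags & 0x2000:
        return "PE DLL (needs rundll32 or a debugger, not a double-click)"
    return "PE EXE"

def file_type(data: bytes) -> str:
    """Classify by magic bytes, ignoring whatever extension Windows shows."""
    if data.startswith(b"MZ"):
        return pe_subtype(data)
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown magic (possibly an encoded payload that only its parent file decodes)"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 suggest packing or encryption."""
    counts = [data.count(bytes([b])) for b in set(data)]
    return sum(-(c / len(data)) * math.log2(c / len(data)) for c in counts)

def triage(data: bytes, min_len: int = 4) -> dict:
    """Static information gathering for one sample: hashes, type, entropy, strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),          # for VirusTotal / Hybrid-Analysis lookup
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "entropy": round(entropy(data), 3),
        "strings": [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)],
    }

# Constructed sample (not a real malware file): a minimal PE image with the DLL bit set,
# followed by two readable strings, so every triage step has something to report.
SAMPLE = (b"MZ" + bytes(0x3A) + (0x40).to_bytes(4, "little")                    # DOS header, e_lfanew = 0x40
          + b"PE\0\0" + b"\x4c\x01" + bytes(16) + (0x2102).to_bytes(2, "little")  # COFF header, DLL bit set
          + b"\0LoadLibraryA\0http://example.invalid/payload.bin\0")
```

The type field tells an EXE from a DLL by the IMAGE_FILE_DLL bit, which is what decides whether rundll32 or a debugger is the right way to load the sample.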
I am now interested in performing memory analysis of the malware which I possess. However, the problem I encountered was how to execute a lot of the ransomware files I have to examine.
I would say it would be nice to execute all of them using a Win10 VM + Cuckoo sandbox and dump the memory for further analysis. It's all an automatic job and can be done nicely.
I've been working on my bachelor's thesis in LyX for about a month without encountering any problems, and today, all of a sudden, when creating a PDF, LyX just loads indefinitely and even asks me at some point if I want to stop the PDF creation since it takes such a long time. Am I doing something wrong? I have about 100 pages, and the PDFs I created lately have been around 100 MB large since they hold a lot of very high-res images.
In case anyone is struggling with the "convert" functionality usage in LyX, this is some additional info:
Initially I struggled to get EPS files to load and be displayed on screen, as well as to get them exported to a PDF file. I saw that the latest LyX install already had all the "convert blah-blah $$ii $$o" commands predefined, and it was still not working.
Here is what worked for me:
sudo mv /etc/ImageMagick-6/policy.xml /etc/ImageMagick-6/policy.xmlout
Here there are two parts -
a) ImageMagick needs to be installed on the machine, as it provides most of the converters. The following command in a terminal will check whether ImageMagick is installed on your system.
identify -version
b) ImageMagick tools should be "allowed" to run, "convert" being one of those. You need to relax some default security policies for that. That is what the above renaming of the policy file does. Detailed information is given in the answer to this question on the Ubuntu forum.
Note - This security policy relaxation is not recommended for web-server machines. Only desktop users may take the risk.
I'm in the process of (finally!) setting up code coverage monitoring for my brand new C++ project. Due to the fact that I need some advanced C++20 features (read: coroutines), I am using clang 6 as the compiler.
Now, I followed this guide on how to do basic code coverage for your project, and everything worked like magic. If I do:
clang++ -fprofile-instr-generate -fcoverage-mapping test.cpp -o test.out
LLVM_PROFILE_FILE="coverage/test.profraw" ./test.out
llvm-profdata merge -sparse coverage/test.profraw -o coverage/test.profdata
llvm-cov show ./test.out -instr-profile=coverage/test.profdata
I get a nice, colored report on my terminal that tells me what is covered and what is not.
So far so good! I thought I was close to what I wanted, but then the pain started when I tried to get the report uploaded to codecov.io.
I have tried a few things, including:
Running their https://codecov.io/bash script on my coverage folder in the hope that maybe it would pick up my test.profdata. No dice, and it makes sense, since even llvm-cov needs the path to the executable file to run.
Using the export functionality: when running llvm-cov export --instr-profile=coverage/test.profdata ./test.out I get a good-looking JSON file (via terminal). I tried throwing the output in a coverage.json file, which actually got uploaded, but then codecov just says that there was an error parsing it, with no further information.
I'm feeling completely lost. Everything seems so black-box-ish on their website that I just don't understand how to get anything done that doesn't by chance perfectly fit the cases that they can manage.
How can I get this working with codecov? If codecov can't handle my reports, is there any other equivalent online code coverage that I can use to get this to work?
It looks like the bash script codecov uses to upload coverage data to its site searches for files matching a wide range of patterns associated with formats that it understands. These are poorly documented, but you can at least see which patterns are viable by looking at the script on GitHub. Of course, this doesn't tell you what expectations codecov has about the format of files matching a given pattern, as you discovered when your coverage.json file was rejected.
Through trial and error I have found that the following produces a file that codecov will interpret correctly when you run the bash script:
llvm-cov show ./test.out -instr-profile=default.profdata > coverage.txt
I haven't extensively tested what file names are allowed, but it seems that you can put whatever additional characters you want between coverage and .txt in the name of the file that you're piping the coverage data to (e.g. you could call it coverage_my_file_name.txt).
EDIT: Just in case this is helpful to anyone, it turns out that an important corollary to the above is that it's critical that you avoid naming anything that isn't a coverage report something that matches this pattern. I just dealt with a scenario where I had a bunch of executables named coverage_[more_text_here].out that were getting uploaded with the reports. It turns out that attempting to parse assembly code as a coverage report can cause codecov to mysteriously fail without any useful errors.
Another option is to use GCOV profiling, which is a little less precise than source-based, but it is supported by codecov.io. You need the "--coverage" compiler flag to enable it.
You can use grcov (which you can also download from https://github.com/mozilla/grcov/releases) to parse the gcno/gcda files and upload them via the codecov.io bash uploader:
grcov OBJ_DIR -s SRC_DIR -t lcov --branch > lcov.info
bash codecov.sh -f "lcov.info"
I'm planning to add support for source-based reports to grcov, which will make it easier to support the format on codecov too.
So I upgraded to 1.4 for a project I am contributing to (in the development/testing branch, of course) and ran into some problems, and thus we want to use Dart 1.3.6 again. However, I cannot find it.
Does anyone know where I could download it?
I have seen and starred https://code.google.com/p/dart/issues/detail?id=18323
as I was putting this question together, but of course it seems like there is no movement there just yet.
I think I pretty much ran into similar issues to what corgath described in comments on this question... looking for the right version in those "archives" where the "latest" is not really the latest anymore.
Update
There is now a nice page to select and download specific Dart versions https://www.dartlang.org/tools/download-archive/
For a while now there have also been deb packages available, which can be installed using
sudo apt-get install dart=1.7.0-dev.0.1.*
see https://www.dartlang.org/tools/debian.html for more details.
Original
You can download from
http://gsdview.appspot.com/dart-archive/channels/stable/release/
The list only contains the build number but each folder contains a file VERSION that contains detailed version information for this build.
Dev channel releases can be found here:
http://gsdview.appspot.com/dart-archive/channels/dev/release/
There are also unsigned raw builds (bleeding edge), but it is not recommended to use them.
http://gsdview.appspot.com/dart-archive/channels/be/raw/release/
With issues gathering on bitbucket, I'd like to have a way to gather and back them up in the event that I need an offline copy, or no longer use Bitbucket, or something else. The site doesn't offer this service. Is there an alternative mechanism I can use?
From now on you can Import/Export your Issues:
Go to: Administration -> Import/Export
YouTube video: Bitbucket Issue Export
You can get your issues via the Bitbucket API.
Here is an example URL to get the issues for one of my projects:
https://api.bitbucket.org/1.0/repositories/christianspecht/bitbucket-backup/issues/
However, this returns a list of the issues in JSON format.
I doubt that you can do anything useful with a list of issues in JSON, but I don't know if there's a better file format for issues.
I just asked exactly that here on StackOverflow, because I'm dealing with the same thing at the moment:
Is there a standard file format for exporting issues from an issue tracker?
Full disclosure: I am the author of Issue2Markdown, because I really needed it.
As mentioned previously, you can export your issues from a Bitbucket project by going to Settings -> Issues -> Import & Export and then downloading the resultant ZIP file.
Inside that ZIP file, you will find JSON file and attachments archive. You can import those into some other issue repository. Or if you are like me you may be working with a remote team that is reluctant to use an issue tracker and would like to be able to read a human-readable version of the issues.
That is where Issue2Markdown comes in. You can use that to render your issues as a single Markdown document. You can find pre-built binaries for Linux, Windows, and MacOS under releases.
I hope that helps the next person who could not find the solution.
There doesn't currently appear to be any way to export your issues :(
You could export issues from the settings in the repository. Then download and extract the zip file; that gives you a JSON file that you can parse any way you prefer.
I wrote a small Python script to convert the issues JSON file to Excel, which you can find here. Hope it gives you some ideas:
https://github.com/anath2/bitbucket-issues-to-excel