About 1.5 years ago my friend was (wrongly) accused of terrorism.
-
About 1.5 years ago my friend was (wrongly) accused of terrorism.
All of their electronic devices were seized, plus my stash of hard drives (which were at their place for reasons).
Of course they didn't find any evidence. The culprit who framed my friend (and many others) [was arrested](https:// niebezpiecznik.pl/post/cyberpodszywacz-marcinnowak2080-zatrzymany-aresztowany-podszywacz/) (article in Polish).
Upon getting the hardware back, I found that all of my hard drives had been destroyed, which made me (understandably) pissed.
We're very good friends, so I've been given their personal phone that was pwned with Cellebrite. It hasn't been turned on since the police extracted data from it, so I decided to do some forensics on it.
As it turns out, the police forgot to clean up after themselves. I took a peek at the first-stage payload, but it's too complex for me to reverse-engineer. It's clear it's full of obfuscations and is even using TLS to talk to the Cellebrite box.
If you're a security researcher (or just a curious nerd with more spoons than me) and want to take a look at it - here you go.
Payload was uploaded onto the device on 2024-02-21.
If you want to re-create the environment it was executed on, you will need:
- Samsung Z Flip3 5G (SM-F711B)
- Android build SP2A_220305.013.F711BXXS2CVHF
Rough execution flow:
1. USB device plugged in (Cellebrite Cheetah)
2. USB controller switches to host mode
3. Gadget switching USB VID/PID to load kernel modules
4. Module 'hid_akeys' leaks memory
5. Screen unlocked
6. ADB key '82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E' added to trusted keys on the device
7. First-stage payload '/data/local/tmp/falcon' copied onto the device
8. Second-stage payload executed as root:
   - /data/local/tmp/chrome-command-line
   - /data/local/tmp/android-webview-command-line
   - /data/local/tmp/webview-command-line
   - /data/local/tmp/content-shell-command-line
   - /data/local/tmp/frida-server-16.1.4-android-arm64
   - /data/local/tmp/init
9. Data extraction (photos, telegram, firefox, downloads)

# Unanswered question

What the hell is "jtcb.sdylj.axpa" running as root? Seems to have been dropped around the same time...

Have fun!
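As an added example (not part of the original post), a small Python check for two of the artifacts the flow above names, the trusted ADB key and the files dropped under /data/local/tmp, which a responder could run over a pulled `adb_keys` file and a directory listing. It assumes Android renders a key's fingerprint as colon-separated upper-case MD5 of the base64-decoded key blob; the sample inputs are constructed.

```python
import base64
import hashlib
import re

# Artifacts named in the post: the ADB key fingerprint as Android shows it in
# the "Allow USB debugging?" dialog, and file names dropped in /data/local/tmp.
KNOWN_ADB_FINGERPRINTS = {"82:E5:EA:F3:DC:D1:7D:CA:65:3C:D4:58:65:CD:81:8E"}
KNOWN_TMP_PAYLOADS = {
    "falcon", "chrome-command-line", "android-webview-command-line",
    "webview-command-line", "content-shell-command-line",
    "frida-server-16.1.4-android-arm64", "init",
}

def adb_key_fingerprint(adb_keys_line: str) -> str:
    """Fingerprint of one /data/misc/adb/adb_keys line: MD5 over the
    base64-decoded key blob (the field before 'user@host'), as upper-case
    hex pairs joined by ':' (assumed to match Android's rendering)."""
    blob = base64.b64decode(adb_keys_line.split()[0])
    return ":".join(f"{b:02X}" for b in hashlib.md5(blob).digest())

def find_trusted_keys(adb_keys_text: str, suspicious: set) -> list:
    """(line_no, fingerprint, comment) for each trusted key whose
    fingerprint is in `suspicious`."""
    hits = []
    for n, line in enumerate(adb_keys_text.splitlines(), 1):
        if not line.strip():
            continue
        fp = adb_key_fingerprint(line)
        if fp in suspicious:
            parts = line.split(maxsplit=1)
            hits.append((n, fp, parts[1].strip() if len(parts) > 1 else ""))
    return hits

def find_tmp_payloads(ls_output: str, known: set) -> list:
    """Names from an `ls -1 /data/local/tmp` listing that match the post's
    payload names, plus any frida-server build whatever its version."""
    names = (l.strip() for l in ls_output.splitlines())
    return sorted(n for n in names
                  if n in known or re.match(r"frida-server-[\d.]+-android-", n))

# Constructed sample inputs (not data from the device in the post).
SAMPLE_KEY_BLOB = bytes(range(256)) * 2 + b"\x00" * 12   # 524 bytes, like an adb RSA key
SAMPLE_ADB_KEYS = (
    base64.b64encode(SAMPLE_KEY_BLOB).decode() + " owner@laptop\n"
    + base64.b64encode(SAMPLE_KEY_BLOB[::-1]).decode() + " unknown@workstation\n"
)
SAMPLE_LS = "falcon\nfrida-server-16.1.4-android-arm64\nnotes.txt\ninit\n"
```

On a real device the inputs would be `/data/misc/adb/adb_keys` and `ls -1 /data/local/tmp` taken from an image, not from the live phone.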
@elly you have a typo in the URL to the news article; it has a space before niebezpiecznik.