F 231: Scanning an iPhone Backup for Malware (15 pts extra)

What You Need for This Project

Purpose

To scan an iPhone backup for advanced malware, including Pegasus, using the Mobile Verification Toolkit, a tool from Amnesty International.

Downloading the Evidence File

In a Web browser, download this file:

iTunesBackup.zip

The file size is 420,118,802 bytes.

Installing Hashcalc

On your Windows analysis machine, if you don't have Hashcalc, get it here:

https://www.slavasoft.com/download.htm

Verifying the Hash Value

Calculate the SHA-256 hash of the iTunesBackup.zip file. Verify that it matches the image below.

Unzipping the Data

In your Downloads folder, right-click the iTunesBackup.zip file and click "Extract All...", Extract.

Installing Python 3

Click Start. Type COMMAND. Launch a Command Prompt.

Execute this command:

python

If you don't have Python installed, the Windows Store will open and offer it to you. Install it.

If you have Python installed, it will open, as shown below.

Execute this command to exit from Python:

exit()

Installing the Mobile Verification Toolkit

In the Command Prompt, execute this command:
pip install mvt

A lot of messages scroll by, as shown below.

Fixing the Path

Python virtually never works properly on Windows (neither does Java) because the installer never sets the PATH correctly.

To test your installation, execute this command:

mvt-ios

It will probably fail, saying it is not recognized, as shown below.

If that happens, execute this command:

pip show mvt

This reveals the path where Python put the file, which is very long, highlighted in the image below.

To copy the path, carefully highlight the whole thing, as shown above, and then press the Enter key.

Click Start. Type ENVIRONMENT. In the search results, click "Edit environment variables for your account".

In the top pane, click Path. Then click the Edit... button, as shown below.

In the "Edit environment variable" box, click the New button.

Paste in the long path you copied earlier, as shown below.

At the right end of that long path, delete "site-packages" and add

Scripts

as shown below.

Click OK. Click OK.

Close the Command Prompt window. Open a new Command Prompt window.

Execute this command:

mvt-ios

You should see a Usage message, as shown below.

Downloading Indicators of Compromise

In the Command Prompt, execute this command:
mvt-ios download-iocs

It downloads several recent packages including STIX2 files, which are Indicators of Compromise, as shown below.

Scanning the iPhone Files

In the Command Prompt, execute these commands:
cd Downloads\iTunesBackup
mvt-ios check-backup --output out iTunesBackup
dir out

The results show several files, but none of them end in "_detected", so none of these IOCs were detected, as shown below.

F 231.1: Timeline (15 pts)

To find the latest threat, named "Triangulation", search the timeline.csv file for "BackupAgent".

To search for all lines containing "ba", execute this command:

type out\timeline.csv | findstr ba

The flag is covered by a green rectangle in the image below.
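The same search can be done from Python over the timeline.csv that check-backup writes, which makes it easy to match an indicator string regardless of case and to pull out the timestamps of the matching events. This is an added example, not part of this project page or of MVT; it assumes the column names mvt-ios writes to timeline.csv ("UTC Timestamp", "Plugin", "Event", "Description"), and its sample rows are constructed, not taken from the evidence file.

```python
"""Search an MVT timeline.csv for an indicator string (added example)."""
import csv
import io

# Constructed sample in the timeline.csv layout; column names are assumed
# to be the ones mvt-ios writes. These rows are NOT from iTunesBackup.
SAMPLE_TIMELINE = """UTC Timestamp,Plugin,Event,Description
2023-05-20 10:01:02.000000,Manifest,Created,Library/SMS/sms.db - Library/SMS/sms.db
2023-05-20 10:05:44.000000,Manifest,Modified,Library/Caches/com.apple.BackupAgent/Cache.db
2023-05-20 11:00:00.000000,Datausage,ProcessFirstUsed,Process BackupAgent started using data
2023-05-21 08:12:30.000000,Datausage,ProcessFirstUsed,Process com.apple.mobilesafari started using data
"""


def load_timeline(csv_text):
    """Parse timeline CSV text into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search_timeline(rows, term, ignore_case=True):
    """Return the rows whose full line contains term.

    ignore_case=True behaves like 'findstr /I'; ignore_case=False behaves
    like plain 'findstr', which only matches the exact letter case given.
    """
    needle = term.lower() if ignore_case else term
    hits = []
    for row in rows:
        # Match against the whole line, the way findstr does.
        line = ",".join(v or "" for v in row.values())
        if ignore_case:
            line = line.lower()
        if needle in line:
            hits.append(row)
    return hits


def timestamps_for(rows, term):
    """Sorted UTC timestamps of the events mentioning term."""
    return sorted(r["UTC Timestamp"] for r in search_timeline(rows, term))


if __name__ == "__main__":
    # Replace SAMPLE_TIMELINE with open("out/timeline.csv").read() for real data.
    rows = load_timeline(SAMPLE_TIMELINE)
    for r in search_timeline(rows, "BackupAgent"):
        print(r["UTC Timestamp"], r["Plugin"], r["Event"], r["Description"])
```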

References

iOS 13 Images… Now Available!
New zero-click threat targets iPhones and iPads
MVT — Quick Start Guide

Posted 6-12-23