joemccray

CASP Malware Analysis

Jul 9th, 2020
##############################
# Day 1: Linux Fundamentals #
##############################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319

- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/

- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:

Host Name: 149.28.201.171
protocol: ssh
port: 22
username: casp
password: casp!casp123!

If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/):

Open a terminal, then type:
-------------------------------
ssh -l casp 149.28.201.171
-------------------------------

####################
# Malware Analysis #
####################

- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
file malware.exe

cp malware.exe malware.pdf

file malware.pdf

cp malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------

***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html

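To show why the lab's `cp malware.exe malware.pdf` does not fool `file`, here is an added Python 3 example (not part of the lab and not the referenced analyse_malware.py) that identifies a file by its leading bytes only and, for MZ files, goes one step beyond the two-byte hexdump by checking for the PE signature at the e_lfanew offset. The signature table is a constructed subset of the reference above, and the sample PE header is constructed.

```python
import struct
import tempfile

# Signatures at offset 0 (constructed subset of the garykessler.net table).
MAGICS = {
    b"MZ": "DOS/Windows executable (MZ header)",
    b"%PDF": "PDF document",
    b"\x7fELF": "ELF executable",
}

def magic_hex(data: bytes, n: int = 2) -> str:
    """The same bytes `hexdump -n 2 -C` shows, e.g. '4d 5a' for MZ."""
    return data[:n].hex(" ")

def pe_detail(data: bytes) -> str:
    # 'MZ' alone only proves a DOS header; a PE image also carries
    # 'PE\0\0' at the offset stored in e_lfanew (little-endian DWORD at 0x3c).
    if len(data) < 0x40:
        return "MZ header truncated (not a valid PE)"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "PE executable (MZ header + PE signature)"
    return "MZ header without PE signature (DOS stub or corrupted)"

def identify(data: bytes) -> str:
    # Classify by leading bytes only; the file name plays no part.
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return pe_detail(data) if magic == b"MZ" else name
    return "unknown"

def identify_file(path: str) -> str:
    with open(path, "rb") as fh:
        return identify(fh.read(4096))  # enough to reach e_lfanew in real PEs

def sample_pe() -> bytes:
    # Constructed minimal PE-like header: MZ, e_lfanew = 0x80, then 'PE\0\0'.
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01"  # machine = i386

def identify_renamed_copy() -> str:
    # Mirror the lab's `cp malware.exe malware.pdf`: the verdict must not change.
    with tempfile.NamedTemporaryFile(suffix=".pdf") as tmp:
        tmp.write(sample_pe())
        tmp.flush()
        return identify_file(tmp.name)
```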
---------------------------Type This-----------------------------------
objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku
-----------------------------------------------------------------------
- We didn't see anything like HKLM, HKCU or other registry-related strings.

---------------------------Type This-----------------------------------
strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list
-----------------------------------------------------------------------

- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

---------------------------Type This-----------------------------------
nano analyse_malware.py

python2 analyse_malware.py malware.exe
-----------------------------------------------------------------------

---------------------------Type This-----------------------------------
objdump -x wannacry.exe

objdump -x wannacry.exe | less
q          (press q to quit less)

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
-----------------------------------------------------------------------

Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"

Reference:
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

The strings below are the ones quoted from the McAfee write-up (straight quotes, as YARA requires; the original numbering skips $s6 and is kept as is). The rule header and the "any of them" condition are added here so the fragment compiles as a YARA rule:

rule wannacry_strings
{
    // rule name and condition added here; strings as quoted from the McAfee post
    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
    condition:
        any of them
}

Ok, let's look for the individual strings in our file

---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry      **** Matches $s5, hmmm.....
-----------------------------------------------------------------------

################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference 1:
https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference 2:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This report is really good for showing some signatures worth adding to the Python script.

---------------------------Type This-----------------------------------
nano am.py

python3 am.py wannacry.exe
-----------------------------------------------------------------------
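The strings/grep labs above and this Python section both call for the same thing, so here is one added Python 3 example (my code, not analyse_malware.py or am.py, which are not reproduced on this page): it extracts ASCII and wide (UTF-16LE) strings the way `strings` and `strings -el` do, then runs the lab's grep terms and the WannaCry YARA strings over them in a single pass, case-insensitively in both encodings, which is what "wide ascii nocase" means. The sample blob is constructed.

```python
import re
import sys

# ASCII strings (like `strings`) and UTF-16LE "wide" strings (like
# `strings -el`), minimum 4 characters in both cases.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Grep terms the lab runs by hand, plus the WannaCry strings from the YARA
# rule above; matching is case-insensitive over ascii and wide strings.
SIGNATURES = {
    "imports":  [".dll", "library"],
    "registry": ["hklm", "hkcu", "hkey", "hku"],
    "irc":      ["irc", "join", "admin"],
    "wannacry": ["ooops, your files have been encrypted!", "wanna decryptor",
                 ".wcry", "wannacry", "wanacry!",
                 "icacls . /grant everyone:f /t /c /q"],
}

def extract_strings(data: bytes) -> list:
    """Return the ASCII strings followed by the decoded wide strings."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found

def triage(data: bytes) -> dict:
    """Map each signature category to the sorted strings that hit it;
    categories with no hits are left out (so an empty dict means no hits)."""
    hits = {}
    for s in extract_strings(data):
        low = s.lower()
        for cat, terms in SIGNATURES.items():
            if any(t in low for t in terms):
                hits.setdefault(cat, set()).add(s)
    return {cat: sorted(v) for cat, v in hits.items()}

# Constructed sample: two import names, the icacls command as ASCII, an IRC
# JOIN, the WANACRY! marker as a wide string, and non-printable padding.
SAMPLE = (b"\x00\x01MZ\x90\x00KERNEL32.dll\x00LoadLibraryA\x00\x00"
          + "WANACRY!".encode("utf-16-le") + b"\x00\x00"
          + b"icacls . /grant Everyone:F /T /C /Q\x00" + b"\xff" * 8
          + b"JOIN #chan\x00")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for cat, strs in triage(blob).items():
        print(f"[{cat}]", *strs, sep="\n  ")
```

Run it as `python3 triage.py wannacry.exe` (the file name is an assumption) to get the same result as the dozen grep lines, with the wide-string hits that plain `strings` misses.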