CASP Malware Analysis

                               #############################
############################## # Day 1: Linux Fundamentals # ##############################
                               #############################


- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

Host Name:          149.28.201.171
protocol:           ssh
port:               22
username:           casp
password:           casp!casp123!


If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)

Open a terminal, then type:
-------------------------------
ssh -l casp 149.28.201.171
------------------------------

####################
# Malware Analysis #
####################


- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
file malware.exe

cp malware.exe malware.pdf

file malware.pdf

cp malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html


---------------------------Type This-----------------------------------
objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku
-----------------------------------------------------------------------
                            - We didn't see anything like HKLM, HKCU or other registry type stuff


---------------------------Type This-----------------------------------
strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list
-----------------------------------------------------------------------

                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

---------------------------Type This-----------------------------------
nano analyse_malware.py

python2 analyse_malware.py malware.exe
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
objdump -x wannacry.exe

objdump -x wannacry.exe | less
     q

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------


Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomeware analysis"


Reference
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase


Ok, let's look for the individual strings in our file


---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
 -----------------------------------------------------------------------


################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference1:
https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py

This is a really good script for the basics of static analysis

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This is really good for showing some good signatures to add to the Python script

---------------------------Type This-----------------------------------
nano am.py

python3 am.py wannacry.exe
-----------------------------------------------------------------------