Malware Analysis Basics

Here is the material from the Malware Analysis for Vets class:

Here is the class video:
https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv

Here is the courseware:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx

Malware Analysis Tools:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip

Software you may find useful:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip

Actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip


Class virtual machines:

** Linux VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar
user: malware
pass: malware

** Windows VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar


Malware can only do 4 things:

1. Modify the filesystem
2. Modify the registry
3. Modify processes/services
4. Connect to the Internet/local network


Reverse Engineering malware is different:
1. Encryption/Obfuscation
2. Payload
3. Programming Style
4. Motive/Intent


Note: If you seriously want to do Reverse Engineering at work, then you need at least 10 million samples of malware.

Here is a small database to play with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2
855MB file size - be sure to run in a VM


Good reference links:
http://www.garykessler.net/library/file_sigs.html 	<-- file headers

Things we did to the malware on the Windows VM:
- PEID
- StudPE
	- saw 'ABC0' as entry point and we thought that was strange
- Hex Editor
- Strings

Open a command prompt:
cd c:\Documents and Settings\Administrator\Desktop\Strings
copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .
	- strings.exe malware.exe | findstr ".dll"
	- strings.exe malware.exe | more	<-- let's you page through the data by pressing the space bar
	- strings.exe malware.exe | findstr "ABC"
		-ABC0
		-ABC1
		-ABC2
		-ABC!
		-ABC^
	- strings.exe malware.exe | findstr ".dll"
		We googled ws2_32.dll and found out it does windows sockets
	- strings.exe malware.exe | findstr "IRC"
	- strings.exe malware.exe | findstr "JOIN"
		List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
	- strings.exe malware.exe | findstr "ADMIN"
	- strings.exe malware.exe | findstr "LIST"

Let's check to see if it modifies the registry
	- strings.exe malware.exe | findstr "REG"
	- strings.exe malware.exe | findstr "HKEY"
		We didn't see anything like HKLM, HKCU or other registry type stuff


##############################
# Moving to the Linux system #
##############################
Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging please open a terminal window and type the following commands:

cd Desktop/


This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
	infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

							- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
	infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e


Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module
Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p					(set a password of 'malware')

Then create one database by running following command:

create database malware;


wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py -i			(fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
	malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;


##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo Clamscan

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
	infected

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
meta:
description = "Windows executable file"

condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
meta:
description = "DEP is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

rule has_no_ASLR
{
meta:
description = "ASLR is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
----------------


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe


####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py


cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'


cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
				***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf


cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done