Simple Malware Analysis

1. ################################
2. # Good references for WannaCry #
3. ################################
4.  
5. References:
6.  
7. https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
8. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
9. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
10.  
11.  
12.  
13. ############################
14. # Download the Analysis VM #
15. ############################
16. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
17. user: infosecaddicts
18. pass: infosecaddicts
19.  
20.  
21.  
22. - Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
23.  
24.  
25.  
26.  
27.  
28.  
29. ################
30. # The Scenario #
31. ################
32. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
33.  
34.  
35. The fastest thing you can do is perform static analysis.
36.  
37.  
38.  
39. ###################
40. # Static Analysis #
41. ###################
42.  
43. - After logging please open a terminal window and type the following commands:
44.  
45. cd Desktop/
46.  
47. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
48.  
49. unzip wannacry.zip
50. infected
51.  
52. file wannacry.exe
53.  
54. mv wannacry.exe malware.pdf
55.  
56. file malware.pdf
57.  
58. mv malware.pdf wannacry.exe
59.  
60. hexdump -n 2 -C wannacry.exe
61.  
62.  
63.  
64.  
65. ***What is '4d 5a' or 'MZ'***
66. Reference:
67. http://www.garykessler.net/library/file_sigs.html
68.  
69.  
70.  
71.  
72.  
73. objdump -x wannacry.exe
74.  
75. strings wannacry.exe
76.  
77. strings --all wannacry.exe | head -n 6
78.  
79. strings wannacry.exe | grep -i dll
80.  
81. strings wannacry.exe | grep -i library
82.  
83. strings wannacry.exe | grep -i reg
84.  
85. strings wannacry.exe | grep -i key
86.  
87. strings wannacry.exe | grep -i rsa
88.  
89. strings wannacry.exe | grep -i open
90.  
91. strings wannacry.exe | grep -i get
92.  
93. strings wannacry.exe | grep -i mutex
94.  
95. strings wannacry.exe | grep -i irc
96.  
97. strings wannacry.exe | grep -i join
98.  
99. strings wannacry.exe | grep -i admin
100.  
101. strings wannacry.exe | grep -i list
102.  
103.  
104.  
105.  
106.  
107.  
108.  
109.  
110.  
111.  
112.  
113. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
114.  
115. Quick Google search for "wannacry ransomeware analysis"
116.  
117.  
118. Reference
119. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
120.  
121. - Yara Rule -
122.  
123.  
124. Strings:
125. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
126. $s2 = “Wanna Decryptor” wide ascii nocase
127. $s3 = “.wcry” wide ascii nocase
128. $s4 = “WANNACRY” wide ascii nocase
129. $s5 = “WANACRY!” wide ascii nocase
130. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
131.  
132.  
133.  
134.  
135.  
136.  
137.  
138.  
139. Ok, let's look for the individual strings
140.  
141.  
142.  
143. strings wannacry.exe | grep -i ooops
144.  
145. strings wannacry.exe | grep -i wanna
146.  
147. strings wannacry.exe | grep -i wcry
148.  
149. strings wannacry.exe | grep -i wannacry
150.  
151. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
152.  
153.  
154.  
155.  
156.  
157.  
158.  
159. ####################################
160. # Tired of GREP - let's try Python #
161. ####################################
162. Decided to make my own script for this kind of stuff in the future. I
163.  
164. Reference1:
165. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
166.  
167. This is a really good script for the basics of static analysis
168.  
169. Reference:
170. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
171.  
172.  
173. This is really good for showing some good signatures to add to the Python script
174.  
175.  
176. Here is my own script using the signatures (started this yesterday, but still needs work):
177. https://pastebin.com/guxzCBmP
178.  
179.  
180.  
181.  
182. sudo apt-get install -y python-pefile
183. strategicsec
184.  
185.  
186.  
187. wget https://pastebin.com/raw/guxzCBmP
188.  
189.  
190. mv guxzCBmP am.py
191.  
192.  
193. nano am.py
194.  
195. python am.py wannacry.exe
196.  
197.  
198.  
199.  
200.  
201.  
202. #######################
203. # External DB Lookups #
204. #######################
205.  
206. Creating a malware database (sqlite)
207. ------------------------------------
208. sudo apt-get install -y python-simplejson python-simplejson-dbg
209. strategicsec
210.  
211.  
212.  
213. wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py
214.  
215.  
216.  
217. python avsubmit.py -f wannacry.exe -e
218.  
219.  
220. Analysis of the file can be found at:
221. http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549