joemccray

Simple Malware Analysis

May 30th, 2017
################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
- Do everything that follows inside this VM, with no shared folders and a host-only (or no) network adapter. You are about to handle a live sample; none of it belongs on your host.


################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV quarantine, HIPS, spam filter, web proxy, or digital forensics scripts).

The fastest thing you can do is static analysis: inspect the file without executing it. Every command below only reads bytes from disk; nothing here runs the sample.


###################
# Static Analysis #
###################

- After logging in, open a terminal window and type the following commands:

cd Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

unzip wannacry.zip
infected                 (the zip password; samples are shipped in password-protected archives so AV does not quarantine them in transit)

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe

'file' reports a PE32 executable both times: it decides the type from the file's contents, not from the extension, so renaming the sample changes nothing. 'hexdump -n 2' shows the two bytes that 'file' keyed on.

***What is '4d 5a' or 'MZ'***
0x4d 0x5a is the ASCII 'MZ' signature that starts the DOS header of every Windows executable (EXE, DLL, SYS). The PE header proper is found through the 4-byte offset stored at 0x3c (e_lfanew) and begins with 'PE\0\0'.
Reference:
http://www.garykessler.net/library/file_sigs.html
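
Added example (my own code, not from the original page or from any of the references above): a pure-Python version of the check that 'file' and 'hexdump' just performed. It walks from the 'MZ' magic through e_lfanew to the 'PE\0\0' signature, the COFF header and the section table by hand, and, like 'file', looks only at the bytes, so it answers the same whether the file is called wannacry.exe or malware.pdf. The image it parses by default is a minimal PE constructed inside the script (a made-up .text section, not the WannaCry sample); the MACHINES table and the "PE32 executable (...)" wording are my own shorthand, not 'file' output. Run it with a path argument to parse a real file.

```python
import struct
import sys

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics bit set on DLLs


def build_minimal_pe(overlay=b""):
    """Constructed 32-bit PE image for this demo: not the WannaCry sample and not runnable.

    Layout: 64-byte DOS header (e_lfanew = 0x80), DOS stub, "PE\\0\\0", 20-byte COFF
    header, 0xE0-byte optional header, one .text section header, its 0x200 bytes of
    raw data at file offset 0x400, then an optional overlay (bytes after the last section).
    """
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)      # e_lfanew sits at offset 0x3C
    dos_stub = b"This program cannot be run in DOS mode.\r\n$".ljust(e_lfanew - 64, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x59280000, 0, 0, 0xE0, 0x0102)
    opt_header = struct.pack("<H", 0x10B).ljust(0xE0, b"\x00")            # 0x10B = PE32, 0x20B = PE32+
    section = b".text".ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    headers = (dos_header + dos_stub + b"PE\x00\x00" + coff + opt_header + section).ljust(0x400, b"\x00")
    return headers + b"\xCC" * 0x200 + overlay


def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table.

    Returns None when the bytes are not a PE file (or stop before the PE signature),
    otherwise the fields a first triage needs.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsec, timestamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    opt_magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 and opt_off + 2 <= len(data) else 0
    sections, raw_end = [], 0
    for i in range(nsec):
        off = opt_off + opt_size + 40 * i
        if off + 40 > len(data):
            break                                   # section table runs past EOF: truncated or malformed
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize,
                         "rawptr": rawptr, "in_file": rawptr + rawsize <= len(data)})
        raw_end = max(raw_end, rawptr + rawsize)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": opt_magic == 0x20B,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "timestamp": timestamp,
        "num_sections": nsec,
        "sections": sections,
        "overlay_size": max(0, len(data) - raw_end) if sections else 0,   # data appended after the last section
    }


def identify(data):
    """Content-based type, the way `file` decides it: the filename is never consulted."""
    if data[:4] == b"%PDF":
        return "PDF document"
    if data[:2] != b"MZ":                 # no 4d 5a: not an MZ/PE file at all
        return "data"
    info = parse_pe(data)
    if info is None:
        return "MS-DOS executable"        # MZ present but no valid PE header behind it
    return "PE32%s executable (%s)" % ("+" if info["pe32plus"] else "", info["machine"])


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(overlay=b"XYZ")
    print("first two bytes: %s  ->  %s" % (data[:2].hex(), identify(data)))
    info = parse_pe(data)
    if info:
        print("machine=%(machine)s dll=%(is_dll)s sections=%(num_sections)d overlay=%(overlay_size)d bytes" % info)
        for s in info["sections"]:
            print("  %-8s vaddr=%#x vsize=%#x raw@%#x+%#x%s" % (
                s["name"], s["vaddr"], s["vsize"], s["rawptr"], s["rawsize"],
                "" if s["in_file"] else "  (past EOF!)"))
```

The overlay size and the in_file flag are the two numbers worth glancing at before anything else: a large overlay is where droppers commonly park an embedded payload, and a section whose raw data lies past end-of-file means you are looking at a truncated or deliberately malformed header.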


objdump -x wannacry.exe          (headers, section table, imports/exports: the same PE structure, decoded)

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list

Note that 'strings' only reports runs of printable ASCII bytes (4 or more by default). Windows binaries keep a lot of their text as UTF-16LE ("wide") strings, which plain 'strings' walks right past; repeat the greps with 'strings -el wannacry.exe' to see those as well.


Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"

Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -
(only the strings section of the rule from the reference above is reproduced here; 'wide ascii nocase' means each string is searched for in both its UTF-16LE and its ASCII form, ignoring case)

Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase


Ok, let's look for the individual strings

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry         **** Matches $s5, hmmm.....
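
Added example (my own code, not from the page, not the rule from the McAfee write-up and not the author's am.py): a Python stand-in for the 'strings | grep -i' loop above that also extracts UTF-16LE strings, the way 'strings -el' does, and then checks the six YARA strings the way the 'wide ascii nocase' modifiers do. It runs on a small byte buffer constructed inside the script (not bytes from the WannaCry sample) that deliberately stores one indicator in wide form, so you can see what an ASCII-only 'strings' pass misses. Give it a path to scan a real file instead.

```python
import re
import sys

# Constructed test buffer, NOT bytes from the WannaCry sample: one indicator stored as
# plain ASCII, one stored as UTF-16LE ("wide", as Windows binaries usually hold text),
# a two-character fragment that is too short to count, and some filler bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"WANACRY!\x00"
    + b"ab\x00"
    + b"\xff\xfe"
    + "Wanna Decryptor".encode("utf-16-le") + b"\x00\x00"
    + b"\x01icacls . /grant Everyone:F /T /C /Q\x00"
)

# The strings section of the YARA rule quoted above, as name -> literal.
INDICATORS = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}


def ascii_strings(data, min_len=4):
    """What `strings` prints: runs of >= min_len printable ASCII bytes."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def wide_strings(data, min_len=4):
    """What `strings -el` prints: runs of >= min_len UTF-16LE chars (printable byte, NUL)."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pat, data)]


def grep_i(data, needle, wide=False):
    """`strings FILE | grep -i NEEDLE` (wide=True for the `strings -el` pass)."""
    pool = wide_strings(data) if wide else ascii_strings(data)
    return [s for s in pool if needle.lower() in s.lower()]


def match_indicators(data, indicators=INDICATORS):
    """Emulate YARA's `wide ascii nocase` on the raw bytes.

    bytes.lower() folds only ASCII letters, so the NUL bytes of a UTF-16LE string survive
    and the lowered wide needle still lines up. Returns {name: [encodings matched]}.
    """
    haystack = data.lower()
    hits = {}
    for name, literal in indicators.items():
        encodings = [label for label, codec in (("ascii", "ascii"), ("wide", "utf-16-le"))
                     if literal.lower().encode(codec) in haystack]
        if encodings:
            hits[name] = encodings
    return hits


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in ascii_strings(data):
        print("ascii:", s)
    for s in wide_strings(data):
        print("wide: ", s)
    for name, encodings in sorted(match_indicators(data).items()):
        print("%s matched (%s)" % (name, ", ".join(encodings)))
```

On the constructed buffer, grep_i(SAMPLE, "wanna") comes back empty while grep_i(SAMPLE, "wanna", wide=True) finds "Wanna Decryptor": that is exactly the gap between the grep loop above and what the YARA rule's 'wide' modifier covers.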


####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference1:
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This is really good for showing some good signatures to add to the Python script.

Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP

sudo apt-get install -y python-pefile      (the Python 2 pefile package, matching the 'python' interpreter used below)
strategicsec                               (password at the sudo prompt)

wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

nano am.py                                 (read a script you just pulled from pastebin before you run it)

python am.py wannacry.exe


#######################
# External DB Lookups #
#######################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
strategicsec                               (password at the sudo prompt)

wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py

python avsubmit.py -f wannacry.exe -e

External lookups and submissions hand at least the hash, and often the file itself, to a third party. That is fine for a public sample like this one; for a file pulled out of your own environment, check the hashes locally and against the databases first, and decide whether the sample (and the fact that you hold it) may leave the house.

Analysis of the file can be found at:
http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549
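
Added example (my own code, not avsubmit.py and not from the references): the bookkeeping behind an external lookup. It computes the MD5, SHA-1 and SHA-256 of the sample bytes, builds the hash-keyed report URL in the format used just above, and keeps a local sqlite table so a sample is recorded once per SHA-256 no matter what it is named or how many times it turns up. The sample bytes are a constructed stand-in defined inside the script, not the WannaCry file, and the table layout is my own; pass a path to index a real file.

```python
import hashlib
import sqlite3
import sys

# Constructed stand-in for a sample (not real malware bytes).
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample body, not real malware"

THREATEXPERT = "http://www.threatexpert.com/report.aspx?md5=%s"   # report URL format used on this page


def hash_sample(data):
    """MD5, SHA-1 and SHA-256 of the raw bytes: the keys sandboxes and threat-intel portals index by."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def lookup_url(md5):
    """Hash-keyed report URL: nothing is uploaded, only the hash leaves the machine."""
    return THREATEXPERT % md5


def open_db(path=":memory:"):
    """Create the samples table (sha256 is the primary key; md5 is indexed for portal-style lookups)."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS samples ("
        " sha256 TEXT PRIMARY KEY, sha1 TEXT NOT NULL, md5 TEXT NOT NULL,"
        " filename TEXT, size INTEGER, file_type TEXT,"
        " first_seen TEXT DEFAULT CURRENT_TIMESTAMP)")
    conn.execute("CREATE INDEX IF NOT EXISTS samples_md5 ON samples(md5)")
    conn.commit()
    return conn


def record_sample(conn, filename, data, file_type=None):
    """Insert the sample once per unique sha256. Returns (hashes, inserted_now)."""
    h = hash_sample(data)
    cur = conn.execute(
        "INSERT OR IGNORE INTO samples (sha256, sha1, md5, filename, size, file_type)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        (h["sha256"], h["sha1"], h["md5"], filename, len(data), file_type))
    conn.commit()
    return h, cur.rowcount == 1          # rowcount is 0 when the OR IGNORE path fired


def find_by_md5(conn, md5):
    """Local lookup before any external one: None if this hash has never been seen here."""
    row = conn.execute(
        "SELECT filename, sha256, size, first_seen FROM samples WHERE md5 = ?",
        (md5.lower(),)).fetchone()
    if row is None:
        return None
    return {"filename": row[0], "sha256": row[1], "size": row[2], "first_seen": row[3]}


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "constructed.bin"
    data = open(name, "rb").read() if len(sys.argv) > 1 else SAMPLE
    db = open_db("samples.db")
    hashes, new = record_sample(db, name, data)
    for algo, digest in hashes.items():
        print("%-6s %s" % (algo, digest))
    print("new sample" if new else "already indexed", "->", lookup_url(hashes["md5"]))
```

Keying on SHA-256 rather than the filename is the point: the renamed copy from the 'mv wannacry.exe malware.pdf' experiment earlier hashes identically and is not added a second time, and the MD5 index lets you answer "have I seen this before?" from the page's MD5-keyed URL without touching the network.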