Quick DCO stuff

1. ------------------------------------------------------------------
2. Step 1: Download Putty from here:
3. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
4.  
5.  
6.  
7.  
8. IP Address: 144.202.37.49
9. Protocol: ssh
10. Port: 22
11. username: np
12. password: n3ts1m123
13.  
14.  
15.  
16.  
17. ##############################################
18. # Log Analysis with Linux command-line tools #
19. ##############################################
20. The following command line executables are found in the Mac as well as most Linux Distributions.
21.  
22. cat – prints the content of a file in the terminal window
23. grep – searches and filters based on patterns
24. awk – can sort each row into fields and display only what is needed
25. sed – performs find and replace functions
26. sort – arranges output in an order
27. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
28.  
29.  
30. ##############
31. # Cisco Logs #
32. ##############
33.  
34. -----------------------------Type this-----------------------------------------
35. wget http://45.63.104.73/cisco.log
36. -------------------------------------------------------------------------------
37.  
38. AWK Basics
39. ----------
40. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
41.  
42. -----------------------------Type this-----------------------------------------
43. cat cisco.log | awk '{print $5}' | tail -n 4
44. -------------------------------------------------------------------------------
45.  
46.  
47.  
48. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
49.  
50. -----------------------------Type this-----------------------------------------
51. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
52. -------------------------------------------------------------------------------
53.  
54.  
55.  
56. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
57.  
58. -----------------------------Type this-----------------------------------------
59. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
60. -------------------------------------------------------------------------------
61.  
62.  
63.  
64.  
65. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
66.  
67. -----------------------------Type this-----------------------------------------
68. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
69.  
70. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
71.  
72. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
73.  
74. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
75. --------------------------------------------------------------------------------
76.  
77.  
78.  
79.  
80.  
81.  
82.  
83. ################
84. # The Scenario #
85. ################
86. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
87.  
88.  
89. The fastest thing you can do is perform static analysis.
90.  
91.  
92.  
93. ###################
94. # Static Analysis #
95. ###################
96.  
97. - After logging please open a terminal window and type the following commands:
98.  
99.  
100. ---------------------------Type This-----------------------------------
101.  
102.  
103. wget http://45.63.104.73/wannacry.zip
104.  
105. unzip wannacry.zip
106. infected
107.  
108. file wannacry.exe
109.  
110. mv wannacry.exe malware.pdf
111.  
112. file malware.pdf
113.  
114. mv malware.pdf wannacry.exe
115.  
116. hexdump -n 2 -C wannacry.exe
117.  
118. ----------------------------------------------------------------------
119.  
120.  
121.  
122. In a browser...go to: http://www.garykessler.net/library/file_sigs.html
123.  
124. ***What is '4d 5a' or 'MZ'***
125.  
126.  
127.  
128.  
129.  
130. ---------------------------Type This-----------------------------------
131. objdump -x wannacry.exe
132.  
133. strings wannacry.exe
134.  
135. strings wannacry.exe | grep -i dll
136.  
137. strings wannacry.exe | grep -i library
138.  
139. strings wannacry.exe | grep -i reg
140.  
141. strings wannacry.exe | grep -i key
142.  
143. strings wannacry.exe | grep -i rsa
144.  
145. strings wannacry.exe | grep -i open
146.  
147. strings wannacry.exe | grep -i get
148.  
149. strings wannacry.exe | grep -i mutex
150.  
151. strings wannacry.exe | grep -i irc
152.  
153. strings wannacry.exe | grep -i join
154.  
155. strings wannacry.exe | grep -i admin
156.  
157. strings wannacry.exe | grep -i list
158. ----------------------------------------------------------------------
159.  
160.  
161.  
162.  
163.  
164.  
165.  
166. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
167.  
168. Quick Google search for "wannacry ransomeware analysis"
169.  
170.  
171. Reference
172. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
173.  
174. - Yara Rule -
175.  
176.  
177. Strings:
178. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
179. $s2 = “Wanna Decryptor” wide ascii nocase
180. $s3 = “.wcry” wide ascii nocase
181. $s4 = “WANNACRY” wide ascii nocase
182. $s5 = “WANACRY!” wide ascii nocase
183. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
184.  
185.  
186.  
187.  
188.  
189.  
190.  
191.  
192. Ok, let's look for the individual strings
193.  
194.  
195. ---------------------------Type This-----------------------------------
196. strings wannacry.exe | grep -i ooops
197.  
198. strings wannacry.exe | grep -i wanna
199.  
200. strings wannacry.exe | grep -i wcry
201.  
202. strings wannacry.exe | grep -i wannacry
203.  
204. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
205. ----------------------------------------------------------------------
206.  
207.  
208.  
209.  
210.  
211.  
212.  
213.  
214.  
215.  
216.  
217.  
218.  
219.  
220.  
221.  
222. ####################################
223. # Tired of GREP - let's try Python #
224. ####################################
225. Decided to make my own script for this kind of stuff in the future. I
226.  
227. Reference1:
228. http://45.63.104.73/analyse_malware.py
229.  
230. This is a really good script for the basics of static analysis
231.  
232. Reference:
233. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
234.  
235.  
236. This is really good for showing some good signatures to add to the Python script
237.  
238.  
239. Here is my own script using the signatures (started this yesterday, but still needs work):
240. https://pastebin.com/guxzCBmP
241.  
242.  
243.  
244. ---------------------------Type This-----------------------------------
245. wget https://pastebin.com/raw/guxzCBmP
246.  
247.  
248. mv guxzCBmP am.py
249.  
250.  
251. cat am.py | less
252.  
253. python2.7 am.py wannacry.exe
254. ----------------------------------------------------------------------