Advertisement
joemccray

Quick DCO stuff

May 23rd, 2019
716
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.04 KB | None | 0 0
  1. ------------------------------------------------------------------
  2. Step 1: Download Putty from here:
  3. http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  4.  
  5.  
  6.  
  7.  
  8. IP Address: 144.202.37.49
  9. Protocol: ssh
  10. Port: 22
  11. username: np
  12. password: n3ts1m123
  13.  
  14.  
  15.  
  16.  
  17. ##############################################
  18. # Log Analysis with Linux command-line tools #
  19. ##############################################
  20. The following command line executables are found in the Mac as well as most Linux Distributions.
  21.  
  22. cat – prints the content of a file in the terminal window
  23. grep – searches and filters based on patterns
  24. awk – can sort each row into fields and display only what is needed
  25. sed – performs find and replace functions
  26. sort – arranges output in an order
  27. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  28.  
  29.  
  30. ##############
  31. # Cisco Logs #
  32. ##############
  33.  
  34. -----------------------------Type this-----------------------------------------
  35. wget http://45.63.104.73/cisco.log
  36. -------------------------------------------------------------------------------
  37.  
  38. AWK Basics
  39. ----------
  40. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  41.  
  42. -----------------------------Type this-----------------------------------------
  43. cat cisco.log | awk '{print $5}' | tail -n 4
  44. -------------------------------------------------------------------------------
  45.  
  46.  
  47.  
  48. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  49.  
  50. -----------------------------Type this-----------------------------------------
  51. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  52. -------------------------------------------------------------------------------
  53.  
  54.  
  55.  
  56. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  57.  
  58. -----------------------------Type this-----------------------------------------
  59. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  60. -------------------------------------------------------------------------------
  61.  
  62.  
  63.  
  64.  
  65. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  66.  
  67. -----------------------------Type this-----------------------------------------
  68. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  69.  
  70. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  71.  
  72. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  73.  
  74. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  75. --------------------------------------------------------------------------------
  76.  
  77.  
  78.  
  79.  
  80.  
  81.  
  82.  
  83. ################
  84. # The Scenario #
  85. ################
  86. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  87.  
  88.  
  89. The fastest thing you can do is perform static analysis.
  90.  
  91.  
  92.  
  93. ###################
  94. # Static Analysis #
  95. ###################
  96.  
  97. - After logging please open a terminal window and type the following commands:
  98.  
  99.  
  100. ---------------------------Type This-----------------------------------
  101.  
  102.  
  103. wget http://45.63.104.73/wannacry.zip
  104.  
  105. unzip wannacry.zip
  106. infected
  107.  
  108. file wannacry.exe
  109.  
  110. mv wannacry.exe malware.pdf
  111.  
  112. file malware.pdf
  113.  
  114. mv malware.pdf wannacry.exe
  115.  
  116. hexdump -n 2 -C wannacry.exe
  117.  
  118. ----------------------------------------------------------------------
  119.  
  120.  
  121.  
  122. In a browser...go to: http://www.garykessler.net/library/file_sigs.html
  123.  
  124. ***What is '4d 5a' or 'MZ'***
  125.  
  126.  
  127.  
  128.  
  129.  
  130. ---------------------------Type This-----------------------------------
  131. objdump -x wannacry.exe
  132.  
  133. strings wannacry.exe
  134.  
  135. strings wannacry.exe | grep -i dll
  136.  
  137. strings wannacry.exe | grep -i library
  138.  
  139. strings wannacry.exe | grep -i reg
  140.  
  141. strings wannacry.exe | grep -i key
  142.  
  143. strings wannacry.exe | grep -i rsa
  144.  
  145. strings wannacry.exe | grep -i open
  146.  
  147. strings wannacry.exe | grep -i get
  148.  
  149. strings wannacry.exe | grep -i mutex
  150.  
  151. strings wannacry.exe | grep -i irc
  152.  
  153. strings wannacry.exe | grep -i join
  154.  
  155. strings wannacry.exe | grep -i admin
  156.  
  157. strings wannacry.exe | grep -i list
  158. ----------------------------------------------------------------------
  159.  
  160.  
  161.  
  162.  
  163.  
  164.  
  165.  
  166. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  167.  
  168. Quick Google search for "wannacry ransomeware analysis"
  169.  
  170.  
  171. Reference
  172. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  173.  
  174. - Yara Rule -
  175.  
  176.  
  177. Strings:
  178. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  179. $s2 = “Wanna Decryptor” wide ascii nocase
  180. $s3 = “.wcry” wide ascii nocase
  181. $s4 = “WANNACRY” wide ascii nocase
  182. $s5 = “WANACRY!” wide ascii nocase
  183. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  184.  
  185.  
  186.  
  187.  
  188.  
  189.  
  190.  
  191.  
  192. Ok, let's look for the individual strings
  193.  
  194.  
  195. ---------------------------Type This-----------------------------------
  196. strings wannacry.exe | grep -i ooops
  197.  
  198. strings wannacry.exe | grep -i wanna
  199.  
  200. strings wannacry.exe | grep -i wcry
  201.  
  202. strings wannacry.exe | grep -i wannacry
  203.  
  204. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  205. ----------------------------------------------------------------------
  206.  
  207.  
  208.  
  209.  
  210.  
  211.  
  212.  
  213.  
  214.  
  215.  
  216.  
  217.  
  218.  
  219.  
  220.  
  221.  
  222. ####################################
  223. # Tired of GREP - let's try Python #
  224. ####################################
  225. Decided to make my own script for this kind of stuff in the future. I
  226.  
  227. Reference1:
  228. http://45.63.104.73/analyse_malware.py
  229.  
  230. This is a really good script for the basics of static analysis
  231.  
  232. Reference:
  233. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  234.  
  235.  
  236. This is really good for showing some good signatures to add to the Python script
  237.  
  238.  
  239. Here is my own script using the signatures (started this yesterday, but still needs work):
  240. https://pastebin.com/guxzCBmP
  241.  
  242.  
  243.  
  244. ---------------------------Type This-----------------------------------
  245. wget https://pastebin.com/raw/guxzCBmP
  246.  
  247.  
  248. mv guxzCBmP am.py
  249.  
  250.  
  251. cat am.py | less
  252.  
  253. python2.7 am.py wannacry.exe
  254. ----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement