View difference between Paste ID: <a href="/fm00A12K">fm00A12K</a> and <a href="/Gdv2Mub4">Gdv2Mub4</a>

Here is the material from the Malware Analysis for Vets class:
1	-	Here is the material from the Malware Analysis for Vets class:
1	+	###############
2		# Class Video #
3	-	Here is the class video:
3	+	###############
4	-	https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv
4	+	https://s3.amazonaws.com/StrategicSec-Videos/2015-12-12+09.16+Hands-On+IT+Security+-+makeup.mp4
5
6	-	Here is the courseware:
6	+
7	-	https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx
7	+	##########
8		# VMWare #
9	-	Malware Analysis Tools:
9	+	##########
10	-	https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip
10	+	- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
11
12	-	Software you may find useful:
12	+	- A 30-day trial of Workstation 11 can be downloaded from here:
13	-	https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip
13	+	- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
14
15	-	Actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
15	+	- A 30-day trial of Fusion 7 can be downloaded from here:
16	-	https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
16	+	- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
17
18		- The newest version of VMWare Player can be downloaded from here:
19	-	Class virtual machines:
19	+	- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
20
21	-	Linux VM
21	+
22	-	https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar
22	+	- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
23
24
25		##########################
26	-	Windows VM
26	+	# Download the attack VM #
27	-	https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar
27	+	##########################
28		https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
29		user: malware
30		pass: malware
31
32
33	-	Malware can only do 4 things:
33	+
34
35	-	1. Modify the filesystem
35	+
36	-	2. Modify the registry
36	+
37	-	3. Modify processes/services
37	+
38	-	4. Connect to the Internet/local network
38	+
39
40		This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
41	-	Reverse Engineering malware is different:
41	+
42	-	1. Encryption/Obfuscation
42	+
43	-	2. Payload
43	+	wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py
44	-	3. Programming Style
44	+
45	-	4. Motive/Intent
45	+
46		infected
47
48	-	Note: If you seriously want to do Reverse Engineering at work, then you need at least 10 million samples of malware.
48	+
49
50	-	Here is a small database to play with:
50	+
51
52	-	855MB file size - be sure to run in a VM
52	+
53
54		mv malware.pdf malware.exe
55	-	Good reference links:
55	+
56	-	http://www.garykessler.net/library/file_sigs.html <-- file headers
56	+
57
58	-	Things we did to the malware on the Windows VM:
58	+
59	-	- PEID
59	+
60	-	- StudPE
60	+
61	-	- saw 'ABC0' as entry point and we thought that was strange
61	+
62	-	- Hex Editor
62	+
63	-	- Strings
63	+
64		strings malware.exe
65	-	Open a command prompt:
65	+
66	-	cd c:\Documents and Settings\Administrator\Desktop\Strings
66	+
67	-	copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .
67	+
68	-	- strings.exe malware.exe \| findstr ".dll"
68	+
69	-	- strings.exe malware.exe \| more <-- let's you page through the data by pressing the space bar
69	+
70	-	- strings.exe malware.exe \| findstr "ABC"
70	+
71	-	-ABC0
71	+
72	-	-ABC1
72	+
73	-	-ABC2
73	+
74	-	-ABC!
74	+
75	-	-ABC^
75	+
76	-	- strings.exe malware.exe \| findstr ".dll"
76	+
77	-	We googled ws2_32.dll and found out it does windows sockets
77	+
78	-	- strings.exe malware.exe \| findstr "IRC"
78	+
79	-	- strings.exe malware.exe \| findstr "JOIN"
79	+
80	-	List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
80	+
81	-	- strings.exe malware.exe \| findstr "ADMIN"
81	+
82	-	- strings.exe malware.exe \| findstr "LIST"
82	+
83
84	-	Let's check to see if it modifies the registry
84	+
85	-	- strings.exe malware.exe \| findstr "REG"
85	+
86	-	- strings.exe malware.exe \| findstr "HKEY"
86	+
87	-	We didn't see anything like HKLM, HKCU or other registry type stuff
87	+
88
89		- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
90	-	##############################
90	+
91	-	# Moving to the Linux system #
91	+
92	-	##############################
92	+
93
94		python analyse_malware.py malware.exe
95
96
97		Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
98		http://derekmorton.name/files/malware_12-14-12.sql.bz2
99
100
101		Malware Repositories:
102		http://malshare.com/index.php
103	-	wget http://www.beenuarora.com/code/analyse_malware.py
103	+
104		http://www.virusign.com/
105		http://virusshare.com/
106		http://www.tekdefense.com/downloads/malware-samples/
107
108		###############################
109		# Creating a Malware Database #
110		###############################
111
112		Creating a malware database (sqlite)
113		------------------------------------
114		sudo apt-get install -y python-simplejson python-simplejson-dbg
115		wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
116		wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
117		unzip malware-password-is-infected.zip
118		infected
119		python avsubmit.py --init
120		python avsubmit.py -f malware.exe -e
121
122
123
124
125
126		Creating a malware database (mysql)
127		-----------------------------------
128		Step 1: Installing MySQL database
129		Run the following command in the terminal:
130
131		sudo apt-get install mysql-server
132
133		Step 2: Installing Python MySQLdb module
134		Run the following command in the terminal:
135
136		sudo apt-get build-dep python-mysqldb
137		sudo apt-get install python-mysqldb
138
139		Step 3: Logging in
140		Run the following command in the terminal:
141
142		mysql -u root -p (set a password of 'malware')
143
144		Then create one database by running following command:
145
146		create database malware;
147
148		exit;
149
150		wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
151
152		vi mal_to_db.py (fill in database connection information)
153
154		python mal_to_db.py -i
155
156		python mal_to_db.py -f malware.exe -u
157
158
159		mysql -u root -p
160		malware
161
162		mysql> use malware;
163
164		select id,md5,sha1,sha256,time FROM files;
165
166		mysql> quit;
167
168
169
170
171
172		########
173		# Yara #
174		########
175
176		sudo apt-get install -y yara libyara-dev libyara2 python-yara clamav clamav-freshclam libpcre3 libpcre3-dev
177
178		sudo freshclam
179
180		sudo Clamscan
181
182
183		yara -v
184
185		wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
186
187		sigtool -u /var/lib/clamav/main.cvd
188
189		python clamav_to_yara.py -f main.ndb -o clamav.yara
190
191		wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
192
193		unzip malware-password-is-infected.zip
194		infected
195
196
197		cd ~/Desktop/
198
199		mkdir malcode/
200
201		cp malware.exe malcode/
202
203		vi testrule.yara
204		----------------
205		rule IsPE
206		{
207		meta:
208		description = "Windows executable file"
209
210		condition:
211	-	vi mal_to_db.py -i (fill in database connection information)
211	+
212		uint16(0) == 0x5A4D and
213		// ... PE signature at offset stored in MZ header at 0x3C
214		uint32(uint32(0x3C)) == 0x00004550
215	-	python mal_to_db.py -i -f malware.exe -u
215	+
216		-----------------
217
218
219		yara testrule.yara malcode/malware.exe
220
221
222
223
224
225		vi testrule.yara
226		----------------
227		rule IsPE
228		{
229		meta:
230		description = "Windows executable file"
231	-	##############################
231	+
232	-	# Lesson 32: Setting up Yara #
232	+
233	-	##############################
233	+
234		uint16(0) == 0x5A4D and
235		// ... PE signature at offset stored in MZ header at 0x3C
236	-	sudo apt-get install clamav clamav-freshclam
236	+
237		}
238
239
240		rule has_no_DEP
241		{
242	-	sudo apt-get install libpcre3 libpcre3-dev
242	+
243		description = "DEP is not enabled"
244	-	wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
244	+
245		condition:
246	-	wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
246	+
247		uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
248	-	tar -zxvf v3.1.0.tar.gz
248	+
249
250	-	cd yara-3.1.0/
250	+	-----------------
251
252	-	./bootstrap.sh
252	+
253		yara testrule.yara malcode/malware.exe
254	-	./configure
254	+
255
256	-	make
256	+
257
258	-	make check
258	+
259
260	-	sudo make install
260	+
261
262	-	cd yara-python/
262	+
263		vi testrule.yara
264	-	python setup.py build
264	+
265		rule IsPE
266	-	sudo python setup.py install
266	+
267		meta:
268		description = "Windows executable file"
269
270		condition:
271		// MZ signature at offset 0 and ...
272		uint16(0) == 0x5A4D and
273		// ... PE signature at offset stored in MZ header at 0x3C
274		uint32(uint32(0x3C)) == 0x00004550
275		}
276
277
278		rule has_no_DEP
279		{
280		meta:
281		description = "DEP is not enabled"
282
283		condition:
284		IsPE and
285	-	mv malware.exe malcode/
285	+
286		}
287
288		rule has_no_ASLR
289		{
290		meta:
291		description = "ASLR is not enabled"
292
293		condition:
294		IsPE and
295		uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
296		}
297		-----------------
298
299
300		yara testrule.yara malcode/malware.exe
301
302
303
304
305
306
307
308		mkdir rules/
309
310		cd rules/
311
312		wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
313
314		wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
315
316		wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
317
318		cd ..
319
320
321		yara rules/capabilities.yara malcode/malware.exe
322
323		yara rules/magic.yara malcode/malware.exe
324
325		yara rules/packer.yara malcode/malware.exe
326
327
328
329		Would you like to run multiple rules against the malware?????
330
331		Option 1:
332		---------
333		cd rules/
334		for i in $( ls --hide=master.yara ); do echo include \"$i\";done > master.yara
335		cd ..
336		yara -w rules/master.yara malcode/malware.exe
337	-	yara rules/ malcode/malware.exe
337	+
338
339	-	wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
339	+	Option 2:
340		---------
341	-	unzip master.zip
341	+	Install latest version of Yara from source (it let's point yara at a directory of rules)
342
343	-	cd YaraGenerator-master/
343	+
344
345	-	python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
345	+
346
347	-	cat Test-Rule-2.yar
347	+
348
349	-	wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
349	+
350		# Additional Tasks #
351	-	yara Test-Rule-2.yar putty.exe
351	+
352
353		- PE Scanner:
354		https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
355		http://www.beenuarora.com/code/analyse_malware.py
356
357		- AV submission:
358		http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
359		https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
360
361		- Malware Database Creation:
362		https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
363
364
365
366
367		cd /home/malware/Desktop/Browser\ Forensics
368
369		ls \| grep pcap
370
371		perl chaosreader.pl suspicious-time.pcap
372
373		firefox index.html
374
375		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
376
377		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
378
379		sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
380
381
382
383
384		for i in session_00[0-9]*.www.html; do srcip=`cat "$i" \| grep 'www:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'www:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
385
386
387		tshark -r suspicious-time.pcap \| grep 'NB.20\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
388
389
390		tshark -r suspicious-time.pcap \| grep 'NB.1e\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
391
392
393		tshark -r suspicious-time.pcap arp \| grep has \| awk '{print $3," -> ",$9}' \| tr -d '?'
394
395
396		tshark –r suspicious-time.pcap -Tfields -e “eth.src” \| sort \| uniq
397
398
399		tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" \| uniq
400
401		tshark -r suspicious-time.pcap -Tfields -e "eth.src" \| sort \|uniq
402
403		tshark -r suspicious-time.pcap -qz ip_hosts,tree
404
405		tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
406
407		tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
408
409
410		whois rapidshare.com.eyu32.ru
411
412		whois sploitme.com.cn
413
414
415
416
417
418		tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
419
420		tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
421
422		tshark -r suspicious-time.pcap -qz http_req,tree
423
424		tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
425
426		tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
427
428
429
430
431
432		cd /home/malware/Desktop/Banking\ Troubles/Volatility
433
434		python volatility
435		python volatility pslist -f ../hn_forensics.vmem
436		python volatility connscan2 -f ../hn_forensics.vmem
437		python volatility memdmp -p 888 -f ../hn_forensics.vmem
438		python volatility memdmp -p 1752 -f ../hn_forensics.vmem
439		*Takes a few min*
440		strings 1752.dmp \| grep "^http://" \| sort \| uniq
441		strings 1752.dmp \| grep "Ahttps://" \| uniq -u
442		cd ..
443		foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
444		cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
445		cat audit.txt
446		cd pdf
447		ls
448		grep -i javascript *.pdf
449
450	-	cd foremost-1.5.7/
450	+
451
452		cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
453		wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
454		unzip pdf-parser_V0_6_4.zip
455		python pdf-parser.py -s javascript --raw 00600328.pdf
456		python pdf-parser.py --object 11 00600328.pdf
457		python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
458
459		cat malicious.js
460
461	-	/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf
461	+
462	-	/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf
462	+
463	-	/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
463	+
464
465		cd /home/malware/Desktop/Banking\ Troubles/Volatility/
466		python volatility files -f ../hn_forensics.vmem > files
467		cat files \| less
468		python volatility malfind -f ../hn_forensics.vmem -d out
469		ls out/
470		python volatility hivescan -f ../hn_forensics.vmem
471		python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
472		for file in $(ls *.dmp); do echo $file; strings $file \| grep bankofamerica; done