Advertisement
joemccray

Advanced Malware Analysis V2

Aug 28th, 2015
2,055
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ###############
  2. # Class Video #
  3. ###############
  4. https://s3.amazonaws.com/StrategicSec-Videos/2015-12-12+09.16+Hands-On+IT+Security+-+makeup.mp4
  5.  
  6.  
  7. ##########
  8. # VMWare #
  9. ##########
  10. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  11.  
  12. - A 30-day trial of Workstation 11 can be downloaded from here:
  13. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
  14.  
  15. - A 30-day trial of Fusion 7 can be downloaded from here:
  16. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
  17.  
  18. - The newest version of VMWare Player can be downloaded from here:
  19. - https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
  20.  
  21.  
  22. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  23.  
  24.  
  25. ##########################
  26. # Download the attack VM #
  27. ##########################
  28. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  29. user: malware
  30. pass: malware
  31.  
  32.  
  33. Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
  34.  
  35. After logging please open a terminal window and type the following commands:
  36.  
  37. cd Desktop/
  38.  
  39.  
  40. This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
  41.  
  42. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  43. wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py
  44.  
  45. unzip malware-password-is-infected.zip
  46. infected
  47.  
  48. file malware.exe
  49.  
  50. mv malware.exe malware.pdf
  51.  
  52. file malware.pdf
  53.  
  54. mv malware.pdf malware.exe
  55.  
  56. hexdump -n 2 -C malware.exe
  57.  
  58. ***What is '4d 5a' or 'MZ'***
  59. Reference: http://www.garykessler.net/library/file_sigs.html
  60.  
  61.  
  62. objdump -x malware.exe
  63.  
  64. strings malware.exe
  65.  
  66. strings --all malware.exe | head -n 6
  67.  
  68. strings malware.exe | grep -i dll
  69.  
  70. strings malware.exe | grep -i library
  71.  
  72. strings malware.exe | grep -i reg
  73.  
  74. strings malware.exe | grep -i hkey
  75.  
  76. strings malware.exe | grep -i hku
  77.  
  78. - We didn't see anything like HKLM, HKCU or other registry type stuff
  79.  
  80. strings malware.exe | grep -i irc
  81.  
  82. strings malware.exe | grep -i join
  83.  
  84. strings malware.exe | grep -i admin
  85.  
  86. strings malware.exe | grep -i list
  87.  
  88.  
  89. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  90. sudo apt-get install -y python-pefile
  91.  
  92. vi analyse_malware.py
  93.  
  94. python analyse_malware.py malware.exe
  95.  
  96.  
  97. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  98. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  99.  
  100.  
  101. Malware Repositories:
  102. http://malshare.com/index.php
  103. http://www.malwareblacklist.com/
  104. http://www.virusign.com/
  105. http://virusshare.com/
  106. http://www.tekdefense.com/downloads/malware-samples/
  107.  
  108. ###############################
  109. # Creating a Malware Database #
  110. ###############################
  111.  
  112. Creating a malware database (sqlite)
  113. ------------------------------------
  114. sudo apt-get install -y python-simplejson python-simplejson-dbg
  115. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  116. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  117. unzip malware-password-is-infected.zip
  118. infected
  119. python avsubmit.py --init
  120. python avsubmit.py -f malware.exe -e
  121.  
  122.  
  123.  
  124.  
  125.  
  126. Creating a malware database (mysql)
  127. -----------------------------------
  128. Step 1: Installing MySQL database
  129. Run the following command in the terminal:
  130.  
  131. sudo apt-get install mysql-server
  132.  
  133. Step 2: Installing Python MySQLdb module
  134. Run the following command in the terminal:
  135.  
  136. sudo apt-get build-dep python-mysqldb
  137. sudo apt-get install python-mysqldb
  138.  
  139. Step 3: Logging in
  140. Run the following command in the terminal:
  141.  
  142. mysql -u root -p (set a password of 'malware')
  143.  
  144. Then create one database by running following command:
  145.  
  146. create database malware;
  147.  
  148. exit;
  149.  
  150. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  151.  
  152. vi mal_to_db.py (fill in database connection information)
  153.  
  154. python mal_to_db.py -i
  155.  
  156. python mal_to_db.py -f malware.exe -u
  157.  
  158.  
  159. mysql -u root -p
  160. malware
  161.  
  162. mysql> use malware;
  163.  
  164. select id,md5,sha1,sha256,time FROM files;
  165.  
  166. mysql> quit;
  167.  
  168.  
  169.  
  170.  
  171.  
  172. ########
  173. # Yara #
  174. ########
  175.  
  176. sudo apt-get install -y yara libyara-dev libyara2 python-yara clamav clamav-freshclam libpcre3 libpcre3-dev
  177.  
  178. sudo freshclam
  179.  
  180. sudo Clamscan
  181.  
  182.  
  183. yara -v
  184.  
  185. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  186.  
  187. sigtool -u /var/lib/clamav/main.cvd
  188.  
  189. python clamav_to_yara.py -f main.ndb -o clamav.yara
  190.  
  191. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  192.  
  193. unzip malware-password-is-infected.zip
  194. infected
  195.  
  196.  
  197. cd ~/Desktop/
  198.  
  199. mkdir malcode/
  200.  
  201. cp malware.exe malcode/
  202.  
  203. vi testrule.yara
  204. ----------------
  205. rule IsPE
  206. {
  207. meta:
  208. description = "Windows executable file"
  209.  
  210. condition:
  211. // MZ signature at offset 0 and ...
  212. uint16(0) == 0x5A4D and
  213. // ... PE signature at offset stored in MZ header at 0x3C
  214. uint32(uint32(0x3C)) == 0x00004550
  215. }
  216. -----------------
  217.  
  218.  
  219. yara testrule.yara malcode/malware.exe
  220.  
  221.  
  222.  
  223.  
  224.  
  225. vi testrule.yara
  226. ----------------
  227. rule IsPE
  228. {
  229. meta:
  230. description = "Windows executable file"
  231.  
  232. condition:
  233. // MZ signature at offset 0 and ...
  234. uint16(0) == 0x5A4D and
  235. // ... PE signature at offset stored in MZ header at 0x3C
  236. uint32(uint32(0x3C)) == 0x00004550
  237. }
  238.  
  239.  
  240. rule has_no_DEP
  241. {
  242. meta:
  243. description = "DEP is not enabled"
  244.  
  245. condition:
  246. IsPE and
  247. uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
  248. }
  249.  
  250. -----------------
  251.  
  252.  
  253. yara testrule.yara malcode/malware.exe
  254.  
  255.  
  256.  
  257.  
  258.  
  259.  
  260.  
  261.  
  262.  
  263. vi testrule.yara
  264. ----------------
  265. rule IsPE
  266. {
  267. meta:
  268. description = "Windows executable file"
  269.  
  270. condition:
  271. // MZ signature at offset 0 and ...
  272. uint16(0) == 0x5A4D and
  273. // ... PE signature at offset stored in MZ header at 0x3C
  274. uint32(uint32(0x3C)) == 0x00004550
  275. }
  276.  
  277.  
  278. rule has_no_DEP
  279. {
  280. meta:
  281. description = "DEP is not enabled"
  282.  
  283. condition:
  284. IsPE and
  285. uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
  286. }
  287.  
  288. rule has_no_ASLR
  289. {
  290. meta:
  291. description = "ASLR is not enabled"
  292.  
  293. condition:
  294. IsPE and
  295. uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
  296. }
  297. -----------------
  298.  
  299.  
  300. yara testrule.yara malcode/malware.exe
  301.  
  302.  
  303.  
  304.  
  305.  
  306.  
  307.  
  308. mkdir rules/
  309.  
  310. cd rules/
  311.  
  312. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  313.  
  314. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  315.  
  316. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  317.  
  318. cd ..
  319.  
  320.  
  321. yara rules/capabilities.yara malcode/malware.exe
  322.  
  323. yara rules/magic.yara malcode/malware.exe
  324.  
  325. yara rules/packer.yara malcode/malware.exe
  326.  
  327.  
  328.  
  329. Would you like to run multiple rules against the malware?????
  330.  
  331. Option 1:
  332. ---------
  333. cd rules/
  334. for i in $( ls --hide=master.yara ); do echo include \"$i\";done > master.yara
  335. cd ..
  336. yara -w rules/master.yara malcode/malware.exe
  337.  
  338.  
  339. Option 2:
  340. ---------
  341. Install latest version of Yara from source (it let's point yara at a directory of rules)
  342.  
  343.  
  344.  
  345.  
  346.  
  347.  
  348.  
  349. ####################
  350. # Additional Tasks #
  351. ####################
  352.  
  353. - PE Scanner:
  354. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  355. http://www.beenuarora.com/code/analyse_malware.py
  356.  
  357. - AV submission:
  358. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  359. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  360.  
  361. - Malware Database Creation:
  362. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  363.  
  364.  
  365.  
  366.  
  367. cd /home/malware/Desktop/Browser\ Forensics
  368.  
  369. ls | grep pcap
  370.  
  371. perl chaosreader.pl suspicious-time.pcap
  372.  
  373. firefox index.html
  374.  
  375. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  376.  
  377. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  378.  
  379. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  380.  
  381.  
  382.  
  383.  
  384. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  385.  
  386.  
  387. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  388.  
  389.  
  390. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  391.  
  392.  
  393. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  394.  
  395.  
  396. tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq
  397.  
  398.  
  399. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  400.  
  401. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  402.  
  403. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  404.  
  405. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  406.  
  407. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  408.  
  409.  
  410. whois rapidshare.com.eyu32.ru
  411.  
  412. whois sploitme.com.cn
  413.  
  414.  
  415.  
  416.  
  417.  
  418. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  419.  
  420. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  421.  
  422. tshark -r suspicious-time.pcap -qz http_req,tree
  423.  
  424. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  425.  
  426. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  427.  
  428.  
  429.  
  430.  
  431.  
  432. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  433.  
  434. python volatility
  435. python volatility pslist -f ../hn_forensics.vmem
  436. python volatility connscan2 -f ../hn_forensics.vmem
  437. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  438. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  439. ***Takes a few min***
  440. strings 1752.dmp | grep "^http://" | sort | uniq
  441. strings 1752.dmp | grep "Ahttps://" | uniq -u
  442. cd ..
  443. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  444. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  445. cat audit.txt
  446. cd pdf
  447. ls
  448. grep -i javascript *.pdf
  449.  
  450.  
  451.  
  452. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  453. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  454. unzip pdf-parser_V0_6_4.zip
  455. python pdf-parser.py -s javascript --raw 00600328.pdf
  456. python pdf-parser.py --object 11 00600328.pdf
  457. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  458.  
  459. cat malicious.js
  460.  
  461.  
  462. *****Sorry - no time to cover javascript de-obfuscation today*****
  463.  
  464.  
  465. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  466. python volatility files -f ../hn_forensics.vmem > files
  467. cat files | less
  468. python volatility malfind -f ../hn_forensics.vmem -d out
  469. ls out/
  470. python volatility hivescan -f ../hn_forensics.vmem
  471. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  472. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement