joemccray

Advanced Malware Analysis V2

Aug 28th, 2015

###############
# Class Video #
###############
https://s3.amazonaws.com/StrategicSec-Videos/2015-12-12+09.16+Hands-On+IT+Security+-+makeup.mp4


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: malware
pass: malware


Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging in, please open a terminal window and type the following commands:

cd Desktop/

This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py

unzip malware-password-is-infected.zip
infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
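The grep passes above pull a few indicator families (imported DLLs, registry paths, IRC verbs) out of the `strings` output one keyword at a time. The following is an added Python example, not part of the original paste and not analyse_malware.py, that does the same triage in one pass: it extracts printable ASCII and UTF-16LE strings (what `strings` and `strings -e l` print) and buckets them by the indicators the workshop greps for. The `SAMPLE` blob is constructed for the example and is not the class's malware.exe; the needle lists in `INDICATORS` are my own choice.

```python
import re
from collections import defaultdict

MIN_LEN = 4  # GNU strings' default minimum length

# Printable ASCII runs, as `strings` prints them.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE runs (printable byte followed by NUL), as `strings -e l` prints them.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Indicator families mirroring the workshop's grep -i passes (needles are my choice).
INDICATORS = {
    "dll": ("dll", "library"),
    "registry": ("reg", "hkey", "hklm", "hkcu", "hku", "currentversion"),
    "irc": ("irc", "join", "nick", "privmsg"),
    "admin": ("admin",),
}

# Constructed sample blob (not the class's malware.exe): ASCII and UTF-16LE
# strings separated by non-printable filler bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"KERNEL32.dll\x00\x01\x02\x03"
    + b"LoadLibraryA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xff\xfe" + "NICK bot123\r\n".encode("utf-16-le") + b"\x00\x00"
    + b"JOIN #channel\x00"
    + b"admin\x00"
    + b"ab\x00"  # shorter than MIN_LEN, dropped just as strings would drop it
)


def extract_strings(data):
    """Return (offset, encoding, text) tuples sorted by file offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(data)]
    return sorted(found)


def triage(data):
    """Bucket extracted strings by indicator family (case-insensitive, like grep -i)."""
    buckets = defaultdict(list)
    for _offset, _encoding, text in extract_strings(data):
        low = text.lower()
        for family, needles in INDICATORS.items():
            if any(n in low for n in needles):
                buckets[family].append(text)
    return dict(buckets)


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print("%08x %-8s %s" % (offset, encoding, text))
    for family, hits in triage(SAMPLE).items():
        print(family, "->", hits)
```

Running it on a real sample is `triage(open(path, "rb").read())`; the UTF-16LE pass matters on Windows binaries because wide strings are invisible to plain `strings`.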
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e



Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module
Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p (set a password of 'malware')

Then create one database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py (fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -f malware.exe -u


mysql -u root -p
malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;

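Both database recipes above end with a `files` table keyed by md5/sha1/sha256 plus a timestamp, which is what the final `select id,md5,sha1,sha256,time FROM files` reads back. As an added example (not the paste's own code, and not mal_to_db.py or avsubmit.py), here is a minimal sqlite version using only the Python standard library. The `size` column and the de-duplication on sha256 are my additions; the two sample byte strings are constructed stand-ins, not real samples.

```python
import hashlib
import sqlite3
import time

# Same column names the workshop's mysql query reads back, plus a size column.
SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,
    size   INTEGER NOT NULL,
    time   TEXT NOT NULL
)
"""


def hash_bytes(data):
    """The three digests the table stores, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def open_db(path=":memory:"):
    """Open (or create) the database; ':memory:' keeps the example self-contained."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def add_sample(conn, data, when=None):
    """Insert a sample's hashes. Returns (row_id, inserted); inserted is False
    when the same sha256 is already present, so re-submissions do not duplicate rows."""
    h = hash_bytes(data)
    when = when or time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())
    row = conn.execute("SELECT id FROM files WHERE sha256 = ?", (h["sha256"],)).fetchone()
    if row:
        return row[0], False
    cur = conn.execute(
        "INSERT INTO files (md5, sha1, sha256, size, time) VALUES (?, ?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], h["size"], when),
    )
    conn.commit()
    return cur.lastrowid, True


def lookup(conn, digest):
    """Find a row by md5, sha1 or sha256 (any case), or None if unknown."""
    d = digest.lower()
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE md5 = ? OR sha1 = ? OR sha256 = ?",
        (d, d, d),
    ).fetchone()


# Constructed stand-ins for samples (not real malware).
SAMPLE_A = b"MZ" + b"\x00" * 62 + b"constructed sample A"
SAMPLE_B = b"MZ" + b"\x00" * 62 + b"constructed sample B"

if __name__ == "__main__":
    db = open_db()
    print(add_sample(db, SAMPLE_A))
    print(add_sample(db, SAMPLE_A))  # duplicate: same id, inserted=False
    print(add_sample(db, SAMPLE_B))
    for row in db.execute("SELECT id, md5, sha1, sha256, time FROM files"):
        print(row)
```

Pointing `open_db` at a file path gives a persistent store; the Derek Morton dump linked above has the same three digests per row, so importing it is a matter of mapping columns.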
########
# Yara #
########

sudo apt-get install -y yara libyara-dev libyara2 python-yara clamav clamav-freshclam libpcre3 libpcre3-dev

sudo freshclam

sudo clamscan


yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
infected


cd ~/Desktop/

mkdir malcode/

cp malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}
-----------------


yara testrule.yara malcode/malware.exe


vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}


rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}
-----------------


yara testrule.yara malcode/malware.exe


vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}


rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
-----------------


yara testrule.yara malcode/malware.exe


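The three rules above all hinge on the same header arithmetic: `uint16(0)` is the MZ signature, `uint32(0x3C)` is e_lfanew (the offset of the PE header), and `uint32(0x3C)+0x5E` lands on DllCharacteristics in the optional header (4 bytes of PE signature, 20 bytes of COFF header, then offset 0x46 inside the optional header). The following added Python example, not from the paste and not from the Malware Analyst's Cookbook, walks the same offsets with `struct`, reports DEP (IMAGE_DLLCHARACTERISTICS_NX_COMPAT, 0x0100) and ASLR (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0x0040), and lists which of the three rule names a file would match. `build_pe32` fabricates a minimal PE32 header purely to exercise the checks; the function names are assumptions of the example.

```python
import struct

# DllCharacteristics flags from the PE optional header (winnt.h names).
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in

DOS_MAGIC = b"MZ"             # uint16(0) == 0x5A4D in rule IsPE
PE_SIGNATURE = b"PE\x00\x00"  # uint32(uint32(0x3C)) == 0x00004550
E_LFANEW_OFFSET = 0x3C
DLLCHARS_FROM_PE = 0x5E       # 4 (signature) + 20 (COFF header) + 0x46 (into optional header)


def is_pe(data):
    """Same test as rule IsPE: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != DOS_MAGIC:
        return False
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def dll_characteristics(data):
    """DllCharacteristics (uint16 at e_lfanew + 0x5E), or None if the header is truncated."""
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    off = e_lfanew + DLLCHARS_FROM_PE
    if len(data) < off + 2:
        return None
    return struct.unpack_from("<H", data, off)[0]


def mitigations(data):
    """{'DEP': bool, 'ASLR': bool} for a PE image, or None if it is not a readable one."""
    if not is_pe(data):
        return None
    dc = dll_characteristics(data)
    if dc is None:
        return None
    return {
        "DEP": bool(dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "ASLR": bool(dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def match_rules(data):
    """Names of the testrule.yara rules this image would match.

    Note the parentheses: yara gives '&' higher precedence than '==', so
    'x & 0x100 == 0' works there, but Python would parse it as 'x & (0x100 == 0)'.
    """
    if not is_pe(data):
        return []
    matched = ["IsPE"]
    dc = dll_characteristics(data)
    if dc is None:
        return matched
    if (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == 0:
        matched.append("has_no_DEP")
    if (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == 0:
        matched.append("has_no_ASLR")
    return matched


def build_pe32(dll_chars, e_lfanew=0x80):
    """Constructed minimal PE32 header (not a loadable program) to exercise the checks."""
    dos = bytearray(e_lfanew)
    dos[0:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    # COFF header: Machine=i386, 1 section, no timestamp/symbols,
    # SizeOfOptionalHeader=0xE0, Characteristics = EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 0x46, dll_chars)   # DllCharacteristics
    return bytes(dos) + PE_SIGNATURE + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0x0000, 0x0100, 0x0140):
        img = build_pe32(flags)
        print(hex(flags), mitigations(img), match_rules(img))
```

For a real file use `match_rules(open(path, "rb").read())`; the offset 0x46 is the same for PE32 and PE32+, so the check does not depend on the optional header magic.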
mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..


yara rules/capabilities.yara malcode/malware.exe

yara rules/magic.yara malcode/malware.exe

yara rules/packer.yara malcode/malware.exe



Would you like to run multiple rules against the malware?

Option 1:
---------
cd rules/
for i in $( ls --hide=master.yara ); do echo include \"$i\";done > master.yara
cd ..
yara -w rules/master.yara malcode/malware.exe


Option 2:
---------
Install the latest version of Yara from source (it lets you point yara at a directory of rules)



####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py



cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'



cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf


cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js

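The pdf-parser steps above (`-s javascript`, then `--object`, then `--object --raw --filter`) amount to: find the objects whose dictionary names JavaScript, follow the `/JS n 0 R` reference to the object holding the script, and inflate its FlateDecode stream. The following added Python example, which is not from the paste and not Didier Stevens' pdf-parser, implements that minimal path over a PDF it builds inline. It only understands FlateDecode and does not handle object streams, cross-reference tables or encrypted documents, which the real tool does; the object numbers in the constructed file are my own and unrelated to the class's 00600328.pdf.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_START_RE = re.compile(rb"stream\r?\n")
# Direct /Length only; an indirect "/Length 5 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)", re.S)


def parse_objects(pdf):
    """Object number -> raw body between 'obj' and 'endobj'. No xref parsing, so a
    compressed stream that happens to contain the bytes 'endobj' would confuse this."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def dictionary_part(body):
    """The dictionary text before any stream data."""
    return body.split(b"stream", 1)[0]


def stream_data(body):
    """Stream payload, inflated when the dictionary names /FlateDecode (the --filter step).
    A direct /Length is honoured; otherwise the bytes up to 'endstream' are taken."""
    m = STREAM_START_RE.search(body)
    if not m:
        return None
    start = m.end()
    length = LENGTH_RE.search(dictionary_part(body))
    if length:
        raw = body[start:start + int(length.group(1))]
    else:
        raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    if b"/FlateDecode" in dictionary_part(body):
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw  # keep the bytes for manual inspection rather than dropping them
    return raw


def javascript_objects(pdf):
    """Object numbers whose dictionary mentions /JavaScript or /JS (roughly `-s javascript`)."""
    return [num for num, body in parse_objects(pdf).items()
            if b"/JavaScript" in dictionary_part(body) or b"/JS" in dictionary_part(body)]


def find_javascript(pdf):
    """Object number -> script text, following '/JS n 0 R' to the object holding the stream."""
    objects = parse_objects(pdf)
    scripts = {}
    for num in javascript_objects(pdf):
        d = dictionary_part(objects[num])
        ref = JS_REF_RE.search(d)
        if ref:
            target = int(ref.group(1))
            data = stream_data(objects.get(target, b""))
            if data is not None:
                scripts[target] = data.decode("latin-1")
            continue
        inline = JS_INLINE_RE.search(d)
        if inline:
            # PDF literal strings escape '(', ')' and '\' with a backslash
            scripts[num] = re.sub(rb"\\(.)", rb"\1", inline.group(1)).decode("latin-1")
            continue
        data = stream_data(objects[num])  # script stream held directly in this object
        if data is not None:
            scripts[num] = data.decode("latin-1")
    return scripts


def build_sample_pdf(stream_script, inline_script):
    """Constructed PDF: the OpenAction (obj 11) references a FlateDecode script stream
    (obj 12) and a second action (obj 13) carries an inline, PDF-escaped script."""
    comp = zlib.compress(stream_script)
    return (
        b"%PDF-1.4\n"
        + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 11 0 R >> endobj\n"
        + b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        + b"11 0 obj << /Type /Action /S /JavaScript /JS 12 0 R >> endobj\n"
        + b"12 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
        + b"stream\n" + comp + b"\nendstream\nendobj\n"
        + b"13 0 obj << /Type /Action /S /JavaScript /JS (" + inline_script + b") >> endobj\n"
        + b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    sample = build_sample_pdf(b"app.alert('constructed sample script');", rb"this.print\(\)")
    print("objects mentioning JavaScript:", javascript_objects(sample))
    for num, code in sorted(find_javascript(sample).items()):
        print("obj %d: %s" % (num, code))
```

Against a carved file the call is `find_javascript(open(path, "rb").read())`; the returned text is what the workshop redirects into malicious.js for inspection, never executed.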
*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done