Untitled

djtroby, May 31st, 2017
Here is the material from the Malware Analysis for Vets class:

Here is the class video:
https://s3.amazonaws.com/StrategicSec-Videos/2014-01-18+09.16+Malware+Analysis+For+Vets.wmv

Here is the courseware:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Docs/Basic-Malware_Analysis_Labs.docx

Malware Analysis Tools:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/MalwareAnalysisTools.zip

Software you may find useful:
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/Software.zip

Actual malware (remember to handle it only inside a VM; the password to extract it is 'infected'):
https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
    Keep the analysis VMs on a host-only or isolated network while a sample runs; the sample below has IRC bot strings in it and will try to phone home.


Class virtual machines:

** Linux VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware.vmwarevm.rar
user: malware
pass: malware

** Windows VM **
https://s3.amazonaws.com/StrategicSec-VMs/Malware_Windows.vmwarevm(1).rar




Malware can only do 4 things (from a host-monitoring point of view; this is what you watch for during dynamic analysis):

1. Modify the filesystem
2. Modify the registry
3. Modify processes/services
4. Connect to the Internet/local network


Reverse engineering malware is different. The things you characterise for each sample:
1. Encryption/Obfuscation
2. Payload
3. Programming Style
4. Motive/Intent


Note: If you seriously want to do reverse engineering at work, then you need a large corpus of samples; the class figure was at least 10 million.

Here is a small database to play with (a compressed SQL dump):
http://derekmorton.name/files/malware_12-14-12.sql.bz2
855MB file size - be sure to import it inside a VM


Good reference links:
http://www.garykessler.net/library/file_sigs.html   <-- file headers (magic bytes)

Things we did to the malware on the Windows VM:
- PEiD
- StudPE
    - saw 'ABC0' as entry point and we thought that was strange
- Hex Editor
- Strings (Sysinternals strings.exe; the first run needs -accepteula)

Open a command prompt:
cd c:\Documents and Settings\Administrator\Desktop\Strings
copy "c:\Documents and Settings\Administrator\Desktop\malware\malware.exe" .
    - strings.exe malware.exe | findstr /i ".dll"     <-- /i because import names can be upper- or lower-case
    - strings.exe malware.exe | more    <-- lets you page through the output by pressing the space bar
    - strings.exe malware.exe | findstr "ABC"
        -ABC0
        -ABC1
        -ABC2
        -ABC!
        -ABC^
    - strings.exe malware.exe | findstr /i ".dll"
        We googled ws2_32.dll and found out it is the Windows Sockets (Winsock) library, so the sample has network code
    - strings.exe malware.exe | findstr "IRC"
    - strings.exe malware.exe | findstr "JOIN"
        List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
    - strings.exe malware.exe | findstr "ADMIN"
    - strings.exe malware.exe | findstr "LIST"

Let's check to see if it modifies the registry:
    - strings.exe malware.exe | findstr "REG"
    - strings.exe malware.exe | findstr "HKEY"
        We didn't see anything like HKLM, HKCU or other registry type stuff
        (absence of strings is not proof: a packed or encrypted sample hides its strings until it is unpacked in memory)


##############################
# Moving to the Linux system #
##############################
Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging in, please open a terminal window and type the following commands:

cd Desktop/


This is actual malware (remember to run it only in a VM; the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
    infected                <-- password at the unzip prompt

file malware.exe

mv malware.exe malware.pdf

file malware.pdf            <-- still reports a PE32 executable: file(1) goes by the magic bytes, not by the extension

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
It is the two-byte signature at offset 0 of the DOS header that every Windows PE executable starts with (the initials of Mark Zbikowski). The offset of the 'PE\0\0' header proper is stored at 0x3C in that DOS header.
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe      <-- headers, sections and imports; objdump understands PE

strings malware.exe         <-- GNU strings reports ASCII only by default; add -e l to catch UTF-16LE strings, which Windows samples often use for paths and registry keys

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                            - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
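The strings hunting above (DLL names, IRC verbs, registry keys, URLs) as one small Python tool. This is an added example, not the class script and not Sysinternals or GNU strings; it runs on a constructed byte blob that stands in for malware.exe, and the category names and regexes are my own. Unlike plain `strings` it also pulls UTF-16LE strings (what `strings -e l` does), which is where Windows samples often keep registry paths.

```python
import re

# Constructed stand-in for malware.exe (not the class sample): a DOS stub, import
# names, IRC verbs, a UTF-16LE registry path and a URL, padded with non-printables.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n\r\n$\x00\x00"
    + b"KERNEL32.dll\x00ws2_32.dll\x00ADVAPI32.dll\x00"
    + b"\x00NICK %s\x00JOIN #%s\x00PRIVMSG\x00ADMIN\x00LIST\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00http://example.invalid/update.php\x00\x01\x02\x03"
)


def extract_strings(data, min_len=4):
    """ASCII runs like `strings`, plus UTF-16LE runs like `strings -e l`.
    Returns (offset, kind, text) tuples sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "wide", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


# Buckets matching the findstr/grep hunts done in class (the labels are mine).
CATEGORIES = {
    "dll": re.compile(r"\.dll$", re.I),
    "irc": re.compile(r"^(NICK|USER|JOIN|PART|PRIVMSG|MODE|KICK|PONG|ADMIN|LIST)\b", re.I),
    "registry": re.compile(r"^HK(EY_|LM\\|CU\\|CR\\|U\\)|\\CurrentVersion\\Run", re.I),
    "url": re.compile(r"^(https?|ftp)://", re.I),
}


def triage(strings):
    """Group extracted strings by category; strings matching nothing are dropped."""
    hits = {name: [] for name in CATEGORIES}
    for _offset, _kind, text in strings:
        for name, pattern in CATEGORIES.items():
            if pattern.search(text):
                hits[name].append(text)
    return hits


def report(data):
    """One 'category  string' line per hit, in file order."""
    lines = []
    for name, texts in triage(extract_strings(data)).items():
        for text in texts:
            lines.append("%-8s %s" % (name, text))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Run it against a real file with `report(open(path, "rb").read())`; the interesting part of the output is usually what falls into no bucket, so print the full `extract_strings` list as well when triaging a new sample.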
sudo apt-get install -y python-pefile

vi analyse_malware.py       <-- read a downloaded script before you run it

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to seed your own DB (the same dump linked above):
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
    infected                <-- password at the unzip prompt
python avsubmit.py --init                <-- creates the sqlite database
python avsubmit.py -f malware.exe -e




Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server          <-- the installer prompts for a root password; the class used 'malware'

Step 2: Installing Python MySQLdb module
Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p                    (enter the root password you set above: 'malware')

Then create one database by running the following command:

create database malware;



wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py             (fill in the database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
    malware                 <-- password prompt

mysql> use malware;

mysql> select id,md5,sha1,sha256,time FROM files;

mysql> quit;




##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam                      <-- pulls the ClamAV signature database (main.cvd etc.) into /var/lib/clamav

clamscan                            <-- scans the current directory; no sudo needed for that

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
    (this is the yara-python for the old 1.x series and is not used below; the 3.1.0 source tree ships its own yara-python/ directory, which is what gets built)

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh                      <-- runs autoreconf, so autoconf, automake and libtool must be installed

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v                             <-- if it complains that libyara cannot be found, run sudo ldconfig

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd          <-- unpacks the ClamAV database into the current directory (main.ndb, main.hdb, ...)

python clamav_to_yara.py -f main.ndb -o clamav.yara        <-- converts the ClamAV body-based signatures into YARA rules

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
    infected                <-- password at the unzip prompt

mkdir malcode/

mv malware.exe malcode/
vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at the offset stored in the MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled (IMAGE_DLLCHARACTERISTICS_NX_COMPAT clear)"

    condition:
        // DllCharacteristics sits at optional header + 0x46; the optional header starts
        // 0x18 bytes after the PE signature, so e_lfanew + 0x5E (same for PE32 and PE32+)
        IsPE and
        (uint16(uint32(0x3C) + 0x5E) & 0x0100) == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE clear)"

    condition:
        IsPE and
        (uint16(uint32(0x3C) + 0x5E) & 0x0040) == 0
}
----------------
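The same three checks as the rule file above, done in Python so the byte offsets the rules hard-code are visible. This is an added example, not class material; `build_pe32` constructs a non-runnable, header-only PE32 image purely to exercise the checks, and `matching_rules` returns the rule names yara would print. Caveat: the flags only record what the linker was asked for; whether DEP is actually enforced also depends on the system DEP policy, and DYNAMIC_BASE does nothing useful on an image that was linked without a relocation section.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from winnt.h.
DYNAMIC_BASE = 0x0040   # ASLR opt-in
NX_COMPAT = 0x0100      # DEP opt-in


def build_pe32(dll_characteristics, e_lfanew=0x80):
    """Constructed fixture: a minimal, non-runnable PE32 header layout (DOS header,
    'PE\\0\\0', 20-byte COFF header, 0xE0-byte optional header). No sections follow;
    it exists only so the header checks below have something to parse."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)                        # e_lfanew -> 'PE\0\0'
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, opt hdr size, EXE
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                           # Magic: PE32
    struct.pack_into("<H", opt, 0x46, dll_characteristics)             # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


def pe_header_flags(data):
    """The IsPE / has_no_DEP / has_no_ASLR checks from the rule file, in Python."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False}
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x60 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"is_pe": False}
    magic = struct.unpack_from("<H", data, e_lfanew + 0x18)[0]   # optional header starts 24 bytes in
    dllc = struct.unpack_from("<H", data, e_lfanew + 0x5E)[0]    # 0x18 + 0x46, PE32 and PE32+ alike
    return {
        "is_pe": True,
        "pe32plus": magic == 0x20B,
        "dll_characteristics": dllc,
        "dep": bool(dllc & NX_COMPAT),
        "aslr": bool(dllc & DYNAMIC_BASE),
    }


def matching_rules(data):
    """Rule names that would fire, in the order the rule file defines them."""
    flags = pe_header_flags(data)
    if not flags["is_pe"]:
        return []
    names = ["IsPE"]
    if not flags["dep"]:
        names.append("has_no_DEP")
    if not flags["aslr"]:
        names.append("has_no_ASLR")
    return names


def scan_file(path):
    """Headers live at the start of the file; 64 KiB covers any sane e_lfanew."""
    with open(path, "rb") as fh:
        return matching_rules(fh.read(65536))


if __name__ == "__main__":
    for dllc in (0x0000, NX_COMPAT, NX_COMPAT | DYNAMIC_BASE):
        print("DllCharacteristics=0x%04x -> %s" % (dllc, matching_rules(build_pe32(dllc))))
```

`scan_file("malcode/malware.exe")` gives the same verdict as `yara testrule.yara malcode/malware.exe`; a mismatch between the two means one of them mis-parsed a deliberately odd header, which is itself worth a look.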


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe
    (if your yara build rejects a directory as the rules argument, name the files: yara rules/capabilities.yara rules/magic.yara rules/packer.yara malcode/malware.exe)

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar                 <-- read the auto-picked strings; generic ones (DOS stub text, common API names) make the rule fire on everything

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe        <-- a known-good binary to use as a negative control

yara Test-Rule-2.yar putty.exe      <-- should print nothing; a match here means the generated rule is too generic




####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
    (anything you submit to VirusTotal is shared with every AV vendor; don't upload samples you are not allowed to disclose)

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py




cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap        <-- rebuilds every session from the pcap and writes index.html / index.text plus one file per session

firefox index.html

grep -v '"' index.text | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

grep -v '"' index.text | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

tshark -r suspicious-time.pcap -qz io,phs       <-- protocol hierarchy; reading a capture file needs neither -i nor sudo




for i in session_00[0-9]*.www.html; do srcip=`grep 'www:\ ' "$i" | awk '{print $2}' | cut -d ':' -f1`; dstip=`grep 'www:\ ' "$i" | awk '{print $4}' | cut -d ':' -f1`; host=`grep 'Host:\ ' "$i" | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u      <-- NetBIOS names with suffix <20> (file server service)


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u      <-- suffix <1e> (browser service elections)


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark -r suspicious-time.pcap -T fields -e "eth.src" | sort | uniq        <-- every MAC address that sent a frame


Note on filters: the commands below use -R "filter" as written in the notes. On tshark 1.10 and later -R is a two-pass read filter that requires -2; use -Y "filter" for a display filter instead.

tshark -r suspicious-time.pcap -R "browser.command==1" -T fields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -T fields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru          <-- look-alike hostname: the registrable domain is eyu32.ru, not rapidshare.com

whois sploitme.com.cn





tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'        <-- drop static resources and known-benign hosts to see the interesting requests

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst        <-- frames whose HTTP body carries inline script

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'        <-- one client only; query strings other than ?c= ?s= ?e= are shortened to "?..."
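The tshark request listing above, post-processed in Python instead of awk/grep/sed. This is an added example, not from the class or the challenge: the input is constructed `-T fields` output using documentation addresses and hostnames, and the static-resource filter, the `?c=`/`?s=`/`?e=` query-string shortening and the per-host counts follow the pipelines above.

```python
import re
from collections import Counter

# Constructed output of
#   tshark -r x.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri
# (tab separated). Addresses and hostnames are documentation values, not the challenge pcap.
TSHARK_FIELDS = (
    "10.0.3.15\t192.0.2.10\twww.example.com\t/\n"
    "10.0.3.15\t192.0.2.10\twww.example.com\t/images/logo.png\n"
    "10.0.3.15\t192.0.2.10\twww.example.com\t/style.css\n"
    "10.0.3.15\t198.51.100.7\tupdate.example.net\t/show.php?s=3feb5a6b2f\n"
    "10.0.3.15\t198.51.100.7\tupdate.example.net\t/load.php?e=1\n"
    "10.0.3.15\t198.51.100.7\tupdate.example.net\t/favicon.ico\n"
    "10.0.3.15\t198.51.100.7\tupdate.example.net\t/stats.php?id=7&ref=x\n"
    "10.0.3.16\t192.0.2.10\twww.example.com\t/\n"
)

# The grep -v '/image' -e '.css' -e '.ico' noise filter, widened to common image types.
STATIC_RE = re.compile(r"/image|\.(css|ico|png|gif|jpe?g)$", re.I)


def parse_requests(text):
    """One dict per line of tshark -T fields output (exactly four tab-separated columns)."""
    reqs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[2]:
            continue   # blank lines and requests without a Host header
        src, dst, host, uri = parts
        reqs.append({"src": src, "dst": dst, "host": host, "uri": uri})
    return reqs


def is_static(uri):
    """Static resource check applied to the path only, so a query string can't hide it."""
    return bool(STATIC_RE.search(uri.split("?", 1)[0]))


def shorten_query(uri, keep=("c", "s", "e")):
    """Like the class sed 's/\\?[^cse].*/?.../': keep short ?c=/?s=/?e= parameters,
    elide every other query string so the listing stays readable."""
    path, sep, query = uri.partition("?")
    if not sep or (query[:1] in keep and query[1:2] == "="):
        return uri
    return path + "?..."


def triage(text, client=None):
    """Return (Counter of (src, host) over non-static requests, 'src -> dst : url' lines)."""
    reqs = [r for r in parse_requests(text) if not is_static(r["uri"])]
    if client:
        reqs = [r for r in reqs if r["src"] == client]
    per_host = Counter((r["src"], r["host"]) for r in reqs)
    lines = ["%s -> %s : http://%s%s" % (r["src"], r["dst"], r["host"], shorten_query(r["uri"]))
             for r in reqs]
    return per_host, lines


if __name__ == "__main__":
    per_host, lines = triage(TSHARK_FIELDS)
    for (src, host), n in per_host.most_common():
        print("%3d %s -> %s" % (n, src, host))
    print("\n".join(lines))
```

Feed it real data with `triage(open("requests.tsv").read(), client="10.0.3.15")` after saving the tshark output to a file; hosts that appear only in the filtered list, and never in the user's normal browsing, are the ones to run `whois` on.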




cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility                                   <-- Volatility 1.x invocation as used on the class VM; with no arguments it lists the plugins (2.x renamed several: connscan2 -> connscan, memdmp -> memdump, hivescan -> hivelist)
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2       <-- carves PDFs out of the process memory dump
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -il javascript *.pdf         <-- -l lists only the matching file names; the PDF bodies are binary



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf      (the notes switch from pdf2 to pdf5 here; use whichever output directory you created above)
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py -s javascript --raw 00600328.pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 11 00600328.pdf
/opt/Python-2.6.2/python /home/malware/Desktop/Banking\ Troubles/pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js              <-- treat it as hostile text: read it, never open it in a browser


*****Sorry - no time to cover javascript de-obfuscation today*****
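The pdf-parser.py steps above (find the /JavaScript object, follow /JS to its stream, undo FlateDecode) as a small Python script. This is an added example, not pdf-parser.py and not the carved 00600328.pdf: it builds a constructed PDF with a harmless script, then locates and decodes it. It handles only FlateDecode streams and unescaped literal strings, which is enough for triage of a carved file but not a substitute for a real parser on a deliberately malformed one.

```python
import re
import zlib

# Constructed, harmless payload (a NOP-sled-looking string and an alert).
JS_PAYLOAD = b"var s = unescape('%u9090%u9090'); app.alert('constructed test payload');"


def build_test_pdf(js=JS_PAYLOAD):
    """Constructed PDF: /OpenAction -> JavaScript action whose /JS points at a
    FlateDecode stream, the same layout the class pulled apart with pdf-parser.py."""
    comp = zlib.compress(js)
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Type /Action /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp) + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(bodies, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
JS_RE = re.compile(rb"/JS\s*(?:(\d+)\s+\d+\s+R|\((.*?)\))", re.S)
KEYWORDS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile")


def parse_objects(pdf):
    """Object number -> body bytes (dictionary plus stream). Ignores xref tables and
    incremental updates, which is fine for triage of a carved file."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def stream_data(body):
    """Decoded stream contents, or None if the object has no stream. Only FlateDecode is undone."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    data = m.group(1)
    return zlib.decompress(data) if b"/FlateDecode" in body[:m.start()] else data


def count_keywords(pdf):
    """pdfid-style counts of the names that make a PDF worth a closer look."""
    return {k.decode(): len(re.findall(re.escape(k) + rb"(?![A-Za-z])", pdf)) for k in KEYWORDS}


def find_javascript(pdf):
    """[(action_obj, script_obj, script_bytes)] for every /JS entry, following 'N 0 R' references."""
    objs = parse_objects(pdf)
    found = []
    for num, body in sorted(objs.items()):
        m = JS_RE.search(body)
        if not m:
            continue
        if m.group(1):                      # indirect: /JS 4 0 R -> stream in object 4
            ref = int(m.group(1))
            found.append((num, ref, stream_data(objs.get(ref, b"")) or b""))
        else:                               # inline literal string: /JS (var x = 1;)
            found.append((num, num, m.group(2)))
    return found


if __name__ == "__main__":
    pdf = build_test_pdf()
    print(count_keywords(pdf))
    for action, script, js in find_javascript(pdf):
        print("object %d -> %d: %s" % (action, script, js.decode("latin-1")))
```

On a carved file, `count_keywords(open(path, "rb").read())` is the first thing to run: a document with /OpenAction and /JavaScript but no pages is the classic exploit-delivery shape, and `find_javascript` then gives you the script bytes to read without ever rendering the PDF.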


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
less files
python volatility malfind -f ../hn_forensics.vmem -d out       <-- dumps the suspicious injected regions into out/
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon      <-- -o is a hive offset taken from the hivescan output; yours may differ
for file in *.dmp; do echo "$file"; strings "$file" | grep bankofamerica; done