Advanced Malware Analysis V2

###############
# Class Video #
###############
https://s3.amazonaws.com/StrategicSec-Videos/2015-12-12+09.16+Hands-On+IT+Security+-+makeup.mp4


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: malware
pass: malware


Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging please open a terminal window and type the following commands:

cd Desktop/


This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py

unzip malware-password-is-infected.zip
	infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

							- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
	infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e


Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module
Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p					(set a password of 'malware')

Then create one database by running following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py						(fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -f malware.exe -u


mysql -u root -p
	malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;


########
# Yara #
########

sudo apt-get install -y yara libyara-dev libyara2 python-yara clamav clamav-freshclam libpcre3 libpcre3-dev

sudo freshclam

sudo Clamscan


yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
	infected


cd ~/Desktop/

mkdir malcode/

cp malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
meta:
description = "Windows executable file"

condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}
-----------------


yara testrule.yara malcode/malware.exe


vi testrule.yara
----------------
rule IsPE
{
meta:
description = "Windows executable file"

condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}


rule has_no_DEP
{
meta:
description = "DEP is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

-----------------


yara testrule.yara malcode/malware.exe


vi testrule.yara
----------------
rule IsPE
{
meta:
description = "Windows executable file"

condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}


rule has_no_DEP
{
meta:
description = "DEP is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

rule has_no_ASLR
{
meta:
description = "ASLR is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
-----------------


yara testrule.yara malcode/malware.exe


mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..


yara rules/capabilities.yara malcode/malware.exe

yara rules/magic.yara malcode/malware.exe

yara rules/packer.yara malcode/malware.exe


Would you like to run multiple rules against the malware?????

Option 1:
---------
cd rules/
for i in $( ls --hide=master.yara ); do echo include \"$i\";done > master.yara
cd ..
yara -w rules/master.yara malcode/malware.exe


Option 2:
---------
Install latest version of Yara from source (it let's point yara at a directory of rules)


####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py


cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'


cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
				***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf


cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done