1 | ############################ | |
2 | # Download the Analysis VM # | |
3 | ############################ | |
4 | - | https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip |
4 | + | https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip |
5 | user: infosecaddicts | |
6 | pass: infosecaddicts | |
7 | ||
8 | ||
9 | ||
10 | ||
11 | - Log in to your Ubuntu system with the username 'malware' and the password 'malware'. | |
12 | ||
13 | - After logging please open a terminal window and type the following commands: | |
14 | - | ---------------------------Type This----------------------------------- |
14 | + | |
15 | cd Desktop/ | |
16 | - | ----------------------------------------------------------------------- |
16 | + | |
17 | ||
18 | - This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected': | |
19 | ||
20 | - | ---------------------------Type This----------------------------------- |
20 | + | |
21 | cd /home/infosecaddicts/Desktop/ | |
22 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate |
22 | + | wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip --no-check-certificate |
23 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate |
23 | + | wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py --no-check-certificate |
24 | ||
25 | unzip malware-password-is-infected.zip | |
26 | infected | |
27 | ||
28 | file malware.exe | |
29 | ||
30 | mv malware.exe malware.pdf | |
31 | ||
32 | file malware.pdf | |
33 | ||
34 | mv malware.pdf malware.exe | |
35 | ||
36 | hexdump -n 2 -C malware.exe | |
37 | - | ----------------------------------------------------------------------- |
37 | + | |
38 | ***What is '4d 5a' or 'MZ'*** | |
39 | Reference: | |
40 | http://www.garykessler.net/library/file_sigs.html | |
41 | ||
42 | ||
43 | objdump -x malware.exe | |
44 | - | ---------------------------Type This----------------------------------- |
44 | + | |
45 | strings malware.exe | |
46 | ||
47 | strings --all malware.exe | head -n 6 | |
48 | ||
49 | strings malware.exe | grep -i dll | |
50 | ||
51 | strings malware.exe | grep -i library | |
52 | ||
53 | strings malware.exe | grep -i reg | |
54 | ||
55 | strings malware.exe | grep -i hkey | |
56 | ||
57 | strings malware.exe | grep -i hku | |
58 | ||
59 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
60 | - | ----------------------------------------------------------------------- |
60 | + | |
61 | strings malware.exe | grep -i irc | |
62 | ||
63 | strings malware.exe | grep -i join | |
64 | - | ---------------------------Type This----------------------------------- |
64 | + | |
65 | strings malware.exe | grep -i admin | |
66 | ||
67 | strings malware.exe | grep -i list | |
68 | ||
69 | ||
70 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
71 | ||
72 | - | ----------------------------------------------------------------------- |
72 | + | |
73 | malware | |
74 | ||
75 | vi analyse_malware.py | |
76 | - | ---------------------------Type This----------------------------------- |
76 | + | |
77 | python analyse_malware.py malware.exe | |
78 | ||
79 | ||
80 | ||
81 | ||
82 | Building a Malware Scanner | |
83 | - | ----------------------------------------------------------------------- |
83 | + | |
84 | ||
85 | mkdir ~/Desktop/malwarescanner | |
86 | ||
87 | cd ~/Desktop/malwarescanner | |
88 | - | ################################ |
88 | + | |
89 | - | # Good references for WannaCry # |
89 | + | |
90 | - | ################################ |
90 | + | |
91 | unzip master.zip | |
92 | - | References: |
92 | + | |
93 | cd malwarescanner-master/ | |
94 | - | https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 |
94 | + | |
95 | - | https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/ |
95 | + | |
96 | - | https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html |
96 | + | |
97 | cat strings.txt | |
98 | ||
99 | cat hashes.txt | |
100 | ||
101 | - | ---------------------------Type This----------------------------------- |
101 | + | |
102 | ||
103 | cp ~/Desktop/malware.exe ~/Desktop/malcode | |
104 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip |
104 | + | |
105 | python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt | |
106 | - | unzip wannacry.zip |
106 | + | |
107 | cd ~/Desktop/ | |
108 | ||
109 | - | file wannacry.exe |
109 | + | |
110 | ||
111 | - | mv wannacry.exe malware.pdf |
111 | + | |
112 | # Analyzing Macro Embedded Malware # | |
113 | # Reference: # | |
114 | # https://jon.glass/analyzes-dridex-malware-p1/ # | |
115 | - | mv malware.pdf wannacry.exe |
115 | + | |
116 | cp ~/Desktop/ | |
117 | - | hexdump -n 2 -C wannacry.exe |
117 | + | |
118 | - | ----------------------------------------------------------------------- |
118 | + | - Create a FREE account on: |
119 | https://malwr.com/account/signup/ | |
120 | ||
121 | - Grab the malware from: | |
122 | https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/ | |
123 | - | Reference: |
123 | + | |
124 | file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
125 | ||
126 | cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin | |
127 | ||
128 | ||
129 | - | ---------------------------Type This----------------------------------- |
129 | + | |
130 | - | objdump -x wannacry.exe |
130 | + | |
131 | sudo pip install olefile | |
132 | - | strings wannacry.exe |
132 | + | |
133 | ||
134 | - | strings --all wannacry.exe | head -n 6 |
134 | + | |
135 | ||
136 | - | strings wannacry.exe | grep -i dll |
136 | + | |
137 | ||
138 | - | strings wannacry.exe | grep -i library |
138 | + | |
139 | ||
140 | - | strings wannacry.exe | grep -i reg |
140 | + | |
141 | ||
142 | - | strings wannacry.exe | grep -i key |
142 | + | cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin . |
143 | ||
144 | - | strings wannacry.exe | grep -i rsa |
144 | + | mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc |
145 | ||
146 | - | strings wannacry.exe | grep -i open |
146 | + | |
147 | ----------------------------------------------------------------------------------------------------------------------------------- | |
148 | - | strings wannacry.exe | grep -i get |
148 | + | |
149 | ||
150 | - | strings wannacry.exe | grep -i mutex |
150 | + | |
151 | sudo pip install olefile | |
152 | - | strings wannacry.exe | grep -i irc |
152 | + | |
153 | ||
154 | - | strings wannacry.exe | grep -i join |
154 | + | |
155 | ||
156 | - | strings wannacry.exe | grep -i admin |
156 | + | |
157 | ||
158 | - | strings wannacry.exe | grep -i list |
158 | + | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip |
159 | - | ----------------------------------------------------------------------- |
159 | + | |
160 | unzip 064016.zip | |
161 | infected | |
162 | ||
163 | python oledump.py 064016.doc | |
164 | ||
165 | python oledump.py 064016.doc -s A4 -v | |
166 | ||
167 | - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. | |
168 | - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’. | |
169 | ||
170 | - | Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry" |
170 | + | |
171 | python oledump.py 064016.doc -s A5 -v | |
172 | - | Quick Google search for "wannacry ransomeware analysis" |
172 | + | |
173 | - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners. | |
174 | ||
175 | - | Reference |
175 | + | |
176 | - | https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/ |
176 | + | |
177 | ||
178 | - | - Yara Rule - |
178 | + | |
179 | ||
180 | 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B | |
181 | - | Strings: |
181 | + | |
182 | - | $s1 = “Ooops, your files have been encrypted!” wide ascii nocase |
182 | + | |
183 | - | $s2 = “Wanna Decryptor” wide ascii nocase |
183 | + | |
184 | - | $s3 = “.wcry” wide ascii nocase |
184 | + | |
185 | - | $s4 = “WANNACRY” wide ascii nocase |
185 | + | |
186 | - | $s5 = “WANACRY!” wide ascii nocase |
186 | + | |
187 | - | $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase |
187 | + | |
188 | ############## | |
189 | # Yara Ninja # | |
190 | ############## | |
191 | sudo apt-get remove -y yara | |
192 | malware | |
193 | ||
194 | wget https://github.com/plusvic/yara/archive/v3.4.0.zip | |
195 | ||
196 | - | Ok, let's look for the individual strings |
196 | + | |
197 | malware | |
198 | ||
199 | - | ---------------------------Type This----------------------------------- |
199 | + | |
200 | - | strings wannacry.exe | grep -i ooops |
200 | + | |
201 | cd yara-3.4.0 | |
202 | - | strings wannacry.exe | grep -i wanna |
202 | + | |
203 | ./bootstrap.sh | |
204 | - | strings wannacry.exe | grep -i wcry |
204 | + | |
205 | ./configure | |
206 | - | strings wannacry.exe | grep -i wannacry |
206 | + | |
207 | make | |
208 | - | strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm..... |
208 | + | |
209 | - | ----------------------------------------------------------------------- |
209 | + | |
210 | malware | |
211 | ||
212 | yara -v | |
213 | ||
214 | cd .. | |
215 | ||
216 | - | #################################### |
216 | + | |
217 | - | # Tired of GREP - let's try Python # |
217 | + | |
218 | - | #################################### |
218 | + | |
219 | - | Decided to make my own script for this kind of stuff in the future. I |
219 | + | |
220 | cd ~/Desktop | |
221 | - | Reference1: |
221 | + | |
222 | - | https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py |
222 | + | |
223 | ||
224 | - | This is a really good script for the basics of static analysis |
224 | + | |
225 | Places to get more Yara rules: | |
226 | - | Reference: |
226 | + | |
227 | - | https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html |
227 | + | |
228 | https://github.com/kevthehermit/YaraRules | |
229 | https://github.com/VectraThreatLab/reyara | |
230 | - | This is really good for showing some good signatures to add to the Python script |
230 | + | |
231 | ||
232 | ||
233 | - | Here is my own script using the signatures (started this yesterday, but still needs work): |
233 | + | |
234 | - | https://pastebin.com/guxzCBmP |
234 | + | |
235 | https://github.com/mkayoh/yarasorter | |
236 | ||
237 | ||
238 | - | ---------------------------Type This----------------------------------- |
238 | + | |
239 | - | sudo apt install -y python-pefile |
239 | + | |
240 | - | infosecaddicts |
240 | + | |
241 | cd ~/Desktop/ | |
242 | yara rules-master/master.yar malcode/malware.exe | |
243 | ||
244 | - | wget https://pastebin.com/raw/guxzCBmP |
244 | + | |
245 | ||
246 | ||
247 | - | mv guxzCBmP am.py |
247 | + | |
248 | ||
249 | ||
250 | - | vi am.py |
250 | + | |
251 | ||
252 | - | python am.py wannacry.exe |
252 | + | |
253 | - | ----------------------------------------------------------------------- |
253 | + | |
254 | http://derekmorton.name/files/malware_12-14-12.sql.bz2 | |
255 | ||
256 | ||
257 | Malware Repositories: | |
258 | http://malshare.com/index.php | |
259 | http://www.malwareblacklist.com/ | |
260 | http://www.virusign.com/ | |
261 | http://virusshare.com/ | |
262 | http://www.tekdefense.com/downloads/malware-samples/ | |
263 | ||
264 | - | ---------------------------Type This----------------------------------- |
264 | + | |
265 | ||
266 | ||
267 | ############################### | |
268 | # Creating a Malware Database # | |
269 | ############################### | |
270 | ||
271 | Creating a malware database (sqlite) | |
272 | ------------------------------------ | |
273 | sudo apt-get install -y python-simplejson python-simplejson-dbg | |
274 | malware | |
275 | ||
276 | wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
277 | wget wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip | |
278 | ||
279 | unzip malware-password-is-infected.zip | |
280 | infected | |
281 | ||
282 | python avsubmit.py --init | |
283 | ||
284 | python avsubmit.py -f malware.exe -e | |
285 | - | python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt |
285 | + | |
286 | ||
287 | ||
288 | - | ----------------------------------------------------------------------- |
288 | + | |
289 | ||
290 | Creating a malware database (mysql) | |
291 | ----------------------------------- | |
292 | - Step 1: Installing MySQL database | |
293 | - Run the following command in the terminal: | |
294 | ||
295 | sudo apt-get install mysql-server | |
296 | - | ---------------------------Type This----------------------------------- |
296 | + | |
297 | ||
298 | - Step 2: Installing Python MySQLdb module | |
299 | - Run the following command in the terminal: | |
300 | ||
301 | - | |
301 | + | |
302 | malware | |
303 | ||
304 | sudo apt-get install python-mysqldb | |
305 | malware | |
306 | ||
307 | Step 3: Logging in | |
308 | Run the following command in the terminal: | |
309 | ||
310 | mysql -u root -p (set a password of 'malware') | |
311 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip |
311 | + | |
312 | - Then create one database by running following command: | |
313 | ||
314 | create database malware; | |
315 | ||
316 | exit; | |
317 | ||
318 | wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
319 | - | ----------------------------------------------------------------------- |
319 | + | |
320 | vi mal_to_db.py (fill in database connection information) | |
321 | ||
322 | python mal_to_db.py -i | |
323 | ||
324 | ------- check it to see if the files table was created ------ | |
325 | ||
326 | - | ---------------------------Type This----------------------------------- |
326 | + | |
327 | malware | |
328 | - | ----------------------------------------------------------------------- |
328 | + | |
329 | show databases; | |
330 | ||
331 | use malware; | |
332 | - | ---------------------------Type This----------------------------------- |
332 | + | |
333 | show tables; | |
334 | ||
335 | describe files; | |
336 | ||
337 | exit; | |
338 | ||
339 | --------------------------------- | |
340 | ||
341 | ||
342 | - Now add the malicious file to the DB | |
343 | ||
344 | python mal_to_db.py -f malware.exe -u | |
345 | ||
346 | ||
347 | ||
348 | - | ---------------------------Type This----------------------------------- |
348 | + | |
349 | ||
350 | mysql -u root -p | |
351 | malware | |
352 | ||
353 | mysql> use malware; | |
354 | ||
355 | select id,md5,sha1,sha256,time FROM files; | |
356 | ||
357 | mysql> quit; | |
358 | ||
359 | ||
360 | ||
361 | ||
362 | ||
363 | ################# | |
364 | # PCAP Analysis # | |
365 | ################# | |
366 | cd /home/infosecaddicts/Desktop/Browser\ Forensics | |
367 | ||
368 | ls | grep pcap | |
369 | ||
370 | perl chaosreader.pl suspicious-time.pcap | |
371 | ||
372 | firefox index.html | |
373 | ||
374 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | |
375 | ||
376 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr | |
377 | ||
378 | sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs | |
379 | malware | |
380 | ||
381 | - | ----------------------------------------------------------------------- |
381 | + | |
382 | for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | |
383 | ||
384 | ||
385 | ||
386 | ||
387 | ||
388 | ############################# | |
389 | # PCAP Analysis with tshark # | |
390 | ############################# | |
391 | tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
392 | ||
393 | ||
394 | tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
395 | ||
396 | - | ---------------------------Type This----------------------------------- |
396 | + | |
397 | tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?' | |
398 | ||
399 | ||
400 | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq | |
401 | - | ----------------------------------------------------------------------- |
401 | + | |
402 | ||
403 | tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq | |
404 | ||
405 | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq | |
406 | ||
407 | tshark -r suspicious-time.pcap -qz ip_hosts,tree | |
408 | ||
409 | tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq | |
410 | ||
411 | tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name" | |
412 | ||
413 | ||
414 | whois rapidshare.com.eyu32.ru | |
415 | ||
416 | whois sploitme.com.cn | |
417 | ||
418 | ||
419 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | |
420 | ||
421 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org' | |
422 | ||
423 | tshark -r suspicious-time.pcap -qz http_req,tree | |
424 | ||
425 | tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst | |
426 | ||
427 | tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g' | |
428 | ||
429 | ||
430 | - | ---------------------------Type This----------------------------------- |
430 | + | |
431 | ###################################### | |
432 | # PCAP Analysis with forensicPCAP.py # | |
433 | ###################################### | |
434 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py |
434 | + | |
435 | - | wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip |
435 | + | |
436 | ||
437 | sudo easy_install cmd2 | |
438 | malware | |
439 | ||
440 | python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap | |
441 | ||
442 | ForPCAP >>> help | |
443 | - | ----------------------------------------------------------------------- |
443 | + | |
444 | ||
445 | Prints stats about PCAP | |
446 | ForPCAP >>> stat | |
447 | ||
448 | ||
449 | Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command. | |
450 | ForPCAP >>> dns | |
451 | ||
452 | - | ---------------------------Type This----------------------------------- |
452 | + | |
453 | ||
454 | ||
455 | Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command. | |
456 | ForPCAP >>> dstports | |
457 | ||
458 | - | ---------------------------Type This----------------------------------- |
458 | + | |
459 | ||
460 | ||
461 | Prints the number of ip source and store them. | |
462 | ForPCAP >>> ipsrc | |
463 | ||
464 | - | ----------------------------------------------------------------------- |
464 | + | |
465 | ||
466 | ||
467 | Prints the number of web's requests and store them | |
468 | - | ---------------------------Type This----------------------------------- |
468 | + | |
469 | ||
470 | ForPCAP >>> show | |
471 | ||
472 | - | ---------------------------Type This----------------------------------- |
472 | + | |
473 | ForPCAP >>> mail | |
474 | ||
475 | ForPCAP >>> show | |
476 | ||
477 | ||
478 | ################### | |
479 | # Memory Analysis # | |
480 | ################### | |
481 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility | |
482 | - | ----------------------------------------------------------------------- |
482 | + | |
483 | python volatility | |
484 | python volatility pslist -f ../hn_forensics.vmem | |
485 | python volatility connscan2 -f ../hn_forensics.vmem | |
486 | python volatility memdmp -p 888 -f ../hn_forensics.vmem | |
487 | python volatility memdmp -p 1752 -f ../hn_forensics.vmem | |
488 | ***Takes a few min*** | |
489 | strings 1752.dmp | grep "^http://" | sort | uniq | |
490 | strings 1752.dmp | grep "Ahttps://" | uniq -u | |
491 | cd .. | |
492 | foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2 | |
493 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/ | |
494 | cat audit.txt | |
495 | cd pdf | |
496 | ls | |
497 | grep -i javascript *.pdf | |
498 | ||
499 | ||
500 | ||
501 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf | |
502 | wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip | |
503 | - | ---------------------------Type This----------------------------------- |
503 | + | |
504 | python pdf-parser.py -s javascript --raw 00600328.pdf | |
505 | - | ----------------------------------------------------------------------- |
505 | + | |
506 | python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js | |
507 | ||
508 | cat malicious.js | |
509 | - | ---------------------------Type This----------------------------------- |
509 | + | |
510 | ||
511 | *****Sorry - no time to cover javascript de-obfuscation today***** | |
512 | ||
513 | ||
514 | cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/ | |
515 | python volatility files -f ../hn_forensics.vmem > files | |
516 | cat files | less | |
517 | python volatility malfind -f ../hn_forensics.vmem -d out | |
518 | - | ------------------------------------------------------------------------ |
518 | + | ls out/ |
519 | python volatility hivescan -f ../hn_forensics.vmem | |
520 | python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon | |
521 | for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done |
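Review bot: The two re-pointed downloads on paste lines 22 and 23 still pass `--no-check-certificate`, so the certificate of the new blob host is never validated, and the `analyse_malware.py` fetched this way is later run with `python analyse_malware.py malware.exe` (paste line 77). A script that arrives over an unverified connection and is then executed in the analysis VM has no integrity guarantee at all. I would drop the flag and add a digest check, e.g. `wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py` followed by `sha256sum analyse_malware.py`, compared against a value published with the course material (`<expected-sha256>`, placeholder). The unchanged paste line 277 reads `wget wget https://…`, which makes wget try to fetch a host named `wget` before the real URL; one `wget` is enough. The visible page may stop before the paste does, so anything after the last line shown is not covered by this note.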