Cyber Security Awareness Month - Day 14 - Poor Man's File Analysis System - Part 1
Update: In an attempt to get the link for the first script, I mistakenly put the link for another script. Fixed now. Thanks Michael for the "oops" :)
Ok ok the "System" on the title may be a bit too much for what this diary will show, but it will give you a nice idea on how to start to build your own analysis system using open source and free tools.
For the first part of this Diary we will focus on PE files, using three different tools for Static Analysis:
1) malware.py / pescanner.py (Malware Cookbook scripts)
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
http://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py
2) Adobe Malware Classifier - http://blogs.adobe.com/asset/tag/malware-classification
3) sigcheck.exe (via Wine) - http://technet.microsoft.com/en-us/sysinternals/bb897441
The first tool comes from the great book Malware Cookbook; the authors made all the code available via Google Code. It is a collection of Python scripts used throughout the chapters. The one I will show here is called PescannerMalware.py.
This PescannerMalware.py script gives you several pieces of information that help with your static analysis.
The following example is the output for a known malware sample:
Meta-data
============================================================
File: wire-report.pdf.exe
Size: 190464 bytes
MD5: 0a0b73f2652f242e255ac9c1a7724dda
SHA1: 5ad43440eaf1c30b9e320a0ea06754ad67e9d66f
Date: 0x29EB59F0 [Tue Apr 14 22:17:20 1992 UTC] [SUSPICIOUS]
EP: 0x402a00 (.text)
Resource entries
============================================================
Name RVA Size Type
------------------------------------------------------------
RT_VERSION 0x3b058 0x3ec
Suspicious IAT alerts
============================================================
CreateProcessW
CreateProcessA
Sections
============================================================
Name VirtAddr VirtSize RawSize Entropy
------------------------------------------------------------
.text 0x1000 0x7000 0x7000 2.397724
.rdata 0x8000 0x2e000 0x23800 7.231950 [SUSPICIOUS]
.data 0x36000 0x3000 0x2600 2.536738
.ndata 0x39000 0x1000 0x800 3.405680
.ndata 0x3a000 0x1000 0x800 3.405680
.rsrc 0x3b000 0x444 0x600 3.980035
Version info
============================================================
LegalCopyright: Copyright (C) 2000-2010 TightVNC Group
InternalName: vncviewer
FileVersion: 1.5.2.0
CompanyName: TightVNC Group
PrivateBuild:
LegalTrademarks:
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
ProductName: TightVNC Win32 Viewer
SpecialBuild:
ProductVersion: 1.5.2.0
FileDescription: vncviewer
OriginalFilename: vncviewer.exe
Translation: 0x0409 0x04b0
---
First, this report shows an odd creation date of 1992. Second, it shows high entropy (7.23) in the second PE section, .rdata, suggesting that the file may be packed. Third, while the file name is wire-report.pdf.exe, the version information describes a VNC application...
This script also allows you to integrate YARA if you want, making it even more powerful.
Also, if you want to identify the packer, you may want to consider the Python script that fellow Handler Jim Clausing created a few years ago: http://handlers.sans.org/jclausing/packerid.py
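To show what is behind two of the [SUSPICIOUS] tags in the pescanner report above, here is a small added example (written for this diary, not code from the Malware Cookbook or from Adobe). It parses only the COFF file header and the section table with the standard library, flags a compile timestamp that is implausibly old or in the future, computes Shannon entropy per section, and adds the double-extension check we did by eye on wire-report.pdf.exe. The entropy threshold of 7.0, the year-2000 cut-off, the extension lists and the constructed sample PE (which reuses the 1992 timestamp from the report but is otherwise made up and not loadable) are all assumptions of this example:

```python
# Added example, not part of the diary or of the Malware Cookbook scripts:
# minimal PE static triage with the standard library only.
import hashlib
import math
import struct
from datetime import datetime, timezone

# Analyst-chosen heuristics (assumptions, not values taken from pescanner).
HIGH_ENTROPY = 7.0         # bits/byte; packed or encrypted data sits near 8.0
MIN_PLAUSIBLE_YEAR = 2000  # a link timestamp before this is treated as odd
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Parse just enough of a PE file: the COFF TimeDateStamp and the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virt_addr": vaddr, "virt_size": vsize,
                         "raw_size": rawsize, "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "sections": sections}


def deceptive_extension(filename: str) -> bool:
    """True for names like wire-report.pdf.exe: document extension, then executable."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXTENSIONS and parts[-2] in DOC_EXTENSIONS


def triage(blob: bytes, filename: str, now: datetime) -> list:
    """Return findings in the spirit of pescanner's [SUSPICIOUS] tags."""
    pe = parse_pe(blob)
    findings = []
    compiled = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    if compiled.year < MIN_PLAUSIBLE_YEAR or compiled > now:
        findings.append(f"timestamp 0x{pe['timestamp']:08X} "
                        f"[{compiled:%a %b %d %H:%M:%S %Y UTC}] SUSPICIOUS")
    for s in pe["sections"]:
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']:.6f} SUSPICIOUS (packed?)")
    if deceptive_extension(filename):
        findings.append(f"filename {filename} hides an executable behind a document extension")
    return findings


def build_sample_pe(timestamp: int, sections: list) -> bytes:
    """Construct a minimal PE32 image (headers plus raw section data) for testing.
    It is not loadable by Windows; only the fields parse_pe reads are meaningful."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                  # PE32 optional header, 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    hdr_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = (hdr_len + 0x1FF) & ~0x1FF                          # raw data starts 0x200-aligned
    table, body, vaddr = b"", b"", 0x1000
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
        vaddr += (len(data) + 0xFFF) & ~0xFFF
    image = dos + b"PE\0\0" + coff + opt + table
    return image.ljust(raw_ptr, b"\0") + body


def sample_findings() -> list:
    """Run the triage over a constructed sample whose headers mimic the report above."""
    low = bytes(range(16)) * 64                                   # entropy exactly 4.0 bits/byte
    high = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
    blob = build_sample_pe(0x29EB59F0, [(b".text", low), (b".rdata", high)])  # 1992 stamp
    now = datetime(2012, 10, 14, tzinfo=timezone.utc)              # constructed "today"
    return triage(blob, "wire-report.pdf.exe", now)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Running it on the constructed sample reports the 1992 timestamp, the high-entropy .rdata section and the .pdf.exe name, the same three observations made about the real file above. The entropy figure is a hint, not proof of packing: resource sections holding compressed images or embedded certificates also score high, so it should be read together with the IAT, the version information and the packer signature check mentioned above.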
--
The second tool was created by a former co-worker who now works at Adobe. It is another Python script that checks different characteristics of the PE file and returns one of three results:
1, 0, Unknown.
According to the Adobe page, the "Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for “clean,” 1 for “malicious,” or “UNKNOWN.” "
Example:
pedros-MacBook-Pro:samples ppbuen0$ python AdobeMalwareClassifier.py -f wire-report.pdf.exe
1
Which means Malicious.
---
The third tool is Sigcheck, from Sysinternals. It tells you whether a file is digitally signed and helps with your assessment.
If you want to run it on Linux together with the other Python tools, you may want to consider Wine :) .
The output below is from the same exe as in the previous examples:
Verified: Unsigned
File date: 10:59 AM 8/9/2011
Publisher: TightVNC Group
Description: vncviewer
Product: TightVNC Win32 Viewer
Version: 1.5.2.0
File version: 1.5.2.0
Strong Name: Unsigned
Original Name: vncviewer.exe
Internal Name: vncviewer
Copyright: Copyright (C) 2000-2010 TightVNC Group
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
Just to compare, here are the outputs for two other files:
1) Malware:
Verified: Unsigned
File date: 5:41 AM 9/28/2012
Publisher: Microsoft Corporation
Description: Microsoft (R) Internet Common
Product: Microsoft(R) Windows(R) Operating System
Version: 6, 0, 2900, 3138
File version: 6, 0, 2900, 3138
2) Windows ARP:
Verified: Signed
Signing date: 10:07 PM 4/13/2008
Publisher: Microsoft Corporation
Description: TCP/IP Arp Command
Product: Microsoft« Windows« Operating System
Version: 5.1.2600.0
File version: 5.1.2600.0 (xpclient.010817-1148)
--
Hopefully this will help you start your own analysis system. In the next part of this diary we will look at tools/scripts for non-PE files and integrate them.
--
Pedro Bueno (pbueno /%%/ isc. sans. org)
Twitter: http://twitter.com/besecure