Cyber Security Awareness Month - Day 14 - Poor Man's File Analysis System - Part 1

Published: 2012-10-14
Last Updated: 2012-10-14 23:57:58 UTC
by Pedro Bueno (Version: 1)
2 comment(s)

 

Update: In an attempt to get the link for the first script, I mistakenly put the link for another script. Fixed now. Thanks Michael for the "oops" :)

Ok ok, the "System" in the title may be a bit much for what this diary will show, but it will give you a good idea of how to start building your own analysis system using open source and free tools.

For the first part of this Diary we will focus on PE files, using three different tools for static analysis:

1) Malware.py / Pescanner.py
   http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
   http://code.google.com/p/malwarecookbook/source/browse/trunk/3/8/pescanner.py

2) Adobe Malware Classifier - http://blogs.adobe.com/asset/tag/malware-classification

3) sigcheck.exe (via Wine) - http://technet.microsoft.com/en-us/sysinternals/bb897441

The first tool comes from the great book Malware Cookbook; the authors made all of its code available via Google Code. It is a collection of Python scripts used throughout the book's chapters. The one I will show here is called PescannerMalware.py.

This PescannerMalware.py script gives you several pieces of information that help with your static analysis.

The following example is its output for a known malware sample:

 

 

Meta-data
============================================================
File:    wire-report.pdf.exe
Size:    190464 bytes
MD5:     0a0b73f2652f242e255ac9c1a7724dda
SHA1:    5ad43440eaf1c30b9e320a0ea06754ad67e9d66f
Date:    0x29EB59F0 [Tue Apr 14 22:17:20 1992 UTC] [SUSPICIOUS]
EP:      0x402a00 (.text)

Resource entries
============================================================
Name               RVA          Size         Type
------------------------------------------------------------
RT_VERSION         0x3b058      0x3ec

Suspicious IAT alerts
============================================================
CreateProcessW
CreateProcessA

Sections
============================================================
Name       VirtAddr     VirtSize     RawSize      Entropy
------------------------------------------------------------
.text      0x1000       0x7000       0x7000       2.397724
.rdata     0x8000       0x2e000      0x23800      7.231950    [SUSPICIOUS]
.data      0x36000      0x3000       0x2600       2.536738
.ndata     0x39000      0x1000       0x800        3.405680
.ndata     0x3a000      0x1000       0x800        3.405680
.rsrc      0x3b000      0x444        0x600        3.980035

Version info
============================================================
LegalCopyright: Copyright (C) 2000-2010 TightVNC Group
InternalName: vncviewer
FileVersion: 1.5.2.0
CompanyName: TightVNC Group
PrivateBuild:
LegalTrademarks:
Comments: Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.
ProductName: TightVNC Win32 Viewer
SpecialBuild:
ProductVersion: 1.5.2.0
FileDescription: vncviewer
OriginalFilename: vncviewer.exe
Translation: 0x0409 0x04b0
---

 

This report shows three things worth noting. First, a weird creation date of 1992. Second, high entropy in the second PE section (.rdata), suggesting the file may be packed. Third, while the file name is wire-report.pdf.exe, the version information claims it is a VNC application...

This script can also integrate with YARA if you want, making it even more powerful.

Also, if you want to identify the packer, you may want to consider the Python script that fellow Handler Jim Clausing created a few years ago: http://handlers.sans.org/jclausing/packerid.py
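To make the checks above concrete, here is an added example (my own code, not pescanner.py or anything from the Malware Cookbook) that walks the PE headers with Python's struct module and flags the same two things the report flagged: a section whose entropy suggests packing, and an implausible TimeDateStamp. The entropy threshold (7.0), the date cutoff (before 2000 or in the future) and the constructed sample PE produced by build_sample_pe are my assumptions, chosen to reproduce the 1992 timestamp shown above.

```python
import math
import struct
import time
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def scan_pe(buf, now=None):
    """Walk the headers and section table of a PE image held in memory and apply the two
    pescanner-style checks discussed above. Thresholds are my assumptions, not pescanner's code."""
    pe_off = struct.unpack_from("<I", buf, 0x3C)[0]              # e_lfanew in the DOS header
    if buf[:2] != b"MZ" or buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    opt_off = pe_off + 24
    ep = struct.unpack_from("<I", buf, opt_off + 16)[0]          # AddressOfEntryPoint (an RVA)
    sect_off = opt_off + opt_size
    rep = {"timestamp": tstamp, "entry_point": ep, "ep_section": None, "sections": [], "alerts": []}
    for i in range(nsect):
        # IMAGE_SECTION_HEADER is 40 bytes; only its first five fields are needed here
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", buf, sect_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(buf[rptr:rptr + rsize])
        rep["sections"].append({"name": name, "vaddr": vaddr, "vsize": vsize, "rsize": rsize, "entropy": round(ent, 6)})
        if vaddr <= ep < vaddr + max(vsize, rsize):
            rep["ep_section"] = name
        if ent > 7.0:                                            # packed or encrypted data looks near-random
            rep["alerts"].append(f"{name}: entropy {ent:.2f}, possibly packed")
    now = time.time() if now is None else now                    # injectable so results are reproducible
    if tstamp < 946684800 or tstamp > now:                       # before 2000-01-01 UTC, or in the future
        rep["alerts"].append(f"TimeDateStamp {tstamp:#x} [{time.asctime(time.gmtime(tstamp))} UTC] is implausible")
    return rep

def build_sample_pe(tstamp, sections):
    """Constructed minimal PE32 (valid headers, no real code) so scan_pe can run offline; sections = [(name, rva, raw_bytes)]."""
    opt = bytearray(224)                                         # PE32 optional header, mostly zero
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, sections[0][1] + 0x10)       # entry point 0x10 bytes into the first section
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), tstamp, 0, 0, len(opt), 0x102)
    img = bytearray(b"MZ" + bytes(58) + struct.pack("<I", 64) + b"PE\0\0" + coff + opt)
    hdr_end, blobs = len(img) + 40 * len(sections), b""          # raw section data follows the section table
    for name, vaddr, data in sections:
        img += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), vaddr, len(data), hdr_end + len(blobs), 0, 0, 0, 0, 0x60000020)
        blobs += data
    return bytes(img + blobs)
```

For a real file, pass the bytes from open(path, "rb").read() to scan_pe; the constructed PE exists only so the example can be checked offline.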

--

The second tool was created by a former co-worker of mine who now works at Adobe. It is another Python script that checks different characteristics of a PE file and returns one of three results: 1, 0, or Unknown.

 

According to the Adobe page, "Malware Classifier uses machine learning algorithms to classify Win32 binaries – EXEs and DLLs – into three classes: 0 for "clean," 1 for "malicious," or "UNKNOWN.""

 

Example:

pedros-MacBook-Pro:samples ppbuen0$ python AdobeMalwareClassifier.py -f wire-report.pdf.exe

1

This means the file is classified as malicious.

---

The third tool is Sigcheck, from Sysinternals. It tells you whether a file is digitally signed or not, which helps with your assessment.

If you want to run it on Linux together with the other Python tools, consider using Wine :).

The output below is for the same exe from the previous examples:

 

        Verified:       Unsigned
        File date:      10:59 AM 8/9/2011
        Publisher:      TightVNC Group
        Description:    vncviewer
        Product:        TightVNC Win32 Viewer
        Version:        1.5.2.0
        File version:   1.5.2.0
        Strong Name:    Unsigned
        Original Name:  vncviewer.exe
        Internal Name:  vncviewer
        Copyright:      Copyright (C) 2000-2010 TightVNC Group
        Comments:       Based on VNC by AT&T Research Labs Cambridge, RealVNC Ltd.

For comparison, here are the outputs for two other files:

 

1) Malware:

        Verified:       Unsigned
        File date:      5:41 AM 9/28/2012
        Publisher:      Microsoft Corporation
        Description:    Microsoft (R) Internet Common
        Product:        Microsoft(R) Windows(R) Operating System
        Version:        6, 0, 2900, 3138
        File version:   6, 0, 2900, 3138

2) Windows ARP:

        Verified:       Signed
        Signing date:   10:07 PM 4/13/2008
        Publisher:      Microsoft Corporation
        Description:    TCP/IP Arp Command
        Product:        Microsoft® Windows® Operating System
        Version:        5.1.2600.0
        File version:   5.1.2600.0 (xpclient.010817-1148)

 

--

Hopefully this will help you start building your own analysis system. In the next part of this diary we will look at tools/scripts for non-PE files and integrate them.

 

--

Pedro Bueno (pbueno /%%/ isc. sans. org)

Twitter: http://twitter.com/besecure
