
Malware.Analysis.Utils

The tools I use daily in my research.

Tools

Tool descriptions

Pcap2Json

A tool to parse pcap files in order to find suspicious actions. The parsed data is dumped in JSON format, as shown below:

{
	"HTTP": [{
		"Host": "bailXXXX.com",
		"Protocol": "HTTP",
		"IPdst": "209.99.Y.Z",
		"Path": "/Faculdade/Walts.zip",
		"PortDST": 80,
		"IPsrc": "192.168.1.1",
		"PortSRC": 49169,
		"Method": "GET"
	}],
	"DNS": [{"entry": [{
		"Protocol": "DNS",
		"IPdst": "192.168.1.1",
		"PortDST": 53,
		"IPsrc": "192.168.1.1",
		"Type": "QUERY",
		"PortSRC": 55604,
		"Name": "time.windows.com."
	}]}]
}
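The extraction above, as an added example that is not the project's Pcap2Json code: a minimal pcap reader (standard library only) that pulls the same HTTP request and DNS query fields out of a capture. It assumes a little-endian pcap with Ethernet frames, IPv4 without options or fragmentation, HTTP on port 80 and DNS on port 53; the capture it parses is constructed in the block (the `209.99.0.1` address and the MAC addresses are placeholders), and the record keys mirror the sample, except that DNS records are listed directly under "DNS".

```python
import json
import struct

# Added example, not the project's Pcap2Json. Assumptions: little-endian pcap,
# link type Ethernet, IPv4 without options, HTTP on TCP/80, DNS on UDP/53.


def _ip(s):
    return bytes(int(x) for x in s.split("."))


def _dotted(b):
    return ".".join(str(x) for x in b)


def build_packet(src, dst, proto, sport, dport, payload):
    """Ethernet/IPv4/{UDP,TCP} frame with a fixed-size L4 header (constructed input)."""
    eth = b"\x00" * 12 + b"\x08\x00"                      # placeholder MACs, EtherType IPv4
    if proto == 17:                                        # UDP: sport, dport, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:                                                  # TCP: data offset 5, flags PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     _ip(src), _ip(dst))
    return eth + ip + l4


def build_pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


def dns_query(name):
    """Standard query for an A record (constructed input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _dns_qname(buf, off=12):
    """Read the uncompressed QNAME of the first question; stop on a compression pointer."""
    labels = []
    while off < len(buf) and buf[off]:
        n = buf[off]
        if n & 0xC0:                                       # pointers do not appear in a query's question
            break
        labels.append(buf[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels) + "."


def iter_frames(pcap):
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl]
        off += incl


def pcap_to_records(pcap):
    out = {"HTTP": [], "DNS": []}
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src, dst = _dotted(frame[26:30]), _dotted(frame[30:34])
        l4 = frame[14 + ihl:]
        if len(l4) < 8:
            continue
        sport, dport = struct.unpack_from("!HH", l4, 0)
        base = {"IPsrc": src, "IPdst": dst, "PortSRC": sport, "PortDST": dport}
        if proto == 17 and dport == 53:
            payload = l4[8:]
            if len(payload) >= 12 and not payload[2] & 0x80:   # QR bit clear: a query
                out["DNS"].append(dict(base, Protocol="DNS", Type="QUERY", Name=_dns_qname(payload)))
        elif proto == 6 and dport == 80:
            payload = l4[(l4[12] >> 4) * 4:]
            line, _, rest = payload.decode("latin-1").partition("\r\n")
            parts = line.split(" ")
            if len(parts) == 3 and parts[2].startswith("HTTP/"):
                host = next((h.split(":", 1)[1].strip() for h in rest.split("\r\n")
                             if h.lower().startswith("host:")), None)
                out["HTTP"].append(dict(base, Protocol="HTTP", Method=parts[0], Path=parts[1], Host=host))
    return out


# Constructed capture: one DNS query and one HTTP GET, mirroring the sample above.
SAMPLE_PCAP = build_pcap([
    build_packet("192.168.1.1", "192.168.1.1", 17, 55604, 53, dns_query("time.windows.com.")),
    build_packet("192.168.1.1", "209.99.0.1", 6, 49169, 80,
                 b"GET /Faculdade/Walts.zip HTTP/1.1\r\nHost: bailXXXX.com\r\n\r\n"),
])

if __name__ == "__main__":
    print(json.dumps(pcap_to_records(SAMPLE_PCAP), indent=2))
```

Keeping the Host, Path and destination port together per request is what makes the JSON useful for review: a download of an archive from an unfamiliar host stands out at a glance, and the record can be matched against proxy or DNS logs from the same time window.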

Honeypot2Run

A tool for scheduling samples for analysis as soon as they are trapped by a honeypot. The tool is inotify-based and is intended to run in the background. It can spawn many analysis procedures at a time, as shown below:

[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware1 PATHNAME: /tmp/malware/malware1
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware2 PATHNAME: /tmp/malware/malware2
[Thread 1]: malware1 popped for analysis
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malware3 PATHNAME: /tmp/malware/malware3
[Thread 2]: malware2 popped for analysis
[INOTIFY] IN_CLOSE_WRITE called. PATH: /tmp/malware NAME: malwareN PATHNAME: /tmp/malware/malwareN
[Thread 3]: malware3 popped for analysis
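The queue-and-workers pattern behind that log, as an added example that is not the project's Honeypot2Run code. It needs no inotify binding: `on_close_write()` stands in for the IN_CLOSE_WRITE handler, and `analyse()` is a placeholder for the real analysis routine. It adds one thing the log does not show, deduplication by SHA-256, so a payload the honeypot receives twice is analysed once.

```python
import hashlib
import os
import queue
import tempfile
import threading

# Added example, not the project's Honeypot2Run. on_close_write() is the
# assumed entry point an IN_CLOSE_WRITE handler would call with the finished file.


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class SampleScheduler:
    """Queue samples as they land and analyse them on N worker threads.

    A sample whose SHA-256 was already analysed is skipped, so a honeypot that
    re-downloads the same payload does not cost another analysis run.
    """

    def __init__(self, analyse, workers=3):
        self.analyse = analyse
        self.q = queue.Queue()
        self.seen = set()
        self.lock = threading.Lock()
        self.results = {}            # sha256 -> analysis result (path -> error string on failure)
        for n in range(1, workers + 1):
            threading.Thread(target=self._worker, args=(n,), daemon=True).start()

    def on_close_write(self, path):
        """Call this when the file is completely written (IN_CLOSE_WRITE), never on
        IN_CREATE: reacting earlier would hash and run a half-written sample."""
        self.q.put(path)

    def _worker(self, n):
        while True:
            path = self.q.get()
            try:
                digest = sha256_of(path)
                with self.lock:
                    if digest in self.seen:
                        continue             # duplicate payload: skip
                    self.seen.add(digest)
                self.results[digest] = self.analyse(path, n)
            except Exception as exc:         # keep the worker alive on a bad sample
                self.results[path] = "error: %s" % exc
            finally:
                self.q.task_done()

    def wait(self):
        """Block until the queue drains and return a copy of the results."""
        self.q.join()
        return dict(self.results)


def analyse(path, worker):
    """Placeholder analysis routine; a real one would hand the sample to a sandbox."""
    return {"worker": worker, "name": os.path.basename(path), "size": os.path.getsize(path)}


def demo():
    """Drop three constructed samples (two with identical content) and collect results."""
    with tempfile.TemporaryDirectory() as d:
        sched = SampleScheduler(analyse, workers=3)
        for name, body in (("malware1", b"A" * 10), ("malware2", b"B" * 20), ("malware3", b"A" * 10)):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(body)
            sched.on_close_write(path)
        return sched.wait()


if __name__ == "__main__":
    for digest, result in demo().items():
        print(digest[:12], result)
```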

Hasher

A tool to calculate all common hashes of a given binary, so you can check on the internet whether the threat is already known. An execution example is shown below:

Hashes of /bin/bash
[SSDEEP]  :    12288:khRO05dvtF0rztLGcXNnxX3BlJDd1XLsNbb8ckf9PSKMedh50jn58r0mUX:kXR5dvY/tLGcXNB3Bldnobu7MedbSnh
[CRC32]   :    0x594e4450
[MD5]     :    164ebd6889588da166a52ca0d57b9004
[SHA1]    :    8e3aa19fdc42e87659746f6dc8ea3af74ab30362
[SHA224]  :    ad640f0e92c5f2df008518269196925be0cc0f7679fcd6ce8ddc1dea
[SHA256]  :    8c4d49445d0050884e0703571f187338b10c7836b08ed822cc5fc6cf15ac76b0
[SHA384]  :    6be640b6fe9fe9e077b2f7bf5f85c446f70aa635ceb88a993e148ee0eee2caad9725a4a12c3eefc50961ea5a0a048769
[SHA512]  :    cc7cb38021a7604f2fd5a54a3013e15bba3b752f7815c11e64638234b386dd91c5d970a6d1c73d4af9945a2c258048486632d6a69b44f4c8448f7f8d4e
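An added example, not the project's Hasher code: every digest in the report above except ssdeep (which needs the external ssdeep library) computed in a single pass over the file, rendered in the same layout, plus a lookup of the digests against a local set of known hashes. The known-hash set in the block is constructed.

```python
import hashlib
import io
import zlib

# Added example, not the project's Hasher. Standard library only; ssdeep is omitted
# because it requires the external ssdeep library.

ALGORITHMS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")


def hash_stream(stream, chunk_size=1 << 16):
    """Return {'CRC32': '0x..', 'MD5': ..., ...} for a binary file object, read once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    crc = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        crc = zlib.crc32(chunk, crc)
        for h in hashers.values():
            h.update(chunk)
    result = {"CRC32": "0x%08x" % (crc & 0xFFFFFFFF)}
    result.update((name.upper(), h.hexdigest()) for name, h in hashers.items())
    return result


def hash_file(path):
    with open(path, "rb") as f:
        return hash_stream(f)


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def lookup(digests, known):
    """Names of the algorithms whose digest appears in `known`, a local set of
    previously seen hashes (for instance exported from a threat-intel feed)."""
    return sorted(name for name, value in digests.items() if value in known)


def format_report(path, digests):
    """Render in the same '[ALGO]   :    value' layout as the sample above."""
    lines = ["Hashes of %s" % path]
    for name in ("CRC32",) + tuple(a.upper() for a in ALGORITHMS):
        lines.append("[%s]%s:    %s" % (name, " " * (8 - len(name)), digests[name]))
    return "\n".join(lines)


# Constructed known-hash set: the MD5 of the bytes b"abc".
KNOWN_HASHES = {"900150983cd24fb0d6963f7d28e17f72"}

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/bin/bash"
    digests = hash_file(target)
    print(format_report(target, digests))
    print("known:", lookup(digests, KNOWN_HASHES) or "no match")
```

Reading the file once and feeding every hasher from the same chunk matters for large samples; hashing the file six times is the usual slow implementation of this tool.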

PE2Json

Retrieves PE information from a given binary, using pefile, and prints it in JSON format, as shown below:

 "Imports": [
    {
     "Name ": "Sleep", 
     "Address": "0x140003028"
    }, 
    {
     "Name ": "GetSystemTimeAsFileTime", 
     "Address": "0x140003030"
    }, 
    {
     "Name ": "GetCurrentThreadId", 
     "Address": "0x140003038"
    }, 
    {
     "Name ": "QueryPerformanceCounter", 
     "Address": "0x140003040"
    }, 

SetPrivileges

A privilege elevation tool to perform analysis using higher privileges.

MalwareInBash (MiB)

A set of bash functions which help with static malware analysis. Currently, the following functions are available:

  • is_pe: Determines if the given file is in the Portable Executable (PE) file-format.
  • is_pe32: Determines if the given file is a 32-bit PE.
  • is_pe64: Determines if the given file is a 64-bit PE.
  • is_dll: Determines if the given file has DLL image characteristics.
  • is_dotnet: Determines if the given file is a .Net application.
  • get_ext: Retrieves the last file extension from the filename.
  • get_section: Gets the binary's sections from the objdump disassembly of the given file.

You can use the functions by executing the following command in your bash shell: source MiB.sh

Usage Example. Printing all x64 files in a directory:

for i in *; do
	if [ "$(is_pe64 "$i")" = "True" ]; then
		echo "$i"
	fi
done

The example above is taken from one of the available print functions, which are:

  • print_is_pe: Prints all PE files on the current directory.
  • print_is_pe32: Prints all PE32 files on the current directory.
  • print_is_pe64: Prints all PE+ files on the current directory.
  • print_is_dll: Prints all DLL files on the current directory.
  • print_is_dotnet: Prints all .Net files on the current directory.
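The MiB checks reimplemented over the raw PE headers, as an added example that is neither MiB.sh nor PE2Json (it reads the same header fields PE2Json gets from pefile, without needing pefile). Header offsets follow the PE/COFF format; the test image is constructed by `make_pe()`, and `print_is_pe64()` assumes the headers fit in the first 4096 bytes of a file.

```python
import os
import struct

# Added example, not the project's MiB.sh or PE2Json. Standard library only.

IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_COM_DESCRIPTOR = 14          # data-directory slot holding the CLR (.NET) header


def pe_info(data):
    """Header facts for an in-memory PE image, or None if the data is not PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                          # optional header follows the 20-byte COFF header
    if opt + 2 > len(data):
        return None
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        nrva_off, dir_base = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        nrva_off, dir_base = opt + 108, opt + 112
    else:
        return None
    clr_rva = clr_size = 0
    if nrva_off + 4 <= len(data):
        nrva, = struct.unpack_from("<I", data, nrva_off)
        clr_off = dir_base + 8 * DIR_COM_DESCRIPTOR
        if nrva > DIR_COM_DESCRIPTOR and clr_off + 8 <= min(len(data), opt + opt_size):
            clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
    return {"machine": machine, "sections": nsections,
            "is_pe32": magic == PE32_MAGIC, "is_pe64": magic == PE32PLUS_MAGIC,
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "is_dotnet": clr_rva != 0 and clr_size != 0}


def _flag(data, key):
    info = pe_info(data)
    return bool(info and info[key])


# Same names as the MiB functions, applied to the file's bytes.
def is_pe(data):     return pe_info(data) is not None
def is_pe32(data):   return _flag(data, "is_pe32")
def is_pe64(data):   return _flag(data, "is_pe64")
def is_dll(data):    return _flag(data, "is_dll")
def is_dotnet(data): return _flag(data, "is_dotnet")


def print_is_pe64(directory):
    """Counterpart of MiB's print_is_pe64: names of PE32+ files in a directory."""
    found = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                if is_pe64(f.read(4096)):    # assumption: headers sit in the first 4 KiB
                    found.append(name)
    return found


def make_pe(plus=False, dll=False, dotnet=False):
    """Constructed minimal PE (headers only, no sections) for exercising the checks."""
    opt_size = 240 if plus else 224              # standard sizes with 16 data directories
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if plus else 0x14C, 1, 0, 0, 0, opt_size,
                       0x0002 | (IMAGE_FILE_DLL if dll else 0))
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 108 if plus else 92, 16)     # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, (112 if plus else 96) + 8 * DIR_COM_DESCRIPTOR, 0x2008, 72)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("pe32", make_pe()), ("pe32+ dll", make_pe(plus=True, dll=True)),
                       (".net", make_pe(dotnet=True))):
        print(label, pe_info(img))
```

Every bounds check in `pe_info()` is deliberate: malware samples routinely carry truncated or corrupted headers, and a checker that indexes past the end of the buffer crashes on exactly the files you most want to classify.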

TCPDUMP-rules-generator

A script which generates tcpdump command lines with capture filters:

Usage:

[TRG] No Interface Supplied
[TRG] python TCPDUMP.rules.generator/trg.py --interface <iface> (required) --options
[TRG] Options: --host <host list> --exclude-host <host_list> --port <port_list> --exclude-port <port_list> --protocol <protocol_list> --exclude-protocol <protocol_list> --out <outfile>
[TRG] Type -h for help

Input:

IFACE='eth0'
HOST='192.168.1.1 192.168.1.2'
EHOST='192.168.1.3 192.168.1.4'
PORT='1 2 3'
EPORT='4 5 6'
PROTO='tcp'
EPROTO='arp'
OUT='mypcap.pcap'
python trg.py --interface "$IFACE" --host "$HOST" --exclude-host "$EHOST" --port "$PORT" --exclude-port "$EPORT" --protocol "$PROTO" --exclude-protocol "$EPROTO" --out "$OUT"

Output:

tcpdump -i eth0 host 192.168.1.1 and host 192.168.1.2 and not host 192.168.1.3 and not host 192.168.1.4 and port 1 and port 2 and port 3 and not port 4 and not port 5 and not port 6 and tcp and not arp -w mypcap.pcap
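A generator for the same option set, as an added example that is not the project's trg.py. It differs from the output shown above in one respect worth knowing: a packet carries one source and one destination port, so a filter of the form "port 1 and port 2 and port 3" can never match, and "host A and host B" only matches traffic between A and B. This version joins each include list with "or" and negates each exclude list as a group, so the filter captures what the option names suggest. The protocol allowlist is an assumption of the example.

```python
import argparse
import shlex

# Added example, not the project's trg.py. PROTOCOLS is an assumed allowlist.

PROTOCOLS = {"tcp", "udp", "icmp", "icmp6", "arp", "ip", "ip6"}


def _port(value):
    p = int(value)
    if not 0 < p < 65536:
        raise ValueError("port out of range: %r" % value)
    return str(p)


def _proto(value):
    if value not in PROTOCOLS:
        raise ValueError("unknown protocol: %r" % value)
    return value


def _group(keyword, values, negate=False):
    """'host a or host b' as one parenthesised term; 'not (...)' for an exclude list."""
    terms = [("%s %s" % (keyword, v)).strip() for v in values]
    if not terms:
        return None
    inner = terms[0] if len(terms) == 1 else "(%s)" % " or ".join(terms)
    return "not %s" % inner if negate else inner


def build_filter(host=(), exclude_host=(), port=(), exclude_port=(),
                 protocol=(), exclude_protocol=()):
    groups = [
        _group("host", host), _group("host", exclude_host, True),
        _group("port", [_port(p) for p in port]),
        _group("port", [_port(p) for p in exclude_port], True),
        _group("", [_proto(p) for p in protocol]),
        _group("", [_proto(p) for p in exclude_protocol], True),
    ]
    return " and ".join(g for g in groups if g)


def build_command(interface, out=None, **lists):
    cmd = ["tcpdump", "-i", interface]
    if out:
        cmd += ["-w", out]
    filt = build_filter(**lists)
    if filt:
        cmd.append(filt)
    return " ".join(shlex.quote(c) for c in cmd)   # the filter becomes one quoted argument


def _flat(values):
    """Accept both repeated arguments and one quoted, space-separated list."""
    return [v for arg in values for v in arg.split()]


def main(argv=None):
    ap = argparse.ArgumentParser(prog="trg.py")
    ap.add_argument("--interface", required=True)
    for name in ("host", "exclude-host", "port", "exclude-port", "protocol", "exclude-protocol"):
        ap.add_argument("--" + name, nargs="*", default=[])
    ap.add_argument("--out")
    a = ap.parse_args(argv)
    return build_command(a.interface, a.out,
                         host=_flat(a.host), exclude_host=_flat(a.exclude_host),
                         port=_flat(a.port), exclude_port=_flat(a.exclude_port),
                         protocol=_flat(a.protocol), exclude_protocol=_flat(a.exclude_protocol))


if __name__ == "__main__":
    print(main())
```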

IPTABLES-rules-generator

Generates iptables rules from a config file.

Usage:

Usage: python irg.py <config_file>

Config File:

[forward]
enabled = Yes
[maskerade]
enabled = Yes
iface = eth0
[ports]
accept=1,tcp,2,tcp,3,udp,4,udp
reject=5,6,7,8
[routing]
route = 10.0.0.1,tcp

Output:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -p tcp --dport 1 -j ACCEPT
iptables -A FORWARD -p tcp --dport 2 -j ACCEPT
iptables -A FORWARD -p udp --dport 3 -j ACCEPT
iptables -A FORWARD -p udp --dport 4 -j ACCEPT
iptables -A FORWARD -p 6 --dport 5 -j REJECT
iptables -A FORWARD -p 8 --dport 7 -j REJECT
iptables -t nat -A -p tcp -j DNAT --to 10.0.0.1
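A config-driven generator for the same layout, as an added example that is not the project's irg.py. It reads the config with the standard `configparser` and validates the port lists as port,proto pairs: the `reject=5,6,7,8` line in the config above is not in that form, which is why the output shows rules like `-p 6 --dport 5`, so this version refuses it with a message instead. The DNAT rule is emitted on the PREROUTING chain, an assumption of this example (the output above omits the chain name).

```python
import configparser

# Added example, not the project's irg.py. Assumptions: accept/reject lists are
# port,proto pairs with proto in {tcp, udp}; the DNAT rule goes on PREROUTING.

PROTOS = {"tcp", "udp"}


def _pairs(value):
    """Parse '1,tcp,2,udp' into [(1, 'tcp'), (2, 'udp')], rejecting anything else."""
    items = [x.strip() for x in value.split(",") if x.strip()]
    if len(items) % 2:
        raise ValueError("port list must be port,proto pairs: %r" % value)
    pairs = []
    for port, proto in zip(items[::2], items[1::2]):
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError("bad port %r" % port)
        if proto not in PROTOS:
            raise ValueError("bad protocol %r for port %s (expected tcp or udp)" % (proto, port))
        pairs.append((int(port), proto))
    return pairs


def generate(config_text):
    """Return the iptables command lines for a config in the format shown above."""
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    rules = []
    if cfg.getboolean("forward", "enabled", fallback=False):
        rules.append("iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
    if cfg.getboolean("maskerade", "enabled", fallback=False):
        rules.append("iptables -t nat -A POSTROUTING -o %s -j MASQUERADE" % cfg.get("maskerade", "iface"))
    for port, proto in _pairs(cfg.get("ports", "accept", fallback="")):
        rules.append("iptables -A FORWARD -p %s --dport %d -j ACCEPT" % (proto, port))
    for port, proto in _pairs(cfg.get("ports", "reject", fallback="")):
        rules.append("iptables -A FORWARD -p %s --dport %d -j REJECT" % (proto, port))
    route = cfg.get("routing", "route", fallback="").strip()
    if route:
        target, proto = (x.strip() for x in route.split(","))
        if proto not in PROTOS:
            raise ValueError("bad protocol %r in route" % proto)
        rules.append("iptables -t nat -A PREROUTING -p %s -j DNAT --to-destination %s" % (proto, target))
    return rules


def validate(config_text):
    """None if the config generates cleanly, otherwise the error message."""
    try:
        generate(config_text)
    except (ValueError, configparser.Error) as exc:
        return str(exc)
    return None


# The config file shown above, copied verbatim.
PAGE_CONFIG = """\
[forward]
enabled = Yes
[maskerade]
enabled = Yes
iface = eth0
[ports]
accept=1,tcp,2,tcp,3,udp,4,udp
reject=5,6,7,8
[routing]
route = 10.0.0.1,tcp
"""

# The same config with the reject list written as port,proto pairs (constructed).
FIXED_CONFIG = PAGE_CONFIG.replace("reject=5,6,7,8", "reject=5,tcp,6,tcp,7,udp,8,udp")

if __name__ == "__main__":
    print("page config:", validate(PAGE_CONFIG))
    print("\n".join(generate(FIXED_CONFIG)))
```

Failing loudly on a malformed list is the safer behaviour for a firewall generator: a silently mis-parsed rule set still loads, and the missing REJECT rules are only noticed when the traffic they were meant to block shows up.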

TSHARK-filter-generator

A tool that helps generate statistics from a pcap:

Usage:

[TFG] python tfg.py <pcap_file> (required) --options
[TFG] Options: --all <ip> (exclusive) --ip-src --ip-dst --tcp-src --tcp-dst --udp-src --udp-dst
[TFG] Type -h for help

Input:

python tfg.py /tmp/teste.pcap --ip-src --ip-dst --tcp-src --tcp-dst --udp-src --udp-dst

Output:

tshark -r /tmp/teste.pcap -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -T fields

Tshark result:

192.168.0.104	200.147.A.B	43880	443		
200.147.A.B	192.168.0.104	443	43880		
192.168.0.104	255.255.255.255	17500	17500
192.168.0.104	192.168.0.255	17500	17500
192.168.0.104	91.189.A.B	39583	123
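The command construction above plus the statistics step it is meant to feed, as an added example that is not the project's tfg.py: it maps the same flags to tshark fields and then summarises the tab-separated output (top talkers, destination ports, broadcast destinations). The sample output in the block is constructed to the shape tshark's `-T fields` produces (one tab per field, empty where a field is absent), with placeholder public addresses.

```python
from collections import Counter

# Added example, not the project's tfg.py. SAMPLE_OUTPUT is constructed.

FIELD_FLAGS = {"--ip-src": "ip.src", "--ip-dst": "ip.dst",
               "--tcp-src": "tcp.srcport", "--tcp-dst": "tcp.dstport",
               "--udp-src": "udp.srcport", "--udp-dst": "udp.dstport"}


def build_tshark(pcap, flags):
    """tshark command line for the requested fields, and the field order it will emit."""
    fields = [FIELD_FLAGS[f] for f in flags]       # KeyError on an unknown flag
    cmd = ["tshark", "-r", pcap]
    for f in fields:
        cmd += ["-e", f]
    return " ".join(cmd + ["-T", "fields"]), fields


def parse_fields(text, fields):
    """Rows of {field: value} from '-T fields' output; short rows are padded."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(fields) - len(cols))
        rows.append(dict(zip(fields, cols)))
    return rows


def summarise(rows):
    talkers = Counter(r.get("ip.src", "") for r in rows)
    dports = Counter(r.get("tcp.dstport") or r.get("udp.dstport") or "-" for r in rows)
    broadcast = sum(1 for r in rows if r.get("ip.dst", "").endswith(".255"))
    return {"talkers": talkers, "dports": dports, "broadcast": broadcast}


# Constructed tshark output in the same shape as the result shown above.
SAMPLE_OUTPUT = (
    "192.168.0.104\t200.147.1.2\t43880\t443\t\t\n"
    "200.147.1.2\t192.168.0.104\t443\t43880\t\t\n"
    "192.168.0.104\t255.255.255.255\t\t\t17500\t17500\n"
    "192.168.0.104\t192.168.0.255\t\t\t17500\t17500\n"
    "192.168.0.104\t91.189.1.2\t\t\t39583\t123\n"
)

if __name__ == "__main__":
    cmd, fields = build_tshark("/tmp/teste.pcap", list(FIELD_FLAGS))
    print(cmd)
    stats = summarise(parse_fields(SAMPLE_OUTPUT, fields))
    print("talkers:", stats["talkers"].most_common(3))
    print("dports:", stats["dports"].most_common(3))
    print("broadcast rows:", stats["broadcast"])
```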

VMM

The Virtual Machine Management module:

xml_parser

Parses virtual machine data in XML format.

XML file:

<Machines>
	<VM name="VM1">
		<ip>192.168.1.1</ip>
		<port>12345</port>
		<snapshot>Snap1</snapshot>
	</VM>
</Machines>

Implemented Functions:

  • find_all: Get all VM info.
  • find_snap: Get snapshot name.
  • find_add: Get IP address.
  • find_port: Get VM open port.
  • find_name: Find VM name.

Output Example:

VM NAME: VM1
VM IP: 192.168.1.1
VM PORT: 12345
VM SNAPSHOT: Snap1

VM NAME: VM2
VM IP: 192.168.1.2
VM PORT: 54321
VM SNAPSHOT: Snap2
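The five functions listed above over that XML layout, as an added example that is not the project's xml_parser (it uses the standard library's ElementTree). The second machine in the embedded XML is constructed to match the "Output Example"; the address and port validation, and the `find_name` semantics of lookup by name attribute, are assumptions of this example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Added example, not the project's xml_parser. SAMPLE_XML extends the page's
# file with a constructed VM2 so it matches the output example.

SAMPLE_XML = """\
<Machines>
    <VM name="VM1">
        <ip>192.168.1.1</ip>
        <port>12345</port>
        <snapshot>Snap1</snapshot>
    </VM>
    <VM name="VM2">
        <ip>192.168.1.2</ip>
        <port>54321</port>
        <snapshot>Snap2</snapshot>
    </VM>
</Machines>
"""


def _vm_record(elem):
    """Validate one <VM> element: a real IP address, a usable port, a snapshot name."""
    ip = ipaddress.ip_address(elem.findtext("ip", "").strip())    # raises on a malformed address
    port = int(elem.findtext("port", "0"))
    if not 0 < port < 65536:
        raise ValueError("bad port for VM %r" % elem.get("name"))
    snapshot = (elem.findtext("snapshot") or "").strip()
    if not elem.get("name") or not snapshot:
        raise ValueError("VM entry missing name or snapshot")
    return {"name": elem.get("name"), "ip": str(ip), "port": port, "snapshot": snapshot}


def find_all(xml_text):
    """Get all VM info."""
    return [_vm_record(vm) for vm in ET.fromstring(xml_text).findall("VM")]


def find_name(xml_text, name):
    """Find a VM by its name attribute."""
    for vm in find_all(xml_text):
        if vm["name"] == name:
            return vm
    raise KeyError(name)


def find_add(xml_text, name):
    """Get IP address."""
    return find_name(xml_text, name)["ip"]


def find_port(xml_text, name):
    """Get VM open port."""
    return find_name(xml_text, name)["port"]


def find_snap(xml_text, name):
    """Get snapshot name."""
    return find_name(xml_text, name)["snapshot"]


def vm_by_number(xml_text, number):
    """The <vm_number> argument of snapshot.py, taken as a 1-based index into the file."""
    vms = find_all(xml_text)
    if not 1 <= number <= len(vms):
        raise IndexError("no VM number %d (have %d)" % (number, len(vms)))
    return vms[number - 1]


def format_vm(vm):
    return "VM NAME: %s\nVM IP: %s\nVM PORT: %d\nVM SNAPSHOT: %s" % (
        vm["name"], vm["ip"], vm["port"], vm["snapshot"])


if __name__ == "__main__":
    print("\n\n".join(format_vm(vm) for vm in find_all(SAMPLE_XML)))
```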

snapshot

Given a VM id, restores its snapshot and executes the analysis routine.

Usage:

python snapshot.py <vm_number>

VM 1 Output:

[VM 1] None - Reverting Snapshot Snap2.
Put your code here!

Contributors

gbertao, marcusbotacin
