Malware Analysis - 13cubed

(incomplete)

Some Assembly required

Payload Distribution Format

pdfid

  • analyze PDF files

pdfid.py {file_name}

look out for:

  • JavaScript / JS

  • OpenAction - take some action upon opening a file

  • RichMedia - flash program embedded

  • Launch - external or embedded software

  • URI - interaction with a website
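The keyword check pdfid performs, as an added example in Python (not part of the original notes or of the pdfid tool): it counts the names listed above as whole PDF name tokens and, like pdfid, resolves `#xx` hex escapes first so an escaped name such as `/#55RI` is still counted as `/URI`. The sample PDF bytes and the `SUSPICIOUS` watch list are constructed for this example.

```python
import re

# Names pdfid reports; the notes flag the first six as worth a closer look.
KEYWORDS = ["/JavaScript", "/JS", "/OpenAction", "/RichMedia", "/Launch",
            "/URI", "/AA", "/ObjStm", "/EmbeddedFile"]
SUSPICIOUS = set(KEYWORDS[:6])
# A PDF name token ends at whitespace or one of the delimiter characters.
_DELIM = rb"(?=[\s()<>\[\]{}/%]|$)"

def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes inside PDF names (/#55RI -> /URI) so an
    escaped keyword is counted like a plain one, as pdfid itself does."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keywords(data: bytes) -> dict:
    """Count each keyword as a whole name token in the normalized bytes."""
    text = normalize_names(data)
    return {kw: len(re.findall(re.escape(kw.encode()) + _DELIM, text))
            for kw in KEYWORDS}

def suspicious_keywords(data: bytes) -> list:
    """Keywords from the watch list that appear at least once."""
    counts = count_keywords(data)
    return [kw for kw in KEYWORDS if kw in SUSPICIOUS and counts[kw] > 0]

# Constructed, harmless sample: an OpenAction that runs a JavaScript alert,
# a Launch action, an embedded file and a URI whose name is hex-escaped.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj
5 0 obj << /Type /Action /S /Launch /F (example.txt) >> endobj
6 0 obj << /Type /EmbeddedFile /Length 3 /Filter /FlateDecode >>
stream
abc
endstream
endobj
7 0 obj << /S /#55RI /URI (http://example.invalid/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for kw, n in count_keywords(SAMPLE_PDF).items():
        print(f"{kw:<14}{n}")
    print("review:", ", ".join(suspicious_keywords(SAMPLE_PDF)))
```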

pdf-parser

  • extract embedded file contained within pdf

PDF Structure

  • Objects section in body contains text, fonts, graphics etc.

  • Xref Table maps the offsets of the file's objects.

pdf-parser.py {file_name} | more

  • Object with Type: /EmbeddedFile has a specified Length and a Filter of FlateDecode. This is the encoded file (MS Word document) embedded within the PDF.

pdf-parser.py {file_name} --object 8 --filter --raw --dump out.doc

  • --filter: decode the data by applying the stream's filter

  • --raw: display without escaping special characters

file out.doc

  • Composite Document

oledump

  • extract the embedded VBA macros from within ole or composite document format files (older MS Office file format)

oledump.py {file_name}

  • "m" - indicates VBA macros are present, but only composed of attribute or option statements

  • "M" - contains macros

oledump.py {file_name} --select 7 --vbadecompress | more

  • you can see a file being opened and a sequence of bytes being written to it, which could be malicious code

Juicy PDFs

pdfextract

from Origami framework

pdfextract {file_name}

  • streams, scripts, fonts, attachments, images will be extracted to a folder

  • in the attachments, you can see the doc file that we extracted manually using pdf-parser

If a PDF contains images, the EXIF data of those images is still attached to them within the pdf.

exiftool *.jpg | more

Visual analysis with ProcDOT

ProcMon

  • use filters to filter out the data

  • to export the data to ProcDot, use the following settings:

    • disable “Enable Advanced Output” in Filter

    • disable “Show Resolved Network Addresses” in Options

    • under “Select columns” in Options, enable “Thread ID” and disable “Sequence Number”

  • File → Save and export as CSV

ProcDOT

  • import procmon logfile and wireshark pcap file

  • select the process on which you want the graph to be focused

  • at the bottom, you can see the FilmStrip option → choose the fps and you can see the process activity played back in real time

Finding Evil with YARA

  • Rule-based approach to create descriptions of malware families based on textual or binary patterns.

  • Can be used to run against and quickly look for IOCs in multiple endpoints across multiple files.

  • Can be used alongside Volatility to analyze a memory image. YARA rules are also supported by other tools like CrowdStrike etc.

Example rules

  • meta: metadata about the rule, such as the description and the author

  • wide: search for strings encoded with 2 bytes per char

  • wide ascii: search for both the plain ascii string and its 2-bytes-per-char form

  • fullword ascii: string will match only if it appears in the file delimited by non-alphanumeric characters

Running YARA rules

yara {yara_rule_file} {binary_file} -s

-s : show the strings matched

-r : recursively search through a directory

Memory Forensics

yarascan : built-in plugin for volatility

python volatility/vol.py -f {memory_image} --profile=win10x17763 yarascan -y {rule_file}
