Malware Analysis - 13cubed

(incomplete)

Some Assembly required

Payload Distribution Format

pdfid

  • analyze PDF files

pdfid.py {file_name}

look out for:

  • JavaScript / JS

  • OpenAction - take some action upon opening a file

  • RichMedia - flash program embedded

  • Launch - external or embedded software

  • URI - interaction with a website

pdf-parser

  • extract embedded file contained within pdf

PDF Structure

  • Objects section in body contains text, fonts, graphics etc.

  • Xref Table maps the offsets of the files objects.

pdf-parser.py {file_name} | more

  • Object with Type: /EmbeddedFile has a specified length and Filter that says FlatDecode. This is the encoded file (MSword) embedded within the PDF.

pdf-parser.py {file_name} --object 8 --filter --raw --dump out.doc

  • filter : decode the string, raw: display without escaping special characters

file out.doc

  • Composite Document

oledump

  • extract the embedded VBA macros from within ole or composite document format files (older MS Office file format)

oledump.py {file_name}

  • "m" - indicates VBA macros are present, but only composed of attribute or option statements

  • "M" - contains macros

oledump.py {file_name} --select 7 --vbadecompress | more

  • you can see a file is being opened and a sequence of bytes are written to it which could be malicious code

Juicy PDFs

pdfextract

from Origami framework

pdfextract {file_name}

  • streams, sccripts, fonts, attachments, images will be extracted to a folder

  • in the attachments, you can see the doc file that we extracted manually using pdf-parser

If a PDF contains images, the EXIF data of those images is still attached to them within the pdf.

exiftool *.jpg | more

Visual analysis with ProcDOT

ProcMon

  • use filters to filter out the data

  • to export the data to ProcDot, use the following settings:

    • disable “Enable Advanced Output” in Filter

    • disable “Show Resolved Network Addresses” in Options

    • under “Select columns” in Options, enable “Thread ID” and disable “Sequence Number”

  • File → Save and export as CSV

ProcDOT

  • import procmon logfile and wireshark pcap file

  • select the process from which you want the graph to be focussed

at the bottom, you can see FilmStrip option → choose the fps and you can see the process in real time

Finding Evil with YARA

  • Rule-based approach to create descriptions of malware families based on textual or binary patterns.

  • Can be used to run against and quickly look for IOCs in multiple endpoints across multiple files.

  • Can be used alongside Volatility to analyze a memory image. YARA rules are also supported by other tools like crowdstrike etc.

Example rules

rule Example1 {
	meta:
		description = "description"
		author = "Neeraj"
		date = "2023-06-16"

	strings:
		$domain1 = "badsite1.com" nocase
		$domain2 = "badsite2.com" nocase
		$domain3 = "badsite3.com" nocase
		$ip = /([0-9]{1,3}\\.){3}[0-9]{1,3}/ wide ascii

	condition:
		2 of ($domain1, $domain2, $domain3) and 
		$ip and 
		filesize < 1KB

  • meta: description of the author

  • wide: search for strings encoded with 2 bytes per char

  • wide ascii: search for ascii only strings with 2 bytes per char fullword ascii: string will match only if it appears in the file delimited by non-alphanumeric characters

rule upx_packed {
	meta:
		description = "detect a UPX packed file"

	strings:
		$mz = "MZ"
		$upx0 = {55505830000000}
		$upx1 = {55505831000000}
		$upx_sig = "UPX!"

	condition:
		$mz at 0 and $upx in (0..1024) and $upx1 in (0..1024) 
			and $upx_sig in (0..1024)

Running YARA rules

yara {yara_rule_file} {binary_file} -s

-s : show the strings matched -r : recursively search through a directory

Memory Forensics

yarascan : built-in plugin for volatility

python volatility/vol.py -f {memory_image} --profile=win10x17763 yarascan -y {rule_file}

PreviousTriagingNextgdb

Last updated