Malware Analysis - 13cubed
(incomplete)
Some Assembly required
Payload Distribution Format
pdfid
analyze PDF files
pdfid.py {file_name}
look out for:
JavaScript / JS
OpenAction - performs some action automatically when the file is opened
RichMedia - embedded Flash content
Launch - runs external or embedded software
URI - interaction with a website
pdf-parser
extract an embedded file contained within a PDF
PDF Structure
The objects in the body contain text, fonts, graphics, etc.
The xref table maps the byte offsets of the file's objects.
pdf-parser.py {file_name} | more
The object with Type: /EmbeddedFile has a specified Length and a Filter that says FlateDecode. This is the encoded file (MS Word document) embedded within the PDF.
pdf-parser.py {file_name} --object 8 --filter --raw --dump out.doc
--filter: run the stream through its decoding filter (FlateDecode here); --raw: output without escaping special characters
file out.doc
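The pdfid and pdf-parser steps above, as an added example that is not part of the original notes or of Didier Stevens' tools: it builds a small constructed PDF in memory (the object layout, the /Java#53cript spelling, the attachment name report.doc and the OLE2-magic "document" are all made up here), counts the keywords the notes say to look out for the way pdfid does (after undoing #xx hex escapes in names), then locates the /EmbeddedFile object, slices its stream by /Length, runs FlateDecode (zlib) and identifies the result from its magic bytes like `file` would.

```python
import re
import zlib

# Keywords the notes say to look for, plus /EmbeddedFile (the object type pdf-parser dumped
# above). Counted the way pdfid does: over the raw file, after undoing #xx name escapes.
PDFID_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/RichMedia",
                  b"/Launch", b"/URI", b"/EmbeddedFile"]

# OLE2 / Compound File magic: what `file out.doc` recognises as a legacy Word document.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_sample_pdf(attachment: bytes) -> bytes:
    """Constructed test input: a tiny PDF whose catalog has an /OpenAction pointing at a
    JavaScript action, and which carries `attachment` as a FlateDecode /EmbeddedFile."""
    compressed = zlib.compress(attachment)
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R "
        b"/Names << /EmbeddedFiles << /Names [(report.doc) 5 0 R] >> >> >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        # /Java#53cript is /JavaScript with the 'S' written as a #xx hex escape: a legal
        # spelling of the same name that a plain grep for "/JavaScript" would miss.
        b"<< /S /Java#53cript /JS (app.alert('constructed sample');) >>",
        b"<< /Type /Filespec /F (report.doc) /EF << /F 6 0 R >> >>",
        b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)                                   # the xref table maps object offsets
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objects) + 1, xref_pos)
    return bytes(out)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names so /Java#53cript counts as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(pdf: bytes) -> dict:
    """pdfid-style keyword counts. The lookahead requires a delimiter after the name, so
    /EmbeddedFile does not also count the /EmbeddedFiles name tree."""
    data = normalize_names(pdf)
    delimiter = rb"(?=[\s()<>\[\]{}/%]|$)"
    return {kw.decode(): len(re.findall(re.escape(kw) + delimiter, data)) for kw in PDFID_KEYWORDS}


def iter_objects(pdf: bytes):
    """Yield (object number, body) for each `N 0 obj ... endobj`. Assumes generation 0 and
    that no binary stream happens to contain the token `endobj`."""
    for m in re.finditer(rb"(\d+) 0 obj\s*(.*?)\s*endobj", pdf, re.S):
        yield int(m.group(1)), m.group(2)


def stream_bytes(body: bytes) -> bytes:
    """Slice the raw stream using the dictionary's /Length, as pdf-parser does."""
    length = int(re.search(rb"/Length\s+(\d+)", body).group(1))
    start = body.index(b"stream") + len(b"stream")
    start += 2 if body[start:start + 2] == b"\r\n" else 1   # EOL after the `stream` keyword
    return body[start:start + length]


def extract_embedded_files(pdf: bytes) -> dict:
    """Equivalent of `pdf-parser.py --object N --filter --raw --dump` for every /EmbeddedFile."""
    files = {}
    for num, body in iter_objects(pdf):
        if not re.search(rb"/Type\s*/EmbeddedFile(?![A-Za-z])", body):
            continue
        raw = stream_bytes(body)
        if re.search(rb"/Filter\s*/FlateDecode", body):
            raw = zlib.decompress(raw)                    # FlateDecode is zlib
        files[num] = raw
    return files


def identify(data: bytes) -> str:
    """A `file`-style first guess from magic bytes."""
    if data.startswith(OLE2_MAGIC):
        return "Composite Document File (OLE2, legacy MS Office)"
    if data.startswith(b"PK\x03\x04"):
        return "Zip archive (OOXML or similar)"
    if data.startswith(b"%PDF"):
        return "PDF document"
    if data.startswith(b"MZ"):
        return "PE executable"
    return "data"


# Constructed stand-in for the embedded Word document: real OLE2 magic, made-up body.
SAMPLE_DOC = OLE2_MAGIC + b"constructed stand-in for an OLE2 .doc body"
SAMPLE_PDF = build_sample_pdf(SAMPLE_DOC)

if __name__ == "__main__":
    for keyword, count in count_keywords(SAMPLE_PDF).items():
        print(f"{keyword:<14}{count}")
    for num, data in extract_embedded_files(SAMPLE_PDF).items():
        print(f"object {num}: {len(data)} bytes, {identify(data)}")
```

The name normalization is the part worth remembering: pdfid reports hex-escaped names because a scanner that only greps for the literal /JavaScript spelling is trivially blind to them.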
Composite Document
oledump
extract embedded VBA macros from OLE / composite document format files (the older MS Office file format)
oledump.py {file_name}
"m" - the stream contains VBA macros, but they consist only of Attribute or Option statements
"M" - contains macros
oledump.py {file_name} --select 7 --vbadecompress | more
in the decompressed source you can see a file being opened and a sequence of bytes written to it, which could be malicious code
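What --vbadecompress does, as an added example that is not part of the original notes or of oledump: VBA source is stored in the "compressed container" format of [MS-OVBA] section 2.4.1, and the decoder below follows that layout (0x01 signature, 4096-byte chunks, flag bytes, literal tokens and copy tokens whose offset/length split shifts as the chunk fills). A literal-only encoder is included purely to construct test input, and `macro_indicator` applies the "m" / "M" distinction the notes describe. The macro text and the hand-assembled container are constructed here, not taken from any real document.

```python
# MS-OVBA "compressed container" codec: the encoding behind `oledump.py --vbadecompress`.
# Constructed example; the chunk and token layout follows [MS-OVBA] section 2.4.1.

def decompress_vba(data: bytes) -> bytes:
    """Decompress a VBA source container: 0x01 signature, then chunks of up to 4096
    decompressed bytes made of literal bytes and LZ77-style copy tokens."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = pos + (header & 0x0FFF) + 3          # size field excludes 3 bytes
        chunk_start = len(out)                            # decompressed offset of this chunk
        pos += 2
        if not header & 0x8000:                           # flag clear: 4096 raw bytes follow
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                          # one flag bit per token
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                # 0: literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length split depends on how far into the chunk we already are.
                difference = len(out) - chunk_start
                bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(difference)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                   # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_vba_literal(source: bytes) -> bytes:
    """Produce a valid container using literal tokens only (no back-references); enough to
    build test input. 3640 literals + 455 flag bytes + 2 header bytes stay within the
    4098-byte chunk limit."""
    out = bytearray(b"\x01")
    for i in range(0, len(source), 3640):
        chunk = source[i:i + 3640]
        body = bytearray()
        for j in range(0, len(chunk), 8):
            body.append(0x00)                             # flag byte: eight literal tokens
            body += chunk[j:j + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        out += header.to_bytes(2, "little") + body
    return bytes(out)


def macro_indicator(source: bytes) -> str:
    """oledump's indicator as the notes describe it: 'm' when the module holds only
    Attribute/Option statements (boilerplate every module has), 'M' when there is real code."""
    lines = [line.strip() for line in source.splitlines() if line.strip()]
    return "m" if all(line.startswith((b"Attribute ", b"Option ")) for line in lines) else "M"


# Constructed macro source of the kind --vbadecompress prints.
ATTRIBUTES_ONLY = b'Attribute VB_Name = "ThisDocument"\r\nOption Explicit\r\n'
MODULE_WITH_CODE = ATTRIBUTES_ONLY + b'Sub Demo()\r\n    MsgBox "constructed sample"\r\nEnd Sub\r\n'

# Hand-assembled container with one copy token: literals "abc", then copy 6 bytes from
# 3 bytes back. Header 0xB005 = compressed flag | signature 011 | (8 - 3); flags 0x08 marks
# the fourth token as a copy; token 0x2003 = offset field 2 (offset 3), length field 3 (6).
HAND_MADE = b"\x01\x05\xb0\x08abc\x03\x20"

if __name__ == "__main__":
    print(decompress_vba(HAND_MADE))
    for src in (ATTRIBUTES_ONLY, MODULE_WITH_CODE):
        roundtrip = decompress_vba(compress_vba_literal(src))
        print(macro_indicator(roundtrip), roundtrip.decode().splitlines()[-1])
```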
Juicy PDFs
pdfextract
from Origami framework
pdfextract {file_name}
streams, scripts, fonts, attachments, images will be extracted to a folder
in the attachments folder you can see the .doc file that we extracted manually using pdf-parser
If a PDF contains images, the EXIF data of those images is still attached to them within the PDF.
exiftool *.jpg | more
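What exiftool is reading when it lists the metadata of a carved image, as an added example that is not part of the original notes or of exiftool/pdfextract: EXIF lives in the JPEG APP1 segment as a TIFF structure (byte-order mark, offset to IFD0, 12-byte directory entries pointing at values). The builder constructs a minimal JPEG whose only content is such a segment (the Make/Model/Software/DateTime values are made up), and the reader walks the markers and returns the ASCII tags, handling both inline and offset-stored values and both byte orders.

```python
import struct

# Standard TIFF/EXIF tag ids for the ASCII tags this example reads.
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime"}


def build_jpeg_with_exif(tags: dict) -> bytes:
    """Constructed input: SOI, an APP1 'Exif' segment holding a little-endian TIFF header
    and one IFD of ASCII tags, then EOI. A metadata container only, not a viewable image."""
    entries, blob = [], b""
    data_start = 8 + 2 + 12 * len(tags) + 4        # header, count, entries, next-IFD pointer
    for tag_id in sorted(tags):                     # TIFF requires ascending tag order
        value = tags[tag_id].encode("ascii") + b"\x00"
        if len(value) <= 4:                         # values of 4 bytes or less live inline
            entries.append(struct.pack("<HHI", tag_id, 2, len(value)) + value.ljust(4, b"\x00"))
        else:                                       # longer values are stored at an offset
            entries.append(struct.pack("<HHII", tag_id, 2, len(value), data_start + len(blob)))
            blob += value
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", len(tags))
            + b"".join(entries) + struct.pack("<I", 0) + blob)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def read_exif_ascii(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments, locate APP1/Exif, and return IFD0's ASCII tags."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):              # SOS or EOI: no more header segments
            break
        segment = jpeg[pos + 4:pos + 2 + length]     # length counts its own two bytes
        pos += 2 + length
        if marker == 0xFFE1 and segment.startswith(b"Exif\x00\x00"):
            return _parse_ifd0_ascii(segment[6:])
    return {}


def _parse_ifd0_ascii(tiff: bytes) -> dict:
    order = "<" if tiff[:2] == b"II" else ">"        # II = little-endian, MM = big-endian
    (ifd_offset,) = struct.unpack(order + "I", tiff[4:8])
    (count,) = struct.unpack(order + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        entry = ifd_offset + 2 + 12 * i
        tag, typ, n, raw = struct.unpack(order + "HHI4s", tiff[entry:entry + 12])
        if typ != 2:                                 # 2 = ASCII; other types skipped here
            continue
        if n <= 4:
            value = raw[:n]
        else:
            (offset,) = struct.unpack(order + "I", raw)
            value = tiff[offset:offset + n]
        tags[TAG_NAMES.get(tag, hex(tag))] = value.rstrip(b"\x00").decode("ascii", "replace")
    return tags


# Constructed metadata of the kind exiftool would list for an image carved out of a PDF.
SAMPLE_JPEG = build_jpeg_with_exif({
    0x0110: "X1",                                    # short enough to be stored inline
    0x0131: "constructed-editor 1.0",
    0x0132: "2024:01:01 00:00:00",
})

if __name__ == "__main__":
    for name, value in read_exif_ascii(SAMPLE_JPEG).items():
        print(f"{name:<10}{value}")
```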
Visual analysis with ProcDOT
ProcMon
use filters to cut the capture down to the events of interest
to export the data to ProcDot, use the following settings:
disable “Enable Advanced Output” in the Filter menu
disable “Show Resolved Network Addresses” in Options
under “Select columns” in Options, enable “Thread ID” and disable “Sequence Number”
File → Save and export as CSV
ProcDOT
import procmon logfile and wireshark pcap file
select the process on which the graph should be focused
at the bottom, the FilmStrip option lets you choose the fps and watch the process activity replay in real time
Finding Evil with YARA
Rule-based approach to create descriptions of malware families based on textual or binary patterns.
Can be run across many files on many endpoints to quickly look for IOCs.
Can be used alongside Volatility to analyze a memory image. YARA rules are also supported by other tools such as CrowdStrike.
Example rules
meta: rule metadata such as description and author
wide: search for strings encoded with 2 bytes per char
wide ascii: search for both the ASCII (1 byte per char) and the wide (2 bytes per char) form of the string
fullword ascii: the string matches only if it appears in the file delimited by non-alphanumeric characters
Running YARA rules
yara {yara_rule_file} {binary_file} -s
-s : show the strings matched
-r : recursively search through a directory
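The string modifiers above, as an added example that is not part of the original notes and does not use the YARA engine: a constructed rule in YARA syntax (its strings are illustrative, not indicators from any real sample) is parsed by a small purpose-built reader, and a simplified matcher shows what `ascii`, `wide`, `ascii wide` and `fullword` mean in practice. The two buffers are constructed stand-ins for a process dump; the negative one differs only in "svchostx", which `fullword` must reject. Only text strings and the `all of them` / `any of them` conditions are supported; this is a model of the semantics, not a replacement for yara.

```python
import re

# Constructed rule text, written to exercise the modifiers the notes list. The strings are
# illustrative only and do not come from any real sample.
RULE = r'''
rule Constructed_Example
{
    meta:
        description = "constructed rule for the added example"
        author = "not from the original notes"
    strings:
        $url  = "http://example.invalid/update.bin" ascii
        $api  = "URLDownloadToFileA" ascii wide
        $name = "svchost" wide ascii fullword
    condition:
        all of them
}
'''


def _section(text: str, label: str) -> str:
    """Body of `label:` up to the next section label or the closing brace."""
    m = re.search(label + r":\s*(.*?)(?=\n\s*(?:meta|strings|condition):|\n\s*\})", text, re.S)
    return m.group(1) if m else ""


def parse_rule(text: str):
    """Minimal parser for the subset used here: quoted text strings with modifiers and an
    `all of them` / `any of them` condition. Returns (name, meta, strings, condition)."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    meta = dict(re.findall(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$', _section(text, "meta"), re.M))
    strings = {}
    for ident, value, mods in re.findall(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*([\w ]*)$',
                                         _section(text, "strings"), re.M):
        strings[ident] = (value.encode(), set(mods.split()))
    return name, meta, strings, _section(text, "condition").strip()


def _encodings(value: bytes, mods: set):
    """YARA's default is the plain ASCII form; `wide` adds UTF-16LE; `ascii wide` keeps both."""
    forms = []
    if "ascii" in mods or "wide" not in mods:
        forms.append(("ascii", value))
    if "wide" in mods:
        forms.append(("wide", value.decode().encode("utf-16-le")))
    return forms


def _alnum_unit(unit: bytes, width: int) -> bool:
    """Is this 1-byte (ascii) or 2-byte (wide) code unit an ASCII letter or digit?"""
    if len(unit) != width or (width == 2 and unit[1] != 0):
        return False
    return unit[0] < 128 and chr(unit[0]).isalnum()


def find_matches(data: bytes, value: bytes, mods: set) -> list:
    """All (offset, form) hits for one string. `fullword` rejects hits glued to other
    alphanumerics, so "svchost" matches inside "svchost.exe" but not inside "svchostx"."""
    hits = []
    for form, needle in _encodings(value, mods):
        width = 2 if form == "wide" else 1
        start = data.find(needle)
        while start != -1:
            end = start + len(needle)
            before = data[start - width:start] if start >= width else b""
            glued = _alnum_unit(before, width) or _alnum_unit(data[end:end + width], width)
            if "fullword" not in mods or not glued:
                hits.append((start, form))
            start = data.find(needle, start + 1)
    return hits


def scan(rule_text: str, data: bytes):
    """Evaluate the rule against a buffer: returns (rule fired?, per-string hits)."""
    _, _, strings, condition = parse_rule(rule_text)
    matched = {ident: find_matches(data, value, mods) for ident, (value, mods) in strings.items()}
    hit = sum(1 for hits in matched.values() if hits)
    if condition == "all of them":
        return hit == len(strings), matched
    if condition == "any of them":
        return hit > 0, matched
    raise NotImplementedError("condition not supported by this model: " + condition)


def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


# Constructed buffers standing in for a process dump: the URL as plain ASCII, the API name
# and the path as UTF-16LE, which is how Windows programs commonly hold strings.
POSITIVE = (b"\x00" * 16 + b"http://example.invalid/update.bin\x00" + b"\x00" * 8
            + u16("URLDownloadToFileA") + b"\x00" * 4 + u16("C:\\Windows\\svchost.exe") + b"\x00" * 8)
NEGATIVE = POSITIVE.replace(u16("svchost.exe"), u16("svchostx.exe"))   # fullword must reject this

if __name__ == "__main__":
    for label, buf in (("positive", POSITIVE), ("negative", NEGATIVE)):
        fired, matched = scan(RULE, buf)
        print(label, "fired" if fired else "no match", {k: [f for _, f in v] for k, v in matched.items()})
```

The practical lesson is the `$api` line: without `wide`, a rule written from strings seen in a file on disk can miss the same program once it is running, because in memory the string is often held as UTF-16LE; that applies equally when the rule is run by Volatility's yarascan.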
Memory Forensics
yarascan : built-in Volatility plugin
python volatility/vol.py -f {memory_image} --profile=win10x17763 yarascan -y {rule_file}