#!/usr/bin/env python3
import os,sys,re,string
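def checkconfig():
    """Abort with install instructions when the PE-parsing libraries are missing.

    Only probes that ``pefile`` and ``peutils`` import cleanly; nothing else in
    this file calls them (every scan below is plain string matching), so this
    is a hard dependency gate rather than a functional check.

    Raises:
        SystemExit: status 1 when either module cannot be imported, so a
            wrapper or CI job can tell "missing dependency" from success.
    """
    try:
        import pefile, peutils  # noqa: F401 -- presence check only
    except ImportError:
        print("\n[!] PE Module Missing.")
        print("\n[!] For Debian/Ubuntu/Mint please run: sudo apt-get install -y python3-pefile")
        print("\n[!] For RHEL/CentOS/Fedora please run: sudo yum install -y python3-pefile")
        sys.exit(1)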
# Superseded: the commented-out function below is an earlier version of platform_clear_screen() that switched on sys.platform; it is never called and is kept only for reference.
# def platform_clear_screen():
# if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin' or sys.platform == 'linux':
# SysCls = 'clear'
# elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
# SysCls = 'cls'
# else:
# SysCls = 'unknown'
# os.system(SysCls)
def platform_clear_screen():
    """Clear the terminal with the host's native command.

    Uses ``cls`` when ``os.name`` is ``'nt'`` (Windows) and ``clear`` for
    every other platform.  The command is a fixed literal chosen here, so the
    shell invocation never sees user-controlled input.
    """
    native_clear = {"nt": "cls"}
    os.system(native_clear.get(os.name, "clear"))
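# Module-level scratch list.  Every scan function below shadows it with its own
# local ``performed=[]``, so this one is never written by the scans; it is kept
# for any external code that reads it.
performed = []
# Path of the sample to analyse, taken from the first command-line argument.
# Resolved to None when absent so that help_function() gets to print usage
# instead of the module dying with IndexError at import time.
malware = sys.argv[1] if len(sys.argv) > 1 else None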
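# Signature lists consumed by the scan functions below.  Each entry is compared
# against every line of the sample as plain text, so these are literal API /
# keyword names, not regular expressions.  Entries are unique within a list: a
# duplicate never produced a second report (each hit is printed once) and only
# cost an extra pass over every line, so the repeats have been dropped.  The
# malformed entry "sntprintf _vsnprintf" (two names fused by a missing comma)
# is gone; "_sntprintf" and "_vsnprintf" are each listed once.
#
# Reading the output: a hit only proves the bytes occur somewhere in the file
# (import table, string, or coincidence).  A packed or string-obfuscated sample
# shows nothing, and short tokens such as "http" (also inside "https"), "Port",
# "LIST" or "WHO" match far more than IRC/HTTP code.

# CryptoAPI imports (CryptAcquireContext / CryptGenKey / CryptEncrypt ...) plus
# the registry, shell and string helpers this list also keys on.
Uses_Microsoft_Enhanced_Cryptographic_Provider = [
    "CryptImportKey", "CryptDecrypt", "CryptDestroyKey", "CryptReleaseContext",
    "EntryPoint", "CryptAcquireContextA", "lstrcpyW", "lstrlenW", "lstrcatW",
    "CloseHandle", "lstrcmpiA", "RegOpenKeyExA", "lstrlenA", "RegSetValueExA",
    "RegCloseKey", "RegQueryValueExA", "GetLastError", "GetEnvironmentVariableA",
    "ShellExecuteA", "Sleep", "CryptGenKey", "CryptExportKey", "CryptEncrypt",
    "KiUserExceptionDispatcher", "RtlZeroMemory", "MultiByteToWideChar",
    "lstrcatA", "RegCreateKeyA", "SHChangeNotify", "SetErrorMode",
]

# Debugger detection and process-enumeration APIs; the socket names at the end
# are inherited from the original list and are not anti-debugging as such.
AntiDebugging = [
    "IsDebuggerPresent", "OutputDebugStringW", "CreateToolhelp32Snapshot",
    "Process32FirstW", "lstrcmpiW", "lstrlenW", "GetCurrentProcessId",
    "OpenProcess", "TerminateProcess", "Process32NextW",
    "__crtSetUnhandledExceptionFilter", "GetProcessHeap", "RtlAllocateHeap",
    "socket", "htons", "select", "memset", "recv", "HeapFree", "closesocket",
    "OutputDebugString",
]

# File creation / copy / move / mapping APIs.
File_Interaction = [
    "GetFileAttributesW", "CopyFileA", "CreateFileW", "WriteFile",
    "SetFileAttributesW", "GlobalFree", "GetModuleFileNameA",
    "GetSystemTimeAsFileTime", "FileTimeToSystemTime", "GetDateFormatA",
    "CreateFileA", "MoveFileW", "CreateFileMappingA", "MapViewOfFile",
    "UnmapViewOfFile", "SetFilePointerEx",
]

# Winsock imports and URL scheme prefixes ("http" also matches "https").
Network_Connection = [
    "connect", "bind", "gethostbyname", "gethostbyaddr", "getaddrinfo", "socket",
    "http", "https", "WS2_32.dll", "WSOCK32.dll",
]

# Microsoft SDL "banned" C runtime functions (unbounded copy / cat / printf /
# scanf / itoa families and raw memory copies).  Name kept as-is, including
# the FUCNTIONS misspelling, because the scan functions reference it.
MSFT_BANNED_FUCNTIONS = [
    "strcpy", "strcpyA", "strcpyW", "wcscpy", "_tcscpy", "_mbscpy", "StrCpy",
    "StrCpyA", "StrCpyW", "lstrcpy", "lstrcpyA", "lstrcpyW", "_tccpy", "_mbccpy",
    "_ftcscpy", "strncpy", "wcsncpy", "_tcsncpy", "_mbsncpy", "_mbsnbcpy",
    "StrCpyN", "StrCpyNA", "StrCpyNW", "StrNCpy", "strcpynA", "StrNCpyA",
    "StrNCpyW", "lstrcpyn", "lstrcpynA", "lstrcpynW", "strcat", "strcatA",
    "strcatW", "wcscat", "_tcscat", "_mbscat", "StrCat", "StrCatA", "StrCatW",
    "lstrcat", "lstrcatA", "lstrcatW", "StrCatBuff", "StrCatBuffA", "StrCatBuffW",
    "StrCatChainW", "_tccat", "_mbccat", "_ftcscat", "strncat", "wcsncat",
    "_tcsncat", "_mbsncat", "_mbsnbcat", "StrCatN", "StrCatNA", "StrCatNW",
    "StrNCat", "StrNCatA", "StrNCatW", "lstrncat", "lstrcatnA", "lstrcatnW",
    "lstrcatn", "sprintfW", "sprintfA", "wsprintf", "wsprintfW", "wsprintfA",
    "sprintf", "swprintf", "_stprintf", "wvsprintf", "wvsprintfA", "wvsprintfW",
    "vsprintf", "_vstprintf", "vswprintf", "wnsprintf", "wnsprintfA", "wnsprintfW",
    "_snwprintf", "snprintf", "vsnprintf", "_vsnwprintf", "_vsntprintf",
    "wvnsprintf", "wvnsprintfA", "wvnsprintfW", "_snprintf", "_sntprintf",
    "nsprintf", "_vsnprintf", "_fstrncpy", "_fstrncat", "snscanf", "snwscanf",
    "_sntscanf", "_itoa", "_itow", "_i64toa", "_i64tow", "_ui64toa", "_ui64tot",
    "_ui64tow", "_ultoa", "_ultot", "_ultow", "memcpy", "RtlCopyMemory",
    "CopyMemory", "wmemcpy",
]

# Registry hive names and the one Reg* API not already covered above.
REGISTRY_CALLS = [
    "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE", "HKCU", "HKLM",
    "RegCloseKey", "HKEY_CURRENT_CONFIG", "HKEY_USERS",
]

# IRC protocol verbs and bot-style vocabulary.  Case-sensitive; the short
# upper-case verbs are prone to false positives in arbitrary binaries.
Uses_IRC = [
    "IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK",
    "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD",
    "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE",
    "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION",
]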
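def _scan_signatures(path, signatures, label):
    """Print and return every signature from *signatures* found in the file at *path*.

    The file is decoded as ISO-8859-1 (every byte value is a valid code point,
    so a binary PE never raises a decode error) and walked line by line inside
    a ``with`` block so the handle is closed when the scan ends.  Each
    signature is matched as a literal substring: the lists hold API and
    keyword names, not regular expressions, so a ``.`` in ``WS2_32.dll`` must
    not act as a wildcard.  A signature is reported once, the first time it is
    seen, as ``print(label, signature)``.

    Args:
        path: file to scan.
        signatures: iterable of literal strings to look for.
        label: text printed before the matched signature.

    Returns:
        list[str]: matched signatures in first-seen order (empty when none).

    Raises:
        OSError: if *path* cannot be opened.
    """
    found = []
    with open(path, encoding="ISO-8859-1") as sample:
        for line in sample:
            for sig in signatures:
                # Membership test first: it is the cheap check and makes a
                # repeated entry in a list harmless.
                if sig not in found and sig in line:
                    print(label, sig)
                    found.append(sig)
    return found


def start_analysis_crypto(malware):
    """Report Uses_Microsoft_Enhanced_Cryptographic_Provider hits in *malware*.

    Returns the list of matched signatures (previously returned None).
    """
    return _scan_signatures(
        malware, Uses_Microsoft_Enhanced_Cryptographic_Provider,
        "[+]This file uses Microsoft enchanced Cryptographic Provided: ")


def start_analysis_debug(malware):
    """Report AntiDebugging hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, AntiDebugging,
                            "[+] This file uses Debugging: ")


def start_analysis_file_interaction(malware):
    """Report File_Interaction hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, File_Interaction,
                            "[+] This file uses File Interaction: ")


def network_connection(malware):
    """Report Network_Connection hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, Network_Connection,
                            "[+] This file uses Network Connection: ")


def start_analysis_banned(malware):
    """Report MSFT_BANNED_FUCNTIONS hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, MSFT_BANNED_FUCNTIONS,
                            "[+] This file uses Microsoft Banned Functions: ")


def start_analysis_regcalls(malware):
    """Report REGISTRY_CALLS hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, REGISTRY_CALLS,
                            "[+] This file modifies the registry: ")


def start_analysis_IRC(malware):
    """Report Uses_IRC hits in *malware*; returns the matched signatures."""
    return _scan_signatures(malware, Uses_IRC,
                            "[+] This file use IRC communication: ")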
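def help_function():
    """Print usage and exit when no sample path was given or ``--help`` is present.

    With fewer than two argv entries (no sample path) the usage text is printed
    and the process exits with status 1; with ``--help`` among the arguments
    the analysis summary is printed and the process exits with status 0.
    Otherwise returns None and the caller proceeds.  The program name shown in
    the usage text is derived from ``sys.argv[0]`` so it matches however the
    script is actually installed or invoked.

    Raises:
        SystemExit: in the two cases described above.
    """
    prog = os.path.basename(sys.argv[0]) if sys.argv else ""
    prog = prog or "malware_file_analysis.py"
    if len(sys.argv) < 2:
        print("\n Usage: ./{0} <MALWARE FILENAME>\n".format(prog))
        print("\t\t Example: ./{0} malware.exe\n".format(prog))
        print("\tFor Help: ./{0} --help\n".format(prog))
        sys.exit(1)
    if "--help" in sys.argv[1:]:
        print(" To Perform Complete Analysis: Usage: ./{0} [Malware FIle]\n ".format(prog))
        sys.exit(0)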
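def validate_malware(malware):
    """Exit with a message unless *malware* names a file that can be opened.

    Only opens the file in binary mode inside a ``with`` block (closing it at
    once); it no longer reads the whole sample into memory just to prove it
    exists.  Any ``OSError`` (missing, unreadable, is a directory ...) or a
    ``None`` path (no argument supplied) prints the "Malware Missing" message
    and exits with status 1.  Returns None on success.

    Raises:
        SystemExit: status 1 when the sample cannot be opened.
    """
    try:
        with open(malware, "rb"):
            pass
    except (OSError, TypeError):
        # TypeError covers malware is None; OSError covers every open failure.
        print(" \n\n[!]Malware Missing .Exiting.\n")
        sys.exit(1)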
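def apps_start(path=None):
    """Run the dependency/usage checks and every signature scan on one sample.

    Sequence: checkconfig(), platform_clear_screen(), help_function(),
    validate_malware(), then the seven string-signature scans, each preceded
    by a "[!] Checking ..." banner.  Everything is written to stdout with
    print(); the sample itself is only read, never executed.

    Args:
        path: sample to analyse.  Defaults to the module-level ``malware``
            (the first command-line argument) so existing callers that pass
            nothing behave exactly as before.
    """
    if path is None:
        path = malware
    checkconfig()            # aborts unless the PE libraries import
    platform_clear_screen()  # clear with the OS-appropriate command
    help_function()          # prints usage and exits on missing args / --help
    validate_malware(path)   # exits if the sample cannot be opened
    scans = (
        ("\n[!] Checking to see if the file uses Microsoft Enhanced Cryptographic Provider\n",
         start_analysis_crypto),
        ("\n[!] Checking to see if the file uses AntiDebugging\n",
         start_analysis_debug),
        ("\n[!] Checking to see if the file uses File Interaction\n",
         start_analysis_file_interaction),
        ("\n[!] Checking to see if the file is network aware\n",
         network_connection),
        ("\n[!] Checking to see if the file uses banned functions\n",
         start_analysis_banned),
        ("\n[!] Checking to see if the file modifies the registry\n",
         start_analysis_regcalls),
        ("\n[!] Checking to see if the file uses IRC communication\n",
         start_analysis_IRC),
    )
    for banner, scan in scans:
        print(banner)
        scan(path)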
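# Only run the pipeline when executed as a script; importing this module for
# its signature lists or scan functions must not start an analysis (or exit).
if __name__ == "__main__":
    apps_start()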