Friday, Feb 22, 2013

Tektip ep23 - MASTIFF with a splash of Maltrieve

In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of the episode, I wanted to delve into Maltrieve first, since it is how the samples get collected.

Maltrieve is a fork of MWCrawler, which you may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell (@KyleMaxwell). It has the same basic function as MWCrawler, downloading malware samples from various public feeds, but it runs much faster and the feeds it pulls from are more reliable. @KyleMaxwell is working on adding thug integration as well.

Once it is downloaded, run maltrieve without any options, as seen below:

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py 
2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory
2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file
2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue
2013-02-23 20:33:03 -1241515200 Fetched URL http://famagatra.ru:8080/forum/links/public_version.php from queue
2013-02-23 20:33:03 -1249907904 Fetched URL http://fzukungda.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: 421ae9afed094a1b2ee1977507175dfc
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&gt%2F;&&&&gt%2F;&&&&lt%2F;%2Fbr%2F&&&&lt, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: ddb8eec9f195d191f05c793ca8f23e4f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=http:%2Fdownload2.microapp.com%2Ftelechargement%2Feval%2F10001_eval.exetitle=compil&&&ampampampampampamp&&&ampampampampampampampamp&&&ampampa, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: cb932f33a7fa52e3e88bba3d5073d26f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=hxxp:%2Fdownltbr%2Fgtload2.microapp.com%2Ftelechargement%2Feval%2F10275_eval.exeltbr%2Fgttitle=enigmes, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: a1fe3bca05487621dd876af0e8a31408
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=3dhttp:%<br%2F>2fdownlo, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: 7cd588413684f019d52a304f78a6538e


This downloads the samples to the default directory, /tmp/malware. Keep in mind that you are fetching live malware from live exploit-kit and drop-site URLs, so run this from an isolated analysis box, not your workstation.

*Make sure this directory exists, or change the path in the Python script to wherever you want the samples to land.
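The "Parsing description" lines above are worth more than a progress indicator: each one carries the host or URL, the IP, the ASN, the country and either a description or an MD5, which is exactly the indicator set you want to keep alongside the downloaded file. As an added example, not part of Maltrieve or of the original post, here is a parser that turns that log output into structured records and a few counts. The sample lines are copied from the run above; the field labels it splits on are the ones that appear in that output, and the handling of the "Host: -" case (where the feed put the kit URL in the IP field) is my own choice.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the Maltrieve run above.
# Two feed formats appear there: "Host: ..., IP address: ..., ASN: ...,
# Country: ..., Description: ..." and "URL: ..., IP Address: ..., Country: ...,
# ASN: ..., MD5: ...". Lines that are not descriptions carry no indicator.
SAMPLE_LOG = """\
2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory
2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63
"""

LINE_RE = re.compile(r'^\S+ \S+ -?\d+ Parsing description (?P<body>.*)$')
# Split on ", Label: " rather than on bare commas, so commas inside URLs or
# descriptions do not break the fields apart.
FIELD_RE = re.compile(r'(?:^|, )(Host|URL|IP [Aa]ddress|ASN|Country|Description|MD5): ')
IPV4_RE = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def parse_description(body):
    """Turn 'Host: x, IP address: y, ...' into {'host': 'x', 'ip_address': 'y', ...}."""
    parts = FIELD_RE.split(body)          # ['', 'Host', 'x', 'IP address', 'y', ...]
    if len(parts) < 3 or parts[0]:
        return None
    return {label.lower().replace(' ', '_'): value.strip()
            for label, value in zip(parts[1::2], parts[2::2])}


def normalize(fields):
    """Map either feed format onto one record shape."""
    url = fields.get('url') or fields.get('host')
    ip = fields.get('ip_address', '')
    # Edge case present in the run above: Host is '-' and the kit URL is
    # carried in the IP field (raw-IP hosting). Keep both the URL and bare IP.
    if url in (None, '-') and '/' in ip:
        url, ip = ip, ip.split('/', 1)[0]
    asn = fields.get('asn', '')
    return {
        'url': url,
        'ip': ip if IPV4_RE.match(ip) else None,
        'asn': int(asn) if asn.isdigit() else None,
        'country': fields.get('country'),
        'description': fields.get('description'),
        'md5': fields.get('md5'),
    }


def parse_log(text):
    """Extract one indicator record per 'Parsing description' line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # "Using ...", "Fetched URL ..." etc.
        fields = parse_description(m.group('body'))
        if fields:
            records.append(normalize(fields))
    return records


def summarize(records):
    """Quick counts that help decide which samples to look at first."""
    return {
        'total': len(records),
        'by_country': Counter(r['country'] for r in records),
        'by_asn': Counter(r['asn'] for r in records),
        'blackhole': sum(1 for r in records
                         if r['description'] and 'Blackhole' in r['description']),
    }


if __name__ == '__main__':
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print('%-15s AS%-6s %-2s %s' % (r['ip'], r['asn'], r['country'], r['url']))
    print(summarize(recs))
```

Feed it the captured stdout of a real run instead of SAMPLE_LOG and you have an indicator list that pairs with the files in /tmp/malware; the by_asn count is a cheap way to spot hosting that keeps showing up across days.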


So, with Maltrieve done and a bunch of samples downloaded, it is time to see the power of MASTIFF.

MASTIFF is an automated static analysis framework created by Tyler Hudak (@SecShoggath) and funded by DARPA's Cyber Fast Track program. Too bad Cyber Fast Track is going away; there are so many awesome projects coming out of it right now.

MASTIFF analyzes a file to determine its type (PDF, ZIP, PE32 and so on) and, based on that type, runs the appropriate static analysis tools against the sample. The output of each tool is organized into a per-sample directory, and key information also goes into a SQLite database.

Some of the benefits of this framework are:

  • Easily extensible: It is built to be very modular, so adding functionality is easy.
  • Consistent: When you have a team of analysts working on malware it is important that everyone speaks the same language. MASTIFF gives the whole team a consistent, standard approach to static analysis.
  • Quick: Manual static analysis can take a long time. With MASTIFF I can run through hundreds of samples in minutes.
  • Documented: Because it was a DARPA-funded program, the creator had to make sure the framework was well documented. The documentation goes beyond the usual installation and usage notes and covers workflow and methodology.

I do not cover installation in the video, as it would take too long and be very boring, but I will mention that installation is relatively easy. The only real pain is making sure you have all of the third-party tools installed. The PDF inside the MASTIFF archive has great documentation to get you up and running. Once the dependencies and MASTIFF are installed, make sure you edit mastiff.conf so that the paths point to where you installed the third-party tools; a wrong path shows up as an [ERROR] line from that plug-in in the run output, which is exactly what the yara error further down this post is.

With the config in place and MASTIFF installed, you are ready to start analyzing malware. Running mas.py with no arguments shows the usage:

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ mas.py 
Usage: mas.py [options] FILE

Options:
  -c CONFIG_FILE, --conf=CONFIG_FILE
                        Use an alternate config file. The default is
                        './mastiff.conf'.
  -h, --help            Show the help message and exit.
  -l PLUGIN_TYPE, --list=PLUGIN_TYPE
                        List all available plug-ins of the specified type and
                        exit. Type must be one of 'analysis' or 'cat'.
  -o OVERRIDE, --option=OVERRIDE
                        Override a config file option. Configuration options
                        should be specified as 'Section.Key=Value' and should
                        be quoted if any whitespace is present. Multiple
                        overrides can be specified by using multiple '-o'
                        options.
  -p PLUGIN_NAME, --plugin=PLUGIN_NAME
                        Only run the specified analysis plug-in. Name must be
                        quoted if it contains whitespace.
  -q, --quiet           Only log errors.
  -t FTYPE, --type=FTYPE
                        Force file to be analyzed with plug-ins from the
                        specified category (e.g., EXE, PDF, etc.). Run with
                        '-l cat' to list all available category plug-ins.
  -V, --verbose         Print verbose logs.
  -v, --version         Show program's version number and exit.

To run MASTIFF against a single file, simply run sudo mas.py followed by the file name:

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo mas.py /tmp/malware/86658467c74b39210de96111ee6f66d5 
[2013-02-23 21:47:40,945] [INFO] [Mastiff] : Starting analysis on /tmp/malware/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:40,954] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/86658467c74b39210de96111ee6f66d5.
[2013-02-23 21:47:40,955] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:41,084] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 21:47:41,176] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 21:47:41,326] [INFO] [Mastiff.Plugins.Digital Signatures] : Signature extracted.
[2013-02-23 21:47:41,347] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 21:47:41,413] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 21:47:41,506] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 21:47:41,507] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 21:47:41,544] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 21:47:41,545] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 21:47:41,624] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 21:47:41,625] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 21:47:41,644] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 21:47:41,645] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/86658467c74b39210de96111ee6f66d5.

Navigate to the directory you set as the log directory in mastiff.conf to see the results:

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ ls -l
total 424
-rw-r--r-- 1 root root 267312 Feb 23 21:47 86658467c74b39210de96111ee6f66d5.VIR
-rw-r--r-- 1 root root    137 Feb 23 21:47 fuzzy.txt
-rw-r--r-- 1 root root   3440 Feb 23 21:47 mastiff.log
-rw-r--r-- 1 root root   1024 Feb 23 21:47 mastiff-run.config
-rw-r--r-- 1 root root  42100 Feb 23 21:47 peinfo-full.txt
-rw-r--r-- 1 root root  13317 Feb 23 21:47 peinfo-quick.txt
drwxr-xr-x 2 root root   4096 Feb 23 21:47 resources
-rw-r--r-- 1 root root   1332 Feb 23 21:47 resources.txt
-rw-r--r-- 1 root root   7704 Feb 23 21:47 sig.der
-rw-r--r-- 1 root root  27152 Feb 23 21:47 sig.txt
-rw-r--r-- 1 root root  42606 Feb 23 21:47 strings.txt

Nice, it looks like we pulled certificate info, since sig.der and sig.txt are there (the extracted signature and its decoded form). To give you an example of the type of data you get, here is a cat of peinfo-quick.txt. One caveat before you read the Flags column: every IMAGE_SCN_ALIGN_* constant shows up on every section. That is a quirk of how the flags were decoded, not a property of the binary. The alignment constants are values of a 4-bit field inside Characteristics, not independent bits, and testing each of them with a bitwise AND lights every constant that shares a bit with the real value. Here the real value is IMAGE_SCN_ALIGN_4BYTES, which is why ALIGN_8BYTES, ALIGN_128BYTES and ALIGN_2048BYTES are the only ones missing. The parts worth reading are the section names and entropy, the version info and the imports. The .ndata section together with installer-style imports such as SHFileOperationA, RegCreateKeyExA, CreateProcessA and ExitWindowsEx is typical of an NSIS installer stub, which fits the 3d-world-map version info, so keep in mind that these imports describe the installer, not whatever it drops.

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ cat peinfo-quick.txt 
PE Header Information
Quick Info:
TimeDateStamp: Tue Aug 30 15:46:24 2011
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Number of Sections: 7

Section Name    Entropy  Flags
-----------------------------------------------------------------
.text           5.96     IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.data           1.1803   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rdata          5.309    IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.bss            0.0      IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.idata          5.2371   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.ndata          0.0      IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rsrc           5.8707   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

Parser Warnings:

File Information:
LegalCopyright      : (c) 2010 (2013-02-05 11:20)
ProductName         : 3d-world-map
FileVersion         : 2.2.0.0
FileDescription     : 3d-world-map
Translation         : 0x0000 0x04e4

Imports:
DLL                 API                           Address
----------------------------------------------------------------------
ADVAPI32.DLL        RegCloseKey                   0x428340
ADVAPI32.DLL        RegCreateKeyExA               0x428344
ADVAPI32.DLL        RegDeleteKeyA                 0x428348
ADVAPI32.DLL        RegDeleteValueA               0x42834c
ADVAPI32.DLL        RegEnumKeyA                   0x428350
ADVAPI32.DLL        RegEnumValueA                 0x428354
ADVAPI32.DLL        RegOpenKeyExA                 0x428358
ADVAPI32.DLL        RegQueryValueExA              0x42835c
ADVAPI32.DLL        RegSetValueExA                0x428360
COMCTL32.DLL        ImageList_AddMasked           0x428368
COMCTL32.DLL        ImageList_Create              0x42836c
COMCTL32.DLL        ImageList_Destroy             0x428370
COMCTL32.DLL        InitCommonControls            0x428374
GDI32.dll           CreateBrushIndirect           0x42837c
GDI32.dll           CreateFontIndirectA           0x428380
GDI32.dll           DeleteObject                  0x428384
GDI32.dll           GetDeviceCaps                 0x428388
GDI32.dll           SelectObject                  0x42838c
GDI32.dll           SetBkColor                    0x428390
GDI32.dll           SetBkMode                     0x428394
GDI32.dll           SetTextColor                  0x428398
KERNEL32.dll        CloseHandle                   0x4283a0
KERNEL32.dll        CompareFileTime               0x4283a4
KERNEL32.dll        CopyFileA                     0x4283a8
KERNEL32.dll        CreateDirectoryA              0x4283ac
KERNEL32.dll        CreateFileA                   0x4283b0
KERNEL32.dll        CreateProcessA                0x4283b4
KERNEL32.dll        CreateThread                  0x4283b8
KERNEL32.dll        DeleteFileA                   0x4283bc
KERNEL32.dll        ExitProcess                   0x4283c0
KERNEL32.dll        ExpandEnvironmentStringsA     0x4283c4
KERNEL32.dll        FindClose                     0x4283c8
KERNEL32.dll        FindFirstFileA                0x4283cc
KERNEL32.dll        FindNextFileA                 0x4283d0
KERNEL32.dll        FreeLibrary                   0x4283d4
KERNEL32.dll        GetCommandLineA               0x4283d8
KERNEL32.dll        GetCurrentProcess             0x4283dc
KERNEL32.dll        GetDiskFreeSpaceA             0x4283e0
KERNEL32.dll        GetExitCodeProcess            0x4283e4
KERNEL32.dll        GetFileAttributesA            0x4283e8
KERNEL32.dll        GetFileSize                   0x4283ec
KERNEL32.dll        GetFullPathNameA              0x4283f0
KERNEL32.dll        GetLastError                  0x4283f4
KERNEL32.dll        GetModuleFileNameA            0x4283f8
KERNEL32.dll        GetModuleHandleA              0x4283fc
KERNEL32.dll        GetPrivateProfileStringA      0x428400
KERNEL32.dll        GetProcAddress                0x428404
KERNEL32.dll        GetShortPathNameA             0x428408
KERNEL32.dll        GetSystemDirectoryA           0x42840c
KERNEL32.dll        GetTempFileNameA              0x428410
KERNEL32.dll        GetTempPathA                  0x428414
KERNEL32.dll        GetTickCount                  0x428418
KERNEL32.dll        GetVersion                    0x42841c
KERNEL32.dll        GetWindowsDirectoryA          0x428420
KERNEL32.dll        GlobalAlloc                   0x428424
KERNEL32.dll        GlobalFree                    0x428428
KERNEL32.dll        GlobalLock                    0x42842c
KERNEL32.dll        GlobalUnlock                  0x428430
KERNEL32.dll        LoadLibraryA                  0x428434
KERNEL32.dll        LoadLibraryExA                0x428438
KERNEL32.dll        MoveFileA                     0x42843c
KERNEL32.dll        MulDiv                        0x428440
KERNEL32.dll        MultiByteToWideChar           0x428444
KERNEL32.dll        ReadFile                      0x428448
KERNEL32.dll        RemoveDirectoryA              0x42844c
KERNEL32.dll        SearchPathA                   0x428450
KERNEL32.dll        SetCurrentDirectoryA          0x428454
KERNEL32.dll        SetErrorMode                  0x428458
KERNEL32.dll        SetFileAttributesA            0x42845c
KERNEL32.dll        SetFilePointer                0x428460
KERNEL32.dll        SetFileTime                   0x428464
KERNEL32.dll        Sleep                         0x428468
KERNEL32.dll        WaitForSingleObject           0x42846c
KERNEL32.dll        WriteFile                     0x428470
KERNEL32.dll        WritePrivateProfileStringA    0x428474
KERNEL32.dll        lstrcatA                      0x428478
KERNEL32.dll        lstrcmpA                      0x42847c
KERNEL32.dll        lstrcmpiA                     0x428480
KERNEL32.dll        lstrcpynA                     0x428484
KERNEL32.dll        lstrlenA                      0x428488
OLE32.dll           CoCreateInstance              0x428490
OLE32.dll           CoTaskMemFree                 0x428494
OLE32.dll           OleInitialize                 0x428498
OLE32.dll           OleUninitialize               0x42849c
SHELL32.DLL         SHBrowseForFolderA            0x4284a4
SHELL32.DLL         SHFileOperationA              0x4284a8
SHELL32.DLL         SHGetFileInfoA                0x4284ac
SHELL32.DLL         SHGetPathFromIDListA          0x4284b0
SHELL32.DLL         SHGetSpecialFolderLocation    0x4284b4
SHELL32.DLL         ShellExecuteA                 0x4284b8
USER32.dll          AppendMenuA                   0x4284c0
USER32.dll          BeginPaint                    0x4284c4
USER32.dll          CallWindowProcA               0x4284c8
USER32.dll          CharNextA                     0x4284cc
USER32.dll          CharPrevA                     0x4284d0
USER32.dll          CheckDlgButton                0x4284d4
USER32.dll          CloseClipboard                0x4284d8
USER32.dll          CreateDialogParamA            0x4284dc
USER32.dll          CreatePopupMenu               0x4284e0
USER32.dll          CreateWindowExA               0x4284e4
USER32.dll          DefWindowProcA                0x4284e8
USER32.dll          DestroyWindow                 0x4284ec
USER32.dll          DialogBoxParamA               0x4284f0
USER32.dll          DispatchMessageA              0x4284f4
USER32.dll          DrawTextA                     0x4284f8
USER32.dll          EmptyClipboard                0x4284fc
USER32.dll          EnableMenuItem                0x428500
USER32.dll          EnableWindow                  0x428504
USER32.dll          EndDialog                     0x428508
USER32.dll          EndPaint                      0x42850c
USER32.dll          ExitWindowsEx                 0x428510
USER32.dll          FillRect                      0x428514
USER32.dll          FindWindowExA                 0x428518
USER32.dll          GetClassInfoA                 0x42851c
USER32.dll          GetClientRect                 0x428520
USER32.dll          GetDC                         0x428524
USER32.dll          GetDlgItem                    0x428528
USER32.dll          GetDlgItemTextA               0x42852c
USER32.dll          GetMessagePos                 0x428530
USER32.dll          GetSysColor                   0x428534
USER32.dll          GetSystemMenu                 0x428538
USER32.dll          GetSystemMetrics              0x42853c
USER32.dll          GetWindowLongA                0x428540
USER32.dll          GetWindowRect                 0x428544
USER32.dll          InvalidateRect                0x428548
USER32.dll          IsWindow                      0x42854c
USER32.dll          IsWindowEnabled               0x428550
USER32.dll          IsWindowVisible               0x428554
USER32.dll          LoadBitmapA                   0x428558
USER32.dll          LoadCursorA                   0x42855c
USER32.dll          LoadImageA                    0x428560
USER32.dll          MessageBoxIndirectA           0x428564
USER32.dll          OpenClipboard                 0x428568
USER32.dll          PeekMessageA                  0x42856c
USER32.dll          PostQuitMessage               0x428570
USER32.dll          RegisterClassA                0x428574
USER32.dll          ScreenToClient                0x428578
USER32.dll          SendMessageA                  0x42857c
USER32.dll          SendMessageTimeoutA           0x428580
USER32.dll          SetClassLongA                 0x428584
USER32.dll          SetClipboardData              0x428588
USER32.dll          SetCursor                     0x42858c
USER32.dll          SetDlgItemTextA               0x428590
USER32.dll          SetForegroundWindow           0x428594
USER32.dll          SetTimer                      0x428598
USER32.dll          SetWindowLongA                0x42859c
USER32.dll          SetWindowPos                  0x4285a0
USER32.dll          SetWindowTextA                0x4285a4
USER32.dll          ShowWindow                    0x4285a8
USER32.dll          SystemParametersInfoA         0x4285ac
USER32.dll          TrackPopupMenu                0x4285b0
USER32.dll          wsprintfA                     0x4285b4
VERSION.dll         GetFileVersionInfoA           0x4285bc
VERSION.dll         GetFileVersionInfoSizeA       0x4285c0
VERSION.dll         VerQueryValueA                0x4285c4
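As an added example (not code from MASTIFF, pefile or the post), here is a stand-alone section-table parser that produces the three columns of the quick view (name, entropy, flags) and shows where the flag explosion above comes from. It decodes the alignment nibble by value and, for comparison, the bit-by-bit way that yields the list above, so you can see the 15 names per section reproduced. The PE it parses is constructed in the script (headers plus a little section data, no real code) so that it runs offline; the TimeDateStamp is set to the one shown above, and the section names and flag combinations are my own choices.

```python
import calendar
import math
import struct
import time
from collections import Counter

# Section Characteristics bits from winnt.h. The IMAGE_SCN_ALIGN_* values are
# not independent bits: they are a 4-bit field (bits 20-23) holding 1..14.
IMAGE_SCN_CNT_CODE               = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA   = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_ALIGN_MASK             = 0x00F00000
IMAGE_SCN_MEM_EXECUTE            = 0x20000000
IMAGE_SCN_MEM_READ               = 0x40000000
IMAGE_SCN_MEM_WRITE              = 0x80000000

BIT_FLAGS = {
    'IMAGE_SCN_CNT_CODE': IMAGE_SCN_CNT_CODE,
    'IMAGE_SCN_CNT_INITIALIZED_DATA': IMAGE_SCN_CNT_INITIALIZED_DATA,
    'IMAGE_SCN_CNT_UNINITIALIZED_DATA': IMAGE_SCN_CNT_UNINITIALIZED_DATA,
    'IMAGE_SCN_MEM_EXECUTE': IMAGE_SCN_MEM_EXECUTE,
    'IMAGE_SCN_MEM_READ': IMAGE_SCN_MEM_READ,
    'IMAGE_SCN_MEM_WRITE': IMAGE_SCN_MEM_WRITE,
}
# IMAGE_SCN_ALIGN_1BYTES = 0x00100000 ... IMAGE_SCN_ALIGN_8192BYTES = 0x00E00000
ALIGN_FLAGS = {'IMAGE_SCN_ALIGN_%dBYTES' % (1 << (n - 1)): n << 20 for n in range(1, 15)}
IMAGE_SCN_ALIGN_4BYTES = ALIGN_FLAGS['IMAGE_SCN_ALIGN_4BYTES']   # 0x00300000


def decode_flags(characteristics):
    """Correct decoding: real bit flags by AND, the alignment field by equality."""
    names = [n for n, v in BIT_FLAGS.items() if characteristics & v]
    align = characteristics & IMAGE_SCN_ALIGN_MASK
    names += [n for n, v in ALIGN_FLAGS.items() if v == align]
    return sorted(names)


def decode_flags_naive(characteristics):
    """What the quick view above did: AND every constant, alignment ones included,
    so ALIGN_4BYTES (0x3 << 20) also lights 1, 2, 16, 32, 64, 256, ... and MASK."""
    every = dict(BIT_FLAGS, IMAGE_SCN_ALIGN_MASK=IMAGE_SCN_ALIGN_MASK, **ALIGN_FLAGS)
    return sorted(n for n, v in every.items() if characteristics & v)


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b'MZ':
        raise ValueError('not an MZ executable')
    e_lfanew = struct.unpack_from('<I', pe, 60)[0]
    if pe[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('PE signature not found')
    nsect, timestamp, _, _, opt_size = struct.unpack_from('<HIIIH', pe, e_lfanew + 6)
    off = e_lfanew + 24 + opt_size                 # first IMAGE_SECTION_HEADER
    rows = []
    for _ in range(nsect):
        name, _vsize, _vaddr, rsize, rptr, _, _, _, _, flags = \
            struct.unpack_from('<8sIIIIIIHHI', pe, off)
        raw = pe[rptr:rptr + rsize] if rptr else b''    # .bss-style sections have no raw data
        rows.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                     'entropy': round(entropy(raw), 4),
                     'flags': decode_flags(flags),
                     'naive_flags': decode_flags_naive(flags)})
        off += 40
    return timestamp, rows


def format_timestamp(ts):
    """TimeDateStamp is seconds since the epoch (UTC); same layout as the quick view."""
    return time.strftime('%a %b %d %H:%M:%S %Y', time.gmtime(ts))


def build_sample_pe(sections, timestamp):
    """Constructed, header-only PE32 for the demo: DOS header, 'PE\\0\\0', COFF
    header, a zeroed 224-byte optional header, section headers, then raw data."""
    opt_size = 224
    raw_ptr = 64 + 4 + 20 + opt_size + 40 * len(sections)
    hdrs, raw = b'', b''
    for name, flags, data in sections:
        hdrs += struct.pack('<8sIIIIIIHHI', name.ljust(8, b'\0'), len(data), 0x1000,
                            len(data), raw_ptr if data else 0, 0, 0, 0, 0, flags)
        raw_ptr += len(data)
        raw += data
    dos = b'MZ' + b'\0' * 58 + struct.pack('<I', 64)
    coff = struct.pack('<HHIIIHH', 0x14c, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack('<H', 0x10b) + b'\0' * (opt_size - 2)
    return dos + b'PE\0\0' + coff + opt + hdrs + raw


SAMPLE_TIMESTAMP = calendar.timegm((2011, 8, 30, 15, 46, 24, 0, 0, 0))
SAMPLE_PE = build_sample_pe([
    (b'.text', IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_ALIGN_4BYTES, bytes(range(256))),
    (b'.data', IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_ALIGN_4BYTES, b'\0' * 512),
    (b'.bss', IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_ALIGN_4BYTES, b''),
], SAMPLE_TIMESTAMP)

if __name__ == '__main__':
    ts, rows = parse_sections(SAMPLE_PE)
    print('TimeDateStamp:', format_timestamp(ts))
    for r in rows:
        print('%-8s %-7s %s' % (r['name'], r['entropy'], ', '.join(r['flags'])))
        print('%-8s naive decoding lists %d flags' % ('', len(r['naive_flags'])))
```

Swap SAMPLE_PE for the bytes of a real file and parse_sections() gives you the same name/entropy/flags table as peinfo-quick.txt, with one alignment entry per section instead of twelve. Entropy near 8.0 on a section that is supposed to be code is the usual packed-or-encrypted hint; the .data section above is all zeros, which is why it scores 0.0 like .bss.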

MASTIFF does not currently have a native way to scan multiple files at once. That is on the horizon for the project, but it is not a problem for us, since we can script it in a few lines. Of course you can always use mine.

#!/usr/bin/python

import os
import subprocess

# MASTIFF Autorun
# @TekDefense
# www.TekDefense.com
# Quick script to autorun samples from maltrieve to MASTIFF

malwarePath = '/tmp/malware/'

for r, d, f in os.walk(malwarePath):
    for name in f:
        # os.walk recurses, so build the path from the directory it is in (r)
        malware = os.path.join(r, name)
        print(malware)
        # Pass the path as an argument list, not a shell string, so a sample
        # name containing shell metacharacters is never interpreted by a shell
        subprocess.call(['mas.py', malware])

Simply change the directory in the script to point to where you have the samples and run it. Also be sure to keep this script in the same directory as mas.py and run it from there, because mas.py reads ./mastiff.conf from the current directory by default (see the -c option in the usage above).

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo python autoRunMas.py 
/tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,296] [INFO] [Mastiff] : Starting analysis on /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,318] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
[2013-02-23 22:00:55,326] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,494] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:55,518] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:55,519] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:55,682] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:55,838] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:55,839] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:55,874] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:55,875] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:55,995] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:55,996] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:55,996] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,010] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,011] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,011] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
/tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,257] [INFO] [Mastiff] : Starting analysis on /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,259] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
[2013-02-23 22:00:56,268] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,375] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:56,408] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:56,409] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:56,471] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:56,472] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:56,546] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:56,596] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:56,600] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:56,614] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:56,615] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:56,673] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:56,674] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:56,675] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,697] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,698] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,698] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
/tmp/malware/a544ffb08f6177f6382df6101f78bfdc

Now that you have run analysis against a bunch of samples, you can go through the results by hand or open up the SQLite database to pull some statistics.
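Once a batch has run, the per-sample directories under the log path are the quickest thing to mine before opening the database. As an added example, not MASTIFF's own tooling, the script below walks a directory laid out like /work/log above, marks each sample as signed or not from the presence of sig.der, recovers the file categories from mastiff.log and tallies ERROR lines per plug-in using the bracketed log format shown in the runs. It builds a throwaway two-sample tree in a temp directory so it runs offline; the directory and file names follow the ls -l listing above, and the log lines in the fixture are copied from the runs.

```python
import os
import re
import tempfile
from collections import Counter

# Log line shape from mastiff.log and the console runs above, e.g.
# [2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
LOG_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \[(?P<level>[A-Z]+)\] \[(?P<src>[^\]]+)\] : (?P<msg>.*)$')
CATS_RE = re.compile(r"File categories are \[(.*)\]")


def parse_mastiff_log(text):
    """One dict per well-formed log line; anything else (tracebacks) is skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def triage_sample(sample_dir):
    """Summarise one per-sample directory from the layout listed by ls -l above."""
    files = set(os.listdir(sample_dir))
    entries = []
    if 'mastiff.log' in files:
        with open(os.path.join(sample_dir, 'mastiff.log'), encoding='utf-8', errors='replace') as fh:
            entries = parse_mastiff_log(fh.read())
    categories = None
    for e in entries:
        m = CATS_RE.search(e['msg'])
        if m:
            categories = [c.strip().strip("'") for c in m.group(1).split(',')]
    return {
        'sample': os.path.basename(sample_dir),
        'signed': 'sig.der' in files,          # Digital Signatures plug-in extracted a blob
        'categories': categories,
        'errors': [(e['src'], e['msg']) for e in entries if e['level'] == 'ERROR'],
    }


def triage_log_dir(log_dir):
    """Walk every sample directory and roll the per-sample results up."""
    results = [triage_sample(os.path.join(log_dir, d))
               for d in sorted(os.listdir(log_dir))
               if os.path.isdir(os.path.join(log_dir, d))]
    summary = {
        'samples': len(results),
        'signed': sum(1 for r in results if r['signed']),
        # A plug-in that fails on every sample is a setup problem (missing API
        # key, wrong path in mastiff.conf), not something about the malware.
        'errors_by_plugin': Counter(src for r in results for src, _ in r['errors']),
        'categories': Counter(tuple(r['categories'] or ()) for r in results),
    }
    return results, summary


# Constructed fixture: log lines copied from the runs above.
SAMPLE_LOG = """\
[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
"""


def build_sample_tree(root):
    """Constructed fixture: two sample directories named by MD5 as above, one
    with a sig.der, both with the same two plug-in errors the runs above show."""
    for md5, signed in (('86658467c74b39210de96111ee6f66d5', True),
                        ('dd1f966ee8f22e6a45a90bb112454e2e', False)):
        d = os.path.join(root, md5)
        os.makedirs(d)
        with open(os.path.join(d, 'mastiff.log'), 'w') as fh:
            fh.write(SAMPLE_LOG)
        open(os.path.join(d, 'strings.txt'), 'w').close()
        if signed:
            open(os.path.join(d, 'sig.der'), 'wb').close()
    return root


def demo():
    """Build the fixture in a temp dir and triage it (point triage_log_dir at /work/log for real runs)."""
    return triage_log_dir(build_sample_tree(tempfile.mkdtemp(prefix='mastiff-log-')))


if __name__ == '__main__':
    results, summary = demo()
    for r in results:
        print('%s signed=%s cats=%s errors=%d' % (r['sample'], r['signed'], r['categories'], len(r['errors'])))
    print(summary)
```

Point triage_log_dir() at your real log directory to use it. Two things fall out immediately: which samples carried a signature (those are the ones to pull the certificate out of sig.txt for and compare across samples), and which plug-ins failed on every sample, which in the runs above is VirusTotal and yara and means an API key and a path in mastiff.conf still need fixing.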


As you can probably tell by now, I am really enjoying MASTIFF; in fact I am looking for any excuse to run it daily. Last week I was given a perfect event to apply MASTIFF to, and that was Mandiant's report on APT1. VirusShare (@VXShare) was able to quickly compile a bunch of the samples, which a lot of folks started playing around with. I decided to run 20 or so of the samples through MASTIFF. If you would like to download those results you can get them in the download section.

I mentioned in the video that I was getting an error when running MASTIFF. I am not sure exactly what is generating the error yet, as I have checked that all the appropriate imports are in place. Once I figure it out I'll let you guys know what is going on. The error is below:

[2013-02-23 21:47:40,904] [ERROR] [yapsy] : Unable to import plugin: /opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Yapsy-1.10.1_pythons2n3-py2.7.egg/yapsy/PluginManager.py", line 486, in loadPlugins
    candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))
  File "/opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring.py", line 52, in <module>
    from distorm3 import Decode, Decode32Bits
  File "/usr/local/lib/python2.7/dist-packages/distorm3-3-py2.7.egg/distorm3/__init__.py", line 47, in <module>
    raise ImportError("Error loading the diStorm dynamic library (or cannot load library into process).")
ImportError: Error loading the diStorm dynamic library (or cannot load library into process).

MASTIFF seems to be running fine even with the error though.

Look for MASTIFF to be in the next release of HoneyDrive.  Thanks @ikoniaris!
