TekDefense

Entries in MASTIFF (3)

Sunday

Mar102013

Installing MASTIFF

Sunday, March 10, 2013 at 2:09PM

So we have talked about using SecShoggoth 's MASTIFF (here, here, and here), but haven't really gone through the installation. Here goes...

I am assuming a base installation of Ubuntu 12.10 (because its easy and you can run it free on AWS). The first thing that we should do is update the base OS and install ssh for remote management.

sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y; sudo apt-get autoremove -y; sudo apt-get install openssh-server -y; sudo shutdown -r now later

Once that is back online we will begin installing the necessary packages for MASTIFF. I am running through the dependencies as they are introduced in the documentation. First lets get the python dependencies out of the way, as well as an editor (nano is fine...albeit evil)

sudo apt-get install python python-dev python-magic python-sqlite python-setuptools python-pip build-essential vim -y

Install yapsy from pip

sudo pip install yapsy

Now, I tend to pull the majority of my software to /opt out of habit. You do not need to do the same but if you change the location be sure to update to commands below. First I will ensure that the user and group that I am currently using have access to /opt so I can write to that directory.

sudo chown -R `whoami`:`groups | awk '{print $1}'` /opt

Install TrID, download and run the TrID database updater.

cd /opt

mkdir /opt/trid

cd /opt/trid

wget wget http://mark0.net/download/trid_linux.zip

unzip trid_linux.zip

rm -f unzip trid_linux.zip

chmod +x trid

wget http://goo.gl/RQXV8

unzip RQXV8

rm -f RQXV8

chmod +x tridupdate.py

python tridupdate.py

*Note* if you are running this on a 64 bit machine you will need to install ia32-libs

sudo aptitude install ia32-libs

Next we will pull the dependencies down for ssdeep and pyssdeep and then install those packages

sudo apt-get install subversion libpcre3 libpcre3-dev libpcre++-dev -y

cd /opt/

wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.9/ssdeep-2.9.tar.gz

tar -xvzf ssdeep-2.9.tar.gz

rm -f ssdeep-2.9.tar.gz

mv ssdeep-2.9 ssdeep

cd /opt/ssdeep

./configure

make

sudo make install

sudo ldconfig

svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep

cd /opt/ssdeep/pyssdeep

python setup.py build

sudo python setup.py install

Next up is automake and yara:

sudo apt-get install automake -y

cd /opt

svn checkout http://yara-project.googlecode.com/svn/trunk/ yara

cd /opt/yara

sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12

./configure

make

sudo make install

cd yara-python

python setup.py build

sudo python setup.py install

Now install simplejson from soure (NOT the APT repo)

sudo apt-get install git -y

cd /opt

git clone https://github.com/simplejson/simplejson simplejson

cd /opt/simplejson

python setup.py build

sudo python setup.py build install

Pull down Didier Stevens awesome pdf tools

mkdir /opt/pdftools

cd /opt/pdftools

wget http://didierstevens.com/files/software/pdf-parser_V0_3_9.zip

unzip pdf-parser_V0_3_9.zip

rm -f pdf-parser_V0_3_9.zip

chmod +x pdf-parser.py

wget http://didierstevens.com/files/software/pdfid_v0_0_12.zip

unzip pdfid_v0_0_12.zip

rm -f pdfid_v0_0_12.zip

chmod +x pdfid.py

Exiftool

cd /opt

wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.22.tar.gz

tar -xvzf Image-ExifTool-9.22.tar.gz

rm Image-ExifTool-9.22.tar.gz

mv Image-ExifTool-9.22 exiftool

PE-File (again NOT from the apt repo)

cd /opt

svn checkout http://pefile.googlecode.com/svn/trunk/ pefile

cd /opt/pefile

python setup.py build

sudo python setup.py build install

Disitool

mkdir /opt/disitool

cd /opt/disitool

wget http://www.didierstevens.com/files/software/disitool_v0_3.zip

unzip disitool_v0_3.zip

rm disitool_v0_3.zip

Openssl

sudo apt-get install openssl -y

pyOLEScanner

mkdir /opt/pyOLEScanner

cd /opt/pyOLEScanner

wget https://github.com/Evilcry/PythonScripts/raw/master/pyOLEScanner.zip

unzip pyOLEScanner.zip

rm pyOLEScanner.zip

chmod +x pyOLEScanner.py

Distorm

cd /opt

svn checkout http://distorm.googlecode.com/svn/trunk/ distorm

cd /opt/distorm

python setup.py build

sudo python setup.py build install

And finally MASTIFF itself

cd /opt

wget http://downloads.sourceforge.net/project/mastiff/mastiff/0.5.0/mastiff-0.5.0.tar.gz

tar -xvzf mastiff-0.5.0.tar.gz

rm mastiff-0.5.0.tar.gz

mv mastiff-0.5.0/ mastiff

cd /opt/mastiff

sudo make install

Now that MASTIFF is good to go we will want to ensure that the config file is created / edited properly. Ensure that you read through the config file as you will want to add the appropriate VirusTotal API key. Also if you installed the dependencies to different locations now is the time to correct those paths.

mkdir /etc/mastiff

cd /etc/mastiff

cat > /opt/mastiff/mastiff.conf.TEST <<EOF

# This is the configuration file for mastiff.

#

# Comments are preceded by a # or ;

#

[Dir]

# log_dir is the base directory where the logs generated will

# be placed in.

#log_dir = /usr/local/mastiff/log

log_dir = ./work/log

# plugin_dir is a list of directories plugins may be present in.

# should be comma-separated.

plugin_dir = ./plugins, /etc/mastiff

[Misc]

# verbose = [on|off]

verbose = off

[Sqlite]

# Sqlite database options

# db_file = Name of the database file

db_file = mastiff.db

[File ID]

# trid is the location of the TrID binary

# trid_db is the location of the TrID database

#trid = /usr/local/bin/trid

trid = /opt/trid/trid

#trid_db = /usr/local/etc/triddefs.trd

trid_db = /opt/trid/triddefs.trd

[Embedded Strings Plugin]

# Options for the Embedded Strings Plugin.

# strcmd is the path to the strings command

strcmd = /usr/bin/strings

[VirusTotal]

# Options for the VirusTotal Submission Plug-in.

# api_key is your API key from virustotal.com

# - Leave this empty if you wish to disable this plug-in

api_key = GET_YOUR_OWN

# submit [on|off] - submit binary to VirusTotal

submit = off

[pdfid]

# Options to run Didier Stevens pdfid.py script

# pdfid_cmd = Path to the pdfid.py script

# - Leave blank if you want the script disabled.

# pdfid_opts = Options for program.

# - Do not put multiple options in quotes.

# Note: pdfid.py has bugs that may cause errors when examining

# malformed PDFs when using the -e option.

pdfid_cmd = /opt/pdftools/pdfid.py

#pdfid_opts = -e

pdfid_opts =

[pdf-parser]

# Options to run Didier Stevens pdf-parser.py script

# pdf_cmd = Path to pdf-parser.py.

pdf_cmd = /opt/pdftools/pdf-parser.py

[PDF Metadata]

# Options for PDF Metadata script

# exiftool = path to exitfool

exiftool = /opt/exiftool/exiftool

[yara]

# Options for the Yara signature plug-in

# yara_sigs = Base path to Yara signatures. This path will be recursed

# to find additional signatures.

# Leave blank to disable the plug-in.

yara_sigs = /opt/yara

[Digital Signatures]

# Options to extract the digital signatures

#

# disitool - path to disitool.py script.

# openssl - path to openssl binary

disitool = /opt/disitool/disitool.py

openssl = /usr/bin/openssl

[Office Metadata]

# Options for Office Metadata script

# exiftool = path to exitfool

exiftool = /opt/exiftool/exiftool

[Single-Byte Strings]

# options for single-byte string extraction plug-in

# length - Minimum length to extract

length = 3

# raw - print raw characters instead of formatted ones (e.g. \\n vs. \n)

raw = False

[ZipExtract]

# options for Zip archive file extraction plug-in

# enabled: [on|off] - Extract files or not

# password: Password to use for zip file. OK to leave blank.

enabled = on

password = infected

[Office pyOLEScanner]

# olecmd = Path to pyOLEScanner.py

olecmd=/opt/pyOLEScanner/pyOLEScanner.py

EOF

Now testing MASTIFF out is as simple as:

cd /opt/mastiff

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.exe

[2013-03-10 15:11:47,324] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.exe

[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.exe.

[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/c69ffb3057b2077fcaecc99b9f16c7c8

[2013-03-10 15:11:47,417] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'EXE']

[2013-03-10 15:11:47,506] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'EXE'].

[2013-03-10 15:11:47,507] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:11:47,521] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:11:48,722] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-03-10 15:11:48,774] [INFO] [Mastiff.Plugins.Single-Byte Strings] : Starting execution.

[2013-03-10 15:11:48,813] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-03-10 15:11:48,926] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-03-10 15:11:48,975] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-03-10 15:11:48,976] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.exe.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.pdf

[2013-03-10 15:12:36,299] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.pdf

[2013-03-10 15:12:36,299] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.pdf.

[2013-03-10 15:12:36,300] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/3f53a4bf0097f9075ff641b03bb176f5

[2013-03-10 15:12:36,381] [INFO] [Mastiff.DB.Insert] : Adding ['PDF', 'Generic']

[2013-03-10 15:12:36,468] [INFO] [Mastiff.Analysis] : File categories are ['PDF', 'Generic'].

[2013-03-10 15:12:36,469] [INFO] [Mastiff.Plugins.pdf-parser] : Starting execution.

[2013-03-10 15:12:36,470] [INFO] [Mastiff.Plugins.pdf-parser.uncompress] : Uncompressing PDF.

[2013-03-10 15:12:36,563] [INFO] [Mastiff.Plugins.pdf-parser.get_objects] : Extracting interesting objects.

[2013-03-10 15:12:37,532] [INFO] [Mastiff.Plugins.PDF Metadata] : Starting execution.

[2013-03-10 15:12:37,643] [INFO] [Mastiff.Plugins.pdfid] : Starting execution.

[2013-03-10 15:12:37,729] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:12:37,741] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:12:37,819] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:12:37,820] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:12:37,909] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:12:37,910] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:12:38,392] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.pdf.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.doc

[2013-03-10 15:12:53,882] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.doc

[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.doc.

[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/759f7e53f54df03f2ae06fcec25e8ac3

[2013-03-10 15:12:53,973] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'Office', 'ZIP']

[2013-03-10 15:12:54,076] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'Office', 'ZIP'].

[2013-03-10 15:12:54,078] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:12:54,088] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:12:55,239] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:12:55,244] [INFO] [Mastiff.Plugins.Office pyOLEScanner] : Starting execution.

[2013-03-10 15:12:57,497] [INFO] [Mastiff.Plugins.Office Metadata] : Starting execution.

[2013-03-10 15:12:57,681] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.

[2013-03-10 15:12:57,682] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting [Content_Types].xml.

[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting _rels/.rels.

[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/themeManager.xml.

[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/theme1.xml.

[2013-03-10 15:12:57,685] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/_rels/themeManager.xml.rels.

[2013-03-10 15:12:57,685] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.doc.

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.

test.doc test.exe test.pdf test.zip

zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.zip

[2013-03-10 15:13:22,856] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.zip

[2013-03-10 15:13:22,870] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.zip.

[2013-03-10 15:13:22,871] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/033d488bbe65e8aececb2c55bdfbc2fd

[2013-03-10 15:13:23,035] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'ZIP']

[2013-03-10 15:13:23,106] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'ZIP'].

[2013-03-10 15:13:23,107] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-03-10 15:13:23,115] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.

[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-03-10 15:13:23,445] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.

[2013-03-10 15:13:23,446] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.bin.

[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.txt.

[2013-03-10 15:13:23,448] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.zip.

If you did not receive any errors / warnings you should be good to go. Now that MASTIFF is up and running we can download MASTIFF2HTML on Github.

wget https://raw.github.com/1aN0rmus/TekDefense/master/MASTIFF2HTML.py

chmod +x MASTIFF2HTML.py

python MASTIFF2HTML.py -f /opt/mastiff/work/log/ -d mastiff.db

cd /opt/mastiff/work/log/www/

python -m SimpleHTTPServer

Now if you browse to 127.0.0.1:8000/mastiff.html you should be seeing the results for your analysis.

If you run into any issues... please leave a comment so we can address / update as necessary.

Cheers

Joshua Gauthier |

12 Comments |

tagged

Install,

MASTIFF,

Malware,

Malware analysis in

News

Friday

Mar012013

MASTIFF2HTML Demo

Friday, March 1, 2013 at 4:01PM

I have been spending my nights this week working on a script that will generate a web front end for the results that MASTIFF produces. It has been a blast creating so far, but I would really like to hear from the community what suggestions they have for it.

You can download MASTIFF2HTML on Github.

Here is a video demo of what it looks like right now:

And some pics:

Admin |

1 Comment |

tagged

MASTIFF,

Malware analysis,

Static,

python in

News

Friday

Feb222013

Tektip ep23 - MASTIFF with a splash of Maltrieve

Friday, February 22, 2013 at 10:03PM

In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of this episode I wanted to delve into Maltrieve first.

Maltrieve is a fork of MWCrawler which you guys and gals may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell @KyleMaxwell. While it has the same basic function of MWCrawler which is downloading malware from various web resources, it works much faster and has more reliable web resources it pulls from. @KyleMaxwell is working to add thug integration as well.

Once downloaded you run maltrieve without any options, as seen below:

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py

2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory

2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file

2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file

2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file

2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue

2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue

2013-02-23 20:33:03 -1241515200 Fetched URL http://famagatra.ru:8080/forum/links/public_version.php from queue

2013-02-23 20:33:03 -1249907904 Fetched URL http://fzukungda.ru:8080/forum/links/column.php from queue

2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63

2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: 421ae9afed094a1b2ee1977507175dfc

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&gt%2F;&&&&gt%2F;&&&&lt%2F;%2Fbr%2F&&&&lt, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: ddb8eec9f195d191f05c793ca8f23e4f

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=http:%2Fdownload2.microapp.com%2Ftelechargement%2Feval%2F10001_eval.exetitle=compil&&&ampampampampampamp&&&ampampampampampampampamp&&&ampampa, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: cb932f33a7fa52e3e88bba3d5073d26f

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=hxxp:%2Fdownltbr%2Fgtload2.microapp.com%2Ftelechargement%2Feval%2F10275_eval.exeltbr%2Fgttitle=enigmes, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: a1fe3bca05487621dd876af0e8a31408

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=3dhttp:%<br%2F>2fdownlo, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: 7cd588413684f019d52a304f78a6538e

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py 2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue2013-

This will download the malware to a default directory of /tmp/malware

*Make sure this directory exists or change the path in the python script to match what you want

So, with Maltrieve done and a bunch of samples downloaded it is time to see the power of MASTIFF.

MASTIFF is an automated framework for static analysis created by Tyler Hudak @SecShoggath and was funded by the Cyber Fast Track DARPA program. Too bad Cyber Fast track is going away, there are so many awesome projects coming out of it right now.

What MASTIFF will do is it will analyze a file to determine the file type (pdf, zip, PE32) and based on that file type it will run the appropriate static analysis tools against the sample. The output for tools it runs are organized and packaged up with some key information also making its way to a sqllite database.

Some of the benefits of this framework are:

Easily Extensible: Built very modular so adding to the functionality is easy
Consistent: When you have a team of analyst working on malware it is important that everyone speak the same language. MASTIFF gives a consistent standard approach to static analysis.
Quick: Manual static analysis can take a long time. With MASTIFF I can run through hundreds of samples in minutes.
Documented: As a consequence of being a DARPA funded program the creator was forced to ensure that the framework was documented well. The documentation goes beyond the normal installation and usage covering workflow and methodology.

I do not cover installation in the video as it would take to long and be very boring but I will mention that installation is relatively easy. The only real pain is ensuring you have all of the third party tools installed. The pdf inside the archive for MASTIFF has great documentation to get you up and running. Once the dependencies and MASTIFF are installed though ensure that you modify the mastiff.conf file to reference the appropriate paths for where you installed the third party tools.

Now that the config is good and MASTIFF is installed you are ready to start analyzing malware. running mas.py will show you usage.

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ mas.py

Usage: mas.py [options] FILE

Options:

-c CONFIG_FILE, --conf=CONFIG_FILE

Use an alternate config file. The default is

'./mastiff.conf'.

-h, --help Show the help message and exit.

-l PLUGIN_TYPE, --list=PLUGIN_TYPE

List all available plug-ins of the specified type and

exit. Type must be one of 'analysis' or 'cat'.

-o OVERRIDE, --option=OVERRIDE

Override a config file option. Configuration options

should be specified as 'Section.Key=Value' and should

be quoted if any whitespace is present. Multiple

overrides can be specified by using multiple '-o'

options.

-p PLUGIN_NAME, --plugin=PLUGIN_NAME

Only run the specified analysis plug-in. Name must be

quoted if it contains whitespace.

-q, --quiet Only log errors.

-t FTYPE, --type=FTYPE

Force file to be analyzed with plug-ins from the

specified category (e.g., EXE, PDF, etc.). Run with

'-l cat' to list all available category plug-ins.

-V, --verbose Print verbose logs.

-v, --version Show program's version number and exit.

To run mastiff against a single file simply sudo mas.py filename

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo mas.py /tmp/malware/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:40,945] [INFO] [Mastiff] : Starting analysis on /tmp/malware/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:40,954] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/86658467c74b39210de96111ee6f66d5.

[2013-02-23 21:47:40,955] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:41,084] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 21:47:41,176] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 21:47:41,326] [INFO] [Mastiff.Plugins.Digital Signatures] : Signature extracted.

[2013-02-23 21:47:41,347] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 21:47:41,413] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 21:47:41,506] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 21:47:41,507] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 21:47:41,544] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 21:47:41,545] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 21:47:41,624] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 21:47:41,625] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 21:47:41,644] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 21:47:41,645] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/86658467c74b39210de96111ee6f66d5.

Navigate to the directory you have set as the work log in the mastiff.conf to see the results

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ ls -l

total 424

-rw-r--r-- 1 root root 267312 Feb 23 21:47 86658467c74b39210de96111ee6f66d5.VIR

-rw-r--r-- 1 root root 137 Feb 23 21:47 fuzzy.txt

-rw-r--r-- 1 root root 3440 Feb 23 21:47 mastiff.log

-rw-r--r-- 1 root root 1024 Feb 23 21:47 mastiff-run.config

-rw-r--r-- 1 root root 42100 Feb 23 21:47 peinfo-full.txt

-rw-r--r-- 1 root root 13317 Feb 23 21:47 peinfo-quick.txt

drwxr-xr-x 2 root root 4096 Feb 23 21:47 resources

-rw-r--r-- 1 root root 1332 Feb 23 21:47 resources.txt

-rw-r--r-- 1 root root 7704 Feb 23 21:47 sig.der

-rw-r--r-- 1 root root 27152 Feb 23 21:47 sig.txt

-rw-r--r-- 1 root root 42606 Feb 23 21:47 strings.txt

Nice, it looks like we pulled certificate info based on the sig.txt being there. To give you an example of the type of data you get, here is a cat of the peinfo-quick.txt:

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ cat peinfo-quick.txt

PE Header Information

Quick Info:

TimeDateStamp: Tue Aug 30 15:46:24 2011

Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI

Number of Sections: 7

Section Name Entropy Flags

-----------------------------------------------------------------

.text 5.96 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.data 1.1803 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.rdata 5.309 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.bss 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.idata 5.2371 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.ndata 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.rsrc 5.8707 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

Parser Warnings:

File Information:

LegalCopyright : (c) 2010 (2013-02-05 11:20)

ProductName : 3d-world-map

FileVersion : 2.2.0.0

FileDescription : 3d-world-map

Translation : 0x0000 0x04e4

Imports:

DLL API Address

----------------------------------------------------------------------

ADVAPI32.DLL RegCloseKey 0x428340

ADVAPI32.DLL RegCreateKeyExA 0x428344

ADVAPI32.DLL RegDeleteKeyA 0x428348

ADVAPI32.DLL RegDeleteValueA 0x42834c

ADVAPI32.DLL RegEnumKeyA 0x428350

ADVAPI32.DLL RegEnumValueA 0x428354

ADVAPI32.DLL RegOpenKeyExA 0x428358

ADVAPI32.DLL RegQueryValueExA 0x42835c

ADVAPI32.DLL RegSetValueExA 0x428360

COMCTL32.DLL ImageList_AddMasked 0x428368

COMCTL32.DLL ImageList_Create 0x42836c

COMCTL32.DLL ImageList_Destroy 0x428370

COMCTL32.DLL InitCommonControls 0x428374

GDI32.dll CreateBrushIndirect 0x42837c

GDI32.dll CreateFontIndirectA 0x428380

GDI32.dll DeleteObject 0x428384

GDI32.dll GetDeviceCaps 0x428388

GDI32.dll SelectObject 0x42838c

GDI32.dll SetBkColor 0x428390

GDI32.dll SetBkMode 0x428394

GDI32.dll SetTextColor 0x428398

KERNEL32.dll CloseHandle 0x4283a0

KERNEL32.dll CompareFileTime 0x4283a4

KERNEL32.dll CopyFileA 0x4283a8

KERNEL32.dll CreateDirectoryA 0x4283ac

KERNEL32.dll CreateFileA 0x4283b0

KERNEL32.dll CreateProcessA 0x4283b4

KERNEL32.dll CreateThread 0x4283b8

KERNEL32.dll DeleteFileA 0x4283bc

KERNEL32.dll ExitProcess 0x4283c0

KERNEL32.dll ExpandEnvironmentStringsA 0x4283c4

KERNEL32.dll FindClose 0x4283c8

KERNEL32.dll FindFirstFileA 0x4283cc

KERNEL32.dll FindNextFileA 0x4283d0

KERNEL32.dll FreeLibrary 0x4283d4

KERNEL32.dll GetCommandLineA 0x4283d8

KERNEL32.dll GetCurrentProcess 0x4283dc

KERNEL32.dll GetDiskFreeSpaceA 0x4283e0

KERNEL32.dll GetExitCodeProcess 0x4283e4

KERNEL32.dll GetFileAttributesA 0x4283e8

KERNEL32.dll GetFileSize 0x4283ec

KERNEL32.dll GetFullPathNameA 0x4283f0

KERNEL32.dll GetLastError 0x4283f4

KERNEL32.dll GetModuleFileNameA 0x4283f8

KERNEL32.dll GetModuleHandleA 0x4283fc

KERNEL32.dll GetPrivateProfileStringA 0x428400

KERNEL32.dll GetProcAddress 0x428404

KERNEL32.dll GetShortPathNameA 0x428408

KERNEL32.dll GetSystemDirectoryA 0x42840c

KERNEL32.dll GetTempFileNameA 0x428410

KERNEL32.dll GetTempPathA 0x428414

KERNEL32.dll GetTickCount 0x428418

KERNEL32.dll GetVersion 0x42841c

KERNEL32.dll GetWindowsDirectoryA 0x428420

KERNEL32.dll GlobalAlloc 0x428424

KERNEL32.dll GlobalFree 0x428428

KERNEL32.dll GlobalLock 0x42842c

KERNEL32.dll GlobalUnlock 0x428430

KERNEL32.dll LoadLibraryA 0x428434

KERNEL32.dll LoadLibraryExA 0x428438

KERNEL32.dll MoveFileA 0x42843c

KERNEL32.dll MulDiv 0x428440

KERNEL32.dll MultiByteToWideChar 0x428444

KERNEL32.dll ReadFile 0x428448

KERNEL32.dll RemoveDirectoryA 0x42844c

KERNEL32.dll SearchPathA 0x428450

KERNEL32.dll SetCurrentDirectoryA 0x428454

KERNEL32.dll SetErrorMode 0x428458

KERNEL32.dll SetFileAttributesA 0x42845c

KERNEL32.dll SetFilePointer 0x428460

KERNEL32.dll SetFileTime 0x428464

KERNEL32.dll Sleep 0x428468

KERNEL32.dll WaitForSingleObject 0x42846c

KERNEL32.dll WriteFile 0x428470

KERNEL32.dll WritePrivateProfileStringA 0x428474

KERNEL32.dll lstrcatA 0x428478

KERNEL32.dll lstrcmpA 0x42847c

KERNEL32.dll lstrcmpiA 0x428480

KERNEL32.dll lstrcpynA 0x428484

KERNEL32.dll lstrlenA 0x428488

OLE32.dll CoCreateInstance 0x428490

OLE32.dll CoTaskMemFree 0x428494

OLE32.dll OleInitialize 0x428498

OLE32.dll OleUninitialize 0x42849c

SHELL32.DLL SHBrowseForFolderA 0x4284a4

SHELL32.DLL SHFileOperationA 0x4284a8

SHELL32.DLL SHGetFileInfoA 0x4284ac

SHELL32.DLL SHGetPathFromIDListA 0x4284b0

SHELL32.DLL SHGetSpecialFolderLocation 0x4284b4

SHELL32.DLL ShellExecuteA 0x4284b8

USER32.dll AppendMenuA 0x4284c0

USER32.dll BeginPaint 0x4284c4

USER32.dll CallWindowProcA 0x4284c8

USER32.dll CharNextA 0x4284cc

USER32.dll CharPrevA 0x4284d0

USER32.dll CheckDlgButton 0x4284d4

USER32.dll CloseClipboard 0x4284d8

USER32.dll CreateDialogParamA 0x4284dc

USER32.dll CreatePopupMenu 0x4284e0

USER32.dll CreateWindowExA 0x4284e4

USER32.dll DefWindowProcA 0x4284e8

USER32.dll DestroyWindow 0x4284ec

USER32.dll DialogBoxParamA 0x4284f0

USER32.dll DispatchMessageA 0x4284f4

USER32.dll DrawTextA 0x4284f8

USER32.dll EmptyClipboard 0x4284fc

USER32.dll EnableMenuItem 0x428500

USER32.dll EnableWindow 0x428504

USER32.dll EndDialog 0x428508

USER32.dll EndPaint 0x42850c

USER32.dll ExitWindowsEx 0x428510

USER32.dll FillRect 0x428514

USER32.dll FindWindowExA 0x428518

USER32.dll GetClassInfoA 0x42851c

USER32.dll GetClientRect 0x428520

USER32.dll GetDC 0x428524

USER32.dll GetDlgItem 0x428528

USER32.dll GetDlgItemTextA 0x42852c

USER32.dll GetMessagePos 0x428530

USER32.dll GetSysColor 0x428534

USER32.dll GetSystemMenu 0x428538

USER32.dll GetSystemMetrics 0x42853c

USER32.dll GetWindowLongA 0x428540

USER32.dll GetWindowRect 0x428544

USER32.dll InvalidateRect 0x428548

USER32.dll IsWindow 0x42854c

USER32.dll IsWindowEnabled 0x428550

USER32.dll IsWindowVisible 0x428554

USER32.dll LoadBitmapA 0x428558

USER32.dll LoadCursorA 0x42855c

USER32.dll LoadImageA 0x428560

USER32.dll MessageBoxIndirectA 0x428564

USER32.dll OpenClipboard 0x428568

USER32.dll PeekMessageA 0x42856c

USER32.dll PostQuitMessage 0x428570

USER32.dll RegisterClassA 0x428574

USER32.dll ScreenToClient 0x428578

USER32.dll SendMessageA 0x42857c

USER32.dll SendMessageTimeoutA 0x428580

USER32.dll SetClassLongA 0x428584

USER32.dll SetClipboardData 0x428588

USER32.dll SetCursor 0x42858c

USER32.dll SetDlgItemTextA 0x428590

USER32.dll SetForegroundWindow 0x428594

USER32.dll SetTimer 0x428598

USER32.dll SetWindowLongA 0x42859c

USER32.dll SetWindowPos 0x4285a0

USER32.dll SetWindowTextA 0x4285a4

USER32.dll ShowWindow 0x4285a8

USER32.dll SystemParametersInfoA 0x4285ac

USER32.dll TrackPopupMenu 0x4285b0

USER32.dll wsprintfA 0x4285b4

VERSION.dll GetFileVersionInfoA 0x4285bc

VERSION.dll GetFileVersionInfoSizeA 0x4285c0

VERSION.dll VerQueryValueA 0x4285c4

MASTIFF does not currently have a native method to scan multiple files at once. While that is on the horizon for the project that is not a problem for us as we can just script out a quick program to do this. Of course you can always use mine.

#!/usr/bin/python
 
import os
 
# MASTIFF Autorun
# @TekDefense
# www.TekDefense.com
# Quick script to autorun samples from maltrieve to MASTIFF
 
malwarePath = '/tmp/malware/'
 
for r, d, f in os.walk(malwarePath):
  for files in f:
		malware = malwarePath + files
		print malware
		os.system ('mas.py' + ' ' + malware)

Simply change the directory in the script to point to where you have the samples and run the python program. Also be sure to keep this script in the same directory as mas.py.

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo python autoRunMas.py

/tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,296] [INFO] [Mastiff] : Starting analysis on /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,318] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.

[2013-02-23 22:00:55,326] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,494] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 22:00:55,518] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 22:00:55,519] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 22:00:55,682] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 22:00:55,838] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 22:00:55,839] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 22:00:55,874] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 22:00:55,875] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 22:00:55,995] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 22:00:55,996] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 22:00:55,996] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 22:00:56,010] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 22:00:56,011] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 22:00:56,011] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.

/tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,257] [INFO] [Mastiff] : Starting analysis on /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,259] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.

[2013-02-23 22:00:56,268] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,375] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 22:00:56,408] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 22:00:56,409] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 22:00:56,471] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-02-23 22:00:56,472] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 22:00:56,546] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 22:00:56,596] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 22:00:56,600] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 22:00:56,614] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 22:00:56,615] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 22:00:56,673] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 22:00:56,674] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 22:00:56,675] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 22:00:56,697] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 22:00:56,698] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 22:00:56,698] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.

/tmp/malware/a544ffb08f6177f6382df6101f78bfdc

Now that you have performed analysis against a bunch of samples you can analyze the results, or open up the sqllite database to pull some statistics.

As you can probably tell by now, I am really enjoying MASTIFF, in fact I am looking for any excuse to run it daily. Last week I was given a perfect event to apply MASTIFF too and that was Mandiant's report on APT1. VirusShare @VXShare was able to quickly compile a bunch of samples which a lot of folks started playing around with. I decided to run 20 or so of the samples through MASTIFF. If you would like to download those results you can get them in the download section.

I mentioned in the video that I was getting an error when running MASTIFF. I am not sure what is generating the error exactly quite yet, as I have checked that all the appropriate imports are in place. Once I figure it out I'll let you guys know what is going on. The error is below:

[2013-02-23 21:47:40,904] [ERROR] [yapsy] : Unable to import plugin: /opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring

Traceback (most recent call last):

File "/usr/local/lib/python2.7/dist-packages/Yapsy-1.10.1_pythons2n3-py2.7.egg/yapsy/PluginManager.py", line 486, in loadPlugins

candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))

File "/opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring.py", line 52, in <module>

from distorm3 import Decode, Decode32Bits

File "/usr/local/lib/python2.7/dist-packages/distorm3-3-py2.7.egg/distorm3/__init__.py", line 47, in <module>

raise ImportError("Error loading the diStorm dynamic library (or cannot load library into process).")

ImportError: Error loading the diStorm dynamic library (or cannot load library into process).

MASTIFF seems to be running fine even with the error though.

Look for MASTIFF to be in the next release of HoneyDrive. Thanks @ikoniaris!

Admin |

Links

Entries in MASTIFF (3)

Installing MASTIFF

MASTIFF2HTML Demo

Tektip ep23 - MASTIFF with a splash of Maltrieve