Malware
Last updated
AnyRun Per the site, "Analyze a network, file, module, and the registry activity. Interact with the OS directly from a browser. See the feedback from your actions immediately".
Hybrid Analysis This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
Joe Sandbox Live Interaction, URL Analysis and AI-based Phishing Detection, YARA and Sigma rule support, MITRE ATT&CK matrix, AI-based malware detection, Mail Monitor, Threat Hunting and Intelligence, Automated User Behavior, Dynamic VBA/JS/JAR instrumentation, Execution Graphs, Localized Internet Anonymization and many more.
Malware - Start from entry point and understand:
What is being performed, and why
Other ways to perform the same behavior
Look at ReactOS and reverse the API being used: https://reactos.org/
Current APT campaigns infect users by sending seemingly legitimate documents attached to emails, e.g. an invoice for a business. Once opened, however, they execute malicious code without the user knowing. This malicious code is often used in what's known as a "dropper attack", where additional malicious programs are downloaded onto the host. The document looks perfectly okay, right? In actual fact, this Word document has just downloaded a ransomware file from a malicious IP address in the background, with not much more than the snippet of code shown.
Thankfully, antivirus products these days are pretty reliable at picking up that sort of activity when it is left in plaintext. The following example uses two stages to execute an obfuscated payload.
The macro starts once edit permissions ("Enable Edit" or "Enable Content") have enabled edit mode on the Word document.
The macro executes the payload stored in the text within the document. A large amount of text has to be contained within the page, and if users see it they will become suspicious and not proceed with editing the document; the macro doesn't need the text to be visible to the user, it just needs to exist on the page.
PDFs are capable of containing many more types of code that can be executed without the user's knowledge. This includes:
JavaScript
Python
Executables
PowerShell shellcode
Identifying JavaScript embedded PDF:
We'll be using peepdf to begin a preliminary analysis of a PDF file to determine whether it contains JavaScript. If it does, we will extract that JavaScript code (without executing it) for inspection.
To extract this JavaScript, we can use peepdf's "extract" module. The following command will create a script file for peepdf to use:
The script will extract all JavaScript via "extract js" and pipe (>) the contents into "javascript-from-demo_notsuspicious.pdf". We now need to tell peepdf the name of the script (extracted_javascript.txt) and the PDF file that we want to extract from (demo_notsuspicious.pdf):
Remember that the JavaScript will be written to a file called "javascript-from-demo_notsuspicious.pdf" because of our script. You will see an output file, in this case named "javascript-from-demo_notsuspicious". This file now contains our extracted JavaScript; we can simply cat it to see the contents.
PDF attachments can be ZIP files or images
HEX editor (HXD): https://mh-nexus.de/en/hxd/
4D 5A ("MZ") as the first two bytes = .exe file
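As an added example (not part of the original notes), a small Python triage script that applies the checks above before any sandboxing: it identifies a file by its leading bytes (the 4D 5A "MZ" signature for executables), scans a PDF for the JavaScript, auto-run, launch and attachment keys that peepdf would report (undoing the #xx name escapes some samples use to disguise /JavaScript), and looks for the VBA project part that marks a macro-bearing Office document like the dropper described earlier. The sample PDF and Office ZIPs are constructed inline and the function names are my own.

```python
import io
import re
import zipfile

# Magic bytes: 4D 5A ("MZ") opens a PE executable, %PDF a PDF, PK\x03\x04 a ZIP-based
# container (docx/docm/xlsm/jar). Only a match at byte 0 counts, whatever the extension says.
MAGIC = [(b"MZ", "PE executable"), (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP container")]
# PDF name objects worth a closer look: script, auto-run, launch and attachment keys.
RISKY_PDF_KEYS = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|EmbeddedFile)(?![A-Za-z])")

def identify(data: bytes) -> str:
    """Return a file type from the leading bytes, ignoring the file extension."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"

def normalize_pdf_names(data: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names, so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def pdf_indicators(data: bytes) -> dict:
    """Count risky PDF keys after de-escaping names. These are triage hints only:
    keys inside compressed object streams (/ObjStm) are invisible to a raw scan."""
    counts = {}
    for m in RISKY_PDF_KEYS.finditer(normalize_pdf_names(data)):
        key = m.group(1).decode()
        counts[key] = counts.get(key, 0) + 1
    return counts

def has_vba_project(data: bytes) -> bool:
    """True if a ZIP-based Office file carries a VBA project part, i.e. a macro."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def build_office_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a docx/docm: a ZIP with or without word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed")
    return buf.getvalue()

# Constructed sample PDF: a hex-escaped /JavaScript key plus an /OpenAction that runs it.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
```

A non-zero count for /OpenAction together with /JavaScript is the case peepdf's "extract js" step above is meant for; a raw scan showing nothing does not clear a file that uses object streams, so run peepdf on it anyway.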
This tells us that when the PDF is opened, the user will be asked to save an attachment:
Let's investigate further by looking at the strings for attacker's IP and port
CHECK FOR PACKED: If it's not a well-known packer, then google for more information.
CHECK IMPORTS: After confirming that this file is indeed packed, let's open it up with a tool called IDA Freeware.
CHECK HEADERS / IMPORTS / STRINGS: View - Imports, Tools - Disassembler
CHECK STRINGS: Open a Command prompt on the Windows Machine and navigate to the directory "Tools\Sysinternalssuite"
We're going to use Microsoft's Sysinternals "Strings" program to output the retained strings within the specified file
BOOKS
Computer Systems: A Programmer's Perspective https://www.amazon.com/Computer-Systems-Programmers-Perspective-3rd/dp/013409266X
COURSES
ARCH1001 OST2 https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/course/
Compiler Explorer https://godbolt.org/
Indirect Syscalls and callstack spoofing: https://github.com/HavocFramework/Havoc/tree/dev/payloads/Demon/src/asm
Debugging with WinDbg Preview/x64dbg (Debuggers 1011 OST2) https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/
To attach the script as a separate file to the PDF:
use the Attach File feature in Adobe Acrobat
open the PDF document in the editor
select the location where you want to attach the file
then use the Attach File feature to add the PowerShell script file
To attach a PowerShell script to a PDF and have it execute automatically when the PDF is opened, you can use a third-party tool such as Adobe Acrobat Pro to create a PDF with an embedded script. Here are the steps to do this:
Open Adobe Acrobat Pro.
Click on "Tools" in the top menu bar.
Select "Prepare Form" from the drop-down menu.
Click on "Add New Field" in the right-hand pane.
Select "Text Field" from the options.
Click and drag to create a text field on the PDF document.
Right-click on the text field and select "Properties".
In the "Options" tab, select "Multi-line" and "Scroll long text".
In the "Actions" tab, select "Run a JavaScript" from the "Select Action" drop-down menu.
Click on "Add" to create a new JavaScript action.
In the "JavaScript Editor" window, type the following code to execute the PowerShell script:
Replace "C:\path\to\myscript.ps1" with the actual path to your PowerShell script file.
Click on "OK" to close the "JavaScript Editor" window.
Click on "Close" to close the "Text Field Properties" window.
Save the PDF document.