Malware

REMnux: A Linux Toolkit for Malware Analystsremnux.org

Get the Virtual Appliance | REMnux Documentationdocs.remnux.org

AnyRun Per the site, "Analyze a network, file, module, and the registry activity. Interact with the OS directly from a browser. See the feedback from your actions immediately".

Interactive Online Malware Analysis Sandbox - ANY.RUNapp.any.run

Hybrid Analysis This is a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

Free Automated Malware Analysis Service - powered by Falcon Sandboxwww.hybrid-analysis.com

Joe Sandbox Live Interaction, URL Analysis & AI based Phishing Detection, Yara and Sigma rules support, MITRE ATT&CK matrix, AI based malware detection, Mail Monitor, Threat Hunting & Intelligence, Automated User Behavior, Dynamic VBA/JS/JAR instrumentation, Execution Graphs, Localized Internet Anonymization and many more

Deep Malware and Phishing Analysis - Joe Sandboxwww.joesecurity.org

Malware Samples:

Malware - Start from entry point and understand:

• What, why being performed

• Other ways to perform the same behavior

• look at ReactOS and reverse the API being used: https://reactos.org/

Malware analysis reportswww.ncsc.gov.uk

https://vx-underground.org/vx-underground.org

https://github.com/blackmassgroup/vx_undergroundgithub.com

https://samples.vx-underground.org/samples/Families/samples.vx-underground.org

The-Collection/Rats at master · yatt-ze/The-CollectionGitHub

GitHub - Princekin/malware-database: A collection of malwares found on the internet.GitHub

Tools

Wireshark • Go Deep | DownloadWireshark

HxD - Freeware Hex Editor and Disk Editor | mh-nexusmh-nexus.de

http://implbits.com/products/hashtab/implbits.com

PEiD - aldeidwww.aldeid.com

IDA Free: Disassembler & Decompiler at No Costhex-rays.com

PE Explorerwww.pe-explorer.com

Process Monitor - SysinternalsMicrosoftLearn

Analyzing Malicious Microsoft Office Macros

Current APT campaigns infect users by sending seemingly legitimate documents attached to emails i.e. an invoice for business. However, once opened, execute malicious code without the user knowing. This malicious code is often used in what's known as a "dropper attack", where additional malicious programs are downloaded onto the host. Looks perfectly okay, right? Well in actual fact, this word document has just downloaded a ransomware file from a malicious IP address in the background, with not much more than this snippet of code.

Thankfully Anti-Viruses these days are pretty reliable on picking up that sort of activity when it is left in plaintext. The following example uses two-stages to execute an obfuscated payload code.

1. The macro starts once edit permissions ("Enable Edit" or "Enable Content")have enabled edit mode on the Word document

2. The macro executes the payload stored in the text within the document. You need a large amount of text to be contained within the page, users will be suspicious and not proceed with editing the document. The macro doesn't need the text to be visible to the user, it just needs to exist on the page.

Analyzing Malicious PDF's

PDF's are capable of containing many more types of code that can be executed without the user's knowledge. This includes:

• JavaScript

• Python

• Executables

• Powershell Shellcode

Identifying JavaScript embedded PDF:

We'll be using peepdf to begin a precursory analysis of a PDF file to determine the presence of Javascript. If there is, we will extract this Javascript code (without executing it) for our inspection.

peepdf - PDF Analysis Tool | eternal-todo.cometernal-todo.com

$ peepdf
$ peepdf suspdf.pdf

To extract this Javascript, we can use peepdf's "extract" module. The following command will create a script file for peepdf to use:

$ echo 'extract js > javascript-from-suspdf.pdf' > extracted_javascript.txt
$ ls
$ cat extracted_javascript.txt

The script will extract all javascript via extract js and pipe > the contents into "javascript-from-demo_notsuspicious.pdf" We now need to tell peepdf the name of the script (extracted_javascript.txt) and the PDF file that we want to extract from (demo_notsuspicious.pdf):

$ peepdf -s extracted_javascript.txt suspdf.pdf

Remembering that the Javascript will output into a file called "javascript-from-demo_nonsuspicious.pdf" because of our script. You will see an output, in this case, a file named "javascript-from-demo_notsuspicious" (highlighted in yellow). This file now contains our extracted Javascript, we can simply cat this to see the contents.

$ cat javascript-from-suspdf.pdf

Identifying .exe embedded in PDF

PDF attachments can be ZIP files or images

HEX editor (HXD): https://mh-nexus.de/en/hxd/

• 4D 5A MZ = .exe file

This tells us that when the PDF is opened, the user will be asked to save an attachment:

Javascript$ this.exportDataObject({

Let's investigate further by looking at the strings for attacker's IP and port

$ strings dodgypdf.pdf > dodgypdf.txt

Identifying if .exe are obfuscated / packed

1. CHECK FOR PACKED: If its not a well know packer then google for more infomation

PEiD - aldeidwww.aldeid.com

1. CHECK IMPORTS: After confirming that this file is indeed packed, let's open it up with a tool called IDA Freeware.

IDA Free: Disassembler & Decompiler at No Costhex-rays.com

1. CHECK HEADERS / IMPORTS / STRINGS: View - Imports, Tools - Disassembler

PE Explorerwww.pe-explorer.com

1. CHECK STRINGS: Open a Command prompt on the Windows Machine and navigate to the directory "Tools\Sysinternalssuite"

Sysinternals Suite - SysinternalsMicrosoftLearn

$cd C:\Users\Analysis\Desktop\Tools\SysinternalsSuite
$dir

We're going to use Microsoft's Sysinternals "Strings" program to output the retained strings within the specified file

$strings "C:\Users\Analysis\Desktop\pathtofile"

BOOKS

Computer systems: a programmers perspective https://www.amazon.com/Computer-Systems-Programmers-Perspective-3rd/dp/013409266X

COURSES

ARCH1001 OST2 https://p.ost2.fyi/courses/course-v1:OpenSecurityTraining2+Arch1001_x86-64_Asm+2021_v1/course/

Compiler explore https://godbolt.org/

Indirect Syscalls and callstack spoofing: https://github.com/HavocFramework/Havoc/tree/dev/payloads/Demon/src/asm

Debugging with WinDbg Preview/x64dbg (Debuggers 1011 OST2) https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/

Maldev Academy - Advanced Training for Cyber Security Professionalsmaldevacademy.com

☠️Injecting PowerShell scripts into PDF files ☠️

To attach the script as a separate file to the PDF:

1. use the Attach File feature in Adobe Acrobat

2. open the PDF document in the editor

3. select the location where you want to attach the file

4. then use the Attach File feature to add the PowerShell script file

To attach a PowerShell script to a PDF and have it execute automatically when the PDF is opened, you can use a third-party tool such as Adobe Acrobat Pro to create a PDF with an embedded script. Here are the steps to do this:

1. Open Adobe Acrobat Pro.

2. Click on "Tools" in the top menu bar.

3. Select "Prepare Form" from the drop-down menu.

4. Click on "Add New Field" in the right-hand pane.

5. Select "Text Field" from the options.

6. Click and drag to create a text field on the PDF document.

7. Right-click on the text field and select "Properties".

8. In the "Options" tab, select "Multi-line" and "Scroll long text".

9. In the "Actions" tab, select "Run a JavaScript" from the "Select Action" drop-down menu.

10. Click on "Add" to create a new JavaScript action.

11. In the "JavaScript Editor" window, type the following code to execute the PowerShell script:

    var cmd = "powershell.exe -ExecutionPolicy Bypass -File "C:\\path\\to\\myscript.ps1";
    var shell = new ActiveXObject("WScript.Shell");
    shell.Run(cmd, 0);

Replace "C:\path\to\myscript.ps1" with the actual path to your PowerShell script file.

1. Click on "OK" to close the "JavaScript Editor" window.

2. Click on "Close" to close the "Text Field Properties" window.

3. Save the PDF document.