TekDefense

Friday

Feb222013

Tektip ep23 - MASTIFF with a splash of Maltrieve

Friday, February 22, 2013 at 10:03PM

In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of this episode I wanted to delve into Maltrieve first.

Maltrieve is a fork of MWCrawler which you guys and gals may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell @KyleMaxwell. While it has the same basic function of MWCrawler which is downloading malware from various web resources, it works much faster and has more reliable web resources it pulls from. @KyleMaxwell is working to add thug integration as well.

Once downloaded you run maltrieve without any options, as seen below:

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py

2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory

2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file

2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file

2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0

2013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file

2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue

2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue

2013-02-23 20:33:03 -1241515200 Fetched URL http://famagatra.ru:8080/forum/links/public_version.php from queue

2013-02-23 20:33:03 -1249907904 Fetched URL http://fzukungda.ru:8080/forum/links/column.php from queue

2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63

2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: 421ae9afed094a1b2ee1977507175dfc

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&gt%2F;&&&&gt%2F;&&&&lt%2F;%2Fbr%2F&&&&lt, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: ddb8eec9f195d191f05c793ca8f23e4f

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=http:%2Fdownload2.microapp.com%2Ftelechargement%2Feval%2F10001_eval.exetitle=compil&&&ampampampampampamp&&&ampampampampampampampamp&&&ampampa, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: cb932f33a7fa52e3e88bba3d5073d26f

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=hxxp:%2Fdownltbr%2Fgtload2.microapp.com%2Ftelechargement%2Feval%2F10275_eval.exeltbr%2Fgttitle=enigmes, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: a1fe3bca05487621dd876af0e8a31408

2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=3dhttp:%<br%2F>2fdownlo, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: 7cd588413684f019d52a304f78a6538e

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py 2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.02013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue2013-

This will download the malware to a default directory of /tmp/malware

*Make sure this directory exists or change the path in the python script to match what you want

So, with Maltrieve done and a bunch of samples downloaded it is time to see the power of MASTIFF.

MASTIFF is an automated framework for static analysis created by Tyler Hudak @SecShoggath and was funded by the Cyber Fast Track DARPA program. Too bad Cyber Fast track is going away, there are so many awesome projects coming out of it right now.

What MASTIFF will do is it will analyze a file to determine the file type (pdf, zip, PE32) and based on that file type it will run the appropriate static analysis tools against the sample. The output for tools it runs are organized and packaged up with some key information also making its way to a sqllite database.

Some of the benefits of this framework are:

Easily Extensible: Built very modular so adding to the functionality is easy
Consistent: When you have a team of analyst working on malware it is important that everyone speak the same language. MASTIFF gives a consistent standard approach to static analysis.
Quick: Manual static analysis can take a long time. With MASTIFF I can run through hundreds of samples in minutes.
Documented: As a consequence of being a DARPA funded program the creator was forced to ensure that the framework was documented well. The documentation goes beyond the normal installation and usage covering workflow and methodology.

I do not cover installation in the video as it would take to long and be very boring but I will mention that installation is relatively easy. The only real pain is ensuring you have all of the third party tools installed. The pdf inside the archive for MASTIFF has great documentation to get you up and running. Once the dependencies and MASTIFF are installed though ensure that you modify the mastiff.conf file to reference the appropriate paths for where you installed the third party tools.

Now that the config is good and MASTIFF is installed you are ready to start analyzing malware. running mas.py will show you usage.

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ mas.py

Usage: mas.py [options] FILE

Options:

-c CONFIG_FILE, --conf=CONFIG_FILE

Use an alternate config file. The default is

'./mastiff.conf'.

-h, --help Show the help message and exit.

-l PLUGIN_TYPE, --list=PLUGIN_TYPE

List all available plug-ins of the specified type and

exit. Type must be one of 'analysis' or 'cat'.

-o OVERRIDE, --option=OVERRIDE

Override a config file option. Configuration options

should be specified as 'Section.Key=Value' and should

be quoted if any whitespace is present. Multiple

overrides can be specified by using multiple '-o'

options.

-p PLUGIN_NAME, --plugin=PLUGIN_NAME

Only run the specified analysis plug-in. Name must be

quoted if it contains whitespace.

-q, --quiet Only log errors.

-t FTYPE, --type=FTYPE

Force file to be analyzed with plug-ins from the

specified category (e.g., EXE, PDF, etc.). Run with

'-l cat' to list all available category plug-ins.

-V, --verbose Print verbose logs.

-v, --version Show program's version number and exit.

To run mastiff against a single file simply sudo mas.py filename

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo mas.py /tmp/malware/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:40,945] [INFO] [Mastiff] : Starting analysis on /tmp/malware/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:40,954] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/86658467c74b39210de96111ee6f66d5.

[2013-02-23 21:47:40,955] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/86658467c74b39210de96111ee6f66d5

[2013-02-23 21:47:41,084] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 21:47:41,176] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 21:47:41,326] [INFO] [Mastiff.Plugins.Digital Signatures] : Signature extracted.

[2013-02-23 21:47:41,347] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 21:47:41,413] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 21:47:41,506] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 21:47:41,507] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 21:47:41,544] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 21:47:41,545] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 21:47:41,624] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 21:47:41,625] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 21:47:41,644] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 21:47:41,645] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/86658467c74b39210de96111ee6f66d5.

Navigate to the directory you have set as the work log in the mastiff.conf to see the results

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ ls -l

total 424

-rw-r--r-- 1 root root 267312 Feb 23 21:47 86658467c74b39210de96111ee6f66d5.VIR

-rw-r--r-- 1 root root 137 Feb 23 21:47 fuzzy.txt

-rw-r--r-- 1 root root 3440 Feb 23 21:47 mastiff.log

-rw-r--r-- 1 root root 1024 Feb 23 21:47 mastiff-run.config

-rw-r--r-- 1 root root 42100 Feb 23 21:47 peinfo-full.txt

-rw-r--r-- 1 root root 13317 Feb 23 21:47 peinfo-quick.txt

drwxr-xr-x 2 root root 4096 Feb 23 21:47 resources

-rw-r--r-- 1 root root 1332 Feb 23 21:47 resources.txt

-rw-r--r-- 1 root root 7704 Feb 23 21:47 sig.der

-rw-r--r-- 1 root root 27152 Feb 23 21:47 sig.txt

-rw-r--r-- 1 root root 42606 Feb 23 21:47 strings.txt

Nice, it looks like we pulled certificate info based on the sig.txt being there. To give you an example of the type of data you get, here is a cat of the peinfo-quick.txt:

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ cat peinfo-quick.txt

PE Header Information

Quick Info:

TimeDateStamp: Tue Aug 30 15:46:24 2011

Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI

Number of Sections: 7

Section Name Entropy Flags

-----------------------------------------------------------------

.text 5.96 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.data 1.1803 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.rdata 5.309 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.bss 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.idata 5.2371 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.ndata 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

.rsrc 5.8707 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

Parser Warnings:

File Information:

LegalCopyright : (c) 2010 (2013-02-05 11:20)

ProductName : 3d-world-map

FileVersion : 2.2.0.0

FileDescription : 3d-world-map

Translation : 0x0000 0x04e4

Imports:

DLL API Address

----------------------------------------------------------------------

ADVAPI32.DLL RegCloseKey 0x428340

ADVAPI32.DLL RegCreateKeyExA 0x428344

ADVAPI32.DLL RegDeleteKeyA 0x428348

ADVAPI32.DLL RegDeleteValueA 0x42834c

ADVAPI32.DLL RegEnumKeyA 0x428350

ADVAPI32.DLL RegEnumValueA 0x428354

ADVAPI32.DLL RegOpenKeyExA 0x428358

ADVAPI32.DLL RegQueryValueExA 0x42835c

ADVAPI32.DLL RegSetValueExA 0x428360

COMCTL32.DLL ImageList_AddMasked 0x428368

COMCTL32.DLL ImageList_Create 0x42836c

COMCTL32.DLL ImageList_Destroy 0x428370

COMCTL32.DLL InitCommonControls 0x428374

GDI32.dll CreateBrushIndirect 0x42837c

GDI32.dll CreateFontIndirectA 0x428380

GDI32.dll DeleteObject 0x428384

GDI32.dll GetDeviceCaps 0x428388

GDI32.dll SelectObject 0x42838c

GDI32.dll SetBkColor 0x428390

GDI32.dll SetBkMode 0x428394

GDI32.dll SetTextColor 0x428398

KERNEL32.dll CloseHandle 0x4283a0

KERNEL32.dll CompareFileTime 0x4283a4

KERNEL32.dll CopyFileA 0x4283a8

KERNEL32.dll CreateDirectoryA 0x4283ac

KERNEL32.dll CreateFileA 0x4283b0

KERNEL32.dll CreateProcessA 0x4283b4

KERNEL32.dll CreateThread 0x4283b8

KERNEL32.dll DeleteFileA 0x4283bc

KERNEL32.dll ExitProcess 0x4283c0

KERNEL32.dll ExpandEnvironmentStringsA 0x4283c4

KERNEL32.dll FindClose 0x4283c8

KERNEL32.dll FindFirstFileA 0x4283cc

KERNEL32.dll FindNextFileA 0x4283d0

KERNEL32.dll FreeLibrary 0x4283d4

KERNEL32.dll GetCommandLineA 0x4283d8

KERNEL32.dll GetCurrentProcess 0x4283dc

KERNEL32.dll GetDiskFreeSpaceA 0x4283e0

KERNEL32.dll GetExitCodeProcess 0x4283e4

KERNEL32.dll GetFileAttributesA 0x4283e8

KERNEL32.dll GetFileSize 0x4283ec

KERNEL32.dll GetFullPathNameA 0x4283f0

KERNEL32.dll GetLastError 0x4283f4

KERNEL32.dll GetModuleFileNameA 0x4283f8

KERNEL32.dll GetModuleHandleA 0x4283fc

KERNEL32.dll GetPrivateProfileStringA 0x428400

KERNEL32.dll GetProcAddress 0x428404

KERNEL32.dll GetShortPathNameA 0x428408

KERNEL32.dll GetSystemDirectoryA 0x42840c

KERNEL32.dll GetTempFileNameA 0x428410

KERNEL32.dll GetTempPathA 0x428414

KERNEL32.dll GetTickCount 0x428418

KERNEL32.dll GetVersion 0x42841c

KERNEL32.dll GetWindowsDirectoryA 0x428420

KERNEL32.dll GlobalAlloc 0x428424

KERNEL32.dll GlobalFree 0x428428

KERNEL32.dll GlobalLock 0x42842c

KERNEL32.dll GlobalUnlock 0x428430

KERNEL32.dll LoadLibraryA 0x428434

KERNEL32.dll LoadLibraryExA 0x428438

KERNEL32.dll MoveFileA 0x42843c

KERNEL32.dll MulDiv 0x428440

KERNEL32.dll MultiByteToWideChar 0x428444

KERNEL32.dll ReadFile 0x428448

KERNEL32.dll RemoveDirectoryA 0x42844c

KERNEL32.dll SearchPathA 0x428450

KERNEL32.dll SetCurrentDirectoryA 0x428454

KERNEL32.dll SetErrorMode 0x428458

KERNEL32.dll SetFileAttributesA 0x42845c

KERNEL32.dll SetFilePointer 0x428460

KERNEL32.dll SetFileTime 0x428464

KERNEL32.dll Sleep 0x428468

KERNEL32.dll WaitForSingleObject 0x42846c

KERNEL32.dll WriteFile 0x428470

KERNEL32.dll WritePrivateProfileStringA 0x428474

KERNEL32.dll lstrcatA 0x428478

KERNEL32.dll lstrcmpA 0x42847c

KERNEL32.dll lstrcmpiA 0x428480

KERNEL32.dll lstrcpynA 0x428484

KERNEL32.dll lstrlenA 0x428488

OLE32.dll CoCreateInstance 0x428490

OLE32.dll CoTaskMemFree 0x428494

OLE32.dll OleInitialize 0x428498

OLE32.dll OleUninitialize 0x42849c

SHELL32.DLL SHBrowseForFolderA 0x4284a4

SHELL32.DLL SHFileOperationA 0x4284a8

SHELL32.DLL SHGetFileInfoA 0x4284ac

SHELL32.DLL SHGetPathFromIDListA 0x4284b0

SHELL32.DLL SHGetSpecialFolderLocation 0x4284b4

SHELL32.DLL ShellExecuteA 0x4284b8

USER32.dll AppendMenuA 0x4284c0

USER32.dll BeginPaint 0x4284c4

USER32.dll CallWindowProcA 0x4284c8

USER32.dll CharNextA 0x4284cc

USER32.dll CharPrevA 0x4284d0

USER32.dll CheckDlgButton 0x4284d4

USER32.dll CloseClipboard 0x4284d8

USER32.dll CreateDialogParamA 0x4284dc

USER32.dll CreatePopupMenu 0x4284e0

USER32.dll CreateWindowExA 0x4284e4

USER32.dll DefWindowProcA 0x4284e8

USER32.dll DestroyWindow 0x4284ec

USER32.dll DialogBoxParamA 0x4284f0

USER32.dll DispatchMessageA 0x4284f4

USER32.dll DrawTextA 0x4284f8

USER32.dll EmptyClipboard 0x4284fc

USER32.dll EnableMenuItem 0x428500

USER32.dll EnableWindow 0x428504

USER32.dll EndDialog 0x428508

USER32.dll EndPaint 0x42850c

USER32.dll ExitWindowsEx 0x428510

USER32.dll FillRect 0x428514

USER32.dll FindWindowExA 0x428518

USER32.dll GetClassInfoA 0x42851c

USER32.dll GetClientRect 0x428520

USER32.dll GetDC 0x428524

USER32.dll GetDlgItem 0x428528

USER32.dll GetDlgItemTextA 0x42852c

USER32.dll GetMessagePos 0x428530

USER32.dll GetSysColor 0x428534

USER32.dll GetSystemMenu 0x428538

USER32.dll GetSystemMetrics 0x42853c

USER32.dll GetWindowLongA 0x428540

USER32.dll GetWindowRect 0x428544

USER32.dll InvalidateRect 0x428548

USER32.dll IsWindow 0x42854c

USER32.dll IsWindowEnabled 0x428550

USER32.dll IsWindowVisible 0x428554

USER32.dll LoadBitmapA 0x428558

USER32.dll LoadCursorA 0x42855c

USER32.dll LoadImageA 0x428560

USER32.dll MessageBoxIndirectA 0x428564

USER32.dll OpenClipboard 0x428568

USER32.dll PeekMessageA 0x42856c

USER32.dll PostQuitMessage 0x428570

USER32.dll RegisterClassA 0x428574

USER32.dll ScreenToClient 0x428578

USER32.dll SendMessageA 0x42857c

USER32.dll SendMessageTimeoutA 0x428580

USER32.dll SetClassLongA 0x428584

USER32.dll SetClipboardData 0x428588

USER32.dll SetCursor 0x42858c

USER32.dll SetDlgItemTextA 0x428590

USER32.dll SetForegroundWindow 0x428594

USER32.dll SetTimer 0x428598

USER32.dll SetWindowLongA 0x42859c

USER32.dll SetWindowPos 0x4285a0

USER32.dll SetWindowTextA 0x4285a4

USER32.dll ShowWindow 0x4285a8

USER32.dll SystemParametersInfoA 0x4285ac

USER32.dll TrackPopupMenu 0x4285b0

USER32.dll wsprintfA 0x4285b4

VERSION.dll GetFileVersionInfoA 0x4285bc

VERSION.dll GetFileVersionInfoSizeA 0x4285c0

VERSION.dll VerQueryValueA 0x4285c4

MASTIFF does not currently have a native method to scan multiple files at once. While that is on the horizon for the project that is not a problem for us as we can just script out a quick program to do this. Of course you can always use mine.

#!/usr/bin/python
 
import os
 
# MASTIFF Autorun
# @TekDefense
# www.TekDefense.com
# Quick script to autorun samples from maltrieve to MASTIFF
 
malwarePath = '/tmp/malware/'
 
for r, d, f in os.walk(malwarePath):
  for files in f:
		malware = malwarePath + files
		print malware
		os.system ('mas.py' + ' ' + malware)

Simply change the directory in the script to point to where you have the samples and run the python program. Also be sure to keep this script in the same directory as mas.py.

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo python autoRunMas.py

/tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,296] [INFO] [Mastiff] : Starting analysis on /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,318] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.

[2013-02-23 22:00:55,326] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/dd1f966ee8f22e6a45a90bb112454e2e

[2013-02-23 22:00:55,494] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 22:00:55,518] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 22:00:55,519] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 22:00:55,682] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 22:00:55,838] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 22:00:55,839] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 22:00:55,874] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 22:00:55,875] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 22:00:55,995] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 22:00:55,996] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 22:00:55,996] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 22:00:56,010] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 22:00:56,011] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 22:00:56,011] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.

/tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,257] [INFO] [Mastiff] : Starting analysis on /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,259] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.

[2013-02-23 22:00:56,268] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/ba91f309a81c1f6f1d7dcc5cb5094328

[2013-02-23 22:00:56,375] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']

[2013-02-23 22:00:56,408] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].

[2013-02-23 22:00:56,409] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.

[2013-02-23 22:00:56,471] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.

[2013-02-23 22:00:56,472] [INFO] [Mastiff.Plugins.Resources] : Starting execution.

[2013-02-23 22:00:56,546] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.

[2013-02-23 22:00:56,596] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.

[2013-02-23 22:00:56,600] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.

[2013-02-23 22:00:56,614] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.

[2013-02-23 22:00:56,615] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.

[2013-02-23 22:00:56,673] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.

[2013-02-23 22:00:56,674] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.

[2013-02-23 22:00:56,675] [INFO] [Mastiff.Plugins.File Information] : Starting execution.

[2013-02-23 22:00:56,697] [INFO] [Mastiff.Plugins.yara] : Starting execution.

[2013-02-23 22:00:56,698] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.

[2013-02-23 22:00:56,698] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.

/tmp/malware/a544ffb08f6177f6382df6101f78bfdc

Now that you have performed analysis against a bunch of samples you can analyze the results, or open up the sqllite database to pull some statistics.

As you can probably tell by now, I am really enjoying MASTIFF, in fact I am looking for any excuse to run it daily. Last week I was given a perfect event to apply MASTIFF too and that was Mandiant's report on APT1. VirusShare @VXShare was able to quickly compile a bunch of samples which a lot of folks started playing around with. I decided to run 20 or so of the samples through MASTIFF. If you would like to download those results you can get them in the download section.

I mentioned in the video that I was getting an error when running MASTIFF. I am not sure what is generating the error exactly quite yet, as I have checked that all the appropriate imports are in place. Once I figure it out I'll let you guys know what is going on. The error is below:

[2013-02-23 21:47:40,904] [ERROR] [yapsy] : Unable to import plugin: /opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring

Traceback (most recent call last):

File "/usr/local/lib/python2.7/dist-packages/Yapsy-1.10.1_pythons2n3-py2.7.egg/yapsy/PluginManager.py", line 486, in loadPlugins

candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))

File "/opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring.py", line 52, in <module>

from distorm3 import Decode, Decode32Bits

File "/usr/local/lib/python2.7/dist-packages/distorm3-3-py2.7.egg/distorm3/__init__.py", line 47, in <module>

raise ImportError("Error loading the diStorm dynamic library (or cannot load library into process).")

ImportError: Error loading the diStorm dynamic library (or cannot load library into process).

MASTIFF seems to be running fine even with the error though.

Look for MASTIFF to be in the next release of HoneyDrive. Thanks @ikoniaris!

Admin |

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

Post a New Comment

Enter your information below to add a new comment.

My response is on my own website »

Author:

Author Email (optional):

Author URL (optional):

Post:

↓ | ↑

Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Links

Tektip ep23 - MASTIFF with a splash of Maltrieve

Reader Comments

Post a New Comment

Link an External Response