Tektip ep23 - MASTIFF with a splash of Maltrieve
In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of this episode I wanted to delve into Maltrieve first.
Maltrieve is a fork of MWCrawler, which you guys and gals may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell @KyleMaxwell. While it has the same basic function as MWCrawler, downloading malware from various web resources, it works much faster and pulls from more reliable web resources. @KyleMaxwell is working to add thug integration as well.
Once downloaded you run maltrieve without any options, as seen below:
tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py
2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory
2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file
2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue
2013-02-23 20:33:03 -1241515200 Fetched URL http://famagatra.ru:8080/forum/links/public_version.php from queue
2013-02-23 20:33:03 -1249907904 Fetched URL http://fzukungda.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: 421ae9afed094a1b2ee1977507175dfc
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&>%2F;&&&>%2F;&&&<%2F;%2Fbr%2F&&&<, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: ddb8eec9f195d191f05c793ca8f23e4f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=http:%2Fdownload2.microapp.com%2Ftelechargement%2Feval%2F10001_eval.exetitle=compil&&&ampampampampamp&&&ampampampampampampamp&&&ampa, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: cb932f33a7fa52e3e88bba3d5073d26f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=hxxp:%2Fdownltbr%2Fgtload2.microapp.com%2Ftelechargement%2Feval%2F10275_eval.exeltbr%2Fgttitle=enigmes, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: a1fe3bca05487621dd876af0e8a31408
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=3dhttp:%<br%2F>2fdownlo, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: 7cd588413684f019d52a304f78a6538e
This downloads the malware to the default directory /tmp/malware.
*Make sure this directory exists, or change the path in the Python script to the location you want.
So, with Maltrieve done and a bunch of samples downloaded it is time to see the power of MASTIFF.
MASTIFF is an automated framework for static analysis created by Tyler Hudak @SecShoggath and was funded by the DARPA Cyber Fast Track program. Too bad Cyber Fast Track is going away; there are so many awesome projects coming out of it right now.
MASTIFF analyzes a file to determine its type (PDF, ZIP, PE32) and, based on that type, runs the appropriate static analysis tools against the sample. The output of the tools it runs is organized and packaged up, with some key information also making its way into a SQLite database.
Some of the benefits of this framework are:
- Easily Extensible: Built very modular so adding to the functionality is easy
- Consistent: When you have a team of analysts working on malware it is important that everyone speaks the same language. MASTIFF gives a consistent, standard approach to static analysis.
- Quick: Manual static analysis can take a long time. With MASTIFF I can run through hundreds of samples in minutes.
- Documented: As a consequence of being a DARPA-funded program, the creator was required to ensure that the framework was well documented. The documentation goes beyond the normal installation and usage, covering workflow and methodology.
I do not cover installation in the video as it would take too long and be very boring, but I will mention that installation is relatively easy. The only real pain is ensuring you have all of the third-party tools installed. The PDF inside the MASTIFF archive has great documentation to get you up and running. Once the dependencies and MASTIFF are installed, though, make sure you modify the mastiff.conf file to reference the appropriate paths for where you installed the third-party tools.
Now that the config is good and MASTIFF is installed you are ready to start analyzing malware. Running mas.py without arguments shows the usage:
tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ mas.py
Usage: mas.py [options] FILE
Options:
-c CONFIG_FILE, --conf=CONFIG_FILE
Use an alternate config file. The default is
'./mastiff.conf'.
-h, --help Show the help message and exit.
-l PLUGIN_TYPE, --list=PLUGIN_TYPE
List all available plug-ins of the specified type and
exit. Type must be one of 'analysis' or 'cat'.
-o OVERRIDE, --option=OVERRIDE
Override a config file option. Configuration options
should be specified as 'Section.Key=Value' and should
be quoted if any whitespace is present. Multiple
overrides can be specified by using multiple '-o'
options.
-p PLUGIN_NAME, --plugin=PLUGIN_NAME
Only run the specified analysis plug-in. Name must be
quoted if it contains whitespace.
-q, --quiet Only log errors.
-t FTYPE, --type=FTYPE
Force file to be analyzed with plug-ins from the
specified category (e.g., EXE, PDF, etc.). Run with
'-l cat' to list all available category plug-ins.
-V, --verbose Print verbose logs.
-v, --version Show program's version number and exit.
To run MASTIFF against a single file, simply run sudo mas.py filename:
tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo mas.py /tmp/malware/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:40,945] [INFO] [Mastiff] : Starting analysis on /tmp/malware/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:40,954] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/86658467c74b39210de96111ee6f66d5.
[2013-02-23 21:47:40,955] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:41,084] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 21:47:41,176] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 21:47:41,326] [INFO] [Mastiff.Plugins.Digital Signatures] : Signature extracted.
[2013-02-23 21:47:41,347] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 21:47:41,413] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 21:47:41,506] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 21:47:41,507] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 21:47:41,544] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 21:47:41,545] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 21:47:41,624] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 21:47:41,625] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 21:47:41,644] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 21:47:41,645] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/86658467c74b39210de96111ee6f66d5.
Navigate to the directory you have set as the work log directory in mastiff.conf to see the results:
tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ ls -l
total 424
-rw-r--r-- 1 root root 267312 Feb 23 21:47 86658467c74b39210de96111ee6f66d5.VIR
-rw-r--r-- 1 root root 137 Feb 23 21:47 fuzzy.txt
-rw-r--r-- 1 root root 3440 Feb 23 21:47 mastiff.log
-rw-r--r-- 1 root root 1024 Feb 23 21:47 mastiff-run.config
-rw-r--r-- 1 root root 42100 Feb 23 21:47 peinfo-full.txt
-rw-r--r-- 1 root root 13317 Feb 23 21:47 peinfo-quick.txt
drwxr-xr-x 2 root root 4096 Feb 23 21:47 resources
-rw-r--r-- 1 root root 1332 Feb 23 21:47 resources.txt
-rw-r--r-- 1 root root 7704 Feb 23 21:47 sig.der
-rw-r--r-- 1 root root 27152 Feb 23 21:47 sig.txt
-rw-r--r-- 1 root root 42606 Feb 23 21:47 strings.txt
Nice, it looks like we pulled certificate info, judging by the sig.txt being there. To give you an example of the type of data you get, here is a cat of peinfo-quick.txt:
tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ cat peinfo-quick.txt
PE Header Information
Quick Info:
TimeDateStamp: Tue Aug 30 15:46:24 2011
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Number of Sections: 7
Section Name Entropy Flags
-----------------------------------------------------------------
.text 5.96 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.data 1.1803 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rdata 5.309 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.bss 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.idata 5.2371 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.ndata 0.0 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rsrc 5.8707 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
Parser Warnings:
File Information:
LegalCopyright : (c) 2010 (2013-02-05 11:20)
ProductName : 3d-world-map
FileVersion : 2.2.0.0
FileDescription : 3d-world-map
Translation : 0x0000 0x04e4
Imports:
DLL API Address
----------------------------------------------------------------------
ADVAPI32.DLL RegCloseKey 0x428340
ADVAPI32.DLL RegCreateKeyExA 0x428344
ADVAPI32.DLL RegDeleteKeyA 0x428348
ADVAPI32.DLL RegDeleteValueA 0x42834c
ADVAPI32.DLL RegEnumKeyA 0x428350
ADVAPI32.DLL RegEnumValueA 0x428354
ADVAPI32.DLL RegOpenKeyExA 0x428358
ADVAPI32.DLL RegQueryValueExA 0x42835c
ADVAPI32.DLL RegSetValueExA 0x428360
COMCTL32.DLL ImageList_AddMasked 0x428368
COMCTL32.DLL ImageList_Create 0x42836c
COMCTL32.DLL ImageList_Destroy 0x428370
COMCTL32.DLL InitCommonControls 0x428374
GDI32.dll CreateBrushIndirect 0x42837c
GDI32.dll CreateFontIndirectA 0x428380
GDI32.dll DeleteObject 0x428384
GDI32.dll GetDeviceCaps 0x428388
GDI32.dll SelectObject 0x42838c
GDI32.dll SetBkColor 0x428390
GDI32.dll SetBkMode 0x428394
GDI32.dll SetTextColor 0x428398
KERNEL32.dll CloseHandle 0x4283a0
KERNEL32.dll CompareFileTime 0x4283a4
KERNEL32.dll CopyFileA 0x4283a8
KERNEL32.dll CreateDirectoryA 0x4283ac
KERNEL32.dll CreateFileA 0x4283b0
KERNEL32.dll CreateProcessA 0x4283b4
KERNEL32.dll CreateThread 0x4283b8
KERNEL32.dll DeleteFileA 0x4283bc
KERNEL32.dll ExitProcess 0x4283c0
KERNEL32.dll ExpandEnvironmentStringsA 0x4283c4
KERNEL32.dll FindClose 0x4283c8
KERNEL32.dll FindFirstFileA 0x4283cc
KERNEL32.dll FindNextFileA 0x4283d0
KERNEL32.dll FreeLibrary 0x4283d4
KERNEL32.dll GetCommandLineA 0x4283d8
KERNEL32.dll GetCurrentProcess 0x4283dc
KERNEL32.dll GetDiskFreeSpaceA 0x4283e0
KERNEL32.dll GetExitCodeProcess 0x4283e4
KERNEL32.dll GetFileAttributesA 0x4283e8
KERNEL32.dll GetFileSize 0x4283ec
KERNEL32.dll GetFullPathNameA 0x4283f0
KERNEL32.dll GetLastError 0x4283f4
KERNEL32.dll GetModuleFileNameA 0x4283f8
KERNEL32.dll GetModuleHandleA 0x4283fc
KERNEL32.dll GetPrivateProfileStringA 0x428400
KERNEL32.dll GetProcAddress 0x428404
KERNEL32.dll GetShortPathNameA 0x428408
KERNEL32.dll GetSystemDirectoryA 0x42840c
KERNEL32.dll GetTempFileNameA 0x428410
KERNEL32.dll GetTempPathA 0x428414
KERNEL32.dll GetTickCount 0x428418
KERNEL32.dll GetVersion 0x42841c
KERNEL32.dll GetWindowsDirectoryA 0x428420
KERNEL32.dll GlobalAlloc 0x428424
KERNEL32.dll GlobalFree 0x428428
KERNEL32.dll GlobalLock 0x42842c
KERNEL32.dll GlobalUnlock 0x428430
KERNEL32.dll LoadLibraryA 0x428434
KERNEL32.dll LoadLibraryExA 0x428438
KERNEL32.dll MoveFileA 0x42843c
KERNEL32.dll MulDiv 0x428440
KERNEL32.dll MultiByteToWideChar 0x428444
KERNEL32.dll ReadFile 0x428448
KERNEL32.dll RemoveDirectoryA 0x42844c
KERNEL32.dll SearchPathA 0x428450
KERNEL32.dll SetCurrentDirectoryA 0x428454
KERNEL32.dll SetErrorMode 0x428458
KERNEL32.dll SetFileAttributesA 0x42845c
KERNEL32.dll SetFilePointer 0x428460
KERNEL32.dll SetFileTime 0x428464
KERNEL32.dll Sleep 0x428468
KERNEL32.dll WaitForSingleObject 0x42846c
KERNEL32.dll WriteFile 0x428470
KERNEL32.dll WritePrivateProfileStringA 0x428474
KERNEL32.dll lstrcatA 0x428478
KERNEL32.dll lstrcmpA 0x42847c
KERNEL32.dll lstrcmpiA 0x428480
KERNEL32.dll lstrcpynA 0x428484
KERNEL32.dll lstrlenA 0x428488
OLE32.dll CoCreateInstance 0x428490
OLE32.dll CoTaskMemFree 0x428494
OLE32.dll OleInitialize 0x428498
OLE32.dll OleUninitialize 0x42849c
SHELL32.DLL SHBrowseForFolderA 0x4284a4
SHELL32.DLL SHFileOperationA 0x4284a8
SHELL32.DLL SHGetFileInfoA 0x4284ac
SHELL32.DLL SHGetPathFromIDListA 0x4284b0
SHELL32.DLL SHGetSpecialFolderLocation 0x4284b4
SHELL32.DLL ShellExecuteA 0x4284b8
USER32.dll AppendMenuA 0x4284c0
USER32.dll BeginPaint 0x4284c4
USER32.dll CallWindowProcA 0x4284c8
USER32.dll CharNextA 0x4284cc
USER32.dll CharPrevA 0x4284d0
USER32.dll CheckDlgButton 0x4284d4
USER32.dll CloseClipboard 0x4284d8
USER32.dll CreateDialogParamA 0x4284dc
USER32.dll CreatePopupMenu 0x4284e0
USER32.dll CreateWindowExA 0x4284e4
USER32.dll DefWindowProcA 0x4284e8
USER32.dll DestroyWindow 0x4284ec
USER32.dll DialogBoxParamA 0x4284f0
USER32.dll DispatchMessageA 0x4284f4
USER32.dll DrawTextA 0x4284f8
USER32.dll EmptyClipboard 0x4284fc
USER32.dll EnableMenuItem 0x428500
USER32.dll EnableWindow 0x428504
USER32.dll EndDialog 0x428508
USER32.dll EndPaint 0x42850c
USER32.dll ExitWindowsEx 0x428510
USER32.dll FillRect 0x428514
USER32.dll FindWindowExA 0x428518
USER32.dll GetClassInfoA 0x42851c
USER32.dll GetClientRect 0x428520
USER32.dll GetDC 0x428524
USER32.dll GetDlgItem 0x428528
USER32.dll GetDlgItemTextA 0x42852c
USER32.dll GetMessagePos 0x428530
USER32.dll GetSysColor 0x428534
USER32.dll GetSystemMenu 0x428538
USER32.dll GetSystemMetrics 0x42853c
USER32.dll GetWindowLongA 0x428540
USER32.dll GetWindowRect 0x428544
USER32.dll InvalidateRect 0x428548
USER32.dll IsWindow 0x42854c
USER32.dll IsWindowEnabled 0x428550
USER32.dll IsWindowVisible 0x428554
USER32.dll LoadBitmapA 0x428558
USER32.dll LoadCursorA 0x42855c
USER32.dll LoadImageA 0x428560
USER32.dll MessageBoxIndirectA 0x428564
USER32.dll OpenClipboard 0x428568
USER32.dll PeekMessageA 0x42856c
USER32.dll PostQuitMessage 0x428570
USER32.dll RegisterClassA 0x428574
USER32.dll ScreenToClient 0x428578
USER32.dll SendMessageA 0x42857c
USER32.dll SendMessageTimeoutA 0x428580
USER32.dll SetClassLongA 0x428584
USER32.dll SetClipboardData 0x428588
USER32.dll SetCursor 0x42858c
USER32.dll SetDlgItemTextA 0x428590
USER32.dll SetForegroundWindow 0x428594
USER32.dll SetTimer 0x428598
USER32.dll SetWindowLongA 0x42859c
USER32.dll SetWindowPos 0x4285a0
USER32.dll SetWindowTextA 0x4285a4
USER32.dll ShowWindow 0x4285a8
USER32.dll SystemParametersInfoA 0x4285ac
USER32.dll TrackPopupMenu 0x4285b0
USER32.dll wsprintfA 0x4285b4
VERSION.dll GetFileVersionInfoA 0x4285bc
VERSION.dll GetFileVersionInfoSizeA 0x4285c0
VERSION.dll VerQueryValueA 0x4285c4
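As an added example (not code from the page or from MASTIFF itself), here is a small parser for the peinfo-quick.txt layout shown above. It pulls out the section table and the import table and flags what an analyst looks for first: sections with entropy high enough to suggest packing, sections that are both writable and executable, and a short list of watched APIs. The sample text, the 7.0 entropy threshold and the API watch list are assumptions constructed for the example.

```python
import re

# Constructed sample in the layout of MASTIFF's peinfo-quick.txt shown on the
# page. The .upx1 row is invented so that the packing and W+X checks fire;
# the other rows are abbreviated copies of the page's output.
SAMPLE_PEINFO = """PE Header Information
Quick Info:
TimeDateStamp: Tue Aug 30 15:46:24 2011
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Number of Sections: 3
Section Name Entropy Flags
-----------------------------------------------------------------
.text 5.96 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data 1.1803 IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.upx1 7.91 IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
Parser Warnings:
File Information:
ProductName : 3d-world-map
Imports:
DLL API Address
----------------------------------------------------------------------
KERNEL32.dll CreateProcessA 0x4283b4
KERNEL32.dll GetProcAddress 0x428404
KERNEL32.dll LoadLibraryA 0x428434
SHELL32.DLL ShellExecuteA 0x4284b8
USER32.dll ExitWindowsEx 0x428510
"""

SECTION_ROW = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)?)\s+(.*)$")
IMPORT_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)$")

# Assumed triage heuristics (not part of MASTIFF): Shannon entropy close to
# 8 bits per byte suggests packed or encrypted content, and the API names are
# common process-launch and persistence primitives worth a second look.
ENTROPY_THRESHOLD = 7.0
WATCHED_APIS = {"CreateProcessA", "ShellExecuteA", "WinExec",
                "ExitWindowsEx", "RegSetValueExA", "WriteProcessMemory"}


def parse_peinfo(text):
    """Parse the Section and Imports tables of a peinfo-quick.txt dump."""
    sections, imports, block = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Section Name"):
            block = "sections"
            continue
        if line.startswith("DLL API"):
            block = "imports"
            continue
        if not line or line.startswith("---"):
            continue
        if block == "sections":
            m = SECTION_ROW.match(line)
            if not m:
                block = None  # end of the table ("Parser Warnings:" etc.)
                continue
            # IMAGE_SCN_ALIGN_* entries appear on every section in the page's
            # output and say nothing useful about the section, so drop them.
            flags = {f.strip() for f in m.group(3).split(",")
                     if f.strip() and not f.strip().startswith("IMAGE_SCN_ALIGN_")}
            sections.append((m.group(1), float(m.group(2)), flags))
        elif block == "imports":
            m = IMPORT_ROW.match(line)
            if m:
                imports.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return {"sections": sections, "imports": imports}


def triage(report):
    """Return the findings an analyst wants on top of the raw tables."""
    high_entropy = [n for n, e, _ in report["sections"] if e >= ENTROPY_THRESHOLD]
    wx = [n for n, _, f in report["sections"]
          if "IMAGE_SCN_MEM_EXECUTE" in f and "IMAGE_SCN_MEM_WRITE" in f]
    watched = sorted({api for _, api, _ in report["imports"] if api in WATCHED_APIS})
    return {"high_entropy": high_entropy, "writable_executable": wx,
            "watched_imports": watched}


if __name__ == "__main__":
    findings = triage(parse_peinfo(SAMPLE_PEINFO))
    for key, value in sorted(findings.items()):
        print("%-20s %s" % (key, ", ".join(value) or "-"))
```

Point parse_peinfo at the contents of each /work/log/<md5>/peinfo-quick.txt to get the same summary for every sample MASTIFF has processed.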
MASTIFF does not currently have a native method to scan multiple files at once. While that is on the horizon for the project, it is not a problem for us, as we can just script a quick program to do this. Of course you can always use mine.
#!/usr/bin/python
import os
import subprocess

# MASTIFF Autorun
# @TekDefense
# www.TekDefense.com
# Quick script to autorun samples from maltrieve to MASTIFF

malwarePath = '/tmp/malware/'

for r, d, f in os.walk(malwarePath):
    for files in f:
        # Join with the directory being walked so samples in subdirectories
        # get the correct path (concatenating malwarePath + files does not).
        malware = os.path.join(r, files)
        print(malware)
        # Pass the path as an argument list rather than a shell string, so a
        # sample with an unusual file name cannot alter the command that runs.
        subprocess.call(['mas.py', malware])
Simply change the directory in the script to point to where you have the samples and run the python program. Also be sure to keep this script in the same directory as mas.py.
tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo python autoRunMas.py
/tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,296] [INFO] [Mastiff] : Starting analysis on /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,318] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
[2013-02-23 22:00:55,326] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,494] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:55,518] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:55,519] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:55,682] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:55,838] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:55,839] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:55,874] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:55,875] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:55,995] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:55,996] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:55,996] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,010] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,011] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,011] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
/tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,257] [INFO] [Mastiff] : Starting analysis on /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,259] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
[2013-02-23 22:00:56,268] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,375] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:56,408] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:56,409] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:56,471] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:56,472] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:56,546] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:56,596] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:56,600] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:56,614] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:56,615] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:56,673] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:56,674] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:56,675] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,697] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,698] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,698] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
/tmp/malware/a544ffb08f6177f6382df6101f78bfdc
Now that you have performed analysis against a bunch of samples you can analyze the results, or open up the SQLite database to pull some statistics.
As you can probably tell by now, I am really enjoying MASTIFF; in fact I am looking for any excuse to run it daily. Last week I was given a perfect event to apply MASTIFF to, and that was Mandiant's report on APT1. VirusShare @VXShare was able to quickly compile a bunch of samples which a lot of folks started playing around with. I decided to run 20 or so of the samples through MASTIFF. If you would like to download those results you can get them in the download section.
I mentioned in the video that I was getting an error when running MASTIFF. I am not sure exactly what is generating the error yet, as I have checked that all the appropriate imports are in place. Once I figure it out I'll let you guys know what is going on. The error is below:
[2013-02-23 21:47:40,904] [ERROR] [yapsy] : Unable to import plugin: /opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/Yapsy-1.10.1_pythons2n3-py2.7.egg/yapsy/PluginManager.py", line 486, in loadPlugins
candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))
File "/opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring.py", line 52, in <module>
from distorm3 import Decode, Decode32Bits
File "/usr/local/lib/python2.7/dist-packages/distorm3-3-py2.7.egg/distorm3/__init__.py", line 47, in <module>
raise ImportError("Error loading the diStorm dynamic library (or cannot load library into process).")
ImportError: Error loading the diStorm dynamic library (or cannot load library into process).
MASTIFF seems to be running fine even with the error though.
Look for MASTIFF to be in the next release of HoneyDrive. Thanks @ikoniaris!