Entries in MASTIFF (3)

Sunday, Mar 10 2013

Installing MASTIFF

So we have talked about using SecShoggoth's MASTIFF (here, here, and here), but haven't really gone through the installation. Here goes...

I am assuming a base installation of Ubuntu 12.10 (because it's easy and you can run it for free on AWS). The first thing we should do is update the base OS and install SSH for remote management.

sudo apt-get update; sudo apt-get upgrade -y; sudo apt-get dist-upgrade -y; sudo apt-get autoremove -y; sudo apt-get install openssh-server -y; sudo shutdown -r now

Once that is back online we will begin installing the necessary packages for MASTIFF. I am running through the dependencies in the order they are introduced in the documentation. First let's get the Python dependencies out of the way, as well as an editor (nano is fine... albeit evil).

sudo apt-get install python python-dev python-magic python-sqlite python-setuptools python-pip build-essential vim -y 

Install yapsy from pip

sudo pip install yapsy
Now, I tend to pull the majority of my software into /opt out of habit. You do not need to do the same, but if you change the location be sure to update the commands below. First I will ensure that the user and group I am currently using have access to /opt so I can write to that directory.
sudo chown -R `whoami`:`groups | awk '{print $1}'` /opt
Install TrID, then download and run the TrID database updater.
cd /opt
mkdir /opt/trid
cd /opt/trid
wget http://mark0.net/download/trid_linux.zip
unzip trid_linux.zip
rm -f trid_linux.zip
chmod +x trid
wget http://goo.gl/RQXV8
unzip RQXV8
rm -f RQXV8
chmod +x tridupdate.py
python tridupdate.py
*Note* if you are running this on a 64-bit machine you will need to install ia32-libs (the TrID binary is 32-bit).
sudo aptitude install ia32-libs
Next we will pull the dependencies down for ssdeep and pyssdeep and then install those packages.
sudo apt-get install subversion libpcre3 libpcre3-dev libpcre++-dev -y
cd /opt/
wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.9/ssdeep-2.9.tar.gz
tar -xvzf ssdeep-2.9.tar.gz
rm -f ssdeep-2.9.tar.gz
mv ssdeep-2.9 ssdeep
cd /opt/ssdeep
./configure
make
sudo make install
sudo ldconfig
svn checkout http://pyssdeep.googlecode.com/svn/trunk/ pyssdeep
cd /opt/ssdeep/pyssdeep
python setup.py build
sudo python setup.py install
Next up is automake and yara:
sudo apt-get install automake -y
cd /opt
svn checkout http://yara-project.googlecode.com/svn/trunk/ yara
cd /opt/yara
sudo ln -s /usr/bin/aclocal-1.11 /usr/bin/aclocal-1.12
./configure
make
sudo make install
cd yara-python
python setup.py build
sudo python setup.py install
Now install simplejson from source (NOT the APT repo).
sudo apt-get install git -y
cd /opt
git clone https://github.com/simplejson/simplejson simplejson
cd /opt/simplejson
python setup.py build
sudo python setup.py build install
Pull down Didier Stevens' awesome PDF tools.
mkdir /opt/pdftools
cd /opt/pdftools
wget http://didierstevens.com/files/software/pdf-parser_V0_3_9.zip
unzip pdf-parser_V0_3_9.zip
rm -f pdf-parser_V0_3_9.zip
chmod +x pdf-parser.py
wget http://didierstevens.com/files/software/pdfid_v0_0_12.zip
unzip pdfid_v0_0_12.zip
rm -f pdfid_v0_0_12.zip
chmod +x pdfid.py
Exiftool
cd /opt
wget http://www.sno.phy.queensu.ca/~phil/exiftool/Image-ExifTool-9.22.tar.gz
tar -xvzf Image-ExifTool-9.22.tar.gz
rm Image-ExifTool-9.22.tar.gz
mv Image-ExifTool-9.22 exiftool
pefile (again, NOT from the APT repo)
cd /opt
svn checkout http://pefile.googlecode.com/svn/trunk/ pefile
cd /opt/pefile
python setup.py build
sudo python setup.py build install
Disitool
mkdir /opt/disitool
cd /opt/disitool
wget http://www.didierstevens.com/files/software/disitool_v0_3.zip
unzip disitool_v0_3.zip
rm disitool_v0_3.zip
Openssl
sudo apt-get install openssl -y
pyOLEScanner
mkdir /opt/pyOLEScanner
cd /opt/pyOLEScanner
wget https://github.com/Evilcry/PythonScripts/raw/master/pyOLEScanner.zip
unzip pyOLEScanner.zip
rm pyOLEScanner.zip
chmod +x pyOLEScanner.py
Distorm
cd /opt
svn checkout http://distorm.googlecode.com/svn/trunk/ distorm
cd /opt/distorm
python setup.py build
sudo python setup.py build install
And finally MASTIFF itself
cd /opt
wget http://downloads.sourceforge.net/project/mastiff/mastiff/0.5.0/mastiff-0.5.0.tar.gz
tar -xvzf mastiff-0.5.0.tar.gz
rm mastiff-0.5.0.tar.gz
mv mastiff-0.5.0/ mastiff
cd /opt/mastiff
sudo make install
Now that MASTIFF is installed we will want to ensure that the config file is created and edited properly. Read through the config file, as you will want to add the appropriate VirusTotal API key. Also, if you installed the dependencies to different locations, now is the time to correct those paths.
sudo mkdir -p /etc/mastiff
cd /etc/mastiff
cat > /opt/mastiff/mastiff.conf.TEST <<EOF
# This is the configuration file for mastiff.
#
# Comments are preceded by a # or ;
#
[Dir]
# log_dir is the base directory where the logs generated will
# be placed in.
#log_dir = /usr/local/mastiff/log
log_dir = ./work/log
# plugin_dir is a list of directories plugins may be present in.
# should be comma-separated.
plugin_dir = ./plugins, /etc/mastiff
[Misc]
# verbose = [on|off]
verbose = off
[Sqlite]
# Sqlite database options
# db_file = Name of the database file
db_file = mastiff.db
[File ID]
# trid is the location of the TrID binary
# trid_db is the location of the TrID database
#trid = /usr/local/bin/trid
trid = /opt/trid/trid
#trid_db = /usr/local/etc/triddefs.trd
trid_db = /opt/trid/triddefs.trd
[Embedded Strings Plugin]
# Options for the Embedded Strings Plugin.
# strcmd is the path to the strings command
strcmd = /usr/bin/strings
[VirusTotal]
# Options for the VirusTotal Submission Plug-in.
# api_key is your API key from virustotal.com
#   - Leave this empty if you wish to disable this plug-in
api_key = GET_YOUR_OWN
# submit [on|off] - submit binary to VirusTotal
submit = off
[pdfid]
# Options to run Didier Stevens pdfid.py script
# pdfid_cmd = Path to the pdfid.py script
#   - Leave blank if you want the script disabled.
# pdfid_opts = Options for program.
#   - Do not put multiple options in quotes.
# Note: pdfid.py has bugs that may cause errors when examining
#       malformed PDFs when using the -e option.
pdfid_cmd = /opt/pdftools/pdfid.py
#pdfid_opts = -e
pdfid_opts =
[pdf-parser]
# Options to run Didier Stevens pdf-parser.py script
# pdf_cmd = Path to pdf-parser.py.
pdf_cmd = /opt/pdftools/pdf-parser.py
[PDF Metadata]
# Options for PDF Metadata script
# exiftool = path to exitfool
exiftool = /opt/exiftool/exiftool
[yara]
# Options for the Yara signature plug-in
# yara_sigs = Base path to Yara signatures. This path will be recursed
#             to find additional signatures.
#             Leave blank to disable the plug-in.
yara_sigs = /opt/yara
[Digital Signatures]
# Options to extract the digital signatures
#
# disitool - path to disitool.py script.
# openssl - path to openssl binary
disitool = /opt/disitool/disitool.py
openssl = /usr/bin/openssl
[Office Metadata]
# Options for Office Metadata script
# exiftool = path to exitfool
exiftool = /opt/exiftool/exiftool
[Single-Byte Strings]
# options for single-byte string extraction plug-in
# length - Minimum length to extract
length = 3
# raw - print raw characters instead of formatted ones (e.g. \\n vs. \n)
raw = False
[ZipExtract]
# options for Zip archive file extraction plug-in
# enabled: [on|off] - Extract files or not
# password: Password to use for zip file. OK to leave blank.
enabled = on
password = infected
[Office pyOLEScanner]
# olecmd = Path to pyOLEScanner.py
olecmd=/opt/pyOLEScanner/pyOLEScanner.py
EOF
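Before running the test files it is worth confirming that every path in the config actually resolves, since a wrong path only surfaces later as a plug-in error. The following is an added example, not part of MASTIFF: it parses the same INI format as the config above and reports path-valued options that are missing or not executable. The sample config, the FAKE_FS stand-in and the paths in it are constructed for the demonstration.

```python
"""Sanity-check the tool paths in a mastiff.conf before the first run.

Added example, not part of MASTIFF. It reads the INI format of the config
above and reports every path-valued option that does not point at what
MASTIFF expects (an executable, a file or a directory), the class of
mistake behind errors such as
"/opt/yara-1.6/yara is not a directory or does not exist".
"""
import configparser
import os

# Constructed mini config in the format of the mastiff.conf above.  The
# yara_sigs and olecmd values are deliberately wrong to show the checks fire.
SAMPLE_CONF = """
[Dir]
log_dir = ./work/log
plugin_dir = ./plugins, /etc/mastiff
[File ID]
trid = /opt/trid/trid
trid_db = /opt/trid/triddefs.trd
[yara]
yara_sigs = /opt/yara-1.6/yara
[VirusTotal]
api_key = GET_YOUR_OWN
submit = off
[Office pyOLEScanner]
olecmd=/opt/pyOLEScanner/pyOLEScanner.py
"""

# Which kind of filesystem object each path-valued option must name.
# MASTIFF shells out to the EXEC_KEYS, so they need the execute bit set.
EXEC_KEYS = {"trid", "strcmd", "pdfid_cmd", "pdf_cmd", "exiftool",
             "disitool", "openssl", "olecmd"}
# log_dir is left out here: it is assumed to be created on the first run.
DIR_KEYS = {"plugin_dir", "yara_sigs"}
FILE_KEYS = {"trid_db"}

# Constructed stand-in filesystem so the example runs offline (path -> kind).
# pyOLEScanner.py is present but was never chmod +x'ed.
FAKE_FS = {
    "/opt/mastiff/plugins": "dir",
    "/etc/mastiff": "dir",
    "/opt/trid/trid": "exec",
    "/opt/trid/triddefs.trd": "file",
    "/opt/pyOLEScanner/pyOLEScanner.py": "file",
}


def _kind(path, fs):
    """Classify path as 'dir', 'exec', 'file' or None (missing)."""
    if fs is not None:
        return fs.get(path)
    if os.path.isdir(path):
        return "dir"
    if os.path.isfile(path):
        return "exec" if os.access(path, os.X_OK) else "file"
    return None


def _looks_like_path(value):
    return value.startswith(("/", "./", "../"))


def check_config(conf_text, base_dir=".", fs=None):
    """Return [(section, key, resolved_path, problem), ...] for bad paths.

    Relative paths such as ./plugins are resolved against base_dir, the
    directory mas.py is run from, which is how the default config is written.
    fs=None checks the real filesystem; a dict like FAKE_FS checks a fake one.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        for key, raw in parser.items(section):
            # plugin_dir is comma-separated; the other keys are single values.
            for value in (v.strip() for v in raw.split(",")):
                if not _looks_like_path(value):
                    continue  # api_key, submit, length ... are not paths
                path = os.path.normpath(os.path.join(base_dir, value))
                kind = _kind(path, fs)
                if key in DIR_KEYS and kind != "dir":
                    problems.append((section, key, path, "missing directory"))
                elif key in EXEC_KEYS and kind != "exec":
                    problems.append((section, key, path, "not an executable file"))
                elif key in FILE_KEYS and kind not in ("file", "exec"):
                    problems.append((section, key, path, "missing file"))
    return problems


if __name__ == "__main__":
    # Run against the constructed config and fake filesystem; for a real check
    # pass open("/opt/mastiff/mastiff.conf").read() and fs=None instead.
    for section, key, path, problem in check_config(SAMPLE_CONF, "/opt/mastiff", FAKE_FS):
        print("[%s] %s = %s: %s" % (section, key, path, problem))
```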
Now testing MASTIFF out is as simple as:
cd /opt/mastiff
zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.exe
[2013-03-10 15:11:47,324] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.exe
[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.exe.
[2013-03-10 15:11:47,326] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/c69ffb3057b2077fcaecc99b9f16c7c8
[2013-03-10 15:11:47,417] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'EXE']
[2013-03-10 15:11:47,506] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'EXE'].
[2013-03-10 15:11:47,507] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-03-10 15:11:47,521] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-03-10 15:11:47,602] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-03-10 15:11:47,681] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.
[2013-03-10 15:11:48,717] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-03-10 15:11:48,722] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-03-10 15:11:48,774] [INFO] [Mastiff.Plugins.Single-Byte Strings] : Starting execution.
[2013-03-10 15:11:48,813] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-03-10 15:11:48,926] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-03-10 15:11:48,975] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-03-10 15:11:48,976] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.exe.
zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.pdf
[2013-03-10 15:12:36,299] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.pdf
[2013-03-10 15:12:36,299] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.pdf.
[2013-03-10 15:12:36,300] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/3f53a4bf0097f9075ff641b03bb176f5
[2013-03-10 15:12:36,381] [INFO] [Mastiff.DB.Insert] : Adding ['PDF', 'Generic']
[2013-03-10 15:12:36,468] [INFO] [Mastiff.Analysis] : File categories are ['PDF', 'Generic'].
[2013-03-10 15:12:36,469] [INFO] [Mastiff.Plugins.pdf-parser] : Starting execution.
[2013-03-10 15:12:36,470] [INFO] [Mastiff.Plugins.pdf-parser.uncompress] : Uncompressing PDF.
[2013-03-10 15:12:36,563] [INFO] [Mastiff.Plugins.pdf-parser.get_objects] : Extracting interesting objects.
[2013-03-10 15:12:37,532] [INFO] [Mastiff.Plugins.PDF Metadata] : Starting execution.
[2013-03-10 15:12:37,643] [INFO] [Mastiff.Plugins.pdfid] : Starting execution.
[2013-03-10 15:12:37,729] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-03-10 15:12:37,741] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-03-10 15:12:37,819] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-03-10 15:12:37,820] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-03-10 15:12:37,909] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-03-10 15:12:37,910] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.
[2013-03-10 15:12:38,386] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-03-10 15:12:38,392] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.pdf.
zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.doc
[2013-03-10 15:12:53,882] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.doc
[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.doc.
[2013-03-10 15:12:53,883] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/759f7e53f54df03f2ae06fcec25e8ac3
[2013-03-10 15:12:53,973] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'Office', 'ZIP']
[2013-03-10 15:12:54,076] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'Office', 'ZIP'].
[2013-03-10 15:12:54,078] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-03-10 15:12:54,088] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-03-10 15:12:54,167] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-03-10 15:12:54,234] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-03-10 15:12:55,239] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-03-10 15:12:55,244] [INFO] [Mastiff.Plugins.Office pyOLEScanner] : Starting execution.
[2013-03-10 15:12:57,497] [INFO] [Mastiff.Plugins.Office Metadata] : Starting execution.
[2013-03-10 15:12:57,681] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.
[2013-03-10 15:12:57,682] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.
[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.
[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting [Content_Types].xml.
[2013-03-10 15:12:57,683] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting _rels/.rels.
[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/themeManager.xml.
[2013-03-10 15:12:57,684] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/theme1.xml.
[2013-03-10 15:12:57,685] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting theme/theme/_rels/themeManager.xml.rels.
[2013-03-10 15:12:57,685] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.doc.
zwned@malwr:/opt/mastiff$ python mas.py /opt/mastiff/tests/test.zip
[2013-03-10 15:13:22,856] [INFO] [Mastiff] : Starting analysis on /opt/mastiff/tests/test.zip
[2013-03-10 15:13:22,870] [INFO] [Mastiff.Init_File] : Analyzing /opt/mastiff/tests/test.zip.
[2013-03-10 15:13:22,871] [INFO] [Mastiff.Init_File] : Log Directory: ./work/log/033d488bbe65e8aececb2c55bdfbc2fd
[2013-03-10 15:13:23,035] [INFO] [Mastiff.DB.Insert] : Adding ['Generic', 'ZIP']
[2013-03-10 15:13:23,106] [INFO] [Mastiff.Analysis] : File categories are ['Generic', 'ZIP'].
[2013-03-10 15:13:23,107] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-03-10 15:13:23,115] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-03-10 15:13:23,178] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-03-10 15:13:23,238] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.VirusTotal.submit] : Submission disabled. Not sending file.
[2013-03-10 15:13:23,440] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-03-10 15:13:23,445] [INFO] [Mastiff.Plugins.ZipInfo] : Starting execution.
[2013-03-10 15:13:23,446] [INFO] [Mastiff.Plugins.ZipExtract] : Starting execution.
[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Password "infected" will be used for this zip.
[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.bin.
[2013-03-10 15:13:23,447] [INFO] [Mastiff.Plugins.ZipExtract] : Extracting test.txt.
[2013-03-10 15:13:23,448] [INFO] [Mastiff.Analysis] : Finished analysis for /opt/mastiff/tests/test.zip.
If you did not receive any errors or warnings you should be good to go. Now that MASTIFF is up and running we can download MASTIFF2HTML from GitHub.
wget https://raw.github.com/1aN0rmus/TekDefense/master/MASTIFF2HTML.py
chmod +x MASTIFF2HTML.py
python MASTIFF2HTML.py -f /opt/mastiff/work/log/ -d mastiff.db
cd /opt/mastiff/work/log/www/
python -m SimpleHTTPServer
Now if you browse to 127.0.0.1:8000/mastiff.html you should see the results of your analysis.
If you run into any issues... please leave a comment so we can address / update as necessary.
Cheers
Friday, Mar 01 2013

MASTIFF2HTML Demo

I have been spending my nights this week working on a script that will generate a web front end for the results that MASTIFF produces. It has been a blast to create so far, but I would really like to hear from the community what suggestions they have for it.

You can download MASTIFF2HTML from GitHub.

Here is a video demo of what it looks like right now:

And some pics:

 

Friday, Feb 22 2013

Tektip ep23 - MASTIFF with a splash of Maltrieve

In this episode of TekTip we take a look at performing basic static analysis with MASTIFF. While that is the focus of this episode, I wanted to delve into Maltrieve first.

Maltrieve is a fork of MWCrawler, which you guys and gals may remember from a previous TekTip video. Maltrieve was created by Kyle Maxwell (@KyleMaxwell). While it has the same basic function as MWCrawler, downloading malware from various web resources, it works much faster and pulls from more reliable web resources. @KyleMaxwell is working to add Thug integration as well.

Once downloaded, you run Maltrieve without any options, as seen below:

tekmalinux@TekMALinux:/opt/maltrieve/maltrieve$ sudo python maltrieve.py 
2013-02-23 20:33:02 -1216783616 Using /tmp/malware as dump directory
2013-02-23 20:33:03 -1216783616 Parsing description Host: forummersedec.ru:8080/forum/links/column.php, IP address: 122.160.168.219, ASN: 24560, Country: IN, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: www.slayerlife.com/nbh/sends/ftc.php, IP address: 46.166.178.130, ASN: 57668, Country: GB, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: famagatra.ru:8080/forum/links/public_version.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: fzukungda.ru:8080/forum/links/column.php, IP address: 84.23.66.74, ASN: 35366, Country: DE, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: m1radio.mctorg.net/mirror.php?receipt_print=827_1226049211, IP address: 174.120.136.126, ASN: 21844, Country: US, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: emmmhhh.ru:8080/forum/links/column.php, IP address: 50.31.1.104, ASN: 32748, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: errriiiijjjj.ru:8080/forum/links/public_version.php, IP address: 195.210.47.208, ASN: 48716, Country: KZ, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: livrariaonline.net/mirror.php?receipt_print=827_1372781167, IP address: 186.202.136.206, ASN: 27715, Country: BR, Description: trojan inside zip file
2013-02-23 20:33:03 -1216783616 Parsing description Host: -, IP address: 65.75.185.235/1834c8d6e8cac3af02dc7863ba4e45f1/q.php, ASN: 36444, Country: US, Description: Blackhole exploit kit 2.0
2013-02-23 20:33:03 -1216783616 Parsing description Host: rabeachproperties.devideas.net/mirror.php?receipt_print=827_1473287257, IP address: 200.58.119.89, ASN: 27823, Country: AR, Description: trojan inside zip file
2013-02-23 20:33:03 -1221162176 Fetched URL http://forummersedec.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:03 -1231029440 Fetched URL http://www.slayerlife.com/nbh/sends/ftc.php from queue
2013-02-23 20:33:03 -1241515200 Fetched URL http://famagatra.ru:8080/forum/links/public_version.php from queue
2013-02-23 20:33:03 -1249907904 Fetched URL http://fzukungda.ru:8080/forum/links/column.php from queue
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: da1ac7b773f2b96e5d2a31549a347a63
2013-02-23 20:33:04 -1216783616 Parsing description URL: zsos6.webd.pl/a66PJ2P.exe, IP Address: 94.75.225.215, Country: NL, ASN: 16265, MD5: 421ae9afed094a1b2ee1977507175dfc
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&gt%2F;&&&&gt%2F;&&&&lt%2F;%2Fbr%2F&&&&lt, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: ddb8eec9f195d191f05c793ca8f23e4f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=http:%2Fdownload2.microapp.com%2Ftelechargement%2Feval%2F10001_eval.exetitle=compil&&&ampampampampampamp&&&ampampampampampampampamp&&&ampampa, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: cb932f33a7fa52e3e88bba3d5073d26f
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=hxxp:%2Fdownltbr%2Fgtload2.microapp.com%2Ftelechargement%2Feval%2F10275_eval.exeltbr%2Fgttitle=enigmes, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: a1fe3bca05487621dd876af0e8a31408
2013-02-23 20:33:04 -1216783616 Parsing description URL: www.un-jeu-par-jour.com/toolbar/telecharger.php?url=3dhttp:%&lt;br%2F&gt;2fdownlo, IP Address: 212.23.46.135, Country: GB, ASN: 8928, MD5: 7cd588413684f019d52a304f78a6538e


This will download the malware to the default directory /tmp/malware.

*Make sure this directory exists, or change the path in the Python script to match what you want.


So, with Maltrieve done and a bunch of samples downloaded it is time to see the power of MASTIFF.

MASTIFF is an automated framework for static analysis created by Tyler Hudak (@SecShoggoth) and was funded by DARPA's Cyber Fast Track program. Too bad Cyber Fast Track is going away; there are so many awesome projects coming out of it right now.

MASTIFF analyzes a file to determine its type (PDF, ZIP, PE32) and, based on that type, runs the appropriate static analysis tools against the sample. The output of the tools it runs is organized and packaged up, with some key information also making its way into a SQLite database.

Some of the benefits of this framework are:

  • Easily extensible: built very modular, so adding functionality is easy.
  • Consistent: when you have a team of analysts working on malware it is important that everyone speaks the same language. MASTIFF gives a consistent, standard approach to static analysis.
  • Quick: manual static analysis can take a long time. With MASTIFF I can run through hundreds of samples in minutes.
  • Documented: as a consequence of being a DARPA-funded program, the creator was forced to ensure that the framework was documented well. The documentation goes beyond the normal installation and usage, covering workflow and methodology.

I do not cover installation in the video as it would take too long and be very boring, but I will mention that installation is relatively easy. The only real pain is ensuring you have all of the third-party tools installed. The PDF inside the MASTIFF archive has great documentation to get you up and running. Once the dependencies and MASTIFF are installed, though, ensure that you modify the mastiff.conf file to reference the appropriate paths for where you installed the third-party tools.

Now that the config is good and MASTIFF is installed you are ready to start analyzing malware. Running mas.py without arguments shows the usage.

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ mas.py

Usage: mas.py [options] FILE

Options:
  -c CONFIG_FILE, --conf=CONFIG_FILE
                        Use an alternate config file. The default is
                        './mastiff.conf'.
  -h, --help            Show the help message and exit.
  -l PLUGIN_TYPE, --list=PLUGIN_TYPE
                        List all available plug-ins of the specified type and
                        exit. Type must be one of 'analysis' or 'cat'.
  -o OVERRIDE, --option=OVERRIDE
                        Override a config file option. Configuration options
                        should be specified as 'Section.Key=Value' and should
                        be quoted if any whitespace is present. Multiple
                        overrides can be specified by using multiple '-o'
                        options.
  -p PLUGIN_NAME, --plugin=PLUGIN_NAME
                        Only run the specified analysis plug-in. Name must be
                        quoted if it contains whitespace.
  -q, --quiet           Only log errors.
  -t FTYPE, --type=FTYPE
                        Force file to be analyzed with plug-ins from the
                        specified category (e.g., EXE, PDF, etc.). Run with
                        '-l cat' to list all available category plug-ins.
  -V, --verbose         Print verbose logs.
  -v, --version         Show program's version number and exit.

To run MASTIFF against a single file, simply run sudo mas.py filename:

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo mas.py /tmp/malware/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:40,945] [INFO] [Mastiff] : Starting analysis on /tmp/malware/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:40,954] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/86658467c74b39210de96111ee6f66d5.
[2013-02-23 21:47:40,955] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/86658467c74b39210de96111ee6f66d5
[2013-02-23 21:47:41,084] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 21:47:41,175] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 21:47:41,176] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 21:47:41,326] [INFO] [Mastiff.Plugins.Digital Signatures] : Signature extracted.
[2013-02-23 21:47:41,347] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 21:47:41,413] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 21:47:41,506] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 21:47:41,507] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 21:47:41,544] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 21:47:41,545] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 21:47:41,624] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 21:47:41,625] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 21:47:41,625] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 21:47:41,644] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 21:47:41,645] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 21:47:41,645] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/86658467c74b39210de96111ee6f66d5.

Navigate to the directory you have set as log_dir in mastiff.conf to see the results:

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ ls -l
total 424
-rw-r--r-- 1 root root 267312 Feb 23 21:47 86658467c74b39210de96111ee6f66d5.VIR
-rw-r--r-- 1 root root    137 Feb 23 21:47 fuzzy.txt
-rw-r--r-- 1 root root   3440 Feb 23 21:47 mastiff.log
-rw-r--r-- 1 root root   1024 Feb 23 21:47 mastiff-run.config
-rw-r--r-- 1 root root  42100 Feb 23 21:47 peinfo-full.txt
-rw-r--r-- 1 root root  13317 Feb 23 21:47 peinfo-quick.txt
drwxr-xr-x 2 root root   4096 Feb 23 21:47 resources
-rw-r--r-- 1 root root   1332 Feb 23 21:47 resources.txt
-rw-r--r-- 1 root root   7704 Feb 23 21:47 sig.der
-rw-r--r-- 1 root root  27152 Feb 23 21:47 sig.txt
-rw-r--r-- 1 root root  42606 Feb 23 21:47 strings.txt

Nice, it looks like we pulled certificate info, since sig.txt is there. To give you an example of the type of data you get, here is a cat of peinfo-quick.txt:

tekmalinux@TekMALinux:/work/log/86658467c74b39210de96111ee6f66d5$ cat peinfo-quick.txt
PE Header Information
Quick Info:
TimeDateStamp: Tue Aug 30 15:46:24 2011
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Number of Sections: 7
Section Name    Entropy  Flags
-----------------------------------------------------------------
.text           5.96     IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.data           1.1803   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rdata          5.309    IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.bss            0.0      IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.idata          5.2371   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.ndata          0.0      IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.rsrc           5.8707   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ

Parser Warnings:
File Information:
LegalCopyright      : (c) 2010 (2013-02-05 11:20)
ProductName         : 3d-world-map
FileVersion         : 2.2.0.0
FileDescription     : 3d-world-map
Translation         : 0x0000 0x04e4

Imports:
DLL                 API                           Address
----------------------------------------------------------------------
ADVAPI32.DLL         RegCloseKey                   0x428340
ADVAPI32.DLL         RegCreateKeyExA               0x428344
ADVAPI32.DLL         RegDeleteKeyA                 0x428348
ADVAPI32.DLL         RegDeleteValueA               0x42834c
ADVAPI32.DLL         RegEnumKeyA                   0x428350
ADVAPI32.DLL         RegEnumValueA                 0x428354
ADVAPI32.DLL         RegOpenKeyExA                 0x428358
ADVAPI32.DLL         RegQueryValueExA              0x42835c
ADVAPI32.DLL         RegSetValueExA                0x428360
COMCTL32.DLL         ImageList_AddMasked           0x428368
COMCTL32.DLL         ImageList_Create              0x42836c
COMCTL32.DLL         ImageList_Destroy             0x428370
COMCTL32.DLL         InitCommonControls            0x428374
GDI32.dll            CreateBrushIndirect           0x42837c
GDI32.dll            CreateFontIndirectA           0x428380
GDI32.dll            DeleteObject                  0x428384
GDI32.dll            GetDeviceCaps                 0x428388
GDI32.dll            SelectObject                  0x42838c
GDI32.dll            SetBkColor                    0x428390
GDI32.dll            SetBkMode                     0x428394
GDI32.dll            SetTextColor                  0x428398
KERNEL32.dll         CloseHandle                   0x4283a0
KERNEL32.dll         CompareFileTime               0x4283a4
KERNEL32.dll         CopyFileA                     0x4283a8
KERNEL32.dll         CreateDirectoryA              0x4283ac
KERNEL32.dll         CreateFileA                   0x4283b0
KERNEL32.dll         CreateProcessA                0x4283b4
KERNEL32.dll         CreateThread                  0x4283b8
KERNEL32.dll         DeleteFileA                   0x4283bc
KERNEL32.dll         ExitProcess                   0x4283c0
KERNEL32.dll         ExpandEnvironmentStringsA     0x4283c4
KERNEL32.dll         FindClose                     0x4283c8
KERNEL32.dll         FindFirstFileA                0x4283cc
KERNEL32.dll         FindNextFileA                 0x4283d0
KERNEL32.dll         FreeLibrary                   0x4283d4
KERNEL32.dll         GetCommandLineA               0x4283d8
KERNEL32.dll         GetCurrentProcess             0x4283dc
KERNEL32.dll         GetDiskFreeSpaceA             0x4283e0
KERNEL32.dll         GetExitCodeProcess            0x4283e4
KERNEL32.dll         GetFileAttributesA            0x4283e8
KERNEL32.dll         GetFileSize                   0x4283ec
KERNEL32.dll         GetFullPathNameA              0x4283f0
KERNEL32.dll         GetLastError                  0x4283f4
KERNEL32.dll         GetModuleFileNameA            0x4283f8
KERNEL32.dll         GetModuleHandleA              0x4283fc
KERNEL32.dll         GetPrivateProfileStringA      0x428400
KERNEL32.dll         GetProcAddress                0x428404
KERNEL32.dll         GetShortPathNameA             0x428408
KERNEL32.dll         GetSystemDirectoryA           0x42840c
KERNEL32.dll         GetTempFileNameA              0x428410
KERNEL32.dll         GetTempPathA                  0x428414
KERNEL32.dll         GetTickCount                  0x428418
KERNEL32.dll         GetVersion                    0x42841c
KERNEL32.dll         GetWindowsDirectoryA          0x428420
KERNEL32.dll         GlobalAlloc                   0x428424
KERNEL32.dll         GlobalFree                    0x428428
KERNEL32.dll         GlobalLock                    0x42842c
KERNEL32.dll         GlobalUnlock                  0x428430
KERNEL32.dll         LoadLibraryA                  0x428434
KERNEL32.dll         LoadLibraryExA                0x428438
KERNEL32.dll         MoveFileA                     0x42843c
KERNEL32.dll         MulDiv                        0x428440
KERNEL32.dll         MultiByteToWideChar           0x428444
KERNEL32.dll         ReadFile                      0x428448
KERNEL32.dll         RemoveDirectoryA              0x42844c
KERNEL32.dll         SearchPathA                   0x428450
KERNEL32.dll         SetCurrentDirectoryA          0x428454
KERNEL32.dll         SetErrorMode                  0x428458
KERNEL32.dll         SetFileAttributesA            0x42845c
KERNEL32.dll         SetFilePointer                0x428460
KERNEL32.dll         SetFileTime                   0x428464
KERNEL32.dll         Sleep                         0x428468
KERNEL32.dll         WaitForSingleObject           0x42846c
KERNEL32.dll         WriteFile                     0x428470
KERNEL32.dll         WritePrivateProfileStringA    0x428474
KERNEL32.dll         lstrcatA                      0x428478
KERNEL32.dll         lstrcmpA                      0x42847c
KERNEL32.dll         lstrcmpiA                     0x428480
KERNEL32.dll         lstrcpynA                     0x428484
KERNEL32.dll         lstrlenA                      0x428488
OLE32.dll            CoCreateInstance              0x428490
OLE32.dll            CoTaskMemFree                 0x428494
OLE32.dll            OleInitialize                 0x428498
OLE32.dll            OleUninitialize               0x42849c
SHELL32.DLL          SHBrowseForFolderA            0x4284a4
SHELL32.DLL          SHFileOperationA              0x4284a8
SHELL32.DLL          SHGetFileInfoA                0x4284ac
SHELL32.DLL          SHGetPathFromIDListA          0x4284b0
SHELL32.DLL          SHGetSpecialFolderLocation    0x4284b4
SHELL32.DLL          ShellExecuteA                 0x4284b8
USER32.dll           AppendMenuA                   0x4284c0
USER32.dll           BeginPaint                    0x4284c4
USER32.dll           CallWindowProcA               0x4284c8
USER32.dll           CharNextA                     0x4284cc
USER32.dll           CharPrevA                     0x4284d0
USER32.dll           CheckDlgButton                0x4284d4
USER32.dll           CloseClipboard                0x4284d8
USER32.dll           CreateDialogParamA            0x4284dc
USER32.dll           CreatePopupMenu               0x4284e0
USER32.dll           CreateWindowExA               0x4284e4
USER32.dll           DefWindowProcA                0x4284e8
USER32.dll           DestroyWindow                 0x4284ec
USER32.dll           DialogBoxParamA               0x4284f0
USER32.dll           DispatchMessageA              0x4284f4
USER32.dll           DrawTextA                     0x4284f8
USER32.dll           EmptyClipboard                0x4284fc
USER32.dll           EnableMenuItem                0x428500
USER32.dll           EnableWindow                  0x428504
USER32.dll           EndDialog                     0x428508
USER32.dll           EndPaint                      0x42850c
USER32.dll           ExitWindowsEx                 0x428510
USER32.dll           FillRect                      0x428514
USER32.dll           FindWindowExA                 0x428518
USER32.dll           GetClassInfoA                 0x42851c
USER32.dll           GetClientRect                 0x428520
USER32.dll           GetDC                         0x428524
USER32.dll           GetDlgItem                    0x428528
USER32.dll           GetDlgItemTextA               0x42852c
USER32.dll           GetMessagePos                 0x428530
USER32.dll           GetSysColor                   0x428534
USER32.dll           GetSystemMenu                 0x428538
USER32.dll           GetSystemMetrics              0x42853c
USER32.dll           GetWindowLongA                0x428540
USER32.dll           GetWindowRect                 0x428544
USER32.dll           InvalidateRect                0x428548
USER32.dll           IsWindow                      0x42854c
USER32.dll           IsWindowEnabled               0x428550
USER32.dll           IsWindowVisible               0x428554
USER32.dll           LoadBitmapA                   0x428558
USER32.dll           LoadCursorA                   0x42855c
USER32.dll           LoadImageA                    0x428560
USER32.dll           MessageBoxIndirectA           0x428564
USER32.dll           OpenClipboard                 0x428568
USER32.dll           PeekMessageA                  0x42856c
USER32.dll           PostQuitMessage               0x428570
USER32.dll           RegisterClassA                0x428574
USER32.dll           ScreenToClient                0x428578
USER32.dll           SendMessageA                  0x42857c
USER32.dll           SendMessageTimeoutA           0x428580
USER32.dll           SetClassLongA                 0x428584
USER32.dll           SetClipboardData              0x428588
USER32.dll           SetCursor                     0x42858c
USER32.dll           SetDlgItemTextA               0x428590
USER32.dll           SetForegroundWindow           0x428594
USER32.dll           SetTimer                      0x428598
USER32.dll           SetWindowLongA                0x42859c
USER32.dll           SetWindowPos                  0x4285a0
USER32.dll           SetWindowTextA                0x4285a4
USER32.dll           ShowWindow                    0x4285a8
USER32.dll           SystemParametersInfoA         0x4285ac
USER32.dll           TrackPopupMenu                0x4285b0
USER32.dll           wsprintfA                     0x4285b4
VERSION.dll          GetFileVersionInfoA           0x4285bc
VERSION.dll          GetFileVersionInfoSizeA       0x4285c0
VERSION.dll          VerQueryValueA                0x4285c4
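The report above is plain text, which is fine for one sample but awkward once you have a directory full of them. As an added example (not part of MASTIFF or of this post), here is a small parser for the peinfo-quick.txt layout shown above plus a triage pass over what it extracts. The embedded input is an excerpt of that listing (three of the seven sections, with the alignment flags trimmed from the .data and .rsrc rows, and six of the imports); the 7.0 entropy threshold and the groups of watched APIs are my own choices, and the parser assumes MASTIFF keeps this column layout.

```python
import re
from collections import Counter

# Excerpt of the peinfo-quick.txt listing above (the .text row keeps its full
# flag list; the other two rows and the import table are trimmed for length).
PEINFO_QUICK = """\
PE Header Information
Quick Info:
TimeDateStamp: Tue Aug 30 15:46:24 2011
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Number of Sections: 7
Section Name    Entropy  Flags
-----------------------------------------------------------------
.text           5.96     IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_CNT_CODE, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_MEM_READ
.data           1.1803   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc           5.8707   IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Parser Warnings:
File Information:
ProductName         : 3d-world-map
FileVersion         : 2.2.0.0
Translation         : 0x0000 0x04e4

Imports:
DLL                 API                           Address
----------------------------------------------------------------------
ADVAPI32.DLL         RegCreateKeyExA               0x428344
ADVAPI32.DLL         RegSetValueExA                 0x428360
KERNEL32.dll         CreateProcessA                 0x4283b4
KERNEL32.dll         WriteFile                      0x428470
SHELL32.DLL         ShellExecuteA                 0x4284b8
USER32.dll           ExitWindowsEx                 0x428510
"""

SECTION_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+)?)\s+(IMAGE_SCN_\S.*)$")
IMPORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(0x[0-9a-fA-F]+)$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")


def parse_peinfo_quick(text):
    """Turn the report into dicts/lists keyed by the report's own headings."""
    parsed = {"quick": {}, "sections": [], "file_info": {}, "imports": []}
    state = "quick"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line == "PE Header Information":
            continue
        if line.startswith("Section Name"):      # section table header
            state = "sections"
            continue
        if line == "File Information:":
            state = "file_info"
            continue
        if line == "Imports:":
            state = "imports"
            continue
        if line.endswith(":"):                    # "Quick Info:", "Parser Warnings:"
            state = "quick" if line == "Quick Info:" else "other"
            continue
        if state == "sections":
            m = SECTION_RE.match(line)
            if m:
                name, entropy, flags = m.groups()
                parsed["sections"].append({
                    "name": name,
                    "entropy": float(entropy),
                    "flags": {f.strip() for f in flags.split(",")},
                })
        elif state == "imports":
            m = IMPORT_RE.match(line)             # the "DLL API Address" header has no 0x address
            if m:
                dll, api, addr = m.groups()
                parsed["imports"].append({"dll": dll, "api": api, "address": int(addr, 16)})
        elif state in ("quick", "file_info"):
            m = KV_RE.match(line)
            if m:
                parsed[state][m.group(1).strip()] = m.group(2).strip()
    return parsed


def meaningful_flags(flags):
    """IMAGE_SCN_ALIGN_* is a 4-bit field (mask 0x00F00000), so a bit-by-bit
    flag dump names most alignment values for every section. Drop them and keep
    the CNT_*/MEM_* flags that say what the section holds and may do."""
    return {f for f in flags if not f.startswith("IMAGE_SCN_ALIGN_")}


# Import families a reviewer looks at first (all of these appear in the listing above).
WATCHED_APIS = {
    "registry modification": {"RegCreateKeyExA", "RegSetValueExA", "RegDeleteKeyA", "RegDeleteValueA"},
    "process/program launch": {"CreateProcessA", "ShellExecuteA"},
    "shutdown or reboot": {"ExitWindowsEx"},
}


def triage(parsed, entropy_threshold=7.0):
    """Summarise the section and import facts worth a second look."""
    findings = []
    for s in parsed["sections"]:
        flags = meaningful_flags(s["flags"])
        if s["entropy"] >= entropy_threshold:
            findings.append("%s: entropy %.2f, possibly packed or encrypted" % (s["name"], s["entropy"]))
        if {"IMAGE_SCN_MEM_WRITE", "IMAGE_SCN_MEM_EXECUTE"} <= flags:
            findings.append("%s: writable and executable" % s["name"])
    apis = {i["api"] for i in parsed["imports"]}
    capabilities = {cat: sorted(apis & names) for cat, names in WATCHED_APIS.items() if apis & names}
    return {
        "findings": findings,
        "imports_per_dll": dict(Counter(i["dll"].lower() for i in parsed["imports"])),
        "capabilities": capabilities,
    }


if __name__ == "__main__":
    report = triage(parse_peinfo_quick(PEINFO_QUICK))
    for key, value in sorted(report.items()):
        print("%s: %s" % (key, value))
```

Against the excerpt nothing trips the entropy check (the highest section is .text at 5.96), no section is both writable and executable, and the capability summary comes straight from the import table: registry writes, process launch and ExitWindowsEx, which fits an installer such as the 3d-world-map package the version block names. Lowering the threshold (say to 5.0) flags .text and .rsrc, which is why the threshold is a parameter and not a constant.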

MASTIFF does not currently have a native method to scan multiple files at once. While that is on the horizon for the project, it is not a problem for us, as we can just script out a quick program to do it. Of course you can always use mine.

#!/usr/bin/python

import os

# MASTIFF Autorun
# @TekDefense
# www.TekDefense.com
# Quick script to autorun samples from maltrieve to MASTIFF

malwarePath = '/tmp/malware/'

for r, d, f in os.walk(malwarePath):
    for files in f:
        # join with the directory os.walk is currently in, so samples in
        # subdirectories get the right path too
        malware = os.path.join(r, files)
        print(malware)
        # mas.py is expected in the same directory as this script
        os.system('mas.py' + ' ' + malware)

Simply change the directory in the script to point to where you have the samples and run the python program. Also be sure to keep this script in the same directory as mas.py.
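One thing to keep in mind with the script above: os.system hands the whole string to a shell, so a sample whose file name contains shell metacharacters (maltrieve names files by hash, but a sample you copied in by hand might not be) becomes part of the command. Here is an added example of the same batch idea written with subprocess and an argv list; it is not code from this post or from the MASTIFF project, and it assumes mas.py takes the sample path as its single argument (as in the post) and sits next to the script. The runner is injectable so the walk and command construction can be exercised without MASTIFF installed.

```python
"""Run mas.py over every file under a directory, one process per sample,
without passing the file name through a shell."""
import os
import subprocess
import sys


def find_samples(root):
    """Every regular file under root (recursing), sorted so runs are repeatable.
    Symlinks are skipped so a planted link cannot point the analysis at a file
    outside the sample directory."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                found.append(path)
    return sorted(found)


def build_command(mas_py, sample, python=sys.executable):
    """argv for one analysis run. Because this is a list and not a string, a
    sample called 'a;rm -rf ~' is simply a file name to mas.py."""
    return [python, mas_py, sample]


def run_all(root, mas_py, runner=subprocess.call):
    """Analyse each sample and return {sample_path: exit status}. A sample whose
    analysis cannot start is recorded as None and the batch carries on."""
    results = {}
    for sample in find_samples(root):
        print("analysing %s" % sample)
        try:
            results[sample] = runner(build_command(mas_py, sample))
        except OSError as exc:          # mas.py or the interpreter is missing
            print("  could not start analysis: %s" % exc)
            results[sample] = None
    return results


if __name__ == "__main__":
    # Sample directory from argv[1], defaulting to the path used in the post.
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp/malware/"
    mas_py = os.path.join(os.path.dirname(os.path.abspath(__file__)), "mas.py")
    status = run_all(root, mas_py)
    failed = sorted(s for s, rc in status.items() if rc != 0)
    for s in failed:
        print("FAILED: %s (status %s)" % (s, status[s]))
    sys.exit(1 if failed else 0)
```

Because mas.py is located relative to the script file rather than the current directory, the script can be launched from anywhere (the post runs it from the MASTIFF directory), and the non-zero exit status at the end lets a cron job or a maltrieve post-processing step notice that some samples were not analysed.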

tekmalinux@TekMALinux:/opt/mastiff/mastiff-0.5.0$ sudo python autoRunMas.py
/tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,296] [INFO] [Mastiff] : Starting analysis on /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,318] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
[2013-02-23 22:00:55,326] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/dd1f966ee8f22e6a45a90bb112454e2e
[2013-02-23 22:00:55,494] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:55,518] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:55,519] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:55,636] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:55,682] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:55,838] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:55,839] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:55,874] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:55,875] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:55,995] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:55,996] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:55,996] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,010] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,011] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,011] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/dd1f966ee8f22e6a45a90bb112454e2e.
/tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,257] [INFO] [Mastiff] : Starting analysis on /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,259] [INFO] [Mastiff.Init_File] : Analyzing /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
[2013-02-23 22:00:56,268] [INFO] [Mastiff.Init_File] : Log Directory: /work/log/ba91f309a81c1f6f1d7dcc5cb5094328
[2013-02-23 22:00:56,375] [INFO] [Mastiff.DB.Insert] : Adding ['EXE', 'Generic']
[2013-02-23 22:00:56,408] [INFO] [Mastiff.Analysis] : File categories are ['EXE', 'Generic'].
[2013-02-23 22:00:56,409] [INFO] [Mastiff.Plugins.Digital Signatures] : Starting execution.
[2013-02-23 22:00:56,471] [INFO] [Mastiff.Plugins.Digital Signatures] : No signature on the file.
[2013-02-23 22:00:56,472] [INFO] [Mastiff.Plugins.Resources] : Starting execution.
[2013-02-23 22:00:56,546] [INFO] [Mastiff.Plugins.PE Info] : Starting execution.
[2013-02-23 22:00:56,596] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Starting execution.
[2013-02-23 22:00:56,600] [INFO] [Mastiff.Plugins.Fuzzy Hashing] : Generating fuzzy hash.
[2013-02-23 22:00:56,614] [INFO] [Mastiff.Plugins.Fuzzy Hashing.compare] : Comparing fuzzy hashes.
[2013-02-23 22:00:56,615] [INFO] [Mastiff.Plugins.Embedded Strings Plugin] : Starting execution.
[2013-02-23 22:00:56,673] [INFO] [Mastiff.Plugins.VirusTotal] : Starting execution.
[2013-02-23 22:00:56,674] [ERROR] [Mastiff.Plugins.VirusTotal] : No VirusTotal API Key - exiting.
[2013-02-23 22:00:56,675] [INFO] [Mastiff.Plugins.File Information] : Starting execution.
[2013-02-23 22:00:56,697] [INFO] [Mastiff.Plugins.yara] : Starting execution.
[2013-02-23 22:00:56,698] [ERROR] [Mastiff.Plugins.yara.get_sigs] : /opt/yara-1.6/yara is not a directory or does not exist.
[2013-02-23 22:00:56,698] [INFO] [Mastiff.Analysis] : Finished analysis for /tmp/malware/ba91f309a81c1f6f1d7dcc5cb5094328.
/tmp/malware/a544ffb08f6177f6382df6101f78bfdc

Now that you have performed analysis against a bunch of samples, you can go through the results by hand, or open up the SQLite database to pull some statistics.
As you can probably tell by now, I am really enjoying MASTIFF; in fact, I am looking for any excuse to run it daily. Last week I was given a perfect event to apply MASTIFF to, and that was Mandiant's report on APT1. VirusShare (@VXShare) was able to quickly compile a bunch of samples, which a lot of folks started playing around with. I decided to run 20 or so of the samples through MASTIFF. If you would like to download those results, you can get them in the download section.

I mentioned in the video that I was getting an error when running MASTIFF. I am not sure exactly what is generating the error yet, as I have checked that all the appropriate imports are in place. Once I figure it out I'll let you guys know what is going on. The error is below:

[2013-02-23 21:47:40,904] [ERROR] [yapsy] : Unable to import plugin: /opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/Yapsy-1.10.1_pythons2n3-py2.7.egg/yapsy/PluginManager.py", line 486, in loadPlugins
    candidate_module = imp.load_module(plugin_module_name,plugin_file,candidate_filepath+".py",("py","r",imp.PY_SOURCE))
  File "/opt/mastiff/mastiff-0.5.0/plugins/EXE/EXE-singlestring.py", line 52, in <module>
    from distorm3 import Decode, Decode32Bits
  File "/usr/local/lib/python2.7/dist-packages/distorm3-3-py2.7.egg/distorm3/__init__.py", line 47, in <module>
    raise ImportError("Error loading the diStorm dynamic library (or cannot load library into process).")
ImportError: Error loading the diStorm dynamic library (or cannot load library into process).

MASTIFF seems to be running fine even with the error though.

Look for MASTIFF to be in the next release of HoneyDrive.  Thanks @ikoniaris!