Social Icons

Showing posts with label Cuckoo. Show all posts
Showing posts with label Cuckoo. Show all posts

Tuesday, September 22, 2015

Volatility-Advanced Memory Forensics Framework : Installation@Ubuntu

1.   The Volatility Framework is a completely open collection of tools, implemented in Python for the extraction of digital artifacts from volatile memory (RAM) samples. Volatility is a memory forensics framework, to analyse ram memory dumps for Windows, Linux, and Mac. In order to analyse a operating system’s RAM memory in Volatility, you need to build the corresponding operating system’s profile.The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.Vide this post, I am sharing how to install volatility in Ubuntu 12.04 in a step wise manner.The post includes screen-shots and ready to shoot terminal commands for installing other dependent libraries.

Firstly : Installing Dependencies

sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Secondly : Installing PyCrypto

First download PyCRypto from https://ftp.dlitz.net/pub/dlitz/crypto/pycrypto/pycrypto-2.6.1.tar.gz

Go to ~/..../Downloads/

tar -zxvf pycrypto-2.6.1.tar.gz

cd pycrypto-2.6.1

python setup.py build

sudo python setup.py build install




Thirdly: Installing Distrom
Distrom ,a disassemble library for x86/AMD64 can be downloaded from https://github.com/gdabah/distorm

Goto downloads where the file is likely downloaded :

unzip distorm3.zip

cd distorm3/

python setup.py build

python setup.py build install

Fourthly: Installing Yara 

Volatility needs another important dependency known as Yara,that can be installed as follows:

wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

tar -zxvf yara-1.4.tar.gz

cd yara-1.4/

sudo ./configure

sudo make

sudo make install


Fifthly : Installing Yara-Python





Download the tar.gz from https://yara-project.googlecode.com/files/yara-python-1.4a.tar.gz

tar -zxvf yara-python-1.4a.tar.gz

cd yara-python-1.4a/

python setup.py build

python setup.py build install

sudo echo “/usr/local/lib” >> /etc/ld.so.conf

sudo ldconfig
Now through with the installation of dependencies,we go ahead to install Volatility after we download the tar ball from https://code.google.com/p/volatility/downloads/detail?name=volatility-2.3.1.tar.gz&can=2&q=


~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build install

The installation is complete now and you should get a similar screen as seen below on running the command python vol.py -h

Sunday, September 20, 2015

Online Malware Analysis Tools : Listed with links

1.   Typically analyzing malware requires a great deal of knowledge in computers and expects basic knowledge of terminal commands,configuring the tool correct and right usage of advanced tools. As seen in my last post about Cuckoo usage and configuration,it is actually complex and confusing at times,now what if one can use Cuckoo without doing anything like that..no installation,no configuration,no testing and bugging...one can directly use Cuckoo directly for a sample file analysis.As we realize the power online tools,its becomes actually easier for anyone to analyze a file’s behavior by simply uploading the file to the free on-line services for automated analysis and review the detailed and yet easy to understand report.This way not only the analyst gets a quick report and analysis but more importantly he gets a variety of reports which can be compared and analyzed further leading to expedited pace of understanding and clarity of the malware architecture and working.Here I list out my choices of best on-line file/malware analyzers that can be used for free with address and screenshots of sample usage....

ThreatExpert is an advanced automated threat analysis system designed to analyze and report the behavior of computer viruses, worms, trojans, adware, spyware, and other security-related risks in a fully automated mode.In only a few minutes ThreatExpert can process a sample and generate a highly detailed threat report with the level of technical detail that matches or exceeds antivirus industry standards such as those normally found in online virus encyclopedias. 


3.   Wepawet at http://wepawet.iseclab.org/

Wepawet is a free service, for non-commercial organizations, to detect and analyze web-based threats. It currently handles Flash, JavaScript, and PDF files.But the upload size of the file is limited to 2 Mb and below.

4.   IObit Cloud at http://cloud.iobit.com/

IObit Cloud is an advanced automated threat analysis system. It uses the latest Cloud Computing technology and Heuristic Analyzing mechanic to analyze the behavior of spyware, adware, trojans, keyloggers, bots, worms, hijackers and other security-related risks in a fully automated mode


5.   Comodo Instant Malware Analysis at http://camas.comodo.com/

Comodo Instant Malware Analysis is one of the easier to use and understand online sandbox service wherein no submission form is required nor an email address nor solving a CAPTCHA code. Simply browse the file that you want to analyze in Comodo sandbox, tick the box to agree with their terms and click the Upload file button. The file will then be analyzed in real time and the report page will continuously refresh by itself until the analysis has been completed.




6.     ViCheck at https://vicheck.ca/

Vicheck.ca is an advanced malware detection engine designed to decrypt and extract malicious executables from common document formats such as MS Office Word, Powerpoint, Excel, Access, or Adobe PDF documents. ViCheck will detect the majority of embedded executables in documents as well as common exploits which download malware from the internet.ViCheck is a free service designed to help the public detect new sophisticated malware which is often difficult to detect with common commercial anti-virus programs.


  7.   Anubis at https://anubis.iseclab.org/

Anubis is another popular online service to analyze unknown Windows executable files. Four report formats (HTML, XML, PDF and Text) are available to download once the analysis has been complete.



8.   GFI Threattrack at http://www.threattracksecurity.com/

GFI SandBox is meant for OEM or cloud providers and fortunately they’ve created a webpage that offers free analysis called ThreatTrack which uses their sandbox technology. ThreatTrack supports analyzing any Windows executable file, office documents, PDF files and even flash ads that is mostly not accepted by other online sandboxes.


 9.   Joe sandbox cloud at https://www.file-analyzer.net/

Joe Sandbox is the automated malware analysis system which implements any state of the art program analysis technology from coarse to fine grained including dynamic, static and hybrid. Joe Sandbox’s analysis spectrum enables to discover any behavior including hidden or obfuscated parts.


10.   EUREKA:An Automated Malware Binary Analysis Service at http://eureka.cyber-ta.org/

Eureka is a binary static analysis preparation framework. It implements a novel binary unpacking strategy based on statistical  bigram analysis and coarse-grained execution tracing. Eureka incorporates advanced API deobfuscation capabilities to facilitate the structural analysis of the underlying malware logic.


11.   XecScan   at http://scan.xecure-lab.com/

The Xecure Lab Scanner (XecScan) gives the security community and general public on-demand analysis of any suspicious document file where no installation or registration is required to enjoy the service. Though it’s free, XecScan is capable of finding advanced malware, zero-day, and targeted APT attacks embedded in common file formats.

12.    Malwr at https://malwr.com/submission/ [Based on Cuckoo]

Malwr is a free malware analysis service and community launched in January 2011. One can submit files to it and receive the results of a complete dynamic analysis back.Malwr is operated by volunteer security professionals with the exclusive intent to help the community. It's not associated or influenced by any commercial or government organization of any sort.Malwr is mainly based on an open source malware analysis tool called Cuckoo Sandbox as explained in my last post at http://anupriti.blogspot.in/2015/09/cuckoo-sandboxautomatic-malware.html



In fact as you google,you will find thousands of links and websites offering free online malware analysis but one has to be careful too while submitting any file to such sites.......so happy analyzing for now.....

Saturday, September 19, 2015

Cuckoo SandBox:Automatic Malware Analysis Tool

1.   Cuckoo Sandbox is a malware analysis system tool which allows you to throw any suspicious file at it and in a matter of seconds it will provide you back some detailed results outlining what such file did when executed inside an isolated environment.It is written 100% in Python, the architecture is very interesting and it is based on a virtualisation engine like Virtual box to maintain a “fresh” pc always at hand to run the malware called the client, inside this client it is run as an agent that is also written 100% in Python to monitor the different calls that the malware do to the dll’s, host that try to connect, etc.The connection between the Server and the client is done through an isolated network set up by virtual box, it is configured that way in order to avoid the propagation of the malware and to communicate effectively between the client and the server to send the analysis report, infected binaries, etc.This post ahead brings you a step by step screenshot to download and configure this excellent tool,will be good for beginners in cyber security/penetration testing to play with and see results immediately.Though from the looks of this post below,the procedure looks cumbersome and complex,but I have made attempts for a naive to understand and follow up screenshot wise,any queries still will be most welcome :

WHAT IT DOES PRECISELY?

2.   Cuckoo can produce the following types of results:

- Files being created, deleted, and downloaded by the malware during its execution
- Network traffic trace in PCAP format(as we get with wireshark and ethreal)
- Traces of win32 API calls spawned by the malware
- Memory dumps of the malware processes
- Screenshots of the Windows desktop as it happens during execution of the malware
- Full memory dumps of the machines

KINDS OF FILES FOR ANALYSIS

3.   The following kinds of files can be analysed and put for check in cuckoo :

- DLL files
- Windows executables ie .exe
- Microsoft Office docs
- URLs
- Typical PDF documents
- PHP scripts
- Anything actually!!!

More about Cuckoo at the video below and http://www.cuckoosandbox.org/

PRELIMS TO SETUP YOUR SYSTEM 

4.   Be ready with the following :

-  Linux OS as parent OS
- Virtual Box installed with Windows 7/Xp
- Adequate RAM around 4 GB in all with the parent machine.
- i3 processor and above will help u lessen wait and make u patient

5.   Python comes preinstalled with the Ubuntu Desktop,but we need some extra python libraries  as follows :

Pydeep
Sqlalchemy
Bson
DPKT
Yara
MAEC Python bindings
Jinja2
Magic
Chardet
Pymongo
tcpdump
mongodb
Volatility
Libvirt
Bottlepy
Django
Pefile

Step 1

Firstly we will install all the above mentioned libraries vide a single command.You need to slect the below text and paste as it is in the terminal

    | sudo apt-get install mongodb python-sqlalchemy python-bson python-dpkt python-jinja2 python-magic python-pymongo python-gridfs python-libvirt python-bottle python-pefile python-chardet tcpdump -y


Besides above,there are other python libraries that need PIP for installation.Pip is an alternative to Easy Install for installing Python packages and is largely recommended when used in virtual environments.

|   sudo apt-get install python-pip python-dev libxml2-dev libxslt-dev
|   sudo pip install django cybox 
|   sudo pip install MAEC

another important library tcpdump is required to be configured to allow Cuckoo to make use of it without requiring root.

|  sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump 

Two additional software Yara and Pydeep too need to be installed and the cuckoo documentation states these need to be installed separately, however Yara is provided in the Ubuntu universe repository. but before installing Pydeep , we need to install some dependencies with the following command line to install the following :

Build-essential
Git
Libpcre3
Libpcre3-dev
Libpcre++-dev

sudo apt-get install build-essential git libpcre3 libpcre3-dev libpcre++-dev

Cuckoo requires Yara 1.7 or higher and to install yara,run the following command

sudo apt-get install yara -y

Pydeep depends on ssdeep 2.8+ and ssdeep needs to be compiled from source and likewise for Pydeep. Before doing so, a few packages are needed. The following commands will work :

|   sudo apt-get install build-essential git python-dev -y
|   wget http://sourceforge.net/projects/ssdeep/files/ssdeep-2.12/ssdeep-2.12.tar.gz/download -O ssdeep.tar.gz

|   tar -xf ssdeep.tar.gz
|   cd ssdeep-2.12
|   ./configure
|   make
|   sudo make install
|   ssdeep -V

|   2.12(output for above)


We also need to install “git’:

sudo apt-get install git

Now cd to the directory Download, clone the pydeep project and install manually:

git clone https://github.com/kbandla/pydeep.git

cd pydeep

sudo python setup.py install

Install Yara

sudo apt-get install libtool automake

Then download yara form the git repository and install it:

cd && cd Downloads

wget https://github.com/plusvic/yara/archive/2.1.0.tar.gz

tar -xvzf 2.1.0.tar.gz

cd yara-2.1.0

chmod a+x build.sh

./build.sh

sudo make install

Now we need to install yara-python with the following commands:

cd yara-python

sudo python setup.py install

Volatility supports memory dumps from all major 32- and 64-bit Windows versions and service packs including XP, 2003 Server, Vista, Server 2008, Server 2008 R2, Seven, 8, 8.1, Server 2012, and 2012 R2 but in recent past now on supports Linux memory dumps in raw or LiME format and include 35+ plugins for analyzing 32- and 64-bit Linux kernels from 2.6.11 - 3.16 and distributions such as Debian, Ubuntu, OpenSuSE, Fedora, CentOS, and Mandrake.VOLATILITY is to be installed next,we need the following commands:

cd && cd Download

wget wget http://volatility.googlecode.com/files/volatility-2.3.1.zip

Once u download this, extract it and install it:

unzip volatility-2.3.1.zip

cd volatility-2.3.1

sudo python setup.py install

Installation time now for  Cuckoo

First we need to clone the git directory wherever we want to install Cuckoo, and we install it in /opt directory with the following commands:

cd /opt

sudo git clone https://github.com/cuckoobox/cuckoo.git

sudo chown -R user:usergroup cuckoo

Where user:usergroup is the user used to login to the ubuntu machine and the group is the group to which user belong

Now we shift our attention to configuring networks for Virtual Box and parent machine.So I assume you have installed Windows 7 in virtual box with Adobe,Microsoft Office and a Mozilla/Chrome browser.



 Configure as shown next below :






Vide the above,the two IP addresses I have configured to ping are :

Parent/Host OS : 192.168.56.1
Virtual Windows Machine : 192.168.56.101

Just ping from each IP to other,if they ping all is set now to work ahead.

and one important step that remains is to configure the conf files in the cuckoo configuration,Few important configuration files that we effect to work with are mentioned below with brief functionality:

cuckoo.conf : This configuration file contains information about the general behavior and analysis options in Cuckoo Sandbox.
machinemanager.conf : This file holds the information about your virtual
machine configuration: Depends on the name of virtualization that we used.
processing.conf : This file is used for enabling/configuring the processing of modules.
reporting.conf : This file contains information about reporting methodologies.

There are a few things required to be changed in the configuration files as follows:
[I used gedit to edit and make amends to these conf files]

/opt/cuckoo/conf/cuckoo.conf

[cuckoo]

memory_dump = on

[resultserver]

ip = [ip address of the vboxnet0 interface, to check it issue on terminal ifconfig vboxnet0, usually 192.168.56.1]

/opt/cuckoo/conf/virtualbox.conf

[cuckoo1]

label = [Name of the Windows guest virtual machine as configured on VirtualBox]

ip = [ip address configured i the windows guest]

snapshot = [the name of the snapshot taken with virtual box]

/opt/cuckoo/conf/memory.conf 

[basic]

delete_memdump = yes

/opt/cuckoo/conf/processing.conf 

[memory]

enabled = yes

[virustotal]

enabled = yes

key = [key of the virus total API, could be obtained registering in http://www.virustotal.com

/opt/cuckoo/conf/reporting.conf 

[maec40]

enabled = yes

[mongodb]

enabled = yes

Now we can run Cuckoo after all the hardwork :

run the command as shown below  and you should get the screen as below :

sudo python /opt/cuckoo/cuckoo.py



Now we need to do a submission of a file vide a script as shown below :

python /opt/cuckoo/utils/submit.py —package PACKAGE PATH_TO_FILE

or as I type for my screen shot command :

python /opt/cuckoo/utils/submit.py /home/cuckoo/Desktop/cuccccck/shared/malware.pdf


or there is a way for a web interface too :

cd /opt/cuckoo/utils and then run ./web.py as shown below :




Now you r ready to analyse with the Cuckoo installed....next post will focus on analyzing the files with Cuckoo...........
Powered By Blogger