Category: Malware

All about Malware!

Malware

VirusTotal Uploader for Debian

VirusTotal API

Dependencies
sudo apt-get install automake autoconf libtool libjansson-dev libcurl4-openssl-dev

Download
git clone https://github.com/VirusTotal/c-vtapi.git
cd c-vtapi

Compile
autoreconf -fi
./configure
make
sudo make install

Configure
sudo sh -c 'echo "/usr/local/lib" > /etc/ld.so.conf.d/usr-local-lib.conf'
sudo ldconfig
…

Malware, Malware Analysis

Extract patterns of interest from suspicious files

Balbuzard is a package of malware analysis tools written in Python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc.). It can also crack simple malware obfuscation such as XOR and ROL by brute-forcing the key and checking the result for those same patterns.

Balbuzard tools
balbuzard is a tool to extract patterns …

Malware, Reversing

Open source .NET deobfuscator and unpacker

de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to something close to the original assembly. Most of the obfuscation can be completely restored (e.g. string encryption), but symbol renaming is impossible to undo, since the original names aren’t (usually) part …

Malware, Reversing

Automatically extract obfuscated strings from malware

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are the strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility …

Malware, Malware Analysis

Analyze multi-byte xor cipher

A tool to do some XOR analysis:
guess the key length (based on the count of equal chars)
guess the key (based on knowledge of the most frequent char)

Download
https://github.com/hellman/xortool
git clone https://github.com/hellman/xortool.git

Usage
xortool [-h|--help] [OPTIONS] [filename]

Options:
-l,--key-length   length of the key (integer)
-c,--char         most probable char (one char or hex code)
…

Honeypot

Honeypot Linux distribution

HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients …

Honeypot

Targeted geolocation and tracking

HoneyBadger is a framework for targeted geolocation. It is used to identify the physical location of a web user by combining several geolocation techniques: the browser’s share-location feature, the visible WiFi networks, and the IP address. The associated Metasploit Framework modules can be found here.

Prerequisites: PHP, Python, SQLite3 …

Malware Analysis

Ask questions about your Linux and OSX infrastructure

Kolide is an agentless osquery web interface and remote API server. Kolide uses the osquery remote APIs to run ad-hoc distributed queries, to distribute osqueryd configurations, and to collect and process the results of scheduled queries (packs). Kolide was designed to be extremely portable (a single binary) and performant while keeping the codebase simple. osquery allows you to easily …

Malware Analysis

Analyze Microsoft Office OLE2 files

libolecf is a library to access the OLE 2 Compound File (OLECF) format. The OLE 2 Compound File format is used to store certain versions of Microsoft Office files, thumbs.db and other file formats.

Source code
Download from GitHub.
git clone https://github.com/libyal/libolecf
Note that the git repository holds the development version of …

Malware Analysis

Malware Memory Footprint Analysis

VolDiff is a Python script that leverages the Volatility framework to identify malware threats on Windows 7 memory images. VolDiff can be used to run a collection of Volatility plugins against memory images captured before and after malware execution. It creates a report that highlights system changes based on memory (RAM) analysis. VolDiff can also …