Malware Analysis
Reading time: 10 minutes
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Forensics CheatSheets
https://www.jaiminton.com/cheatsheet/DFIR/#
Online Services
Offline Antivirus and Detection Tools
Yara
Install
sudo apt-get install -y yara
Prepare rules
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
Scan
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
YaraGen: Check for malware and create rules
You can use the tool YaraGen to generate yara rules from a binary. Check out these tutorials: Part 1, Part 2, Part 3
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m ../../mals/
ClamAV
Install
sudo apt-get install -y clamav
Scan
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the whole folder
Capa
Capa detects potentially malicious capabilities in executables: PE, ELF, .NET. So it will find things like Att&ck tactics, or suspicious capabilities such as:
- check for OutputDebugString error
- run as a service
- create process
Get it from the Github repo.
IOCs
IOC means Indicator Of Compromise. An IOC is a set of conditions that identify some potentially unwanted software or confirmed malware. Blue Teams use this kind of definition to search for this kind of malicious files in their systems and networks.
Sharing these definitions is very useful, since when malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.
A tool to create or modify IOCs is IOC Editor.
You can use tools such as Redline to search for defined IOCs in a device.
Loki
Loki is a scanner for Simple Indicators of Compromise.
Detection is based on four detection methods:
1. File Name IOC: regex match on full file path/name
2. Yara Rule Check: Yara signature matches on file data and process memory
3. Hash Check: compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
4. C2 Back Connect Check: compares process connection endpoints with C2 IOCs (new since version v.10)
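As an added illustration (not Loki's own code), the first and third of these checks in Python: a filename-regex IOC and a hash IOC applied to a constructed directory tree. The IOC patterns and the hashed sample are hypothetical placeholders, not real indicators.

```python
import hashlib
import os
import re
import tempfile

# Constructed IOC definitions (hypothetical, for demonstration only).
FILENAME_IOCS = [
    (r"(?i)(^|[\\/])mimikatz(\.exe)?$", "known credential-dumping tool name"),
    (r"(?i)\.(php|jsp|aspx?)\.(jpe?g|png|gif)$", "double extension hiding a web shell"),
]
HASH_IOCS = {  # sha256 -> description; digest of a constructed sample, not a real malware hash
    hashlib.sha256(b"CONSTRUCTED SAMPLE A\n").hexdigest(): "constructed sample A",
}

def scan(root):
    """Loki-style pass over a tree: filename regex IOCs, then hash IOCs. Returns (path, method, note)."""
    compiled = [(re.compile(pat), note) for pat, note in FILENAME_IOCS]
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            for rx, note in compiled:           # 1. File Name IOC on the full path
                if rx.search(full):
                    findings.append((full, "filename", note))
            try:
                with open(full, "rb") as f:     # 3. Hash Check on file content
                    digest = hashlib.sha256(f.read()).hexdigest()
            except OSError:
                continue                        # unreadable file: skip it, do not abort the scan
            if digest in HASH_IOCS:
                findings.append((full, "hash", HASH_IOCS[digest]))
    return findings

def build_demo_tree():
    """Create a constructed directory with one clean file and one hit per IOC type."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    for name, data in [("notes.txt", b"clean content\n"),
                       ("upload.php.jpg", b"<?php /* constructed placeholder */ ?>"),
                       ("sample.bin", b"CONSTRUCTED SAMPLE A\n")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root

if __name__ == "__main__":
    for path, method, note in scan(build_demo_tree()):
        print(f"[{method}] {path}: {note}")
```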
Linux Malware Detect
Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions with the LMD checkout feature and malware community resources.
rkhunter
Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
FLOSS
FLOSS is a tool that will try to find obfuscated strings inside executables using different techniques.
PEpper
PEpper checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).
PEstudio
PEstudio is a tool that allows getting information of Windows executables such as imports, exports, headers, but also checks virus total and finds potential Att&ck techniques.
Detect It Easy (DiE)
DiE is a tool to detect if a file is encrypted and also find packers.
NeoPI
NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code.
php-malware-finder
PHP-malware-finder does its best to detect obfuscated/dodgy code as well as files using PHP functions often used by malwares/webshells.
Apple Binary Signatures
When checking a malware sample you should always check the signature of the binary, because the developer that signed it may already be related with malware.
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the app's contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
Detection Techniques
File Stacking
If you know that a certain folder containing the files of a web server was last updated on a certain date, check the date when all the files on the web server were created and modified, and if any date is suspicious, check that file.
Baselines
If the files of a folder shouldn't have been modified, you can calculate the hash of the original files of the folder and compare them with the current ones. Anything modified will be suspicious.
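An added example (not from the page's own material) that combines the file stacking and baseline checks above: hash a web root once, re-hash it later, and report files that were added, modified, removed, or touched after the last legitimate deployment. The web root, its files and the deployment time are all constructed.

```python
import hashlib
import os
import tempfile
import time

def snapshot(root):
    """Map relative path -> (sha256, mtime) for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            snap[os.path.relpath(full, root)] = (h.hexdigest(), os.path.getmtime(full))
    return snap

def compare(baseline, current, last_deploy_ts):
    """Baseline diff plus file stacking: flag added/modified/removed files and anything
    whose mtime is newer than the last legitimate deployment."""
    report = {"added": [], "modified": [], "removed": sorted(set(baseline) - set(current)), "touched_after_deploy": []}
    for rel, (digest, mtime) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel][0] != digest:
            report["modified"].append(rel)
        if mtime > last_deploy_ts:
            report["touched_after_deploy"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def run_demo():
    """Constructed web root: deploy, baseline, then simulate a dropped file and a tampered file."""
    root = tempfile.mkdtemp(prefix="webroot_")
    deploy_ts = time.time() - 60                     # last legitimate deployment, one minute ago
    for name in ("index.php", "config.php"):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(b"<?php /* original " + name.encode() + b" */ ?>")
        os.utime(path, (deploy_ts - 3600, deploy_ts - 3600))  # pretend they date from before the deploy
    baseline = snapshot(root)
    with open(os.path.join(root, "index.php"), "ab") as f:   # existing file tampered after deployment
        f.write(b"\n/* constructed tampering */")
    with open(os.path.join(root, "cache.php"), "wb") as f:   # new file dropped after deployment
        f.write(b"<?php /* constructed placeholder */ ?>")
    os.remove(os.path.join(root, "config.php"))               # file removed after deployment
    return compare(baseline, snapshot(root), deploy_ts)
```

Calling run_demo() returns the report dict; in practice the baseline snapshot is stored off-host right after a deployment and compared against a fresh snapshot during triage.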
Statistical Analysis
When the information is saved in logs you can check statistics like how many times each file of a web server was accessed, as a web shell may be one of the most accessed.
Android in-app native telemetry (no root)
On Android, you can instrument native code inside the target app's process by preloading a small logger library before the other JNI libraries initialize. This gives early visibility into native behaviour without system-wide hooks or root. A popular approach is SoTap: place libsotap.so for the correct ABI inside the APK and inject a System.loadLibrary("sotap") call early (for example, in a static initializer or Application.onCreate), then collect the logs from the internal/external paths or use Logcat as a fallback.
See the Android native reversing page for setup details and log paths:
Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers)
Modern malware families heavily abuse Control-Flow Graph (CFG) obfuscation: instead of a direct jump/call they compute the destination at run-time and execute a jmp rax or call rax. A small dispatcher (typically nine instructions) sets the final target depending on the CPU ZF/CF flags, completely breaking static CFG recovery.
The technique, showcased by the SLOW#TEMPEST loader, can be defeated with a three-step workflow that relies only on IDAPython and the Unicorn CPU emulator.
1. Locate every indirect jump / call
import idautils, idc

# Walk every instruction of the function under the cursor and report
# each jmp/call whose operand is RAX (the exit of a dispatcher)
for ea in idautils.FuncItems(idc.here()):
    mnem = idc.print_insn_mnem(ea)
    if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax":
        print(f"[+] Dispatcher found @ {ea:X}")
2. Extract the dispatcher byte-code
import idc

def get_dispatcher_start(jmp_ea, count=9):
    # Step back `count` instruction heads from the jmp/call rax to reach the start of the dispatcher
    s = jmp_ea
    for _ in range(count):
        s = idc.prev_head(s, 0)
    return s

jmp_ea = idc.here()   # address of one jmp/call rax found in step 1
start = get_dispatcher_start(jmp_ea)
size = jmp_ea + idc.get_item_size(jmp_ea) - start
code = idc.get_bytes(start, size)
with open(f"{start:X}.bin", "wb") as f:
    f.write(code)
3. Emulate twice with Unicorn
from unicorn import *
from unicorn.x86_const import *

def run(code, zf=0, cf=0):
    BASE = 0x1000
    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(BASE, 0x1000)
    mu.mem_write(BASE, code)
    # ZF is bit 6 and CF bit 0 of RFLAGS; the dispatcher derives its target from them
    mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf)
    mu.reg_write(UC_X86_REG_RAX, 0)
    try:
        mu.emu_start(BASE, BASE + len(code))
    except UcError:
        pass   # the final jmp/call rax leaves the mapped page; RAX is already resolved at that point
    return mu.reg_read(UC_X86_REG_RAX)   # RAX holds the resolved branch target

Run run(code,0,0) and run(code,1,1) to obtain the false and true branch targets.
4. Patch a direct jump / call
import struct, ida_bytes

def patch_direct(ea, target, is_call=False):
    op = 0xE8 if is_call else 0xE9   # CALL rel32 or JMP rel32
    disp = (target - (ea + 5)) & 0xFFFFFFFF   # rel32 is relative to the end of the 5-byte instruction
    ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('<I', disp))
After patching, force IDA to re-analyse the function so that the full CFG and the Hex-Rays output are restored:
import ida_funcs

# reanalyze_function() expects a func_t, so look the function up from the patched address
ida_funcs.reanalyze_function(ida_funcs.get_func(ea))
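An added stand-alone check for step 4 (not from the Unit42 write-up or the page's IDAPython): it encodes the E8/E9 rel32 replacement the same way patch_direct does, decodes it back as a signed displacement to confirm it lands on the intended target (backward branches included), and rejects targets outside the +/-2 GiB reach of rel32. It runs without IDA; the addresses in the demo are constructed.

```python
import struct

def encode_direct(ea, target, is_call=False):
    """5-byte E8 (CALL rel32) / E9 (JMP rel32) that replaces the dispatcher's jmp/call rax at ea."""
    op = 0xE8 if is_call else 0xE9
    disp = (target - (ea + 5)) & 0xFFFFFFFF   # masking yields the two's-complement form for backward targets
    return bytes([op]) + struct.pack("<I", disp)

def decode_direct(ea, code):
    """Recover (is_call, target) from an E8/E9 instruction at ea, or None if it is not one."""
    if len(code) < 5 or code[0] not in (0xE8, 0xE9):
        return None
    disp = struct.unpack("<i", code[1:5])[0]  # read back signed so negative displacements resolve
    return code[0] == 0xE8, (ea + 5 + disp) & 0xFFFFFFFFFFFFFFFF

def in_rel32_range(ea, target):
    """E8/E9 can only reach +/-2 GiB from the next instruction; anything else needs another patch form."""
    return -0x80000000 <= target - (ea + 5) <= 0x7FFFFFFF

def patch_is_consistent(ea, target, is_call=False):
    """Sanity check worth running before ida_bytes.patch_bytes: in range and decodes back to target."""
    if not in_rel32_range(ea, target):
        return False
    return decode_direct(ea, encode_direct(ea, target, is_call)) == (is_call, target)

if __name__ == "__main__":
    # Constructed addresses: a forward jmp and a backward call inside one image
    print(encode_direct(0x140001000, 0x140001200).hex())
    print(encode_direct(0x140001200, 0x140001000, is_call=True).hex())
```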
5. Label indirect API calls
Once the real target of each call rax is known, you can tell IDA what it is so that parameter types and variable names are recovered automatically:
idc.set_callee_name(call_ea, resolved_addr, 0) # IDA 8.3+
Practical benefits
- Restores the real CFG → decompilation goes from 10 lines to thousands.
- Enables string cross-references & xrefs, making behaviour reconstruction trivial.
- Scripts are reusable: drop them into any loader protected by the same trick.
AdaptixC2: Config Extraction and TTPs
Check the dedicated page:
Adaptixc2 Config Extraction And Ttps
References
- Unit42 – Evolving Tactics of SLOW#TEMPEST: A Deep Dive Into Advanced Malware Techniques
- SoTap: Lightweight in-app JNI (.so) behavior logger – github.com/RezaArbabBot/SoTap
- Unit42 – AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks