Comments (19)
from cape.
It's very easy to do it with signature+volatility
from cape.
This is a malwareconfig decoder I found, not sure if it works or not. I wanted to see if this could be used with CAPE. I've looked at the other decoders to use as an example, but I'm still unclear what the best approach is to implement it.
https://github.com/kevthehermit/RATDecoders/blob/master/decoders/TrickBot.py
from cape.
I ran a trickbot sample and found that process dumps contained not only the trickbot loader, which has both the 32-bit and 64-bit main bot executables as resources, but also the 32-bit main executable. At this point the config is in the resources of the executable. I'm unsure how to proceed from here. I can of course manually pull the config and decode it using python script. What's the best way to integrate with CAPE?
from cape.
Ah fantastic, I didn't realise there was a new malwareconfig.com signature and parser. I have already integrated malwareconfig/RATDecoders so all that is needed is to put the Yara sig into data/yara/CAPE and put the parser into modules/processing/parsers/malwareconfig. I've just added these and pushed so do a quick pull and see if it works. Would you be able to share the hash(es) for the samples you are looking at so I can test?
Cheers
from cape.
0a8a65f81001f20152e3b7591b01cfc82d3af55dd6a45187f8cdf38e15c23875 is the one I've been looking at.
from cape.
Process Name: 0a7a54e70000e10041d2a6480a00beb71c2ae44cc5a34076e7bce27d04b12764.exe
PID: 3416
Dump Size: 96256 bytes
Module Path: C:\Users\carlos\AppData\Roaming\winapp\0a7a54e70000e10041d2a6480a00beb71c2ae44cc5a34076e7bce27d04b12764.exe
Type: PE image: 32-bit executable
MD5: fc02b19daa60f2a0b0fab45ba7f2ac85
SHA1: 3bcddd949eb8b024a7f36c3627c8e91ad3fd35ea
SHA256: 66a7d7fc706a6c29314416fb66d448124157eaf45f39f41c866aa8b8c5417f8b
CRC32: 45FF8456
Ssdeep: 1536:v6bgEmPRnvuNbysAvZCoyUb5jV3DjpHzJ2T983SBcQ4xwZlYozj6csLWGAMnUnux:vogtPRnvabZAQVy3BTm983e4uZlYozj8
ClamAV: Win.Trojan.Trickbot-6335790-0
Yara:
network_dns - Communications use DNS
Visual_Cpp_2005_Release_Microsoft -
VC8_Microsoft_Corporation -
Armadillo_v4x -
Microsoft_Visual_Cpp_8 -
IsPE32 -
IsWindowsGUI -
HasRichSignature - Rich Signature Check
CAPE Yara: None matched
Dump Filename: 66a7d7fc706a6c29314416fb66d448124157eaf45f39f41c866aa8b8c5417f8b
Here's the results after running with your commit. This is the 32-bit bot exe with the encrypted config resource. Doesn't appear to have been decoded and/or the yara signature didn't match.
from cape.
Right, I have added a bit of code from this version to the yara sig to detect the 32-bit main exe. The config parser should now work - I get the following from this sample:
Type TrickBot Config
servs
84.238.198.166:449,91.139.236.92:449,84.40.65.85:449,51.254.164.249:443,188.165.62.15:443,67.21.84.23:443,210.16.102.251:443,188.165.62.8:443,185.147.34.95:443,185.158.115.151:443,104.152.187.28:443,5.152.210.179:443,178.156.202.227:443,216.107.149.57:443,194.87.237.129:443,194.87.235.164:443,93.95.97.180:443,194.87.238.42:443,178.156.202.226:443,185.117.73.4:443
ver
1000044
gtag
kas7
autorun
[[('ctl', 'GetSystemInfo'), ('name', 'systeminfo')], [('name', 'injectDll
Let me know if it works for you.
from cape.
Did you submit the 32-bit main manually? I submitted the original and it didn't detect. I would have expected the yara rule to trigger on the dumped process. Is that incorrect?
from cape.
My bad - the bit I added to the sig had an address in it which turns out to be variable - I've pushed a fix now.
You are right - the Yara sig should trigger on the process dump, as well as on some of the payloads from the resulting Extraction job. Let me know if it's working now.
from cape.
Latest commit worked.
I noticed the following in the log, not sure if it's anything to be concerned about.
ERROR: CAPE: malwareconfig parsing error with TrickBot: not well-formed (invalid token): line 1, column 1
from cape.
That is xml related
from cape.
Ok thanks.
from cape.
I didn't see that error myself, but if the config looks complete it may not be worth worrying about. But to investigate it, I would probably either run/debug the standalone decoder on the extracted payload (or process dump) or alternatively debug the decoder within CAPE using Python Tools for Visual Studio. Let me know if you want any pointers in doing either of these.
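The "not well-formed (invalid token): line 1, column 1" message in the log is what Python's ElementTree raises when the bytes handed to it are not XML at all (for example a dump that matched the Yara rule but holds undecrypted or padded data). The snippet below is an added example for reproducing and tolerating that condition standalone, before debugging inside CAPE; it is not code from this thread or from RATDecoders. The config layout (an `mcconf` root with `ver`, `gtag`, `servs/srv` and `autorun/module` elements) is an assumption modelled on the field names the thread prints, and the sample bytes are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a decrypted config, using the field names shown in the
# thread (ver, gtag, servs, autorun, ctl/name). The element names are an
# assumption for this example, not the layout of the real sample.
SAMPLE_CONFIG = (
    b"<mcconf>"
    b"<ver>1000044</ver>"
    b"<gtag>kas7</gtag>"
    b"<servs><srv>84.238.198.166:449</srv><srv>51.254.164.249:443</srv></servs>"
    b"<autorun>"
    b'<module name="systeminfo" ctl="GetSystemInfo"/>'
    b'<module name="injectDll"/>'
    b"</autorun>"
    b"</mcconf>"
)

# Constructed: what a parser sees when a matched dump holds bytes that are not
# decrypted XML (still-encrypted data, or an unrelated region of the dump).
NOT_XML = b"\x8b\x1f\x00\x00garbage"


def raw_parse_error(data):
    """Return ElementTree's error message for data, or None if it parses.

    Feeding non-XML bytes straight to ET.fromstring is what produces log lines
    such as 'not well-formed (invalid token): line 1, column 1'.
    """
    try:
        ET.fromstring(data)
        return None
    except ET.ParseError as exc:
        return str(exc)


def parse_config(data):
    """Parse decrypted config bytes into a dict, or return None if not XML.

    Returning None instead of raising lets a caller log the condition and move
    on to the next dump rather than abort the whole processing job. Bytes
    outside the first '<' and last '>' (NUL padding, length prefixes) are skipped.
    """
    start = data.find(b"<")
    end = data.rfind(b">")
    if start < 0 or end < start:
        return None
    try:
        root = ET.fromstring(data[start:end + 1])
    except ET.ParseError:
        return None

    config = {
        "ver": root.findtext("ver"),
        "gtag": root.findtext("gtag"),
        "servs": [srv.text for srv in root.iterfind("servs/srv") if srv.text],
        "autorun": [],
    }
    for module in root.iterfind("autorun/module"):
        # Keep every attribute of the module entry (name, ctl, ...) as a sorted
        # list of pairs, the same shape CAPE printed in the thread.
        config["autorun"].append(sorted(module.attrib.items()))
    return config


if __name__ == "__main__":
    print(parse_config(b"\x00\x00" + SAMPLE_CONFIG + b"\x00\x00"))
    print("raw error on non-XML:", raw_parse_error(NOT_XML))
```

Running it over the bytes an extracted payload actually yields (for instance the decrypted resource pulled out of the 32-bit main executable) tells you quickly whether the decoder's input is XML at all or whether the decryption step came back with padding or ciphertext, which is the usual cause of a column 1 parse error.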
from cape.
Will PT for VS allow for remote debugging to a linux server running CAPE?
from cape.
Yep this is what I use to debug CAPE - it works really well, although the setup is a bit of a faff. Worth it though.
from cape.
Then I will definitely take whatever pointers you can offer to get it setup. I'll Google around and see how far I get. Thanks.
from cape.
Currently for this I'm using VS2012 and PTVS 2.1. Once you've got it set up you launch the solution, then Debug->Attach to Process, then pick Python remote debugging to connect to the server. On the server side, you need to add a few lines to the top of cuckoo.py:
import ptvsd
ptvsd.enable_attach(secret=None)
ptvsd.wait_for_attach()
before launching it obviously. It will appear hung waiting until you connect from VS then you will be running and can set breakpoints etc accordingly. Let me know how you get on.
from cape.
Can you run this sample and see if you get a config?
I get empty config results, but it does recognize it as TrickBot.
4b6a4fdafa64cf28891d2811416b23590b99269015ab90b2f4f3f3f8bd347399
Never mind. I found a silly bug I introduced in the TrickBot.py file.
from cape.