# Malware Uchambuzi {{#include ../../banners/hacktricks-training.md}} ## CheatSheets za Forensics [https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/) ## Huduma za Mtandaoni - [VirusTotal](https://www.virustotal.com/gui/home/upload) - [HybridAnalysis](https://www.hybrid-analysis.com) - [Koodous](https://koodous.com) - [Intezer](https://analyze.intezer.com) - [Any.Run](https://any.run/) ## Zana za Antivirus na Ugunduzi Zisizo Mtandaoni ### Yara #### Sakinisha ```bash sudo apt-get install -y yara ``` #### Tayarisha rules Tumia script hii kupakua na kuunganisha yote yara malware rules kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\ Unda saraka ya _**rules**_ na uiendeshe. Hii itaunda faili iitwayo _**malware_rules.yar**_ ambayo ina yara rules zote za malware. ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules python malware_yara_rules.py ``` #### Skana ```bash yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar folder #Scan the whole folder ``` #### YaraGen: Angalia malware na unda yara rules Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kutengeneza yara rules kutoka kwa binary. Angalia mafunzo haya: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) ```bash python3 yarGen.py --update python3.exe yarGen.py --excludegood -m ../../mals/ ``` ### ClamAV #### Sakinisha ``` sudo apt-get install -y clamav ``` #### Skana ```bash sudo freshclam #Update rules clamscan filepath #Scan 1 file clamscan folderpath #Scan the whole folder ``` ### [Capa](https://github.com/mandiant/capa) **Capa** hugundua inaweza kuwa hatari **sifa** katika faili zinazotekelezeka: PE, ELF, .NET. Hivyo itaona vitu kama Att\&ck tactics, au sifa zenye shaka kama: - angalia OutputDebugString error - run as a service - create process Pata kwenye [**Github repo**](https://github.com/mandiant/capa). ### IOCs IOC inamaanisha Indicator Of Compromise. IOC ni seti ya **vigezo vinavyoitambulisha** baadhi ya programu zinazoweza kutakiwa au kuthibitishwa kuwa **malware**. Blue Teams hutumia aina hii ya ufafanuzi ili **kutafuta aina hizi za faili zenye madhara** katika **mifumo** na **mitandao** yao.\ Kushiriki ufafanuzi hizi ni muhimu kwa sababu wakati malware inapotambuliwa kwenye kompyuta na IOC ya malware hiyo ikianzishwa, Blue Teams wengine wanaweza kuitumia kutambua malware kwa haraka. Chombo cha kuunda au kubadilisha IOCs ni [**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\ Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta **IOCs zilizofafanuliwa kwenye kifaa**. ### Loki [**Loki**](https://github.com/Neo23x0/Loki) ni scanner kwa Simple Indicators of Compromise.\ Ugundaji unategemea mbinu nne za kugundua: ``` 1. File Name IOC Regex match on full file path/name 2. Yara Rule Check Yara signature matches on file data and process memory 3. Hash Check Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files 4. C2 Back Connect Check Compares process connection endpoints with C2 IOCs (new since version v.10) ``` ### Linux Malware Detect [**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni scan ya malware kwa Linux iliyotolewa chini ya leseni ya GNU GPLv2, iliyobuniwa kuangalia vitisho vinavyokumbwa katika mazingira ya hosting ya pamoja. Inatumia data za vitisho kutoka kwa mfumo wa kugundua uvamizi kwenye mipaka ya mtandao ili kupata malware zinazotumika katika mashambulio na kuzalisha saini za kugundua. Zaidi ya hayo, data za vitisho hupatikana pia kutoka kwa michango ya watumiaji kupitia kipengele cha LMD checkout na rasilimali za jamii za malware. ### rkhunter Vyombo kama [**rkhunter**](http://rkhunter.sourceforge.net) vinaweza kutumika kukagua filesystem kwa uwezekano wa **rootkits** na malware. ```bash sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress] ``` ### FLOSS [**FLOSS**](https://github.com/mandiant/flare-floss) ni zana itakayejaribu kupata obfuscated strings ndani ya executables kwa kutumia mbinu mbalimbali. ### PEpper [PEpper ](https://github.com/Th3Hurrican3/PEpper) huchunguza mambo ya msingi ndani ya executable (binary data, entropy, URLs and IPs, some yara rules). ### PEstudio [PEstudio](https://www.winitor.com/download) ni zana inayowezesha kupata taarifa za Windows executables kama imports, exports, headers, lakini pia itakagua virus total na kubaini potential Att\&ck techniques. ### Detect It Easy(DiE) [**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni zana ya kugundua kama faili ime **encrypted** na pia kupata **packers**. ### NeoPI [**NeoPI** ](https://github.com/CiscoCXSecurity/NeoPI) ni script ya Python inayotumia aina mbalimbali za **statistical methods** kugundua **obfuscated** na **encrypted** content ndani ya text/script files. Madhumuni ya NeoPI ni kusaidia katika **detection of hidden web shell code**. ### **php-malware-finder** [**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) hufanya kila iwezalo kugundua **obfuscated**/**dodgy code** pamoja na files zinazotumia **PHP** functions zinazotumiwa mara kwa mara na **malwares**/webshells. ### Apple Binary Signatures Wakati wa kukagua baadhi ya **malware sample** unapaswa kila mara **check the signature** ya binary kwani **developer** aliyesaini anaweza kuwa tayari **related** na **malware**. ```bash #Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" #Check if the app’s contents have been modified codesign --verify --verbose /Applications/Safari.app #Check if the signature is valid spctl --assess --verbose /Applications/Safari.app ``` ## Detection Techniques ### File Stacking Ikiwa unajua kwamba folda fulani iliyo na **faili** za seva ya wavuti ilisasishwa **mwisho tarehe fulani**, **angalia** **tarehe** ambazo **faili** zote kwenye **seva ya wavuti** ziliundwa na kubadilishwa, na ikiwa tarehe yoyote ni **ya kushuku**, angalia faili hiyo. ### Baselines Kama **faili** za folda **hazikutakiwa kubadilishwa**, unaweza kuhesabu **hash** ya **faili za awali** za folda na kuzi **linganisha** na za **sasa**. Kile chochote kilichobadilishwa kitakuwa **cha kushuku**. ### Statistical Analysis Wakati taarifa zinahifadhiwa kwenye logs unaweza **kuangalia takwimu, kwa mfano ni mara ngapi kila faili ya seva ya wavuti ilifikiwa, kwani web shell inaweza kuwa miongoni mwa zilizofikiwa mara nyingi**. --- ### Android in-app native telemetry (no root) On Android, unaweza kuiweka instrument native code ndani ya mchakato wa target app kwa preload library ndogo ya logger kabla libraries nyingine za JNI hazijaanzishwa. Hii inatoa uonekano wa mapema juu ya tabia za native bila hooks za mfumo mzima au root. Mbinu maarufu ni SoTap: weka libsotap.so kwa ABI sahihi ndani ya APK na ingiza wito wa System.loadLibrary("sotap") mapema (mfano, static initializer au Application.onCreate), kisha ukusanye logs kutoka njia za ndani/za nje au kwa fallback ya Logcat. See the Android native reversing page for setup details and log paths: {{#ref}} ../../mobile-pentesting/android-app-pentesting/reversing-native-libraries.md {{#endref}} --- ## Deobfuscating Dynamic Control-Flow (JMP/CALL RAX Dispatchers) Familia za kisasa za malware zinatumia kupitiliza obfuscation ya Control-Flow Graph (CFG): badala ya jump/call ya moja kwa moja wanahesabu marudio wakati wa utekelezaji na kutekeleza `jmp rax` au `call rax`. *dispatcher* ndogo (kawaida maagizo tisa) huweka lengo la mwisho kulingana na bendera za CPU `ZF`/`CF`, ikivunja kabisa urejeshaji wa CFG kwa static. The technique – showcased by the SLOW#TEMPEST loader – can be defeated with a three-step workflow that only relies on IDAPython and the Unicorn CPU emulator. ### 1. Pata kila jump / call isiyo ya moja kwa moja ```python import idautils, idc for ea in idautils.FunctionItems(idc.here()): mnem = idc.print_insn_mnem(ea) if mnem in ("jmp", "call") and idc.print_operand(ea, 0) == "rax": print(f"[+] Dispatcher found @ {ea:X}") ``` ### 2. Toa byte-code ya dispatcher ```python import idc def get_dispatcher_start(jmp_ea, count=9): s = jmp_ea for _ in range(count): s = idc.prev_head(s, 0) return s start = get_dispatcher_start(jmp_ea) size = jmp_ea + idc.get_item_size(jmp_ea) - start code = idc.get_bytes(start, size) open(f"{start:X}.bin", "wb").write(code) ``` ### 3. Iga mara mbili na Unicorn ```python from unicorn import * from unicorn.x86_const import * import struct def run(code, zf=0, cf=0): BASE = 0x1000 mu = Uc(UC_ARCH_X86, UC_MODE_64) mu.mem_map(BASE, 0x1000) mu.mem_write(BASE, code) mu.reg_write(UC_X86_REG_RFLAGS, (zf << 6) | cf) mu.reg_write(UC_X86_REG_RAX, 0) mu.emu_start(BASE, BASE+len(code)) return mu.reg_read(UC_X86_REG_RAX) ``` Endesha `run(code,0,0)` na `run(code,1,1)` ili kupata malengo ya matawi *false* na *true*. ### 4. Rekebisha tena direct jump / call ```python import struct, ida_bytes def patch_direct(ea, target, is_call=False): op = 0xE8 if is_call else 0xE9 # CALL rel32 or JMP rel32 disp = target - (ea + 5) & 0xFFFFFFFF ida_bytes.patch_bytes(ea, bytes([op]) + struct.pack('