File IOC

File

file test.exe

ExifTools

exiftools test.exe

md5sum

md5sum test.exe

sha256sum

sha256sum test.exe

strings

strintgs test.exe

clamAV

sudo clamscan -v test.exe

sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the whole folder

yara

sudo apt-get install -y yara

Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py

Scan

yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder

(VirusTotal ) vt-scanner

python vt-scanner.py test.exe

Sensitive Scripts

capa

Capa detects potentially malicious capabilities in executables: PE, ELF, .NET. So it will find things such as Att&ck tactics, or suspicious capabilities such as:

check for OutputDebugString error
run as a service
create process

Example of capa capabilities:

Persistence: Identifies if the binary tries to establish persistence on a system (e.g., by modifying the registry).
Networking: Detects if the malware attempts to communicate over a network, such as sending HTTP requests or opening sockets.
Encryption: Recognizes the use of encryption algorithms like AES or RC4.
File System Interaction: Tracks file creation, deletion, or modification activities.

capa test.exe

More Information

Here are some sample outputs and usage examples of capa, a tool used for analyzing executables (especially malware) by identifying their capabilities. These examples showcase the kind of information capa extracts when analyzing a file, including behavioral patterns, techniques, and malware capabilities.

1. Basic capa Usage

First, run capa on an executable file. For example:

capa malware_sample.exe

Sample Output:

+------------------------+---------------------------------------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                                                |
|------------------------+---------------------------------------------------------------------------------|
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]                                         |
| DISCOVERY              | Query Registry [T1012]                                                          |
| DISCOVERY              | Query Information from Local System [T1082]                                     |
| EXECUTION              | Shared Modules [T1129]                                                          |
+------------------------+---------------------------------------------------------------------------------+

+----------------------------+--------------------------------------------------------------------------+
| MBC Objective               | MBC Behavior                                                            |
|----------------------------+--------------------------------------------------------------------------|
| ANTI-BEHAVIORAL ANALYSIS    | Obfuscate or Encrypt Code [B0030.003]                                    |
| DISCOVERY                   | System Information Discovery [F0022]                                     |
+----------------------------+--------------------------------------------------------------------------+

+------------------------------+------------------------------------------------------------------------+
| CAPABILITY                    | DESCRIPTION                                                           |
|------------------------------+------------------------------------------------------------------------|
| Allocate RWX memory           | The sample allocates memory with Read, Write, and Execute permissions  |
| Get computer name             | The sample retrieves the computer name of the system                   |
| Create a file                 | The sample creates or opens a file                                     |
| Sleep (anti-analysis)         | The sample uses the Sleep function, often used to evade sandboxing     |
| Use Windows API calls         | The sample directly uses Windows API calls                             |
+------------------------------+------------------------------------------------------------------------+

capa: finished analysis of malware_sample.exe

2. Example capa Findings

Below is a breakdown of what the capa output might show, based on the capabilities of the analyzed binary.

Memory Manipulation:

Allocate RWX memory: This indicates that the malware sample is allocating memory with read, write, and execute permissions, a common technique in exploits or to inject malicious code.

File Manipulation:

Create a file: The malware creates or opens files, which could mean it’s writing data to disk, perhaps as part of a payload or for persistence.

System Discovery:

Get computer name: The malware is querying the system for information about the computer, likely as part of reconnaissance to adjust its behavior based on the environment.

Anti-Analysis Techniques:

Sleep (anti-analysis): The sample uses the Sleep function, a common technique to evade analysis by delaying execution and making it harder for sandbox environments to catch malicious behavior.

Persistence and Execution:

Use Windows API calls: The sample interacts directly with Windows API functions, a key method used for many forms of malware to carry out malicious activities like process injection, registry manipulation, or file access.

3. Identifying Malware Capabilities

Here’s another sample capa output that indicates more specific malware behaviors:

+------------------------------+--------------------------------------------------------------------------+
| CAPABILITY                    | DESCRIPTION                                                             |
|------------------------------+--------------------------------------------------------------------------|
| Read PE header                | The malware reads the Portable Executable (PE) header of a file          |
| Query disk information        | The malware queries disk information (size, type, etc.)                  |
| Encrypt data                  | The malware performs data encryption, possibly to protect its payload    |
| Communicate using HTTP        | The malware communicates over HTTP, potentially exfiltrating data        |
| Open process                  | The malware opens a process, possibly for injection or manipulation      |
| Modify registry key           | The malware modifies a registry key, likely for persistence or evasion   |
+------------------------------+--------------------------------------------------------------------------+

Detailed Behavior:

Read PE header: This shows that the malware inspects other executables, perhaps for infection purposes or to check system files.
Query disk information: The sample gathers information about the disk, potentially to detect virtualized environments or understand system configurations.
Encrypt data: This indicates ransomware-like behavior where data is encrypted.
Communicate using HTTP: The malware can communicate with remote servers using HTTP, possibly for exfiltrating stolen data or receiving commands.
Open process: Opening a process might indicate process injection or other malicious actions on running processes.
Modify registry key: Common in malware that establishes persistence on a victim machine, allowing it to run on startup.

4. Running capa with Custom YARA Rules

capa supports YARA rules for more customized detection. You can provide custom rules to extend capa’s detection capabilities.

Example command:

capa --rules /path/to/custom/rules malware_sample.exe

This will use your custom rules (in addition to capa’s standard rule set) to analyze the file for specific behaviors you’re looking for.

5. Detecting Specific Techniques Using ATT&CK

Another useful aspect of capa is its mapping to the MITRE ATT&CK framework, which categorizes various techniques used by adversaries.

+------------------------+---------------------------------------------------+
| ATT&CK Tactic          | ATT&CK Technique                                  |
|------------------------+---------------------------------------------------|
| PERSISTENCE            | Modify Registry [T1112]                           |
| EXECUTION              | Command-Line Interface [T1059]                    |
| CREDENTIAL ACCESS      | Credential Dumping [T1003]                        |
| DEFENSE EVASION        | Obfuscated Files or Information [T1027]           |
+------------------------+---------------------------------------------------+

Example of ATT&CK Techniques:

Modify Registry: The malware modifies the Windows registry to ensure it persists across reboots.
Command-Line Interface: It uses the command-line for execution, indicating it may execute system commands as part of its operation.
Credential Dumping: The sample could be trying to extract sensitive information like passwords or authentication tokens.
Obfuscated Files: Indicates that the malware may be packed or obfuscated to hide its true intent from analysis tools.

Loki

Loki is a scanner for Simple Indicators of Compromise.
Detection is based on four detection methods:

1. File Name IOC
   Regex match on full file path/name

2. Yara Rule Check
   Yara signature matches on file data and process memory

3. Hash Check
   Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files
   
4. C2 Back Connect Check
   Compares process connection endpoints with C2 IOCs (new since version v.10)

Floss

is a tool that will try to find obfuscated strings inside executables using different techniques.
The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries. You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.

floss malware.exe

Only extract stack and tight strings:

floss --only stack tight -- suspicious.exe

Do not extract static strings:

floss --no static -- backdoor.exe

Display the help/usage screens:

floss -h  # show core arguments
floss -H  # show all supported arguments

Link

IOCS

Simple Indicators of Compromise (IoCs) are data points or clues that suggest a system may be compromised or under attack by malware or other malicious activity. These indicators provide evidence of potential security breaches and are used by security teams to detect, investigate, and respond to cyber threats.

Examples of Simple IoCs:

File Names:
- Unusual or suspicious file names that match known malware patterns.
- Example: A file named evil.exe or msword_update.bat may indicate the presence of malware.
File Hashes:
- Cryptographic hash values (e.g., MD5, SHA1, SHA256) of known malicious files. These hashes are unique to specific files, allowing quick identification of malware samples.
- Example: Hash d41d8cd98f00b204e9800998ecf8427e matches a known malicious file.
Suspicious IP Addresses or Domains:
- IP addresses or domain names known to be associated with command-and-control (C2) servers used by attackers to communicate with compromised systems.
- Example: An IP address or domain such as malicious-c2.com might indicate the system is connected to a threat actor.
Suspicious File Paths:
- Files stored in unusual directories or locations often used by malware to avoid detection.
- Example: C:\Users\Public\System32\drivers\svchost.exe in a directory that is normally clean may raise suspicion.
Registry Keys:
- Abnormal or unexpected modifications to the Windows Registry that malware may use to establish persistence or manipulate system settings.
- Example: A registry key set to run a suspicious program every time the system starts.
Unusual Network Activity:
- Unexplained outgoing connections to known malicious IP addresses, unexpected high levels of traffic, or suspicious protocols being used.
- Example: A machine connecting to an IP address in a foreign country at unusual hours.
Executable Code Signatures:
- Executables with invalid or unknown digital signatures can be IoCs, indicating tampering or unauthorized modifications.
- Example: A binary file with a signature mismatch that was altered by malware.
Suspicious Processes or Services:
- Processes or services running on a system that are unusual, unexpected, or match known malware behavior.
- Example: A process named randomsvc.exe masquerading as a legitimate Windows service.

Why Are IoCs Important?

Simple IoCs serve as early warning signals that a security breach might have occurred. They allow organizations to:

Detect compromises in their environment before more damage is done.
Investigate the nature of the attack by tracing these indicators back to their source.
Respond and mitigate the threat quickly, stopping the attacker from causing further harm.

Types of Indicators of Compromise:

While simple IoCs tend to be more specific and straightforward, such as file names or hashes, there are also more complex IoCs that include:

Behavioral IoCs: Patterns of actions or behaviors, such as lateral movement or privilege escalation.
Tactical IoCs: Higher-level indicators that describe techniques, tactics, and procedures (TTPs) used by attackers.

NeoPI

NeoPI is a Python script that uses a variety of statistical methods to detect obfuscated and encrypted content within text/script files. The intended purpose of NeoPI is to aid in the detection of hidden web shell code. The development focus of NeoPI was creating a tool that could be used in conjunction with other established detection methods such as Linux Malware Detect or traditional signature/keyword based searches.

PEpper

checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).

python pepper.py test.exe

Rkhunter

sudo rkhunter --check

chkrootkit

sudo chkrootkit

Maldet

sudo maldet -a /

sudo maldet -a /home/koosha/Dowmloads

-c, –checkout FILE : This command will upload suspected malware to rfxn.com for review & hashing into signatures

sudo maldet -c /home/koosha/Downloads/malware.ml

-l, –log : This command will view maldet log file events.

maldet -l

Check your Scan Results from Maldet

maldet -report <SCAN-ID>

Remove all detected Malware based on a Scan Report

maldet -quarantine <SCAN-ID>

maldet –quarantine 08594-19634.85478

Restoring a File you accidentally removed with Maldet

maldet -restore Folder/File

Update Maldet database

sudo maldet -u

upgrade maldet installation version

maldet -d

radare2

Radare2

Radare2 (r2) is a highly versatile tool that can do everything from reverse engineering and analyzing malware to debugging, patching, and disassembling binaries. Here’s more in-depth information to extend your understanding of Radare2, including its advanced commands, scripting capabilities, and use cases.

1. File Analysis in Radare2

Radare2 allows you to inspect various parts of a binary or a file, such as the file format, sections, segments, and more. This helps you understand the structure of a binary and how it operates.

Basic File Analysis Commands

File Header Information:
```
iI
```
This shows general information like file type, architecture, and entry point.
File Sections:
```
iS
```
Displays the various sections in the binary like .text, .data, .bss, etc.
File Symbols:
- Imports: ii
- Exports: iE
- Functions: afl

Analyze All at Once

If you want to perform a full analysis on the binary (functions, symbols, strings):

aaa

This is a more comprehensive version of the aa command, which provides deeper insights into function boundaries, basic blocks, and control flow.

2. Exploring Functions and Disassembly

Radare2 provides a rich set of commands to analyze and explore functions within a binary.

View Functions in the Binary

List all functions:
```
afl
```
Each function will be displayed with its address, size, and name.
Disassemble Function:
```
pdf @ <address>
```
This disassembles a function at a specific address, showing instructions line by line.
View Graph of a Function:
```
agf @ <function_address>
```
Radare2 will output a textual representation of a function’s control flow graph (CFG). Use Cutter (Radare2’s GUI) for a graphical representation.

3. Control Flow Graphs and Basic Blocks

A control flow graph (CFG) represents all possible paths that a program can take through its code. Basic blocks (single-entry, single-exit blocks of code) are the fundamental units within these graphs.

CFG Commands

View control flow graph: In visual mode, press V to see the control flow graph.
List basic blocks in a function:
```
afb @ <function_address>
```

Analyze function’s control flow:

To get details on how a function branches, loops, and calls other functions:
```
afcf @ <function_address>
```

4. Scripting and Automation in Radare2

Radare2 is scriptable, allowing users to automate repetitive tasks or perform advanced analysis through custom scripts. You can execute sequences of Radare2 commands via a script.

Creating and Running a Script

Create a text file script.r2 with Radare2 commands:

aa
pdf @ main

Run the script:

r2 -i script.r2 <binary_file>

This automates the process of analyzing the binary and disassembling the main function.

Embedded Scripting Languages

Radare2 supports scripting with Python, Lua, or r2pipe, a library that can interface with Radare2 from external programs.

For example, using r2pipe in Python:

import r2pipe
r2 = r2pipe.open("/bin/ls")
r2.cmd("aa")
functions = r2.cmd("afl")
print(functions)

5. Binary Patching with Radare2

Radare2 allows you to modify (patch) binaries directly. You can inject or modify machine code, change program behavior, or patch security vulnerabilities.

Patch Instructions

Patch with an Assembly instruction:

wa <instruction> @ <address>

Example:

wa nop @ 0x08048450

Patch with raw bytes:

wx <hex_bytes> @ <address>

Example:

wx 909090 @ 0x08048450   # Write 3 NOP instructions

Save changes:
After modifying the binary, save it with:
```
w
q
```

6. Debugging with Radare2

You can debug live applications or examine core dumps with Radare2. The debugging mode offers breakpoints, stepping, inspecting memory, and more.

Start Debugging

r2 -d ./binary

Set and Manage Breakpoints

Set breakpoint:
```
db <address>
```
Example:
```
db main
```
List breakpoints:
```
db
```

Execution Controls

Continue execution:
```
dc
```
Step into an instruction:
```
ds
```
Step over:
```
dso
```

Inspecting Registers, Memory, and Stack

View registers:
```
dr
```

View memory:

x @ <address>

Example:

px 32 @ rsp   # View 32 bytes at the stack pointer

7. Working with Strings and References

Radare2 can help you extract strings and find code references to specific functions or addresses, which is essential for analyzing malware or proprietary binaries.

Extract Strings

To find strings within the binary (e.g., for format strings or error messages):

iz

Find Code References

Find cross-references to a function or address:
```
axt @ <address>
```
Find all the locations where a function is called:
```
axt @ sym.main
```

8. Visual Mode in Radare2

Radare2 has a powerful “Visual Mode,” which is helpful for disassembling, analyzing control flow, and browsing the binary interactively.

Enter Visual Mode

To enter visual mode, type:

Views in Visual Mode

Disassembly view: p then d
Hexdump view: p then x
Graph view: Press V again to visualize the control flow graph (CFG).

You can navigate through the disassembly or CFG using the arrow keys.

Change Display Themes

Change the theme in visual mode:

e scr.color=3   # Enable theme colors

9. Advanced Analysis

Radare2 can perform deeper binary analysis, which includes reconstructing control flow, analyzing the program’s structure, and even emulating the program.

Advanced Analysis Commands

Function arguments and locals:
```
afv
```
This command lists function arguments and local variables.
Stack layout of a function:
```
afS
```

Emulation (Simulate program execution):

aei    # Enable emulation
aeip   # Emulate one instruction

Symbolic Execution

Radare2 supports symbolic execution via plugins like ESIL, which allows you to simulate the execution of binary code. This is helpful for tracing paths, checking registers, or evaluating program behavior without actually running the code.

Enable ESIL emulation:
```
aeim   # Initialize memory for ESIL
```
Set ESIL registers and step:
```
aeim
aeip
```

Radare2 Extended Commands

Radare2 (r2) is a powerful tool that can handle reverse engineering, binary patching, malware analysis, and much more. Below is a more extensive set of commands and use cases, with examples to guide you through various tasks.

1. Basic File Analysis and Exploration

Analyze Binary Structure

r2 <binary_file>
aa  # Analyze binary

Example:

r2 /bin/ls
aa

List Strings in a Binary

iz

Example:

iz | grep "error"  # Find strings related to "error"

Inspect Hexdump

px <number_of_bytes> @ <address>

Example:

px 64 @ 0x00400000

2. Function Analysis and Disassembly

List All Functions

afl

Example:

afl | grep main  # Search for main function

Disassemble Function

pdf @ <function_address>

Example:

pdf @ sym.main

Control Flow Graph (CFG) in Visual Mode

V   # Enter visual mode
V   # Toggle control flow graph

3. Patching and Modifying Binaries

Patch a Single Instruction

wa <assembly_instruction> @ <address>

Example:

wa xor eax, eax @ 0x0804845a

Patch with Raw Bytes

wx <hex_bytes> @ <address>

Example:

wx 909090 @ 0x0804845a  # Write 3 NOPs at the specified address

Save and Exit
```
wq
```

4. Debugging

Start Debugging a Binary
```
r2 -d <binary_file>
```
Example:
```
r2 -d ./a.out
```

Set Breakpoint

db <address>

Example:

db 0x0804845a  # Set a breakpoint at a specific address

Continue Execution
```
dc
```
Inspect Registers
```
dr
```

5. Memory Inspection and Manipulation

Inspect Stack Memory

px 32 @ rsp   # View 32 bytes from the stack pointer

Dump Memory to a File

wtf <output_file> @ <address>

Example:

wtf dump.bin @ 0x00400000  # Dump memory to a file

Search for Specific Data in Memory

/x <hex_value>

Example:

/x 48b8    # Search for hex 0x48b8

6. Symbolic Execution and Emulation

Enable Emulation

aei   # Enable ESIL (Emulation)
aeim  # Initialize memory for ESIL
aeip  # Step through one instruction

Example:

aeim
aeip  # Execute one instruction using symbolic execution

Check ESIL Registers
```
aer
```

7. Scripting and Automation

Run Script
Create a script script.r2:

aa
pdf @ sym.main

Run the script:

r2 -i script.r2 <binary_file>

Using Python with r2pipe

import r2pipe
r2 = r2pipe.open("/bin/ls")
r2.cmd("aa")
functions = r2.cmd("afl")
print(functions)

8. Advanced Disassembly and Control Flow

Disassemble in Visual Mode
```
V
pd @ <address>
```
Example:
```
pd @ 0x08048450
```
View Function’s Control Flow Graph
```
agf @ <function_address>
```
Example:
```
agf @ sym.main
```

Analyze Function Variables and Stack

afv   # Analyze function variables
afS   # Analyze function stack

9. Finding and Analyzing References

Find All Code References

axt @ <address>

Example:

axt @ sym.main  # Find all references to 'main'

Find Function Calls
```
axtj @ sym.main
```
Find Data Cross-References
```
axtd @ <address>
```

10. Visual Mode Enhancements

Enable Color Themes

e scr.color=3  # Enable visual mode color theme

Switch Between Views in Visual Mode
- Disassembly: p then d
- Hexdump: p then x
- Control Flow: V

Ghidra

online Tools

1 - https://any.run/
2 - https://analyze.intezer.com/
3 - https://koodous.com/
4 - https://www.hybrid-analysis.com/
5 - https://www.virustotal.com/gui/home/upload