Tuesday, April 8, 2014

Pyew The Python Malware Analysis Tool

Pyew is a command-line Python tool for analysing malware. It supports hexadecimal viewing; disassembly of 16-, 32- and 64-bit Intel code; the PE and ELF file formats (it performs code analysis and exposes an API so you can script many kinds of analysis); following direct call/jmp instructions from the interactive command line; and display of function names and string data references. It also handles the OLE2 and PDF formats, among others, and can be extended with plugins.
PE Analysis
Take the sample with MD5 b6bd1640dcbd7b81970f8e4606b215e1 and simply open it with Pyew:
$ pyew b6bd1640dcbd7b81970f8e4606b215e1
PE Information
Sections:
   UPX0 0x1000 0x40000 0
   UPX1 0x41000 0x2f000 191488
   .rsrc 0x70000 0x2000 7680
Entry Point at 0x2ede0
Virtual Address is 0x46f9e0
Code Analysis ...
0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 03 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 F0 02 00    ................
0120   00 20 00 00 00 00 04 00 E0 F9 06 00 00 10 04 00    . ..............
0130   00 00 07 00 00 00 40 00 00 10 00 00 00 02 00 00    ......@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 20 07 00 00 10 00 00 00 00 00 00 02 00 00 00    . ..............
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   48 1A 07 00 C4 01 00 00 00 00 07 00 48 1A 00 00    H...........H...
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   98 FB 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00    ........UPX0....

When a PE file is opened, Pyew starts its code analysis, lists the section names and dumps the first block in hexadecimal. Judging by the section names (UPX0, UPX1, with UPX0 having no raw data at all) and the first block, the file seems to be packed with UPX, but to be sure we can run Pyew's "packer" command:

[0x00000000]> packer
MSLRH V0.31 -> emadicius
UPX -> www.upx.sourceforge.net

To be even more sure, we will check how many functions Pyew found and look at the code at the entry point:


[0x00000000]> print len(pyew.functions)
2
[0x00000000]> s ep
[0x0002ede0:0x0046f9e0]> c
0x0002ede0 ; FUNCTION start
0x0002ede0 (01) 60                   PUSHA
0x0002ede1 (05) be 00104400          MOV ESI, 0x441000
0x0002ede6 (06) 8dbe 0000fcff        LEA EDI, [ESI-0x40000]
0x0002edec (0a) c787 88570500 047424b6 MOV DWORD [EDI+0x55788], 0xb6247404
0x0002edf6 (01) 57                   PUSH EDI
0x0002edf7 (03) 83cd ff              OR EBP, -0x1
0x0002edfa (02) eb 0e                JMP 0x0002ee0a     ; 1 0x0002edfa
----------------------------------------------------------------------
0x0002edfc (01) 90                   NOP
0x0002edfd (01) 90                   NOP
0x0002edfe (01) 90                   NOP
0x0002edff (01) 90                   NOP

Yes, it is a UPX-packed file: only two functions were found, and the entry point is the typical UPX stub (PUSHA, then MOV ESI / LEA EDI setting up the packed source and the unpacking destination). I will unpack it with the upx tool (upx -d) and open the unpacked sample (MD5 fdbfe5494841163e7e74b0e541584d47):
$ pyew fdbfe5494841163e7e74b0e541584d47 
PE Information
Sections:
   .text 0x1000 0x53740 342016
   .itext 0x55000 0x774 2048
   .data 0x56000 0x1aac 7168
   .bss 0x58000 0x4cd0 0
   .idata 0x5d000 0x24d6 9728
   .tls 0x60000 0x34 0
   .rdata 0x61000 0x18 512
   .reloc 0x62000 0x5890 23040
   .rsrc 0x68000 0x4800 18432
Entry Point at 0x54314
Virtual Address is 0x455714
Code Analysis ...
0000   4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00    MZP.............
0010   B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00    ........@.......
0020   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0030   00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00    ................
0040   BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90    ........!..L.!..
0050   54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73    This program mus
0060   74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57    t be run under W
0070   69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00    in32..$7........
0080   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0090   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00C0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00F0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
0100   50 45 00 00 4C 01 09 00 EB BF 70 4B 00 00 00 00    PE..L.....pK....
0110   00 00 00 00 E0 00 8F 81 0B 01 02 19 00 40 05 00    .............@..
0120   00 E6 00 00 00 00 00 00 14 57 05 00 00 10 00 00    .........W......
0130   00 60 05 00 00 00 40 00 00 10 00 00 00 02 00 00    .`....@.........
0140   04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00    ................
0150   00 D0 06 00 00 10 00 00 00 00 00 00 02 00 00 00    ................
0160   00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00    .....@..........
0170   00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00    ................
0180   00 D0 05 00 D6 24 00 00 00 80 06 00 00 48 00 00    .....$.......H..
0190   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01A0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01B0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01C0   00 10 06 00 18 00 00 00 00 00 00 00 00 00 00 00    ................
01D0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01E0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
01F0   00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00    .........text...

This sample appears not to be packed anymore (the section layout is a normal compiler layout), but since malware packed several times over is very common, we will check again with the "packer" command:

[0x00000000]> packer
Borland Delphi 3.0 (???)
Borland Delphi 4.0
Borland Delphi v3.0
Borland Delphi v6.0 - v7.0
BobSoft Mini Delphi -> BoB / BobSoft

OK, it is a binary compiled with Delphi. I will check how many functions Pyew found:
[0x00000000]> len(pyew.functions)
191
Wow, a lot of functions! It is clear that the file is not packed anymore (a packer stub, by contrast, exposed only two). I will check whether any AV detects it, using Pyew's VirusTotal command:

[0x00000000]> vt
File fdbfe5494841163e7e74b0e541584d47 with MD5 fdbfe5494841163e7e74b0e541584d47
-------------------------------------------------------------------------------

F-Secure                 : Trojan.Crypt.Delf.AH
NOD32                    : Win32/Spy.Banker.SYR
F-Prot                   : W32/Trojan2.MFIB
VIPRE                    : BehavesLike.Win32.Malware.wlk (mx-v)
Sophos                   : Mal/Behav-053
Norman                   : W32/Malware
VBA32                    : Trojan.Win32.Delf.tqg
Avast                    : Win32:Rootkit-gen
nProtect                 : Trojan.Crypt.Delf.AH
GData                    : Trojan.Crypt.Delf.AH
Kaspersky                : Trojan.Win32.Delf.tqg
BitDefender              : Trojan.Crypt.Delf.AH
Jiangmin                 : Trojan/Delf.rqc
Command                  : W32/Trojan2.MFIB
Prevx                    : Medium Risk Malware
Antiy-AVL                : Trojan/Win32.Delf.gen
K7AntiVirus              : Trojan
AVG                      : Generic16.CMPF
Emsisoft                 : Trojan.Win32.Delf.tqg!A2
Avast5                   : Win32:Rootkit-gen
VirusBuster              : Trojan.Delf!/HJlkg0/NKU

Yes, a number of AV engines detect it, and most name it Trojan.Delf (a generic name for Delphi-compiled trojans); NOD32 goes further and classifies it as Win32/Spy.Banker.
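The checks made by eye above (UPX0/UPX1 section names, a first section with no raw data, a PUSHA at the entry point, versus the normal Delphi layout of the unpacked file) can be scripted. The following is an added example written for this page, not Pyew's own code: it parses the PE32 headers with the Python standard library, reproduces the section/entry-point banner Pyew prints, maps the entry point RVA to its file offset, and applies a few static packing heuristics. The two images it runs on are constructed from the section tables printed above; their section characteristics, the packer section-name list and the bytes placed at the entry point are assumptions, and the real samples are not included.

```python
import struct
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite", b".MPRESS1", b".MPRESS2"}  # assumed

def parse_pe(data):
    """Decode only what is needed here from a PE32 image: image base, entry RVA, section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled (PE32+ lays the optional header out differently)")
    ep_rva, _, _, image_base = struct.unpack_from("<IIII", data, opt + 16)
    sections = []
    for i in range(nsec):  # IMAGE_SECTION_HEADER is 40 bytes and follows the optional header
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return {"image_base": image_base, "ep_rva": ep_rva, "sections": sections}

def locate(pe, rva):
    """(section, file offset) for an RVA; offset is None when the RVA is only zero-fill in memory."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s, (s["rawptr"] + delta if delta < s["rawsize"] else None)
    return None, None

def report(data):
    """The facts Pyew prints in its 'PE Information' banner, in the same layout."""
    pe = parse_pe(data)
    lines = ["Sections:"]
    for s in pe["sections"]:
        lines.append("   %s 0x%x 0x%x %d" % (s["name"].decode(), s["va"], s["vsize"], s["rawsize"]))
    off = locate(pe, pe["ep_rva"])[1]
    lines.append("Entry Point at %s" % ("0x%x" % off if off is not None else "(not in file)"))
    lines.append("Virtual Address is 0x%x" % (pe["image_base"] + pe["ep_rva"]))
    return "\n".join(lines)

def packer_indicators(data):
    """Static hints that the image is packed, one short string per hit (empty list if none)."""
    pe = parse_pe(data)
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append("packer section name %s" % s["name"].decode())
        # An executable section with no bytes on disk is where the unpacker writes its output (UPX0).
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append("executable section %s has 0x%x virtual bytes but no raw data"
                        % (s["name"].decode(), s["vsize"]))
    sec, off = locate(pe, pe["ep_rva"])
    if sec is not None and sec["chars"] & IMAGE_SCN_MEM_WRITE and sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        hits.append("entry point section %s is writable and executable" % sec["name"].decode())
    if off is not None and data[off] == 0x60:  # PUSHA, the first instruction of the UPX stub
        hits.append("entry point begins with PUSHA")
    return hits

def build_pe(ep_rva, sections, ep_bytes=b""):
    """Constructed test input: 0x400 bytes of headers plus zero-filled sections, not a real binary."""
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x100)                       # e_lfanew
    hdr[0x100:0x104] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x104, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x118, 0x10B)                      # PE32 magic
    struct.pack_into("<IIII", hdr, 0x118 + 16, ep_rva, 0, 0, 0x400000)  # entry point ... image base
    raw_end = len(hdr)
    for i, (name, va, vsize, rawsize, chars) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", hdr, 0x1F8 + 40 * i, name, vsize, va, rawsize,
                         raw_end if rawsize else 0, 0, 0, 0, 0, chars)
        raw_end += rawsize
    data = bytearray(raw_end)
    data[:len(hdr)] = hdr
    _, off = locate(parse_pe(data), ep_rva)
    if ep_bytes and off is not None:
        data[off:off + len(ep_bytes)] = ep_bytes
    return bytes(data)

# Section tables exactly as Pyew printed them for the two samples; characteristics are assumed.
PACKED = build_pe(0x6F9E0, [
    (b"UPX0", 0x1000, 0x40000, 0, 0xE0000080), (b"UPX1", 0x41000, 0x2F000, 191488, 0xE0000040),
    (b".rsrc", 0x70000, 0x2000, 7680, 0xC0000040),
], ep_bytes=bytes.fromhex("60BE001044008DBE0000FCFF"))  # PUSHA; MOV ESI; LEA EDI, as in the stub above
UNPACKED = build_pe(0x55714, [
    (b".text", 0x1000, 0x53740, 342016, 0x60000020), (b".itext", 0x55000, 0x774, 2048, 0x60000020),
    (b".data", 0x56000, 0x1AAC, 7168, 0xC0000040), (b".bss", 0x58000, 0x4CD0, 0, 0xC0000000),
    (b".idata", 0x5D000, 0x24D6, 9728, 0xC0000040), (b".tls", 0x60000, 0x34, 0, 0xC0000000),
    (b".rdata", 0x61000, 0x18, 512, 0x40000040), (b".reloc", 0x62000, 0x5890, 23040, 0x42000040),
    (b".rsrc", 0x68000, 0x4800, 18432, 0x40000040),
])

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("unpacked", UNPACKED)):
        print("== %s ==\n%s\nindicators: %s" % (label, report(image), packer_indicators(image) or "none"))
```

Run directly, it prints both banners; for the packed image they match Pyew's output above (entry point at file offset 0x2ede0, virtual address 0x46f9e0) and five indicators fire, while the Delphi image produces none. Note that .bss in the unpacked build is also empty on disk, which is why the zero-raw-size check also requires the section to be executable, and that the Delphi entry point sits in .itext rather than the first section, which is why "entry point not in the first section" is deliberately not one of the heuristics.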
