lost and found ( for me ? )

analyze malware with zerowine on Linux ( Ubuntu 13.10 )


Here is how to install / use zerowine on Ubuntu 13.10.
You can analyze malware with zerowine.

# tail -1 /etc/lsb-release ; uname -ri
3.11.0-18-generic x86_64

install wine
# apt-get install qemu python-pefile

download zerowine qemu image from http://zerowine.sourceforge.net/
# bunzip2 zerowine-image-2.0.0.tar.bz2
# tar xvf zerowine-image-2.0.0.tar

start zerowine.
root@ubuntu:/home/hattori/bin/srv# pwd

# less start_img.sh

#qemu -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
kvm -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot

root@ubuntu:/home/hattori/bin/srv# ./start_img.sh
W: kvm binary is deprecated, please use qemu-system-x86_64 instead

zerowine will start.

# ps aux | grep qemu
root     14663  3.7  2.6 1596356 210088 pts/3  Sl+  02:10   0:47 qemu-system-x86_64 -machine accel=kvm:tcg -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
root     15190  0.0  0.0  14620   908 pts/12   S+   02:32   0:00 grep --color=auto qemu

user: malware
pass: malware

on the Ubuntu box ( not zerowine ), issue commands like this:
./xmlrpc_client.py http://localhost:8000/ <malware>.exe <report directory>
# pwd

# ./xmlrpc_client.py http://localhost:8000/ /home/hattori/Malware_samples/foobar.exe /home/hattori/Zerowine_reports
[Wed Mar 26 02:16:49 2014] Checking server http://localhost:8000/ status: [ALIVE]
[Wed Mar 26 02:17:04 2014] Writting dumped file num 1 [DONE]
[Wed Mar 26 02:17:04 2014] Writting behavior report [DONE]
[Wed Mar 26 02:17:04 2014] Writting dropped files [DONE]
[Wed Mar 26 02:17:04 2014] Dumping: [DONE]

reports will be stored under /home/hattori/Malware reports directory.

move to /home/hattori/Malware reports.
# pwd

root@ubuntu:/home/hattori/Zerowine_reports# ls
foobar.exe1395767824.71.dump  foobar.exe1395767824.71.tgz

# pwd

root@ubuntu:/home/hattori/Zerowine_reports# head -10 foobar.exe1395767824.71.rpt
Launching wine /tmp/vir/233185c90ebfeeec634b400f79b7d482/foobar.exe > 10
0009:malware:Call to CreateDirectoryW(L"C:\\windows")
0009:humanmalware:Creating directory L"C:\\windows"
0009:malware:Call to CreateDirectoryW(L"C:\\windows\\system32")
0009:humanmalware:Creating directory L"C:\\windows\\system32"
0009:malware:App (null) cmdline L"C:\\windows\\system32\\wineboot.exe --init"
0009:humanmalware:Opened process (null) with command line L"C:\\windows\\system32\\wineboot.exe --init"
0009:malware:Call to CreateFileW(L"C:\\windows\\system32\\wineboot.exe", GENERIC_READ FILE_SHARE_READ FILE_SHARE_DELETE , creation 3 attributes 0x0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows", 0, 0xbfe357dc, 0, (nil), 0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows\\system32", 0, 0xbfe357dc, 0, (nil), 0)

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.