Reference
http://zerowine.sourceforge.net/
http://oc.gtisc.gatech.edu/
Here is how to install and use zerowine on Ubuntu 13.10.
You can analyze malware with zerowine: it runs the sample under Wine inside a QEMU image and records the behaviour in a report.
# tail -1 /etc/lsb-release ; uname -ri
DISTRIB_DESCRIPTION="Ubuntu 13.10"
3.11.0-18-generic x86_64
install qemu and python-pefile on the Ubuntu host (wine itself ships inside the zerowine image)
# apt-get install qemu python-pefile
download zerowine qemu image from http://zerowine.sourceforge.net/
# bunzip2 zerowine-image-2.0.0.tar.bz2
# tar xvf zerowine-image-2.0.0.tar
start zerowine.
root@ubuntu:/home/hattori/bin/srv# pwd
/home/hattori/bin/srv
# less start_img.sh
#!/bin/sh
#qemu -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
kvm -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
root@ubuntu:/home/hattori/bin/srv# ./start_img.sh
W: kvm binary is deprecated, please use qemu-system-x86_64 instead
zerowine will start.
# ps aux | grep qemu
root 14663 3.7 2.6 1596356 210088 pts/3 Sl+ 02:10 0:47 qemu-system-x86_64 -machine accel=kvm:tcg -hda zerowine.img -boot c -m 1024 -redir tcp:8000::8000 -redir tcp:2022::22 -redir tcp:8001::8001 -snapshot
root 15190 0.0 0.0 14620 908 pts/12 S+ 02:32 0:00 grep --color=auto qemu
user: malware
pass: malware
On the Ubuntu host (not inside zerowine), issue commands like this:
# pwd
/home/hattori/bin/cli
# ./xmlrpc_client.py http://localhost:8000/ /home/hattori/Malware_samples/foobar.exe /home/hattori/Zerowine_reports
[Wed Mar 26 02:16:49 2014] Checking server http://localhost:8000/ status: [ALIVE]
[Wed Mar 26 02:17:04 2014] Writting dumped file num 1 [DONE]
[Wed Mar 26 02:17:04 2014] Writting behavior report [DONE]
[Wed Mar 26 02:17:04 2014] Writting dropped files [DONE]
[Wed Mar 26 02:17:04 2014] Dumping: [DONE]
Reports are stored under the /home/hattori/Zerowine_reports directory (the third argument passed to xmlrpc_client.py).
Move to /home/hattori/Zerowine_reports.
# pwd
/home/hattori/Zerowine_reports
root@ubuntu:/home/hattori/Zerowine_reports# ls
foobar.exe1395767824.71.dump foobar.exe1395767824.71.tgz
foobar.exe1395767824.71.rpt
root@ubuntu:/home/hattori/Zerowine_reports# head -10 foobar.exe1395767824.71.rpt
Launching wine /tmp/vir/233185c90ebfeeec634b400f79b7d482/foobar.exe > 10
0009:malware:Call to CreateDirectoryW(L"C:\\windows")
0009:humanmalware:Creating directory L"C:\\windows"
0009:malware:Call to CreateDirectoryW(L"C:\\windows\\system32")
0009:humanmalware:Creating directory L"C:\\windows\\system32"
0009:malware:App (null) cmdline L"C:\\windows\\system32\\wineboot.exe --init"
0009:humanmalware:Opened process (null) with command line L"C:\\windows\\system32\\wineboot.exe --init"
0009:malware:Call to CreateFileW(L"C:\\windows\\system32\\wineboot.exe", GENERIC_READ FILE_SHARE_READ FILE_SHARE_DELETE , creation 3 attributes 0x0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows", 0, 0xbfe357dc, 0, (nil), 0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows\\system32", 0, 0xbfe357dc, 0, (nil), 0)
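The .rpt file is a plain Wine debug log, and for a real sample it runs to thousands of lines. The script below is an added example (not part of the original post or of the ZeroWine project) that parses the two line shapes visible in the excerpt above, `<tid>:malware:Call to <Api>(<args>)` and `<tid>:humanmalware:<description>`, plus the `App ... cmdline L"..."` process-launch line, and reduces them to API call counts, the paths each API touched and the processes the sample started. The sample input is constructed from the ten report lines shown above; the regexes, function names and the summary layout are my own assumptions about the format, not ZeroWine's API.

```python
"""Summarise a ZeroWine behaviour report (.rpt).

Added example, not code from the original post or from the ZeroWine
project.  Wine prints wide strings as L"..." with backslashes doubled,
so the sample below is a raw string and unescape_wstr() undoes that.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input: copied from the report excerpt in the post
# (head -10 of foobar.exe...rpt).
SAMPLE_REPORT = r'''Launching wine /tmp/vir/233185c90ebfeeec634b400f79b7d482/foobar.exe > 10
0009:malware:Call to CreateDirectoryW(L"C:\\windows")
0009:humanmalware:Creating directory L"C:\\windows"
0009:malware:Call to CreateDirectoryW(L"C:\\windows\\system32")
0009:humanmalware:Creating directory L"C:\\windows\\system32"
0009:malware:App (null) cmdline L"C:\\windows\\system32\\wineboot.exe --init"
0009:humanmalware:Opened process (null) with command line L"C:\\windows\\system32\\wineboot.exe --init"
0009:malware:Call to CreateFileW(L"C:\\windows\\system32\\wineboot.exe", GENERIC_READ FILE_SHARE_READ FILE_SHARE_DELETE , creation 3 attributes 0x0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows", 0, 0xbfe357dc, 0, (nil), 0)
0009:malware:Call to FindFirstFileExW(L"C:\\windows\\system32", 0, 0xbfe357dc, 0, (nil), 0)
'''

# <thread id>:<channel>:<message>  -- channel is "malware" for raw API
# traces and "humanmalware" for the human-readable rendering of the same event.
LINE_RE = re.compile(r'^(?P<tid>[0-9a-f]{4}):(?P<chan>malware|humanmalware):(?P<msg>.*)$')
CALL_RE = re.compile(r'^Call to (?P<api>\w+)\((?P<args>.*)\)$')
WSTR_RE = re.compile(r'L"((?:[^"\\]|\\.)*)"')   # one L"..." wide-string literal


def unescape_wstr(s):
    """Turn Wine's doubled backslashes back into single path separators."""
    return s.replace('\\\\', '\\')


def parse_report(text):
    """Reduce a report to API counts, paths per API, launched processes and events."""
    summary = {
        "api_calls": Counter(),          # api name -> number of calls
        "paths": defaultdict(list),      # api name -> first wide-string argument of each call
        "processes": [],                 # command lines the sample launched
        "events": [],                    # humanmalware descriptions, in order
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # e.g. the "Launching wine ..." banner
        chan, msg = m.group("chan"), m.group("msg")
        if chan == "humanmalware":
            summary["events"].append(msg)
            continue
        call = CALL_RE.match(msg)
        if call:
            api = call.group("api")
            summary["api_calls"][api] += 1
            strs = WSTR_RE.findall(call.group("args"))
            if strs:                     # most file/registry APIs take the path first
                summary["paths"][api].append(unescape_wstr(strs[0]))
        elif msg.startswith("App ") and " cmdline " in msg:
            strs = WSTR_RE.findall(msg)
            if strs:
                summary["processes"].append(unescape_wstr(strs[0]))
    return summary


def touched_paths(summary):
    """Every distinct path that appeared as the first argument of any call."""
    return sorted({p for paths in summary["paths"].values() for p in paths})


if __name__ == "__main__":
    s = parse_report(SAMPLE_REPORT)
    for api, n in s["api_calls"].most_common():
        print(f"{api:20s} {n:3d}  {s['paths'][api]}")
    print("processes:", s["processes"])
    print("paths:", touched_paths(s))
```

To run it over a real report, replace `SAMPLE_REPORT` with `open(path).read()`. The excerpt above is only Wine's own boot-up activity (wineboot.exe creating C:\windows), so on a real report the interesting part is what appears after that prelude; the per-API path lists make it easy to spot directories and files the sample itself created.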