Pescanner

From aldeid

Description

pescanner.py is a PE analyzer written in Python by the authors of the Malware Analyst's Cookbook. It is available on the companion DVD shipped with the book, but it is also freely distributed on Google Code.

The script has the ability to detect:

  • Files with TLS entries
  • Files with resource directories
  • Suspicious IAT entries
  • Suspicious entry point sections
  • Sections with zero-length raw sizes
  • Sections with extremely low or high entropy
  • Invalid timestamps
  • File version information

Among other things, this script is helpful to:

  • understand the behavior of an executable
  • classify malware (UPX packed, trojan downloader, trojan dropper, ...)

Installation

Dependencies

  • pefile for python
$ cd /data/src/
$ wget http://pefile.googlecode.com/files/pefile-1.2.10-123.tar.gz
$ tar xzvf pefile-1.2.10-123.tar.gz
$ cd pefile-1.2.10-123/
$ python setup.py install
  • python-magic
$ sudo aptitude install python-magic
  • yara-python

Please refer to How to install Yara

  • python: ssdeep

Please refer to How to install ssdeep

  • ClamAV

Please refer to How to install ClamAV

pescanner.py

pescanner.py is a simple python script. There is nothing to install, just download it:

$ cd /data/tools/
$ wget http://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py

Configuration

Edit pescanner.py and modify following sections:

Path to clamscan

# path to clamscan (optional)
clamscan_path = '/usr/bin/clamscan'

Paths to Yara and PEiD databases

# You should fill these in with a path to your YARA rules and PEiD database
pescan = PEScanner(files, 'zbot.yara', 'UserDB.TXT')

Usage

Usage: python pescanner.py <file|directory>

Examples

Embedded Yara scan

Let's create a yara signature to detect Zeus bot:

$ python clamav_to_yara.py -f clamav-signatures/main.ndb -s Zbot -o yara-signatures/zbot.yara

###########################################################################
	Malware Analyst's Cookbook - ClamAV to YARA Converter 0.0.1

########################################################################### 

[+] Read 64556 lines from clamav-signatures/main.ndb

[+] Wrote 89 rules to yara-signatures/zbot.yara

Now we can use this signature in pescanner:

$ tail pescanner.py
               files.append(os.path.join(root, name))
   elif os.path.isfile(object):
       files.append(object)
   else:
       print "You must supply a file or directory!"
       sys.exit()
   
   # You should fill these in with a path to your YARA rules and PEiD database
   pescan = PEScanner(files, 'zbot.yara', 'UserDB.TXT')
   pescan.collect()
$ python pescanner.py /data/exploits/pdtrain.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    /data/exploits/pdtrain.exe
Size:    88160 bytes
Type:    MS-DOS executable, MZ for MS-DOS
MD5:     1d59ccdfb5b726e1a6b4a83d4e6ca1ed
SHA1:    4ddc85fbc3a4429a3019d867be4b4e3e5f903667
ssdeep:  1536:ODL/7Yt8CWmuQ/hEvVRdPXdCZ5E3Zy3zKypZnQa94wTE1Sm3B/G2pjxziJoQb:OXDGAz1mNmypn0wm02pjxzY
Date:    0x21475346 [Fri Sep 11 01:35:02 1987 UTC] [SUSPICIOUS]
EP:      0x476560 ta 1/2 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x1a5aa [SUSPICIOUS]
Packers: FSG v1.33 (Eng) -> dulek/xt

Signature scans
================================================================================
YARA: Trojan_Spy_Zbot_456
   0x66d2 => 5746c3


Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_BITMAP          0x4000   0x5bca8  LANG_ENGLISH SUBLANG_ENGLISH_US       empty
RT_ICON            0x61104  0x8a8    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_GROUP_ICON      0x610f0  0x14     LANG_ENGLISH SUBLANG_ENGLISH_US       MS Windows icon resource - 1 icon

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
t          0x1000       0x60000      0x0          0.000000    [SUSPICIOUS]
ta         0x61000      0x16000      0x15659      7.836972    [SUSPICIOUS]

UPX packer

The following output shows the analysis of a UPX-packed malware sample. Notice the following characteristics:

  • The packer version has been detected by the script: UPX 2.90
  • The Entry Point (EP) has been identified as suspicious because it lands in the UPX1 section
  • The UPX0 section is suspicious because it has an entropy of 0
  • The UPX1 section is suspicious because its entropy score is high (7.93/8.00)
  • Obviously the file version information has been obfuscated/randomized
$ python pescanner.py /data/exploits/cbzvl.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    /data/exploits/cbzvl.exe
Size:    130048 bytes
Type:    PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed
MD5:     da604cd2fe82ebe56f8b3bc4913e6bb0
SHA1:    d93815eaa5e9af8752bacc5a513ced387e2862bc
ssdeep:  1536:dUcBQecXtiDUEuFO0Q/roqzC/dkbZaFcpzB+UWEdUY1XFpZxN2V1bBONxD:dWtWbuAnC/8BGUWEKY11p52nI
Date:    0x4BF62E35 [Fri May 21 06:54:45 2010 UTC]
EP:      0x4306c0 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x221ea [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
RT_ICON            0x3117c  0x10a8   LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_ICON            0x32228  0x468    LANG_ENGLISH SUBLANG_ENGLISH_US       GLS_BINARY_LSB_FIRST
RT_GROUP_ICON      0x32694  0x22     LANG_ENGLISH SUBLANG_ENGLISH_US       MS Windows icon resource - 2 icons, 32x32, 256-colors
RT_VERSION         0x326bc  0x2b0    LANG_ENGLISH SUBLANG_ENGLISH_US       data
RT_MANIFEST        0x32970  0x28f    LANG_ENGLISH SUBLANG_ENGLISH_US       XML document text

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
UPX0       0x1000       0x12000      0x0          0.000000    [SUSPICIOUS]
UPX1       0x13000      0x1e000      0x1da00      7.834543    [SUSPICIOUS]
.rsrc      0x31000      0x2000       0x1e00       5.302205    

Version info
================================================================================
LegalCopyright: Mkllv, Sggq, De
InternalName: Typosaw
FileVersion: 3.1.3600.4400
CompanyName: Geiraji
ProductName: Rrys
ProductVersion: 3.1.3600.4400
FileDescription: Fspirl
OriginalFilename: Tdclxd Rchyjr Jn
Translation: 0x0409 0x04b0
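To make the header and section checks above concrete, here is an added example written for this page (my own code, not pescanner.py or any Malware Analyst's Cookbook code). It parses a PE32 header with struct instead of pefile and reports four of the conditions pescanner flags: a timestamp outside a plausible build window, an entry point outside a code-named section, a section with zero raw size, and a section with extreme entropy. The thresholds (year 2000 as the earliest plausible build year, entropy below 1 or above 7 bits per byte) and the list of code-section names are my assumptions, not necessarily pescanner's exact values. The sample image is constructed to mimic the UPX0/UPX1 layout of the listing above and reuses the 1987 timestamp from the first listing on this page.

```python
"""Header and section heuristics in the spirit of pescanner.py.

Added example for this page, written from scratch; it is not pescanner.py
or any Malware Analyst's Cookbook code. It parses PE32 headers with struct
(no pefile dependency) and reports four of the conditions pescanner flags.
The thresholds and the code-section name list below are my assumptions.
"""
import math
import struct
import time

# Assumption: sections in which an entry point is unremarkable.
CODE_SECTIONS = {".text", ".code", "CODE", "INIT", "PAGE"}
EARLIEST_PLAUSIBLE_YEAR = 2000           # assumption
LOW_ENTROPY, HIGH_ENTROPY = 1.0, 7.0     # assumption, bits per byte


def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(blob):
    """Return (TimeDateStamp, AddressOfEntryPoint, sections) from raw bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i                         # 40-byte section headers
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": va, "vsize": vsize, "rawsize": rawsize,
                         "data": blob[rawptr:rawptr + rawsize]})
    return timestamp, entry_rva, sections


def scan(blob, now=None):
    """Return the list of [SUSPICIOUS]-style findings for one PE image."""
    now = time.time() if now is None else now
    timestamp, entry_rva, sections = parse_pe(blob)
    alerts = []
    built = time.gmtime(timestamp)
    if built.tm_year < EARLIEST_PLAUSIBLE_YEAR or timestamp > now:
        alerts.append("timestamp 0x%x (%s) outside plausible build window"
                      % (timestamp, time.strftime("%Y-%m-%d", built)))
    ep_sec = next((s for s in sections
                   if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        alerts.append("entry point 0x%x lies in no section" % entry_rva)
    elif ep_sec["name"] not in CODE_SECTIONS:
        alerts.append("entry point 0x%x in section %s" % (entry_rva, ep_sec["name"]))
    for s in sections:
        if s["rawsize"] == 0:
            alerts.append("section %s has zero raw size" % s["name"])
            continue   # entropy of no bytes is meaningless; do not double-report
        e = entropy(s["data"])
        if e < LOW_ENTROPY or e > HIGH_ENTROPY:
            alerts.append("section %s entropy %.2f" % (s["name"], e))
    return alerts


def build_sample_pe(timestamp=0x21475346):
    """Constructed two-section PE32 image (test data, not a real binary) laid
    out like the packed samples above: UPX0 has no raw data, UPX1 holds the
    entry point and maximally random-looking bytes. The default timestamp is
    the 1987 value from the first listing on this page."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                      # AddressOfEntryPoint -> UPX1
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    payload = bytes(range(256)) * 2                              # entropy exactly 8.0
    sec0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x1000, 0x2000, len(payload), 0x200,
                       0, 0, 0, 0, 0xE0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec0 + sec1   # 0x188 bytes
    return headers.ljust(0x200, b"\0") + payload


if __name__ == "__main__":
    for a in scan(build_sample_pe()):
        print("[SUSPICIOUS]", a)
```

Running the script on the constructed image reproduces the pattern of the listing above: the 1987 timestamp, the entry point inside UPX1, the zero raw size of UPX0 and the maximal entropy of UPX1 are each reported once. Replacing the default timestamp with the 2010 value from the UPX listing drops the timestamp finding while the three section findings remain.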

Trojan Dropper/Downloader

Let's create a yara signature to detect embedded executables:

$ cat embedded_exe.yara
rule embedded_exe
{
 strings:
     $a = "This program cannot be run in DOS mode"
 condition:
     any of them
}

Modify the pescan section in pescanner as follows:

pescan = PEScanner(files, 'embedded_exe.yara', 'UserDB.TXT')

And start pescanner:

$ python pescanner.py /data/downloads/download_scanner_5560_q66_mirascan6_3_q66_01_windows_zip.exe
################################################################################
Record 0
################################################################################

Meta-data
================================================================================
File:    /data/downloads/download_scanner_5560_q66_mirascan6_3_q66_01_windows_zip.exe
Size:    69568 bytes
Type:    PE32 executable (GUI) Intel 80386, for MS Windows
MD5:     729950aa2349f6f5f1f8117729b0e35d
SHA1:    4eede3f94b808cb1bf9614d0363e07531d911436
ssdeep:  1536:E/vsW0WkWHVwZMi2l/ygHgUNrie6TJU7m7:E1t9HVGV7arrie6dU7m
Date:    0x50D85BC6 [Mon Dec 24 13:42:30 2012 UTC]
EP:      0x401ecc .text 0/5
CRC:     Claimed: 0x0, Actual: 0x1954e [SUSPICIOUS]

Signature scans
================================================================================
YARA: embedded_exe
   0x4e => This program cannot be run in DOS mode
   0x9d06 => This program cannot be run in DOS mode
Clamav: /data/downloads/download_scanner_5560_q66_mirascan6_3_q66_01_windows_zip.exe: Win.Trojan.Downloader-3582 FOUND

Resource entries
================================================================================
Name               RVA      Size     Lang         Sublang                  Type
--------------------------------------------------------------------------------
BIN                0xc2b8   0xa00    LANG_RUSSIAN SUBLANG_RUSSIAN          PE32 executable (GUI) Intel 80386, for MS Windows
RT_ICON            0xccb8   0x25a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0xf260   0x10a8   LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x10308  0x988    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_ICON            0x10c90  0x468    LANG_RUSSIAN SUBLANG_RUSSIAN          GLS_BINARY_LSB_FIRST
RT_DIALOG          0x110f8  0x4d6    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_DIALOG          0x115d0  0x254    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_DIALOG          0x11824  0x210    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_GROUP_ICON      0x11a34  0x3e     LANG_RUSSIAN SUBLANG_RUSSIAN          MS Windows icon resource - 4 icons, 48x48, 256-colors
RT_VERSION         0x11a74  0x29c    LANG_RUSSIAN SUBLANG_RUSSIAN          data
RT_MANIFEST        0x11d10  0x279    LANG_ENGLISH SUBLANG_ENGLISH_US       ASCII text, with CRLF line terminators

Suspicious IAT alerts
================================================================================
InternetConnectA
HttpSendRequestA
InternetReadFile
ShellExecuteA
ShellExecuteExA

Sections
================================================================================
Name       VirtAddr     VirtSize     RawSize      Entropy     
--------------------------------------------------------------------------------
.text      0x1000       0x7ffd       0x8000       5.873990    
.rdata     0x9000       0x1306       0x1400       5.429786    
.data      0xb000       0xc          0x200        0.061163    [SUSPICIOUS]
.rsrc      0xc000       0x5f8c       0x6000       4.916794    
.reloc     0x12000      0x59e        0x600        5.577066    

Version info
================================================================================
LegalCopyright: Copyright c 2005 - 2012
InternalName: Downloader
FileVersion: 1, 0, 0, 0
ProductName: Downloader
ProductVersion: 1, 0, 0, 0
FileDescription: Downloader
OriginalFilename: Downloader.exe
Translation: 0x0419 0x04e3

The analyzed malware shows the following two characteristics:

  • Malware downloader
    • the IAT alerts section discloses how the program behaves at run-time: socket-related API functions are imported (InternetConnect, HttpSendRequest, InternetReadFile) as well as execution APIs (ShellExecute)
  • Malware dropper
    • our Yara embedded_exe signature triggered twice, which increases the likelihood of dropper behavior
    • there is a resource named BIN at RVA 0xc2b8 in the resource entries section with an executable file type. You can expect this malware to drop a 0xa00-byte file when executed on a system.

Moreover:

  • the claimed CRC is 0x0 which is obviously suspicious
  • ClamAV identified the malware as Win.Trojan.Downloader-3582
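The downloader/dropper reasoning above rests on two observations: which imported API names appear in the IAT, and whether a second executable is embedded in the file. The following added example (my own code for this page, not pescanner.py or the cookbook's code) reimplements both as reusable checks. The IAT watch list is grouped by suggested behaviour, a grouping I chose; the names are real Win32 imports, including the five that pescanner reported above, and matching is by substring so that ShellExecuteA and ShellExecuteExA both hit "ShellExecute", as in the listing. For embedded executables it shows the string approach of the embedded_exe YARA rule next to a structural check that only accepts an "MZ" whose e_lfanew points at a "PE\0\0" signature, so a stray "MZ" in text or a copied DOS stub message is not counted. The sample blob and the verdict rules (network plus execution imports means downloader, a second PE header means dropper) are constructed assumptions.

```python
"""Downloader/dropper indicators in the style of pescanner's IAT alerts and
the embedded_exe YARA rule. Added example for this page, not the Malware
Analyst's Cookbook code; the watch-list grouping, the verdict rules and the
sample data are my assumptions."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"

# Real Win32 import names grouped by the behaviour they suggest (my grouping).
IAT_WATCHLIST = {
    "network": ["InternetConnect", "HttpSendRequest", "InternetReadFile", "URLDownloadToFile"],
    "execution": ["ShellExecute", "WinExec", "CreateProcess"],
    "injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
}


def classify_imports(imports):
    """Substring-match imported names against the watch list (so both
    ShellExecuteA and ShellExecuteExA hit 'ShellExecute'), keeping order."""
    hits = {cat: [] for cat in IAT_WATCHLIST}
    for name in imports:
        for cat, needles in IAT_WATCHLIST.items():
            if any(n in name for n in needles):
                hits[cat].append(name)
    return hits


def stub_string_offsets(blob):
    """What the embedded_exe YARA rule sees: every DOS stub message."""
    offsets, pos = [], blob.find(DOS_STUB)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(DOS_STUB, pos + 1)
    return offsets


def pe_header_offsets(blob):
    """Structural check: an 'MZ' whose e_lfanew points at a 'PE\\0\\0'
    signature inside the file. Text containing 'MZ' is skipped."""
    offsets, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if e_lfanew >= 0x40 and blob[sig:sig + 4] == b"PE\0\0":
                offsets.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return offsets


def classify(blob, imports):
    """Assumed verdict rules: network + execution imports -> downloader;
    a second PE header inside the file -> dropper."""
    hits = classify_imports(imports)
    verdict = []
    if hits["network"] and hits["execution"]:
        verdict.append("downloader")
    if len(pe_header_offsets(blob)) > 1:
        verdict.append("dropper")
    return verdict


def tiny_pe_header():
    """Smallest layout the structural check accepts: MZ, e_lfanew=0x80, the
    stub message at 0x4E (where real stubs put it), PE\\0\\0 at 0x80.
    Constructed test data, not a real executable."""
    hdr = bytearray(0x84)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x4E:0x4E + len(DOS_STUB)] = DOS_STUB
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


def build_sample_blob():
    """Outer PE, then a text decoy containing 'MZ' and the stub message with
    no PE header behind it, then a second PE at 0x1000 as a dropper carries."""
    outer = tiny_pe_header().ljust(0x400, b"\0")
    decoy = (b"MZ-compatible loader: " + DOS_STUB).ljust(0xC00, b"\0")
    return outer + decoy + tiny_pe_header() + bytes(range(256))


if __name__ == "__main__":
    blob = build_sample_blob()
    print("stub strings at:", [hex(o) for o in stub_string_offsets(blob)])
    print("PE headers at:  ", [hex(o) for o in pe_header_offsets(blob)])
    print(classify(blob, ["InternetConnectA", "HttpSendRequestA",
                          "InternetReadFile", "ShellExecuteA", "ShellExecuteExA"]))
```

On the constructed blob the stub-string check fires three times (the outer stub, the decoy text and the embedded stub) while the structural check reports exactly two headers, at 0x0 and 0x1000; the difference is the false positive the YARA rule would produce on a file that merely contains the stub message, for instance in an error string or a resource.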
