Closed spideysec closed 1 year ago
Hello, thank you for your feedback. According to the error message, the pefile module says your .exe file is not valid. Did you check its headers? If your answer is yes, can you share that sample with me so I can check and fix the tool if the DOS headers are actually correct?
NOTE: By the way, can you try to analyze other Windows executables?
There is no function/API imports found.
Try --packer or --lang to see additional info about target file.
[*] Performing YARA rule matching...
Rule name: Big_Numbers0
┏━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset ┃ Matched String/Byte     ┃
┡━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x8272 │ b'C3344CC3344CC3344CC3' │
└────────┴─────────────────────────┘
Rule name: anti_dbg
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte  ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x30b21c │ b'kernel32.dll'      │
│ 0x30c568 │ b'kernel32.dll'      │
│ 0x313688 │ b'KERNEL32.dll'      │
│ 0x337b8e │ b'KERNEL32.dll'      │
│ 0x313762 │ b'IsDebuggerPresent' │
│ 0x337d58 │ b'IsDebuggerPresent' │
└──────────┴──────────────────────┘
Rule name: disable_antivirus
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte                                      ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x31d02b │ b'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\' │
│ 0x312f36 │ b'RegSetValue'                                           │
│ 0x337c1a │ b'RegSetValue'                                           │
└──────────┴──────────────────────────────────────────────────────────┘
Rule name: escalate_priv
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte      ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll'          │
│ 0x337824 │ b'ADVAPI32.dll'          │
│ 0x312dc2 │ b'AdjustTokenPrivileges' │
└──────────┴──────────────────────────┘
Rule name: win_registry
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll'     │
│ 0x337824 │ b'ADVAPI32.dll'     │
│ 0x312e5a │ b'RegCloseKey'      │
│ 0x3377f4 │ b'RegCloseKey'      │
│ 0x312e5a │ b'RegCloseKey'      │
│ 0x3377f4 │ b'RegCloseKey'      │
└──────────┴─────────────────────┘
Rule name: win_token
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte      ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 0x312f46 │ b'ADVAPI32.dll'          │
│ 0x337824 │ b'ADVAPI32.dll'          │
│ 0x312dc2 │ b'AdjustTokenPrivileges' │
│ 0x312dae │ b'OpenProcessToken'      │
└──────────┴──────────────────────────┘
Rule name: win_files_operation
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x30b21c │ b'kernel32.dll'     │
│ 0x30c568 │ b'kernel32.dll'     │
│ 0x313688 │ b'KERNEL32.dll'     │
│ 0x337b8e │ b'KERNEL32.dll'     │
│ 0x31324e │ b'WriteFile'        │
│ 0x337aae │ b'WriteFile'        │
│ 0x313324 │ b'SetFilePointer'   │
│ 0x31349e │ b'SetFilePointer'   │
│ 0x337f8e │ b'SetFilePointer'   │
│ 0x31324e │ b'WriteFile'        │
│ 0x337aae │ b'WriteFile'        │
│ 0x313492 │ b'ReadFile'         │
│ 0x3131e2 │ b'FindClose'        │
└──────────┴─────────────────────┘
Rule name: Embedded_PE
┏━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┓
┃ Offset   ┃ Matched String/Byte ┃
┡━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━┩
│ 0x19f16  │ b'MZ'               │
│ 0x20ccb  │ b'MZ'               │
│ 0x2450d  │ b'MZ'               │
│ 0x30f2c  │ b'MZ'               │
│ 0x38d9d  │ b'MZ'               │
│ 0x5993a  │ b'MZ'               │
│ 0x5fcbe  │ b'MZ'               │
│ 0x69711  │ b'MZ'               │
│ 0x6a0c5  │ b'MZ'               │
│ 0x79f3a  │ b'MZ'               │
│ 0x95bb0  │ b'MZ'               │
│ 0xa081b  │ b'MZ'               │
│ 0xa2713  │ b'MZ'               │
│ 0xaf06e  │ b'MZ'               │
│ 0xb0503  │ b'MZ'               │
│ 0xba323  │ b'MZ'               │
│ 0xd3290  │ b'MZ'               │
│ 0xe778d  │ b'MZ'               │
│ 0xf5aa1  │ b'MZ'               │
│ 0x11a87f │ b'MZ'               │
│ 0x1286a2 │ b'MZ'               │
│ 0x145da0 │ b'MZ'               │
│ 0x146a95 │ b'MZ'               │
│ 0x1503e8 │ b'MZ'               │
│ 0x15371d │ b'MZ'               │
│ 0x15488f │ b'MZ'               │
│ 0x161342 │ b'MZ'               │
│ 0x1677a5 │ b'MZ'               │
│ 0x194664 │ b'MZ'               │
│ 0x1c2402 │ b'MZ'               │
│ 0x1d534a │ b'MZ'               │
│ 0x207483 │ b'MZ'               │
│ 0x20bff2 │ b'MZ'               │
│ 0x236103 │ b'MZ'               │
│ 0x258ada │ b'MZ'               │
│ 0x265ad4 │ b'MZ'               │
│ 0x271bf5 │ b'MZ'               │
│ 0x27b0c4 │ b'MZ'               │
│ 0x2930a6 │ b'MZ'               │
│ 0x295bd4 │ b'MZ'               │
│ 0x2a03bc │ b'MZ'               │
│ 0x2a8906 │ b'MZ'               │
│ 0x2b44b6 │ b'MZ'               │
│ 0x2d42a5 │ b'MZ'               │
│ 0x2e4800 │ b'MZ'               │
│ 0x2f4a9f │ b'MZ'               │
│ 0x2f9e62 │ b'MZ'               │
│ 0x3031d7 │ b'MZ'               │
│ 0x320600 │ b'MZ'               │
│ 0x3234e6 │ b'MZ'               │
│ 0x326f0f │ b'MZ'               │
│ 0x330377 │ b'MZ'               │
│ 0x37950d │ b'MZ'               │
│ 0x37c08e │ b'MZ'               │
└──────────┴─────────────────────┘
Traceback (most recent call last):
File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 359, in
Hmm, looks like the YARA rules find Windows APIs but pefile or radare2 couldn't. I will check your binary and find out what is wrong. I checked the link you provided; there are 3 files in there: 2 manuals and 1 setup file. Did you analyze those .pdf files with the --docs argument?
NOTE: The --analyze argument won't work against document files.
Hi, thanks for the quick response again.
I don't want to analyze the pdf file, I just want to do the software file; that is my requirement. So please check what the issue is and let me know. Again, thanks for the prompt response :).
I don't know what is going wrong recently.
Okay then. I will check and fix that issue very soon. Thank you for your report :)
Hello again. I downloaded and analyzed the files you provided. Then I tried to check their headers and find out what is wrong. I saw that these files are not actually Windows executables. So this is why the PEFormatError("DOS Header magic not found.") error occurred.
After that I downloaded a malware sample from Malware Bazaar and ran the analysis against it, and it worked.
Sample link: https://bazaar.abuse.ch/sample/7094cbca68bd05ba8068e7247cd8654e9603265a110adeaa30a604bf44efa078/
By the way, I need to implement analysis techniques for CDF files.
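The header check the maintainer describes above (and asks about in the first reply) can be done before a sample ever reaches pefile. The following is an added example, not Qu1cksc0pe's or pefile's own code; the sample bytes are constructed, and the CDF signature it uses is the standard OLE2 compound-document magic (.msi, .doc, .xls). It classifies a file by its leading bytes, validates that an 'MZ' is really followed by an e_lfanew that lands on 'PE\0\0', and contrasts that with what a plain b'MZ' byte match (as in the Embedded_PE rule output above) counts:

```python
"""Magic-byte sanity checks before handing a sample to a PE parser.

Added example, not Qu1cksc0pe's or pefile's own code. The sample bytes
below are constructed; the CDF signature is the standard OLE2 compound
document magic used by .msi, .doc and .xls containers.
"""
import struct

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"
CDF_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 / Compound Document
ELF_MAGIC = b"\x7fELF"
E_LFANEW_OFFSET = 0x3C  # DWORD in the DOS header pointing at the PE signature


def has_valid_pe_header(data: bytes, offset: int) -> bool:
    """True if data[offset:] starts with an MZ header whose e_lfanew
    lands on 'PE\\0\\0' inside the buffer. A missing MZ at offset 0 is
    exactly what pefile reports as "DOS Header magic not found."."""
    if data[offset:offset + 2] != MZ_MAGIC:
        return False
    if offset + E_LFANEW_OFFSET + 4 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, offset + E_LFANEW_OFFSET)
    sig_off = offset + e_lfanew
    if e_lfanew == 0 or sig_off + len(PE_SIGNATURE) > len(data):
        return False
    return data[sig_off:sig_off + len(PE_SIGNATURE)] == PE_SIGNATURE


def identify_container(data: bytes) -> str:
    """Classify a sample by its leading bytes: 'pe', 'mz-only' (an MZ
    stub with no PE signature behind it), 'cdf', 'elf' or 'unknown'."""
    if data.startswith(CDF_MAGIC):
        return "cdf"
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(MZ_MAGIC):
        return "pe" if has_valid_pe_header(data, 0) else "mz-only"
    return "unknown"


def count_mz_strings(data: bytes) -> int:
    """What a rule that only matches b'MZ' reports: every occurrence,
    whether or not a PE header follows it."""
    return data.count(MZ_MAGIC)


def find_embedded_pe(data: bytes) -> list:
    """Offsets of each 'MZ' that really starts a PE header."""
    hits = []
    pos = data.find(MZ_MAGIC)
    while pos != -1:
        if has_valid_pe_header(data, pos):
            hits.append(pos)
        pos = data.find(MZ_MAGIC, pos + 1)
    return hits


def build_minimal_pe() -> bytes:
    """Constructed: a 64-byte DOS header with e_lfanew = 0x40, followed
    directly by the PE signature and some zero padding."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    return bytes(dos) + PE_SIGNATURE + b"\x00" * 20


def build_sample_cdf() -> bytes:
    """Constructed: a CDF-magic container whose body holds two stray
    'MZ' byte pairs inside text plus one genuine embedded PE header."""
    filler = b"\x00" * 24 + b"AMZING MZ text " + b"\x00" * 8
    return CDF_MAGIC + filler + build_minimal_pe() + b"\x00" * 16


if __name__ == "__main__":
    sample = build_sample_cdf()
    print("container:", identify_container(sample))         # cdf
    print("raw 'MZ' hits:", count_mz_strings(sample))       # 3
    print("real PE headers at:", find_embedded_pe(sample))  # [55]
```

Run against the constructed container, the classifier reports "cdf" (so a PE parser should not be invoked on it at all), a naive 'MZ' count reports three hits, and only one of those offsets survives the e_lfanew check. That gap between string hits and validated headers is why a YARA match on API names or 'MZ' bytes inside an installer package does not contradict pefile refusing the outer file.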
Hello,
I understand the issue now and appreciate you clarifying the real problem. Thank you for bringing it to my attention.
I hope that in the future, support for this type of file can be added. It would be beneficial to have such support.
Regarding your questions:
Which alternative tool can I use for static analysis of this type of file?
I am new to this analysis field and would like to pursue further knowledge. Could you suggest a starting roadmap for me?
Thank you once again for your time and prompt response. I appreciate your dedication and hard work.
Keep up the good work!
Hello, I think I can recommend DidierStevens tools for analyzing CDF files. In a malware analysis roadmap I think you should do:
Thank you for your comments. I hope it will be helpful :)
Thank you for your valuable comments and recommendations. I really appreciate your input. Based on your suggestions, I will explore DidierStevens tools for analyzing CDF files.
In terms of the malware analysis roadmap, your insights are highly valuable. Once again, thank you for sharing these insights. Your contribution is greatly appreciated.
Thank you very much and you're welcome :)
I tried to debug it but was not able to solve the issue; I hope you will help with it. I am attaching the error I faced while running the script.
Error
Traceback (most recent call last):
  File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 359, in
    Analyzer()
  File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 276, in Analyzer
    pe = pf.PE(fileName)
         ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 2895, in __init__
    self.parse(name, data, fast_load)
  File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 3031, in parse
    raise PEFormatError("DOS Header magic not found.")
pefile.PEFormatError: 'DOS Header magic not found.'
Error in sys.excepthook:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/apport_python_hook.py", line 72, in apport_excepthook
    from apport.fileutils import likely_packaged, get_recent_crashes
  File "/usr/lib/python3/dist-packages/apport/__init__.py", line 5, in
    from apport.report import Report
  File "/usr/lib/python3/dist-packages/apport/report.py", line 32, in
    import apport.fileutils
  File "/usr/lib/python3/dist-packages/apport/fileutils.py", line 12, in
    import os, glob, subprocess, os.path, time, pwd, sys, requests_unixsocket
  File "/usr/lib/python3/dist-packages/requests_unixsocket/__init__.py", line 1, in
    import requests
  File "/usr/lib/python3/dist-packages/requests/__init__.py", line 95, in
    from urllib3.contrib import pyopenssl
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 46, in
    import OpenSSL.SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/__init__.py", line 8, in
    from OpenSSL import crypto, SSL
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1553, in
    class X509StoreFlags(object):
  File "/usr/lib/python3/dist-packages/OpenSSL/crypto.py", line 1573, in X509StoreFlags
    CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: module 'lib' has no attribute 'X509_V_FLAG_CB_ISSUER_CHECK'

Original exception was:
Traceback (most recent call last):
  File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 359, in
    Analyzer()
  File "/opt/Qu1cksc0pe/Modules/winAnalyzer.py", line 276, in Analyzer
    pe = pf.PE(fileName)
         ^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 2895, in __init__
    self.parse(name, data, fast_load)
  File "/usr/local/lib/python3.11/dist-packages/pefile.py", line 3031, in parse
    raise PEFormatError("DOS Header magic not found.")
pefile.PEFormatError: 'DOS Header magic not found.'
Hope it will get sorted, or if any changes need to be done from my side, let me know. I am using WSL 20.04.6. I even tried on my Kali Linux virtual machine and the issue was the same. I even tried to re-install the tool and it gave the same issue :')