Good day. I have a new tool called MBCScan. It scans a malicious file and then lists the related MBC behaviors (Malware Behavior Catalog). MBC is similar to MITRE ATT&CK but is specifically made for cataloguing malware. More info here.
The tool determines the MBC behaviors using Flare's Capa as a library. The information is then presented via an interactive mode to make it easy to go through the result.
I am hoping this tool can be added to Remnux to spread more awareness about the MBC project. I think it has a lot of potential especially for making standardized malware reporting.
Here is a sneak peek of the tool:
$ sha256sum test.bin
f8ad6ecb49e68ac7cf261551f01d8ef3348e347cf4239368a26bb2b3ec372904 test.bin
$ ./mbcscan.py -i test.bin
[INFO] Setting up mbc database...
[INFO] Scanning test.bin...
================================================================================
Behaviors list:
================================================================================
(0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
(1) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
(2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
(3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
(4) [C0045] File System Micro-objective::Copy File
(5) [C0047] File System Micro-objective::Delete File
(6) [C0051] File System Micro-objective::Read File
(7) [C0052] File System Micro-objective::Writes File
(8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
(9) [C0040] Process Micro-objective::Allocate Thread Local Storage
(10) [C0042] Process Micro-objective::Create Mutex
(11) [C0041] Process Micro-objective::Set Thread Local Storage Value
(12) [C0018] Process Micro-objective::Terminate Process
__ ___ ____ ______ _____
/ |/ // __ ) / ____// ___/ _____ ____ _ ____
/ /|_/ // __ |/ / \__ \ / ___// __ `// __ \
/ / / // /_/ // /___ ___/ // /__ / /_/ // / / /
/_/ /_//_____/ \____/ /____/ \___/ \__,_//_/ /_/
Type "?" r "help" to display help.
View the details of a specific entry with the select command.
(mbcscan) s 3
================================================================================
Name: Write Pipe::Interprocess Communication
================================================================================
MBC_ID: attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb
External ID: C0003.004
Objectives: [OC0006] Communication Micro-objective
Parent: [C0003] Interprocess Communication
Related: [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
Create Pipe::Interprocess Communication, [C0003.002] Connect
Pipe::Interprocess Communication, [C0003.003] Read
Pipe::Interprocess Communication
Samples: None
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------
To view details of other entries, use the query command.
(mbcscan) q x0004
================================================================================
Name: Dark Comet
================================================================================
MBC_ID: malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52
External ID: X0004
Objectives: None
Parent: None
Related: None
Samples: None
Description: A Remote Access Trojan (RAT) that allows a user to control the
system via a GUI. It has many features which allows a user to use
it as administrative remote help tool; however, DarkComet has
many features which can be used maliciously. DarkComet is
commonly used to spy on the victims by taking screen captures,
key-logging, or password stealing.
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/xample-malware/dark-comet.md
- https://en.wikipedia.org/wiki/DarkComet
--------------------------------------------------------------------------------
I can open a pull request if you think this would be a good fit for Remnux users. Thanks!
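The behaviors list above is built from capa's rule metadata: every capa rule that maps to MBC carries an `mbc:` tag of the form `Objective::Behavior[::Method] [ID]`, which is the same text shown in the tool's output. As an added example (not MBCScan's code and not capa's own API), here is a small Python parser that reads those tags from the `meta` section of each rule in a capa-style JSON result and renders the numbered list. The sample document is constructed; the structured `{"parts": [...], "id": ...}` entry is handled on the assumption that capa's JSON output can render a tag that way, and duplicate tags from different rules are collapsed so each behavior is listed once.

```python
import json
import re
from dataclasses import dataclass
from typing import List, Union

# Constructed sample shaped like the "rules" section of capa's JSON output
# (rule name -> {"meta": {...}}). The "mbc" strings use the same
# "Objective::Behavior[::Method] [ID]" form that capa rule files carry.
SAMPLE_CAPA_JSON = json.dumps({
    "rules": {
        "obfuscated argument (constructed)": {
            "meta": {"mbc": ["Anti-Static Analysis::Argument Obfuscation [B0012.001]"]}
        },
        "write pipe (constructed)": {
            "meta": {"mbc": [
                "Communication Micro-objective::Interprocess Communication::Write Pipe [C0003.004]"
            ]}
        },
        "read pipe (constructed)": {
            # structured form; assumed shape, not confirmed against capa's schema
            "meta": {"mbc": [{
                "parts": ["Communication Micro-objective", "Interprocess Communication", "Read Pipe"],
                "id": "C0003.003",
            }]}
        },
        "create mutex (constructed)": {
            "meta": {"mbc": ["Process Micro-objective::Create Mutex [C0042]"]}
        },
        "create mutex again (constructed)": {  # same tag twice: must be listed once
            "meta": {"mbc": ["Process Micro-objective::Create Mutex [C0042]"]}
        },
        "untagged rule (constructed)": {"meta": {}},
    }
})

# MBC ids look like B0012.001, C0042, X0004: a short letter prefix, four digits,
# and an optional three-digit method suffix.
MBC_TAG_RE = re.compile(r"^(?P<path>.+?)\s*\[(?P<id>[A-Z]{1,2}\d{4}(?:\.\d{3})?)\]$")


@dataclass(frozen=True, order=True)
class MbcBehavior:
    objective: str
    behavior: str
    method: str  # "" when the tag has no method level
    mbc_id: str

    def label(self) -> str:
        path = f"{self.objective}::{self.behavior}"
        if self.method:
            path += f"::{self.method}"
        return f"[{self.mbc_id}] {path}"


def parse_mbc_tag(tag: str) -> MbcBehavior:
    """Parse 'Objective::Behavior[::Method] [ID]'; reject anything else."""
    m = MBC_TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not an MBC tag: {tag!r}")
    parts = [p.strip() for p in m.group("path").split("::")]
    if len(parts) not in (2, 3) or not all(parts):
        raise ValueError(f"MBC tag needs 2 or 3 '::' levels: {tag!r}")
    method = parts[2] if len(parts) == 3 else ""
    return MbcBehavior(parts[0], parts[1], method, m.group("id"))


def from_capa_entry(entry: Union[str, dict]) -> MbcBehavior:
    """Accept either the plain tag string or the assumed structured form."""
    if isinstance(entry, str):
        return parse_mbc_tag(entry)
    parts = [str(p) for p in entry["parts"]]
    if len(parts) not in (2, 3):
        raise ValueError(f"unexpected MBC parts: {parts!r}")
    method = parts[2] if len(parts) == 3 else ""
    return MbcBehavior(parts[0], parts[1], method, str(entry["id"]))


def behaviors_from_capa_json(doc_text: str) -> List[MbcBehavior]:
    """Collect the distinct MBC behaviors over all matched rules, sorted by path."""
    doc = json.loads(doc_text)
    found = set()
    for rule in doc.get("rules", {}).values():
        for entry in rule.get("meta", {}).get("mbc", []):
            found.add(from_capa_entry(entry))
    return sorted(found)


def render_behavior_list(behaviors: List[MbcBehavior]) -> List[str]:
    """Number the behaviors the way the interactive listing does: '(n) [ID] path'."""
    return [f"({i}) {b.label()}" for i, b in enumerate(behaviors)]


if __name__ == "__main__":
    for line in render_behavior_list(behaviors_from_capa_json(SAMPLE_CAPA_JSON)):
        print(line)
```

Running the block prints four numbered entries; the two rules tagged `[C0042]` collapse into one line, and a tag without a bracketed id raises `ValueError` rather than silently producing a mislabelled behavior.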