Closed WVAuditors closed 1 year ago
I guess it needs some detection for proper package selection.
I just noticed that. Thank you.
Just looking at this now - my test ended up running as hta despite correct .one extension and selection code in analyzer/lib/core/packages.py
@WVAuditors can you share the magic signature from the MS .one file so I can add it to sflock?
@doomedraven I sure can, just fill me in on what a magic signature is. Are you referring to the SHA256 hash? Or do I need to look elsewhere?
magic = open(self.sample_path, "rb").read(16)
if magic == b"\xE4\x52\x5C\x7B\x8C\xD8\xA7\x4D\xAE\xB1\x53\x78\xD0\x29\x96\xD3":
    # it's onenote
I am sorry, not a clue.
I was able to add the analysis package one.py. Ran it through analysis and lots of bad behavior. I wish I could help you more on the magic signature part. Please pardon my ignorance I am just not familiar enough with what you are referring to.
Analysis on my private sandbox
| Timestamp | Source IP | Source Port | Destination IP | Destination Port | Protocol | GID | SID | REV | Signature | Category | Severity |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 2023-01-09 17:37:30.831129+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2034316 | 1 | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) | Potentially Bad Traffic | 2 |
| 2023-01-09 17:37:30.831129+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2035139 | 1 | ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) | Misc activity | 3 |
| 2023-01-09 17:37:30.855537+0000 | 10.14.2.5 | 50419 | 8.8.8.8 | 53 | UDP | 1 | 2034316 | 1 | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) | Potentially Bad Traffic | 2 |

Signatures:
- CAPE extracted potentially suspicious content
- Multiple direct IP connections
- DNS query to anonymous/temporary file storage service detected
- Created network traffic indicative of malicious activity
Analysis on public sandbox: no detections, ran as vbs package
https://capesandbox.com/analysis/351206/
Filename
Invoice _00198683.one
File Type data
File Size 20584 bytes
MD5 af9e5a25e7ce6b5cdfbb8ebbede5de0c
SHA1 c87208e439945d3a15111475dce7a763fef75438
SHA256 15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f
SHA3-384 7ff3b722fd4efa69ad4033a18d2cdbca395e2596a8ad071f654e6b510a392cbc5a21a64e88e12b0545d694fce3d3a0ed
CRC32 71EAF22C
TLSH T179927C253BD19159C5F968325AD3EB09656AFB112662070FFB89268C4F34340CEA1FEF
Ssdeep 384:itxsi54pydQRlAueAr+KDfx+ZJOEgJ+6eAL:itxsiWpDRlwkkwEgJ7
filetype/magic, but I see that it is "data" in CAPE
file --mime yaraQA.py
yaraQA.py: text/x-script.python; charset=us-ascii
file yaraQA.py
yaraQA.py: Python script text executable, ASCII text
I have released sflock2 with MS OneNote detection; upgrade it to the latest version with pip3 install -U SFlock2 or poetry run pip install -U SFlock2
I was able to get the output below, if that helps at all for the magic signature.
b'\xe4R\{'
Installing collected packages: SFlock2
  Attempting uninstall: SFlock2
    Found existing installation: SFlock2 0.3.34
    Uninstalling SFlock2-0.3.34:
      Successfully uninstalled SFlock2-0.3.34
Successfully installed SFlock2-0.3.41
Kevin provided the proper magic for that, so now it should be autodetected and set to the one package.
>>> from sflock import unpack
>>> q = unpack(b"file.cab")
KeyboardInterrupt
>>> a = unpack(b"15212428deeeabcd5b11a1b8383c654476a3ea1b19b804e4aca606fac285387f")
>>> a.package
'one'
So that now sets the proper package.
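To make the two points in this thread concrete (the 16-byte header check from the earlier snippet, and the content-over-extension package choice that the sflock session shows), here is an added example. It is not sflock's or CAPE's own code; the only value taken from the thread is the OneNote header GUID, and the sample inputs, the `select_package` helper and its small extension-to-package mapping are constructed for illustration.

```python
import uuid

# OneNote .one files start with a 16-byte GUID header. These are the exact
# bytes quoted in the thread; decoded as a little-endian GUID they read
# {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}.
ONENOTE_MAGIC = bytes.fromhex("E4525C7B8CD8A74DAEB15378D02996D3")

# Constructed stand-ins (not real documents): a header followed by padding,
# and a harmless one-line script body.
ONENOTE_SAMPLE = ONENOTE_MAGIC + b"\x00" * 48
VBS_SAMPLE = b'MsgBox "constructed sample"\r\n'


def header_guid(data: bytes) -> str:
    """Render the first 16 bytes in the GUID notation Microsoft uses
    (first three fields little-endian), to cross-check a captured header."""
    return str(uuid.UUID(bytes_le=data[:16]))


def is_onenote(data: bytes) -> bool:
    """True when the file begins with the OneNote header GUID.
    Short inputs are rejected rather than sliced into a false negative."""
    return len(data) >= 16 and data[:16] == ONENOTE_MAGIC


def select_package(filename: str, data: bytes) -> str:
    """Content-first package selection (hypothetical helper, not CAPE's).

    Magic bytes are checked before the extension, so a .one sample that was
    renamed or mislabelled still lands in the 'one' package instead of
    falling through to a script package, which is the misrouting the thread
    describes."""
    if is_onenote(data):
        return "one"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in ("vbs", "vbe"):
        return "vbs"
    if ext == "hta":
        return "hta"
    return "generic"


if __name__ == "__main__":
    print(header_guid(ONENOTE_SAMPLE))
    print(select_package("Invoice _00198683.one", ONENOTE_SAMPLE))
    print(select_package("renamed.vbs", ONENOTE_SAMPLE))
```

The `file` tool reporting "data" for the sample is consistent with this: libmagic simply has no entry for this header, so a sandbox that relies on libmagic alone will fall back to the extension or a default script package. Pinning the check to the raw 16 bytes, as sflock now does, removes that dependency.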
About accounts on capesandbox.com
This is open source and you are getting free support so be friendly!
Prerequisites
Please answer the following questions for yourself before submitting an issue.
Expected Behavior
The expected behavior would be running [Invoice _00198683.one] for analysis. This is malware that we captured today. It seems this is a MS OneNote file.
Current Behavior
Detected as .vbs script. Are there any analysis packages for MS OneNote? If not is there a possible way to execute this malware to be analyzed running inside the onenote process with Cape?
Failure Information (for bugs)
No failure
Steps to Reproduce
Please provide detailed steps for reproducing the issue.
Context
Please provide any relevant information about your setup. This is important in case the issue is not reproducible except for under certain conditions. Operating system version, bitness, installed software versions, test sample details/hash/binary (if applicable).
$ git log | head -n1
to find out
Failure Logs
N/A