I noticed that while analyzing certain binaries offline there is an issue where the analysis stops abruptly before getting to the YARA section of triage. The issue lies with the check of IP addresses against the malware domains blacklist. When the internet is unreachable, rather than skipping this section, it times out and the analysis just ends. The analysis works fine when you have internet access, but if you are analyzing malware offline, which is a very large percentage of the time, this could be troublesome.
The problem seems to arise on line 328 in ssma.py and in the source file file_strings.py. See the analysis below.
================================================================================
File Details:
File: /home/remnux/Desktop/sample.bin
Size: 419568 bytes
Type: application/x-dosexec
MD5: 62b59289e8651e5ed35e9a18f70dc28d
SHA1: 286393dfb09a57aea9753596bc79a38ec1b96331
ssdeep: 6144:F5/h6De6n6ZU43/97xYqCo8HYsKjF8BrGtQothGbtj9aUuVcade7OcqXmBh3jIA:F1h6i6n6Z9Qo5EK/thGBjsUgcadYOeUA
Date: Mon Jan 19 20:42:53 2015
PE file entropy: 6.744053952912414
================================================================================
Number of Sections: 4
Section   VirtualAddress   VirtualSize   SizeofRawData   Sections_MD5_Hash                  Section_Entropy
.text     0x1000           204133        204800          b16b856703961e7c99a298e31c8bbf92   6.882997324536023
.rdata    0x33000          59016         61440           c3b090467254c6d2a5ab7d78d91473a1   6.097080594618708
.data     0x42000          45000         32768           1c0100bf3c97224e27fb34c7fc5802f6   6.473725101397605
.rsrc     0x4d000          102592        106496          f257d7a0bb661f5b85eaa5488fca8366   6.043580449076323
================================================================================
No overlay Data Present
Suspicious flags in the characteristics of the PE file:
RELOCS_STRIPPED flag is set - This indicates that the file does not contain base relocations and must therefore be loaded at its preferred base address.
Flag has the effect of disabling Address Space Layout Randomization(ASLR) for the process.
================================================================================
This file contains a list of Windows functions commonly used by malware.
For more information use the Microsoft documentation.
IsDebuggerPresent - Checks to see if the current process is being debugged, often as part of an anti-debugging technique. This function is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
GetStartupInfoA - Retrieves a structure containing details about how the current process was configured to run, such as where the standard handles are directed.
QueryPerformanceCounter - Used to retrieve the value of the hardware-based performance counter. This function is sometimes used to gather timing information as part of an anti-debugging technique. It is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
GetTickCount - Retrieves the number of milliseconds since bootup. This function is sometimes used to gather timing information as an anti-debugging technique. GetTickCount is often added by the compiler and is included in many executables, so simply seeing it as an imported function provides little information.
CreateFileA - Creates a new file or opens an existing file.
GetVersionExA - Returns information about which version of Windows is currently running. This can be used as part of a victim survey or to select between different offsets for undocumented structures that have changed between different versions of Windows.
GetModuleHandleA - Used to obtain a handle to an already loaded module. Malware may use GetModuleHandle to locate and modify code in a loaded module or to search for a good location to inject code.
LoadLibraryA - Loads a DLL into a process that may not have been loaded when the program started. Imported by nearly every Win32 program.
GetProcAddress - Retrieves the address of a function in a DLL loaded into memory. Used to import functions from other DLLs in addition to the functions imported in the PE file header.
FindResourceA - Used to find a resource in an executable or loaded DLL. Malware sometimes uses resources to store strings, configuration information, or other malicious files. If you see this function used, check for a .rsrc section in the malware's PE header.
LoadResource - Loads a resource from a PE file into memory. Malware sometimes uses resources to store strings, configuration information, or other malicious files.
WideCharToMultiByte - Used to convert a Unicode string into an ASCII string.
CallNextHookEx - Used within code that is hooking an event set by SetWindowsHookEx. CallNextHookEx calls the next hook in the chain. Analyze the function calling CallNextHookEx to determine the purpose of a hook set by SetWindowsHookEx.
GetForegroundWindow - Returns a handle to the window currently in the foreground of the desktop. Keyloggers commonly use this function to determine in which window the user is entering his keystrokes.
GetKeyState - Used by keyloggers to obtain the status of a particular key on the keyboard.
GetDC - Returns a handle to a device context for a window or the whole screen. Spyware that takes screen captures often uses this function.
SetWindowsHookExA - Sets a hook function to be called whenever a certain event is called. Commonly used with keyloggers and spyware, this function also provides an easy way to load a DLL into all GUI processes on the system. This function is sometimes added by the compiler.
CryptAcquireContextW - Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.
RegOpenKeyA - Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.
RegOpenKeyExA - Opens a handle to a registry key for reading and editing. Registry keys are sometimes written as a way for software to achieve persistence on a host. The registry also contains a whole host of operating system and application setting information.
OpenProcessToken - Opens a handle to another process running on the system. This handle can be used to read and write to the other process memory or to inject code into the other process.
AdjustTokenPrivileges - Used to enable or disable specific access privileges. Malware that performs process injection often calls this function to gain additional permissions.
CryptAcquireContextA - Often the first function used by malware to initialize the use of Windows encryption. There are many other functions associated with encryption, most of which start with Crypt.
CoCreateInstance - Creates a COM object. COM objects provide a wide variety of functionality. The class identifier (CLSID) will tell you which file contains the code that implements the COM object. See Chapter 7 for an in-depth explanation of COM.
================================================================================
Traceback (most recent call last):
  File "/home/remnux/RE-tools/SSMA/ssma.py", line 328, in
    strings = get_strings(filename=args.filename).get_result()
  File "/home/remnux/RE-tools/SSMA/src/file_strings.py", line 17, in __init__
    self.result = (is_website(strings), is_ip(strings), is_email(strings))
  File "/home/remnux/RE-tools/SSMA/src/check_strings.py", line 39, in is_email
    if validate_email(e, check_mx=True):
  File "/home/remnux/RE-tools/SSMA/ext/validate_email.py", line 135, in validate_email
    mx_hosts = get_mx_ip(hostname)
  File "/home/remnux/RE-tools/SSMA/ext/validate_email.py", line 102, in get_mx_ip
    MX_DNS_CACHE[hostname] = DNS.mxlookup(hostname)
  File "/usr/local/lib/python3.4/dist-packages/DNS/lazy.py", line 54, in mxlookup
    l = dnslookup(name, qtype = 'mx')
  File "/usr/local/lib/python3.4/dist-packages/DNS/lazy.py", line 37, in dnslookup
    result = Base.DnsRequest(name=name, qtype=qtype).req()
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 323, in req
    self.sendUDPRequest(server)
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 376, in sendUDPRequest
    raise first_socket_error
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 351, in sendUDPRequest
    r=self.processUDPReply()
  File "/usr/local/lib/python3.4/dist-packages/DNS/Base.py", line 134, in processUDPReply
    raise TimeoutError('Timeout')
DNS.Base.TimeoutError: Timeout
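The traceback shows the string-triage stage dying inside validate_email(check_mx=True), where each candidate address triggers an MX lookup through pyDNS and the timeout propagates uncaught to the top level. Below is an added example (not SSMA's code and not a patch to it) of how a practitioner would write that stage so an offline box degrades to "unverified" instead of aborting. The MX lookup is an injected callable standing in for the DNS library; the sample strings, the CountingOfflineLookup class and the fake_online_lookup table are constructed for this example and are not taken from the sample analyzed above.

```python
"""Offline-tolerant e-mail string check for static triage.

Added example, not SSMA's code: the MX lookup is an injected callable (standing in
for a DNS library call such as the mxlookup seen in the traceback), so the check
can run with no network and can be exercised here with constructed lookups.
"""
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample strings, as if pulled from a binary's string table.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "admin@example.com",
    "support@mail.example.net",
    "not-an-email@",
    "http://example.com/update",
]

# Deliberately simple syntax check; the point here is failure handling, not RFC 5322.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

MxLookup = Callable[[str], List[str]]  # domain -> list of MX hosts; may raise


def network_reachable(host: str = "1.1.1.1", port: int = 53, timeout: float = 0.5) -> bool:
    """Cheap reachability probe with a short timeout.

    Any socket error (no route, resolver down, sandbox with no uplink) returns
    False, so the caller can skip network-dependent checks instead of blocking.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_emails(strings: Iterable[str], mx_lookup: Optional[MxLookup] = None) -> Dict[str, str]:
    """Map each e-mail-looking string to 'mx-ok', 'no-mx' or 'unverified'.

    The MX check is best-effort: the first exception from mx_lookup (a DNS
    timeout, an unreachable resolver) marks that address 'unverified' and
    disables further lookups for this run, so an offline box pays at most one
    timeout rather than one per address, and triage continues to the next stage.
    """
    results: Dict[str, str] = {}
    for s in strings:
        s = s.strip()
        if not EMAIL_RE.match(s):
            continue
        if mx_lookup is None:
            results[s] = "unverified"
            continue
        domain = s.rsplit("@", 1)[1]
        try:
            results[s] = "mx-ok" if mx_lookup(domain) else "no-mx"
        except Exception:  # DNS timeout, socket error, resolver failure
            results[s] = "unverified"
            mx_lookup = None  # stop trying; every further lookup would time out too
    return results


def triage_emails(strings: Iterable[str], online: bool, mx_lookup: MxLookup) -> Dict[str, str]:
    """Stage wrapper: only hand a resolver to find_emails when the network is up."""
    return find_emails(strings, mx_lookup if online else None)


class CountingOfflineLookup:
    """Constructed stand-in for an MX lookup on a box with no network: always times out."""

    def __init__(self) -> None:
        self.calls = 0

    def __call__(self, domain: str) -> List[str]:
        self.calls += 1
        raise TimeoutError("Timeout")


def fake_online_lookup(domain: str) -> List[str]:
    """Constructed stand-in for a working resolver; the table is made up for this example."""
    return {"example.com": ["mx1.example.com"], "mail.example.net": []}.get(domain, [])


if __name__ == "__main__":
    print("network reachable:", network_reachable())
    print("online run :", find_emails(SAMPLE_STRINGS, fake_online_lookup))
    offline = CountingOfflineLookup()
    print("offline run:", find_emails(SAMPLE_STRINGS, offline),
          "lookups attempted:", offline.calls)
```

Two design points worth noting: the probe gates the whole stage so an air-gapped analysis never touches the resolver at all, and the in-loop fallback covers the case where the probe succeeds but DNS still fails mid-run (firewalled UDP/53, flaky uplink), without paying one full timeout per address found in the binary.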