Adric Net adricnet

View GitHub Profile
@adricnet
adricnet / some_vba_notes.md
Last active December 27, 2019 21:01
Some notes on VBA analysis

Some VBA notes

Tools

  • Unix (Remnux): viper.li, oletools, & Didier's tools
  • Windows: Office Excel (VBE) & Visual Studio Community (VSC), officemalscanner
  • Editors: scite, VS Code

Dependencies

@adricnet
adricnet / how-learn-malware.md
Last active March 20, 2022 16:37
Some notes on how to learn malware analysis

Yay, one of my favourite topics :) I'm still learning malware analysis, and here's what's helped me:

Resources

  • Books: PMA, and then Malware Analyst's Cookbook, Exploits, Reversing books once you get going
  • Tools: Remnux for static and a safe execution environment for dynamic[1]
  • Samples from books, courses and CTFs; virusshare is cool too, please seed!
  • Online courses: The http://opensecuritytraining.info/Training.html material is all fantastic and free.
  • Do follow the recommended paths (see the image) if you don't know, say, x86 ASM, or you may get lost fast and not get as much out of it.
@adricnet
adricnet / QD-DA-lab.md
Last active March 5, 2018 04:44
quick and dirty dynamic analysis environment from free (for personal education) stuff

for public benefit and so I can do it easier the next N times

Here's how I have built a quick and dirty dynamic analysis environment from free (for personal education) stuff. Other people do this better and have documented it extensively, eg in fine books like PMA, MAC and online classes like OST's MDA and of course FOR610 {FIXME add some links to prior work}.

I've done this on Windows, (Ubuntu) Linux and Mac machines with VirtualBox with little trouble. You can use other host OSes if you know them well enough, and you can use another VM if you have it, but the setup is a little different.

There are dozens of great tools and hundreds of useful ones. Once you know what you like and need, you can expand the build, but for now keep it simple (KISS) and get to work learning a thing.

Major components:

@adricnet
adricnet / bookmarks.md
Last active January 2, 2018 22:10
Study tracking

PMA:

  • Labs : next is 9-1 … trying 7-1 before 9-1 for IDA practice
  • Reading: 12: Hooking

MDA (OST):

  • Labs: PIvy
  • slides: skimmed all

LoB (OST):

Brad says:

Review the traffic and consult the alerts if necessary. You should be able to get the following information from the pcap:

  • The user's first and last name
  • The host name of the user's Windows computer
  • The MAC address of the user's Windows computer
  • What type(s) or item(s) of malware the user's computer is infected with.
  • How the user's computer got infected with the item(s) of malware.

@adricnet
adricnet / dosbox_build.md
Last active July 1, 2016 18:29
DOSBox build failure notes on OS X 10.11
No workee with debug on 10.11.4, will check 10.11.5
```
$ brew reinstall dosbox --with-debugger
==> Reinstalling homebrew/games/dosbox with --with-debugger
==> Downloading https://downloads.sourceforge.net/project/dosbox/dosbox/0.74/dosbox-0.74.tar.gz
Already downloaded: /Users/bsk/Library/Caches/Homebrew/dosbox-0.74.tar.gz
==> ./configure --prefix=/usr/local/Cellar/dosbox/0.74 --disable-sdltest --enable-core-inline --enable-debug --disable-dynrec
==> make install
Last 15 lines from /Users/bsk/Library/Logs/Homebrew/dosbox/02.make:
```
@adricnet
adricnet / dosbox_build.md
Created July 1, 2016 18:27
DOSBox build failure notes on OS X 10.11
```
$ brew reinstall dosbox --with-debugger
==> Reinstalling homebrew/games/dosbox with --with-debugger
==> Downloading https://downloads.sourceforge.net/project/dosbox/dosbox/0.74/dosbox-0.74.tar.gz
Already downloaded: /Users/bsk/Library/Caches/Homebrew/dosbox-0.74.tar.gz
==> ./configure --prefix=/usr/local/Cellar/dosbox/0.74 --disable-sdltest --enable-core-inline --enable-debug --disable-dynrec
==> make install
Last 15 lines from /Users/bsk/Library/Logs/Homebrew/dosbox/02.make:
^
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.11.sdk/usr/include/curses.h:322:16: note: forward declaration of '_win_st'
typedef struct _win_st WINDOW;
```
@adricnet
adricnet / IocEditorFeatures.md
Last active June 9, 2016 21:37
Some things IOC editor can't do today

In which I detail some things that the pretty nifty free[1] IOC Editor (or potentially the OpenIOC format, or MIR ?) just won't do for me. Some of these are explained in the very nice User Guide (UG). Maybe some of the other openioc tools can do more, like ioc_writer[2] ...

  1. Compare numbers, like file.size >= or <=
  2. Process trees, in the manner of other products
  3. Combine types in a boolean expression (UG)
  4. Any fancy hashing, like ssdeep or imphash

This is cramping my style and preventing me from even trying to implement some simple (...) use cases from past and present casework, such as

  1. IExplore.exe launches thing ... which launch things ... which launch vssadmin.exe (early Cryptowall)
@adricnet
adricnet / Encase output into something.md
Last active February 6, 2016 03:22
Encase output into something a bit more useful?

This week I had to deal with Encase tools output for some cases, and it's not likely to stop for a while. I did some of this manually today and need to script that part, and then there's the actually hard part I need to think through.

The output I'm getting is the result of selecting some kinds of data and then exporting the results from Encase 7, rather than taking a PDF or RTF, which are much worse if you actually need to use the data for anything. It's tab-separated columns of data, and is not an unfriendly format really, but it does take some work to get it into a state useful for any analysis, due to two things, which align with the two problems here:

  1. The way the data is laid out in the output text file
  2. The way the data is split into multiple pieces for each data type

Problem #1 is just a text data munging problem of the sort any scripter, sysadmin, or data analyst has probably already wrestled with and won against to some degree or another. The different data types are in columns separated

This answered some questions:

```
remnux@remnux:~/volatility-2.5$ for plugin in pslist psxview pstree connscann connections hivescan svcscan; do echo -n $plugin"|"; output=`python vol.py $plugin -h 2>&1 | grep 'Module Output Options:' | sed -e 's,Vola,,'| tail -1 `; echo $output; done
pslist|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
psxview|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
pstree|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
connscann|
connections|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
hivescan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
svcscan|Module Output Options: dot, greptext, html, json, sqlite, text, xlsx
```