Gist deeso/c6f8141bff00335f48369da81759ed55, last active September 20, 2017 18:51
Using pyhashdd to perform malware checks when a sandbox is not available
# Hunting for MD5s on a Disk Image Using pyhashdd and Linux

0) Figure out how to mount the image (YMMV, depending on the image type). Here we mount a raw disk image, so first print its partition table:

```shell
fdisk msedge_disk.img
```
Output:

```
Welcome to fdisk (util-linux 2.27.1).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Command (m for help): p <----- p to print the partition table
Disk disk.img: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xe3546e58

Device    Boot Start      End  Sectors Size Id Type
disk.img1 *     2048 83884031 83881984  40G  7 HPFS/NTFS/exFAT
```
1) Mount the partition read-only. The byte offset is the partition's start sector times the sector size: 2048 * 512 = 1048576.

```shell
mkdir -p clean_disk
sudo mount -o ro,loop,offset=1048576 disk.img clean_disk
```
2) Create a clean set of hashes with pyhashdd, then unmount the clean disk:

```shell
/usr/local/bin/hashdd -s -r clean_disk/ -q -a md5 > clean_hashdd_results.txt
sudo umount clean_disk
```
3) Now create a VM (if you have not already), copy the binary over, and run it however you want.

4) Shut down the VM, mount its disk image the same way, and run pyhashdd again:

```shell
mkdir -p tainted_disk
sudo mount -o ro,loop,offset=1048576 disk-mod.img tainted_disk
/usr/local/bin/hashdd -s -r tainted_disk/ -q -a md5 > tainted_hashdd_results.txt
```
5) Find the hashes that were not present on the clean image with Python:

```python
import json

def load_entries(path):
    """hashdd writes one JSON object per line; skip blank lines."""
    with open(path) as f:
        return [json.loads(line) for line in f if line.strip()]

clean_entries = load_entries("clean_hashdd_results.txt")
tainted_entries = load_entries("tainted_hashdd_results.txt")

# Every MD5 seen on the clean image is treated as known-good.
clean_md5s = {e['hashdd_md5'] for e in clean_entries if 'hashdd_md5' in e}

# Entries from the tainted image whose hash never appeared on the clean one.
unknown_entries = [e for e in tainted_entries if e.get('hashdd_md5', '') not in clean_md5s]
unknown_md5s = [e['hashdd_md5'] for e in unknown_entries if 'hashdd_md5' in e]

with open("unknown_md5s.txt", 'w') as f:
    f.write("\n".join(unknown_md5s))
```
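An added example (not part of the gist) that generalizes steps 1 and 5: it computes the `mount -o loop,offset=` value for every partition from fdisk output instead of by hand, and it triages the tainted run into unknown hashes, files rewritten in place, and known-good content that appeared at a new path. It assumes hashdd emits the file path under a key named `hashdd_path`, which is a guess; only `hashdd_md5` comes from the gist, and the sample lines are constructed.

```python
import json
import re

# Constructed sample in the format fdisk printed above (two partitions).
FDISK_OUTPUT = """\
Units: sectors of 1 * 512 = 512 bytes
Device     Boot    Start      End  Sectors Size Id Type
disk.img1  *        2048 83884031 83881984  40G  7 HPFS/NTFS/exFAT
disk.img2        83884032 83886079     2048   1M 83 Linux
"""
def partition_offsets(fdisk_text):
    """Map each partition to the byte offset that mount -o loop,offset= needs."""
    sector = int(re.search(r"Units: sectors of \d+ \* (\d+)", fdisk_text).group(1))
    offsets, in_table = {}, False
    for line in fdisk_text.splitlines():
        if line.startswith("Device"):      # header row of the partition table
            in_table = True
            continue
        m = re.match(r"(\S+)\s+(?:\*\s+)?(\d+)\s+\d+\s+\d+\s", line) if in_table else None
        if m:
            offsets[m.group(1)] = int(m.group(2)) * sector
    return offsets

# Constructed hashdd-style JSON lines. "hashdd_md5" is the key the gist uses;
# "hashdd_path" is an ASSUMED name for the file path field.
CLEAN = ['{"hashdd_path": "Windows/notepad.exe", "hashdd_md5": "11111111111111111111111111111111"}',
         '{"hashdd_path": "Windows/calc.exe", "hashdd_md5": "22222222222222222222222222222222"}']
TAINTED = ['{"hashdd_path": "Windows/notepad.exe", "hashdd_md5": "11111111111111111111111111111111"}',
           '{"hashdd_path": "Windows/calc.exe", "hashdd_md5": "33333333333333333333333333333333"}',
           '{"hashdd_path": "Users/x/AppData/svc.exe", "hashdd_md5": "22222222222222222222222222222222"}',
           '{"hashdd_path": "Temp/dropper.exe", "hashdd_md5": "44444444444444444444444444444444"}']

def triage(clean_lines, tainted_lines, path_key="hashdd_path"):
    """Split the tainted run into unknown hashes (worth a lookup), files rewritten in place, and known content at a new path."""
    clean = [json.loads(l) for l in clean_lines if l.strip()]
    clean_md5s = {e["hashdd_md5"] for e in clean if "hashdd_md5" in e}
    clean_by_path = {e[path_key]: e["hashdd_md5"] for e in clean if path_key in e}
    out = {"unknown": [], "modified": [], "copied": []}
    for e in (json.loads(l) for l in tainted_lines if l.strip()):
        md5, path = e.get("hashdd_md5"), e.get(path_key)
        if md5 is None:
            continue
        if path in clean_by_path and clean_by_path[path] != md5:
            out["modified"].append(path)   # existing file overwritten
        if md5 not in clean_md5s:
            out["unknown"].append(md5)     # content never seen on the clean image
        elif path not in clean_by_path:
            out["copied"].append(path)     # known content, new location
    return out
```

A file rewritten in place with a hash VirusTotal has never seen is the case the plain set difference in step 5 reports only as "unknown"; keeping the path lets you see which existing file was replaced.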
6) Now run the hashes through your favorite checker (e.g. Cymru or VirusTotal):

```python
# sudo pip install git+https://github.com/z-sean-huang/VirustotalAPI.git
import os
import time
import vtapi

# The API key is read from a line "vt = <key>" in ~/.config/SECRETS;
# open() does not expand "~", so expanduser() is required.
with open(os.path.expanduser("~/.config/SECRETS")) as f:
    config = f.readlines()
_vt_key = [i for i in config if i.startswith('vt = ')]
vt_key = _vt_key[0].split('vt = ')[1].strip()

with open("unknown_md5s.txt") as f:
    hashes = [i.strip() for i in f if i.strip()]

vt = vtapi.VtApi(vt_key)
file_reports = {}
for h in hashes:
    # Make sure the requests are throttled according to your account's allowance.
    time.sleep(15)
    fr = vt.file_report(h)
    if 'positives' not in fr or fr['positives'] == 0:
        continue
    print("Hash: %s has a hit" % h)
    file_reports[h] = fr   # reuse the report instead of requesting it a second time
```