Sunday, November 17, 2013

Suspicious File Analysis With PEFRAME

In this article I am going to walk through a handy Python tool named peframe. It is a good first tool to reach for when statically analysing a suspicious file: it reads the PE headers, strings and imports without ever running the sample. I am going to go over each feature the tool provides and show why that piece of information matters when triaging malware.


What is Peframe?

Peframe is a Python-based tool that assists in the analysis of PE (Portable Executable) files. There are many tools for malware analysis, but this one is built strictly for Windows executables in PE format, such as .exe and .dll files, and it works statically: the sample is parsed, never executed.

Features of Peframe

Currently Peframe offers the following features:

1. Auto analysis
2. Hash MD5 & SHA1
3. PE file attributes
4. Version info & metadata
5. PE identifier (PEiD) signature
6. Anti virtual machine
7. Anti debug
8. Section analyzer
9. Imported DLLs & API functions
10. Search for suspicious API (anti debug) & sections
11. Dump all the information
12. Extract all the strings
13. Extract file names and URLs
14. Hex dump
15. List entry instances (import, export, resource, debug)

The auto analysis option runs most of these checks in one pass and prints a combined report. The tool is written and maintained by Gianni Amato. Its only dependency is Python 2.7.x (the 0.4.1 release used here is Python 2 code), and most current Linux and security distributions ship a suitable Python by default.

Let’s Get Started…

After downloading and unpacking peframe, the directory contains a folder named "modules" and the script itself, peframe.py. To make the script executable under Linux I ran:

chmod u+x *

This adds the execute bit for the file's owner (that is what the u in u+x means; it has nothing to do with the superuser). The shell expands the asterisk to the visible entries of the current directory only, so the command does not recurse into subdirectories such as modules and does not touch dot-files. Only peframe.py actually needs the bit, so naming that file instead of * is tidier; alternatively, run the script through the python interpreter without changing any permissions.

Running the peframe python script without any options gives you the following output:

root@chintan:~/Desktop/peframe# ./peframe.py
peframe 0.4.1 by Gianni 'guelfoweb' Amato
http://code.google.com/p/peframe/
USAGE:
        peframe
OPTIONS:
        -h      --help          This help
        -a      --auto          Show Auto analysis
        -i      --info          PE file attributes
                --hash          Hash MD5 & SHA1
                --meta          Version info & metadata
                --peid          PE Identifier Signature
                --antivm        Anti Virtual Machine
                --antidbg       Anti Debug | Disassembler
                --sections      Section analyzer
                --functions     Imported DLLs & API functions
                --suspicious    Search for suspicious API & sections
                --dump          Dumping all the information
                --strings       Extract all the string
                --file-url      Extract File Name and Url
                --file-verbose  Discover potential file name
                --hexdump       Reverse Hex dump
                --import        List Entry Import instances
                --export        List Entry Export instances
                --resource      List Entry Resource instances
                --debug         List Entry DebugData instances
root@chintan:~/Desktop/peframe#

As the USAGE line shows, you run the script, give one or more of the options listed above, and finish with the path of the malware or suspicious file you want to examine. Placeholders shown in angle brackets in the usage text are typed without the brackets.

I already had a suspicious sample named "master malware.exe" (the space in the name is why it is escaped with a backslash below), and I copied it into the peframe folder with cp, as shown here:

root@chintan:~/Desktop# ls
master malware.exe  peframe  peframe-0.4.1.zip  rawr  Recon-Ng
root@chintan:~/Desktop# cp master\ malware.exe /root/Desktop/peframe
root@chintan:~/Desktop# cd peframe/
root@chintan:~/Desktop/peframe# ls
master malware.exe  modules  peframe.py
root@chintan:~/Desktop/peframe#


First we will use the auto option, which runs the bulk of the checks in a single pass and is probably what most readers want. The command is:

root@chintan:~/Desktop/peframe# ./peframe.py -a master\ malware.exe

File Name:      master malware.exe
File Size:      1264795 byte
Compile Time:   2009-07-03 17:01:54
DLL:            False
Sections:       5
MD5   hash:     2bd10332ae061482d5d505314a97b40c
SHA-1 hash:     98dfbc07fe3c295732111bcf787eaf58ecc75dcc
Packer:         None
Anti Debug:     Yes
Anti VM:        None
File and URL discovery:
(Try option --file-verbose)
FILE:           %s.%d.tmp
FILE:           ADVAPI32.dll
FILE:           COMCTL32.DLL
FILE:           COMCTL32.dll
FILE:           COMDLG32.dll
FILE:           GDI32.dll
FILE:           KERNEL32.dll
FILE:           OLEAUT32.dll
FILE:           RC\accounts23.dat
FILE:           RC\apaths23.dat
FILE:           RC\bans23.dat
FILE:           RC\console23.dat
FILE:           RC\downlist23.dat
FILE:           RC\dstats23.dat
FILE:           RC\forwards23.dat
FILE:           RC\liteserve.exe
FILE:           RC\maildomains23.dat
FILE:           RC\mimes.txt
FILE:           RC\php\license.txt
FILE:           RC\php\php.exe
FILE:           RC\php\php4ts.dll
FILE:           RC\scripts23.dat
FILE:           RC\spaths23.dat
FILE:           RC\supaths23.dat
FILE:           RC\triggers23.dat
FILE:           RC\uplist23.dat
FILE:           RC\virtualpaths23.dat
FILE:           RC\webdomains23.dat
FILE:           SHELL32.dll
FILE:           USER32.dll
FILE:           liteserve.lnk
FILE:           ole32.dll
FILE:           riched20.dll
FILE:           riched32.dll
FILE:           server.lnk
FILE:           shlwapi.dll
URL:            RC\www\abortshutdown.php
URL:            RC\www\askreboot.php
URL:            RC\www\beep500.php
URL:            RC\www\beep5000.php
URL:            RC\www\beep50000.php
URL:            RC\www\beep500000.php
URL:            RC\www\capslock.php
URL:            RC\www\closeall.php
URL:            RC\www\closecd.php
URL:            RC\www\emptybin.php
URL:            RC\www\exitwin.php
URL:            RC\www\force60.php
URL:            RC\www\hibernate.php
URL:            RC\www\hideall.php
URL:            RC\www\hidedesktop.php
URL:            RC\www\lock.php
URL:            RC\www\logoff.php
URL:            RC\www\message.php
URL:            RC\www\minimize.php
URL:            RC\www\monitor.php
URL:            RC\www\monitor2.php
URL:            RC\www\mouseright.php
URL:            RC\www\mute.php
URL:            RC\www\nircmd.exe
URL:            RC\www\numlock.php
URL:            RC\www\opencd.php
URL:            RC\www\poweroff.php
URL:            RC\www\question.php
URL:            RC\www\question1.php
URL:            RC\www\question2.php
URL:            RC\www\reboot.php
URL:            RC\www\resize.php
URL:            RC\www\restartexplorer.php
URL:            RC\www\screensaver.php
URL:            RC\www\screensavertimeout.php
URL:            RC\www\screensavertimeout2.php
URL:            RC\www\screenshot.php
URL:            RC\www\server.exe
URL:            RC\www\showall.php
URL:            RC\www\showdesktop.php
URL:            RC\www\speak.php
URL:            RC\www\speak1.php
URL:            RC\www\speakfile.php
URL:            RC\www\standby.php
URL:            RC\www\stdbeep.php
URL:            RC\www\stopscreenshot.php
URL:            RC\www\transparent.php
URL:            RC\www\transparent2.php
URL:            RC\www\trayballoon.php
URL:            RC\www\trayballoon2.php
URL:            RC\www\trayballoon3.php
URL:            RC\www\trayballoon4.php
URL:            RC\www\volume.php
Suspicious API Functions:
Func. Name:     CreateDirectoryA
Func. Name:     CreateDirectoryW
Func. Name:     CreateFileA
Func. Name:     CreateFileW
Func. Name:     DeleteFileA
Func. Name:     DeleteFileW
Func. Name:     FindFirstFileA
Func. Name:     FindFirstFileW
Func. Name:     FindNextFileA
Func. Name:     FindNextFileW
Func. Name:     FindResourceA
Func. Name:     FindWindowExA
Func. Name:     GetCommandLineA
Func. Name:     GetFileAttributesA
Func. Name:     GetFileAttributesW
Func. Name:     GetModuleFileNameA
Func. Name:     GetModuleFileNameW
Func. Name:     GetModuleHandleA
Func. Name:     GetProcAddress
Func. Name:     GetTempPathA
Func. Name:     GetTickCount
Func. Name:     GetVersionExA
Func. Name:     LoadLibraryA
Func. Name:     OpenProcessToken
Func. Name:     RegCloseKey
Func. Name:     RegCreateKeyExA
Func. Name:     RegOpenKeyExA
Func. Name:     ShellExecuteExA
Func. Name:     Sleep
Func. Name:     WriteFile
Suspicious API Anti-Debug:
Anti Debug:     FindWindowExA
Suspicious Sections:
Sect. Name:     .CRT
MD5   hash:     686666d109c1b7ad91d3938f41d2712a
SHA-1 hash:     2b4e8377002fe7fbfee868ec21b6f9e5937dfb22
root@chintan:~/Desktop/peframe#
Above you can see a long list of DLL names, file paths, hashes and more; we will go through it in detail below. Instead of -a you can use --auto; both produce identical results.

The header block gives the file name, size, compile time, whether the image is a DLL, the section count and the file's MD5 and SHA-1 hashes. The compile time, 2009-07-03 17:01:54, comes from the TimeDateStamp field of the PE file header and puts the build more than four years before this article; keep in mind that the field is written by the linker and is trivially forged, so treat it as a hint rather than evidence. Anti Debug is reported as Yes. Peframe does not execute anything to find this out: it matches the names in the import table against a list of APIs commonly used for debugger detection, and here FindWindowExA matched (more on that below). Anti VM is None and no packer signature was recognised.

Next peframe runs its string analysis and picks out anything that looks like a file name or a URL. Two things stand out in this sample. First, the "URL" entries are not network addresses: they are relative paths under an RC\www directory that happen to end in .php, which peframe's heuristic evidently classifies as URLs because of the web-style extension. Second, the file names (liteserve.exe, php.exe, php4ts.dll, nircmd.exe, liteserve.lnk, server.lnk and the *.dat files) read like the payload of an installer that drops a small web server with PHP scripts, which is the kind of lead you then confirm with the strings and resource options. A short excerpt of the file and URL section:

FILE:           ole32.dll
FILE:           riched20.dll
FILE:           riched32.dll
FILE:           server.lnk
FILE:           shlwapi.dll
URL:            RC\www\abortshutdown.php
URL:            RC\www\askreboot.php
URL:            RC\www\beep500.php
URL:            RC\www\beep5000.php
URL:            RC\www\beep50000.php
Peframe then checks the import table for API functions commonly associated with malicious behaviour. Below are some of the functions reported for this sample. None of them is malicious on its own (every installer creates and deletes files), so read the list as a capability summary: this binary can create, enumerate and delete files and directories, write to the registry, resolve APIs at run time and launch other programs through ShellExecuteExA.

Func. Name:     CreateFileA
Func. Name:     CreateFileW
Func. Name:     DeleteFileA
Func. Name:     DeleteFileW
Func. Name:     FindFirstFileA
Among these, peframe singles out the functions associated with anti-debugging. Here it found FindWindowExA, which searches for a child window by class name or window title; debugger-detection code uses it (and FindWindowA) to look for windows belonging to well-known debuggers. The same call is also used for perfectly ordinary GUI work, so a single hit is a hint to verify in the disassembly, not proof. Microsoft's MSDN documentation describes each of these functions in detail.

Anti Debug:     FindWindowExA
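To turn a listing like this into something actionable, here is a small script I have added for this article (it is not part of peframe): it parses the Func. Name and Anti Debug lines from peframe's -a output and groups the APIs into behaviour classes. The API groupings are my own assumptions, not peframe's lists, and the sample input is a constructed subset of the listing above.

```python
"""Group the APIs in a peframe import listing into behaviour classes.

Parses the "Func. Name:" and "Anti Debug:" lines that peframe -a prints
and reports which capabilities the sample touches.  Added for this
article; the API groupings are my own, not peframe's.
"""
import re

# Behaviour classes keyed by base API names (A/W suffix removed).
API_GROUPS = {
    "file system": {"CreateFile", "WriteFile", "ReadFile", "DeleteFile",
                    "CreateDirectory", "FindFirstFile", "FindNextFile",
                    "GetFileAttributes", "GetTempPath", "CopyFile", "MoveFile"},
    "registry": {"RegOpenKeyEx", "RegCreateKeyEx", "RegSetValueEx",
                 "RegQueryValueEx", "RegDeleteValue", "RegCloseKey"},
    "process & privileges": {"ShellExecuteEx", "ShellExecute", "CreateProcess",
                             "WinExec", "OpenProcessToken", "AdjustTokenPrivileges"},
    "dynamic loading": {"LoadLibrary", "LoadLibraryEx", "GetProcAddress",
                        "GetModuleHandle"},
    # Debugger detection: direct checks, debugger-window searches and
    # timing tricks.  GetTickCount is also used benignly, so a hit here is
    # a hint to verify in the disassembly, not proof.
    "anti-debug": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                   "NtQueryInformationProcess", "OutputDebugString",
                   "FindWindow", "FindWindowEx", "GetTickCount",
                   "QueryPerformanceCounter"},
}

FUNC_LINE = re.compile(r"^(?:Func\. Name|Anti Debug):\s+(\w+)\s*$", re.M)


def normalise(api):
    """Strip the ANSI/Unicode suffix: CreateFileW -> CreateFile,
    FindWindowExA -> FindWindowEx; names without a suffix are unchanged."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def summarise(peframe_output):
    """Return {behaviour class: sorted APIs as printed}; APIs matching no
    class land in 'uncategorised'.  Duplicates (the anti-debug line
    repeats a function already listed) collapse into one entry."""
    hits = {group: set() for group in API_GROUPS}
    hits["uncategorised"] = set()
    for api in FUNC_LINE.findall(peframe_output):
        base = normalise(api)
        matched = [g for g, names in API_GROUPS.items() if base in names]
        for g in matched or ["uncategorised"]:
            hits[g].add(api)
    return {g: sorted(v) for g, v in hits.items() if v}


# Constructed input: a subset of the lines from the peframe -a run above.
SAMPLE_OUTPUT = """\
Suspicious API Functions:
Func. Name:     CreateFileA
Func. Name:     CreateFileW
Func. Name:     DeleteFileA
Func. Name:     FindWindowExA
Func. Name:     GetProcAddress
Func. Name:     GetTickCount
Func. Name:     LoadLibraryA
Func. Name:     OpenProcessToken
Func. Name:     RegCreateKeyExA
Func. Name:     ShellExecuteExA
Func. Name:     Sleep
Suspicious API Anti-Debug:
Anti Debug:     FindWindowExA
"""

if __name__ == "__main__":
    for group, apis in summarise(SAMPLE_OUTPUT).items():
        print(f"{group:22} {', '.join(apis)}")
```

Run it with the full output of ./peframe.py -a redirected into a file and you get a one-screen view of what the sample can do, which is easier to reason about than thirty function names in a column. Functions that fall into "uncategorised" (Sleep here) are worth a glance too, since the group lists are deliberately short.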

Then peframe examines the section table and reports any section whose name is outside the usual set (.text, .data, .rdata, .rsrc and so on). Here it flags .CRT. Despite the name, this has nothing to do with certificates: .CRT is the section Microsoft's compilers use for C runtime initialisation data (constructor and terminator tables), so on its own it is unremarkable. Unusual section names are still worth a look, because packers and hand-built binaries tend to use odd ones.

Sect. Name:     .CRT


Finally, for each flagged section peframe prints the MD5 and SHA-1 of that section's raw data. Note that these are section hashes, not the whole-file hashes printed at the top of the report:

MD5   hash:     686666d109c1b7ad91d3938f41d2712a
SHA-1 hash:     2b4e8377002fe7fbfee868ec21b6f9e5937dfb22


Searching the whole-file hashes on a search engine or a service such as VirusTotal will most likely turn up existing reports for this sample. A hash lookup gives nothing away, whereas uploading the sample itself to a public service discloses it, so be careful which of the two you do. With other samples the report will also carry version-resource information such as the internal name, file version, company name, product name, original file name and file description; this sample shows none.
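To show what is actually behind the header fields discussed above (the compile time, the DLL flag, section names and the per-file and per-section hashes), here is a stand-alone PE header parser written for this article using only the Python standard library; it is not peframe's code. It builds a tiny constructed PE image in memory, so it runs without a sample. The list of "common" section names and the 64-byte filler section bodies are assumptions made for the demonstration.

```python
"""Header-level PE triage with the standard library only.

Reads the fields peframe's auto report prints first (compile time, DLL
flag, section count, file hashes) plus per-section hashes, and flags
section names outside a list of common ones.  The sample image is
constructed in memory, so the script runs offline.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Section names a typical Microsoft/MinGW linker emits.  Assumed list for
# this example; peframe keeps its own.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata",
                   ".rsrc", ".reloc", ".bss", ".tls", ".pdata"}
IMAGE_FILE_DLL = 0x2000      # IMAGE_FILE_HEADER.Characteristics flag


def parse_pe(data):
    """Return header facts for the PE image in `data` (bytes)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature at e_lfanew")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, nsections, timestamp, _symtab, _nsyms, opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sect_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        # First 24 of the 40 bytes of IMAGE_SECTION_HEADER
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sect_table + i * 40)
        name = name.rstrip(b"\0").decode("latin-1")
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name,
            "md5": hashlib.md5(body).hexdigest(),
            "sha1": hashlib.sha1(body).hexdigest(),
            "suspicious": name not in COMMON_SECTIONS,
        })
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        # TimeDateStamp is seconds since the Unix epoch; it is written by
        # the linker and trivially forged, so it is a hint, not evidence.
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "machine": machine,
        "sections": sections,
    }


def build_sample_pe(section_names, timestamp, characteristics):
    """Construct a minimal PE32 image: valid headers and section table,
    64 bytes of filler per section.  It is not runnable code; it exists
    only so the parser above has input."""
    nsections = len(section_names)
    opt_size = 224                     # size of a PE32 optional header
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, timestamp,
                       0, 0, opt_size, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * nsections
    table, bodies = b"", b""
    for name in section_names:
        body = name.encode().ljust(64, b"\xcc")
        table += struct.pack("<8sIIII", name.encode(), len(body),
                             0x1000, len(body), raw_ptr) + b"\0" * 16
        raw_ptr += len(body)
        bodies += body
    return dos + b"PE\0\0" + coff + opt + table + bodies


def report(info):
    """Render the facts in the style of peframe's auto report."""
    lines = [f"File Size:      {info['size']} byte",
             f"Compile Time:   {info['compile_time']:%Y-%m-%d %H:%M:%S} UTC",
             f"DLL:            {info['is_dll']}",
             f"Sections:       {len(info['sections'])}",
             f"MD5   hash:     {info['md5']}",
             f"SHA-1 hash:     {info['sha1']}"]
    for s in info["sections"]:
        if s["suspicious"]:
            lines += [f"Suspicious section: {s['name']}",
                      f"  MD5   hash:   {s['md5']}",
                      f"  SHA-1 hash:   {s['sha1']}"]
    return lines


if __name__ == "__main__":
    # 1246640514 is 2009-07-03 17:01:54 UTC, the compile time in the article.
    sample = build_sample_pe([".text", ".data", ".CRT"], 1246640514, 0x0102)
    print("\n".join(report(parse_pe(sample))))
```

Pointing parse_pe at the bytes of a real file (open it in binary mode) gives the same fields peframe prints; the point of the exercise is to see that "Compile Time", "DLL" and "Suspicious Sections" are nothing more than a 32-bit timestamp, one bit in the Characteristics word and a string comparison on the section name, which is exactly why none of them should be trusted on its own.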

Instead of the auto option you can use each option from the help on its own, or combine several of them. I will show the important ones. First, dump everything the tool knows about the sample into a file:


root@chintan:~/Desktop/peframe# ./peframe.py --dump master\ malware.exe > dump_result.txt

This writes the output to dump_result.txt. The dump is far too long to reproduce in full here.

Next, the strings option pulls every printable string out of the sample; again, redirect it to a text file, here strings_result.txt:


root@chintan:~/Desktop/peframe# ./peframe.py --strings master\ malware.exe > strings_result.txt

The strings output is also long, though shorter than the dump. Reading through it shows which functions are involved, that the bundled web content is written in PHP and HTML, and which pages belong to the package.

The strings option lists file names and functions as well as URLs, mixed with a lot of garbage text, so picking the file names and URLs out by hand is tedious. For that use the --file-url option instead.

To use this command enter the following:


root@chintan:~/Desktop/peframe# ./peframe.py --file-url master\ malware.exe

FILE:           %s.%d.tmp
FILE:           ADVAPI32.dll
FILE:           COMCTL32.DLL
FILE:           COMCTL32.dll
FILE:           COMDLG32.dll
FILE:           GDI32.dll
FILE:           KERNEL32.dll
FILE:           OLEAUT32.dll
FILE:           RC\accounts23.dat
FILE:           RC\apaths23.dat
FILE:           RC\bans23.dat
FILE:           RC\console23.dat
FILE:           RC\downlist23.dat
FILE:           RC\dstats23.dat
FILE:           RC
FILE:           RC\virtualpaths23.dat
FILE:           RC\webdomains23.dat
FILE:           SHELL32.dll
FILE:           USER32.dll
FILE:           liteserve.lnk
FILE:           ole32.dll
FILE:           riched20.dll
FILE:           riched32.dll
FILE:           server.lnk
FILE:           shlwapi.dll
URL:            RC\www\abortshutdown.php
URL:            RC\www\askreboot.php
URL:            RC\www\beep500.php
URL:            RC\www\beep5000.php
URL:            RC\www\beep50000.php
URL:            RC\www\beep500000.php
As you can see, peframe lists file names with their extensions and, separately, the strings it takes to be URLs. Keep the caveat from the auto report in mind: the RC\www\*.php entries are local paths that merely end in a web extension, not network addresses. The --file-verbose option tries harder to discover further file names.
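The classification peframe does here can be reproduced, and refined, in a few lines. The script below is an added example, not peframe's own code: it extracts both ASCII and UTF-16LE strings from a byte buffer (the sample imports the *W variants of many APIs, so wide strings are worth extracting), then separates genuine URLs, which have a scheme, from bare file names and from path-like strings such as RC\www\lock.php that merely end in a web extension. The byte buffer, the http://example.invalid address in it and the list of extensions are all constructed for the demonstration.

```python
"""Strings extraction with FILE / PATH / URL classification.

An added, from-scratch version of what peframe --strings and --file-url
do, with two refinements: UTF-16LE strings are extracted as well as
ASCII ones, and a genuine URL (one with a scheme) is distinguished from
a local path that merely ends in a web extension.
"""
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")              # 4+ printable bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")        # 4+ UTF-16LE chars
URL_RE = re.compile(r'^(?:https?|ftp)://[^\s<>"]+$', re.I)
# Extensions treated as "file-like"; an assumed list for this example.
FILE_EXT = re.compile(
    r"\.(exe|dll|sys|dat|txt|lnk|tmp|php|html?|asp|js|vbs|bat|cmd)$", re.I)


def extract_strings(data):
    """Return (ascii_strings, wide_strings) found in the byte buffer."""
    ascii_strings = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return ascii_strings, wide_strings


def classify(strings):
    """Sort strings into url / file / path buckets.

    url  : has a scheme (http, https, ftp)
    path : file-like extension plus a directory separator, e.g. RC\\www\\lock.php;
           these are local references, not URLs, whatever the extension
    file : file-like extension without a separator, e.g. KERNEL32.dll
    Anything else is dropped as noise.
    """
    out = {"url": [], "file": [], "path": []}
    for s in strings:
        if URL_RE.match(s):
            out["url"].append(s)
        elif FILE_EXT.search(s):
            out["path" if ("\\" in s or "/" in s) else "file"].append(s)
    return out


def analyse(data):
    """Extract and classify both ASCII and wide strings in one go."""
    ascii_strings, wide_strings = extract_strings(data)
    return classify(ascii_strings + wide_strings)


# Constructed sample buffer (not a real binary): a few null-terminated
# ASCII strings modelled on the article's output, one real URL on the
# reserved .invalid TLD, and one UTF-16LE string.  The wide string is
# preceded by an extra null so the last ASCII byte before it is not
# misread as its first wide character.
SAMPLE = (
    b"\x00\x00MZ\x90\x00"
    + b"KERNEL32.dll\x00"
    + b"RC\\www\\lock.php\x00"
    + b"http://example.invalid/update.php\x00"
    + b"liteserve.lnk\x00"
    + b"%s.%d.tmp\x00\x00"
    + "RC\\php\\php.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
)

if __name__ == "__main__":
    for bucket, items in analyse(SAMPLE).items():
        for item in items:
            print(f"{bucket.upper():5} {item}")
```

Feed analyse() the bytes of a real sample and compare the result with peframe's --file-url output: the "path" bucket is where the RC\www\*.php entries land, and the wide-string pass will often surface paths and registry keys that an ASCII-only extraction misses entirely.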

The hex dump option also works as expected; note that the option is spelled --hexdump, with no hyphen inside the name. Redirect it to a file, since the output is larger than the sample itself:

root@chintan:~/Desktop/peframe# ./peframe.py --hexdump master\ malware.exe > hexdump_results.txt

Conclusion

In this article I have shown how to perform static analysis of a suspicious file with peframe. From a single run I obtained the file hashes, PE header attributes, version and metadata information, packer signatures, anti-debug indicators, the imported DLLs and API functions, and the embedded file names and URLs, none of which required executing the sample. It is a good habit for forensic investigators to run suspicious files through this open-source tool early in an investigation. One practical advantage is that it needs no configuration file, unlike many comparable tools.
