~Dissecting Malware
f0wL's Blog about Malware Analysis and Reverse Engineering
Setting up a Malware Exchange for 36C3 with Viper

Since my original project for 36c3 (something with Chinese gear and coreboot) didn't really work out in time, I had an even better idea: setting up a Malware Sample Exchange.

After checking the projects and self-organized sessions I couldn't find anything related to malware research or a place to discuss reverse engineering (besides CTF maybe), so with the "Malware XCHG" I want to create a place for attendees to share malicious binaries and discuss them at the same time.

To host this project at the MysteryHack Assembly I wanted to use a small but capable enough machine, which is why I used the Intel NUC NUC7I3BNH that I had lying around at the time. Of course the box has to be isolated from the congress network, so everyone interested will have to plug in via Ethernet over a switch. At first I wanted to set up a Cuckoo Sandbox instance, but because of a lack of time and computing resources the Viper Framework became the tool of choice.

Viper is available on Github:


The first thing we should do is install all the dependencies viper requires to run properly.

sudo apt install git build-essential python3 python3-dev python3-pip exiftool clamav-daemon tor libdpkg-perl libssl-dev swig libffi-dev ssdeep libfuzzy-dev unrar p7zip-full


And because installing dependencies is fun, let's install some more! This time we'll take care of the necessary Python modules.

sudo pip3 install olefile pdftools pypdns pydeep virustotal-api yara pefile scrapy


And a custom module for the viper-framework:

sudo pip3 install git+https://github.com/sebdraven/verify-sigs.git


After that is done we can finally install the viper-framework via pip:

sudo pip3 install viper-framework


Running viper for the first time will create a folder called .viper in your home directory. This is where all the files, databases, notes etc. are saved.

And let's not forget the Django web interface for viper. Clone it into the .viper directory:

cd ~/.viper
git clone https://github.com/jdsnape/viper-web.git
cd viper-web

Of course viper-web has some dependencies as well, and they have to be installed before ./viper-web is started for the first time, otherwise it will fail on the missing Django imports:

sudo pip3 install -r requirements.txt


Next we have to configure the web interface in viper.conf, located in ~/.viper:

Scroll down to the [web] section and define a user/password combo and the host + port settings. I chose port 4434 and 0.0.0.0 as the host so it is reachable from connecting devices. Note that with tls = False the admin credentials and every uploaded sample cross the wire in plain text; that is only tolerable because the box sits on its own isolated switch, which is also why the iptables rules further down restrict access to that LAN.

[web]
host = 0.0.0.0
port = 4434
tls = False
certificate =
key =
admin_username = ccc
admin_password = malwarexchg

Finally we can run ./viper-web from the viper-web directory to start up viper and the Django server.

Django Server


One last step to get it operational: setting up networking and iptables sorta correctly. (I locked myself out twice while writing this, so ideally you want to have physical access to the machine whilst installing this.)

The following screenshot shows the netplan config I'm using.

Netplan config


And here's a short excerpt from my iptables rules, as listed by iptables -L -v. (I'm using iptables-persistent so they survive a reboot.)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  330 24289 ACCEPT     tcp  --  any    any     192.168.42.0/24      anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     localhost/8          anywhere             tcp dpt:ssh
  337 35307 ACCEPT     tcp  --  any    any     192.168.42.0/24      anywhere             tcp dpt:4434
    0     0 ACCEPT     tcp  --  any    any     localhost/8          anywhere             tcp dpt:4434
    0     0 ACCEPT     udp  --  any    any     192.168.42.0/24      anywhere             udp dpt:4434
    0     0 ACCEPT     udp  --  any    any     localhost/8          anywhere             udp dpt:4434
  552 41468 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable


Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination  

Chain OUTPUT (policy ACCEPT 965 packets, 602K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  any    any     192.168.42.0/24      anywhere             tcp dpt:4434
    0     0 ACCEPT     udp  --  any    any     192.168.42.0/24      anywhere             udp dpt:4434
    0     0 ACCEPT     tcp  --  any    any     localhost/8          anywhere             tcp dpt:4434
    0     0 ACCEPT     udp  --  any    any     localhost/8          anywhere             udp dpt:4434
    0     0 ACCEPT     tcp  --  any    any     localhost/8          anywhere             tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     192.168.42.0/24      anywhere             tcp dpt:ssh
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable
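
Two things in that listing are worth pointing out. The UDP rules on 4434 do nothing useful, because the Django server only speaks TCP. And the OUTPUT rules match on the destination port, which describes connections the box itself initiates (an SSH or HTTP client running on the NUC) rather than the replies the web server sends back: those carry 4434 as the source port and whatever ephemeral port the client picked as the destination. The usual way to cover both directions is a conntrack rule that accepts ESTABLISHED,RELATED traffic ahead of the final REJECT. The script below is an added example and not the rules from this post: it emits a stateful, default-deny ruleset in iptables-restore format for the same setup (LAN 192.168.42.0/24, SSH on 22, viper-web on TCP 4434, all assumed from the post and overridable via environment variables) and runs a few sanity checks over it before you load it. Because the box is meant to be isolated, it is not allowed to initiate anything outbound; load a looser ruleset temporarily when you need apt or pip.

```shell
#!/bin/sh
# Added example, not the ruleset from the post: a stateful default-deny
# firewall for the isolated Viper box, emitted in iptables-restore format.
# Assumptions (taken from the post): the exchange LAN is 192.168.42.0/24,
# SSH listens on 22 and viper-web on TCP 4434. Override via the environment.
LAN_NET="${LAN_NET:-192.168.42.0/24}"
WEB_PORT="${WEB_PORT:-4434}"

# Emit the ruleset to stdout instead of applying it, so it can be reviewed
# (and diffed against /etc/iptables/rules.v4) before iptables-restore loads it.
viper_ruleset() {
    cat <<EOF
*filter
# Policies are DROP as a safety net; the explicit REJECT rules at the end
# are what clients normally hit, so they get a fast ICMP error, not a hang.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: viper-web and its database talk to each other locally.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Stateful rules: replies to accepted connections pass in both directions.
# The web server's answers have source port $WEB_PORT and an ephemeral
# destination port, so a destination-port rule in OUTPUT never matches them.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Ping from the LAN helps when debugging the switch setup.
-A INPUT -p icmp --icmp-type echo-request -s $LAN_NET -j ACCEPT
# Only the exchange LAN may open SSH and web UI connections. HTTP is TCP
# only, so there is no UDP rule for the web port.
-A INPUT -p tcp -s $LAN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s $LAN_NET --dport $WEB_PORT -m conntrack --ctstate NEW -j ACCEPT
# Nothing else comes in, nothing is forwarded, and the box does not
# initiate connections on its own (it is supposed to be offline).
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity checks before loading: forwarding is off, conntrack is in place,
# every opened port is scoped to the LAN and no UDP rule slipped in.
# Returns 0 when all checks pass, 1 otherwise. Comment lines are skipped.
check_ruleset() {
    rules=$(viper_ruleset | grep -v '^#')
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED' || return 1
    if printf '%s\n' "$rules" | grep -q -- '-p udp'; then return 1; fi
    # Any --dport rule that is not restricted to the LAN is a finding.
    if printf '%s\n' "$rules" | grep -- '--dport' | grep -v -- "-s $LAN_NET" | grep -q .; then
        return 1
    fi
    return 0
}

# "print" mode: run the checks, then emit the ruleset for iptables-restore.
if [ "${1:-}" = "print" ]; then
    check_ruleset || { echo "ruleset failed self-check" >&2; exit 1; }
    viper_ruleset
fi
```

Review the output of `sh viper-fw.sh print`, write it to /etc/iptables/rules.v4 and load it with `iptables-restore < /etc/iptables/rules.v4`. Do this from a console session, or use `iptables-apply`, which reverts the ruleset unless you confirm it within a timeout, so a typo doesn't lock you out a third time.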


Update 27.12.2019:

Here is a photo of the Project at 36c3 in Leipzig

Setup at 36c3


Update 04.01.2020:

Thanks to everyone who shared samples at the Exchange and for the great conversations as well. See you all at 37c3 I guess :D

Here is a digest of all samples that were uploaded to the box by the end of Day 4:


36c3-malwarexchg-part1.zip: > Malshare

36c3-malwarexchg-part2.zip: > Malshare

36c3-malwarexchg-part3.zip: > Malshare

FancyBear (archive too large for Malshare): > Hybrid Analysis

CozyBear (archive too large for Malshare): > Hybrid Analysis


I literally can't think of a fitting pun - MrDec Ransomware

I took notice of the Ransomware Family after a series of posts in the Bleeping Computer Forum.

It employs techniques that are not seen very often in other ransomware samples, so the analysis is actually quite difficult, but I'm hoping reading this is also a bit interesting at least. Work in progress: because Christmas and 36c3 are coming up in the next few days I might have to push this analysis back a bit. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption...

Read More
Another one for the collection - Mespinoza (Pysa) Ransomware

Back in October of 2019 the Mespinoza Ransomware family first surfaced via Malspam. On the 14th of December it returned with a new extension .pysa so let's see if any changes have been made.

Fun Fact: The Extension "pysa" is probably derived from the Zanzibari Coin with the same name. Apparently it's quite popular with collectors. But enough of the pocket change, so let me put my two cents in on this sample :D A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning...

Read More
A "Project.exe" that should have stayed in a drawer - MZRevenge / MaMo434376

I first read about this strain on Twitter but it didn't seem like a big thing. Turns out I was wrong: in the last 3 days I collected over 35 samples :O

Searching for "Project.exe" on AnyRun yields more than a healthy list of results all matching this strain. Oh would you look at that: looks like we have a Borland Delphi application here 🧐 Yep, it's that ugly, it definitely is Delphi :D And the criminals seem to have a very strong opinion about the Land of the Free but no arguments to back it up (since the rest...

Read More
A B C, easy as один, два, три - Lockbit (ABCD) Ransomware

Let's continue with the obscure music -> malware references by analysing Lockbit, a strain that has been around for a few weeks, but with very little info about its origin and behaviour.

I got this sample from one of the victims posting in the Bleeping Computer Forum thread. From what I gather their systems fell to yet another RDP brute-force attack (one user was affected on multiple systems in their domain). A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware...

Read More
God save the Queen [...] 'cause Ransom is money - SaveTheQueen Encryptor

Honestly I couldn't decide between the title above and "All crimes are paid", but Sex Pistols fans will get it regardless ¯\_(ツ)_/¯

I found this sample while browsing the new public submissions on AnyRun on the 1st of December. It piqued my interest because there were just three samples of it on the platform at the time of writing this and they were all uploaded very recently. A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your...

Read More
Quick and painless - Reversing DeathRansom / "Wacatac"

No flashy wallpapers or other bells and whistles, but if you aren't careful and maintain backups as you should DeathRansom will take your data with it to its grave. Or will it ?

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/sources might be illegal depending on where you live. DeathRansom @ AnyRun | VirusTotal | HybridAnalysis --> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01 The plain text note doesn't look that special. I'll be referring to this strain as DeathRansom, since the

Read More


About me

Hey there! My name is Marius Genheimer aka f0wL and I'm a Computer Science student from Germany. As you can probably tell, I like to analyse malware (especially ransomware) in my spare time.

https://ransomware.email

A searchable database of e-mail addresses used in ransom notes, plus facts and analysis

"Security is #1 priority"

OpenPGP Key

Some of my Blogposts are listed on Malpedia, an invaluable resource for Malware Research. Check it out!

Malpedia