peframe: portable malware analysis

When doing malware analysis it is very useful to get a quick overview of the binary before digging in, since that overview guides the rest of the analysis.

So that you can see the output for a specific binary, I ran the analysis on a bot from a Citadel trojan.

seifreed@darkmac:~/tools/malware/peframe:python peframe.py --auto citadel.exe
File Name: citadel.exe
File Size: 214528 byte
Compile Time: 2012-06-15 21:29:40
DLL: False
Sections: 3
MD5 hash: 230f7b7bb0640136ccdd932e42842378
SHA-1 hash: 8a1a9ea594f148234f3884c574ababd92270b298
Packer: None
Anti Debug: Yes
File and URL:
FILE: update.exe
FILE: gdiplus.dll
FILE: ole32.dll
FILE: gdi32.dll
FILE: .swf
FILE: facebook.com
URL: http://www.google.com/webhp
FILE: userenv.dll
FILE: urlmon.dll
FILE: cabinet.dll
URL: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php
FILE: KERNEL32.dll
FILE: USER32.dll
FILE: ADVAPI32.dll
FILE: SHLWAPI.dll
FILE: SHELL32.dll
FILE: Secur32.dll
FILE: ole32.dll
FILE: GDI32.dll
FILE: WS2_32.dll
FILE: CRYPT32.dll
FILE: WININET.dll
FILE: OLEAUT32.dll
FILE: NETAPI32.dll
FILE: VERSION.dll
FILE: WINMM.dll
Suspicious API Functions:
Func. Name: VirtualAlloc
Func. Name: GetModuleHandleA
Func. Name: GetThreadContext
Func. Name: GetTempFileNameW
Func. Name: FindFirstFileW
Func. Name: ReadProcessMemory
Func. Name: GetTempPathW
Func. Name: GetFileSizeEx
Func. Name: VirtualProtectEx
Func. Name: VirtualAllocEx
Func. Name: VirtualAllocEx
Func. Name: FindNextFileW
Func. Name: VirtualProtect
Func. Name: GetModuleHandleW
Func. Name: GetTickCount
Func. Name: CreateFileMappingW
Func. Name: CreateFileMappingW
Func. Name: DeleteFileW
Func. Name: TerminateProcess
Func. Name: WriteProcessMemory
Func. Name: GetFileAttributesExW
Func. Name: GetModuleFileNameW
Func. Name: GetVersionExW
Func. Name: GetComputerNameW
Func. Name: GetCommandLineW
Func. Name: MapViewOfFile
Func. Name: CreateThread
Func. Name: LoadLibraryA
Func. Name: LoadLibraryA
Func. Name: CreateToolhelp32Snapshot
Func. Name: Process32NextW
Func. Name: Process32FirstW
Func. Name: OpenProcess
Func. Name: CreateRemoteThread
Func. Name: GetProcAddress
Func. Name: CreateFileW
Func. Name: GetFileAttributesW
Func. Name: Sleep
Func. Name: LoadLibraryW
Func. Name: CreateDirectoryW
Func. Name: ExitThread
Func. Name: WriteFile
Func. Name: CreateProcessW
Func. Name: SetKeyboardState
Func. Name: GetUpdateRgn
Func. Name: GetUpdateRect
Func. Name: GetWindowThreadProcessId
Func. Name: RegCreateKeyW
Func. Name: RegEnumKeyW
Func. Name: RegCloseKey
Func. Name: RegDeleteValueW
Func. Name: CreateProcessAsUserA
Func. Name: CreateProcessAsUserW
Func. Name: RegOpenKeyExW
Func. Name: RegEnumKeyExW
Func. Name: OpenProcessToken
Func. Name: RegCreateKeyExW
Func. Name: ShellExecuteW
Func. Name: WSASend
Func. Name: CertDeleteCertificateFromStore
Func. Name: InternetOpenA
Func. Name: InternetCloseHandle
Func. Name: InternetQueryDataAvailable
Func. Name: InternetQueryDataAvailable
Func. Name: InternetQueryOptionW
Func. Name: InternetQueryOptionA
Func. Name: GetUrlCacheEntryInfoW
Func. Name: HttpSendRequestA
Func. Name: HttpSendRequestW
Func. Name: InternetReadFile
Func. Name: InternetReadFileExA
Func. Name: InternetCrackUrlA
Func. Name: HttpSendRequestExW
Func. Name: HttpQueryInfoA
Func. Name: InternetConnectA
Func. Name: HttpSendRequestExA
Suspicious API Anti-Debug:
Anti Debug: TerminateProcess
Anti Debug: Process32NextW
Anti Debug: Process32FirstW
Anti Debug: GetWindowThreadProcessId
Suspicious Sections:

The tool works wonderfully. Points worth highlighting:

The binary uses anti-debug techniques, and the tool was also able to extract 3 URLs hardcoded in the binary:

URL: http://www.google.com/webhp
URL: http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/%02x%02x%02x%02x.php

When Citadel detects that it is running in a controlled environment it produces fake data, and the URL shown above is one such item.
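As an added example (my own code, not peframe's and not from the original post), the script below reproduces the kind of static triage shown above over a constructed byte blob and import list: it hashes the sample, pulls URL and file-name strings, flags a printf-style URL template like the Citadel one as generated at runtime rather than a literal indicator, and groups suspicious imports into capability classes. The capability groups, their hit thresholds and the sample data are assumptions made for this example, not peframe's own tables.

```python
import hashlib
import re

# Capability groups and hit thresholds are an assumption for this example,
# not peframe's own suspicious-API tables.
CAPABILITIES = {
    "process injection": (3, {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                              "CreateRemoteThread"}),
    "process enumeration (anti-debug)": (2, {"CreateToolhelp32Snapshot", "Process32FirstW",
                                            "Process32NextW", "GetWindowThreadProcessId"}),
    "HTTP / network": (2, {"InternetOpenA", "InternetConnectA", "HttpSendRequestA",
                           "HttpSendRequestW", "InternetReadFile", "WSASend"}),
    "registry modification": (2, {"RegCreateKeyW", "RegCreateKeyExW", "RegOpenKeyExW",
                                  "RegDeleteValueW"}),
}
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
FILE_RE = re.compile(rb"[\w.-]+\.(?:exe|dll|php)\b", re.I)

def extract_strings(blob):
    """Pull URL and file-name strings, like peframe's 'File and URL' section."""
    urls = sorted({m.decode() for m in URL_RE.findall(blob)})
    # Blank the URLs first so '...%02x.php' is not re-reported as a file name.
    files = sorted({m.decode() for m in FILE_RE.findall(URL_RE.sub(b"", blob))})
    # printf-style placeholders mean the host is built at runtime (as Citadel does):
    # the string is a template, not a literal indicator to block or resolve.
    templates = [u for u in urls if "%02x" in u]
    return urls, files, templates

def classify_imports(imports):
    """Report a capability only when enough of its APIs are imported together."""
    found = set(imports)
    return {cap: sorted(apis & found)
            for cap, (min_hits, apis) in CAPABILITIES.items()
            if len(apis & found) >= min_hits}

def triage(blob, imports):
    urls, files, templates = extract_strings(blob)
    return {"md5": hashlib.md5(blob).hexdigest(), "sha1": hashlib.sha1(blob).hexdigest(),
            "urls": urls, "files": files, "templates": templates,
            "capabilities": classify_imports(imports)}

# Constructed sample: a fake byte blob and import list echoing the peframe output above.
SAMPLE_BLOB = (b"MZ\x90\x00update.exe\x00gdiplus.dll\x00http://www.google.com/webhp\x00"
               b"http://%02x%02x%02x%02x%02x%02x%02x%02x.com/%02x%02x%02x%02x/"
               b"%02x%02x%02x%02x.php\x00KERNEL32.dll\x00")
SAMPLE_IMPORTS = ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess",
                  "CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
                  "InternetOpenA", "HttpSendRequestA", "RegCreateKeyW", "Sleep"]

if __name__ == "__main__":
    print(triage(SAMPLE_BLOB, SAMPLE_IMPORTS))
```

On the constructed sample the registry group stays silent because only one of its APIs is present, which is the point of requiring several related imports before naming a capability.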