
Malware analysis

looking for the perfect virus
'''
    Malware analysis helper v1
  Licenta de utilizare:
1. acest script poate fi folosit in mod gratuit de orice persoana strict in scop personal (NO money involved)
2. utilizarea acestui script se face pe propria raspundere, nu se acorda nici un fel de garantie

  Utilizare:
python numescript.py nume_fisier_executabil.exe
  Python 2.7
 '''
import hashlib
import os
import subprocess
import sys

import win32api

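# The sample path comes from the command line; fail with a usage line instead
# of an IndexError when it is missing.
if len(sys.argv) < 2:
    sys.exit("Utilizare: python %s nume_fisier_executabil.exe" % sys.argv[0])

numef = sys.argv[1]
# The report is written next to the sample as <sample>.txt, in append mode, so
# running the script twice on the same sample adds a second report block.
numeoutf = numef + ".txt"
outf = open(numeoutf, "a")
txteditor = '"c:\\Program Files\\Notepad++\\Notepad++.exe"'
# Single command string '<editor> <report>'.  Nothing is quoted here, so if it
# is handed to a shell, a report name with spaces or cmd.exe metacharacters
# gets split or interpreted.
deschidtxt = txteditor + " " + numeoutf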

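def md5Checksum(filePath):
    """Return the hex MD5 digest of the file at *filePath*.

    The file is read in 8 KiB chunks so a large sample never has to fit in
    memory, and the handle is closed on every exit path (the original left it
    open).  MD5 is used here purely as a sample identifier for looking the
    file up in other tools; it is not collision resistant, so don't treat
    two equal digests as proof that two files are identical.

    Raises IOError/OSError if the file cannot be opened.
    """
    m = hashlib.md5()
    with open(filePath, 'rb') as fh:
        # iter() with a sentinel stops at the first empty read (EOF).
        for chunk in iter(lambda: fh.read(8192), b''):
            m.update(chunk)
    return m.hexdigest()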

#==============================================================================
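def getFileProperties(fname):
#==============================================================================
    """
    all credits for function getFileProperties go to: http://stackoverflow.com/a/7993095
    Read all properties of the given file and return them as a dictionary.

    Returned keys:
      'FixedFileInfo'  - dict of the numeric VS_FIXEDFILEINFO fields
      'StringFileInfo' - dict of the string resources listed in propNames
      'FileVersion'    - "a.b.c.d" built from the FixedFileInfo version words
    A key that could not be read stays None (no version resource, no
    translation table, or win32api unavailable).  Everything here is copied
    from the sample's own resource section, so the values are attacker-chosen
    strings, not facts about the file.
    """
    propNames = ('Comments', 'InternalName', 'ProductName', 'CompanyName', 'LegalCopyright', 'ProductVersion', 'FileDescription', 'LegalTrademarks', 'PrivateBuild', 'FileVersion', 'OriginalFilename', 'SpecialBuild')

    props = {'FixedFileInfo': None, 'StringFileInfo': None, 'FileVersion': None}

    try:
        # backslash as parm returns dictionary of numeric info corresponding to VS_FIXEDFILEINFO struc
        fixedInfo = win32api.GetFileVersionInfo(fname, '\\')
        props['FixedFileInfo'] = fixedInfo
        # Each 32-bit version value packs two 16-bit words (high.low); floor
        # division keeps the parts integers on both Python 2 and 3.
        props['FileVersion'] = "%d.%d.%d.%d" % (
            fixedInfo['FileVersionMS'] // 65536, fixedInfo['FileVersionMS'] % 65536,
            fixedInfo['FileVersionLS'] // 65536, fixedInfo['FileVersionLS'] % 65536)

        # \VarFileInfo\Translation returns list of available (language, codepage)
        # pairs that can be used to retrieve string info. We are using only the first pair.
        lang, codepage = win32api.GetFileVersionInfo(fname, '\\VarFileInfo\\Translation')[0]

        # any other must be of the form \StringfileInfo\%04X%04X\parm_name, middle
        # two are language/codepage pair returned from above
        strInfo = {}
        for propName in propNames:
            strInfoPath = u'\\StringFileInfo\\%04X%04X\\%s' % (lang, codepage, propName)
            strInfo[propName] = win32api.GetFileVersionInfo(fname, strInfoPath)

        props['StringFileInfo'] = strInfo
    except Exception:
        # Best effort by design: a missing or malformed version resource is
        # normal for malware.  Narrowed from a bare `except:` so Ctrl-C and
        # SystemExit are no longer swallowed; partial results set above are kept.
        pass

    return props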

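md5 = md5Checksum(numef)
print >>outf, "Name:", numef
print >>outf, "Size:", os.path.getsize(numef)
print >>outf, "Md5 hash:", md5, "\n"

version = getFileProperties(numef)

# 'FixedFileInfo' and 'StringFileInfo' are nested dicts, the rest are plain
# values.  Only string-valued nested entries are written, which is what the
# original produced as well (a non-string value raised TypeError on the
# concatenation and was swallowed by a bare except).  These strings are taken
# from the sample's resource section, i.e. chosen by the malware author.
for cheie in version.keys():
    valoare = version[cheie]
    if isinstance(valoare, dict):
        for nume in valoare.keys():
            text = valoare[nume]
            if isinstance(text, basestring) and text != "None":
                print >>outf, nume + ": " + text
    else:
        print >>outf, cheie, ":", valoare

print >>outf, " "
# Empty section headers for the analyst to fill in by hand.
for sectiune in ("antivirus detection", "process", "network activity",
                 "persistence", "new files", "registry", "memory strings",
                 "malware type", "removal"):
    print >>outf, "<strong>%s:</strong>" % sectiune, "\n"
print >>outf, "<strong></strong>", "\n",

outf.close()
# Open the report without going through cmd.exe: the report name is derived
# from the sample's file name, so spaces or shell metacharacters in it must be
# passed through literally rather than interpreted (os.system passed the
# unquoted string to the shell).  strip('"') tolerates the quoted editor path.
subprocess.call([txteditor.strip('"'), numeoutf])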

Exemplu output: 2013 HACK UPDATE V4.2.ex.txt

Name: 2013 HACK UPDATE V4.2.ex
Size: 397312
Md5 hash: e78198b08ce510e27183fee01886125f

FileVersion : 0.4.0.0
InternalName: 11
FileVersion: 0.04
CompanyName: SIMPLY THE WORST
ProductName: msi
ProductVersion: 0.04
OriginalFilename: 11.exe

antivirus detection:

process:

network activity:

persistence:

new files:

registry:

memory strings:

malware type:

removal:

     Util in: descoperirea unui cuvant cand se cunosc doar cateva litere, rebus, integrame, scrabble, criptanaliza, fazan, etc.

Ex de utilizare:

rebus, integrame, scrabble, criptanaliza, fazan

rebus, integrame, scrabble, criptanaliza, fazan

     Pentru a putea fi utilizat este necesar un dictionar (un fisier dex.txt ce contine un cuvant/linie), in directorul “dex/”, acesta va fi impartit in mai multe fisiere in functie de nr literelor fiecarui cuvant cu ajutorul scriptului “split dex”.

# Licenta de utilizare:
#1. acest script poate fi folosit in mod gratuit de orice persoana strict in scop personal (NO money involved)
#2. utilizarea acestui script se face pe propria raspundere, nu se acorda nici un fel de garantie

#python 2.7.3

import sys
import re

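director = "dex\\"
extensie = ".txt"

lung = len(sys.argv)

if lung <= 1:
    print "ceva trebuie sa cauti..."

# Each argument is a word pattern; '?' stands for one unknown letter.  Words
# are looked up in dex\<length>.txt (one word per line, produced by "split dex").
for i in range(1, lung):
    print "\n"
    cuvant = sys.argv[i]
    lungcuv = str(len(cuvant))
    print cuvant, ":",
    # Escape the argument first so that '.', '*', '(' etc. typed by the user
    # are matched literally instead of being treated as regex syntax (which
    # raised re.error and was misreported as a missing file); then turn the
    # escaped '?' into the single-character wildcard.
    model = re.escape(cuvant).replace("\\?", ".")
    numefisier = director + lungcuv + extensie
    try:
        fisier = open(numefisier, "r")
    except IOError:
        print "n-am gasit fisierul: ", lungcuv + extensie
        continue
    with fisier:
        for linie in fisier:
            gasit = re.search(model, linie)
            if gasit:
                print gasit.group(),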

Split dex:

# Licenta de utilizare:
#1. acest script poate fi folosit in mod gratuit de orice persoana strict in scop personal (NO money involved)
#2. utilizarea acestui script se face pe propria raspundere, nu se acorda nici un fel de garantie

#python 2.7.3

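# Source dictionary: one word per line.  Written as "\\d": in a normal string
# "\d" merely happens to survive as backslash + d on Python 2 and is an
# invalid-escape warning on newer Pythons.
dex = open("dex\\dex.txt", "r")
extensie = ".txt"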

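def creazafisier(cuvant, lungime):
    """Append *cuvant* to the per-length word list dex\\<lungime>.txt.

    lungime is the word length, already converted to str by the caller, and
    extensie is the module-level ".txt".  The file is opened in append mode
    and closed on every call; ``with`` guarantees the close even if the
    write fails.  Output is one word per line, as the old print statement
    produced.
    """
    temp = "dex\\" + lungime + extensie
    with open(temp, "a") as scriu:
        scriu.write(cuvant + "\n")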

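for line in dex:
    line = line.strip()
    # Blank lines would otherwise be appended to a meaningless dex\0.txt.
    if not line:
        continue
    litere = len(line)
    creazafisier(line, str(litere))
    print line, litere
# The dictionary file was opened at module level; release it once consumed.
dex.close()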

face cam acelasi lucru cu free file back-up script doar ca salveaza fisierul pe un server ftp si datele de configurare pot fi modificate direct in script

# Licenta de utilizare:
#1. acest script poate fi folosit in mod gratuit de orice persoana strict in scop personal (NO money involved)
#2. utilizarea acestui script se face pe propria raspundere, nu se acorda nici un fel de garantie

#python 2.7.3

from ftplib import FTP
import hashlib
import time

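# config ############################
# Polling interval in minutes.  Keep this an int: the loop below computes
# float(minute*60), and with the old string value "30" that was string
# repetition ("3030...30") instead of 1800 seconds.
minute = 30
locatie = "C:\\Python27\\"
numefisier = "back-up-online.py"

#ftp login data
# NOTE(review): the credentials sit in cleartext in this file and plain FTP
# also sends them unencrypted on the wire.  Keep the script's file permissions
# tight, use a dedicated low-privilege backup account, and prefer ftplib's
# FTP_TLS if the server supports it.
utilizator = "user-login"
parola = "pass"
adresaftp = "ftp.drivehq.com"
ftpbackupdir = "backup"
#####################################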

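def md5Checksum(filePath):
    """Return the hex MD5 digest of the whole file at *filePath*.

    The file is read in 8 KiB chunks and closed on every exit path.  In the
    original the ``return`` was tab-indented into the loop body, so the digest
    covered only the first 8192 bytes (and an empty file returned None),
    which made the change detection below miss edits further into the file.

    Raises IOError/OSError if the file cannot be opened.
    """
    m = hashlib.md5()
    with open(filePath, 'rb') as fh:
        # iter() with a sentinel stops at the first empty read (EOF).
        for chunk in iter(lambda: fh.read(8192), b''):
            m.update(chunk)
    return m.hexdigest()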

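def ftp_up(ftpaddr, username, password, ftpbkdir, dir, filefullpath, localfile):
    """Upload *filefullpath* to <ftpbkdir>/<dir>/<localfile> on the FTP server.

    Args:
        ftpaddr: FTP host name.
        username, password: login credentials.  Plain FTP sends them and the
            file in cleartext; ftplib.FTP_TLS is the drop-in alternative when
            the server supports it.
        ftpbkdir: existing base backup directory on the server.
        dir: new per-run directory created under ftpbkdir (the parameter name
            shadows the builtin but is kept for callers).
        filefullpath: local path of the file to upload.
        localfile: name to store the file under on the server.

    Prints "...done" after a successful store.  ftplib errors propagate to
    the caller; the local file and the connection are closed either way.
    """
    f = FTP(ftpaddr)
    try:
        f.login(username, password)
        f.cwd(ftpbkdir)
        f.mkd(dir)
        f.cwd(dir)
        with open(filefullpath, 'rb') as upfile:
            f.storbinary('STOR %s' % localfile, upfile)
        print "...done"
        f.quit()
    finally:
        # quit() already closed a healthy session (close() is then a no-op);
        # on the error path this drops the half-open socket.
        f.close()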

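calecompletafisier = locatie + numefisier
hash0 = md5Checksum(calecompletafisier)


def _marca_timp():
    """Return (data, ora): local time as unpadded 'YYYY-M-D' and 'H-M-S'.

    Same fields the original obtained via time.strptime(time.ctime()); the
    unpadded format is kept so remote directory names stay comparable.
    """
    t = time.localtime()
    return "%d-%d-%d" % t[:3], "%d-%d-%d" % t[3:6]


##back-up initial
data, ora = _marca_timp()
print "incep: Data: " + data + " Ora: " + ora + " Md5 Hash: " + str(hash0)
print "back-up initial ",
ftp_up(adresaftp, utilizator, parola, ftpbackupdir, data + "_" + ora, calecompletafisier, numefisier)

###back-up la intervalul prestabilit
while True:
    # float(minute) * 60, not float(minute*60): with the string config value
    # "30" the old expression repeated the string 60 times and then asked to
    # sleep for ~3e119 seconds.  Works whether minute is a str or an int.
    time.sleep(float(minute) * 60)
    hash1 = md5Checksum(calecompletafisier)
    if hash0 != hash1:
        data, ora = _marca_timp()
        numedir = data + "_" + ora
        print "fac back-up", numedir,
        ftp_up(adresaftp, utilizator, parola, ftpbackupdir, numedir, calecompletafisier, numefisier)
    else:
        print "nu fac back-up"
    hash0 = hash1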