MA Backlog

Created: 28.07.2022

Add new items here: https://malpedia.caad.fkie.fraunhofer.de/login and see also here https://objective-see.org/.

Types

From ChatGPT

  1. File infectors: These viruses infect executable files and are spread when the infected file is executed. When an infected file is run, the virus code is activated and can spread to other files on the system. Examples include the Cascade virus and the Jerusalem virus.
  2. Boot sector viruses: These viruses infect the boot sector of a disk, usually a floppy disk, and are activated when the computer is booted from the infected disk. The virus then spreads to other disks that are accessed by the infected system. Examples include the Stoned virus and the Michelangelo virus.
  3. Macro viruses: These viruses infect documents that contain macro code, such as Microsoft Word or Excel documents. When the infected document is opened, the virus code is executed and can infect other documents on the system. Examples include the Melissa virus and the ILOVEYOU virus.
  4. Stealth viruses: These viruses are designed to hide their presence from antivirus software and other detection methods. They do this by intercepting system calls and modifying the results, or by hooking into the operating system and altering its behavior. Examples include the Whale virus and the Meve virus.
  5. Multipartite viruses: These viruses infect both files and boot sectors, making them harder to detect and remove. They typically spread through infected files and then infect the boot sector of the system, allowing them to survive a system reboot. Examples include the Flip virus and the Invader virus.
  6. Polymorphic viruses: These viruses use encryption or other techniques to change their code each time they infect a new system, making them difficult to detect and remove. Examples include the W95/CIH virus and the Satanbug virus.
  7. Worms: While not technically viruses, worms are self-replicating malware that spread through networks or the internet. They typically exploit vulnerabilities in software or operating systems to spread, and can cause significant damage to systems and networks. Examples include the Morris worm and the WannaCry worm.

PE

Import tables: how they work and how to restore them.

macOS

Are there packers for macOS? Is there a process for restoring the import table there?

https://medium.com/hackernoon/writing-an-keylogger-for-macos-in-python-24adfa22722

https://stackoverflow.com/questions/61077760/python3-keylogger-for-macos-script-not-working

Windows

https://2018.offzone.moscow/report/secrets-windows-dpapi/

https://2018.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/

youtube.com/watch?v=NqCqfBCV_18

https://www.apriorit.com/dev-blog/727-win-guide-to-hooking-windows-apis-with-python

General

Malware Unicorn - https://malwareunicorn.org/#/. Labs to check out.

The Art of Mac Malware - read and try samples on the OneEye or something.

Incident response stuff - https://www.youtube.com/c/TaggartTech

Check out Blue Jupyter tool. Could be very useful for IR as well.

Samples Repos

Go Merlin - https://github.com/Ne0nd0g/merlin

Info

🔥 https://unprotect.it/techniques/ - attack techniques, code samples and detection rules.

🔥 https://malapi.io - common Windows APIs invoked by malware.

https://glances.readthedocs.io/en/latest/

https://www.hybrid-analysis.com/sample/9fe55c51af6230c8640e140104645b32ba83ac868bf0f1571733f14761701247

https://www.f-secure.com/v-descs/trojan-spy_w32_finspy_a.shtml

https://malshare.com/

Malicious websites: https://zeltser.com/lookup-malicious-websites/

https://mail.google.com/mail/u/0/#inbox

My own is maintained in Notion for now. Planning to turn this into a SQL DB + CLI.

Network

https://malware-traffic-analysis.net

https://packettotal.com/malware-archive.html

Walkthroughs

GoLang malware: Palo Alto research on programming language recognition, and the "Analyzing a Go Service Backdoor" video.

Delphi

macOS - In a report on a recent Lazarus APT Group macOS implant, I noted that the group’s capabilities continue to evolve, as evidenced in “a new sample with the ability to remotely download and execute payloads directly from memory,” thus thwarting various file-based security tools. In “FinFisher Filleted,” yet another write-up on a piece of sophisticated macOS malware, I discussed the use of a kernel-level rootkit component. I noted that the rootkit “contains the logic to remove the target process of interest, by unlinking it from the (process) list. Once removed, the process is now hidden.” (Patrick Wardle, “FinFisher Filleted: a triage of the FinSpy (macOS) malware,” Objective-See, September 26, 2020, https://objective-see.com/blog/blog_Ox4F.html and Patrick Wardle, “Lazarus Group Goes ‘Fileless’,” Objective-See, December 3, 2019, https://objective-see.com/blog/blog_0x51.html.) In a detailed report, “All Your Macs Are Belong To Us,” on a vulnerability now patched as CVE-2021-30657, I wrote about how malware was exploiting this flaw to run unsigned and unnotarized code, “bypassing all File Quarantine, Gatekeeper, and Notarization requirements.”

macOS Malware

Mami, Dacls, FinSpy, IPStorm, and GravityRAT, like Kitm, NetWire, and WindTail.

NetWire

Persists both as a login item and a launch agent (see the persistence artefacts for more information).

GMERA

Launch item. Has a run.sh in the Resources/ dir.

EvilQuest

Prefers being run as a Launch Daemon. But if it finds itself only running with user privileges, it instead creates a user launch agent.

Janicab

Persists a python script as a cron job. https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab

Wardle, Patrick. The Art of Mac Malware (p. 31). No Starch Press. Kindle Edition.
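As an added example (my own code, not from the page or from the book), a small triage script for the launchd persistence mechanisms noted above: it parses LaunchAgent/LaunchDaemon plists with the standard-library plistlib and flags the traits these samples share (a script run from a hidden or non-standard path, RunAtLoad combined with KeepAlive). The directory list, the prefix allow-list and the sample plist are assumptions constructed for the example; cron jobs and login items are not covered.

```python
import plistlib
from pathlib import Path
# Where launchd loads persistence jobs from: per-user agents, system-wide agents and daemons (assumed list)
PERSISTENCE_DIRS = (Path.home() / "Library/LaunchAgents",
                    Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons"))
# Prefixes a legitimate job's program and arguments normally live under (assumed allow-list)
EXPECTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/")

def triage_job(job):
    """Return reasons a launchd job dict looks like malware persistence; [] means nothing odd."""
    reasons = []
    paths = [job["Program"]] if "Program" in job else []
    paths += [a for a in job.get("ProgramArguments", []) if a.startswith("/")]
    if not paths:
        reasons.append("no program path")
    for p in paths:
        if not p.startswith(EXPECTED_PREFIXES):
            reasons.append("path outside standard locations: " + p)
        if any(part.startswith(".") for part in p.split("/")):
            reasons.append("hidden path component: " + p)
        if p.endswith((".sh", ".py")):
            reasons.append("runs a script instead of a binary: " + p)
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (auto-start, restart if killed)")
    return reasons

def triage_plist(data):
    """Triage one plist (XML or binary bytes); returns (Label, reasons)."""
    job = plistlib.loads(data)
    return job.get("Label", "<no label>"), triage_job(job)

def scan(dirs=PERSISTENCE_DIRS):
    """Triage every .plist in the launchd directories; returns {file: reasons} for odd jobs."""
    findings = {}
    for f in (p for d in dirs if d.is_dir() for p in sorted(d.glob("*.plist"))):
        try:
            reasons = triage_plist(f.read_bytes())[1]
        except Exception as e:  # an unparsable plist is itself worth a look
            reasons = ["could not parse: " + str(e)]
        if reasons:
            findings[str(f)] = reasons
    return findings

# Constructed sample: a user agent running a script from a hidden directory (not a real sample)
SAMPLE_AGENT = b"""<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/bin/sh</string>
    <string>/Users/alice/Library/.helper/run.sh</string></array>
  <key>RunAtLoad</key><true/><key>KeepAlive</key><true/>
</dict></plist>"""
```

Run scan() on a live system to list the jobs worth a closer look; triage_plist(SAMPLE_AGENT) shows the four findings the constructed agent triggers.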

References
