SANS ISC: Internet Storm Center

SSMA Usage

Published: 2017-03-23
Last Updated: 2017-03-23 01:06:48 UTC
by Tom Webb (Version: 1)

 

SSMA (Simple Static Malware Analyzer) is a handy tool for quickly getting an idea of whether a file is malicious.

 

Install

sudo apt-get install python3-pip

 

git clone https://github.com/secrary/SSMA

cd SSMA

sudo pip3 install -r requirements.txt


 

Usage

To use it, just run the command with your VirusTotal API key and the file to analyze. After each test it asks whether you want to continue the analysis. In this example I used a version of Mebroot for testing.

 

python3 ssma.py -h

python3 /home/twebb/Downloads/SSMA/ssma.py -k VT_API_KEY 00000025.exe


 

Results

 

[SSMA ASCII-art banner: "Simple Static Malware Analyzer"]

 

File Details:

File: /home/twebb/malware/2-mar-2010 torpig/00000025.exe

Size: 280960 bytes

Type: application/x-dosexec

MD5:  ae26e139311e2cacef53cce6d8da09da

SHA1: b9942fd44e798073821dd4b1d9b21f1814d766ad

Date: Fri Nov 28 00:33:22 2003

PE file entropy: 7.618302492203651

Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.

 

================================================================================

Continue? [Y/n] y

 

Number of Sections: 5

 

Section VirtualAddress VirtualSize SizeofRawData Entropy

.code   0x480                26965         27008 6.511691201650016

.rdata  0x6e00                 152           256 2.401459977262458

.data   0x6f00              251148        251264 7.654305920976193

INIT    0x44480                306           384 4.063770965426124

.reloc  0x44600                854           896 1.656681300794013

 

Very high or very low entropy means that file/section is compressed or encrypted since truly random data is not common.

 

SUSPICIOUS section names: INIT

================================================================================

Continue? [Y/n] y

 

Virustotal:

F-Secure - Gen:Rootkit.Heur.ruW@CS!sLed

NOD32 - a variant of Win32/Mebroot.CK

Ikarus - Backdoor.Win32.Sinowal

McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen

Symantec - Suspicious.Insight

BitDefender - Gen:Rootkit.Heur.ruW@CS!sLed

AntiVir - TR/Crypt.ZPACK.Gen

GData - Gen:Rootkit.Heur.ruW@CS!sLed

nProtect - Gen:Rootkit.Heur.ruW@CS!sLed

a-squared - Backdoor.Win32.Sinowal!IK

 

================================================================================

Continue? [Y/n] y

 

Scan file using Yara-rules.

With Yara rules you can create a "description" of malware families to detect new samples.

For more information: https://virustotal.github.io/yara/

 

Downloading Yara-rules...


 

These Yara rules specialised on the identification of well-known malware.

Result:

QuarianCode - Quarian code features

Quarian - Quarian

 

================================================================================

Continue? [Y/n] y

 

These Yara Rules aimed to detect well-known software packages, that can be used by malware to hide itself.

Result:

Visual_Cpp_2003_DLL_Microsoft

 

================================================================================

Continue? [Y/n] y

 

These Yara rules aimed to detect the existence of cryptographic algorithms.

Detected cryptographic algorithms:

contentis_base64 - This rule finds for base64 strings

 

================================================================================

Continue? [Y/n] y
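The two checks that flagged this sample in the output above, per-section entropy and an unusual section name, are easy to reproduce without the tool. The following is an added example (my own code, not SSMA's): a pure-Python walk of the PE section table that computes Shannon entropy per section and flags names from a suspicious-name list. The name list and the 7.0 entropy threshold are assumptions for the example, and the toy PE it runs on is constructed inline.

```python
import math
import struct
from collections import Counter

# Assumed suspicious-name list for this example (not SSMA's own); INIT is the diary's hit.
SUSPICIOUS_NAMES = {"INIT", "UPX0", "UPX1", ".aspack", ".adata", "MEW", ".nsp0"}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Walk the PE section table and yield (name, vaddr, vsize, rawsize, entropy)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # COFF header follows the PE signature
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size              # section headers follow the optional header
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        yield name, vaddr, vsize, rawsize, shannon_entropy(pe[rawptr:rawptr + rawsize])

def analyze(pe: bytes) -> dict:
    """The two static checks SSMA printed: section entropy (assumed threshold 7.0) and names."""
    rows = list(pe_sections(pe))
    return {"sections": rows,
            "high_entropy": [r[0] for r in rows if r[4] > 7.0],
            "suspicious_names": [r[0] for r in rows if r[0] in SUSPICIOUS_NAMES]}

def build_sample() -> bytes:
    """Constructed toy PE (no optional header): low-entropy .text plus high-entropy INIT."""
    sections = [(b".text", bytes(range(16)) * 32), (b"INIT", bytes(range(256)) * 2)]
    e_lfanew = 0x40
    data_start = e_lfanew + 4 + 20 + 40 * len(sections)   # SizeOfOptionalHeader is 0 here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    headers, raw = b"", b""
    for i, (name, body) in enumerate(sections):
        headers += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000 * (i + 1),
                               len(body), data_start + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += body
    return dos + coff + headers + raw
```

Running `analyze(build_sample())` yields a 4.0-bit .text section and an 8.0-bit INIT section, with INIT reported under both high_entropy and suspicious_names; the same functions work on a real PE read from disk.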



 

There are lots of tools like this, but this one is worth a try because the install is so quick and easy. What is your favorite static analysis tool?


 

--

Tom Webb

@twsecblog
