Analyse de malware — Triage rapide

Fichier suspect reu
       
       
1 Hashing  VirusTotal lookup
        Malveillant confirm Oui Passer  IOC extraction
        Non/Inconnu
       
2 Analyse statique
   Strings PE headers imports
       
       
3 Sandbox dynamique
   Comportement rseau FS registry
       
       
4 IOC extraction  partage TIP
       
       
5 YARA rule creation

# Type de fichier réel (ignorer l'extension)
file suspiciousexe
file suspiciouspdf
# Entropie — haute entropie = packed/chiffré
python3 -c 
import sys math
data  open'suspicious.exe' 'rb'read
freq  
for b in data
    freqb  freqgetb 0  1
entropy  -sum((c/len(data))  mathlog2c/lendata for c in freqvalues
printf'Entropy: {entropy:.2f} bits/byte (> 7.0 = likely packed)'
# Hashes — collecte complète
md5sum suspiciousexe
sha256sum suspiciousexe
sha1sum suspiciousexe
# Ou PowerShell
Get-FileHash suspiciousexe -Algorithm MD5 SHA1 SHA256 | Format-List

# VirusTotal via API
VT_API"{{VT_API_KEY}}"
SHA256sha256sum suspiciousexe | cut -d'  -f1)
curl -s "https://www.virustotal.com/api/v3/files/$SHA256" 
  -H "x-apikey: $VT_API" | jq 
    name dataattributesmeaningful_name
    malicious dataattributeslast_analysis_statsmalicious
    undetected dataattributeslast_analysis_statsundetected
    first_seen dataattributesfirst_submission_date
    family dataattributespopular_threat_classificationsuggested_threat_label
  
# MalwareBazaar lookup (pas de clé requise pour query)
curl -s -X POST "https://mb-api.abuse.ch/api/v1/" 
  -d "query=get_info&hash=$SHA256" | jq data0 | 
    file_name file_type signature tags reporter
  

# Strings basiques
strings suspiciousexe | grep -iE "(http|ftp|\\\\|cmd|power|shell|download|upload)"
# Strings Unicode
strings -el suspiciousexe | head -100
# Strings avec offset (pour corrélation avec dissassembly)
strings -t x suspiciousexe | grep -iE "(CreateRemoteThread|VirtualAlloc|WriteProcessMemory)"
# Strings suspects — fonctions d'injection mémoire
SUSPECT_FUNCS
  "VirtualAlloc" "VirtualAllocEx" "WriteProcessMemory"
  "CreateRemoteThread" "NtCreateThreadEx" "RtlCreateUserThread"
  "ShellExecute" "WinExec" "CreateProcess"
  "RegSetValue" "RegCreateKey"
  "InternetOpen" "InternetConnect" "HttpSendRequest"
  "WSAStartup" "connect" "send" "recv"
for func in "${SUSPECT_FUNCS[@]}"; do
  countstrings suspiciousexe | grep -c "$func" 2>/dev/null
   "$count" -gt 0  && echo "FOUND [$count]: $func"
done

# Python — analyse PE avec pefile
import pefile
import sys
pe = pefile.PE("suspicious.exe")
print("=== PE INFO ===")
print(f"Machine: {hex(pe.FILE_HEADER.Machine)}")
print(f"Timestamp: {pe.FILE_HEADER.dump_dict()['TimeDateStamp']['Value']}")
print(f"Subsystem: {pe.OPTIONAL_HEADER.Subsystem}")
print(f"Entry Point: {hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)}")
print("\n=== SECTIONS ===")
for s in pe.sections:
    entropy = s.get_entropy()
    print(f"  {s.Name.decode().strip()} | VSize={s.Misc_VirtualSize} | Entropy={entropy:.2f}")
    if entropy > 7.0:
        print(f"    ^^^ HIGH ENTROPY — possible packed/encrypted section")
print("\n=== IMPORTS ===")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for lib in pe.DIRECTORY_ENTRY_IMPORT:
        print(f"  {lib.dll.decode()}")
        for imp in lib.imports:
            if imp.name:
                func = imp.name.decode()
                if any(s in func for s in ["VirtualAlloc", "CreateRemoteThread", "WriteProcess",
                                           "LoadLibrary", "GetProcAddress", "ShellExec"]):
                    print(f"    *** SUSPICIOUS: {func}")
print("\n=== EXPORTS ===")
if hasattr(pe, 'DIRECTORY_ENTRY_EXPORT'):
    for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
        if exp.name:
            print(f"  {exp.name.decode()}")

# Soumettre un fichier à Cuckoo
cuckoo submit --timeout 120 suspiciousexe
# Soumettre une URL
cuckoo submit --url "http://{{MALICIOUS_URL}}"
# Vérifier le résultat
cuckoo api  # Port 8090 par défaut
curl http//localhost8090/tasks/report/{{TASK_ID}}/json | jq '.signatures[].name'
# Extraire les IOCs du rapport
curl http//localhost8090/tasks/report/{{TASK_ID}}/json | jq 
  domains networkdomainsdomain
  ips networkhosts
  mutexes behaviorsummarymutexes
  files behaviorsummaryfiles
  registry behaviorsummarykeys

rule Malware_FamilyName_Variant {
    meta:
        author      = "{{ANALYST_NAME}}"
        date        = "2025-05-13"
        description = "Détecte {{MALWARE_FAMILY}} variant X"
        hash        = "{{SHA256_HASH}}"
        reference   = "https://{{REPORT_URL}}"
        mitre       = "T1059.001, T1071.001"
    strings:
        // Strings ASCII/Wide
        $s1 = "CreateRemoteThread" ascii
        $s2 = "VirtualAlloc" ascii
        $s3 = "{{C2_DOMAIN}}" wide ascii nocase
        // Pattern hexadécimal (shellcode signature)
        $hex1 = { 60 89 E5 31 D2 64 8B 52 30 }
        // Regex
        $re1 = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/ // GUID mutex
    condition:
        uint16(0) == 0x5A4D          // MZ header (PE file)
        and filesize < 5MB
        and (
            (2 of ($s*)) or
            $hex1 or
            ($re1 and 1 of ($s*))
        )
}

# Tester sur un fichier
yara ruleyar suspiciousexe -s
# Tester sur un répertoire
yara -r ruleyar /malware_samples/
# Tester depuis un dossier de règles (SigmaHQ style)
yara rules target_fileexe --no-warnings
# Vérifier les faux positifs sur binaires légitimes
yara ruleyar /Windows/System32/ 2>/dev/null | head -20

# Wireshark / tshark — filtres pour trafic malware
# Connexions HTTP suspectes
tshark -r capturepcap -Y "http.request" 
  -T fields -e ipsrc -e ipdst -e httphost -e httprequesturi -e httpuser_agent
# DNS — domaines résolus
tshark -r capturepcap -Y "dns.flags.response == 0" 
  -T fields -e ipsrc -e dnsqryname -e dnsqrytype
# Certificats TLS — extraction CN et SANs
tshark -r capturepcap -Y "ssl.handshake.type == 11" 
  -T fields -e x509satuTF8String -e ipdst
# Extraction automatique de fichiers HTTP (payloads)
tshark -r capturepcap --export-objects http/tmp/http_objects/
# Suricata sur PCAP existant
suricata -r capturepcap -l /tmp/suricata_output/ -c /etc/suricata/suricata.yaml
jq '.alert.signature' /tmp/suricata_output/eve.json | sort | uniq -c | sort -rn

# Avant de détonner en sandbox : rechercher des marqueurs d'évasion dans les strings
strings suspiciousexe | grep -iE "(vmware|virtualbox|sandbox|wine|cuckoo|vbox|qemu)"
strings suspiciousexe | grep -iE "(SbieDll|sbiedrvr|snxhk|avghookx)"
# Marqueurs courants de VM detection
# - CPUID checks (hypervisor bit)
# - Registry keys : HKLM\SOFTWARE\VMware Inc.
# - Fichiers : C:\windows\system32\drivers\vmmouse.sys
# - Process : vmtoolsd.exe, vboxservice.exe
# - MAC prefix : 00:0C:29 (VMware), 08:00:27 (VirtualBox)
# - Timing attacks : RDTSC delta anormal