This is a python script designed to analyze malware.
f77fb43fd86a787ae3fc329382c635e64ea97b2fd9947f2d04eb20033722e76a
#!/usr/bin/python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# Greetz to all Darkc0de ,AI,ICW Memebers
#Shoutz to r45c4l,j4ckh4x0r,silic0n,smith,baltazar,d3hydr8,lowlz,Eberly,Sumit,zerocode,dalsim,7
#The application can be used to perform intial malware analysis phase.
import os,sys,re
if sys.platform == 'linux-i386' or sys.platform == 'linux2' or sys.platform == 'darwin':
SysCls = 'clear'
elif sys.platform == 'win32' or sys.platform == 'dos' or sys.platform[0:5] == 'ms-dos':
SysCls = 'cls'
else:
SysCls = 'unknown'
os.system(SysCls)
print "\n|---------------------------------------------------------------|"
print "| beenudel1986[@]gmail[dot]com |"
print "| Malware Analyser(Static) 1.0 |"
print "| 06/2009 analyse_malware.py |"
print "| Do Visit www.BeenuArora.com |"
print "|---------------------------------------------------------------|\n"
if (len (sys.argv) <2):
print "\n Usage: ./malware_analyse.py <file_name>\n"
sys.exit(0)
malware=sys.argv[1]
INTERESTING_CALLS = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
"KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
"advapi32.RegCreate", "advapi32.RegSet", "http://","Socket",
"^([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])\.([01]?\d\d?|2[0-4]\d|25[0-5])",
"OutputDebugString",
"FindWindow",
"IsDebuggerPresent"
]
REGISTRY_CALLS =["HKEY_CURRENT_USER","HKEY_CLASSES_ROOT","HKEY_LOCAL_MACHINE"]
ONLINE_WORK =["IRC","Joined channel","Port","BOT","Login","flood","ddos","NICK","ECHO","PRIVMSG","ADMIN","AWAY","CONNECT","KICK","LIST","MODE","MOTD","PING","POMG","QUIT","SERVLIST","SERVICE","NAMES","JOIN","INVITE","INFO","TRACE","USERHOST","WHO","WHOIS","VERSION"]
try:
hosts= open(malware,'r').readlines()
except (IOError):
print " \n\nSite List Missing ..Exiting :("
sys.exit(0)
def start_analysis_system_calls():
performed=[]
for line in hosts:
for calls in INTERESTING_CALLS:
if re.search(calls, line):
if not calls in performed:
print "[+] Found an Interesting call to: ",calls
performed.append(calls)
def start_analysis_registry():
for line in hosts:
for calls in REGISTRY_CALLS:
if re.search(calls, line):
print "[+] Malware is Adding a Key at Hive: ",calls
print line
def start_analysis_online():
performed=[]
for line in hosts:
for calls in ONLINE_WORK:
if re.search(calls, line):
if not calls in performed:
print "[+] Malware Seems to be IRC BOT: Verified By String :",calls
performed.append(calls)
#print line
print "\n Analysing if PE file...\n"
check = file(malware, "rb")
buff = check.read(2)
check.close()
if buff == "MZ":
print "\n[+] Valid PE file.\n"
print "\n[!] Displaying Interesting System Calls Made.\n"
start_analysis_system_calls()
print "\n\n[!] Displaying Registry Hives Edited.\n"
start_analysis_registry()
print "\n\n[!] Displaying A Little Online Behaviour.\n"
start_analysis_online()
else:
print "[-]\n Not a Valid PE File. Exiting.!"
sys.exit(0)