
How to analyze malicious file downloads

Many NIDS events will tell you that a file has been downloaded to an asset. You may be researching a BAD IP event and see related 'download' events that also need to be researched. Here are some examples.

  • ET POLICY PDF With Embedded File;
  • ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile;
  • ET POLICY Binary Download Smaller than 1 MB Likely Hostile;
  • ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection;
  • ET CURRENT_EVENTS rechnung zip file download;
  • ET INFO Microsoft Compact Office Document Format File Download;
  • ET MALWARE UPX encrypted file download possible malware;

The Suricata ruleset contains many more rules written to detect the download of suspicious or high-risk files (for example, executable files smaller than 1 MB).

You can see some of these with the following query: 

Here are the basic steps to follow in your research:

  • Analyzing JavaScript:
    • - This little beautifier will reformat and re-indent bookmarklets, ugly JavaScript, unpack scripts packed by Dean Edwards' popular packer, as well as deobfuscate scripts processed by
    • - Jsunpack by Blake Hartstein is designed for automatically examining and deobfuscating JavaScript. Its features also include carving contents of network packet capture (PCAP) files and identifying common client-side exploits. It can also examine PDF files for malicious JavaScript artifacts. (The example I uploaded used Flash, rather than PDF, so Jsunpack didn't locate malicious artifacts in this case.)
  • Analyzing PDF Documents:
  • Analyzing Microsoft Office Documents:
    • - oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See for more info.
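As an added example (this is not code from the original article, nor from oletools or Jsunpack), the following Python script performs a first-pass offline triage of a downloaded file using only the standard library: it identifies the file type from its magic bytes, hashes it, and flags the indicators the signatures above hint at (JavaScript, automatic actions or embedded files in PDFs, VBA macro storage names in OLE2 documents, UPX markers and small size in executables). The sample files at the bottom are constructed byte strings, not real malware, and the indicator lists are heuristics to decide what to hand to the dedicated tools next, not a replacement for them.

```python
"""Added example: first-pass offline triage of a downloaded file.

Standard library only. The sample inputs at the bottom are constructed
byte strings, not real malware.
"""
import hashlib
import re
import sys

# Magic bytes for the file types the signatures above refer to.
MAGIC = [
    (b"MZ", "pe_executable"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2_compound_document"),
    (b"PK\x03\x04", "zip_archive"),
]
# PDF name objects that warrant a closer look (active content or attachments).
PDF_SUSPICIOUS = [b"/JavaScript", b"/JS", b"/EmbeddedFile",
                  b"/OpenAction", b"/AA", b"/Launch"]
# OLE2 directory entry names that indicate VBA macro storage.
OLE_MACRO_MARKERS = ["VBA", "_VBA_PROJECT", "Macros"]
# Strings UPX leaves in a packed executable unless deliberately scrubbed.
UPX_MARKERS = [b"UPX0", b"UPX1", b"UPX!"]


def identify(data: bytes) -> str:
    """Return a coarse file type based on leading magic bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def normalise_pdf_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript),
    a common trick for hiding keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_indicators(data: bytes) -> list:
    text = normalise_pdf_names(data)
    found = []
    for name in PDF_SUSPICIOUS:
        # A PDF name ends at whitespace or a delimiter; the lookahead keeps
        # /JS from matching inside a longer name.
        if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", text):
            found.append(name.decode())
    return found


def ole_indicators(data: bytes) -> list:
    # Directory entry names in an OLE2 file are stored as UTF-16LE.
    return [m for m in OLE_MACRO_MARKERS if m.encode("utf-16-le") in data]


def pe_indicators(data: bytes) -> list:
    found = [m.decode() for m in UPX_MARKERS if m in data]
    if len(data) < 1024 * 1024:  # the "smaller than 1 MB" heuristic
        found.append("binary smaller than 1 MB")
    return found


def triage(data: bytes) -> dict:
    kind = identify(data)
    report = {
        "type": kind,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "indicators": [],
    }
    if kind == "pdf":
        report["indicators"] = pdf_indicators(data)
    elif kind == "ole2_compound_document":
        report["indicators"] = ole_indicators(data)
    elif kind == "pe_executable":
        report["indicators"] = pe_indicators(data)
    return report


# Constructed samples (not real malware) exercising each branch.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n"
    b"3 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n"
    b"%%EOF\n"
)
SAMPLE_OLE = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    + "Macros".encode("utf-16-le") + b"\x00\x00"
    + "_VBA_PROJECT".encode("utf-16-le")
)
SAMPLE_PE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20
    + b"UPX0" + b"\x00" * 36 + b"UPX1" + b"\x00" * 100 + b"UPX!"
)

if __name__ == "__main__":
    # Usage: python triage.py <downloaded file>; with no argument, run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        for sample in (SAMPLE_PDF, SAMPLE_OLE, SAMPLE_PE):
            print(triage(sample))
```

The hashes in the report are what you would search in the SIEM and in external reputation sources; the indicators decide the next step (pdf-parser or Jsunpack for a PDF with /JS or /OpenAction, oletools for an OLE2 file with VBA storage, a sandbox for a small UPX-packed executable). Note that an empty indicator list does not mean the file is clean, only that none of these simple markers were present.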
