# Imports

In [1]:
import json
import os

import pandas as pd

# Config

## Paths

In [2]:
# Key selecting which sample's section of config.json drives the paths below.
# NOTE(review): the Process Monitor rows further down are for gandcrab_v4.exe (PID 3160),
# not an obviously Cerber-named binary — confirm this key points at the intended capture
# before the findings are reported under the "Cerber" label.
current_malware = "Cerber"

In [3]:
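# Checkout root of the project. The author's absolute path stays as the default so existing
# runs behave the same, but it can be overridden via the environment so the notebook runs on
# another machine without editing code (FORENSICAL_ANALYSIS_ROOT is a variable name chosen here).
project_root = os.environ.get(
    "FORENSICAL_ANALYSIS_ROOT",
    "/home/jevenari/PycharmProjects/ForensicalAnalysis",
)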

In [4]:
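# config.json is located relative to project_root instead of repeating the absolute path,
# so the two cannot drift apart. The file handle is closed deterministically via `with`
# (the original `json.load(open(...))` never closed it).
config_path = f"{project_root}/config/config.json"
with open(config_path, "r") as config_file:
    all_configs = json.load(config_file)
# Keep the name `config` because the path cells below read config['Dynamic'], config['ProcessMonitor']
# and config['Regshot']; only the selected sample's section is kept.
config = all_configs[current_malware]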

In [5]:
# Process Monitor CSV: directory and file name both come from the sample's config section.
# NOTE(review): this path is taken entirely from config, whereas regshot_path below is built
# from project_root/data/<sample> — confirm both resolve to the same sample's capture.
dynamic_dir = config["Dynamic"]
procmon_file = config["ProcessMonitor"]
procmon_path = f"{dynamic_dir}/{procmon_file}"

In [6]:
# Regshot export: stored under data/<sample>/ in the project, file name from config.
regshot_dir = f"{project_root}/data/{current_malware}"
regshot_path = f"{regshot_dir}/{config['Regshot']}"

## Pandas

In [7]:
# Render up to 10,000 rows per frame so a full Procmon trace can be read in the notebook
# (pandas accepts several option/value pairs in one call).
pd.set_option("display.min_rows", 1000, "display.max_rows", 10000)

# Process Monitor Analysis

## Load data

In [123]:
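# Process Monitor export (comma-separated). Fail fast with a readable message if the file is
# not a Procmon export, instead of letting a later `Operation`/`Path` query error out.
df_procmon = pd.read_csv(procmon_path)
expected_procmon_columns = {"Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"}
missing_procmon_columns = expected_procmon_columns - set(df_procmon.columns)
assert not missing_procmon_columns, f"not a Process Monitor export, missing columns: {sorted(missing_procmon_columns)}"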

In [124]:
# Full trace (display.max_rows is 10,000). The leading rows are gandcrab_v4.exe, PID 3160:
# process start, thread create, image loads, then a Prefetch lookup and Session Manager registry reads.
df_procmon

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:06,1603512",gandcrab_v4.exe,3160,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."
1,"10:56:06,1603836",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8304
2,"10:56:06,2112472",gandcrab_v4.exe,3160,Load Image,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,SUCCESS,"Image Base: 0x400000, Image Size: 0x31000"
3,"10:56:06,2114178",gandcrab_v4.exe,3160,Load Image,C:\Windows\System32\ntdll.dll,SUCCESS,"Image Base: 0x7ffffb750000, Image Size: 0x1f5000"
4,"10:56:06,2117512",gandcrab_v4.exe,3160,Load Image,C:\Windows\SysWOW64\ntdll.dll,SUCCESS,"Image Base: 0x77660000, Image Size: 0x1a3000"
5,"10:56:06,2120814",gandcrab_v4.exe,3160,CreateFile,C:\Windows\Prefetch\GANDCRAB_V4.EXE-89137057.pf,NAME NOT FOUND,"Desired Access: Generic Read, Disposition: Ope..."
6,"10:56:06,2125736",gandcrab_v4.exe,3160,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,REPARSE,Desired Access: Query Value
7,"10:56:06,2126382",gandcrab_v4.exe,3160,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,Desired Access: Query Value
8,"10:56:06,2126780",gandcrab_v4.exe,3160,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session ...,NAME NOT FOUND,Length: 80
9,"10:56:06,2127071",gandcrab_v4.exe,3160,RegCloseKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,


## Get unique operations

In [125]:
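# Distinct operation names in the capture; sorted() already returns a list, so the extra
# list() wrapper was redundant. Note that neither RegCreateKey nor RegSetValue appears in
# this capture, which is why the registry cells below come back empty.
sorted(df_procmon["Operation"].unique())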

['CloseFile',
 'CreateFile',
 'CreateFileMapping',
 'Load Image',
 'Process Create',
 'Process Exit',
 'Process Start',
 'QueryBasicInformationFile',
 'QueryNameInformationFile',
 'QuerySecurityFile',
 'QueryStandardInformationFile',
 'ReadFile',
 'RegCloseKey',
 'RegEnumKey',
 'RegEnumValue',
 'RegOpenKey',
 'RegQueryKey',
 'RegQueryValue',
 'RegSetInfoKey',
 'Thread Create',
 'Thread Exit']

## Get Process Create/Process Exit/Process Start events

In [126]:
# Rows where the sample spawns a child process (boolean mask instead of .query, same rows).
is_process_create = df_procmon["Operation"] == "Process Create"
df_process_create = df_procmon.loc[is_process_create]

In [127]:
# Single Process Create: PID 3160 launches a second copy of gandcrab_v4.exe (child PID 8312 in Detail).
df_process_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
286,"10:56:06,8133601",gandcrab_v4.exe,3160,Process Create,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,SUCCESS,"PID: 8312, Command line: C:\Users\Cuckoo\Downl..."


In [128]:
# Process Start rows, selected with a boolean mask (equivalent to .query).
is_process_start = df_procmon["Operation"] == "Process Start"
df_process_start = df_procmon.loc[is_process_start]

In [129]:
# Two starts: the sample itself (PID 3160, parent 3640) and its child (PID 8312, parent 3160).
df_process_start

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:06,1603512",gandcrab_v4.exe,3160,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."
287,"10:56:06,8133707",gandcrab_v4.exe,8312,Process Start,,SUCCESS,"Parent PID: 3160, Command line: C:\Users\Cucko..."


In [130]:
# Process Exit rows, selected with a boolean mask (equivalent to .query).
is_process_exit = df_procmon["Operation"] == "Process Exit"
df_process_exit = df_procmon.loc[is_process_exit]

In [131]:
# Only PID 3160 exits (status 0) inside the capture; there is no exit row for child PID 8312,
# which presumably outlived the trace — worth confirming against the full capture.
df_process_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
375,"10:56:06,8261341",gandcrab_v4.exe,3160,Process Exit,,SUCCESS,"Exit Status: 0, User Time: 0.0000000 seconds, ..."


## Get Thread Create/Thread Exit

In [143]:
# Thread Create rows, selected with a boolean mask (equivalent to .query).
is_thread_create = df_procmon["Operation"] == "Thread Create"
df_thread_create = df_procmon.loc[is_thread_create]

In [144]:
# Three threads in PID 3160 (8304, 7964, 8264) and one in the child PID 8312 (8208).
df_thread_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
1,"10:56:06,1603836",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8304
223,"10:56:06,2708867",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 7964
260,"10:56:06,8095995",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8264
288,"10:56:06,8133802",gandcrab_v4.exe,8312,Thread Create,,SUCCESS,Thread ID: 8208


In [145]:
# Thread Exit rows, selected with a boolean mask (equivalent to .query).
is_thread_exit = df_procmon["Operation"] == "Thread Exit"
df_thread_exit = df_procmon.loc[is_thread_exit]

In [146]:
# PID 3160's three threads (8264, 7964, 8304) exit just before the process does; thread 8208
# of child PID 8312 has no exit row in this capture.
df_thread_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
372,"10:56:06,8251512",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 8264, User Time: 0.0000000, Kernel ..."
373,"10:56:06,8252626",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 7964, User Time: 0.0000000, Kernel ..."
374,"10:56:06,8253525",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 8304, User Time: 0.0000000, Kernel ..."


## Get RegCreateKey/RegSetValue data

In [132]:
# RegCreateKey rows. 'RegCreateKey' is not among the unique operations listed above, so this is
# empty for this capture. NOTE(review): the same name is reassigned two cells below to the
# RegSetValue result — rename one of the two when refactoring so the displayed frame is unambiguous.
is_reg_create_key = df_procmon["Operation"] == "RegCreateKey"
df_reg_value_set = df_procmon.loc[is_reg_create_key]

In [133]:
# Empty: no RegCreateKey operation in this Procmon capture (only reads/opens were recorded).
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail


In [134]:
# RegSetValue rows. 'RegSetValue' is also absent from the unique operations above, so this is
# empty too — the Procmon capture contains no registry writes, while the Regshot data further
# down does show changes; that difference is worth explaining in the write-up.
is_reg_set_value = df_procmon["Operation"] == "RegSetValue"
df_reg_value_set = df_procmon.loc[is_reg_set_value]

In [135]:
# Non-null count per column — all zero, confirming no RegSetValue rows in the capture.
df_reg_value_set.count()

Time of Day     0
Process Name    0
PID             0
Operation       0
Path            0
Result          0
Detail          0
dtype: int64

In [136]:
# Empty frame (header only): no RegSetValue operation was captured.
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail


## Get loaded DLLs

In [137]:
# Image-load events (boolean mask instead of .query, same rows). Note these include the main
# executable image itself, not only DLLs.
is_load_image = df_procmon["Operation"] == "Load Image"
df_loaded_dlls = df_procmon.loc[is_load_image]

In [138]:
# Distinct image paths, in first-seen order (Series.unique is the same call as pd.unique here).
unique_dlls = df_loaded_dlls["Path"].unique()

In [139]:
# One-column frame of the distinct image paths.
df_unique_dlls = pd.DataFrame({"Path": unique_dlls})

In [140]:
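# File name = last backslash-separated component of the Windows path. The vectorised .str
# accessor gives the same result as the split lambda for strings, but yields NaN instead of
# raising AttributeError should a Path value ever be missing.
df_unique_dlls["DLL"] = df_unique_dlls["Path"].str.rsplit("\\", n=1).str[-1]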

In [141]:
# Row 0 is the sample's own image (gandcrab_v4.exe), the rest are system DLLs. The wow64*.dll
# loads and SysWOW64 copies of ntdll/kernel32 suggest a 32-bit binary running under WOW64 on a
# 64-bit Windows — confirm against the sample's PE header.
df_unique_dlls

Unnamed: 0,Path,DLL
0,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,gandcrab_v4.exe
1,C:\Windows\System32\ntdll.dll,ntdll.dll
2,C:\Windows\SysWOW64\ntdll.dll,ntdll.dll
3,C:\Windows\System32\wow64.dll,wow64.dll
4,C:\Windows\System32\wow64win.dll,wow64win.dll
5,C:\Windows\System32\wow64cpu.dll,wow64cpu.dll
6,C:\Windows\SysWOW64\kernel32.dll,kernel32.dll
7,C:\Windows\SysWOW64\KernelBase.dll,KernelBase.dll
8,C:\Windows\SysWOW64\apphelp.dll,apphelp.dll
9,C:\Windows\SysWOW64\msvcrt.dll,msvcrt.dll


# Regshot Analysis

## Load data

In [9]:
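# Regshot export uses ';' as separator (unlike the comma-separated Procmon CSV). Fail fast with
# a readable message if the file does not have the expected Type/Operation/Path layout.
df_regshot_data = pd.read_csv(regshot_path, sep=";")
expected_regshot_columns = {"Type", "Operation", "Path"}
missing_regshot_columns = expected_regshot_columns - set(df_regshot_data.columns)
assert not missing_regshot_columns, f"not a Regshot export, missing columns: {sorted(missing_regshot_columns)}"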

In [11]:
# Entries Regshot recorded as deleted between the two snapshots (boolean mask, same rows as .query).
is_deleted = df_regshot_data["Operation"] == "Deleted"
df_operation_query = df_regshot_data.loc[is_deleted]

In [13]:
# 210 deleted entries in this capture (non-null count per column).
df_operation_query.count()

Type         210
Operation    210
Path         210
dtype: int64

In [10]:
# Full Regshot frame. The first rows are deleted files under ProgramData, the Cuckoo user's
# AppData (Mozilla/Firefox, Microsoft\Windows) and Desktop\Tools. Execution counts show this cell
# (In [10]) ran before the two cells above it — re-check under Restart Kernel & Run All.
df_regshot_data

Unnamed: 0,Type,Operation,Path
0,File,Deleted,C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864...
1,File,Deleted,C:\Users\All Users\Mozilla-1de4eec8-1241-4177-...
2,File,Deleted,C:\Users\Cuckoo\AppData\Local\Mozilla\Firefox\...
3,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
4,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
5,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
6,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
7,File,Deleted,C:\Users\Cuckoo\AppData\Roaming\Mozilla\Firefo...
8,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...
9,File,Deleted,C:\Users\Cuckoo\Desktop\Tools\SpyStudio-v2-x64...
