# Imports

In [1]:
import json
import os

import pandas as pd

# Config

## Paths

In [80]:
# Sample selector: used as the key into config.json and as the data/<sample> directory name below.
current_malware = "GandCrabV4"

In [81]:
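# Repository root. The hard-coded default is the author's machine; an environment
# variable (name chosen for this notebook) lets other hosts override it without
# editing the cell, and the default keeps the original behaviour.
project_root = os.environ.get(
    "FORENSICAL_ANALYSIS_ROOT",
    "/home/jevenari/PycharmProjects/ForensicalAnalysis",
)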

In [82]:
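# Per-sample configuration. The path is derived from project_root instead of
# repeating the absolute path, and the file handle is closed via `with`
# (the original left the handle open).
config_path = f"{project_root}/config/config.json"
with open(config_path, "r") as config_file:
    config = json.load(config_file)
# Narrow `config` to the selected sample's section; later cells index this sub-dict.
config = config[current_malware]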

In [83]:
# Procmon CSV, located via the sample's configured dynamic-analysis directory.
# Note: regshot_path below is built from project_root instead — two conventions.
procmon_path = "{}/{}".format(config["Dynamic"], config["ProcessMonitor"])

In [84]:
# Regshot export under data/<sample>/, relative to the repository root.
regshot_path = "{}/data/{}/{}".format(project_root, current_malware, config["Regshot"])

## Pandas

In [85]:
# Display up to 10000 rows before pandas truncates a frame, and at least 1000 when it does.
pd.set_option("display.min_rows", 1000, "display.max_rows", 10000)

# Process Monitor Analysis

## Load data

In [86]:
# Procmon export for the selected sample. Columns used below:
# "Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail".
df_procmon = pd.read_csv(procmon_path)

In [87]:
# Full event table (display only). With display.max_rows at 10000 this can print
# every row; the Detail column (command lines, image bases) is truncated by the
# default max_colwidth.
df_procmon

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:06,1603512",gandcrab_v4.exe,3160,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."
1,"10:56:06,1603836",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8304
2,"10:56:06,2112472",gandcrab_v4.exe,3160,Load Image,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,SUCCESS,"Image Base: 0x400000, Image Size: 0x31000"
3,"10:56:06,2114178",gandcrab_v4.exe,3160,Load Image,C:\Windows\System32\ntdll.dll,SUCCESS,"Image Base: 0x7ffffb750000, Image Size: 0x1f5000"
4,"10:56:06,2117512",gandcrab_v4.exe,3160,Load Image,C:\Windows\SysWOW64\ntdll.dll,SUCCESS,"Image Base: 0x77660000, Image Size: 0x1a3000"
5,"10:56:06,2120814",gandcrab_v4.exe,3160,CreateFile,C:\Windows\Prefetch\GANDCRAB_V4.EXE-89137057.pf,NAME NOT FOUND,"Desired Access: Generic Read, Disposition: Ope..."
6,"10:56:06,2125736",gandcrab_v4.exe,3160,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,REPARSE,Desired Access: Query Value
7,"10:56:06,2126382",gandcrab_v4.exe,3160,RegOpenKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,Desired Access: Query Value
8,"10:56:06,2126780",gandcrab_v4.exe,3160,RegQueryValue,HKLM\System\CurrentControlSet\Control\Session ...,NAME NOT FOUND,Length: 80
9,"10:56:06,2127071",gandcrab_v4.exe,3160,RegCloseKey,HKLM\System\CurrentControlSet\Control\Session ...,SUCCESS,


## Get unique operations

In [88]:
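# Distinct Procmon operation types in this capture, sorted (the wrapping list()
# was redundant; this now matches the regshot cells further down). The list holds
# no registry-write operations (RegCreateKey/RegSetValue) — check the Procmon
# filter before reading later empty frames as "the sample wrote nothing".
sorted(df_procmon["Operation"].unique())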

['CloseFile',
 'CreateFile',
 'CreateFileMapping',
 'Load Image',
 'Process Create',
 'Process Exit',
 'Process Start',
 'QueryBasicInformationFile',
 'QueryNameInformationFile',
 'QuerySecurityFile',
 'QueryStandardInformationFile',
 'ReadFile',
 'RegCloseKey',
 'RegEnumKey',
 'RegEnumValue',
 'RegOpenKey',
 'RegQueryKey',
 'RegQueryValue',
 'RegSetInfoKey',
 'Thread Create',
 'Thread Exit']

## Get Process Create/Process Exit/Process Start events

In [89]:
# Rows where a traced process spawned a child.
df_process_create = df_procmon[df_procmon["Operation"] == "Process Create"]

In [90]:
# One Process Create by PID 3160. The child's PID and command line sit in the
# truncated Detail column — widen display.max_colwidth to read them.
df_process_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
286,"10:56:06,8133601",gandcrab_v4.exe,3160,Process Create,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,SUCCESS,"PID: 8312, Command line: C:\Users\Cuckoo\Downl..."


In [91]:
# Process Start events (one per process that began inside the capture).
df_process_start = df_procmon[df_procmon["Operation"] == "Process Start"]

In [92]:
# Two starts: the sample (PID 3160, parent 3640) and a child PID 8312 whose
# parent is 3160 — the sample appears to relaunch its own image (the child's
# command line is truncated here).
df_process_start

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
0,"10:56:06,1603512",gandcrab_v4.exe,3160,Process Start,,SUCCESS,"Parent PID: 3640, Command line: ""C:\Users\Cuck..."
287,"10:56:06,8133707",gandcrab_v4.exe,8312,Process Start,,SUCCESS,"Parent PID: 3160, Command line: C:\Users\Cucko..."


In [93]:
# Process Exit events.
df_process_exit = df_procmon[df_procmon["Operation"] == "Process Exit"]

In [94]:
# Only PID 3160 exits within the capture (exit status 0); there is no exit for
# the child 8312, so it was presumably still running when the trace ended.
df_process_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
375,"10:56:06,8261341",gandcrab_v4.exe,3160,Process Exit,,SUCCESS,"Exit Status: 0, User Time: 0.0000000 seconds, ..."


## Get Thread Create/Thread Exit

In [95]:
# Thread Create events.
df_thread_create = df_procmon[df_procmon["Operation"] == "Thread Create"]

In [96]:
# .count() is the non-null count per column, not the row count: Path is 0 because
# thread events carry no path. Use len(df_thread_create) for the number of rows.
df_thread_create.count()

Time of Day     4
Process Name    4
PID             4
Operation       4
Path            0
Result          4
Detail          4
dtype: int64

In [97]:
# Three threads created in PID 3160 (8304, 7964, 8264) and one in the child 8312 (8208).
df_thread_create

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
1,"10:56:06,1603836",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8304
223,"10:56:06,2708867",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 7964
260,"10:56:06,8095995",gandcrab_v4.exe,3160,Thread Create,,SUCCESS,Thread ID: 8264
288,"10:56:06,8133802",gandcrab_v4.exe,8312,Thread Create,,SUCCESS,Thread ID: 8208


In [98]:
# Thread Exit events.
df_thread_exit = df_procmon[df_procmon["Operation"] == "Thread Exit"]

In [99]:
# All three exits belong to PID 3160 and match its created thread IDs; the
# child's thread 8208 has no exit in the capture.
df_thread_exit

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail
372,"10:56:06,8251512",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 8264, User Time: 0.0000000, Kernel ..."
373,"10:56:06,8252626",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 7964, User Time: 0.0000000, Kernel ..."
374,"10:56:06,8253525",gandcrab_v4.exe,3160,Thread Exit,,SUCCESS,"Thread ID: 8304, User Time: 0.0000000, Kernel ..."


## Get RegCreateKey/RegSetValue data

In [100]:
# NOTE: the name says "value set" but this filters RegCreateKey, and it is
# overwritten two cells down by the RegSetValue filter. Neither operation appears
# in the unique-Operation list above, so both frames are empty — verify the
# Procmon capture/filter included registry writes before reading this as
# "no registry changes".
df_reg_value_set = df_procmon[df_procmon["Operation"] == "RegCreateKey"]

In [101]:
# Empty: no RegCreateKey rows exist in this capture (see the operation list above).
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail


In [102]:
# Reuses the df_reg_value_set name from two cells up (which held the RegCreateKey
# filter). RegSetValue is likewise absent from the captured operations.
df_reg_value_set = df_procmon[df_procmon["Operation"] == "RegSetValue"]

In [103]:
# All zero: no RegSetValue rows in this capture.
df_reg_value_set.count()

Time of Day     0
Process Name    0
PID             0
Operation       0
Path            0
Result          0
Detail          0
dtype: int64

In [104]:
# Empty frame (header only).
df_reg_value_set

Unnamed: 0,Time of Day,Process Name,PID,Operation,Path,Result,Detail


## Get loaded DLLs

In [105]:
# Image-load events; Path holds the loaded executable or DLL.
df_loaded_dlls = df_procmon.loc[df_procmon["Operation"] == "Load Image"]

In [106]:
# Distinct image paths, in first-seen order.
unique_dlls = df_loaded_dlls["Path"].unique()

In [107]:
# One-column frame of the distinct image paths.
df_unique_dlls = pd.DataFrame({"Path": unique_dlls})

In [108]:
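# Basename of each loaded image (Windows "\" separators). The vectorised .str
# accessor gives the same result as the per-row split and leaves a missing Path
# as NaN instead of raising inside the lambda.
df_unique_dlls["DLL"] = df_unique_dlls["Path"].str.rsplit("\\", n=1).str[-1]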

In [109]:
# 12 distinct images, all with a non-null basename.
df_unique_dlls.count()

Path    12
DLL     12
dtype: int64

In [110]:
# The sample itself plus system libraries. Loads of both System32 and SysWOW64
# ntdll.dll together with wow64.dll/wow64win.dll/wow64cpu.dll indicate a 32-bit
# image running under WOW64 on a 64-bit guest.
df_unique_dlls

Unnamed: 0,Path,DLL
0,C:\Users\Cuckoo\Downloads\gandcrab_v4.exe,gandcrab_v4.exe
1,C:\Windows\System32\ntdll.dll,ntdll.dll
2,C:\Windows\SysWOW64\ntdll.dll,ntdll.dll
3,C:\Windows\System32\wow64.dll,wow64.dll
4,C:\Windows\System32\wow64win.dll,wow64win.dll
5,C:\Windows\System32\wow64cpu.dll,wow64cpu.dll
6,C:\Windows\SysWOW64\kernel32.dll,kernel32.dll
7,C:\Windows\SysWOW64\KernelBase.dll,KernelBase.dll
8,C:\Windows\SysWOW64\apphelp.dll,apphelp.dll
9,C:\Windows\SysWOW64\msvcrt.dll,msvcrt.dll


# Regshot Analysis

## Load data

In [119]:
# Semicolon-delimited Regshot comparison export; parsed columns are Type, Operation, Path.
df_regshot_data = pd.read_csv(regshot_path, delimiter=";")

## Show unique types & operations

In [120]:
# Distinct entry types in the regshot export, sorted.
df_regshot_data["Type"].drop_duplicates().sort_values().tolist()

['File', 'Key', 'Value']

In [121]:
# Distinct change operations in the regshot export, sorted.
df_regshot_data["Operation"].drop_duplicates().sort_values().tolist()

['Added', 'Deleted', 'Modified']

## Files Created

In [122]:
# Files present in the second snapshot but not the first. (The Type/Operation
# filters in this section are all the same shape; a small helper taking both
# values would remove the repetition.)
df_files_created = df_regshot_data.loc[
    (df_regshot_data["Type"] == "File") & (df_regshot_data["Operation"] == "Added")
]

In [123]:
# Added files: two $Recycle.Bin entries under a user SID, Logfile.CSV under
# Desktop\Tools\Results (most likely the capture tooling's own output rather than
# sample behaviour) and the sample's prefetch file, which appears twice (rows 4
# and 5) — possibly a parser duplicate; worth confirming in the raw export.
df_files_created

Unnamed: 0,Type,Operation,Path
1,File,Added,C:\$Recycle.Bin\S-1-5-21-714192414-4250913369-...
2,File,Added,C:\$Recycle.Bin\S-1-5-21-714192414-4250913369-...
3,File,Added,C:\Users\Cuckoo\Desktop\Tools\Results\Logfile.CSV
4,File,Added,C:\Windows\Prefetch\GANDCRAB_V4.EXE-89137057.pf
5,File,Added,C:\Windows\Prefetch\GANDCRAB_V4.EXE-89137057.pf


In [124]:
# 5 added-file rows (non-null count per column).
df_files_created.count()

Type         5
Operation    5
Path         5
dtype: int64

## Files modified

In [125]:
# Files whose content/metadata changed between snapshots. The variable name has
# a typo (modiefied); it is kept because the two cells below reference it.
df_files_modiefied = df_regshot_data.loc[
    (df_regshot_data["Type"] == "File") & (df_regshot_data["Operation"] == "Modified")
]

In [126]:
# Windows Defender scan files, ntuser.dat.LOG1, bootstat.dat and prefetch files
# for dllhost/search hosts — likely background OS and AV activity between the two
# snapshots rather than actions of the sample; treat as noise unless corroborated
# by the Procmon trace.
df_files_modiefied

Unnamed: 0,Type,Operation,Path
10,File,Modified,C:\ProgramData\Microsoft\Windows Defender\Scan...
11,File,Modified,C:\ProgramData\Microsoft\Windows Defender\Scan...
12,File,Modified,C:\Users\All Users\Microsoft\Windows Defender\...
13,File,Modified,C:\Users\All Users\Microsoft\Windows Defender\...
14,File,Modified,C:\Users\Cuckoo\AppData\Roaming\Microsoft\Wind...
15,File,Modified,C:\Users\Cuckoo\ntuser.dat.LOG1
16,File,Modified,C:\Windows\bootstat.dat
17,File,Modified,C:\Windows\Prefetch\DLLHOST.EXE-5E46FA0D.pf
18,File,Modified,C:\Windows\Prefetch\SEARCHFILTERHOST.EXE-77482...
19,File,Modified,C:\Windows\Prefetch\SEARCHPROTOCOLHOST.EXE-0CB...


In [127]:
# 18 modified-file rows; the rendering above shows only indices 10–19, so that
# table appears truncated in this export.
df_files_modiefied.count()

Type         18
Operation    18
Path         18
dtype: int64

## Files Deleted

In [128]:
# Files present in the first snapshot but gone in the second.
df_files_deleted = df_regshot_data.loc[
    (df_regshot_data["Type"] == "File") & (df_regshot_data["Operation"] == "Deleted")
]

In [129]:
# Empty for this sample: no file deletions recorded between the snapshots.
df_files_deleted

Unnamed: 0,Type,Operation,Path


In [130]:
# 0 rows — relevant for the "Read Flow" section at the end, which indexes this frame positionally.
df_files_deleted.count()

Type         0
Operation    0
Path         0
dtype: int64

## Folders Created

In [131]:
# NOTE: the parsed Type column only holds 'File', 'Key' and 'Value' (see the
# unique-type cell above), so this 'Folder' filter is empty by construction; the
# same applies to the Folder modified/deleted cells below. Confirm whether the
# parser folds regshot's folder entries into 'File'.
df_folders_created = df_regshot_data.query("Type == 'Folder' & Operation == 'Added'")

In [132]:
# Empty: 'Folder' is not a value of the Type column in this export.
df_folders_created

Unnamed: 0,Type,Operation,Path


In [133]:
# All zero (no 'Folder' rows exist).
df_folders_created.count()

Type         0
Operation    0
Path         0
dtype: int64

## Folders modified

In [134]:
# NOTE: Type never equals 'Folder' in this export (only File/Key/Value), so the
# result is always empty — see the note on the Folders Created filter.
df_folders_modified = df_regshot_data.query("Type == 'Folder' & Operation == 'Modified'")

In [135]:
# Empty: 'Folder' is not a value of the Type column in this export.
df_folders_modified

Unnamed: 0,Type,Operation,Path


In [136]:
# All zero (no 'Folder' rows exist).
df_folders_modified.count()

Type         0
Operation    0
Path         0
dtype: int64

## Folders Deleted

In [137]:
# NOTE: Type never equals 'Folder' in this export (only File/Key/Value), so the
# result is always empty — see the note on the Folders Created filter.
df_folders_deleted = df_regshot_data.query("Type == 'Folder' & Operation == 'Deleted'")

In [138]:
# Empty: 'Folder' is not a value of the Type column in this export.
df_folders_deleted

Unnamed: 0,Type,Operation,Path


In [139]:
# All zero (no 'Folder' rows exist).
df_folders_deleted.count()

Type         0
Operation    0
Path         0
dtype: int64

## Registry Keys Created

In [140]:
# Registry keys that exist only in the second snapshot.
df_reg_keys_created = df_regshot_data.loc[
    (df_regshot_data["Type"] == "Key") & (df_regshot_data["Operation"] == "Added")
]

In [141]:
# A single new key under HKU\<user SID>; the path is truncated here — widen
# display.max_colwidth to see the full key before attributing it to the sample.
df_reg_keys_created

Unnamed: 0,Type,Operation,Path
0,Key,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [142]:
# 1 added key.
df_reg_keys_created.count()

Type         1
Operation    1
Path         1
dtype: int64

## Registry Keys modified

In [143]:
# Registry keys flagged as modified. The variable name has a typo (modfied); it is
# kept because the two cells below reference it.
df_reg_keys_modfied = df_regshot_data.loc[
    (df_regshot_data["Type"] == "Key") & (df_regshot_data["Operation"] == "Modified")
]

In [144]:
# Empty: no keys recorded as modified.
df_reg_keys_modfied

Unnamed: 0,Type,Operation,Path


In [145]:
# All zero.
df_reg_keys_modfied.count()

Type         0
Operation    0
Path         0
dtype: int64

## Registry Keys Deleted

In [146]:
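# Registry keys removed between the two snapshots. The original filter used
# Type == 'Value', which duplicated the "Registry Values Deleted" cell below and
# left deleted keys uncovered; Type == 'Key' matches the section heading.
df_reg_keys_deleted = df_regshot_data.query("Type == 'Key' & Operation == 'Deleted'")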

In [147]:
# NOTE: the two rows shown (107, 108) are Value entries, identical to the
# "Registry Values Deleted" output below, because the filter in the cell above
# selects Type == 'Value' rather than 'Key'.
df_reg_keys_deleted

Unnamed: 0,Type,Operation,Path
107,Value,Deleted,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVers...
108,Value,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [148]:
# 2 rows — these are Value rows (see the note on the display cell above).
df_reg_keys_deleted.count()

Type         2
Operation    2
Path         2
dtype: int64

## Registry Values Created
<h4 style="color: red">CAUTION: This part could not be parsed correctly: the actual values were spread over multiple lines in an irregular pattern that could not be parsed reliably.</h4>

In [149]:
# Registry values that exist only in the second snapshot (see the parsing caveat above).
df_reg_values_created = df_regshot_data.loc[
    (df_regshot_data["Type"] == "Value") & (df_regshot_data["Operation"] == "Added")
]

In [150]:
# Four added values, all under HKU\<user SID>; paths are truncated in this view.
df_reg_values_created

Unnamed: 0,Type,Operation,Path
6,Value,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1...
7,Value,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1...
8,Value,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1...
9,Value,Added,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [151]:
# 4 added values.
df_reg_values_created.count()

Type         4
Operation    4
Path         4
dtype: int64

## Registry Values modified

In [152]:
# Registry values flagged as modified (see the parsing caveat above).
df_reg_values_modified = df_regshot_data.loc[
    (df_regshot_data["Type"] == "Value") & (df_regshot_data["Operation"] == "Modified")
]

In [153]:
# Rows 29, 31, 35 and 37 carry raw hex bytes in the Path column — the multi-line
# value spill-over described in the caution above. Such continuation rows are
# counted as entries, so the count below overstates the number of modified values.
df_reg_values_modified

Unnamed: 0,Type,Operation,Path
28,Value,Modified,HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journ...
29,Value,Modified,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0...
30,Value,Modified,HKLM\SOFTWARE\Microsoft\Multimedia\Audio\Journ...
31,Value,Modified,00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0...
32,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion...
33,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion...
34,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVers...
35,Value,Modified,01 00 70 00 00 00 05 00 00 00 65 A6 9E 00 01 0...
36,Value,Modified,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVers...
37,Value,Modified,01 00 70 00 00 00 05 00 00 00 65 A6 9E 00 01 0...


In [154]:
# 78 rows, including the hex continuation rows noted above — not 78 distinct values.
df_reg_values_modified.count()

Type         78
Operation    78
Path         78
dtype: int64

## Registry Values Deleted

In [155]:
# Registry values present only in the first snapshot.
df_reg_values_deleted = df_regshot_data.loc[
    (df_regshot_data["Type"] == "Value") & (df_regshot_data["Operation"] == "Deleted")
]

In [156]:
# Two deleted values: one under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
# and one under HKU\<user SID>; both paths are truncated in this view.
df_reg_values_deleted

Unnamed: 0,Type,Operation,Path
107,Value,Deleted,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVers...
108,Value,Deleted,HKU\S-1-5-21-714192414-4250913369-3940896113-1...


In [157]:
# 2 deleted values.
df_reg_values_deleted.count()

Type         2
Operation    2
Path         2
dtype: int64

## Generate Read Flow

In [158]:
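# Synthetic "Read" step for the input document. Regshot only records
# Added/Modified/Deleted (see its operation list above), so the read that starts
# the read → write → delete flow has to be supplied by hand.
read_data = {
    "Type": "File",
    "Operation": "Read",
    "Path": "C:\\Users\\Cuckoo\\Documents\\Images\\a-panther-is-seen-after-being-sedated-in-league-of-the-protection-of-animals-lpa-shelter-in-lille.jpg",
}
# Naming the Series gives the row a label when the flow is assembled into a
# DataFrame below; an unnamed Series would produce a NaN index label there.
read_data_series = pd.Series(read_data, name="read")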

In [64]:
# The execution counts from here on (In [64] … In [79]) are lower than those of
# the cells above, so this section was last run against an earlier kernel state.
read_data_series

Type                                                      File
Operation                                                 Read
Path         C:\Users\Cuckoo\Documents\Images\a-panther-is-...
dtype: object

In [65]:
# Positional lookup into the deleted-files frame. With the GandCrabV4 data loaded
# above, df_files_deleted has 0 rows (see its count), so this raises IndexError
# on Restart & Run All; the output below comes from an earlier capture. Selecting
# by Path (e.g. the value in read_data["Path"]) would not depend on row order.
df_files_deleted.iloc[16]

Type                                                      File
Operation                                              Deleted
Path         C:\Users\Cuckoo\Documents\Images\a-panther-is-...
Name: 16, dtype: object

In [66]:
# Positional lookup into the created-files frame. df_files_created currently has
# 5 rows (see its count), so index 18 raises IndexError on a fresh run; the
# output below (a new file under Documents\Images) comes from an earlier capture.
df_files_created.iloc[18]

Type                                                     File
Operation                                               Added
Path         C:\Users\Cuckoo\Documents\Images\1kheunZNVv.b507
Name: 236, dtype: object

In [75]:
# Read → Added → Deleted flow for one document, assembled from three Series.
# The two positional rows come from frames whose current sizes (5 and 0 rows)
# do not reach those indices, so this only works on the earlier kernel state.
data = [read_data_series]
data.append(df_files_created.iloc[18])
data.append(df_files_deleted.iloc[16])

In [76]:
# One row per Series; each row's index label is the Series name (NaN for the unnamed read step).
df_data = pd.DataFrame(data)

In [77]:
# Flow table with paths truncated at the default max_colwidth (widened in the last cell).
df_data

Unnamed: 0,Type,Operation,Path
Unnamed 0,File,Read,C:\Users\Cuckoo\Documents\Images\a-panther-is-...
236,File,Added,C:\Users\Cuckoo\Documents\Images\1kheunZNVv.b507
16,File,Deleted,C:\Users\Cuckoo\Documents\Images\a-panther-is-...


In [78]:
# Display width option for the flow table below.
pd.set_option("display.width", 0)

In [79]:
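# Temporarily lift the column-width cap so the full file paths are readable.
# Uses pd.option_context directly rather than a mid-notebook import, keeping all
# imports in the first cell.
with pd.option_context("display.max_colwidth", 400):
    display(df_data)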

Unnamed: 0,Type,Operation,Path
Unnamed 0,File,Read,C:\Users\Cuckoo\Documents\Images\a-panther-is-seen-after-being-sedated-in-league-of-the-protection-of-animals-lpa-shelter-in-lille.jpg
236,File,Added,C:\Users\Cuckoo\Documents\Images\1kheunZNVv.b507
16,File,Deleted,C:\Users\Cuckoo\Documents\Images\a-panther-is-seen-after-being-sedated-in-league-of-the-protection-of-animals-lpa-shelter-in-lille.jpg
