New tool: MBCScan (Malware Behavior Catalog) #176

Closed
accidentalrebel opened this issue Apr 1, 2021 · 1 comment · Fixed by #177
@accidentalrebel

Good day. I have a new tool called MBCScan. It scans a malicious file and then lists the related MBC behaviors (Malware Behavior Catalog). MBC is similar to MITRE ATT&CK but is specifically made for cataloguing malware. More info here.

The tool determines the MBC behaviors using Flare's Capa as a library. The information is then presented via an interactive mode to make it easy to go through the result.

I am hoping this tool can be added to Remnux to spread more awareness about the MBC project. I think it has a lot of potential especially for making standardized malware reporting.

Here is a sneak peek of the tool:

$ sha256sum test.bin
f8ad6ecb49e68ac7cf261551f01d8ef3348e347cf4239368a26bb2b3ec372904  test.bin

$ ./mbcscan.py -i test.bin
[INFO] Setting up mbc database...
[INFO] Scanning test.bin...
================================================================================
Behaviors list:
================================================================================
(0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
(1) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
(2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
(3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
(4) [C0045]     File System Micro-objective::Copy File
(5) [C0047]     File System Micro-objective::Delete File
(6) [C0051]     File System Micro-objective::Read File
(7) [C0052]     File System Micro-objective::Writes File
(8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
(9) [C0040]     Process Micro-objective::Allocate Thread Local Storage
(10) [C0042]    Process Micro-objective::Create Mutex
(11) [C0041]    Process Micro-objective::Set Thread Local Storage Value
(12) [C0018]    Process Micro-objective::Terminate Process
    __  ___ ____   ______ _____                   
   /  |/  // __ ) / ____// ___/ _____ ____ _ ____ 
  / /|_/ // __  |/ /     \__ \ / ___// __ `// __ \
 / /  / // /_/ // /___  ___/ // /__ / /_/ // / / /
/_/  /_//_____/ \____/ /____/ \___/ \__,_//_/ /_/ 

    Type "?" r "help" to display help.

View the details of a specific entry with the select command.

(mbcscan) s 3

================================================================================
Name:           Write Pipe::Interprocess Communication
================================================================================
MBC_ID:         attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb
External ID:    C0003.004
Objectives:     [OC0006] Communication Micro-objective
Parent:         [C0003] Interprocess Communication
Related:        [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
                Create Pipe::Interprocess Communication, [C0003.002] Connect
                Pipe::Interprocess Communication, [C0003.003] Read
                Pipe::Interprocess Communication
Samples:        None

External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------

To view details of other entries, use the query command.

(mbcscan) q x0004
================================================================================
Name:           Dark Comet
================================================================================
MBC_ID:         malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52
External ID:    X0004
Objectives:     None
Parent:         None
Related:        None
Samples:        None

Description:    A Remote Access Trojan (RAT) that allows a user to control the
                system via a GUI. It has many features which allows a user to use
                it as administrative remote help tool; however, DarkComet has
                many features which can be used maliciously. DarkComet is
                commonly used to spy on the victims by taking screen captures,
                key-logging, or password stealing.

External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/xample-malware/dark-comet.md
- https://en.wikipedia.org/wiki/DarkComet
--------------------------------------------------------------------------------

I can open a pull request if you think this would be a good fit for Remnux users. Thanks!
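
For readers who want to see how a listing like the one above can be derived from capa's results without the interactive front end, here is an added example. It is not MBCScan's or capa's own code. It assumes the layout of capa's JSON report (`capa -j sample.bin`): a top-level `"rules"` mapping whose entries carry `"meta"` with an `"mbc"` list, where each item is either a tag string of the form `Objective::Behavior::Method [ID]` (the form used in capa rule files) or a dict with `objective`, `behavior`, `method` and `id` keys (the form newer capa versions emit). The report embedded below is constructed by hand, and the `Micro-objective` suffix added to C-prefixed IDs mirrors the naming visible in the MBCScan listing above rather than anything capa itself outputs.

```python
"""Aggregate MBC behaviors from a capa-style JSON report and render them
in the same objective-sorted form MBCScan prints.

Added example; not code from MBCScan or capa. The field layout of the
report is an assumption described in the lead-in.
"""
import json
import re

# capa rule-file style tag, e.g.
# "Communication::Interprocess Communication::Write Pipe [C0003.004]"
TAG_RE = re.compile(r"^(?P<parts>.+?)\s+\[(?P<id>[A-Z]\d{4}(?:\.\d{3})?)\]$")

# Constructed stand-in for a capa JSON report; only the fields used here.
SAMPLE_REPORT = json.dumps({
    "rules": {
        "create mutex": {"meta": {"mbc": [
            {"objective": "Process", "behavior": "Create Mutex",
             "method": "", "id": "C0042"}]}},
        "write pipe": {"meta": {"mbc": [
            {"objective": "Communication",
             "behavior": "Interprocess Communication",
             "method": "Write Pipe", "id": "C0003.004"}]}},
        # string form, as found in capa rule files / older reports
        "read pipe": {"meta": {"mbc": [
            "Communication::Interprocess Communication::Read Pipe [C0003.003]"]}},
        "obfuscated argument": {"meta": {"mbc": [
            "Anti-Static Analysis::Argument Obfuscation [B0012.001]"]}},
        "another mutex rule": {"meta": {"mbc": [
            {"objective": "Process", "behavior": "Create Mutex",
             "method": "", "id": "C0042"}]}},
        "no mbc rule": {"meta": {}},
    }
})


def parse_tag(tag):
    """Split 'Objective::Behavior[::Method] [ID]' into its components."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError("not an MBC tag: %r" % tag)
    parts = [p.strip() for p in m.group("parts").split("::")]
    if len(parts) < 2:
        raise ValueError("tag needs at least Objective::Behavior: %r" % tag)
    return {"objective": parts[0], "behavior": parts[1],
            "method": parts[2] if len(parts) > 2 else "", "id": m.group("id")}


def normalize(entry):
    """Accept either the string or the dict form of a capa mbc entry."""
    if isinstance(entry, str):
        return parse_tag(entry)
    return {"objective": entry["objective"], "behavior": entry["behavior"],
            "method": entry.get("method") or "", "id": entry["id"]}


def display_name(entry):
    """Render Objective::Method::Behavior the way the MBCScan listing does.
    C-prefixed IDs are MBC micro-behaviors, whose objectives MBC names
    '<X> Micro-objective' (assumption taken from the listing above)."""
    objective = entry["objective"]
    if entry["id"].startswith("C") and not objective.endswith("Micro-objective"):
        objective += " Micro-objective"
    if entry["method"]:
        return "%s::%s::%s" % (objective, entry["method"], entry["behavior"])
    return "%s::%s" % (objective, entry["behavior"])


def collect_behaviors(report_json):
    """Return unique MBC entries (deduplicated by external ID), each with the
    capa rules that produced it, sorted by objective then name."""
    report = json.loads(report_json)
    found = {}
    for rule_name, rule in report.get("rules", {}).items():
        for raw in rule.get("meta", {}).get("mbc", []) or []:
            entry = normalize(raw)
            rec = found.setdefault(entry["id"], dict(entry, rules=[]))
            rec["rules"].append(rule_name)
    return sorted(found.values(),
                  key=lambda e: (e["objective"], display_name(e)))


def render(behaviors):
    """Produce the numbered '(n) [ID] Name' lines of the behaviors list."""
    return ["(%d) %-11s %s" % (i, "[" + e["id"] + "]", display_name(e))
            for i, e in enumerate(behaviors)]


if __name__ == "__main__":
    for line in render(collect_behaviors(SAMPLE_REPORT)):
        print(line)
```

Deduplicating on the external ID matters: several capa rules commonly map to the same MBC behavior (two mutex rules here both yield C0042), and keeping the contributing rule names per behavior is what lets an analyst jump from a catalog entry back to the evidence in the sample.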

@lennyzeltser

Sounds very nice, @accidentalrebel. It would be great to receive a pull request for incorporating this tool into REMnux!
