therealunicornsecurity/tricard

tricard

Malware sandbox fingerprinting

Glossary

IoC: Indicator of compromise
IoD: Indicator of detection

tricard is an IoD collection and analysis toolset

More info at https://therealunicornsecurity.github.io/Tricard/

How it works

tricard works using the following steps:

  • Compile unique binaries, watermarked in order to track the source of the data collected
  • Send binaries to various platforms and sandboxes
  • Collect data
  • Analyze offline

Installation

Agent and dispatcher

apt-get install gcc-mingw-w64 zlib1g-dev

Edit dispatcher.py and add your own HMAC signing key (the excerpt below shows only the signing part of send_statham; the parameter named json shadows the json module, so keep that in mind if you extend the function):

import hashlib
import hmac

def send_statham(server,json):
    SECRET_KEY = b'YOUR KEY'
    message = json
    # The tag is computed over str(message), i.e. the Python repr of the dict;
    # srv.py must reproduce exactly these bytes to verify the tag.
    hmac_signature = hmac.new(SECRET_KEY, str(message).encode('utf-8'), hashlib.sha256)
    hmac_hex = hmac_signature.hexdigest()
    jsondatam = {
        'message': message,
        'hmac': hmac_hex
    }

Edit srv.py and add the same signing key:

from flask import Flask

app = Flask(__name__)

# Replace this with your actual secret key (must match the dispatcher's key)
SECRET_KEY = b"YOUR KEY"
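The following is an added example, not code from the tricard repository, showing the sign-then-verify round trip the two snippets above set up: the dispatcher wraps a collected report in an HMAC-SHA256 envelope, and the collect server recomputes the tag with the shared key and compares it in constant time, rejecting a report whose body was altered in transit or that was signed with a different key. It departs from the README snippet in one deliberate way: it MACs a canonical JSON encoding of the report instead of str(message), so both ends are guaranteed to hash identical bytes regardless of Python repr details. The key, the report fields and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed key for this example only; a deployment uses the key placed in
# dispatcher.py and srv.py.
SECRET_KEY = b"example-key-do-not-use"


def canonical(message: dict) -> bytes:
    """Serialise the report deterministically so both ends MAC the same bytes.

    Sorted keys and fixed separators remove any dependence on dict ordering
    or on Python's repr (True vs. true, whitespace) between client and server.
    """
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_report(message: dict, key: bytes = SECRET_KEY) -> dict:
    """Dispatcher/agent side: wrap a collected report with its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"message": message, "hmac": tag}


def verify_report(envelope: dict, key: bytes = SECRET_KEY) -> bool:
    """Collect-server side: recompute the tag and compare in constant time.

    Returns False (never raises) on a malformed envelope so an attacker
    cannot distinguish 'bad shape' from 'bad tag' by error behaviour.
    """
    if not isinstance(envelope, dict) or "message" not in envelope or "hmac" not in envelope:
        return False
    if not isinstance(envelope["message"], dict):
        return False
    expected = hmac.new(key, canonical(envelope["message"]), hashlib.sha256).hexdigest()
    # compare_digest on bytes avoids timing leaks and the TypeError that
    # non-ASCII str input would otherwise raise.
    return hmac.compare_digest(expected.encode("ascii"), str(envelope["hmac"]).encode("utf-8"))


def demo():
    """Sign a constructed report, then verify the genuine, tampered and wrong-key cases."""
    # Constructed sample report; the field names are assumptions, not tricard's schema.
    report = {"sample": "sample1", "hostname": "WIN-ABC", "cpu_count": 2, "has_debugger": False}
    envelope = sign_report(report)
    genuine_ok = verify_report(envelope)

    # Simulate a JSON round trip through the network, then alter the body.
    tampered = json.loads(json.dumps(envelope))
    tampered["message"]["sample"] = "sample2"
    tampered_ok = verify_report(tampered)

    wrong_key_ok = verify_report(envelope, b"some-other-key")
    return genuine_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```

In srv.py the equivalent check would run on the parsed request body before the report is stored; a failed check should be logged and answered with a generic error, since a tampered or replayed report is itself a signal that the collect endpoint has been noticed.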

Run the dispatcher to compile as many versions of tricard as you wish:

python dispatcher.py -d your_collect_server_domain -l sample1 sample2 sample3 ....

All the sources are in tmpsrc. The tmpbuild folder will then contain:

  • tricard.sample1.exe
  • tricard.sample2.exe
  • tricard.sample3.exe

Note

The dispatcher is meant to run on Linux, but it can be executed on Windows hosts using Python 3. To do so, it is necessary to:

  • Install MinGW or Cygwin (for sed)
  • Change dispatcher.py to use a Windows-based compiler

Server setup

You will need:

  • a VPS with python3
  • a domain pointing to the VPS
  • SSL certificates

Change srv.py to make it use your certificates:

if __name__ == "__main__":
    app.run(
        host="0.0.0.0",
        port=443,
        debug=False,  # keep debug off: the Werkzeug debugger allows remote code execution
        ssl_context=(
            "path/to/your/fullchain.pem",
            "path/to/your/privkey.pem",
        ),
    )

Install necessary packages:

pip install flask pandas

Run the server (binding port 443 requires root or the CAP_NET_BIND_SERVICE capability):

python3 srv.py

Evasion

tricard does not attempt any AV or EDR evasion. Expect its binaries to be flagged by AVs and EDRs.

Limitations

tricard only targets x64 Windows sandboxes, although it is easy to adapt it to support x86.

Goals

tricard was initially developed to help us during red team engagements, but it could also be used by sandbox vendors to improve their setups and make detection less predictable. Considering the scope of the tool, it is necessary to add that under no circumstances do we condone the use of tricard, or of open source security tools in general, outside the scope of legitimate engagements. These tools are meant to help security professionals do their jobs.
