Malware sandbox fingerprinting
IoC: Indicator of compromise
IoD: Indicator of detection
tricard is an IoD collection and analysis toolset
More info at https://therealunicornsecurity.github.io/Tricard/
tricard works using the following steps:
- Compile unique binaries, watermarked in order to track the source of the data collected
- Send binaries to various platforms and sandboxes
- Collect data
- Analyze offline
apt-get install gcc-mingw-w64 zlib1g-dev
Edit dispatcher.py, and add your own HMAC signing key (use a long random value and keep it out of version control; srv.py must carry the same key):

    import hashlib
    import hmac


    def send_statham(server, json):
        SECRET_KEY = b'YOUR KEY'
        message = json
        # The tag covers str(message): the collection server must MAC exactly the same bytes
        hmac_signature = hmac.new(SECRET_KEY, str(message).encode('utf-8'), hashlib.sha256)
        hmac_hex = hmac_signature.hexdigest()
        jsondatam = {
            'message': message,
            'hmac': hmac_hex
        }
        # the remainder of the function, which sends jsondatam to server, is unchanged
Edit srv.py and add the same signing key:
    from flask import Flask

    app = Flask(__name__)
    # Replace this with your actual secret key (identical to the one in dispatcher.py)
    SECRET_KEY = b"YOUR KEY"
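How the two halves fit together, as an added example that is not tricard's own code: the dispatcher side wraps an IoD report in an HMAC-SHA256 envelope, and the collector side recomputes the tag and compares it in constant time with hmac.compare_digest, rejecting tampered reports, reports signed with another key, and malformed bodies. The dispatcher snippet above MACs str(message); this example instead MACs a canonical JSON encoding (sorted keys, no whitespace) so both sides are guaranteed to hash identical bytes. The key, the sample report and the helper names are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a deployment use something like secrets.token_bytes(32),
# configured identically in dispatcher.py and srv.py.
SECRET_KEY = b"demo-key-change-me"


def canonical(message: dict) -> bytes:
    """Deterministic serialization so client and server MAC the same bytes."""
    return json.dumps(message, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_message(message: dict, key: bytes = SECRET_KEY) -> dict:
    """Dispatcher side: wrap the IoD payload with an HMAC-SHA256 tag (hex)."""
    tag = hmac.new(key, canonical(message), hashlib.sha256).hexdigest()
    return {"message": message, "hmac": tag}


def encode_body(envelope: dict) -> str:
    """The JSON text a sample would POST to the collection server."""
    return json.dumps(envelope)


def verify_envelope(envelope, key: bytes = SECRET_KEY) -> bool:
    """Collector side: recompute the tag over the received message and compare in constant time."""
    if not isinstance(envelope, dict) or "message" not in envelope:
        return False
    provided = envelope.get("hmac")
    if not isinstance(provided, str):
        return False
    try:
        expected = hmac.new(key, canonical(envelope["message"]), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking how many leading hex digits matched
        return hmac.compare_digest(expected, provided)
    except (TypeError, ValueError):  # unserializable message or non-ASCII tag
        return False


def receive(raw_body: str, key: bytes = SECRET_KEY):
    """What the collector does with a POST body: parse, verify, return the message or None."""
    try:
        envelope = json.loads(raw_body)
    except ValueError:
        return None
    return envelope["message"] if verify_envelope(envelope, key) else None


# Constructed sample report; "sample" is the watermark label the dispatcher baked into the binary.
SAMPLE = {"sample": "sample1", "hostname": "DESKTOP-TEST", "cpu_count": 2, "uptime_s": 143}

if __name__ == "__main__":
    body = encode_body(sign_message(SAMPLE))
    print("genuine accepted:", receive(body) == SAMPLE)

    forged = sign_message(SAMPLE)
    forged["message"] = dict(SAMPLE, uptime_s=9999)  # payload edited after signing
    print("tampered rejected:", receive(encode_body(forged)) is None)

    other = encode_body(sign_message(SAMPLE, key=b"other-key"))
    print("wrong key rejected:", receive(other) is None)
```

Whatever serialization you choose, the rule is the same: the server must feed the HMAC exactly the bytes the dispatcher signed, and must compare tags with hmac.compare_digest rather than ==.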
Run the dispatcher to compile as many versions of tricard as you wish:
python dispatcher.py -d your_collect_server_domain -l sample1 sample2 sample3 ....
All the sources are in tmpsrc. The tmpbuild folder will then contain:
- tricard.sample1.exe
- tricard.sample2.exe
- tricard.sample3.exe
Note
The dispatcher is meant to run on Linux, but it can be executed on Windows hosts using Python 3. However, it is necessary to:
- Install Mingw or Cygwin (for sed)
- Change dispatcher.py to use a Windows based compiler
For the collection server you will need:
- a VPS with python3
- a domain pointing to the VPS
- TLS certificates for that domain (full chain and private key)
Change srv.py to make it use your certificates:
    if __name__ == "__main__":
        # Flask's built-in server; binding port 443 requires root or CAP_NET_BIND_SERVICE
        app.run(
            host="0.0.0.0",
            port=443,
            debug=False,
            ssl_context=(
                "path/to/your/fullchain.pem",
                "path/to/your/privkey.pem",
            ),
        )
Install necessary packages:
pip install flask pandas
Run the server using:
python3 srv.py
tricard does not perform any AV bypass: expect it to be flagged by AVs and EDRs.
tricard only targets x64 Windows sandboxes, although adapting it to x86 is straightforward.
tricard was initially developed to help us during red team engagements, but it could also be used by sandbox vendors to improve their setups and make detection less predictable. Given the scope of the tool, we must add that we do not condone, under any circumstances, the use of tricard, or of open source security tools in general, outside the scope of legitimate engagements. These tools are meant to help security professionals do their jobs.