Advanced Search

Malware Analysis Script

/ Published in: Ruby
Save to your folder(s)
A simple script to analyse malware in ruby

Expand | Embed | Plain Text

Copy this code and paste it in your HTML 
  1. #!/usr/bin/env ruby
  2.  
  3. # Malware_Analysis.rb
  4. # A ruby malware analyser for analysing
  5. # executable files and displaying interesting
  6. # system calls.
  7.  
  8.  
  9. if RUBY_PLATFORM =~ /win/
  10. 	clearCmd = "cls"
  11. else
  12. 	clearCmd = "clear"
  13. end
  14.  
  15. malware = ARGV[0]
  16.  
  17. system(clearCmd)
  18.  
  19. puts "+-----------------------------------+"
  20. puts "| Malware Analysis Ruby Script      |"
  21. puts "| http://affix.me                   |"
  22. puts "| Written by Keiran \"affix\" Smith   |"
  23. puts "+-----------------------------------+"
  24. puts ""
  25.  
  26. def isBinary(fileName)
  27. 	begin
  28. 		analysis = File.new(fileName, "r")
  29. 		type= analysis.read(4)
  30. 		if type =~ /MZ/	
  31. 			return true
  32. 		else
  33. 			if type =~ /EL/
  34. 				return true
  35. 			else
  36. 				return false
  37. 			end
  38. 		end
  39. 	rescue Errno::ENOENT
  40. 		puts "[!] File Error!"
  41. 	end
  42. end
  43.  
  44. def checkSystem(line)
  45. 	systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
  46. 	"KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons", 
  47. 	"advapi32.RegCreate", "advapi32.RegSet", "http://","Socket",  "OutputDebugString",  "FindWindow", "IsDebuggerPresent"]
  48.  
  49. 	systemCalls.each do | call |
  50. 		if line =~ /#{call}/
  51. 			puts "[+] System Call made to : #{call}"
  52. 		end
  53. 	end
  54. end
  55.  
  56. def checkRegistry(line)
  57. 	registryHives = ["HKEY_CURRENT_USER","HKEY_CLASSES_ROOT","HKEY_LOCAL_MACHINE"]
  58.  
  59. 	registryHives.each do | hive |
  60. 		if line =~ /#{hive}/
  61. 			puts "[+] Registry Access to Hive : #{hive}"
  62. 		end
  63. 	end
  64. end
  65.  
  66. def checkNetwork(line)
  67. 	networkCalls = ["IRC","Joined channel","Port","BOT","Login","flood","ddos","NICK","ECHO","PRIVMSG","ADMIN","AWAY","CONNECT","KICK","LIST","MODE","MOTD","PING","PONG","QUIT","SERVLIST","SERVICE","NAMES","JOIN","INVITE","INFO","TRACE","USERHOST","WHO","WHOIS","VERSION"]
  68.  
  69. 	networkCalls.each do | call |
  70. 		if line =~ /#{call}/
  71. 			puts "[+] Network Activity Detected : #{call}"
  72. 		end
  73. 	end
  74. end
  75.  
  76. if isBinary(malware)
  77. 	puts "[+] Valid Executable Found beginning Analysis"
  78. 	puts ""
  79. 	analysis = File.new(malware, "r:ASCII-8BIT")
  80. 	analysis.readlines.each do | line |
  81. 		checkSystem(line)
  82. 		checkRegistry(line)
  83. 		checkNetwork(line)
  84. 	end
  85. else
  86. 		puts "[!] Not a valid Executable file"
  87. end

URL: http://affix.me

Report this snippet


Comments

RSS Icon Subscribe to comments

You need to login to post a comment.