Posted by Affix on 06/06/12

Tagged: malware



Malware Analysis Script

Published in: Ruby

URL: http://affix.me

A simple Ruby script to analyse malware: it checks that a file carries an executable header, then scans its raw bytes for strings that suggest interesting system calls, registry access and network activity.

#!/usr/bin/env ruby

# Malware_Analysis.rb
# A ruby malware analyser for analysing
# executable files and displaying interesting
# system calls.

# Pick the screen-clear command for the host. A bare /win/ would also
# match "darwin" (macOS), so test for the actual Windows Ruby builds.
if RUBY_PLATFORM =~ /mswin|mingw|cygwin/
  clearCmd = "cls"
else
  clearCmd = "clear"
end

malware = ARGV[0]

if malware.nil?
  puts "Usage: #{$PROGRAM_NAME} <file>"
  exit 1
end

system(clearCmd)

puts "+-----------------------------------+"
puts "| Malware Analysis Ruby Script      |"
puts "| http://affix.me                   |"
puts "| Written by Keiran \"affix\" Smith  |"
puts "+-----------------------------------+"
puts ""

# True when the file starts with a PE ("MZ") or ELF ("\x7FELF") magic number.
# The file is opened in binary mode so the bytes are not translated on Windows,
# and the block form closes it again whatever happens.
def isBinary(fileName)
  begin
    File.open(fileName, "rb") do |analysis|
      type = analysis.read(4).to_s
      if type =~ /\AMZ/
        return true
      elsif type =~ /\A\x7FELF/
        return true
      else
        return false
      end
    end
  rescue Errno::ENOENT
    puts "[!] File Error!"
    return false
  end
end

# Each entry is a regexp fragment (note "CreateFile.*WRITE"), matched
# case-sensitively against one newline-delimited chunk of the file.
def checkSystem(line)
  systemCalls = ["CreateMutex", "CopyFile", "CreateFile.*WRITE", "NtasdfCreateFile", "call shell32", "advapi32.RegOpenKey",
    "KERNEL32.CreateProcess", "shdocvw", "gethostbyname", "ws2_32.bind", "ws2_32.listen", "ws2_32.htons",
    "advapi32.RegCreate", "advapi32.RegSet", "http://", "Socket", "OutputDebugString", "FindWindow", "IsDebuggerPresent"]

  systemCalls.each do |call|
    if line =~ /#{call}/
      puts "[+] System Call made to : #{call}"
    end
  end
end

# Registry hive names embedded as plain strings in the binary.
def checkRegistry(line)
  registryHives = ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"]

  registryHives.each do |hive|
    if line =~ /#{hive}/
      puts "[+] Registry Access to Hive : #{hive}"
    end
  end
end

# Mostly IRC command words, the classic sign of an IRC-controlled bot.
# Short tokens such as "Port" or "BOT" will also fire on ordinary text.
def checkNetwork(line)
  networkCalls = ["IRC", "Joined channel", "Port", "BOT", "Login", "flood", "ddos", "NICK", "ECHO", "PRIVMSG", "ADMIN", "AWAY", "CONNECT", "KICK", "LIST", "MODE", "MOTD", "PING", "PONG", "QUIT", "SERVLIST", "SERVICE", "NAMES", "JOIN", "INVITE", "INFO", "TRACE", "USERHOST", "WHO", "WHOIS", "VERSION"]

  networkCalls.each do |call|
    if line =~ /#{call}/
      puts "[+] Network Activity Detected : #{call}"
    end
  end
end

if isBinary(malware)
  puts "[+] Valid Executable Found beginning Analysis"
  puts ""
  # Read the raw bytes and test every newline-delimited chunk for indicators.
  File.open(malware, "rb") do |analysis|
    analysis.each_line do |line|
      checkSystem(line)
      checkRegistry(line)
      checkNetwork(line)
    end
  end
else
  puts "[!] Not a valid Executable file"
end
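As an added example, not part of the original snippet or the author's code, here is the same static string-indicator triage written the way a small analysis tool usually does it: the container is identified by its full magic bytes, indicators are matched against strings(1)-style runs of printable bytes rather than newline-delimited chunks, and results come back as structured hits with offsets instead of being printed. The names `INDICATORS`, `exe_type`, `printable_strings`, `triage`, `triage_file` and `SAMPLE` are my own; the indicator list is a subset of the snippet's own lists, and `SAMPLE` is a constructed byte blob, not a real executable.

```ruby
# Added example (not the snippet author's code). Assumed names: INDICATORS,
# exe_type, printable_strings, triage, triage_file, SAMPLE.

INDICATORS = {
  "system"   => ["CreateMutex", "CreateFile.*WRITE", "IsDebuggerPresent", "ws2_32\\.bind"],
  "registry" => ["HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT", "HKEY_LOCAL_MACHINE"],
  # Short IRC verbs get \b anchors so "JOIN" does not fire on "ADJOINED".
  "network"  => ["http://", "\\bPRIVMSG\\b", "\\bJOIN\\b", "\\bNICK\\b"],
}.freeze

# Classify the container by magic bytes. A bare /EL/ would also match
# ordinary text, so the full four-byte ELF signature is required.
def exe_type(bytes)
  bytes = bytes.b
  return :pe  if bytes.start_with?("MZ")
  return :elf if bytes.start_with?("\x7FELF".b)
  :unknown
end

# Runs of printable ASCII at least min_len bytes long, like strings(1),
# returned as [offset, string] pairs. Working on these rather than on
# "\n"-delimited chunks stops a pattern from spanning unrelated bytes.
def printable_strings(bytes, min_len = 4)
  out = []
  bytes.b.scan(/[\x20-\x7E]{#{min_len},}/) { out << [$~.begin(0), $~[0]] }
  out
end

# Return [category, pattern, offset, string] for every indicator hit.
def triage(bytes)
  hits = []
  printable_strings(bytes).each do |offset, s|
    INDICATORS.each do |category, patterns|
      patterns.each do |pat|
        hits << [category, pat, offset, s] if s =~ /#{pat}/
      end
    end
  end
  hits
end

# Convenience wrapper for a file on disk: [container type, hits].
def triage_file(path)
  bytes = File.binread(path)
  [exe_type(bytes), triage(bytes)]
end

# Constructed sample: a PE-looking "MZ" header, NOP filler, one embedded
# string per category, and a decoy that must not match, separated by
# non-printable bytes.
SAMPLE = (
  "MZ".b + "\x90".b * 64 +
  "IsDebuggerPresent\x00".b +
  "\xFF\xFE".b +
  "HKEY_LOCAL_MACHINE\\Software\\Microsoft\x00".b +
  "PRIVMSG #chan :hello\x00".b +
  "ADJOINED\x00".b
).freeze

if __FILE__ == $PROGRAM_NAME
  type, hits = ARGV[0] ? triage_file(ARGV[0]) : [exe_type(SAMPLE), triage(SAMPLE)]
  puts "[*] Container: #{type}"
  hits.each { |cat, pat, off, s| puts "[+] #{cat} (#{pat}) @0x#{off.to_s(16)}: #{s}" }
end
```

Run it with a file path to triage that file, or with no arguments to see the three hits from the constructed sample; the "ADJOINED" decoy shows why short indicator words want `\b` anchors, which the original lists ("Port", "BOT", "ECHO") do not have. Returning hits with offsets rather than printing them makes the output easy to feed into a larger static-analysis pipeline.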
