From 4731402ad9a9d8769015b95754650bac28f6d721 Mon Sep 17 00:00:00 2001 
From: Zappus Date: Sat, 26 May 2018 09:34:37 -0400 Subject: [PATCH] added MalwareBunny added MalwareBunny payload --- .../Incident_Response/MalwareBunny/README.md | 36 +++++++++++++++ .../MalwareBunny/install/binwalk.sh | 45 +++++++++++++++++++ .../MalwareBunny/install/capstone.sh | 21 +++++++++ .../MalwareBunny/install/dshell.sh | 29 ++++++++++++ .../MalwareBunny/install/featherduster.sh | 17 +++++++ .../MalwareBunny/install/peepdf.sh | 33 ++++++++++++++ .../MalwareBunny/install/punbup.sh | 15 +++++++ .../MalwareBunny/install/setup.sh | 30 +++++++++++++ .../MalwareBunny/install/ssdeep.sh | 23 ++++++++++ .../MalwareBunny/install/viper.sh | 17 +++++++ .../MalwareBunny/install/wabt.sh | 15 +++++++ .../MalwareBunny/install/yara.sh | 23 ++++++++++ .../MalwareBunny/switch1/payload.txt | 24 ++++++++++ .../MalwareBunny/switch2/payload.txt | 18 ++++++++ 14 files changed, 346 insertions(+) create mode 100644 payloads/library/Incident_Response/MalwareBunny/README.md create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/binwalk.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/capstone.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/dshell.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/featherduster.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/peepdf.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/punbup.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/setup.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/ssdeep.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/viper.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/wabt.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/install/yara.sh create mode 100644 payloads/library/Incident_Response/MalwareBunny/switch1/payload.txt 
create mode 100644 payloads/library/Incident_Response/MalwareBunny/switch2/payload.txt
diff --git a/payloads/library/Incident_Response/MalwareBunny/README.md b/payloads/library/Incident_Response/MalwareBunny/README.md
new file mode 100644
index 000000000..316d44b78
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/README.md
@@ -0,0 +1,36 @@
+# Malware Bunny
+## Overview
+This Bash Bunny module is used to install many tools used for reverse engineering and malware analysis.
+
+
+2 Operation Modes
+* Web UI for quick access to samples
+* SSH access for analysis sessions
+
+
+## Getting Started
+1. Get Bunny to access the Internet
+2. Install all tools and components
+* or - run setup.sh to install everything
+* or - manually install every tool from setup scripts
+3. Boot Bunny in Arming mode and upload payload files to switch1 and switch2
+4. Boot Bunny in switch1 mode to access web interface
+5. Boot Bunny in switch2 mode to access ssh interface
+
+Web interface is meant long analysis sessions with minimal use, therefore CUCUMBER is enabled.
+
+
+## Software Installed
+1. viper v1.2
+2. ssdeep v2.14.1
+3. yara v3.7.0
+4. pyew
+6. featherduster
+7. capstone
+8. binwalk
+9. dshell
+10. wabt
+11. peepdf
+12. unzip
+13. punbup
+
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/binwalk.sh b/payloads/library/Incident_Response/MalwareBunny/install/binwalk.sh
new file mode 100644
index 000000000..9f3cee085
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/binwalk.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: binwalk install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+apt-get install -y python-lzma python-crypto libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord zlib1g-dev liblzma-dev liblzo2-dev liblzo2-dev python-lzo
+pip install cstruct
+
+cd /tools/
+git clone https://github.com/ReFirmLabs/binwalk
+cd binwalk
+
+
+git clone https://github.com/devttys0/sasquatch
+cd sasquatch/
+ls
+# edit build file to fix lack of sudo error on make install
+# vi build.sh
+./build.sh
+
+cd ..
+git clone https://github.com/sviehb/jefferson
+cd jefferson
+python setup.py install
+
+cd ..
+git clone https://github.com/jrspruitt/ubi_reader
+cd ubi_reader
+python setup.py install
+
+cd ..
+git clone https://github.com/devttys0/yaffshiv
+cd yaffshiv
+python setup.py install
+
+cd ..
+wget -O - http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
+cp bin/unstuff /usr/local/bin/
+
+python setup.py install
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/capstone.sh b/payloads/library/Incident_Response/MalwareBunny/install/capstone.sh
new file mode 100644
index 000000000..7e914aece
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/capstone.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: capstone install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+cd /tmp/
+wget https://github.com/aquynh/capstone/archive/3.0.5-rc2.tar.gz
+tar xf 3.0.5-rc2.tar.gz
+rm 3.0.5-rc2.tar.gz
+mv capstone-3.0.5-rc2/ /tools/capstone
+
+cd /tools/capstone
+make
+make install
+
+cd bindings/python
+make install
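Review bot: The StuffIt tarball near the end of the hunk is fetched over plain HTTP and piped straight into `tar -zxv`, and `cp bin/unstuff /usr/local/bin/` then puts that unverified binary on the PATH of a root-run installer, so a tampered download becomes a trusted tool. Save the archive first and check a recorded digest before extracting, e.g. `wget -O stuffit.tar.gz http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz`, `printf '%s  stuffit.tar.gz\n' "<EXPECTED_SHA256>" | sha256sum -c - || exit 1`, `tar -zxvf stuffit.tar.gz`. The script also has no `set -e`, so if any `git clone` or `cd` fails the following `python setup.py install` runs in whatever directory is current; the same applies to capstone.sh, dshell.sh, featherduster.sh, peepdf.sh, punbup.sh, ssdeep.sh, viper.sh, wabt.sh and yara.sh in this commit. The stray `ls` and the `# vi build.sh` comment show a manual edit step that the script does not perform, which belongs in the header (for example `# NOTE: sasquatch build.sh needs a manual edit before ./build.sh; this script is not unattended-safe`) so nobody expects a hands-off run.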
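Review bot: Every download in this hunk lands under a fixed name in the shared `/tmp/` (`cd /tmp/` followed by `wget https://github.com/aquynh/capstone/archive/3.0.5-rc2.tar.gz`) and is unpacked as root with no checksum, so a pre-existing file or symlink of that name left by another local user is silently used, and an altered archive is built and installed by `make install`. Use a private scratch directory and verify the pinned release before extracting, e.g. `workdir=$(mktemp -d) || exit 1`, `cd "$workdir" || exit 1`, then a `sha256sum -c` against a recorded digest before `tar xf`. The same fixed-name `/tmp` pattern is repeated in ssdeep.sh, viper.sh, yara.sh and peepdf.sh.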
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/dshell.sh b/payloads/library/Incident_Response/MalwareBunny/install/dshell.sh
new file mode 100644
index 000000000..65d5c1f0f
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/dshell.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: dshell install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+apt-get install -y python-dpkt python-ipy python-pypcap
+pip install pygeoip
+
+cd /tools/
+git clone https://github.com/USArmyResearchLab/Dshell dshell
+cd dshell
+
+cd share/GeoIP/
+wget http://geolite.macxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
+gunzip -d GeoIP.dat.gz
+wget http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz
+gunzip -d GeoIPv6.dat.gz
+wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
+gunzip -d GeoIPASNum.dat.gz
+wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz
+gunzip -d GeoIPASNumv6.dat.gz
+cd ../../
+
+make
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/featherduster.sh b/payloads/library/Incident_Response/MalwareBunny/install/featherduster.sh
new file mode 100644
index 000000000..051c32c51
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/featherduster.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: featherduster install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+apt-get install -y libgmp3-dev
+apt-get install -y libncurses-dev
+
+cd /tools
+git clone https://github.com/nccgroup/featherduster
+cd featherduster
+
+python setup.py install
\ No newline at end of file
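Review bot: The first GeoIP download host is misspelled: `wget http://geolite.macxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz` should read `wget http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz`, matching the `geolite.maxmind.com` host used on the very next line. As written the fetch fails (or, should anyone register the look-alike domain, returns whatever that server chooses to send), the following `gunzip -d GeoIP.dat.gz` errors out, and Dshell is built without its country database while the script still reports nothing. All four databases are also pulled over plain HTTP with no integrity check, so a digest comparison after each download would be worth adding alongside the fix.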
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/peepdf.sh b/payloads/library/Incident_Response/MalwareBunny/install/peepdf.sh
new file mode 100644
index 000000000..b299610fe
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/peepdf.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: peepdf install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+apt-get install -y unzip python-libemu
+
+cd /tmp/
+wget http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip
+unzip peepdf_0.3.zip
+mv peepdf_0.3 /tools/peepdf
+cd /tools/peepdf
+
+#mkdir dpt
+#cd dpt
+#wget https://storage.googleapis.com/chrome-infra/depot_tools.zip
+#unzip depot_tools.zip
+#cd ..
+#mv dpt /tools/depot_tools
+#echo 'export PATH=$PATH:$HOME/../tools/depot_tools' >> ~/.bashrc
+#gclient
+#mkdir /tools/v8
+#cd /tools/v8
+#fetch v8
+
+
+
+
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/punbup.sh b/payloads/library/Incident_Response/MalwareBunny/install/punbup.sh
new file mode 100644
index 000000000..ed0cbc435
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/punbup.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: punbup install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+cd /tools
+git clone https://github.com/herrcore/punbup
+cd punbup
+python setup.py install
+
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/setup.sh b/payloads/library/Incident_Response/MalwareBunny/install/setup.sh
new file mode 100644
index 000000000..bc3993715
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/setup.sh
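Review bot: `unzip peepdf_0.3.zip` runs as root on an archive fetched over plain HTTP from `http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip` with no checksum, so a modified archive is extracted and moved into `/tools/peepdf` as-is. Record the expected digest and check it before unpacking, e.g. `printf '%s  peepdf_0.3.zip\n' "<EXPECTED_SHA256>" | sha256sum -c - || exit 1` between the `wget` and the `unzip`. The eleven commented-out `depot_tools`/`v8` lines after `cd /tools/peepdf` are dead code that nothing maintains; either delete them or replace them with a single `# TODO: optional depot_tools/V8 setup is not automated` so the intent survives without a half-finished procedure.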
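Review bot: `git clone https://github.com/herrcore/punbup` tracks whatever the default branch points at on the day of install, so `python setup.py install` runs unreviewed code as root and two Bunnies set up a week apart may end up with different builds. Pin the checkout to a reviewed revision, e.g. `git -C punbup checkout <PINNED_COMMIT>` before the `cd punbup`. The same unpinned clones appear in binwalk.sh (binwalk, sasquatch, jefferson, ubi_reader, yaffshiv), dshell.sh, featherduster.sh and wabt.sh.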
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: main install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+# Install System Dependencies
+apt-get install -y automake libtool make gcc flex bison libmagic-dev libssl-dev python-dev swig libfuzzy-dev exiftool
+
+# Install Python Dependencies
+pip install SQLAlchemy PrettyTable python-magic
+
+# Other Tools
+apt-get -y install python-scapy pyew unzip
+
+# Setup Custom Tools
+./ssdeep.sh
+./yara.sh
+./viper.sh
+./dshell.sh
+./capstone.sh
+./binwalk.sh
+./featherduster.sh
+./wabt.sh
+./peepdf.sh
+
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/ssdeep.sh b/payloads/library/Incident_Response/MalwareBunny/install/ssdeep.sh
new file mode 100644
index 000000000..4e617d24f
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/ssdeep.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: ssdeep install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+cd /tmp
+
+wget https://github.com/ssdeep-project/ssdeep/archive/release-2.14.1.tar.gz
+tar xf release-2.14.1.tar.gz
+rm release-2.14.1.tar.gz
+mv ssdeep-release-2.14.1/ /tools/ssdeep
+cd /tools/ssdeep
+
+./bootstrap
+./configure
+make
+make install
+
+pip install pydeep
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/viper.sh b/payloads/library/Incident_Response/MalwareBunny/install/viper.sh
new file mode 100644
index 000000000..87dab5370
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/viper.sh
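Review bot: The `./ssdeep.sh` through `./peepdf.sh` calls at the end of the hunk are resolved against the caller's current directory rather than the script's own, so running `setup.sh` from anywhere other than `install/` fails on the first call and, with no `set -e`, the remaining eight calls fail the same way while the script still exits 0. Add `cd "$(dirname "$0")" || exit 1` before the calls and `set -euo pipefail` at the top. The README in this commit lists punbup as installed software and `install/punbup.sh` is added alongside, but `setup.sh` never invokes it; either append `./punbup.sh` to the list or drop it from the README. An `apt-get update` before the first `apt-get install -y` would also make the installs less dependent on how fresh the image's package lists happen to be.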
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: viper install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+cd /tmp
+wget https://github.com/viper-framework/viper/archive/v1.2.tar.gz
+tar xf v1.2.tar.gz
+rm v1.2.tar.gz
+mv viper-1.2/ /tools/viper
+
+cd /tools/viper
+pip install -r requirements.txt
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/wabt.sh b/payloads/library/Incident_Response/MalwareBunny/install/wabt.sh
new file mode 100644
index 000000000..a9f3a13b6
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/wabt.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: web assembly binary toolkit install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+apt-get install cmake clang
+
+cd /tools/
+git clone --recursive https://github.com/WebAssembly/wabt
+cd wabt
+make
diff --git a/payloads/library/Incident_Response/MalwareBunny/install/yara.sh b/payloads/library/Incident_Response/MalwareBunny/install/yara.sh
new file mode 100644
index 000000000..03baf4f80
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/install/yara.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# Title: Malware Bunny
+# Description: yara install script
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+# Firmware: 1.5
+
+
+cd /tmp
+wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz
+tar xf v3.7.0.tar.gz
+rm v3.7.0.tar.gz
+mv yara-3.7.0/ /tools/yara
+
+cd /tools/yara
+./bootstrap.sh
+./configure --enable-magic --enable-dotnet
+make
+make install
+
+pip install yara-python
diff --git a/payloads/library/Incident_Response/MalwareBunny/switch1/payload.txt b/payloads/library/Incident_Response/MalwareBunny/switch1/payload.txt
new file mode 100644
index 000000000..b588d7ae9
--- /dev/null
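Review bot: `apt-get install cmake clang` in wabt.sh is the only apt call in this commit without `-y`; when driven from `setup.sh` with no terminal attached, apt either waits on its confirmation prompt or aborts when stdin is not a tty, and `git clone --recursive` plus `make` then proceed without the compiler and build system they depend on. Change it to `apt-get install -y cmake clang`, matching the other install scripts.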
+++ b/payloads/library/Incident_Response/MalwareBunny/switch1/payload.txt
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Title: MalwareBunny
+# Description: Malware Analysis on Bash Bunny
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+#
+# LED State Descriptions
+# Magenta Blinking - setup in progress
+# Blue Blinking - ready to use
+
+LED M SLOW
+
+ATTACKMODE RNDIS_ETHERNET
+sleep 3
+
+cd /tools/viper/
+python web.py -H 0.0.0.0 -p 8080 &
+
+CUCUMBER ENABLE
+sleep 3
+
+LED B SLOW
diff --git a/payloads/library/Incident_Response/MalwareBunny/switch2/payload.txt b/payloads/library/Incident_Response/MalwareBunny/switch2/payload.txt
new file mode 100644
index 000000000..064a2242a
--- /dev/null
+++ b/payloads/library/Incident_Response/MalwareBunny/switch2/payload.txt
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Title: MalwareBunny
+# Description: Malware Analysis on Bash Bunny
+# Author: Zappus
+# Version: 1.0
+# Category: Incident-Response
+# Attackmodes: Ethernet
+#
+# LED State Descriptions
+# Magenta Blinking - setup in progress
+# Blue Blinking - ready to use
+
+LED M SLOW
+
+ATTACKMODE RNDIS_ETHERNET
+sleep 5
+
+LED B SLOW
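Review bot: `python web.py -H 0.0.0.0 -p 8080 &` brings the Viper web interface up on every interface as soon as `ATTACKMODE RNDIS_ETHERNET` establishes the link, and nothing in this payload or the README mentions authentication, so any host that can reach the Bunny's address can browse and download the stored malware samples. That is presumably intended for the single USB host, but the header should say so; a comment such as `# Web UI listens on all interfaces with no authentication configured here; connect the Bunny only to the analysis host` keeps the next user from plugging it into a shared network. The `cd /tools/viper/` is unchecked: if the install never completed, `web.py` is not found, the background job dies quietly and the LED still turns blue, so `cd /tools/viper/ || { LED R SLOW; exit 1; }` would surface the failure. Redirecting the server's output to a log file instead of leaving it detached would also make a silent crash diagnosable.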
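Review bot: The README describes switch2 as the SSH access mode, but this payload only runs `ATTACKMODE RNDIS_ETHERNET` and changes the LED; no SSH service is started or configured here, so it presumably relies on whatever the firmware already runs. The header says `Magenta Blinking - setup in progress`, yet nothing is set up, so state the actual contract in the header, e.g. `# No service is started here: SSH access relies on the sshd already provided by the firmware`, so a reader does not look for a missing step.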