Quick Malware Triage With Inotify Tools
When you handle a lot of malicious files, you must have a process and tools in place to speed up the analysis. It's impossible to investigate every file in depth; the key point is to find the interesting files that deserve more attention. In my malware analysis lab, I use a repository called my "Malware Zoo" where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me keep all the "dangerous files" in a central location and avoid spreading dangerous stuff everywhere. When you analyze malware, you quickly generate more files: you extract shellcode, configurations, DLLs, more executables, and those files should also be analyzed. To perform a quick triage with basic operations, I rely on the inotify[1] suite (the inotify-tools package, which provides inotifywait).
This suite of tools allows you to track changes on a file system: via command-line tools you receive events when a file has been created, deleted or opened. I'm using a simple script on my malware zoo that receives a notification every time a file is created (which means I dropped a new sample). Then the script performs simple actions. By default:
- It generates the SHA256 of the file
- It performs a lookup on VT
Of course, the script can perform deeper actions depending on the file type: extract strings from PE files, disassemble a shellcode, the sky is the limit!
Here is my simple script:
```bash
#!/bin/bash
#
# inotify_triage.sh - Automatic triage script based on inotifywait
#

# Path to monitor
MALWAREZOO="/data/my_malware_zoo"

# Exclude the files generated by this script itself (and editor swap files),
# otherwise every result written to the zoo would trigger a new event.
inotifywait -m -e create -r --exclude "\.(tmp|sha256sum|vtresults|sw\w+)$" "$MALWAREZOO" | \
while read path action file
do
    logger "File $file created in $path"

    # Generate SHA256
    SHA256=$(shasum -a 256 "$path$file" | cut -d " " -f 1)
    echo "$SHA256" > "$path$file.sha256sum"

    # Search file on VT
    vt -s "$SHA256" > "$path$file.vtresults"

    # PE File
    if file "$path$file" | grep -q PE32
    then
        # Perform PE files triage (placeholder, nothing yet)
        :
    fi

    # Upload to MWDB
    mwdb.py -t "autotriage" "$path$file"
done
```
Once launched, the script is notified every time a file is created. Very important: you must exclude all files that are created by the script itself (here the .sha256sum and .vtresults files), otherwise each result written to the zoo would trigger a new event and the script would loop on its own output. Note also that a create event fires when the file is created, not when the writer is done, so for large samples copied from another host you may prefer to watch close_write (and moved_to for files moved into the zoo) to avoid hashing a half-written file. This script is running on my REMnux via systemd (to be launched at boot time and kept running in the background).
Warning: the script above is very simple and each step should be quick, because the while loop processes one event at a time and a slow step delays every following sample. If you need to launch time-consuming actions, run them in the background!
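As an added example (not the diary's script), here is the same triage split into functions that can be exercised on a constructed sample without inotifywait running. It assumes only POSIX tools (od, head, tail, sha256sum or shasum); the PE check reads the MZ magic and the PE\0\0 signature at e_lfanew instead of grepping file(1) output; the VT lookup and MWDB upload are omitted because they need network access and the author's own tooling. The make_fake_pe helper, the MALWAREZOO default and the log message are mine, and the watcher uses close_write and moved_to rather than create so that a sample is hashed only once the copy has finished.

```shell
#!/bin/sh
# Added example, not the diary's script: the triage step as testable functions.
# Assumes POSIX tools only (od, head, tail, sha256sum or shasum); the VT lookup
# and MWDB upload from the original are omitted (network + author's tooling).

ZOO="${MALWAREZOO:-/data/my_malware_zoo}"

# Files this script writes must never be triaged again, or the watcher would
# loop on its own output. Same set as the --exclude regex in the original.
is_derived() {
    case "$1" in
        *.tmp|*.sha256sum|*.vtresults|*.sw?*) return 0 ;;
        *) return 1 ;;
    esac
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Print PE if the file starts with 'MZ' and carries 'PE\0\0' at the offset
# stored in e_lfanew (uint32 LE at 0x3c), else OTHER. Unlike grepping file(1)
# output, this does not depend on the wording of a magic database.
# Assumes a little-endian host for od -tu4.
file_kind() {
    f="$1"
    [ "$(head -c 2 "$f" 2>/dev/null)" = "MZ" ] || { echo OTHER; return; }
    lfanew=$(od -An -tu4 -j 60 -N 4 "$f" 2>/dev/null | tr -d ' ')
    [ -n "$lfanew" ] || { echo OTHER; return; }
    sig=$(tail -c +"$((lfanew + 1))" "$f" | head -c 4 | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "50450000" ] && echo PE || echo OTHER
}

# Triage one sample: skip derived artefacts, hash it, write the hash beside
# it (as the original does), classify it. Prints "<KIND> <sha256>".
triage_file() {
    f="$1"
    is_derived "$f" && return 0
    sha=$(sha256_of "$f")
    echo "$sha" > "$f.sha256sum"
    echo "$(file_kind "$f") $sha"
}

# Watch loop (not invoked here). close_write fires when the writer closes the
# file, so a large sample is hashed after the copy finished, not on create;
# moved_to catches files mv'd into the zoo. --format '%w%f' yields one full
# path per line, so names with spaces survive the read.
watch_zoo() {
    inotifywait -m -r -e close_write -e moved_to \
        --exclude '\.(tmp|sha256sum|vtresults|sw\w+)$' \
        --format '%w%f' "$ZOO" |
    while IFS= read -r path; do
        logger "New sample $path"
        triage_file "$path"
    done
}

# Constructed stand-in for a PE file: 'MZ', e_lfanew = 0x40 at 0x3c, 'PE\0\0'
# at 0x40. Not executable; just enough header for file_kind().
make_fake_pe() {
    {
        printf 'MZ'
        head -c 58 /dev/zero
        printf '\100\000\000\000'
        printf 'PE\000\000'
    } > "$1"
}

# Usage: ./triage.sh --watch    (run the watcher, e.g. from a systemd unit)
#        ./triage.sh <file>     (triage a single file by hand)
case "${1:-}" in
    --watch) watch_zoo ;;
    "")      : ;;
    *)       triage_file "$1" ;;
esac
```

Running it as `./triage.sh --watch` gives the same behaviour as the diary's loop; running it on a single path lets you check what the triage step does to a sample before wiring it to the watcher.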
[1] https://en.wikipedia.org/wiki/Inotify
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant