SSMA Usage
SSMA (Simple Static Malware Analyzer) is a handy tool for quickly getting an idea of whether a file is malicious: it hashes the file, measures entropy, looks up the hash on VirusTotal and runs a set of Yara rules against it.
Install
sudo apt-get install python3-pip
git clone https://github.com/secrary/SSMA
cd SSMA
sudo pip3 install -r requirements.txt
Usage
To use it, run the script with your VirusTotal API key and the file to analyze. After each test it asks whether you want to continue the analysis. In this example I used a Mebroot sample for testing.
python3 ssma.py -h
python3 /home/twebb/Downloads/SSMA/ssma.py -k VT_API_KEY 00000025.exe
Results
[SSMA ASCII-art banner: Simple Static Malware Analyzer]
File Details:
File: /home/twebb/malware/2-mar-2010 torpig/00000025.exe
Size: 280960 bytes
Type: application/x-dosexec
MD5: ae26e139311e2cacef53cce6d8da09da
SHA1: b9942fd44e798073821dd4b1d9b21f1814d766ad
Date: Fri Nov 28 00:33:22 2003
PE file entropy: 7.618302492203651
Very high or very low entropy means that file is compressed or encrypted since truly random data is not common.
================================================================================
Continue? [Y/n] y
Number of Sections: 5
Section   VirtualAddress   VirtualSize   SizeofRawData   Entropy
.code     0x480            26965         27008           6.511691201650016
.rdata    0x6e00           152           256             2.401459977262458
.data     0x6f00           251148        251264          7.654305920976193
INIT      0x44480          306           384             4.063770965426124
.reloc    0x44600          854           896             1.656681300794013
Very high or very low entropy means that file/section is compressed or encrypted since truly random data is not common.
SUSPICIOUS section names: INIT
================================================================================
Continue? [Y/n] y
Virustotal:
F-Secure - Gen:Rootkit.Heur.ruW@CS!sLed
NOD32 - a variant of Win32/Mebroot.CK
Ikarus - Backdoor.Win32.Sinowal
McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen
Symantec - Suspicious.Insight
BitDefender - Gen:Rootkit.Heur.ruW@CS!sLed
AntiVir - TR/Crypt.ZPACK.Gen
GData - Gen:Rootkit.Heur.ruW@CS!sLed
nProtect - Gen:Rootkit.Heur.ruW@CS!sLed
a-squared - Backdoor.Win32.Sinowal!IK
================================================================================
Continue? [Y/n] y
Scan file using Yara-rules.
With Yara rules you can create a "description" of malware families to detect new samples.
For more information: https://virustotal.github.io/yara/
Downloading Yara-rules...
These Yara rules specialised on the identification of well-known malware.
Result:
QuarianCode - Quarian code features
Quarian - Quarian
================================================================================
Continue? [Y/n] y
These Yara Rules aimed to detect well-known software packages, that can be used by malware to hide itself.
Result:
Visual_Cpp_2003_DLL_Microsoft
================================================================================
Continue? [Y/n] y
These Yara rules aimed to detect the existence of cryptographic algorithms.
Detected cryptographic algorithms:
contentis_base64 - This rule finds for base64 strings
================================================================================
Continue? [Y/n] y
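The first two stages above (file hashes and date, whole-file entropy, per-section entropy and the section-name check) are simple enough to reproduce without pefile. The script below is an added example, not SSMA's own code: it parses the COFF header and section table with struct, computes Shannon entropy per section, and flags anything above a threshold or with a name outside a conventional set. The threshold of 7.0 bits/byte, the CONVENTIONAL_SECTIONS list (SSMA's own list differs, since it flagged INIT above) and the in-memory sample PE are all assumptions made for this example; the sample is constructed, not a real binary.

```python
"""Minimal static triage of a PE file: hashes, compile time, whole-file and
per-section Shannon entropy, and a section-name check.
Added example for this post, not SSMA code; standard library only."""
import hashlib
import math
import struct
from datetime import datetime, timezone

# Assumption for this example: section names outside this set are reported
# as unusual.  SSMA's own list differs (it flagged INIT, a normal driver section).
CONVENTIONAL_SECTIONS = {
    ".text", ".code", ".rdata", ".data", ".idata", ".edata", ".rsrc",
    ".reloc", ".bss", ".tls", ".pdata", ".CRT", "INIT", "PAGE",
}
HIGH_ENTROPY = 7.0  # bits/byte; above this a section is likely packed or encrypted


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 at most."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyze_pe(data: bytes) -> dict:
    """Walk the MZ header, PE signature, COFF header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size  # section table follows the optional header
    sections, unusual, high = [], [], []
    for i in range(nsec):
        # IMAGE_SECTION_HEADER (40 bytes)
        (name, vsize, vaddr, rawsize, rawptr,
         _, _, _, _, _flags) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(data[rawptr:rawptr + rawsize])
        sections.append({"name": name, "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": ent})
        if name not in CONVENTIONAL_SECTIONS:
            unusual.append(name)
        if ent > HIGH_ENTROPY:
            high.append(name)
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": machine,
        "compile_time": datetime.fromtimestamp(tstamp, tz=timezone.utc).isoformat(),
        "file_entropy": shannon_entropy(data),
        "number_of_sections": nsec,
        "sections": sections,
        "unusual_section_names": unusual,
        "high_entropy_sections": high,
    }


def build_sample() -> bytes:
    """Constructed in-memory PE for the demo (not a real binary): a low-entropy
    .text section and a UPX1 section holding every byte value equally often."""
    text = b"\x90" * 3072 + b"\xc3" * 1024   # 75% NOP, 25% RET: entropy ~0.81
    packed = bytes(range(256)) * 16           # uniform byte histogram: entropy 8.0
    hdr_len = 0x40 + 4 + 20 + 2 * 40          # DOS header + "PE\0\0" + COFF + 2 sections
    raw1, raw2 = hdr_len, hdr_len + len(text)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    # Machine 0x14C (i386), 2 sections, timestamp 2003-11-28 00:33:22 UTC
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1069979602, 0, 0, 0, 0x0102)
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw1,
                       0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed), 0x2000, len(packed), raw2,
                       0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + sec1 + sec2 + text + packed


if __name__ == "__main__":
    r = analyze_pe(build_sample())
    print(f"SHA256: {r['sha256']}  size: {r['size']}  entropy: {r['file_entropy']:.3f}")
    print(f"{'Section':<8} {'VirtAddr':>10} {'VirtSize':>9} {'RawSize':>8} {'Entropy':>8}")
    for s in r["sections"]:
        print(f"{s['name']:<8} {s['virtual_address']:>#10x} {s['virtual_size']:>9} "
              f"{s['raw_size']:>8} {s['entropy']:>8.3f}")
    print("Unusual section names:", r["unusual_section_names"] or "none")
    print("High-entropy sections:", r["high_entropy_sections"] or "none")
```

Two caveats when reading the numbers. High entropy is also normal for a .rsrc section that carries compressed images or an embedded certificate, so treat it as a prompt to look at the import table and Yara hits, not as a verdict; and low entropy says nothing about packing (the tool's note about "very low" entropy is misleading in that respect). The compile timestamp is attacker-controlled and is only a hint, as with the 2003 date on the sample above.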
There are lots of tools like this, but this one is worth a try given how quick and easy the install was. What's your favorite static analysis tool?
--
Tom Webb
@twsecblog