When you handle a lot of malicious files, you must have a process and tools in place to speed up the analysis. It's impossible to investigate all files, and a key point is to find the interesting files that deserve more attention. In my malware analysis lab, I use a repository called my "Malware Zoo" where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me keep all the "dangerous files" in a central location and avoid spreading dangerous stuff everywhere. When you analyze a malware sample, you'll quickly generate more files: you extract shellcodes, configurations, DLLs, more executables, and those files should also be analyzed. To perform a quick triage with basic operations, I rely on the Inotify suite.
This suite of tools allows you to track changes on a file system. Via command line tools, you can get events when a file has been created, deleted or opened. I'm using a simple script on my malware zoo that receives a notification every time a file is created (which means I dropped a new sample). Then the script performs simple actions. By default:
It generates the SHA256 of the file
It performs a lookup on VT
Of course, the script can perform deeper actions depending on the file type: extract strings from PE files, disassemble a shellcode, the sky is the limit!
Here is my simple script:
#!/bin/bash
# inotify_triage.sh - Automatic triage script based on inotifywait
# Path to monitor (adjust to your own repository)
MALWAREZOO="/path/to/malwarezoo"
# Exclude the files generated by this script itself (and editor swap files),
# otherwise every sidecar file would trigger a new "create" event.
inotifywait -m -e create -r --exclude '\.(tmp|sha256sum|vtresults|sw\w+)$' "$MALWAREZOO" | while read path action file
do
    logger "File $file created in $path"
    # Generate SHA256
    SHA256=$(shasum -a 256 "$path$file" | cut -d " " -f 1)
    echo "$SHA256" >"$path$file.sha256sum"
    # Search file on VT
    vt -s "$SHA256" >"$path$file.vtresults"
    # PE File
    if file "$path$file" | grep -q PE32
    then
        # Perform PE files triage
        # Upload to MWDB
        mwdb.py -t "autotriage" "$path$file"
    fi
done
Once launched, the script will get notified when a file is created. Very important: you must exclude all files that will be created by the script itself, otherwise each generated file triggers a new event and you end up in a loop! This script is running on my REMnux via systemd (to be launched at boot time and kept running in the background).
Warning: the script above is very simple and should perform triage very quickly. If you need to launch time-consuming actions, it's recommended to launch them in the background, so the inotify loop keeps up with new events!
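Putting those two remarks into practice, here is an added handler for one newly created file (example code, not the author's script): it refuses its own sidecar files with the same suffix pattern used in the --exclude regex, so a misconfigured watch cannot loop on its own output, classifies the sample by magic bytes so it also runs where file(1) is absent, and pushes the slow step into the background. The SIDECAR_RE pattern, the .strings.tmp name and the short magic list are assumptions.

```bash
#!/bin/bash
# Suffixes of the files this handler writes; must match the inotifywait --exclude regex.
SIDECAR_RE='\.(tmp|sha256sum|vtresults|sw[a-z]+)$'

# is_sidecar FILE -> exit 0 when FILE is one of our own outputs (skip it)
is_sidecar() {
    printf '%s\n' "$1" | grep -Eq "$SIDECAR_RE"
}

# hash_file FILE -> prints the SHA256 (coreutils sha256sum, shasum on macOS)
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d ' ' -f 1
}

# classify FILE -> coarse type from the first four bytes, no dependency on file(1)
classify() {
    local magic
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        4d5a*)    echo pe ;;      # "MZ": PE32/PE32+
        7f454c46) echo elf ;;     # "\x7fELF"
        25504446) echo pdf ;;     # "%PDF"
        d0cf11e0) echo ole ;;     # legacy Office / OLE2 container
        504b0304) echo zip ;;     # OOXML, JAR, ...
        *)        echo other ;;
    esac
}

# triage FILE -> writes FILE.sha256sum, prints "<sha256> <type>"; returns 1 if FILE was skipped
triage() {
    local f="$1" sha kind
    is_sidecar "$f" && return 1
    sha=$(hash_file "$f")
    printf '%s\n' "$sha" >"$f.sha256sum"
    kind=$(classify "$f")
    case "$kind" in
        pe)
            # Slow per-type work runs in the background; its output ends in .tmp,
            # which the watch excludes, so it never re-triggers the handler.
            ( tr -c '[:print:]' '\n' <"$f" | grep -E '.{8,}' >"$f.strings.tmp" ) &
            ;;
    esac
    printf '%s %s\n' "$sha" "$kind"
}
```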
Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.