adding ReportForm

OpenInternet · Mar 21, 2017 · 082a4db · 082a4db
1 parent e35cff7
commit 082a4db
Show file tree

Hide file tree

Showing 5 changed files with 1,028 additions and 6 deletions.
diff --git a/ReportForm.html b/ReportForm.html
@@ -0,0 +1,136 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="chrome=1">
+
+<script type="text/javascript" src="view.js"></script>
+
+  <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
+<script language="JavaScript">
+
+        $("#btnPrint").live("click", function () {
+            var divContents = $("#display").html();
+            var printWindow = window.open('', '', 'height=400,width=800');
+            printWindow.document.write('<html><head><title>Malware Analysis Report</title>');
+            printWindow.document.write('</head><body >');
+            printWindow.document.write(divContents);
+            printWindow.document.write('</body></html>');
+            printWindow.document.close();
+            printWindow.print();
+
+        });
+
+    function showInput() {
+        document.getElementById('display').innerHTML = 
+
+        "<div id=\"malwarereport\" class=\"malwarereport\">" +
+        "<br>Filename: " + document.getElementById("element_1").value + "</br>" +
+        "<br>Sha256: " + document.getElementById("element_2").value + "</br>" +
+        "<br><h3>Summary</h3></br><br>" + document.getElementById("element_3").value + "</br>" +
+        "<br><h3>General Characteristics</h3></br><br>" + document.getElementById("element_4").value + "</br>" +
+        "<br><h3>AntiVirus Detection Results</h3></br><br>" + document.getElementById("element_5").value + "</br>" +
+        "<br><h3>File System IOC</h3></br><br>" + document.getElementById("element_6").value + "</br>" +
+        "<br><h3>Network IOC</h3></br><br>" + document.getElementById("element_7").value + "</br>" +
+        "<br><h3>Registry IOC</h3></br><br>" + document.getElementById("element_8").value + "</br>" +
+        "<br><h3>Behavior & Control Flow</h3></br><br>" + document.getElementById("element_9").value + "</br>" +
+        "<br><h3>Appendix</h3></br><br>" + document.getElementById("element_10").value + "</br>" +
+        "<br><h3>End of Report</h3></br>";
+
+        "</div>"
+    }
+  </script>
+
+
+<link rel="stylesheet" type="text/css" href="view.css" media="all">
+<link rel="stylesheet" href="https://securedorg.github.io//assets/css/style.css?v=5e63b4f7f8d5ec379a428172f4517e17cf6f662e">
+
+</head>
+<body>
+<div >
+
+		<form id="form_21154" class="appnitro"  method="post" action="">
+					<div class="form_description">
+			<h2>Malware Analysis Report</h2>
+			<p>by @malwareunicorn</p>
+			<p>Insert information in this report as you analyze malware. It will generate a text output.</p>
+		</div>						
+			<ul >
+
+					<li id="li_1" >
+		<label class="description" for="element_1">Filename </label>
+		<div>
+			<input id="element_1" name="element_1" class="element text medium" type="text" style="width: 500px;" maxlength="255" value=""/> 
+		</div><p class="guidelines" id="guide_1"><small>Original Filename</small></p> 
+		</li>		<li id="li_2" >
+		<label class="description" for="element_2">Sha256 Hash</label>
+		<div>
+			<input id="element_2" name="element_2" class="element text large" type="text" maxlength="255" value=""/> 
+		</div><p class="guidelines" id="guide_2"><small>Unique Identity</small></p> 
+		</li>		<li id="li_3" >
+		<label class="description" for="element_3">Summary</label>
+		<div>
+			<textarea id="element_3" name="element_3" class="element textarea medium"></textarea> 
+		</div> 
+		</li>		<li id="li_4" >
+		<label class="description" for="element_4">General Characteristics</label>
+		<div>
+			<textarea id="element_4" name="element_4" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_4"><small>File Format,
+Header Analysis,
+Basic PE information,
+Delivery Context</small></p> 
+		</li>		<li id="li_5" >
+		<label class="description" for="element_5">AntiVirus Detection Results</label>
+		<div>
+			<textarea id="element_5" name="element_5" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_5"><small>AV Results
+Yara Analysis Results
+Virustotal Results</small></p> 
+		</li>		<li id="li_6" >
+		<label class="description" for="element_6">File System IOC</label>
+		<div>
+			<textarea id="element_6" name="element_6" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_6"><small>Any changes on the file system made by the malware
+Created/Deleted/Modified Files</small></p> 
+		</li>		<li id="li_7" >
+		<label class="description" for="element_7">Network IOC</label>
+		<div>
+			<textarea id="element_7" name="element_7" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_7"><small>Network Related IOC
+GET/POST Requests
+Domains
+IP address</small></p> 
+		</li>		<li id="li_8" >
+		<label class="description" for="element_8">Registry IOC</label>
+		<div>
+			<textarea id="element_8" name="element_8" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_8"><small>Any changes in the Registry made by the malware</small></p> 
+		</li>		<li id="li_9" >
+		<label class="description" for="element_9">Behavior & Control Flow</label>
+		<div>
+			<textarea id="element_9" name="element_9" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_9"><small>List the order of events, processes, and capabilities.</small></p> 
+		</li>		<li id="li_10" >
+		<label class="description" for="element_10">Appendix</label>
+		<div>
+			<textarea id="element_10" name="element_10" class="element textarea medium"></textarea> 
+		</div><p class="guidelines" id="guide_10"><small>Add any strings, code, interest notes</small></p> 
+
+			</ul>
+		</form>	
+
+
+	</div>
+
+  <p><input type="submit" onclick="showInput();"></p>
+  <p><label>Your Report: </label></p>
+  <hr>
+  <p><span id='display'></span></p>
+  <p><input type="button" value="Print PDF Report" id="btnPrint" /></p>
+
+</script>
+
+</body>
+
+</html>
diff --git a/retools.md b/retools.md
@@ -75,6 +75,7 @@ title: RE Tools
 ## Information Gathering
 
 * [CFF Explorer](http://www.ntcore.com/exsuite.php) - PE header parser (Used in this worksop)
+* [BinText](https://www.mcafee.com/hk/downloads/free-tools/bintext.aspx) - Extract string from a binary
 * [Sysinternals Suite](https://technet.microsoft.com/en-us/sysinternals/bb842062.aspx) (Used in this worksop)
   * procmon
   * procexplorer

diff --git a/triage.md b/triage.md
@@ -7,11 +7,66 @@ title: Triage Analysis
 
 # Section 4: Triage Analysis #
 
-* Simple Search
-* Collect Strings
-* Check AV vendors
-* Get basic PE information
-* Run it in a VM
-* Capture network information
+Depending on your workload, you want to spend the least amount of time trying to determine what the malware is doing and how to get rid of it. Many malware analysts use their own triage analysis, similar to that in the Emergency Room at the hospital.
+
+You will want to quickly narrow down specific information and indicators before moving on to deeper static and dynamic analysis.
+
+This checklist should get you started:
+- [ ] File Context and Delivery
+- [ ] File Information & Header Analysis
+- [ ] Get Basic PE information
+- [ ] Simple Search
+- [ ] Collect Strings
+- [ ] Check AV vendors
+- [ ] Quick VM Detonation
+- [ ] Capture network information
+
+###File Context and Delivery
+
+When you receive the malware binary, it's important to ask how the malware got there in the first place.
+
+Questions to ask:
+* Did it come from an email?
+* Did it come from a browser download?
+* Was it quarantined in an Anti-Virus?
+* Is it an anomalous process running?
+
+###File Information & Header Analysis
+
+* Use a **file** command (sniffer VM) to determine the file type
+* Verify the file header using a hex editor (HxD)
+
+###Get Basic PE information
+
+* Parse the PE header using the tool CFF Explorer
+* Determine what resources, DLL imports, and libraries used
+  * Example: If you see **Ws2_32.dll** it might be setting up a network connection because it's used for setting up sockets
+
+###Simple Search
+
+* Calculate the hash of the file an check the web to see if it's been seen already
+
+###Collect Strings
+
+* using the string command in linux or BinText tool, extract the strings to find any clues
+
+###Check AV vendors
+
+* Run the file against an Anti-Virus or VirusTotal to see if there are any detections
+
+###Quick VM Detonation
+
+* Use open source VM detonation services like hybrid-analysis.com or malwr.com to get the behavior quickly
+
+###Capture network information
+
+* Use the VM detonation service to capture any network connections or packet data.
+* If you can't do this then we will need to dynamically debug the malware.
+
+## Malware Analysis Report
+
+You will want to capture this information throughout your investigation either through notes or report documents.
+You can use the **Malware Analysis Report** template [HERE](https://securedorg.github.io/ReportForm.html)
+
 
 [Section 3 <- Back](https://securedorg.github.io/RE101/section3) | [Next -> Section 5](https://securedorg.github.io/RE101/section5)