Quick Malware Triage With Inotify Tools

Published: 2023-08-21. Last Updated: 2023-08-21 06:32:57 UTC
by Xavier Mertens (Version: 1)

When you handle a lot of malicious files, you must have a process and tools in place to speed up the analysis. It's impossible to investigate all files, and a key point is to find the interesting files that deserve more attention. In my malware analysis lab, I use a repository called my "Malware Zoo" where I put all the files. This repository is shared across different hosts (my computer, REMnux and Windows virtual machines). This helps me keep all the "dangerous files" in a central location and avoid spreading dangerous stuff everywhere. When you analyze a piece of malware, you'll quickly generate more files: you extract shellcode, configurations, DLLs and more executables, and those files should also be analyzed. To perform a quick triage with basic operations, I rely on the Inotify[1] suite.

This suite of tools allows you to track changes on a file system. Via command-line tools, you can get events when a file has been created, deleted or opened. I'm using a simple script on my malware zoo that receives notifications every time a file is created (which means I dropped a new sample). Then the script performs simple actions. By default:

  • It generates the SHA256 of the file
  • It performs a lookup on VT

Of course, the script can perform deeper actions depending on the file type: extract strings from PE files, disassemble shellcode... the sky is the limit!

Here is my simple script:

#!/bin/bash
#
# inotify_triage.sh - Automatic triage script based on inotifywait
#

# Path to monitor
MALWAREZOO="/data/my_malware_zoo"

# Watch recursively for new files; skip the files this script writes itself
inotifywait -m -e create -r --exclude "\.(tmp|sha256sum|vtresults|sw\w+)$" "$MALWAREZOO" | while read -r path action file
do
    logger "File $file created in $path"

    # Generate SHA256
    SHA256=$(shasum -a 256 "$path$file" | cut -d " " -f 1)
    echo "$SHA256" >"$path$file.sha256sum"

    # Search file on VT
    vt -s "$SHA256" >"$path$file.vtresults"

    # PE File
    if file "$path$file" | grep -q PE32; then
        # Perform PE files triage
        :   # no-op placeholder: bash does not accept an empty "then" body
    fi

    # Upload to MWDB
    mwdb.py -t "autotriage" "$path$file"
done

Once launched, the script will get notified when a file is created. Very important: you must exclude all files that will be created by the script! Otherwise, each result file would itself raise a new event and be triaged in turn. This script is running on my REMnux via systemd (to be launched at boot time and kept running in the background).

Warning: the script above is very simple and should perform triage very quickly. If you need to launch time-consuming actions, it's recommended to launch them in the background!
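
The two points above (excluding the script's own output and pushing slow work to the background) can be checked in isolation when the triage step lives in functions. The following is an added example, not the author's script: the names should_skip, triage_file, watch_zoo and slow_action are hypothetical, sha256sum from coreutils replaces shasum, and it assumes inotifywait's close_write and moved_to events are acceptable in place of create.

```bash
#!/bin/bash
# Added example, not the author's script. should_skip, triage_file, watch_zoo
# and slow_action are hypothetical names; the zoo path is the article's.
ZOO="${ZOO:-/data/my_malware_zoo}"

# Return 0 for files produced by the triage itself (or editor temp/swap files)
# so that writing a result never starts another round of triage.
# Note: like the article's "sw\w+" regex, this pattern also matches .swf files.
should_skip() {
    case "$1" in
        *.tmp|*.sha256sum|*.vtresults|*.sw?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Placeholder for a time-consuming step (strings, disassembly, uploads).
slow_action() { :; }

# Quick part of the triage for one file: write the hash sidecar, print the hash.
# $1 = directory with trailing slash (as inotifywait reports it), $2 = file name
triage_file() {
    local target sha
    target="$1$2"
    [ -f "$target" ] || return 1      # directories and vanished files
    should_skip "$2" && return 2      # second guard in addition to --exclude
    sha=$(sha256sum -- "$target" | cut -d " " -f 1)
    printf '%s\n' "$sha" >"$target.sha256sum"
    slow_action "$target" >/dev/null 2>&1 &   # never block the event loop
    printf '%s\n' "$sha"
}

# Event loop: close_write and moved_to fire once a sample is completely
# written, whereas create can fire while a large copy is still in progress.
watch_zoo() {
    inotifywait -m -r -e close_write -e moved_to --format '%w|%f' \
        --exclude '\.(tmp|sha256sum|vtresults|sw\w+)$' "$ZOO" |
    while IFS='|' read -r dir name; do
        triage_file "$dir" "$name" >/dev/null
    done
}

# Watch only when asked to, so the functions can be sourced and tested alone.
if [ "${1:-}" = "--watch" ]; then watch_zoo; fi
```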

[1] https://en.wikipedia.org/wiki/Inotify

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant