Docker Malware Analysis Series III: Analysing APKs and Trojan Information with viper

Tags: IT, network security
0x00 Introduction
This article explains how to analyse malware samples with Docker. It covers VT (VirusTotal) lookups, APK analysis, malware sample analysis, and inspection of a trojan's build information (for example its compile time and compiler language); we can also check whether a sample matches an already known trojan family, among other analysis techniques.
0x01 Installing and configuring the Docker malware analysis image
1. Pull the remnux/viper image:
docker pull remnux/viper
2. Create a sample directory and make it writable (the container runs as an unprivileged user, so it needs write access to the mounted directory):
mkdir -pv sample && cd sample && chmod a+xwr .
0x02 Docker analysis example
1. Put the APK and trojan samples to be analysed into the sample directory.
2. Start the container, mounting the sample directory as viper's working directory:
docker run -it -v /root/sample:/home/nonroot/workdir remnux/viper
3. Viper's built-in commands and analysis modules (as listed by its help output).
Explanation:
Commands:
clear
close
delete
exit, quit - exit Viper
export
find
help
info
notes
open
projects
sessions
store
tags
Modules:
apk
cuckoo
debup
editdistance
elf
email
exif
fuzzy
html
ida
idx
image
jar
office
pdf
pe
r2
rat
reports
shellcode
strings
swf
virustotal
vttool
xor
yara
4. Store every file in the current (mounted) directory into the viper database:
viper > store -f ./
5. List all stored samples, with their hashes:
viper > find all
Explanation:
a)
b)
6.
a) Open a sample by its hash (the value shown by find):
viper > open 5d94be747142f683dad9bae3
b) Query VirusTotal for the opened APK:
viper Mobile_Spy.apk > virustotal
c) View the yara rule library
viper update.exe > yara rules
View a rule file from the library
viper update.exe > yara rules --edit 2
Yara matching scan
viper update.exe > yara scan -a
Parameter explanation: -a scans all stored samples for matching content. PS: (yara usage will be covered in detail in a later article)
d) Read the compile time recorded in the PE header:
viper update.exe > pe compiletime
e) Identify the compiler language of the PE:
viper update.exe > pe language
f) Match the PE against PEiD signatures (packer/compiler identification):
viper update.exe > pe peid
g) Print all strings found in the sample:
viper update.exe > strings -a
h) Automatically check the sample against the known RAT family signatures:
viper update.exe > rat -a
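What step d) reads out is the 32-bit TimeDateStamp in the PE's COFF file header. The following is an added example, not code from the original post or from Viper: it parses that field from raw bytes, applies the plausibility check a triager would make on it (zero, pre-1990 or future stamps are commonly stomped by the author or a packer), and builds a minimal constructed PE header as sample input; `build_sample_pe` and the timestamp value are assumptions for the demo.

```python
import struct
from datetime import datetime, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime.

    This is the field Viper's `pe compiletime` reports: seconds since
    the Unix epoch, stored little-endian 8 bytes after the PE signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/MZ executable")
    # e_lfanew (offset 0x3C) gives the offset of the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    timestamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(timestamp, tz=timezone.utc)


def compile_time_looks_forged(ts: datetime, now=None) -> bool:
    """Triage heuristic: a zero, pre-1990 or future stamp is not a
    plausible build time and usually means the field was stomped."""
    now = now or datetime.now(timezone.utc)
    return ts.timestamp() == 0 or ts.year < 1990 or ts > now


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed sample input: a minimal, non-runnable PE header
    carrying the given TimeDateStamp (assumption for this demo)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> 0x40
    # Machine=0x14C (i386), 1 section, TimeDateStamp, then the remaining
    # COFF fields (symbol table ptr, symbol count, optional hdr size, flags)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_sample_pe(1431648000)  # 2015-05-15 00:00:00 UTC, constructed
    ts = pe_compile_time(sample)
    print(ts.isoformat(), "forged?", compile_time_looks_forged(ts))
```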
0x03 References
1.
2.
3.