Signatures & Fingerprints

Malware Fingerprinting

Malware fingerprinting is done by creating a unique identifier for the malware sample. Typically done with a hash (MD5, SHA1, or SHA256).

Fingerprinting is employed for numerous purposes, encompassing:

Identification and tracking of malware samples
Scanning an entire system for the presence of identical malware
Confirmation of previous encounters and analyses of the same malware
Sharing with stakeholders as IoC (Indicators of Compromise) or as part of threat intelligence reports

Linux

$ md5sum Ransomware.wannacry.exe
db349b97c37d22f5ea1d1841e3c89eb4  Ransomware.wannacry.exe

$ sha256sum Ransomware.wannacry.exe
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c  Ransomware.wannacry.exe

Powershell

PS> Get-FileHash -Algorithm MD5 C:\Samples\MalwareAnalysis\Ransomware.wannacry.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             DB349B97C37D22F5EA1D1841E3C89EB4                                       C:\Samples\MalwareAnalysis\Ra...

PS> Get-FileHash -Algorithm SHA256 C:\Samples\MalwareAnalysis\Ransomware.wannacry.exe

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C       C:\Samples\MalwareAnalysis\Ra...

Verify Fingerprint

We can search the hash in a file analysis tool like VirusTotal to verify the signature.

Import Hashing (IMHASH)

Import hashing is done by converting all windows import DLL's to lowercase and hashing the values. The dll's are fused together alphabetically and a MD5 sum is generated from the string.

import sys
import pefile
import peutils

pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
imphash = pe.get_imphash()

print(imphash)

python3 imphash_calc.py Ransomware.wannacry.exe
9ecee117164e0b870a53dd187cdd7174

Fuzzy Hashing (SSDEEP)

Fuzzy Hashing , also referred to as context-triggered piecewise hashing (CTPH) dissects a file into smaller, fixed-size blocks and calculates a hash for each block. The resulting hash values are then consolidated to generate the final fuzzy hash.

The ssdeep command can be used to calculate the Fuzzy Hash of a PE.

$ ssdeep /home/Ransomware.wannacry.exe
ssdeep,1.1--blocksize:hash:hash,filename
98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB,"/home/Ransomware.wannacry.exe"

Section Hashing

Section Hashing (hashing PE sections) is a powerful technique that allows analysts to identify sections of a PE that have been modified. A common tactic by attackers it to slightly modify the code, applying section hashing makes it harder to evade.

import sys
import pefile
pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
for section in pe.sections:
    print (section.Name, "MD5 hash:", section.get_hash_md5())
    print (section.Name, "SHA256 hash:", section.get_hash_sha256())

String Analysis

Extracting strings from a binary can also be an effective method of signaturing a sample. Strings include:

Embedded filenames (e.g., dropped files)
IP addresses or domain names
Registry paths or keys
Windows API functions
Command-line arguments
Unique information that might hint at a particular threat actor

Extract strings from a binary:

$ strings -n 15 dharma_sample.exe
!This program cannot be run in DOS mode.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
!"#$%&'()*+,-./0123@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
C:\crysis\Release\PDB\payload.pdb
0123456789ABCDEF

There are many tools to perform this.

PreviousStatic Analysis NextPestudio

Last updated 7 months ago