Signatures & Fingerprints
Malware Fingerprinting
Malware fingerprinting is done by creating a unique identifier for the malware sample, typically a cryptographic hash of the file (MD5, SHA1, or SHA256).
Fingerprinting is employed for numerous purposes, encompassing:
Identification and tracking of malware samples
Scanning an entire system for the presence of identical malware
Confirmation of previous encounters and analyses of the same malware
Sharing with stakeholders as IoC (Indicators of Compromise) or as part of threat intelligence reports
Linux
$ md5sum Ransomware.wannacry.exe
db349b97c37d22f5ea1d1841e3c89eb4 Ransomware.wannacry.exe
$ sha256sum Ransomware.wannacry.exe
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c Ransomware.wannacry.exe
Powershell
PS> Get-FileHash -Algorithm MD5 C:\Samples\MalwareAnalysis\Ransomware.wannacry.exe
Algorithm Hash Path
--------- ---- ----
MD5 DB349B97C37D22F5EA1D1841E3C89EB4 C:\Samples\MalwareAnalysis\Ra...
PS> Get-FileHash -Algorithm SHA256 C:\Samples\MalwareAnalysis\Ransomware.wannacry.exe
Algorithm Hash Path
--------- ---- ----
SHA256 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C C:\Samples\MalwareAnalysis\Ra...
Verify Fingerprint
We can search for the hash in a file analysis service such as VirusTotal to verify the signature and see whether the sample has already been analysed.

Import Hashing (IMHASH)
Import hashing is done by converting all Windows import DLL names to lowercase and hashing the values. The DLLs are fused together alphabetically and an MD5 sum is generated from the string.
We can use the pefile Python library to compute the imphash of a PE.
import sys
import pefile

pe_file = sys.argv[1]          # path to the PE sample
pe = pefile.PE(pe_file)
imphash = pe.get_imphash()     # MD5 of the normalised import names
print(imphash)
$ python3 imphash_calc.py Ransomware.wannacry.exe
9ecee117164e0b870a53dd187cdd7174
Fuzzy Hashing (SSDEEP)
Fuzzy Hashing, also referred to as context-triggered piecewise hashing (CTPH), dissects a file into smaller, fixed-size blocks and calculates a hash for each block. The resulting hash values are then consolidated to generate the final fuzzy hash.
The ssdeep command can be used to calculate the fuzzy hash of a PE.
$ ssdeep /home/Ransomware.wannacry.exe
ssdeep,1.1--blocksize:hash:hash,filename
98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB,"/home/Ransomware.wannacry.exe"

Section Hashing
Section Hashing (hashing each PE section separately) is a powerful technique that allows analysts to identify which sections of a PE have been modified. A common attacker tactic is to slightly modify the code so the whole-file hash no longer matches; with section hashing, only the altered sections change their hash, which makes such evasion harder.
Section hashing using pefile:
import sys
import pefile

pe_file = sys.argv[1]          # path to the PE sample
pe = pefile.PE(pe_file)

# Hash the raw bytes of every section; a modified section shows up as a changed hash.
for section in pe.sections:
    name = section.Name.rstrip(b"\x00").decode("ascii", "replace")
    print(name, "MD5 hash:", section.get_hash_md5())
    print(name, "SHA256 hash:", section.get_hash_sha256())
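As an added example (not part of the original notes, and independent of pefile), the script below parses the PE section table directly with the standard library, hashes each section's raw on-disk bytes, and reports which sections differ between two samples. The two PE images are constructed inline for demonstration and contain arbitrary bytes; only the header layout is real.

```python
import hashlib
import struct

def section_hashes(data: bytes, algo: str = "sha256") -> dict:
    """Map each PE section name to the digest of its raw on-disk bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                        # start of the 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt               # section table follows the optional header
    hashes = {}
    for i in range(num_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]       # one 40-byte IMAGE_SECTION_HEADER
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        hashes[name] = hashlib.new(algo, data[raw_ptr:raw_ptr + raw_size]).hexdigest()
    return hashes

def changed_sections(a: bytes, b: bytes) -> list:
    """Names of sections whose bytes differ (or that exist in only one sample)."""
    ha, hb = section_hashes(a), section_hashes(b)
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))

def build_pe(sections: dict) -> bytes:
    """Build a constructed, minimal PE image (no optional header) from {name: raw bytes}."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr = 0x40 + 4 + 20 + 40 * len(sections)                   # file offset of the first section
    table, body = b"", b""
    for name, raw in sections.items():
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), ptr,
                             len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + body

# Constructed samples: the "variant" differs from the original by one byte in .text only.
ORIGINAL = build_pe({".text": b"\x55\x8b\xec\x33\xc0\x5d\xc3", ".rdata": b"hello\0", ".data": b"\0" * 8})
VARIANT = build_pe({".text": b"\x55\x8b\xec\x33\xc9\x5d\xc3", ".rdata": b"hello\0", ".data": b"\0" * 8})

if __name__ == "__main__":
    for name, digest in section_hashes(ORIGINAL).items():
        print(f"{name:8} SHA256 {digest}")
    print("changed:", changed_sections(ORIGINAL, VARIANT))    # ['.text']
```

On real samples, read both files with open(path, "rb").read() and pass the bytes to changed_sections; the section-level comparison then shows exactly where a variant was patched while the file-level hash alone only says "different".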
String Analysis
Extracting strings from a binary can also be an effective way of building a signature for a sample. Useful strings include:
Embedded filenames (e.g., dropped files)
IP addresses or domain names
Registry paths or keys
Windows API functions
Command-line arguments
Unique information that might hint at a particular threat actor
Extract strings from a binary:
$ strings -n 15 dharma_sample.exe
!This program cannot be run in DOS mode.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
!"#$%&'()*+,-./0123@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
WaitForSingleObject
InitializeCriticalSectionAndSpinCount
LeaveCriticalSection
EnterCriticalSection
C:\crysis\Release\PDB\payload.pdb
0123456789ABCDEF
Many other tools can perform this extraction.