Merge pull request #345 from Zappus/master

New IR Payload - MalwareBunny

payloads/library/Incident_Response/MalwareBunny/README.md

@@ -0,0 +1,36 @@
+# Malware Bunny 
+## Overview
+This Bash Bunny module is used to install many tools used for reverse engineering and malware analysis. 
+
+
+2 Operation Modes
+* Web UI for quick access to samples
+* SSH access for analysis sessions
+
+
+## Getting Started
+1. Get Bunny to access the Internet
+2. Install all tools and components
+* or - run setup.sh to install everything
+* or - manually install every tool from setup scripts
+3. Boot Bunny in Arming mode and upload payload files to switch1 and switch2
+4. Boot Bunny in switch1 mode to access web interface
+5. Boot Bunny in switch2 mode to access ssh interface
+
+Web interface is meant long analysis sessions with minimal use, therefore CUCUMBER is enabled.
+
+
+## Software Installed
+1. viper v1.2
+2. ssdeep v2.14.1
+3. yara v3.7.0 
+4. pyew
+6. featherduster
+7. capstone
+8. binwalk
+9. dshell
+10. wabt
+11. peepdf
+12. unzip
+13. punbup
+

payloads/library/Incident_Response/MalwareBunny/install/binwalk.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   binwalk install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+apt-get install -y python-lzma python-crypto libqt4-opengl python-opengl python-qt4 python-qt4-gl python-numpy python-scipy python-pip mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsprogs cramfsswap squashfs-tools sleuthkit default-jdk lzop srecord zlib1g-dev liblzma-dev liblzo2-dev liblzo2-dev python-lzo
+pip install cstruct
+
+cd /tools/
+git clone https://github.com/ReFirmLabs/binwalk
+cd binwalk
+
+
+git clone https://github.com/devttys0/sasquatch
+cd sasquatch/
+ls
+# edit build file to fix lack of sudo error on make install
+# vi build.sh
+./build.sh
+
+cd ..
+git clone https://github.com/sviehb/jefferson
+cd jefferson
+python setup.py install
+
+cd ..
+git clone https://github.com/jrspruitt/ubi_reader
+cd ubi_reader
+python setup.py install
+
+cd ..
+git clone https://github.com/devttys0/yaffshiv
+cd yaffshiv
+python setup.py install
+
+cd ..
+wget -O - http://my.smithmicro.com/downloads/files/stuffit520.611linux-i386.tar.gz | tar -zxv
+cp bin/unstuff /usr/local/bin/
+
+python setup.py install

payloads/library/Incident_Response/MalwareBunny/install/capstone.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   capstone install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+cd /tmp/
+wget https://github.com/aquynh/capstone/archive/3.0.5-rc2.tar.gz
+tar xf 3.0.5-rc2.tar.gz
+rm 3.0.5-rc2.tar.gz
+mv capstone-3.0.5-rc2/ /tools/capstone
+
+cd /tools/capstone
+make
+make install
+
+cd bindings/python
+make install

payloads/library/Incident_Response/MalwareBunny/install/dshell.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   dshell install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+apt-get install -y python-dpkt python-ipy python-pypcap
+pip install pygeoip
+
+cd /tools/
+git clone https://github.com/USArmyResearchLab/Dshell dshell
+cd dshell
+
+cd share/GeoIP/
+wget http://geolite.macxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
+gunzip -d GeoIP.dat.gz
+wget http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz
+gunzip -d GeoIPv6.dat.gz
+wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
+gunzip -d GeoIPASNum.dat.gz
+wget http://download.maxmind.com/download/geoip/database/asnum/GeoIPASNumv6.dat.gz
+gunzip -d GeoIPASNumv6.dat.gz
+cd ../../
+
+make

payloads/library/Incident_Response/MalwareBunny/install/featherduster.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   featherduster install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+apt-get install -y libgmp3-dev 
+apt-get install -y libncurses-dev
+
+cd /tools
+git clone https://github.com/nccgroup/featherduster
+cd featherduster
+
+python setup.py install

payloads/library/Incident_Response/MalwareBunny/install/peepdf.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   peepdf install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+apt-get install -y unzip python-libemu
+
+cd /tmp/
+wget http://eternal-todo.com/files/pdf/peepdf/peepdf_0.3.zip
+unzip peepdf_0.3.zip
+mv peepdf_0.3 /tools/peepdf
+cd /tools/peepdf
+
+#mkdir dpt
+#cd dpt
+#wget https://storage.googleapis.com/chrome-infra/depot_tools.zip
+#unzip depot_tools.zip
+#cd ..
+#mv dpt /tools/depot_tools
+#echo 'export PATH=$PATH:$HOME/../tools/depot_tools' >> ~/.bashrc
+#gclient
+#mkdir /tools/v8
+#cd /tools/v8
+#fetch v8
+
+
+
+

payloads/library/Incident_Response/MalwareBunny/install/punbup.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   punbup install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+cd /tools
+git clone https://github.com/herrcore/punbup
+cd punbup
+python setup.py install
+

payloads/library/Incident_Response/MalwareBunny/install/setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   main install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+# Install System Dependencies
+apt-get install -y automake libtool make gcc flex bison libmagic-dev libssl-dev python-dev swig libfuzzy-dev exiftool 
+
+# Install Python Dependencies
+pip install SQLAlchemy PrettyTable python-magic 
+
+# Other Tools
+apt-get -y install python-scapy pyew unzip
+
+# Setup Custom Tools
+./ssdeep.sh
+./yara.sh
+./viper.sh
+./dshell.sh
+./capstone.sh
+./binwalk.sh
+./featherduster.sh
+./wabt.sh
+./peepdf.sh
+

payloads/library/Incident_Response/MalwareBunny/install/ssdeep.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   ssdeep install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+cd /tmp
+
+wget https://github.com/ssdeep-project/ssdeep/archive/release-2.14.1.tar.gz
+tar xf release-2.14.1.tar.gz
+rm release-2.14.1.tar.gz
+mv ssdeep-release-2.14.1/ /tools/ssdeep
+cd /tools/ssdeep
+
+./bootstrap
+./configure
+make
+make install
+
+pip install pydeep

payloads/library/Incident_Response/MalwareBunny/install/viper.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   viper install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+cd /tmp
+wget https://github.com/viper-framework/viper/archive/v1.2.tar.gz
+tar xf v1.2.tar.gz
+rm v1.2.tar.gz
+mv viper-1.2/ /tools/viper
+
+cd /tools/viper
+pip install -r requirements.txt

payloads/library/Incident_Response/MalwareBunny/install/wabt.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   web assembly binary toolkit install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+apt-get install cmake clang
+
+cd /tools/
+git clone --recursive https://github.com/WebAssembly/wabt
+cd wabt
+make

payloads/library/Incident_Response/MalwareBunny/install/yara.sh

@@ -0,0 +1,23 @@
+#!/bin/bash
+# Title:         Malware Bunny
+# Description:   yara install script
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+# Firmware:      1.5
+
+
+cd /tmp
+wget https://github.com/VirusTotal/yara/archive/v3.7.0.tar.gz
+tar xf v3.7.0.tar.gz
+rm v3.7.0.tar.gz
+mv yara-3.7.0/ /tools/yara
+
+cd /tools/yara
+./bootstrap.sh
+./configure --enable-magic --enable-dotnet
+make
+make install
+
+pip install yara-python

payloads/library/Incident_Response/MalwareBunny/switch1/payload.txt

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Title:         MalwareBunny
+# Description:   Malware Analysis on Bash Bunny
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+#
+# LED State Descriptions
+# Magenta Blinking - setup in progress
+# Blue Blinking - ready to use
+
+LED M SLOW
+
+ATTACKMODE RNDIS_ETHERNET
+sleep 3
+
+cd /tools/viper/
+python web.py -H 0.0.0.0 -p 8080 &
+
+CUCUMBER ENABLE
+sleep 3
+
+LED B SLOW

payloads/library/Incident_Response/MalwareBunny/switch2/payload.txt

@@ -0,0 +1,18 @@
+#!/bin/bash
+# Title:         MalwareBunny
+# Description:   Malware Analysis on Bash Bunny
+# Author:        Zappus
+# Version:       1.0
+# Category:      Incident-Response
+# Attackmodes:   Ethernet
+#
+# LED State Descriptions
+# Magenta Blinking - setup in progress
+# Blue Blinking - ready to use
+
+LED M SLOW
+
+ATTACKMODE RNDIS_ETHERNET
+sleep 5
+
+LED B SLOW