Using Team Cymru’s MHR with Volatility

Today we’ll briefly discuss cross-checking Team Cymru’s Malware Hash Registry (MHR) against files that Volatility extracts from memory images or hibernation files. We’re going to do it by hand at the command line, as a quick exercise in manipulating both tools and thinking through command-line problems. Please note that Team Cymru places restrictions on automated use of their lookup tool, so don’t automate anything like this without speaking to them first.

To do this, we’ll need a memory image and a Linux environment with a working Volatility install (I recommend downloading the SIFT workstation VM if you don’t have one). Our starting point in this exercise is after memory has been properly acquired with an imaging tool, we’ve identified the appropriate Volatility profile with imageinfo, and we’ve flagged one or more suspicious processes using our standard toolkit of commands such as malfind, malsysproc, unloadedmodules, etc.

We shall begin by dumping some files of interest from our memory image using a command like moddump (which extracts kernel drivers) or dlldump. For this example we will simply dump DLLs. To avoid a mess, we first make a directory to hold the dumped files.

mkdir dlls

Next, we perform the dump. In practice, we should focus on specific suspicious processes with --pid, or on the results of a search with --regex. There is a cap on the number of hashes we can submit through this mechanism, so don’t try to submit the entire raw output of dumpfiles. As an example, though, examining only the .exe files produced by dumpfiles -n might be interesting. Each command has its purpose.

vol.py -f [mem] --profile=[Profile] dlldump --dump-dir=dlls

(As a reminder, that command is: vol.py -f [filename of the memory image] --profile=[the profile that imageinfo / kdbgscan identified] dlldump --dump-dir=[the path to our dump directory] --pid=[suspicious process ID, if available])

Now we ought to have a folder full of DLL files that Volatility found in memory. Let’s move into it and make sure everything worked.

cd dlls

Team Cymru requires the input to be in a specific format, with a begin and an end marker, so let’s start a new file with the begin marker.

echo begin > hashes.txt

We can’t use the output of md5sum or sha1sum directly because it contains two columns (the hash, then the filename) and the MHR service needs line-delimited hashes only. We have to remove that second column somehow, and Linux offers plenty of ways to do it. In this example, I pipe the results of md5sum into awk and select only column 1, then append that output to our hashes.txt file.

md5sum * | awk '{ print $1 }' >> hashes.txt

(Grep is a powerful tool. We could certainly do some file filtering at this point if we failed to do so within Volatility. For instance, in our dumpfiles -n example, this is where we would filter for only .exe files: md5sum * | grep '\.exe' | awk '{ print $1 }' >> exehashes.txt)

Now let’s properly close our file as requested.

echo end >> hashes.txt

Team Cymru’s bulk command-line submission method is netcat to their whois service on port 43. We upload the file we just made, and a new file holding their response is generated as a result.

netcat hash.cymru.com 43 < hashes.txt > hashescheck.txt

Remember that our netcat syntax is: netcat [destination server] [port] < [the file we are sending] > [where to write the returned output].

Now we can check the contents of the resulting file. If we sent a long list of hashes, we’ll probably want to filter out noise by dropping every line that came back as NO_DATA. As verification that the lookup worked, there should at a minimum be a header line in the response.

grep -v NO_DATA hashescheck.txt

# Bulk mode; [2016-x-x x:x:x +0000]
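The steps above, collected into two reusable shell functions as an added example (this is not code from the original post): one builds the begin/end framed request file from a dump directory, refusing to build it when the hash count exceeds a cap (the cap value is a placeholder, since the post does not state Team Cymru’s limit) and deduplicating hashes, which goes one step beyond the post because the same DLL mapped into several processes is dumped once per process; the other filters a saved reply the way the last step does. It assumes POSIX sh with md5sum, awk, sort and grep; the sample reply is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the begin/end framed
# request Team Cymru's MHR bulk interface expects from a directory of files
# Volatility dumped, and strips header and NO_DATA noise from the reply.
# Assumes POSIX sh with md5sum, awk, sort and grep. MHR_MAX_HASHES is a
# placeholder for the submission cap the post mentions, not a published value.

MHR_MAX_HASHES=${MHR_MAX_HASHES:-1000}   # placeholder cap

# build_mhr_request DIR OUT
# Writes "begin", one unique MD5 per line, then "end" to OUT.
# Writes nothing and returns 1 if DIR holds no files or the unique hash count
# exceeds the cap, so an oversized dumpfiles run is not submitted by accident.
build_mhr_request() {
    dir=$1; out=$2
    [ -n "$(find "$dir" -type f | head -n 1)" ] || {
        echo "no files to hash in $dir" >&2; return 1; }
    # md5sum prints "hash  filename"; keep column 1 only. sort -u drops
    # duplicates: a DLL mapped into several processes is dumped once each.
    hashes=$(find "$dir" -type f -exec md5sum {} + | awk '{ print $1 }' | sort -u)
    n=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$n" -gt "$MHR_MAX_HASHES" ]; then
        echo "$n hashes exceeds cap of $MHR_MAX_HASHES, not building request" >&2
        return 1
    fi
    { echo begin; printf '%s\n' "$hashes"; echo end; } > "$out"
}

# mhr_hits FILE
# Prints only result rows from a saved reply: drops the "# Bulk mode" header
# and every hash that came back NO_DATA.
mhr_hits() {
    grep -v -e '^#' -e 'NO_DATA' "$1"
}

# Constructed sample reply in the assumed layout: hash, last-seen epoch,
# detection percentage (or NO_DATA). This is not real MHR output.
SAMPLE_MHR_REPLY='# Bulk mode; [constructed header]
b1946ac92492d2347c6235b4d2611184 1476000000 NO_DATA
d41d8cd98f00b204e9800998ecf8427e 1476000000 42'

# Usage against a real dump directory; sending stays a manual netcat step,
# exactly as in the post:
#   build_mhr_request dlls hashes.txt
#   netcat hash.cymru.com 43 < hashes.txt > hashescheck.txt
#   mhr_hits hashescheck.txt
```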

And that’s that!

(Please don’t ask me about submitting files to VirusTotal; tooling for that already exists, and all you’ll need is your API key.)
