2. What is MantaRay?
Set of Python modules that automate a number of open source forensic tools
Written and designed by forensic analysts (KISS)
Allows the examiner to select multiple tools, set options for each, click go and walk away
Designed to work with SIFT 3.0
Code is on GitHub:
→ https://github.com/mantarayforensics
3. Triage Steps Automated by MantaRay
1. Creating a Super Timeline
2. Running Bulk_Extractor
3. Extracting Registry Hives & running RegRipper
4. Extracting EXIF Data
5. Carving Unallocated space
6. Scanning for high entropy files
7. Review RAM using Volatility
8. Extract GPS data from JPEGs and create .KML file
9. Extract Jumplist data
10. Extract NTFS system files
11. Process user selected .plist files
12. Perform Static Malware Analysis (SIFT + REMnux)
13. Anti-Virus Scanning (NEW)
4. Updates since 2013
Batch processing option
  Hard drive images only
  Will recurse through a directory and process all disk images
Code updated to run RegRipper 2.8
Code updated to run Volatility 2.4
Code updated to run Plaso 1.4
Still have the ability to use v0.65 of Log2Timeline
Google Analytics parsing (thanks to Mari DeGrazia)
Static Malware Analysis module (if SIFT is merged with REMnux)
→ https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system
5. New Anti-Virus Plug-in
The Problem → we have evidence we need to scan for malware (often lots of evidence) but our forensic machines are on stand-alone networks
Possible Solutions
  Make a copy of the evidence and connect it to an Internet-facing system
  Use the AV scanning software installed on your local system
  Buy a stand-alone copy of a commercial solution
  KISS method – use MantaRay
6. Benefits of KISS Solution
Low Cost
  Code is free, just pay for the AV licenses
  I used home-use licenses for the demo; for non-home use you would need to buy licenses
Easily Extensible
  AV scanner information is held in a configuration file
  If you add a new AV scanner to your SIFT VM, just update the configuration file
Modular
  Code can easily be modified
  New modules can be written to perform post-processing of AV scanner output
7. Basic Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
#####ENTER SCANNER INFO HERE#########################
Clamscan, clamscan -r -i, NONE
########################################################
15. Output with Clam AV Results
/home/sansforensics/Documents/malware_samples/level2_zipped.zip: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
/home/sansforensics/Documents/malware_samples/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 4421317
Engine version: 0.98.7
Scanned directories: 2
Scanned files: 15
Infected files: 3
Data scanned: 0.75 MB
Data read: 0.93 MB (ratio 0.81:1)
Time: 7.186 sec (0 m 7 s)
Clamscan recursed through the entire folder structure and found the malware in the root of the folder, in a subfolder, and inside a zip file in a sub-folder.
16. Adding Another Scanner - Avast
Download (home edition is for home use only) from: http://avast-linux-home-edition.en.uptodown.com/ubuntu/download
Run sudo dpkg -i against the downloaded .deb file
Get a license code from http://www.avast.com/i_kat_207.php?lang=ENG
Paste in the license code during install when prompted
Update virus signatures → sudo avast-update
Enter the following line at the bottom of /etc/sysctl.conf: sysctl -w kernel.shmmax=128000000
Update → sudo avast-update
17. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, NONE
#######################################################
19. Tweaking output
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
#######################################################
21. Adding F-Protect
Download (home edition is for home use only) from: http://www.f-prot.com/download/home_user/download_fplinux.html
Unzip the .gzip file to /opt/
Run the 'install-f-prot.pl' Perl script
22. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
#######################################################
27. Update Configuration File
#av_scanner_mr.py configuration file
#
#SAMPLE LINE
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
#
#
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
BitDefender, bdscan --no-warnings --no-list --action-ignore, NONE
AVG, avgscan -w -P -H --ignerrors, | grep "Trojan horse"
#######################################################
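As an added example of how the three-field configuration lines on these slides can be consumed (this is my own code, not av_scanner_mr.py): a small Python parser that reads the scanner name, command and post-processing fields, places the evidence folder between the command and the pipe, and quotes the folder path because the post-processing field forces the command through a shell. The embedded configuration text is copied from the slides; the function and class names are assumptions.

```python
import shlex
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the av_scanner_mr.py configuration shown on the slides.
CONFIG_TEXT = """\
#av_scanner_mr.py configuration file
#AV Scanner Name,command line to run this scanner recursively against a folder, post processing commands (if none please enter NONE)
##################ENTER SCANNER INFO HERE #############
Clamscan, clamscan -r -i, NONE
Avast, avast -n -c, | grep "infected by"
F-Protect, fpscan -v 1 -r, | grep "[Found"
#######################################################
"""

@dataclass
class Scanner:            # hypothetical name, not a MantaRay class
    name: str
    command: str          # scanner invocation; the evidence folder is appended to it
    post: Optional[str]   # shell pipeline appended after the folder, or None for NONE

def parse_config(text: str) -> List[Scanner]:
    """Parse 'name, command, post' lines; '#' comment lines and blanks are skipped."""
    scanners = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",", 2)]   # post field may itself contain commas
        if len(parts) != 3:
            raise ValueError(f"malformed scanner line: {raw!r}")
        name, command, post = parts
        scanners.append(Scanner(name, command, None if post.upper() == "NONE" else post))
    return scanners

def build_command(scanner: Scanner, folder: str) -> str:
    """Build the shell string. The pipe in the post field needs a shell, so the evidence
    folder is quoted: spaces or metacharacters in a path must not be interpreted."""
    cmd = f"{scanner.command} {shlex.quote(folder)}"
    return f"{cmd} {scanner.post}" if scanner.post else cmd

def run_scanners(text: str, folder: str) -> Dict[str, str]:
    """Run every configured scanner against the folder; stdout is kept per scanner name."""
    results = {}
    for s in parse_config(text):
        proc = subprocess.run(build_command(s, folder), shell=True,
                              capture_output=True, text=True, check=False)
        results[s.name] = proc.stdout
    return results
```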
28. Root Cause Analysis Demo
Download MantaRay to your SIFT VM from GitHub
Unzip MantaRay inside the VM (I used /usr/share as the root folder)
Command line to run MantaRay →
/usr/share/mantaray/Tools/Python/python3 Manta_Ray_Master_GUI.py
38. Step 1: Review AV Scan Results
All 5 scanners alerted on the following file:
Users/CEIC-Hacker/AppData/Roaming/Naym/suco.exe
39. Step 2: Static Malware Analysis
Extract suco.exe from evidence
  Use MantaRay FileName Search module
  Autopsy v4.0
  Other tool of choice
Run MantaRay Static Malware Analysis plugin against the folder containing suco.exe (needs REMnux)
Provides output from the following:
  Mastiff
  PE Scanner
  PE Dump
  PE Frame
  PESTR
  READPE
  SIGNSRCH
40. Step 2: Static Malware Analysis
Output from PESCANNER:
Meta-data
====================================================================
Size : 127562 bytes
Type : PE32 executable (GUI) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5 : 7b95049f8963abf70e2d98857e7178c5
SHA1 : 0b608dccc301df197f9968c383e9b0a6e8bf60d4
ssdeep : 3072:l6PYV6NtBFXqBNKUFv3+oaSqr4NZ5YNpbNy2KChiCWaTQTe:lFsTBdqGUh3+jSUhy3aIe
imphash : 994868cc529d722b89689c6b1dd44cb9
Date : 0x48B27E26 [Mon Aug 25 09:40:54 2008 UTC]
Language : RUSSIAN
CRC: (Claimed) : 0x2be25, (Actual): 0x2dcc2 [SUSPICIOUS]
Entry Point : 0x4010f7 .data 0/4 [SUSPICIOUS]
41. Step 2: Static Malware Analysis
Output from VirusTotal for Hash → 7b95049f8963abf70e2d98857e7178c5:
SHA256: 25ecf8b98eb0cfcf83a02c2b55382c8a62110589d6bf9c00916118d46d439366
File name: suco.exe
Detection ratio: 43 / 47
Analysis date: 2013-05-20 19:22:18 UTC ( 3 years, 1 month ago )
HOUSTON WE HAVE A PROBLEM!!!!
42. Step 3: TimeLine Analysis
So we now know we have a malicious file in our evidence
Timeline analysis will give us more information
43. Step 3: TimeLine Analysis
www.mantarayforensics.com
Date | Type | L2T_Function | File Name | Notes
5/4/2013 07:11.19 | macb | UserAssist Key | Aol.exe | Shows user execution. File is deleted / overwritten. Probable dropper
5/4/2013 07:11.19 | macb | | Suco.exe | Malicious file from AV scans
5/4/2013 07:11.20 | macb | NTUSER Key | HKEY_USER/Software/Microsoft/Windows/CurrentVersion/Run | Suco added as RunKey
5/4/2013 07:11.20 | macb | [Microsoft-Windows-Windows Firewall With Advanced Security/Firewall] | Security.evtx | Windows Firewall modified
44. Step 4: Confirm Run Key Mod
From MantaRay RegRipper results:
Last Modified Time: 2013-05-04 11:22:53.560560
Filename: 377-128-1_Partition_1048576_OVERT_CEIC-Hacker_NTUSER.DAT
MD5 SUM: bb462d742bfd0fd9d2793010c3681c27
user_run v.20140115
(NTUSER.DAT) [Autostart] Get autostart key contents from NTUSER.DAT hive
Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time Sat May 4 11:11:20 2013 (UTC)
uTorrent: "C:\Users\CEIC-Hacker\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED
{5ECAABF9-0619-7EAC-19E2-4A73BEBEFF9A}: C:\Users\CEIC-Hacker\AppData\Roaming\Naym\suco.exe
SearchProtect: C:\Users\CEIC-Hacker\AppData\Roaming\SearchProtect\bin\cltmng.exe
45. Step 5: Determine how the file got on the system
Timeline analysis shows no Internet activity around the time that suco.exe first appeared on the drive
Other likely means of infection… USB drive?
Check RegRipper results for USB devices → SYSTEM/usb.txt
VID_0E0F&PID_0002 [Fri May 3 23:14:17 2013]
S/N: 6&b25d31b&0&2 [Sat May 4 11:22:21 2013]
Device Parameters LastWrite: [Fri May 3 23:16:39 2013]
LogConf LastWrite : [Fri May 3 23:14:17 2013]
Properties LastWrite : [Fri May 3 23:16:08 2013]
InstallDate : Fri May 3 23:16:09 2013 UTC
FirstInstallDate: Fri May 3 23:16:09 2013 UTC
46. Step 6: Next Steps
Search your environment for other instances of suco.exe by hash value
Look for data exfiltration from this system
Send suco.exe to your RE experts to determine exactly what it does
Re-image this system to remove the malware
47. On the to do list:
Remove human interaction completely
  Have MantaRay watch a folder for evidence to be dropped in and then start processing using default options
Add analytics into the AV-Scanner script
  Get a count of how many scanners hit on each file
  Grab the filename from the scanner output files
  Extract the file from the image using fls
  Scan extracted files using the MantaRay Static Malware Analysis plugin
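The to-do item of counting how many scanners hit on each file (the same check Step 1 does by hand when it notes that all 5 scanners alerted on suco.exe), as an added Python example that is not part of MantaRay: it parses one detection-line format per scanner and tallies which scanners flagged each path. The ClamAV line format is the one shown in the Clam AV results slide; the Avast and F-Prot line shapes are assumed from the grep patterns in the configuration file, and every output line below is constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed scanner output, keyed by the scanner name used in the configuration file.
# The ClamAV format follows the slides; Avast and F-Prot lines are assumed shapes that
# match the '"infected by"' and '"[Found"' grep patterns from the configuration.
SCANNER_OUTPUT = {
    "Clamscan": """\
/evidence/malware_samples/suco.exe.evil: Win.Trojan.Zbot-26018 FOUND
/evidence/malware_samples/level2/suco.exe_level2_dir.evil: Win.Trojan.Zbot-26018 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
""",
    "Avast": """\
/evidence/malware_samples/suco.exe.evil [infected by: Win32:Zbot-gen]
/evidence/malware_samples/readme.txt [OK]
""",
    "F-Protect": """\
[Found virus] <W32/Zbot.A> /evidence/malware_samples/suco.exe.evil
""",
}

# One regex per scanner; each captures the flagged path as 'path' and the name as 'sig'.
LINE_PATTERNS = {
    "Clamscan": re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$"),
    "Avast": re.compile(r"^(?P<path>.+?) \[infected by: (?P<sig>[^\]]+)\]$"),
    "F-Protect": re.compile(r"^\[Found[^\]]*\] <(?P<sig>[^>]+)> (?P<path>.+)$"),
}

def flagged_files(scanner: str, output: str) -> Dict[str, str]:
    """Map path -> signature for every detection line in one scanner's output;
    summary lines and clean-file lines do not match and are ignored."""
    pattern = LINE_PATTERNS[scanner]
    hits = {}
    for line in output.splitlines():
        m = pattern.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def hit_counts(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map path -> names of the scanners that flagged it, most-flagged files first,
    so the analyst reviews the strongest consensus before single-scanner hits."""
    per_file = defaultdict(list)
    for scanner, output in outputs.items():
        for path in flagged_files(scanner, output):
            per_file[path].append(scanner)
    return dict(sorted(per_file.items(), key=lambda kv: -len(kv[1])))
```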
48. Questions / Contact Info
My contact info:
dougkoster@hotmail.com
https://www.linkedin.com/pub/doug-koster/7/65a/8aa