Threat Hunting on Simple Tricks (part 2)

x0rz
2 min read · Jul 20, 2016


If you are doing malware analysis work, you will often encounter “freshly” compiled PE files. That is especially true of recent ransomware campaigns that try to evade AV signatures: to do so, malware authors use packers, recompile their code, and so on, which resets the “compilation” timestamp to the current time.

Detecting freshly compiled binaries

In this article we will focus on detecting those binaries on your network.
I made a simple proof of concept (in Python) that listens on the network and analyzes every HTTP response containing a PE file (in our scenario, most likely one being dropped by a malicious document). It is a simple trick; you can have a look at my first post about “IOC-less” detection if you’re interested.

Using pefile and scapy we can:

  1. detect any PE in an HTTP reply
  2. parse the PE file to detect a suspicious recent compilation time

Below is the output of my PoC using one sample detected today.

Upon opening the malicious document, it will download the malicious payload located at hXXp://securityupdateserver[.]com/cer.mov (see on VirusTotal)

# python detect_fresh_pe.py eth0
[+] Listening on eth0…
[+] Got a file
[+] Detected a PE file in HTTP response
[+] Possible malware detected! tmp_LAfTh (compiled at 2016-07-19 21:29:46)
[+] Sample saved at /tmp/tmp_LAfTh

In the PoC below, detection triggers when the binary has been compiled within the last 3 days; that is pretty recent and should not produce many false positives. Here is the detect_fresh_pe.py:

It’s really that simple.
Of course, it’s a quick-and-dirty PoC and shouldn’t be used for real-life monitoring. You should probably rewrite it using the very efficient PE parser Manalyze.
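The gist embedded in the original post is not reproduced on this page. As an added example that is not the author’s detect_fresh_pe.py, here is the same two-step check in dependency-free Python: it splits a raw HTTP response, reads the COFF TimeDateStamp straight from the PE headers instead of via pefile, and applies the post’s 3-day window. It assumes the capture layer (scapy in the original) hands it the reassembled response bytes, and the PE sample it checks is constructed.

```python
"""Added example (not the post's detect_fresh_pe.py): a dependency-free check
for freshly compiled PE files carried in HTTP responses."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FRESH_WINDOW = timedelta(days=3)  # same 3-day window as the post's PoC

def extract_http_body(raw: bytes) -> Optional[bytes]:
    """Body of a raw HTTP response, or None if the bytes are not one."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep and head.startswith(b"HTTP/") else None

def pe_timestamp(data: bytes) -> Optional[datetime]:
    """COFF TimeDateStamp of a PE image as a UTC datetime, else None. Layout:
    'MZ' + e_lfanew at 0x3C -> 'PE\\0\\0' -> IMAGE_FILE_HEADER, stamp at sig+8."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def is_fresh(compiled: datetime, now: datetime, window=FRESH_WINDOW) -> bool:
    """True when compiled within `window` before `now`; a stamp in the
    future gives a negative delta and is flagged too (clearly forged)."""
    return now - compiled <= window

def check_response(raw: bytes, now: datetime) -> dict:
    """Classify one HTTP response: is it a PE, when built, and is it fresh."""
    body = extract_http_body(raw)
    compiled = pe_timestamp(body) if body is not None else None
    return {"is_pe": compiled is not None, "compiled": compiled,
            "fresh": compiled is not None and is_fresh(compiled, now)}

def build_fake_pe(compiled: datetime) -> bytes:
    """Constructed sample input: a headers-only PE skeleton (not executable);
    e_lfanew points to 0x40 and only TimeDateStamp carries meaning."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(compiled.timestamp()), 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":  # demo on constructed samples
    now = datetime.now(timezone.utc)
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: video/quicktime\r\n\r\n"
    for label, built in (("fresh", now - timedelta(hours=5)), ("old", now - timedelta(days=90))):
        print(label, check_response(hdr + build_fake_pe(built), now))
```

Note that the compile timestamp is attacker-controlled and trivially forged, so this is a triage signal to pair with sandboxing or a full parser, not a verdict on its own.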

Let me know if you have any feedback!
