5 Minutes Demo
With this short demo you can test the Balbuzard tools by yourself in a few minutes using the provided samples. Check the Installation page if you have not installed Balbuzard yet. The samples are located in the balbuzard/samples subfolder of the Balbuzard package.
Open a shell (or cmd.exe on Windows), go to the directory where you unzipped Balbuzard, then into the balbuzard subdirectory where the Python tools are located.
Using REMnux: Since May 2014, Balbuzard 0.19 has also been included in the REMnux v5 distribution. The tools are pre-installed and ready to use. You may run this demo simply by going to a writable directory such as the remnux user home (just type "cd"), then running the tools from /usr/local/balbuzard.
Sample 1 - balbuzard
First, let's try balbuzard:
at 00007040: IPv4 address - '126.96.36.199'
at 000034CB: URL (http/https/ftp) - 'http://schemas.openxmlf...g/drawingml/2006/main"'
at 0000704C: URL (http/https/ftp) - 'http://www.ccserver.com\x00'
at 00007064: e-mail address - 'email@example.com'
at 00006C00: EXE MZ followed by PE - "MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00"
at 00006C4E: EXE PE DOS message - 'This program cannot be run in DOS mode'
at 00006FD8: Executable filename - 'KERNEL32.dll'
at 00006FF4: Executable filename - 'USER32.dll'
at 00007030: Executable filename - 'ADVAPI32.dll'
at 00007057: Executable filename - 'ccserver.com'
at 0000706B: Executable filename - 'acme.com'
at 00007074: Executable filename - 'payload.dll'
at 00006DC0: EXE: section name - '.text'
at 00006E10: EXE: section name - '.data'
at 00006DE8: EXE: section name - '.rdata'
at 00006FBA: EXE: interesting Win32 function names - 'IsDebuggerPresent'
at 00007010: EXE: interesting Win32 function names - 'RegSetValue'
at 000070F7: Interesting registry keys - 'CurrentVersion\\Run'
at 00000000: Possible OLE2 header (e.g. MS Office documents) - '\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1'
Besides the OLE2 header of the Office document itself, balbuzard reports an embedded PE executable and several patterns that are typical of malware:
- an IP address: '126.96.36.199'
- a URL: 'http://www.ccserver.com'
- an e-mail address: 'email@example.com'
- an executable filename: 'payload.dll'
- a function used to detect a debugger: 'IsDebuggerPresent'
- a function used to write a registry value: 'RegSetValue'
- a registry key commonly used by malware to run at startup: 'CurrentVersion\Run'
All this information may be very useful when analyzing this file further with other tools (sandbox, debugger, disassembler, etc).
Sample 2 - bbcrack
Let's try balbuzard on a second sample:
balbuzard.py samples/sample2.doc
This time balbuzard only reports a possible OLE2 header (an MS Office document) and nothing else. However, when looking at the file with a hex viewer, there is an area at the end which looks suspicious. Let's use bbcrack to check whether a known obfuscation algorithm has been used to hide data:
bbcrack.py -l 1 samples/sample2.doc
STAGE 1: quickly counting simple patterns for all transforms
Best score so far: identity, stage 1 score=977315
Best score so far: xor67_rol3, stage 1 score=1420985
Checked 5873 transforms in 11.608649 seconds - 505.915900 transforms/s
TOP 20 SCORES stage 1:
xor67_rol3: 1420985
identity: 977315
xor20: 867215
xor63_rol3: 500885
[...]
HIGHEST SCORES (>0):
xor67_rol3: score 633404
saving to file samples/sample2_xor67_rol3.doc
identity: score 330686
saving to file samples/sample2_identity.doc
rol6_add57: score 18086
saving to file samples/sample2_rol6_add57.doc
[...]
bbcrack runs all provided transforms (XOR, ROL, ADD and many combinations of them) with all their possible keys; the option -l 1 selects level 1, the quickest set of transforms. A score is then computed for each transformed file, based on the patterns of interest found in it. By default, the files with the ten best scores are written to disk.
Here, if we check the best score obtained with "xor67_rol3" in a hex viewer or with balbuzard, it turns out to be an executable file that was hidden within the document, obfuscated with a XOR+ROL algorithm:
balbuzard.py samples/sample2_xor67_rol3.doc
at 00006F30: IPv4 address - '184.108.40.206'
at 00006F3C: URL (http/https/ftp) - 'http://www.ccserver.com\x00'
at 00006F54: e-mail address - 'email@example.com'
at 00006C00: EXE MZ followed by PE - "MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00"
at 00006C4E: EXE PE DOS message - 'This program cannot be run in DOS mode'
[...]
at 00006EEE: EXE: interesting Win32 function names - 'IsDebuggerPresent'
Sample 3 - bbharvest
Now, let's check the third sample:
balbuzard.py samples/sample3.exe
at 00000000: EXE MZ followed by PE - 'MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
at 0000004E: EXE PE DOS message - 'This program cannot be run in DOS mode'
This is an executable file, but it contains no interesting string in clear text. Running bbcrack on it gives no useful result either. However, we know this small file is suspicious, and it seems to contain obfuscated strings. Let's try bbharvest to look for obfuscated patterns of interest:
bbharvest.py samples/sample3.exe
*** WARNING: harvest mode may return a lot of false positives!
identity: at 00000000 EXE MZ followed by PE, string='MZ\x90\x00\x03\x00\x00\...\x00\x00\x00PE\x00\x00'
identity: at 0000004E EXE PE DOS message, string='This program cannot be run in DOS mode'
[...]
xor11: at 000002F0 e-mail address, string='firstname.lastname@example.org'
xor88_rol5: at 000002D0 IPv4 address, string='220.127.116.11'
rol3_addD6: at 000002E0 IPv4 address, string='18.104.22.168'
Among the (mostly false positive) results, bbharvest finds:
- an e-mail address obfuscated with XOR 11
- two IP addresses obfuscated with XOR 88 + ROL 5, and with ROL 3 + ADD D6
Strings like these are not found by bbcrack by design: it scores each transform over the whole file, so a single short string obfuscated with a key used only once is drowned in the noise. bbharvest instead runs a slower algorithm that reports every pattern of interest found for every transform and key, which can expose even a single string obfuscated with an algorithm/key that is used only once.
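To make the difference between the two approaches concrete, here is a small Python re-implementation of the idea behind bbcrack (rank every transform by the score of the whole transformed file) and behind bbharvest (report every pattern match for every transform). This is an added example, not balbuzard's own code: it uses only a handful of patterns, a simplistic score (number of bytes covered by matches), and assumes that xor67_rol3 means XOR 0x67 followed by ROL 3 and rol3_addD6 means ROL 3 followed by ADD 0xD6, which is how the names read. The two sample files, the IP addresses (192.0.2.10, 198.51.100.7) and the e-mail address (admin@example.com) are constructed inline for the example.

```python
"""Toy bbcrack/bbharvest: brute-force byte-wise transforms, score each
candidate by the patterns of interest it exposes, and in harvest mode list
every match per transform instead of ranking whole files.
Added example, not balbuzard's own code."""
import re
from itertools import product

# Small subset of patterns of interest (assumption: the real tool has many
# more and weights them differently).
PATTERNS = {
    "EXE MZ header": re.compile(rb"MZ\x90\x00"),
    "EXE PE DOS message": re.compile(rb"This program cannot be run in DOS mode"),
    "URL (http/https/ftp)": re.compile(rb"(?:https?|ftp)://[A-Za-z0-9./_-]+"),
    "IPv4 address": re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "e-mail address": re.compile(rb"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[a-z]{2,}"),
}


def rol8(b, n):
    """Rotate an 8-bit value left by n bits."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def build_transforms():
    """Decoders as 256-byte translation tables, named in bbcrack's style.
    Operation order (XOR then ROL, ROL then ADD) is an assumption from the names."""
    def table(fn):
        return bytes(fn(b) & 0xFF for b in range(256))
    t = {"identity": table(lambda b: b)}
    for k in range(1, 256):
        t[f"xor{k:02X}"] = table(lambda b, k=k: b ^ k)
        t[f"add{k:02X}"] = table(lambda b, k=k: b + k)
    for r in range(1, 8):
        t[f"rol{r}"] = table(lambda b, r=r: rol8(b, r))
    for k, r in product(range(1, 256), range(1, 8)):
        t[f"xor{k:02X}_rol{r}"] = table(lambda b, k=k, r=r: rol8(b ^ k, r))
        t[f"rol{r}_add{k:02X}"] = table(lambda b, k=k, r=r: rol8(b, r) + k)
    return t


TRANSFORMS = build_transforms()


def obfuscate(plain, name):
    """Apply the inverse of decoder `name` (every table here is a bijection
    on bytes, so the inverse is found by looking each value up)."""
    tbl = TRANSFORMS[name]
    inverse = bytes(tbl.index(v) for v in range(256))
    return plain.translate(inverse)


def score(data):
    """bbcrack-style score: total number of bytes covered by patterns of interest."""
    return sum(len(m) for rx in PATTERNS.values() for m in rx.findall(data))


def crack(data, top=10):
    """bbcrack-style: rank all transforms by the score of the whole decoded file."""
    ranked = sorted(((name, score(data.translate(tbl)))
                     for name, tbl in TRANSFORMS.items()),
                    key=lambda ns: ns[1], reverse=True)
    return ranked[:top]


def harvest(data):
    """bbharvest-style: report every match for every transform, however low
    the file as a whole scores. Noisy, but catches a single obfuscated string."""
    hits = []
    for name, tbl in TRANSFORMS.items():
        plain = data.translate(tbl)
        for pname, rx in PATTERNS.items():
            for m in rx.finditer(plain):
                hits.append((name, m.start(), pname, m.group()))
    return hits


# Constructed analogue of sample 2: an OLE2 header, some document text, then a
# fake PE stub obfuscated with XOR 0x67 + ROL 3 (all values made up).
FAKE_PE = (b"MZ\x90\x00" + b"\x00" * 12
           + b"This program cannot be run in DOS mode\x00"
           + b"http://www.ccserver.com\x00192.0.2.10\x00admin@example.com\x00")
SAMPLE2 = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly report draft. " * 4
           + obfuscate(FAKE_PE, "xor67_rol3"))

# Constructed analogue of sample 3: a clear-text PE stub holding three strings,
# each obfuscated with a different transform/key and separated by NUL padding.
SAMPLE3 = (b"MZ\x90\x00This program cannot be run in DOS mode\x00" + b"\x00" * 16
           + obfuscate(b"admin@example.com\x00", "xor11") + b"\x00" * 4
           + obfuscate(b"192.0.2.10\x00", "xor88_rol5") + b"\x00" * 4
           + obfuscate(b"198.51.100.7\x00", "rol3_addD6") + b"\x00" * 4)

if __name__ == "__main__":
    # Sample 2: the whole-file ranking points straight at xor67_rol3.
    print("TOP 5 SCORES, sample 2:", crack(SAMPLE2, top=5))
    # Sample 3: identity wins the ranking (the PE stub is in clear), while the
    # three single obfuscated strings only show up in harvest mode.
    print("TOP 5 SCORES, sample 3:", crack(SAMPLE3, top=5))
    for name, offset, pname, s in harvest(SAMPLE3):
        if name in ("xor11", "xor88_rol5", "rol3_addD6"):
            print(f"{name}: at {offset:08X} {pname}, string={s!r}")
```

With the toy scoring, sample 2 ranks xor67_rol3 first because the decoded PE stub exposes five patterns at once, whereas on sample 3 the identity transform wins (the stub is already in clear) and each obfuscated string contributes only a few bytes under its own key, which is exactly why a per-match report is needed there. Like bbharvest, the harvest output also contains accidental matches for unrelated keys, so its results need manual review.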