Malware Muncher

Malware Muncher is a Python proof-of-concept script that utilizes the Frida framework to enable binary instrumentation and API hooking. It is designed to intercept commonly-used API calls by malware, allowing users to analyze their behavior and identify potential threats. Furthermore, the script can leverage GPT to enhance the analysis output, providing more detailed and accurate insights into the malware's activities and identifying potential Mitre ATT&CK techniques. This tool was demonstrated at the Malware & Reverse Engineering conference in Melbourne.

Note: It's important to keep in mind that Malware Muncher is a proof-of-concept tool and may contain bugs or limitations. Additionaly this script is intended for use in a controlled environment such as a virtual machine. Use at your own risk.

Installation

To ensure proper execution of the script, it is necessary to have the "jsscripts" folder accessible. This folder contains the necessary Frida scripts that are used during the binary instrumentation and API hooking process.

git clone https://github.com/fr0gger/MalwareMuncher.git
pip install -r requirement.txt

Usage

python .\malwaremuncher.py -h
usage: malwaremuncher.py [-h] [-f FILE] [-d] [-g] [-m] [-r] [-i] [-c] [-w] [-a] [-o]

MalwareMuncher version 1.0 by Thomas Roccia

optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  File to process
  -d, --dump            Dump file from the memory
  -g, --getproc         Deobfuscate API calls
  -m, --mutex           Extract mutex
  -r, --registry        Shows registry modification
  -i, --internet        Shows remote connection
  -c, --fileactivity    Shows file creation and more
  -w, --wscript         Hook wscript.exe for js script
  -a, --allscripts      Run all hooking functions
  -o, --openai          Request GPT for enrichment

python .\malwaremuncher.py --dump --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
[+] VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20
           0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
03050000  4d 5a e8 00 00 00 00 5b 89 df 52 45 55 89 e5 81  MZ.....[..REU...
03050010  c3 50 81 00 00 ff d3 68 f0 b5 a2 56 68 04 00 00  .P.....h...Vh...
03050020  00 57 ff d0 00 00 00 00 00 00 00 00 00 00 00 00  .W..............
03050030  00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00  ................
03050040  0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68  ........!..L.!Th
03050050  69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f  is program canno
03050060  74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20  t be run in DOS
03050070  6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00  mode....$.......
03050080  af c6 3b f4 eb a7 55 a7 eb a7 55 a7 eb a7 55 a7  ..;...U...U...U.
03050090  56 e8 c3 a7 ea a7 55 a7 f5 f5 d1 a7 c3 a7 55 a7  V.....U.......U.
030500a0  f5 f5 c0 a7 ff a7 55 a7 f5 f5 d6 a7 69 a7 55 a7  ......U.....i.U.
030500b0  cc 61 2e a7 e0 a7 55 a7 eb a7 54 a7 31 a7 55 a7  .a....U...T.1.U.
030500c0  f5 f5 dc a7 27 a7 55 a7 f5 f5 c7 a7 ea a7 55 a7  ....'.U.......U.
030500d0  f5 f5 c4 a7 ea a7 55 a7 52 69 63 68 eb a7 55 a7  ......U.Rich..U.
030500e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
030500f0  00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00  ........PE..L...
[+] MZ header at address: 0x3050000
[+] Dumped executable: 0x3050000dumped.exe
{'type': 'send', 'payload': {'api_call': 'VirtualProtect called: 0x3050000, size: 208896 and protection: 0x20', 'mz_header': 'MZ', 'dumped_exe': '0x3050000dumped.exe'}}

###########################################################################
python .\malwaremuncher.py --registry --file demo.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'RegCreateKey', 'regkey': 'HKEY_CURRENT_USER\\Software\\MRE', 'handle': 720}}

###########################################################################
python .\malwaremuncher.py --wscript --file demo.vbs
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: demo.vbs
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

{'type': 'send', 'payload': {'name': 'instr', 'hookdata': {'hook': 'shell', 'nshow': 'SW_HIDE', 'cmd': 'C:\\Users\\rever\\AppData\\Local\\Temp\\rad045FA.tmp\\REIIVDoCWfI.exe', 'params': None}}}

###########################################################################
python .\malwaremuncher.py --mutex --file beacon2.exe
[+] .\malwaremuncher.py v1.0 by @fr0gger_
[+] Running process: beacon2.exe
[!] Hit CTRL+C at the end of the analysis to trigger GPT or terminate the script
{'type': 'send', 'payload': {'hook': 'CreateMutex', 'mutex': 'Local\\SM0:7292:168:WilStaging_02'}}

Acknowledge

• Frida.re
• Frida Wshook
• Hawkeye
• Malware Write up

License

APACHE