Unprotect Project: Classify Malwares Based on Known Evasion Techniques

One of the first steps in learning about a malware is to see if it is evasive in any sense and then proceed accordingly. The Unprotect Project helps you do this easily. It is an open source project in Python that proposes a malware classification techniques based on their evasive capabilities to help understand and analyze them. This project caters Windows PE malwares only.

Unprotect Project

What is Unprotect Project?

The Unprotect Project is an open-source project in python that aims to classify and understand malware’s based on the different evasion techniques implemented. As we all know, malware’s use evasive techniques to avoid and evade security solutions, security configurations as well human detection to perform malicious actions on the systems they infect. You can use this tool as a first line of detection to get a fair idea about what you are dealing with and then pass it along to your favourite tool such as the Cuckoo Sandbox for the heavy lifting.

Features of the Unprotect Project:

  1. Malware PE Summary: Provides information about the analyzed PE. This information includes PE size, entry point, compile timestamp, etc.
  2. VirusTotal Report: Provides information about the VirusTotal report accompanied by a direct link to the hash.
  3. Metadata: Provides additional binary metadata information.
  4. Packer Detection: Provides information about potential packers and entropy using tools such as PEiD.
  5. Anti-Sandboxing: Checks for specific hexadecimal formats for sandbox and anti-sandbox assembly related instructions such as Store Interrupt Descriptor Table Register (SIDT), Store Local Descriptor Table Register (SLDT), CPUID, in addition to Yara triggers such as vmdetect, etc.
  6. Binary Security: Extraction of binary security configurations such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), Safe Exception Handlers (SEH) and Control Flow Guard (CFG)
  7. Anti-Debugging: Provide information about anti-debugging tricks and APIs such as IsDebuggerPresent, GetTickCount, etc.
  8. Anti-Virus Evasion: Detect anti-AV tricks such as authenticode, living-off-the-land-binaries (lolbins), as well embedded certificate, etc.
  9. Anti-Disassembly: Provide information about potential anti-disassembly tricks.
  10. Process Injection: Provide information about process injection tricks/API such as LoadLibraryA, CreateThread, etc.
  11. Obfuscation: Provide information about potential data obfuscation, and algorithms used.
  12. Network information: Provide network information IP and URLs, along with network evasion tricks.
  13. Additional Information: Provide additional information (resources, crypto-currency wallet addresses, user yara-rules, anti-forensic and anti-monitoring capabilities of the malware.

All of this is packaged in a neat standalone tool that can be operated via the CLI or via an upcoming web-based UI. Just do not forget to add the VT API key in the file.

As of now, it is programmed in soon-to-be-EOL Python 2.x and needs the following libraries – capstone, pathlib, plugnplay, enum34, jsonmerge, libmagic, lief, mmh3, numpy, pefile, PTable, pyimpfuzzy, python-geoip, python-geoip-geolite2, urllib3, tabulate, tqdm, ssdeep, viv-utils, yara-python,vivisect,flare-floss. The author also plans to move to Python 3.x soon.

Download Unprotect Project:

Checkout the Unprotect Project from it’s GIT repository here.

Three days ago, an updated version – Sysdig Falco v0.15.1 – was released. It has been some time since I last blogged about this open source behavorial activity monitor which has container support.  This release remediates integration issues with Anchore by updating urllib3 and requests Python library versions in addition to others. Share this post on: witteracebookhatsAppoogle+ufferLinkedin It

You Might Also Like

Leave a Reply