Scans a malware file and lists down the related MBC (Malware Behavior Catalog) details.
$ ./mbcscan.py --help
usage: mbcscan.py [-h] [-i] [-a] file
Scans a file and lists down the related MBC (Malware Behavior Catalog) details.
positional arguments:
file Path of file to scan.
optional arguments:
-h, --help show this help message and exit
-i, --interactive Run program interactively.
-a, --all List all findings in one page.
-v, --verbose Enable verbose print statements
It is recommended to run the program interactively:
$ sha256sum test.bin
f8ad6ecb49e68ac7cf261551f01d8ef3348e347cf4239368a26bb2b3ec372904 test.bin
$ ./mbcscan.py -i -v test.bin
[INFO] Setting up mbc database...
[INFO] Scanning test.bin...
================================================================================
Behaviors list:
================================================================================
(0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
(1) [C0003.002] Communication Micro-objective::Connect Pipe::Interprocess Communication
(2) [C0003.003] Communication Micro-objective::Read Pipe::Interprocess Communication
(3) [C0003.004] Communication Micro-objective::Write Pipe::Interprocess Communication
(4) [C0045] File System Micro-objective::Copy File
(5) [C0047] File System Micro-objective::Delete File
(6) [C0051] File System Micro-objective::Read File
(7) [C0052] File System Micro-objective::Writes File
(8) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
(9) [C0040] Process Micro-objective::Allocate Thread Local Storage
(10) [C0042] Process Micro-objective::Create Mutex
(11) [C0041] Process Micro-objective::Set Thread Local Storage Value
(12) [C0018] Process Micro-objective::Terminate Process
__ ___ ____ ______ _____
/ |/ // __ ) / ____// ___/ _____ ____ _ ____
/ /|_/ // __ |/ / \__ \ / ___// __ `// __ \
/ / / // /_/ // /___ ___/ // /__ / /_/ // / / /
/_/ /_//_____/ \____/ /____/ \___/ \__,_//_/ /_/
Type "?" r "help" to display help.
Type the help command to find out available commands:
(mbcscan) help
Documented commands (type help <topic>):
========================================
a exit help l list q query s select
View the details of a specific entry with the select
command.
(mbcscan) s 3
================================================================================
Name: Write Pipe::Interprocess Communication
================================================================================
MBC_ID: attack-pattern--0947cd27-a2b6-466f-b47c-4d36e4ce06cb
External ID: C0003.004
Objectives: [OC0006] Communication Micro-objective
Parent: [C0003] Interprocess Communication
Related: [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
Create Pipe::Interprocess Communication, [C0003.002] Connect
Pipe::Interprocess Communication, [C0003.003] Read
Pipe::Interprocess Communication
Samples: None
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------
To view details of other entries, use the query
command.
(mbcscan) q x0004
================================================================================
Name: Dark Comet
================================================================================
MBC_ID: malware--19d14868-ff81-4c8c-9a6a-c57baf7e7f52
External ID: X0004
Objectives: None
Parent: None
Related: None
Samples: None
Description: A Remote Access Trojan (RAT) that allows a user to control the
system via a GUI. It has many features which allows a user to use
it as administrative remote help tool; however, DarkComet has
many features which can be used maliciously. DarkComet is
commonly used to spy on the victims by taking screen captures,
key-logging, or password stealing.
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/xample-malware/dark-comet.md
- https://en.wikipedia.org/wiki/DarkComet
--------------------------------------------------------------------------------
If you don't want to run the program interactively and just want to list down all behaviors at a glance:
$ ./mbcscan.py -a -v test.bin[INFO] Setting up mbc database...
[INFO] Scanning test.bin...
================================================================================
Behaviors list:
================================================================================
================================================================================
Name: Argument Obfuscation
================================================================================
MBC_ID: attack-pattern--772c8a08-0dbb-4059-8459-7ac1193840bc
External ID: B0012.001
Objectives: [OB0002] Anti-Static Analysis
Parent: [B0012] Disassembler Evasion
Related: [B0012.002] Conditional Misdirection, [B0012.001] Argument
Obfuscation, [B0012.005] VBA Stomping, [B0012.003] Value
Dependent Jumps, [B0012.004] Variable Recomposition
Samples: None
Description: Simple number or string arguments to API calls are calculated at
runtime, making linear disassembly more difficult.
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/anti-static-analysis/evade-disassembler.md
--------------------------------------------------------------------------------
================================================================================
Name: Connect Pipe::Interprocess Communication
================================================================================
MBC_ID: attack-pattern--c1e8e932-3864-444e-b56b-70292bb7695c
External ID: C0003.002
Objectives: [OC0006] Communication Micro-objective
Parent: [C0003] Interprocess Communication
Related: [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
Create Pipe::Interprocess Communication, [C0003.002] Connect
Pipe::Interprocess Communication, [C0003.003] Read
Pipe::Interprocess Communication
Samples: None
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------
================================================================================
Name: Read Pipe::Interprocess Communication
================================================================================
MBC_ID: attack-pattern--d6e1b096-1595-47e7-8230-223aa9cad622
External ID: C0003.003
Objectives: [OC0006] Communication Micro-objective
Parent: [C0003] Interprocess Communication
Related: [C0003.004] Write Pipe::Interprocess Communication, [C0003.001]
Create Pipe::Interprocess Communication, [C0003.002] Connect
Pipe::Interprocess Communication, [C0003.003] Read
Pipe::Interprocess Communication
Samples: None
External references:
- https://github.com/MBCProject/mbc-markdown/blob/v2.1/micro-behaviors/communication/inter-process.md
--------------------------------------------------------------------------------
...
- Capa - MBCScan uses the related MBR behaviors that Capa detects from the given file
- mbclib - Library for querying STIX data from the the MBC-Stix2 repository
$ git clone https://github.com/accidentalrebel/mbcscan.git
$ cd mbcscan/
$ pip install -r requirements.txt
$ ./mbcscan.py -v
[INFO] Installing mbclib...
[INFO] Installing mbc-stix2...
[INFO] Installing capa-rules...
usage: mbcscan.py [-h] [-i] [-a] file
Feel free to submit a pull request if you want to improve this tool!