peframe: perform static analysis on (portable executable) malware
PEframe is an open source tool to perform static analysis on Portable Executable malware and on generic suspicious files. It helps malware researchers detect packers, XOR obfuscation, digital signatures, mutexes, anti-debug and anti-virtual-machine tricks, suspicious sections and functions, and much more information about the suspicious files.
Install
# pip install https://github.com/guelfoweb/peframe/archive/master.zip
$ git clone https://github.com/guelfoweb/peframe.git
$ cd peframe
# python setup.py install
Note
For Windows environment, you need to follow the instructions here: https://github.com/ahupp/python-magic#dependencies
Usage
PEframe v.5.0.1 - Open Source Project - MIT LICENSE
Author: Gianni 'guelfoweb' Amato
Github: https://github.com/guelfoweb/peframe

Usage
peframe <filename>    Short output analysis

Options
--json                Full output analysis JSON format
--strings             Strings output
Example
ddos@DESKTOP-NC10UIK:~/peframe/peframe$ python peframe.py YUMI-2.0.5.1.exe

Peframe v. 5.0.1

Short information
————————————————————
File type        PE32 executable (GUI) Intel 80386, for MS Windows
File name        YUMI-2.0.5.1.exe
File size        1838670
Hash MD5         7b9b497f984bfa184430fab7a7d0e3be
Compile time     2009-12-06 05:50:41
Sections         5 (1 suspicious)
Directories      import, resource
Detected         packer, mutex, antidbg
Import Hash      7fa974366048f9c551ef45714595665e

Packer info
————————————————————
Nullsoft PiMP Stub -> SFX

Resources info
————————————————————
RT_ICON          296
RT_DIALOG        238    *MS Shell DlgP(x P gP( x LPlease w
RT_GROUP_ICON    104    h 00 % ~(FE ~0
RT_VERSION       556    ,4VS_VERSION_INFOStringFileInfoh000
RT_MANIFEST      958    <?xml version="1.0" encoding="UTF-8

Sections suspicious
————————————————————
hash_md5         d41d8cd98f00b204e9800998ecf8427e
virtual_address  0x24000
name             .ndata
size_raw_data    0
suspicious       True
hash_sha1        da39a3ee5e6b4b0d3255bfef95601890afd80709
virtual_size     0x27000

Import function
————————————————————
VERSION.dll      3
GDI32.dll        8
SHELL32.dll      6
KERNEL32.dll     59
ADVAPI32.dll     9
ole32.dll        4
USER32.dll       62
COMCTL32.dll     4

Antidbg info
————————————————————
FindWindowExA
GetLastError

Mutex info
————————————————————
WaitForSingleObject

Apialert info
————————————————————
CloseHandle
CopyFileA
CreateDirectoryA
CreateFileA
CreateProcessA
CreateThread
DeleteFileA
ExitProcess
FindFirstFileA
FindNextFileA
FindWindowExA
GetCommandLineA
GetCurrentProcess
GetFileAttributesA
GetFileSize
GetModuleFileNameA
GetModuleHandleA
GetProcAddress
GetSystemDirectoryA
GetTempFileNameA
GetTempPathA
GetTickCount
GetWindowsDirectoryA
LoadLibraryA
LoadLibraryExA
MessageBoxIndirectA
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegOpenKeyExA
RemoveDirectoryA
SetFilePointer
ShellExecuteA
Sleep
WaitForSingleObject
WriteFile
lstrcmpA
lstrcmpiA

Filename found
————————————————————
Temporary        ~nsu.tmp
Library          ADVAPI32.dll
Library          SHELL32.dll
Library          KERNEL32.dll
Library          USER32.dll
Library          VERSION.dll
Library          COMCTL32.dll
Library          ole32.dll
Library          GDI32.dll

Url found
————————————————————
http://nsis.sf.net/NSIS_Error

IP found
————————————————————
2.0.5.1

Meta info
————————————————————
LegalCopyright   Copyright \xa92017 Lance Pendrivelinux.com
FileVersion      2.0.5.1
License          GPL Version 2
CompanyName      pendrivelinux.com
FileDescription  YUMI
Translation      0x0000 0x04e4
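Three of the checks in the output above (the suspicious .ndata section with size_raw_data 0, the Import Hash, and the Antidbg list) can be reproduced on already-parsed PE metadata. The script below is an added example written for this page, not peframe's own code: the section and import dictionaries are constructed from the YUMI output, their field names are assumed rather than peframe's JSON schema, the anti-debug API set is a small hand-picked list, and the import hash follows the published Mandiant imphash recipe (names only, no ordinal mapping).

```python
import hashlib
import re

# Constructed sample mirroring the page's YUMI output (field names assumed).
SECTIONS = [
    {"name": ".text", "virtual_size": 0x6000, "size_raw_data": 0x5A00},
    {"name": ".ndata", "virtual_size": 0x27000, "size_raw_data": 0},
]
IMPORTS = {
    "KERNEL32.dll": ["CloseHandle", "GetLastError", "GetTickCount", "IsDebuggerPresent"],
    "USER32.dll": ["FindWindowExA", "MessageBoxIndirectA"],
}
# Hand-picked set of APIs commonly used to detect a debugger (assumption, not peframe's list).
ANTIDBG_APIS = {
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "OutputDebugStringA",
    "FindWindowExA", "GetLastError", "GetTickCount",
}


def suspicious_sections(sections):
    """Sections that occupy virtual memory but carry no bytes on disk, the
    layout the page shows for .ndata (raw size 0, virtual size 0x27000):
    an installer or unpacker stub fills such a region at run time."""
    return [s["name"] for s in sections
            if s["size_raw_data"] == 0 and s["virtual_size"] > 0]


def imphash_string(imports):
    """Normalised import list in imphash form: 'dll.func', lowercased,
    DLL extension stripped, import order preserved (order changes the hash)."""
    parts = []
    for dll, funcs in imports.items():
        base = re.sub(r"\.(dll|ocx|sys)$", "", dll.lower())
        parts.extend(f"{base}.{func.lower()}" for func in funcs)
    return ",".join(parts)


def imphash(imports):
    """MD5 of the normalised import string, comparable with peframe's Import Hash."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def antidbg_hits(imports):
    """Imported functions that appear in the anti-debug watch list, sorted."""
    return sorted(f for funcs in imports.values() for f in funcs if f in ANTIDBG_APIS)


if __name__ == "__main__":
    print("Sections suspicious:", suspicious_sections(SECTIONS))
    print("Import Hash:        ", imphash(IMPORTS))
    print("Antidbg info:       ", antidbg_hits(IMPORTS))
```

Because imphash depends on import order and DLL/function names only, two builds of the same installer stub share it even when their payloads differ, which is why it is useful for clustering samples but not for proving two files are identical.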
Source: https://github.com/guelfoweb/