
Analyzing Linux Malware Sandbox: Limon

cybersniper


Limon is a sandbox developed as a research project, written in Python, which automatically collects, analyzes, and reports on the run-time indicators of Linux malware. It allows one to inspect Linux malware before execution, during execution, and after execution (post-mortem analysis) by performing static, dynamic and memory analysis with open source tools. Limon runs the malware in a controlled environment and monitors its activities and those of its child processes to determine the nature and purpose of the sample. It records the malware's process activity and its interaction with the file system and the network, performs memory analysis, and stores the analyzed artifacts for later analysis.



Working of Limon

Limon performs the steps below to analyze a Linux malware sample.

Takes the sample as input
Performs static analysis
Starts the virtual machine (VM)
Transfers the malware to the VM
Runs the monitoring tools (to monitor process, file system and network activity)
Executes the malware for the specified time
Stops the monitoring tools
Suspends the VM
Acquires the memory image
Performs memory analysis using the Volatility framework
Stores the results (final reports, desktop screenshot, pcaps and malicious artifacts for later analysis)



Limon relies on various open source tools to perform static, dynamic and memory analysis, so these tools need to be installed for Limon to work (some on the host machine, some in the analysis machine, and some in both). Some of them come installed with default Linux installations. Below is the list of tools Limon relies on:

YARA-python
virustotal
ssdeep
strings
ldd
readelf
inetsim
tcpdump
strace
Sysdig
Volatility memory forensics framework


Supported File Types

Limon can analyze the file types below (both with and without parameters):

ELF executable (both x86 and x86_64)
Perl script
Python script
Shell script
Bash script
PHP script
Loadable kernel module (LKM)


Analyzing Linux Malware


General Features of Limon

Option to run in sandbox mode (the malware is not allowed to connect to its C2)
Option to run in internet mode (the malware is allowed to connect to its C2)
Simulates all services (such as DNS, HTTP and other protocols) when run in sandbox mode
Option to run malware for specified time (default is 60 seconds)
Captures desktop screenshot
Reports on the malware behaviour


Static Analysis Features

Below are the static analysis capabilities of Limon:

Determines file type
Determines file size
Determines md5 hash
Determines fuzzy hash (ssdeep hash)
Compares the fuzzy hash with previously submitted samples to determine similar variants
Displays the ELF header structure
Dumps ASCII and UNICODE strings
Determines packers using YARA rules
Determines malware capability using YARA rules (ability to run custom YARA rules will be added soon)
Performs an md5 search on VirusTotal (does not submit samples)
Displays dependencies of the malware (shared objects)
Displays program header structures
Displays section header information
Displays the symbol table (both static and dynamic symbols)
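The static checks listed above, computed directly over a constructed sample, as an added example that is not Limon's own code: file-type detection by ELF magic or shebang across the supported script types, md5, the ELF header fields, and ASCII strings. The sample ELF bytes, the category dictionaries and the function names are this example's own assumptions.

```python
import hashlib
import re
import struct
# Added example, not Limon's own code: the static indicators Limon reports, computed directly.
# The ELF64 header below is constructed for this example (64 header bytes + a fake body), not a real program.
SAMPLE_ELF = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8                                   # e_ident
              + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x401000, 64, 0, 0, 64, 56, 1, 64, 0, 0)  # rest of Ehdr
              + b"\x00/bin/sh\x00connect\x00ab\x00GET / HTTP/1.1\x00")                         # fake body
SHEBANGS = [("perl", "Perl script"), ("python", "Python script"), ("bash", "Bash script"),
            ("sh", "Shell script"), ("php", "PHP script")]      # order matters: "bash" before "sh"
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}
E_MACHINE = {3: "x86", 62: "x86_64"}

def file_type(data: bytes) -> str:
    """Classify a sample into the kinds Limon accepts: ELF (x86/x86_64) or an interpreted script."""
    if data[:4] == b"\x7fELF":
        return "ELF x86_64" if data[4] == 2 else "ELF x86"       # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    first = data.split(b"\n", 1)[0].decode("latin-1").strip()
    if first.startswith("<?php"):
        return "PHP script"
    if first.startswith("#!"):                                   # #!/usr/bin/env python3, #!/bin/sh, ...
        argv = first[2:].split()
        prog = argv[1] if len(argv) > 1 and argv[0].endswith("/env") else (argv[0] if argv else "")
        name = prog.rsplit("/", 1)[-1]
        for key, label in SHEBANGS:
            if name.startswith(key):
                return label
    return "unknown"

def elf_header(data: bytes) -> dict:
    """The ELF header fields Limon displays: class, byte order, object type, machine and entry point."""
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")     # EI_DATA: 1 = little endian
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    e_entry = struct.unpack_from(end + ("Q" if is64 else "I"), data, 24)[0]
    return {"class": "ELF64" if is64 else "ELF32", "endian": "little" if end == "<" else "big",
            "type": E_TYPE.get(e_type, str(e_type)), "machine": E_MACHINE.get(e_machine, str(e_machine)),
            "entry": hex(e_entry)}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, what `strings -n 4` would print."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def static_triage(data: bytes) -> dict:
    """Bundle the static indicators: type, size, md5, strings and, for ELF samples, the header."""
    report = {"type": file_type(data), "size": len(data),
              "md5": hashlib.md5(data).hexdigest(), "strings": ascii_strings(data)}
    if data[:4] == b"\x7fELF":
        report["elf_header"] = elf_header(data)
    return report
```

Fuzzy hashing, YARA matching and the VirusTotal lookup are left out here because they need the ssdeep and yara-python bindings and network access.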


Dynamic Analysis Features

Limon offers several options for performing dynamic analysis to track the malware's activity during execution; the options are:

Filtered call trace for tracing system calls related to file, process and network activity
Unfiltered call trace, which traces all system calls (more noisy)
Filtered system event monitoring to track file, process and network activity (less noisy)
Unfiltered system event monitoring to track file, process, network, memory allocation/deallocation, signals etc. (more noisy)
Shows DNS summary
Shows TCP conversations
Stores packet captures
Stores event trace dump
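An added example, not Limon's own code, of what the filtered call trace option does: keep only the file, process and network system calls out of a full trace and drop the rest, then pull the endpoint out of each successful connect() as the syscall-side counterpart of the TCP conversation summary. The strace -f style log, the category sets and the function names are this example's own constructions, not Limon's.

```python
import re
# Added example, not Limon's own code. TRACE is a constructed `strace -f` style log (pid  call(args) = result),
# not a real capture; the category sets and function names are this example's assumptions.
TRACE = """\
1234  execve("/tmp/sample", ["/tmp/sample"], 0x7ffd1c2a3b40 /* 12 vars */) = 0
1234  brk(NULL) = 0x5582a3c7c000
1234  openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
1234  socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1234  connect(4, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
1234  connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.11")}, 16) = -1 ECONNREFUSED (Connection refused)
1234  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f3a) = 1235
1235  openat(AT_FDCWD, "/tmp/.x", O_WRONLY|O_CREAT, 0755) = 5
1235  write(5, "#!/bin/sh\\n"..., 64) = 64
1234  wait4(1235,  <unfinished ...>
1235  exit_group(0) = ?
"""
# Calls kept by the filtered trace, grouped as the report groups them: file, process, network.
CATEGORIES = {
    "file": {"open", "openat", "creat", "unlink", "unlinkat", "rename", "chmod", "mkdir"},
    "process": {"execve", "fork", "vfork", "clone", "clone3", "kill", "ptrace", "exit_group"},
    "network": {"socket", "connect", "bind", "listen", "accept", "accept4", "sendto", "recvfrom"},
}
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(.*)$")
ENDPOINT_RE = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([\d.]+)"\)')

def filter_trace(trace: str) -> list:
    """Keep file/process/network calls and drop the noise (brk, write, ...); strace's
    '<unfinished ...>' fragments have no ') = result' tail and are skipped as well."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, call, args, result = m.groups()
        for category, names in CATEGORIES.items():
            if call in names:
                events.append({"pid": int(pid), "category": category, "call": call,
                               "args": args, "result": result})
    return events

def tcp_conversations(events: list) -> list:
    """(pid, dst_ip, dst_port) for each connect() that returned 0; failed connects are left out."""
    convs = []
    for ev in events:
        if ev["call"] == "connect" and ev["result"] == "0":
            m = ENDPOINT_RE.search(ev["args"])
            if m:
                convs.append((ev["pid"], m.group(2), int(m.group(1))))
    return convs
```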


Memory Analysis features

Limon performs post-mortem analysis using the Volatility memory forensics framework. This should help in detecting stealthy rootkits and malware that uses anti-forensic tricks. Below are the memory analysis features:

Option to perform verbose memory forensics (slow)
Process Listing (using different methods)
Process tree listing
Process listing with process arguments
Displays the threads associated with each process
Displays network connections (TCP and UDP)
Displays Interface Information
Displays processes running with RAW sockets
Displays shared libraries associated with the processes (using different methods)
Displays kernel modules
Displays kernel modules hidden from the module list but present in SYSFS
Displays Kernel modules hidden from both module list and SYSFS
Displays files opened within kernel
Displays processes sharing credential structures
Checks for keyboard notifier hooks
Checks for TTY hooks
Checks for system call table modification
Displays BASH history
Checks for modified file operation structures
Checks hooked network operation function structures
Checks netfilter hooks
Checks for inline kernel hooks
Checks for code or binary injection
Checks for PLT/GOT hooks (only in verbose mode)
Checks for userland api hooks (only in verbose mode)

Source & Download

https://n0where.net/analyzing-linux-malware-sandbox-limon/