Author Topic: [Python Release] SystemLookup via Command Line  (Read 668 times)

0 Members and 2 Guests are viewing this topic.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
[Python Release] SystemLookup via Command Line
« on: November 07, 2014, 10:05:59 am »
I created a parser for SystemLookup.com, which is a really useful site, especially for malware fighters. It has information about files, drivers, startup entries, etc. of Windows systems and helps you to determine if an entry is malicious or legit.

The tool that I wrote queries SystemLookup.com, so you can use the website on your command line.

Download:

https://github.com/katjahahn/SystemLookup/archive/master.zip

Installation:

Install the package to your system via

Code: [Select]
python setup.py install
Usage:



E.g. search for autostart entry with name "lsass"

Code: [Select]
python systemlookup.py --list O4 -t name "lsass"
Perform a global search in all lists for the same entry:

Code: [Select]
python systemlookup.py -t name "lsass"
Example Output:

This example makes a global search for all items with the filename "explore.exe" (commonly used name by malicious files)

Code: [Select]
> python systemlookup.py -t filename "explore.exe"
ShellExecuteHooks: no results

DPF ActiveX Installs: no results

Firefox Extensions: no results

Drivers: no results

------------------------
|| List: Active Setup ||
------------------------

(no name), X
------------

CLSID: {58MW02OU-BMMR-28DK-874N-UT76IGAYQ03F}
Filename: explore.exe
Description: Infostealer trojan,   see here

(no name), X
------------

CLSID: {PD2P6745-0SUE-8QQ6-PQ1K-1TD4F7S47FGU}
Filename: explore.exe
Description: Infostealer trojan, see here

(no name), X
------------

CLSID: {ATDQTSLC-35HK-VGUU-82PT-0G1S5SD5L854}
Filename: explore.exe
Description: Infostealer trojan, detected by Microsoft as  Backdoor:Win32/Xtrat.A - also see here

(no name), X
------------

CLSID: {MXWW416X-40N0-12B0-D858-5A1E1HS5NCWS}
Filename: explore.exe
Description: Infostealer trojan, detected by Microsoft as Worm:Win32/Rebhip.A - also see here

(no name), X
------------

CLSID: {DABBE4EE-FDE1-AC12-D536-A9CAAEC7DBFB}
Filename: explore.exe
Description: Infostealer trojan, detected by Microsoft as Worm:Win32/Ainslot.A - also see here

(no name), X
------------

CLSID: {T6PB7PQ7-1L7I-K6WM-3YAB-15X4K1JP271L}
Filename: explore.exe
Description: Infostealer trojan, detected by Microsoft as Worm:Win32/Rebhip.A - also see here

(no name), X
------------

CLSID: {08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}
Filename: explore.exe, server.exe, service.exe, svchost.exe,  svhost.exe, jtdll.exe, ieploxe.exe, messenger.exe, adobe.exe, other filenames
Description: Infostealer trojan,  detected as Trojan.Win32.Llac.chs - also see here

BHO, Toolbars, URLSearchHooks, Explorer Bars: no results

Internet Explorer Buttons: no results

-------------------------------------
|| List: Startup / Autorun Entries ||
-------------------------------------

Default, X
----------

Filename: explore.vbs
Description: Added by the  VBS.Allem WORM!

HKCU, X
-------

Filename: explore.exe
Description: Identified by Microsoft as Worm:Win32/Rebhip.A.  Information at Threat Expert Note: Located in %windows%\system32\config

Explorer, X
-----------

Filename: explore.exe
Description: Identified by Microsoft as Worm:Win32/Rebhip.A.  Information at Threat Expert Note: Located in %windows%\system32\config  Note: This entry is loaded through one of the "Policies" startup keys.

HKLM, X
-------

Filename: explore.exe
Description: Identified by Microsoft as Worm:Win32/Rebhip.A.  Information at Threat Expert Note: Located in %windows%\system32\config

HBService, X
------------

Filename: explore.exe
Description: Detected as Trojan-GameThief.Win32.OnLineGames.suaq by Kaspersky.

Windows Workstation Service, X
------------------------------

Filename: explore.exe
Description: Unknown malware.

Window, X
---------

Filename: explore.exe
Description: Added by the GAOBOT.ADW WORM!

Video Services, X
-----------------

Filename: explore.exe
Description: Added by a  W32.Gaobot.GL worm infection

Update Windows, X
-----------------

Filename: EXPLORE.EXE
Description: Added by an unidentified TROJAN! of the Sdbot family.  Note: This worm\trojan is located in C:\Windows\System (Win9x/Me), C:\%WINDIR%\System32 (XP/WinNT/2K)

SystemExplorer, X
-----------------

Filename: explore.exe
Description: Homepage hijacker - file located in the "Services" folder in Common Files

rx, X
-----

Filename: explore.exe
Description: Troj/Zhengtu-A Note: Read the link, steals information

EXPLORER MICROSOFT SYSTEM, X
----------------------------

Filename: explore.exe
Description: Added by a variant of the  WIN32.RBOT WORM!

explore.exe, X
--------------

Filename: Explore.exe
Description: Added by the GRAYBIRD.G VIRUS!

explore manager, X
------------------

Filename: explore.exe
Description: Added by the  DONBOMB.A TROJAN!

Explore, X
----------

Filename: explore.exe
Description: Adult content dialler

explore, X
----------

Filename: explore.exe
Description: Added by the   W32.Hawawi WORM!

yige, X
-------

Filename: explore.exe
Description: Unidentified malware.  Note: Located in \%Windir%\%System%\wbem\

AppInit_DLLs & Winlogon Notify: no results

Extra Protocols: no results

Shared Task Scheduler: no results

ShellServiceObjectDelayLoad: no results

LSPs: no results

--------------------
|| List: Services ||
--------------------

neruo.exe (NeroFilterCheck), X
------------------------------

Filename: Explore.exe
Description: Added by the  SDBOT.DIH WORM!  Note: Read the link, rootkit type stealth involved.

Window (MPRS), X
----------------

Filename: explore.exe
Description: Added by a variant of the  W32/SDBOT WORM!  Note: This worm\trojan is located in  C:\%WINDIR%\System32\ (XP/WinNT/2K)

Windows explorer, X
-------------------

Filename: explore.exe
Description: Added by an unidentified TROJAN! of the Sdbot family.  Note: This worm\trojan is located in C:\%WINDIR%\ folder.

Source:

https://github.com/katjahahn/SystemLookup

Changelog:

* Global search added
* Titles changed
* setup.py added
* LICENSE added
« Last Edit: April 01, 2015, 09:19:39 am by Deque »

Offline Kulverstukas

  • Administrator
  • Zeus
  • *
  • Posts: 6627
  • Cookies: 542
  • Fascist dictator
    • View Profile
    • My blog
Re: [Python Release] SystemLookup via Command Line
« Reply #1 on: November 07, 2014, 11:53:13 am »
Some python from you for a change :D <3

Offline d4rkcat

  • Knight
  • **
  • Posts: 287
  • Cookies: 115
  • He who controls the past controls the future. He who controls the present controls the past.
    • View Profile
    • Scripts
Re: [Python Release] SystemLookup via Command Line
« Reply #2 on: November 07, 2014, 07:58:19 pm »
Cool tool, thanks for the code.
Is this linked to that NIST database of known "good" file hashes?
+1
Jabber (OTR required): thed4rkcat@einfachjabber.de    Email (PGP required): thed4rkcat@yandex.com    PGP Key: here and here     Blog

<sofldan> not asking for anyone to hold my hand uber space shuttle door gunner guy.


Offline kenjoe41

  • Symphorophiliac Programmer
  • Administrator
  • Baron
  • *
  • Posts: 990
  • Cookies: 224
    • View Profile
Re: [Python Release] SystemLookup via Command Line
« Reply #3 on: November 07, 2014, 08:13:39 pm »
Some python from you for a change :D <3
Quite talented you could say. i am still waiting on when she will awaken her C/C++ side. She keeps it domant or doesn't publicise it. It hurts me,rflol.
If you can't explain it to a 6 year old, you don't understand it yourself.
http://upload.alpha.evilzone.org/index.php?page=img&img=GwkGGneGR7Pl222zVGmNTjerkhkYNGtBuiYXkpyNv4ScOAWQu0-Y8[<NgGw/hsq]>EvbQrOrousk[/img]

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Python Release] SystemLookup via Command Line
« Reply #4 on: November 09, 2014, 12:35:10 pm »
Some python from you for a change :D <3

I did publish python sources before, though. :P

Cool tool, thanks for the code.
Is this linked to that NIST database of known "good" file hashes?
+1

Thank you. Systemlookup.com has its own database as far as I can tell.

Quite talented you could say. i am still waiting on when she will awaken her C/C++ side. She keeps it domant or doesn't publicise it. It hurts me,rflol.

 ;D


Will be updating this tool soon.

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Python Release] SystemLookup via Command Line
« Reply #5 on: November 09, 2014, 12:56:48 pm »
Update done. I've got a github repo for it now.

Changelog:

* Global search added
* Titles changed
* setup.py added
* LICENSE added

Offline Deque

  • P.I.N.N.
  • Global Moderator
  • Overlord
  • *
  • Posts: 1203
  • Cookies: 518
  • Programmer, Malware Analyst
    • View Profile
Re: [Python Release] SystemLookup via Command Line
« Reply #6 on: November 10, 2014, 12:31:52 pm »
Systemlookup is now available on pypi.
Installation can be done via:

Code: [Select]
pip install systemlookup
This will install systemlookup as command for your shell.