
Introducing Ragno: IOC Multiplier

Cast a wide net from a single IOC and extract the IOCs for the entire campaign


TL;DR: Use this Python tool to take one IOC (IP addresses only in this first release), expand it to every IOC related to it, download the complete list from VT and block those to neutralise the entire campaign (or get very close to it).
Ragno uses the VirusTotal API to query the popular OSINT platform.
Just like a spider, the tool launches 'webs', which are searches based on the IOC you provide. Each web can return multiple results, and this is how we end up with an exhaustive list of IOCs that can be used to contain an entire malware campaign.
The idea behind Ragno is to respond rapidly to an active malware campaign: take a single network-based IOC, expand from it very quickly to the network infrastructure of the entire campaign, and block those IOCs at your network perimeter so that the malware cannot execute successfully inside your network. Most of these campaigns rely on a connection back to the C2 to download their configuration and, in some cases, further malicious files. If you can block the majority of these IOCs at the perimeter, the chances of the campaign hitting your network are greatly reduced.
Please note that this tool relies on the OSINT available from VT and cannot be relied on for a complete list of IOCs for every malware campaign. Use it as a rapid-response tool to collect as many IOCs as possible within a few seconds.
You’ll need Python 3 to run Ragno.

Configuring Ragno

This is a very simple step. Just open ‘ragno.conf’ and enter your VT API key.


Launch Ragno

After you have downloaded the code from GitHub, simply run the main file:


Usage

Again, Ragno is very easy and simple to use. Simply enter the IP you have (from dynamic analysis, a PCAP, sandboxing or even from VT) and follow the instructions. I have configured Ragno to cast 10 webs for each search. Each web can return anywhere between 1 and 100 results, so you can see how quickly the list expands once you start casting webs.


We’ll use an example I took from a recent malware campaign:


Hit Enter and then select an option:


Communication Files:

Files that communicate with the IP address. We will expand this section to 10 levels and then extract all the network-infrastructure information we can to build out our campaign IOC list. Please note that you will not always get all 10 levels; it depends on how much OSINT is available for your search.


As you can see from the screenshot above, some of our webs have returned results and we can now start building our list. This happens in the next step.


Ragno writes all the extracted IOCs to a text file and reformats them in an easy-to-read manner. 'IOC-list-communicating.txt' contains every IOC, and the list is ready to use.
You can also print the entire list to screen by selecting option 1 from the presented menu:


As you can see above, we have extracted a long list of IPs associated with our initial search. In this example the entire network list is more than 200 IPs, all of which VT flags as 'malicious', and they can be blocked on the strength of this OSINT report. Before pushing the list to the perimeter, skim it for shared infrastructure (hosting providers, CDNs, sinkholes) that the campaign has touched but that you would not want to block outright.
The entire operation took less than a minute :)

Downloaded Files:

Files downloaded from the IP address. Again, we will try to expand to 10 levels and get all the file names associated with this IOC. This helps build out our malicious file-name database, which can be used to block files on endpoints or for detection. Again, don't expect all 10 webs to come back with results in every search.
Let’s take a look at the same IP from the above example for this purpose:


Now let's take a look at the reformatted version:


There you have it: the entire list of IPs for the campaign and a comprehensive list of malware and other file names associated with this IP.
You can keep expanding the list by going after individual IPs from it and expanding those in turn, but at some point you'll notice duplicate IOCs in your list, because the infrastructure available to the actors running the campaign is limited.
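To make the expansion concrete, here is a small Python implementation written for this post of the two searches described above (communicating files and downloaded files), the 10 webs per search and the de-duplication you hit when you keep expanding. It is an added example, not Ragno's own code. It assumes the VirusTotal v3 relationship endpoints /ip_addresses/{ip}/communicating_files, /ip_addresses/{ip}/downloaded_files and /files/{sha256}/contacted_ips, the x-apikey header, cursor pagination via meta.cursor and a page cap of 40; those are assumptions about the API, not details taken from the post. FAKE_VT is constructed sample data so the block runs offline; swap in vt_fetcher(key) with the key from ragno.conf to run it against VT.

```python
"""Expand one IP IOC into campaign infrastructure via the VirusTotal v3 API.

Added example for this post, not Ragno's own code. Assumed API details: the
v3 relationship endpoints, an x-apikey header and meta.cursor pagination.
FAKE_VT below is constructed sample data, not real VirusTotal output.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, Set

VT_BASE = "https://www.virustotal.com/api/v3"
PAGE_SIZE = 40  # assumed page cap for v3 relationship endpoints

# A fetcher maps (relative path, query params) to the parsed JSON response,
# so the same expansion logic runs against the real API or the offline stand-in.
Fetch = Callable[[str, dict], dict]


def vt_fetcher(api_key: str) -> Fetch:
    """Return a fetcher that GETs v3 paths with the key from ragno.conf."""
    def fetch(path: str, params: dict) -> dict:
        url = f"{VT_BASE}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"x-apikey": api_key})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def cast_webs(fetch: Fetch, path: str, max_webs: int = 10) -> Iterator[dict]:
    """Yield related objects one page ('web') at a time, at most max_webs pages.
    Stops early when VT returns no cursor, which is why not every search
    comes back with all 10 webs."""
    cursor = None
    for _ in range(max_webs):
        params: dict = {"limit": PAGE_SIZE}
        if cursor:
            params["cursor"] = cursor
        page = fetch(path, params)
        yield from page.get("data", [])
        cursor = page.get("meta", {}).get("cursor")
        if not cursor:
            break


def expand_communicating(fetch: Fetch, ip: str, max_webs: int = 10) -> Dict[str, Set[str]]:
    """Seed IP -> files that talk to it -> every IP those files contact.
    Sets dedupe the overlap you get when samples share C2 infrastructure;
    the seed IP itself is dropped from the result."""
    files = {f["id"] for f in cast_webs(fetch, f"/ip_addresses/{ip}/communicating_files", max_webs)}
    ips: Set[str] = set()
    for sha256 in sorted(files):
        ips.update(o["id"] for o in cast_webs(fetch, f"/files/{sha256}/contacted_ips", max_webs))
    ips.discard(ip)
    return {"files": files, "ips": ips}


def expand_downloaded(fetch: Fetch, ip: str, max_webs: int = 10) -> Dict[str, Set[str]]:
    """Seed IP -> files downloaded from it -> their hashes and known file names."""
    hashes: Set[str] = set()
    names: Set[str] = set()
    for f in cast_webs(fetch, f"/ip_addresses/{ip}/downloaded_files", max_webs):
        hashes.add(f["id"])
        names.update(f.get("attributes", {}).get("names", []))
    return {"files": hashes, "names": names}


def format_ioc_list(values: Set[str]) -> str:
    """One IOC per line, sorted, ready for a block list or a detection rule."""
    return "\n".join(sorted(values)) + "\n"


# --- constructed stand-in for VT so the example runs offline (not real data) ---
_A, _B, _C, _D, _E = ("a" * 64, "b" * 64, "c" * 64, "d" * 64, "e" * 64)
FAKE_VT = {
    "/ip_addresses/203.0.113.10/communicating_files": [
        {"data": [{"id": _A}, {"id": _B}], "meta": {"cursor": "p2"}},  # web 1
        {"data": [{"id": _C}], "meta": {}},                             # web 2, last
    ],
    f"/files/{_A}/contacted_ips": [{"data": [{"id": "203.0.113.10"}, {"id": "198.51.100.7"}], "meta": {}}],
    f"/files/{_B}/contacted_ips": [{"data": [{"id": "192.0.2.55"}, {"id": "198.51.100.7"}], "meta": {}}],
    "/ip_addresses/203.0.113.10/downloaded_files": [
        {"data": [{"id": _D, "attributes": {"names": ["invoice.doc"]}},
                  {"id": _E, "attributes": {"names": ["update.exe", "invoice.doc"]}}], "meta": {}},
    ],
}


def fake_fetch(path: str, params: dict) -> dict:
    """Serve FAKE_VT pages; cursor 'pN' selects page N, unknown paths are empty."""
    pages = FAKE_VT.get(path, [{"data": [], "meta": {}}])
    return pages[int(params.get("cursor", "p1")[1:]) - 1]


if __name__ == "__main__":
    seed = "203.0.113.10"
    print(format_ioc_list(expand_communicating(fake_fetch, seed)["ips"]), end="")
    print(format_ioc_list(expand_downloaded(fake_fetch, seed)["names"]), end="")
```

With the constructed data, the seed expands to two C2 IPs even though three samples reported four contacts, because one IP is shared between samples and one is the seed itself; that is the duplication you see once the actor's infrastructure is exhausted. Lowering max_webs caps how far each search goes, which is the knob to turn when the public API quota is tight.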
This is the first release, I’ll keep adding more features and functions to it.
Please feel free to use it, share it and fork it!
Thanks!
