Author: Aubrey Thomas
Deject: Malware Reverse Engineering Toolbox
GitHub Repository: https://github.com/WithSecureLabs/deject
The tool we are releasing today – Deject – provides blue teams with a powerful Reverse Engineering capability. Deject is a command-line tool that runs various tools over a file, such as Yara, MalDuck and 1768.py to quickly identify if a file is malicious. Although the original purpose was to speed up memory dump (DMP) analysis, functionality has been added for PE, ELF, Mach-O, DMG, PDF and PCAP files.
Overview
When Reverse Engineering, there are certain tools that are always run against the sample to determine what the sample is and what it does. Deject automates some of these analysis tasks, like highlighting memory regions that might be of further interest, pulling information out of memory dumps (such as Cobalt Strike configuration), or listing libraries to give an overview of what the sample could do. Quick analysis is vital when this could be a live attacker on a network.
Deject is written entirely in Python and utilises modules from various sources to build a one-stop-shop for reverse engineering. Deject's development initally started in 2020, as an internship project to speed up memory dump analysis when triaging hosts.
Benefits
Deject has been used by WithSecure during investigations, especially in those that require confirming whether memory injections are malicious or not. During Red Team engagements, Deject has been used to get the Cobalt Strike configurations of beacons used to better track the Red Team activity. The tool abstracts away multiple tools and incorporates them in one command. This allows for focusing on what is important instead of searching for, or downloading, the tools required, or spending time reading manual pages.
Key Features
Deject provides multiple plugins that allow for triaging PE, ELF, DMG, DMP, Mach-O, PDF and PCAP files. The key plugins are:
- cobaltstrike_check
- c3_check
- poshc2_check
- malwareconfigextract
- inspect_mmaps
- list_libs
There are more plugins that can be included, and you can even write your own!
Usage with file type
Deject will run certain plugins, depending on the file type specified.
poetry run deject run -t pe <filename>
######################### [ EXECUTING DEJECT ] ##########################
╒══════════════════╤══════════════════════════════════════════════════════════════════════╕
│ Deject │ Setting │
╞══════════════════╪══════════════════════════════════════════════════════════════════════╡
│ file │ <filename> │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ file type │ pe │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ quiet mode │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ save dumps │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ excluded plugins │ [] │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ plugin args │ False │
╘══════════════════╧══════════════════════════════════════════════════════════════════════╛
Running the selected plugins: {'pe_sections', 'c3_check', 'malwareconfigextract', 'pe_hashes', 'pe_hashlookup', 'qakbot_check', 'pe_exports', 'pe_imports', 'list_libs', 'poshc2_check', 'agenttesla_behaviour', 'cobaltstrike_check', 'pe_checks'}
Default Plugins
If no file type is specified, a small selection of plugins will be run by default that are known to work for most file types:
poetry run deject run <filename>
######################### [ EXECUTING DEJECT ] ##########################
╒══════════════════╤══════════════════════════════════════════════════════════════════════╕
│ Deject │ Setting │
╞══════════════════╪══════════════════════════════════════════════════════════════════════╡
│ file │ <filename> │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ file type │ │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ quiet mode │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ save dumps │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ excluded plugins │ [] │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ plugin args │ False │
╘══════════════════╧══════════════════════════════════════════════════════════════════════╛
Running the selected plugins: {'list_libs', 'pe_hashlookup', 'pe_exports'}
Include/Exclude a plugin
You can include or exclude a plugin to run, along with the defaults. To include a plugin, use the '--include' switch, as shown below:
poetry run deject run -t pe --include yarascan <filename>
######################### [ EXECUTING DEJECT ] ##########################
╒══════════════════╤══════════════════════════════════════════════════════════════════════╕
│ Deject │ Setting │
╞══════════════════╪══════════════════════════════════════════════════════════════════════╡
│ file │ <filename> │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ file type │ pe │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ quiet mode │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ save dumps │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ excluded plugins │ [] │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ plugin args │ False │
╘══════════════════╧══════════════════════════════════════════════════════════════════════╛
Running the selected plugins: {'pe_sections', 'qakbot_check', 'yarascan', 'list_libs', 'cobaltstrike_check', 'pe_hashlookup', 'pe_hashes', 'malwareconfigextract', 'c3_check', 'pe_exports', 'pe_checks', 'agenttesla_behaviour', 'pe_imports', 'poshc2_check'}
Default plugins can also be excluded, by specifying the '--exclude' switch.
poetry run deject run -t pe --exclude pe_hashlookup <filename>
######################### [ EXECUTING DEJECT ] ##########################
╒══════════════════╤══════════════════════════════════════════════════════════════════════╕
│ Deject │ Setting │
╞══════════════════╪══════════════════════════════════════════════════════════════════════╡
│ file │ <filename> │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ file type │ pe │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ quiet mode │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ save dumps │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ excluded plugins │ ['pe_hashlookup'] │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ plugin args │ False │
╘══════════════════╧══════════════════════════════════════════════════════════════════════╛
Running the selected plugins: {'pe_imports', 'c3_check', 'pe_sections', 'poshc2_check', 'malwareconfigextract', 'qakbot_check', 'pe_checks', 'pe_hashes', 'pe_exports', 'agenttesla_behaviour', 'cobaltstrike_check', 'list_libs'}
Include and Exclude can be used to run a single plugin by including the plugin that is to be run and excluding all other plugins with an asterisk (*), as shown below:
poetry run deject run --include list_libs --exclude \* <filename>
######################### [ EXECUTING DEJECT ] ##########################
╒══════════════════╤══════════════════════════════════════════════════════════════════════╕
│ Deject │ Setting │
╞══════════════════╪══════════════════════════════════════════════════════════════════════╡
│ file │ <filename> │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ file type │ │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ quiet mode │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ save dumps │ False │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ excluded plugins │ ['*'] │
├──────────────────┼──────────────────────────────────────────────────────────────────────┤
│ plugin args │ False │
╘══════════════════╧══════════════════════════════════════════════════════════════════════╛
Running the selected plugins: {'list_libs'}
Help
To get help with a plugin, run the 'help' command:
poetry run deject help pe_hashlookup
Get usage help with running Deject, by using the following:
poetry run deject run --help
You can also list all plugins available to Deject by using the 'plugins' command:
poetry run deject plugins