-
Notifications
You must be signed in to change notification settings - Fork 0
/
Program.cs
113 lines (97 loc) · 4.16 KB
/
Program.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
// Scan a Windows computer for traces of a variant of NetWalker ransomware
// Copyright(C) 2021 David Cachau
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
using System;
using System.IO;
using System.Collections.Generic;
namespace NetWalkerAnalysis
{
class Program
{
/// <summary>
/// The entry point of the analyser
/// </summary>
/// <param name="args">Command line args</param>
static void Main(string[] args)
{
Logger.ResultDir = "C:\\NWA-(" + HostDataCollector.GetHostname() + ")-Result-" + DateTime.Now.ToString("yyyy-MM-dd-HH-mm-ss");
Directory.CreateDirectory(Logger.ResultDir);
Logger.Console("Running on " + (HostDataCollector.GetHostname()));
if (HostDataCollector.IsAdministrator())
{
Logger.Console("Running as Administrator, continue");
}
else
{
Logger.Console("Not running as Administrator, abort !");
Console.ReadLine();
System.Environment.Exit(1);
}
Logger.Console("Mounted drives:");
foreach (string l in FileSystemAnalyser.GetDisks())
{
Logger.Console(" - " + l);
}
Logger.WriteFile("Drives", FileSystemAnalyser.GetDisks());
Logger.Console("Shares:");
foreach (string s in ShareCollector.GetShares())
{
Logger.Console(" - " + s);
}
Logger.WriteFile("Shares", ShareCollector.GetShares());
List<string> files = FileSystemAnalyser.Scan();
List<string> allReadme = FileSystemAnalyser.ListReadme(files);
List<string> sharesReadme = FileSystemAnalyser.ListReadmeOnShares(files);
List<string> notSharesReadme = FileSystemAnalyser.ListReadmeNotOnShares(files);
bool exePresent = FileSystemAnalyser.HasSuspiciousExe(files);
if (allReadme.Count > 0)
{
Logger.Console("!!!!! Readme file detected, this machine is compromised !!!!!");
}
List<string> users = UserAccountCollector.GetUsers();
if (users.Contains("adfs"))
{
Logger.Console("!!!!! adfs account detected, this machine may be compromised !!!!!");
}
Logger.WriteFile("Malicious-Present", exePresent ? "True" : "False");
// don4t remove the ADFS direcotry
//UserAccountCollector.RemoveUser("adfs");
// This is unused by our variant of NetWalker
//RegistryAnalyser.Scan();
Logger.WriteFile("ADFS-Present", UserAccountCollector.HasAdfs() ? "True" : "False");
if (allReadme.Count > 0 || exePresent)
{
ResultDisplayer.Locked();
Logger.Console("Readme found: " + allReadme.Count);
Logger.Console("Readme found on drives: " + notSharesReadme.Count);
Logger.Console("Readme found on shares: " + sharesReadme.Count);
Logger.Console("Malicious EXE present: " + (exePresent ? "Yes" : "No"));
Console.WriteLine();
}
else if (UserAccountCollector.HasAdfs())
{
ResultDisplayer.Unclean();
Logger.Console("ADFS account detected");
Console.WriteLine();
}
else
{
ResultDisplayer.Clean();
}
Console.WriteLine("Press Enter to quit...");
Console.ReadLine();
}
}
}