Ruby and Yara on Debian environment

I am currently working on a yara project in ruby, and i just wanted to do a quick documentation on how to install yara to use with ruby on a debian environment. This post assumes you have a working ruby installation on your system.

Requirements

Repository

• G++ & pcre library
• Build Essentials
• G++
• Libpcre3
• Libpcre3-dev

sudo apt-get install build-essentials g++ libpcre3 libpcre3-dev

Yara

Go to Yara project site and download yara source code, extract and compile it. (currently it is at version 1.6.)

cd yara-source/

./configure && make && sudo make install

Installation

Yara ruby-gem

sudo gem install yara

I then tried to load the library in IRB but ended up with this error 

irb(main):001:0> require 'yara'

LoadError: libyara.so.0: cannot open shared object file: No such file or directory - /var/lib/gems/1.9.1/gems/yara-1.6.0/lib/yara_native.so

from <internal:lib/rubygems/custom_require>:29:in `require'

from <internal:lib/rubygems/custom_require>:29:in `require'

from /var/lib/gems/1.9.1/gems/yara-1.6.0/lib/yara.rb:18:in `<top (required)>'

from <internal:lib/rubygems/custom_require>:33:in `require'

from <internal:lib/rubygems/custom_require>:33:in `rescue in require'

from <internal:lib/rubygems/custom_require>:29:in `require'

from (irb):1

from /usr/bin/irb1.9.1:12:in `<main>'

Library problems

libyara.so.0 is located in /usr/local/lib/libyara.so.0. To fix this added path to /etc/ld.so.conf and ran ldconfig

sudo sh -c "echo '/usr/local/lib' >> /etc/ld.so.conf" && sudo ldconfig

A botnets compromise - Pt 1

Like i have stated in earlier posts, i tried Dionaea Honeypot to receive malware samples during my studies.
I decided to do a live analysis of one sample i received - which i ran on a highly monitored network with a OpenBSD transparent bridge acting as a honeywall to log and control network traffic.
While i analyzed the network traffic i realized the malware infected the machine with several different specimens of malicious software.
In this post i will do both static and dynamic analysis on each of the received specimens to determine what characteristics, how they work together (and how to remove them safely). As these samples are all old when i write this post one could easily use a anti-virus scanner to remove them. C&C represented here are also no longer alive.

The exploit used to compromise the honeypot was MS08-67 a well known vulnerability which was critical to windows systems. It used this vulnerability to download H2.exe and this is the file i ran on the malware-lab environment.
 To extract files from the network dump i used Wireshark, the file-streams are shown below.

 Downloaded files

Static Analysis

I tried out Yara to find out whether the file was packed or not and yara was not able to identify a packer on the files except from Bren.exe. 

As i had done some research on the binary received on my honeypot once before during my studies i knew that this was packed with a unknown packer, but for the rest of the files i did not have a clue but one would assume they were packed as well.
I will only display Virustotal information and Fileinfo / Imports information on each file in this Part of the blog. 

VirusTotal Information

#	Filename	File type
1	H2.exe	PE32 executable (GUI) Intel 80386, for MS Windows
2	Hj3.exe	PE32 executable (GUI) Intel 80386, for MS Windows
3	Iii	PE32 executable (GUI) Intel 80386, for MS Windows
4	69n.exe	PE32 executable (GUI) Intel 80386, for MS Windows
5	Dqs.exe	PE32 executable (GUI) Intel 80386, for MS Windows
6	Usb.exe	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
7	Bren.exe	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
8	Ngusp.exe	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Window

File info & Imports

I played around with Ruby and Metasm to extract imports table and other information from the files, alternatively one could use objdump but it is very verbose. All of the files used alot off imports to either unpack it self or as anti-debugging as one will see in the pictures i took from a CLI using the tool i made in ruby.
I will not comment on all of these pictures, but one can see hints in some of the sections that the files might be packed. Some funky sizes and addresses is one good hint, indeed.

h2.exe

There was quite a huge list of imports this file uses. Up on first glance i would believe some of these functions are used to confuse the analyst and some used to unpack this file.

The section ".cod\x1F\x1F" is suspicious and with strings i can confirm that this file is packed.

As this blog-post it not about unpacking malicious software nor analyse them i will continue this post in a Part2 - where i will perform Static and Dynamic analysis on the unpacked files.

Malare - A malware database.

Since i activated my honeypot i have received a lot of different malware, which I at one point should analyse. But the more malicious software i got the harder it is to have control over what files i had analysed, where they came from, where they connect to and so on.

To help me organize files i decided to make a malware database with the help of Ruby Programming language and Sqlite to create a SQL database - and named the project Malare.

With malare i wanted to store malware-samples with wanted information as well as save the binary in its filesystem. To begin with i added features to add samples, remove samples and search the database for a certain keyword. It will store both the database and samples in ~/Desktop/malare and the information i wanted to store in Malare's malware database is

• Filename
• Source from where you got it from
• Domainname of Command & Control Server (C&C)
• IP address to the C&C (Optional)
• Notes (optional)

Malare's help screen.

With that tool i could easily keep track of malware samples. One could also make malare to add samples directly into malare as they got downloaded by Dionaea honeypot. 

I added two options to display results stored in the database, -l (--list) would list all samples stored in the database, and -s (--search) one could search for samples based on either md5sums, c&c or filename.

Below is a sanitized version of the --list option, as one can see i have added a few samples into Malare.

--list option

Below i demonstrate a search based on a filename.

--search option

I have a few other ideas on how to further develop this project and make analysis more easy, but for now this is works pretty good.  Download the project from https://github.com/eugynon/malare.

Debian & IDA 6.3 Demo

During another blog-post i am currently working on, i wanted to try IDA 6.3 demo version. I was working on Debian Squeeze 64bit OS, so without doing any research i downloaded the file and tried to run idag from console.

I then ran into two errors regarding libraries that it could not find, as it was looking for ia32 libraries.

./idaq: error while loading shared libraries: libstdc++.so.6: cannot open shared object file: No such file or directory

./idaq: error while loading shared libraries: libgthread-2.0.so.0: cannot open shared object file: No such file or directory

To resolve these errors i had to install "ia32-libs" and "ia32-libs-gtk" through debian repository.

Manual Unpack malware

It's been a while since i first activated my honeypot and i have received  a number of binaries which all derived from a few different botnets. I have identified three active botnets and 2 botnets which are either shutdown or removed. One botnet is more active than the others, it changes both the malware, domainname and ports the C&C. All the botnets found was IRC based botnets.

I decided to do some analysis on one random file, to learn more about how to unpack obfuscated malware - and eventually do static analysis on the file to learn more about its behavior.

Analysis

When i used the 'file'-utility i saw that the file was UPX compressed, but when i used an automatic UPX decompresser the file got corrupt and couldnt execute. To learn abit more of the malware sample i used Virustotal to see if it's a known malware. 41 Antivirus companies has marked this file as a virus, as we can see in the picture below.

I opened the sample in Ollydbg v-2.01 beta2 and learned that it will unpack and find me an possible entry point upon loading the file. The entrypoint found is 0x004141F0.
All i had to do was dump full memory with LordPE and rebuild the IAT and fix the OEP with ImpREC.

So i chose the process in LordPE and right-click it to chose Dump Full before we open the process in ImpREC. In ImpRec all we do is change OEP to the wanted value, click IAT Autosearch, get imports and fix dump. Now we have a fully functional unpacked sample. 

When i tried to run strings on the new executable i found that it is packed with a second packer - likely a protector / encrypter. I found the section .text and so on as you will see in the picture below. This is a good sign that it is packed yet again.

When i opened the file in OllyDBG it tried to go through the same procedure as before to try to unpack it but this time it executed the sample instead of stopping at the OEP, thus i just opened the original sample and reversed it from there.

I placed a few breakpoints on some common functions used by heap packers.
VirtualAlloc + VirtualAllocEX and WriteProcessMemory. If one have trouble with unpacking a sample one could also try some other functions.
For instance CreateProcess, OpenProcess, CreateRemoteThread and ... more?

Okay, when done i can execute the malware in order to step through and look for the packed content.
After stepping through the program a couple of times with F9 the program will break at WriteProcessMemory and have the value 00B70000 in ECX. This is where the unpacked sample is located. Then it is really just to right-click in the dump window and save the executable.

I did a quick search on VirusTotal on the unpacked sample.

Now i can continue with static analysis of the unpacked sample, but the goal of this blog-post are reached. As we can see below the sample is unpacked and contain readable strings.

Working on a dump.....

I am doing some analysis on some random malware sample i received a while ago, and upon unpacking it i found a binary deep inside the computer's memory. Since ghex was the slow alternative i decided to look at other possibilities to extract the executable from the memory dump.
As seen below, the memory dump starts at 0x00140000, and the DOS header begins at 164c59.

Since we know the offset to the mz header i used pcalc and tail to clean out the garbage and create a unpacked file.

Alternatively, one could use grep -abno MZ to match the MZ string, but this will sometimes create a huge list like in my case - since the dumped size is quite large.

FakeDNS.rb

This weekend i made a simple "FakeDNS" to use in my malware lab environment. There are already a few scripts out there which does the same - but this didnt stop me building my own as the worst would happen is that i would learn something new.....

I found a great source (along with RFC1035)  at networksorcery.com which pretty much explains the DNS protocol. Using those resources along with Wireshark to see how a response is done made it easy to fake a DNS response...

This is what i ended up with when using dig, and it works pretty well as seen below.

Yet another tool in my toolbox, yay!

Download it here: https://github.com/terjehaarstad/fakedns

Simple Toolbox

While i was doing some malware analysis i had to make my analysis somewhat semi automated. In order to achieve this i made a few programs with the wonderful language Ruby.
Ruby makes it easy and fast to make tools for you analysis toolbox, which was just what i needed. As one might see under the source-code; i am not a well educated programmer, but as long as my dirty-code works and makes it easier for me - i couldnt care less to be honest. It's like my car, it's not classy and it smells like shit  - but it works. ;)
There is nothing spectacular about my programs as some of them have already been developed, and humble as i am they might be better ;)
The reason i made those scripts was because i needed to develop my own programming skills in Ruby, and the best way to do that is to learn by doing.

This is just a version 0.0.1 of the gem and for now it contain the most important features althou i am likely to upgrade this gem with more modules later on.
For now it made my analysis of a malware specimen i got a lot easier especially since i am working from CLI and had to document every findings i made during my school assignment.

Gem Link:

Edit:
Decided to add them to github instead, just for kicks... Find source code here.

Ruby and the honeys

While doing some dionaea honeypot analysis i had to make things simple, thats why i made
"Simple program to extract information from Dionaea's sqlite3 logfile". It is required to input the sqllog.sqlite while creating a new object with this class.
In order to save place on me blog i pasted the source code on pastie.org. This way i will keep this blog looking like an actual blog.

require 'sqlite3'

# Reads Dionaea sqlite3 log file

# Queries are stolen from http://carnivore.it/2009/11/06

module MyTools

    class Dionaea

        def initialize(log)

            @log = log

        end

        # BAM!

        def execute_query(sql_query)

            db = SQLite3::Database.new(@log)

            db.execute(sql_query)

        end

        # Sort by most downloaded files

        def most_downloaded

            query = %q{

            SELECT

                COUNT(download_md5_hash),

                download_md5_hash,

                download_url

            FROM

                downloads

            GROUP BY

                download_md5_hash

            ORDER BY

                COUNT(download_md5_hash)

                DESC

            }

            execute_query(query)

        end

        # Sort by "most used download location"

        def most_used_dl

            query = %q{

            SELECT

                COUNT(*),

                download_url

            FROM

                downloads

            GROUP BY

                download_url

            ORDER BY

                COUNT(*)

                DESC;

            }

            execute_query(query)

        end

        # Sort by most aggressive attackers

        def  aggressive_attackers

            query = %q{

            SELECT

                count(*),

                download_md5_hash,

                remote_host,

                download_url

            FROM

                connections

            NATURAL JOIN

                downloads

            GROUP BY

                download_md5_hash,remote_host

            ORDER BY

                COUNT(*)

                DESC

            }   

            execute_query(query)

        end

        # Shows last 24 hours activity

        def last_24hours

            query = %q{

            SELECT

                ROUND((connection_timestamp%(3600*24))/3600) AS hour,

                count(*)

            FROM

                connections

            WHERE

                connection_parent IS NULL

            GROUP BY

                ROUND((connection_timestamp%(3600*24))/3600);

            }

            execute_query(query)

        end

        # Sort by md5s retrieved

        def get_md5s

            query = %q{

            SELECT

                download_md5_hash,

                download_url,

                remote_host

            FROM

                connections

            NATURAL JOIN

                downloads

            GROUP BY

                download_md5_hash,remote_host

            ORDER BY

                download_url

                DESC

            }

            md5s = []

            execute_query(query).each do |result|

                md5s << result.slice(0)

            end

            return md5s

        end

        # Sort by MD5, download url and attackers IP

        def get_jiggy_with_it

            query = %q{

            SELECT

                count(*),

                download_md5_hash,

                download_url,

                remote_host

            FROM

                connections

            NATURAL JOIN

                downloads

            GROUP BY

                download_md5_hash,remote_host

            ORDER BY

                download_url

                DESC

            }

            execute_query(query)

        end

    end

end

A quick android-sdk install guide for ubuntu (12.04)

Download Oracle Java
 http://www.oracle.com/technetwork/java/javase/downloads

We will extract javaXX.tar.gz into /usr/local/java, so lets create that first.
$ sudo mkdir -p /usr/local/java

Then extract it
$ sudo tar -xzvf  javaXX.tar.gz -C /usr/local/java

Then we add a path to java into either /etc/profile, or your local .bashrc file.

# JAVA PATH
JAVA_HOME=/usr/local/java/jdk1.7.0_04
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
JAVA_HOME=/usr/local/java/jre1.7.0_04
PATH=$PATH:$HOME/bin:$JAVA_HOME/bin
export JAVA_HOME
export PATH
# END JAVA PATH

Then we will give the location to where java is
$ sudo update-alternatives --install "/usr/bin/java" "java" "/usr/local/java/jdk1.7.0_04/bin/java" 1
$ sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/local/java/jdk1.7.0_04/bin/javac" 1


Download and install android SDK
http://developer.android.com/sdk/index.html

Download and install Eclipse => helios (3.6). If you have no clue, Eclipse classic is pretty sexy i guess... 
http://www.eclipse.org/downloads/


Add a path to both android-sdk and eclipse inside .bashrc
$ echo "export PATH=${PATH}:~/.android-sdk/tools:~/.android-sdk/platform-tools:~/.eclipse" >> ~/.bashrc

Open eclipse, add new "repository" to install the ADT plugin
https://dl-ssl.google.com/android/eclipse/

I am obviously using ubuntu, so in order to connect to the phone using adb i had to
create a new udev rule.. ("99-android.rules"-filename might differ on ubuntu versions).

$ sudo nano -w /etc/udev/rules.d/99-android.rules

SUBSYSTEM=="usb", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX", MODE="0666"
SUBSYSTEMS=="usb", ATTRS{idVendor}=="XXXX", ATTRS{idProduct}=="XXXX"
TEST=="/var/run/ConsoleKit/database", \
RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"


$ sudo chmod a+rx /etc/udev/rules.d/99-android.rules

If you wonder what your vendor and product id is, simply use the tool lsusb
$ lsusb 
(OUTPUT blah blah blah)
 Bus 001 Device 005: ID XXX1:XXX2 MOBILE PHONE-THINGY

Where XXX1 is Vendor ID, and XXX2 is Product ID.

----------------------------

Then you should be ready to start develop apps.

This is a pretty nice series of tutorials found on youtube:
http://www.youtube.com/watch?v=CxPh1tgiK2g&feature=relmfu

wich starts with how to install the environment and goes on from there.

MySQL cheatsheet

I made yet another casino-game at the end of this assigment from school. Its pretty boring, yes indeed. Anyways, i had this pretty stupid function that was supposed to save user stats into a MySQL DB. It might be one of many stupid ideas while programming the casino, but its a good way to learn.... i hope.

Since i forget the commands between each time i use mysql i created this cheat-sheet. Hopefully this will help me remembering until next time i work with MySQL. Oh, this article doesnt describe anything about securing MySQL.

Oh yeah, i forgot to be a gentleman and use capital letters on sql commands.. shame on me. Its easier to read and easier to sort out variables from commands etc... bear that in mind.

So, assuming you have a mysql root account:
Login:
$ mysql -h localhost -u root_acc -p
-p prompt for password during login.
-h host to connect, this is optional while using localhost.

Create a new user:
mysql> create user 'casino'@'localhost' identified by 'secretpassword';
NOTE: If you want remote connections, use @'IP/HOSTNAME' from the host you are connecting from


Grant access to db:
mysql> grant all on casino_db.* to 'casino'@'localhost'


So, maybe its time to create the supposed casino_db aswell
create database casino_db;


Create tables into DB:
mysql> use casino_db;
mysql> select database();

mysql> create table player
    -> (
    -> PRIMARY KEY (name),
    -> name VARCHAR(25) NOT NULL,
    -> played INT UNSIGNED NOT NULL
    -> );

Inspect database tables (to see variables etc):

mysql> describe player;

Insert into database table:
mysql> insert into player values("NAME", playedINTEGER);

Show table content:
mysql> select * from player

Delete user:
mysql> drop user 'casino'@'localhost'


Delete table:
mysql> drop table player;

Show users:
mysql> select * from mysql.user;


All of this could be put into a *.sql file and implemented by using command
mysql -u root_acc -p < my_template.sql (-u casino -p should also work if you granted user access to specific database)


my_template.sql:


CREATE DATABASE casino_db;
USE casino_db;
SELECT DATABASE();
CREATE TABLE player
(
  PRIMARY KEY (name),
  name VARCHAR(25) NOT NULL,
  played INT UNSIGNED NOT NULL
); 

Remote connections; open /etc/mysql/my.cnf, replace this with your IP.
bind-address            = 127.0.0.1


And restart mysql service
$ sudo service mysql restart

ssh login + no password = ez-mode

At times i find my self type passwords just too often, that again make me lose focus on the stuff i wanted to do.
At those times it is kinda convenient to not have to type password during a ssh-login. Other reasons might be.... automatically control servers, configuration steps ... etc

At the client, type this in terminal:
$ ssh-keygen -t rsa 

Then copy the .pub file to the remote server
$ ssh-copy-id -i .ssh/id_rsa.pub user@host


NOTE: ssh-copy-id is available on Linux distros, but while doing this on an OpenBSD machine you have to copy the public key into authorized_keys.
$ scp .ssh/id_rsa.pub host:.ssh/authorized_keys

Vortex level0, while still learning C....

I have been playing around with overthewire.org first levels of wargame(s) a few times before. Its a golden opportunity for me now to do them in C.
Althou going over the "C-socket hill" was pretty tough, i finally managed it!

The first one i solved was vortex level0.

I did it a few different ways and ended up with a tidy code (i think):

vortex_level0.c

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>

#define HOST "vortex.labs.overthewire.org"
#define PORT "5842"

int sockfd();
int connect_host();
int handle_uints();
int get_tze_pass();

int main()
{
    int socket;
    socket = sockfd();
    connect_host(socket);
    handle_uints(socket);
    get_tze_pass(socket);
    close(socket);
    return 0;
}

int sockfd()
{
    return socket(AF_INET, SOCK_STREAM, 0);
}
int connect_host(int socket)
{
    struct addrinfo hostname, *p;
    memset(&hostname, 0, sizeof(hostname));
    hostname.ai_family = AF_INET;
    hostname.ai_socktype = SOCK_STREAM;

    getaddrinfo(HOST,PORT, &hostname, &p);
    connect(socket, p->ai_addr, p->ai_addrlen);
   
    return 0;
}
int handle_uints(int socket)
{
    int uints[4], i, sum = 0;
    for (i = 0; i < 4; i++) {
        read(socket, &uints[i], 4);
    }
    for (i = 0; i < 4; i++) {
        sum = sum + uints[i];
    }
    send(socket, &sum, sizeof(sum), 0);
    return 0;
}
int get_tze_pass(int socket)
{
    char login[18];
    recv(socket, &login, sizeof(login), 0);
    printf("%s\n", login);
    recv(socket, &login, sizeof(login), 0);
    printf("%s\n", login);
    return 0;
}

A game of Craps (Ruby and Java)

This week i have been reading lots about c language and "programming logics and design". We are supposed to learn C programming and develop a game in the end of this module assignment.

In one example we are writing a game of craps in c... C is just too much typing, and hard to keep control over all syntax' for a newbie, but still learning! :D
Although we are programming in C, i first wrote the program in ruby wich gave me a much clearer understanding of what to do in C.(except from classes and rest of easy ruby syntaxes)

Even if you don't know much about programming, i guess you should be able to understand what the program does.

class Craps

    def initialize

        puts "A game of craps"

        first_roll

    end

    def first_roll

        roll = roll_dice

        case roll

        when 7,11

            game_won

        when 2,3,12

            game_lost

        else

            puts "Your point is: " + roll.to_s

            @my_points = roll

            keep_rolling

        end

    end

    def roll_dice

        #dice = (1+rand(6)) + (1+rand(6))

        die1 = 1+rand(6)

        die2 = 1+rand(6)

        dice = die1 + die2

        puts "You rolled: #{die1} + #{die2} = #{dice}"

        return dice

    end

    def game_won

        puts "You win"

        exit

    end

    def game_lost

        puts "You lose"

        exit

    end

    def keep_rolling

        roll = roll_dice

        case roll

        when @my_points

            game_won

        when 7

            game_lost

        else

            while roll

                case roll_dice

                when @my_points

                    game_won

                when 7

                    game_lost

                end

            end

        end

    end

end

play = Craps.new

# Output:

# A game of craps

# You rolled: 5

# Your point is: 5

# You rolled: 12

# You rolled: 8

# You rolled: 5

# You win

I will not paste the C program here, since its pretty similar to the example in "C how to program" by Deitel and Deitel. Boooring! >)

A game of craps (Java)

The java version is just the same. The java syntax' are pretty easy to learn after studying C the last couple of weeks. Java is the language to learn if i ever want to make an android app... but... do i? o_O

I seem to love this game... maybe not, but its an easy way to learn, among other well written programs.

import java.util.Random;

class Craps {

private Random randomizeDice = new Random();

int my_point;

int roll = 0;

public void game_won() {

System.out.println("You win!");

System.exit(0);

}

public void game_lost() {

System.out.println("You lose!");

System.exit(0);

}

public void first_roll() {

roll = roll_dice();

switch (roll) {

case 7:

case 11:

game_won();

case 2:

case 3:

case 12:

game_lost();

default:

my_point = roll;

System.out.println("Your point is: " + my_point);

}

}

Low Interaction honeypots

I have the last two weeks been playing around with a few low interaction honeypots. Sure it would be preferable to install a high interaction honeypot, but since im doing this on a virtual machine i didnt dare go that way. I ended up with two different systems running on the same machine, Dionaea and Kippo.

Honeywall
Althou its not necessary to use a honeywall while using low interaction honeypots i wanted to build my own honeywall for this project, wich main purpose was to log everything going in and out from the honeynet. I built my "wall" using OpenBSD-5.0 with snort-2.9.2 installed. In addition to snort, i used tcpdump and pf-logging as DCAP.
Regarding DCON i used pf to block and allow traffic to and from my honeypot. Session limit and snort_inline on outgoing connections would be preferable - but again i didnt feel this was critical for my honeynet, since i was using low interaction honeypots. (snort_inline isnt supported under obsd if i understand correctly)
So far this wall is working properly, but i need to know more about how to use my wall in a honeynet with high interaction honeypots and build a more userfriendly interface to use with snort and loggings.
Snort was a pain in the arse to install on OBSD, but eventually i got it up and running.

Kippo
Its important to change the common signatures hackers can see immediately after connecting to the "kippo".
The first guy who got access to my kippo-honeypot saw the most common signature(uptime 14 days IE), and logged off immediatly afterwards. Uptime is the first thing to change, among other things found in base.py. To make it abit more realistic i could also make a new filesystem, clone of a real file system (after you sanitize it for personal info and... what ever:-)


 Dionaea
I didnt do anything after installing and start this service. So far ive captured a few binaries, and one of those binaries are unique. I find this honeypot pretty cool, but so far i havent had the time to check out all of its futures nor the complete logs. More to come regarding the logs and captured malware, hopefully.