cybersecurity notes

Triaging

Checklist

  • File Context and Delivery

  • File Information & Header Analysis

  • Get Basic PE information

  • Simple Search

  • Collect Strings

  • Check AV vendors

  • Quick VM Detonation

  • Capture network information

File Context and Delivery

When you receive the malware binary, it's important to ask how the malware got there in the first place.

Questions to ask:

  • Did it come from an email?

  • Did it come from a browser download?

  • Was it quarantined in an Anti-Virus?

  • Was it noticed as an anomalous running process?

File Information & Header Analysis

  • Use the file command (on the sniffer VM) to determine the file type

  • Verify the file header (magic bytes) with a hex editor such as HxD

Get Basic PE information

  • Parse the PE header using the tool PE Bear

  • Determine which resources, DLL imports, and libraries are used

  • Example: if you see Ws2_32.dll, the sample may be setting up a network connection, since that DLL provides the Winsock socket API
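To make the PE-header step concrete, here is an added example (not code from the original page or from PE Bear) that validates the MZ/PE headers, maps RVAs through the section table, walks the import descriptor array to list imported DLL names, and flags the capability each well-known DLL suggests. It uses only the Python standard library; the PE image it parses is constructed in build_sample_pe (a skeleton with one section, most optional-header fields zeroed), and the CAPABILITY_HINTS table is general knowledge, not something the page provides.

```python
"""Minimal PE header / import-table walk for triage (stdlib only)."""
import struct

# Rough capability hints for commonly seen imports (general knowledge, not from the page)
CAPABILITY_HINTS = {
    "ws2_32.dll": "Winsock: sockets, i.e. direct network connections",
    "wininet.dll": "WinINet: HTTP/FTP client calls",
    "urlmon.dll": "URL monikers, e.g. URLDownloadToFile",
    "advapi32.dll": "registry, services and CryptoAPI",
    "crypt32.dll": "certificate and crypto message APIs",
}


def parse_pe(data: bytes) -> dict:
    """Validate MZ/PE headers and return machine, section names and imported DLLs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start at optional header + 96
        dirs = opt + 96
    elif magic == 0x20B:          # PE32+: data directories start at optional header + 112
        dirs = opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    import_rva, _ = struct.unpack_from("<II", data, dirs + 8)   # directory entry 1 = imports

    sections = []
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))

    def rva_to_off(rva):
        # Translate a relative virtual address to a file offset via the section table
        for _, va, vsize, rawptr, rawsize in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    dlls = []
    if import_rva:
        off = rva_to_off(import_rva)
        while True:
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
            if not (oft or name_rva or ft):      # all-zero descriptor terminates the array
                break
            noff = rva_to_off(name_rva)
            dlls.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
            off += 20
    return {"machine": machine, "sections": [s[0] for s in sections], "imports": dlls}


def import_hints(dlls):
    """Map imported DLL names to the capability they suggest (case-insensitive)."""
    return {d: CAPABILITY_HINTS[d.lower()] for d in dlls if d.lower() in CAPABILITY_HINTS}


def build_sample_pe(dll_names):
    """Constructed PE32+ skeleton with one section holding an import table (not a real binary)."""
    sect_va, sect_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    names, name_rvas = b"", []
    for d in dll_names:
        name_rvas.append(sect_va + desc_size + len(names))
        names += d.encode() + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    body = descs + names
    body += b"\0" * (-len(body) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # AMD64, one section
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # other fields zeroed
    opt += b"".join(struct.pack("<II", sect_va, desc_size) if i == 1 else struct.pack("<II", 0, 0)
                    for i in range(16))
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sect_va, len(body), sect_raw,
                       0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + b"\0" * (sect_raw - len(hdr)) + body


if __name__ == "__main__":
    info = parse_pe(build_sample_pe(["KERNEL32.dll", "Ws2_32.dll"]))
    print(info)
    print(import_hints(info["imports"]))
```

Run against a real file with parse_pe(open(path, "rb").read()); the function only reads DLL names, so corrupt or packed samples that hide their import table will show few imports, which is itself a triage signal worth noting.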

Simple Search

  • Calculate the hash of the file and check the web to see if it has already been seen

Collect Strings

  • Using the strings command in Linux or the BinText tool, extract the strings to look for clues
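The header check, hash lookup and string extraction steps above can be scripted together. The following is an added example, not code from the original page: it identifies a file by its leading bytes (what the file command does), checks whether the extension agrees with the header (what you would confirm in HxD), prints a hex-editor style view, computes the hashes you would search for, and pulls both ASCII and UTF-16LE strings, which plain strings skips unless told otherwise. Everything is standard library; the magic-number and extension tables are general knowledge, and SAMPLE is a constructed byte blob, not a real binary.

```python
"""Static triage helpers: header check, hashes, strings (stdlib only)."""
import hashlib
import os
import re

# Well-known magic numbers (general knowledge, not from the page)
MAGICS = [
    (b"MZ", "DOS/Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also OOXML, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE compound file (legacy Office)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "gzip stream"),
]
EXT_TO_MAGIC = {".exe": b"MZ", ".dll": b"MZ", ".scr": b"MZ", ".pdf": b"%PDF",
                ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04",
                ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"}


def identify_by_magic(data: bytes) -> str:
    """What the file really is, judged by its leading bytes."""
    for magic, desc in MAGICS:
        if data.startswith(magic):
            return desc
    return "unknown"


def extension_matches_header(filename: str, data: bytes):
    """True/False if the extension's expected magic is/isn't present; None if the extension is unknown."""
    magic = EXT_TO_MAGIC.get(os.path.splitext(filename)[1].lower())
    return None if magic is None else data.startswith(magic)


def hexdump(data: bytes, length: int = 32, width: int = 16) -> str:
    """First `length` bytes laid out the way a hex editor shows them."""
    rows = []
    for off in range(0, min(length, len(data)), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        rows.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return "\n".join(rows)


def file_hashes(data: bytes) -> dict:
    """Hashes to look up on VirusTotal and similar services."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, then UTF-16LE runs (common in Windows binaries)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


# Constructed sample: an MZ header, the usual DOS-stub text and a wide-char URL
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
          + "http://example.invalid/beacon".encode("utf-16le") + b"\x00\x00" + b"\xff" * 16)


def triage(filename: str, data: bytes) -> dict:
    """One-shot summary of the static checks for a file as delivered."""
    return {"type": identify_by_magic(data),
            "extension_ok": extension_matches_header(filename, data),
            "hashes": file_hashes(data),
            "strings": extract_strings(data)}


if __name__ == "__main__":
    print(hexdump(SAMPLE))
    for key, value in triage("invoice.pdf", SAMPLE).items():
        print(key, value)
```

A file named invoice.pdf whose triage() reports type "DOS/Windows PE executable" and extension_ok False is the classic disguised-executable case; the wide string shows why UTF-16 extraction matters, since the URL would not appear in a default ASCII-only strings run.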

Check AV vendors

  • Run the file against an Anti-Virus or VirusTotal to see if there are any detections

Quick VM Detonation

  • Use open source VM detonation services like hybrid-analysis.com or malwr.com to get the behavior quickly

Capture network information

  • Use the VM detonation service to capture any network connections or packet data.

  • If that is not possible, the malware will need to be debugged dynamically.

Last updated 1 year ago