Triaging

Checklist

  • File Context and Delivery

  • File Information & Header Analysis

  • Get Basic PE information

  • Simple Search

  • Collect Strings

  • Check AV vendors

  • Quick VM Detonation

  • Capture network information

File Context and Delivery

When you receive the malware binary, it's important to ask how the malware got there in the first place.

Questions to ask:

  • Did it come from an email?

  • Did it come from a browser download?

  • Was it quarantined in an Anti-Virus?

  • Is it an anomalous process running?

File Information & Header Analysis

  • Use the file command (on the sniffer VM) to determine the file type

  • Verify the file header using a hex editor (HxD)

Get Basic PE information

  • Parse the PE header using the tool PE Bear

  • Determine what resources, DLL imports, and libraries are used

  • Example: If you see Ws2_32.dll, the sample may be setting up a network connection, because that library provides the Winsock socket API

  • Calculate the hash of the file and check the web to see if it's been seen already
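As an added example (not part of these notes or any tool they mention), a pure-Python sketch of the PE steps above: it reads the COFF and optional headers, walks the import directory to list imported DLL names, flags networking libraries such as Ws2_32.dll, and hashes the file for lookup. The minimal sample PE it parses and the NETWORK_DLLS set are my own constructions.

```python
import hashlib
import struct

# DLLs whose presence in the import table hints at network capability
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll"}

def parse_pe(data):
    """Return header facts, imported DLL names and the SHA-256 of a PE32/PE32+ blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dd_off + 8)[0]   # directory entry 1 = imports
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)[1:] for i in range(nsec)]

    def rva2off(rva):  # map an RVA to a file offset through the section table
        for vsize, va, rsize, rptr in sections:
            if va <= rva < va + max(vsize, rsize):
                return rva - va + rptr
        raise ValueError("RVA 0x%x is outside every section" % rva)

    # walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes each) until the all-zero terminator
    dlls, off = [], (rva2off(imp_rva) if imp_rva else None)
    while off and (name_rva := struct.unpack_from("<I", data, off + 12)[0]):
        start = rva2off(name_rva)
        dlls.append(data[start:data.index(b"\0", start)].decode("ascii"))
        off += 20
    return {"machine": hex(machine), "sections": nsec, "timestamp": stamp, "imports": dlls,
            "network_hint": sorted(d for d in dlls if d.lower() in NETWORK_DLLS),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_sample_pe():
    """Constructed sample (not a real binary): minimal PE32 whose one section holds an import table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into("<II", opt, 104, 0x1000, 60)                          # import dir RVA / size
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    body = bytearray(0x200)                                                # section raw data @ 0x200
    for i, (rva, name) in enumerate([(0x40, b"Ws2_32.dll\0"), (0x50, b"KERNEL32.dll\0")]):
        struct.pack_into("<IIIII", body, 20 * i, 0x80 + 8 * i, 0, 0, 0x1000 + rva, 0xA0 + 8 * i)
        body[rva:rva + len(name)] = name
    return (dos + coff + bytes(opt) + sec).ljust(0x200, b"\0") + bytes(body)
```

Running parse_pe on a real sample gives the same dictionary; the sha256 value is what you would paste into a web lookup.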

Collect Strings

  • Using the strings command on Linux or the BinText tool, extract the strings to look for clues

Check AV vendors

  • Run the file against an Anti-Virus or VirusTotal to see if there are any detections

Quick VM Detonation

Capture network information

  • Use the VM detonation service to capture any network connections or packet data.

  • If this isn't possible, the malware will need to be debugged dynamically.
