Triaging
Checklist
File Context and Delivery
File Information & Header Analysis
Get Basic PE information
Simple Search
Collect Strings
Check AV vendors
Quick VM Detonation
Capture network information
File Context and Delivery
When you receive a suspected malware binary, first establish how it got onto the host: the delivery path shapes the rest of the triage (an email attachment points at phishing, a browser download at a drive-by or a lure site, and an AV quarantine already gives you a detection name to pivot on).
Questions to ask:
Did it arrive as an email attachment or via a link in an email?
Was it downloaded through a browser?
Was it quarantined by an anti-virus product (if so, record the detection name)?
Was it found as an anomalous process running on the host?
File Information & Header Analysis
Use the file command (on the Linux analysis/sniffer VM) to determine the file type from its magic bytes rather than trusting the extension
Verify the file header in a hex editor such as HxD: a Windows executable starts with the bytes "MZ", and the 4-byte value at offset 0x3C points to the "PE\0\0" signature
Get Basic PE information
Parse the PE header with PE-bear
Determine which sections, resources, imported DLLs and API functions are used
Example: an import of Ws2_32.dll (the Winsock library, exporting socket, connect, send and recv) suggests the sample sets up network connections
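The header checks and import-table walk above, as an added example that is not part of the original page or of PE-bear: a small parser built on the struct module that validates the MZ/PE signatures, reads the file and optional headers, maps RVAs through the section table, lists imported DLLs and functions, and flags DLLs that hint at a capability. The sample image it parses is constructed inline (a header plus one .idata section importing Ws2_32.dll!socket and Ws2_32.dll!connect) so the code runs offline; it is not a real sample, and the DLL_HINTS table is an assumed triage heuristic, not a rule.

```python
import struct
from datetime import datetime, timezone

# Assumed triage heuristics: DLLs whose presence in the import table hints at a capability.
DLL_HINTS = {
    "ws2_32.dll": "Winsock sockets - network connections",
    "wininet.dll": "HTTP/FTP client API - downloads, C2 over HTTP",
    "winhttp.dll": "HTTP client API - C2 over HTTP",
    "advapi32.dll": "registry, services, crypto API - persistence or credential access",
    "crypt32.dll": "certificate/crypto API - encrypted payloads or TLS",
}

def _cstr(data: bytes, off: int) -> str:
    """Read a NUL-terminated ASCII string at file offset off."""
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data: bytes) -> dict:
    """Parse the DOS/NT headers, section table and import table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B      # PE32+ magic
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = (struct.unpack_from("<Q", data, opt + 24)[0] if is64
                  else struct.unpack_from("<I", data, opt + 28)[0])
    # Data directories start at +112 (PE32+) or +96 (PE32); entry 1 is the import directory.
    import_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]

    sections = []                                       # (name, va, size, raw file offset)
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for _, va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError(f"RVA {rva:#x} maps to no section")

    imports = {}
    if import_rva:
        desc = rva_to_off(import_rva)
        while True:                                     # IMAGE_IMPORT_DESCRIPTOR array ends with a null entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if name_rva == 0:
                break
            fmt, width, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
            thunk, funcs = rva_to_off(oft or ft), []
            while True:
                value = struct.unpack_from(fmt, data, thunk)[0]
                thunk += width
                if value == 0:
                    break
                # By-ordinal entries set the high bit; by-name entries point at hint(2) + name.
                funcs.append(f"ordinal#{value & 0xFFFF}" if value & ord_flag
                             else _cstr(data, rva_to_off(value) + 2))
            imports[_cstr(data, rva_to_off(name_rva))] = funcs
            desc += 20
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, f"{machine:#x}"),
        "pe32plus": is64,
        "compiled": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
        "entry_point_va": image_base + entry,
        "sections": [s[0] for s in sections],
        "imports": imports,
    }

def capability_hints(imports: dict) -> list:
    """Map imported DLL names (case-insensitive) to the assumed hints above."""
    return [f"{dll}: {DLL_HINTS[dll.lower()]}" for dll in imports if dll.lower() in DLL_HINTS]

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image whose only content is an import table naming
    Ws2_32.dll!socket and Ws2_32.dll!connect. Not a real sample; built so the parser runs offline."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0x5F000000, 0, 0, 0xE0, 0x0102)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", hdr, opt + 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", hdr, opt + 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96 + 8, 0x1000, 0x28)         # import directory RVA, size
    struct.pack_into("<8sIIII", hdr, opt + 0xE0, b".idata", 0x200, 0x1000, 0x200, 0x200)
    idata = bytearray(0x200)                                         # file offset 0x200 == RVA 0x1000
    struct.pack_into("<IIIII", idata, 0x00, 0x1028, 0, 0, 0x1050, 0x1038)  # descriptor, then null one
    struct.pack_into("<III", idata, 0x28, 0x1060, 0x1070, 0)        # import lookup table
    struct.pack_into("<III", idata, 0x38, 0x1060, 0x1070, 0)        # import address table
    idata[0x50:0x5B] = b"Ws2_32.dll\0"
    idata[0x60:0x69] = b"\0\0socket\0"                               # hint + name
    idata[0x70:0x7A] = b"\0\0connect\0"
    return bytes(hdr + idata)

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        print(f"{key:>14}: {value}")
    print("hints:", capability_hints(info["imports"]))
```

To run it against a real file, replace build_sample_pe() with open(path, "rb").read(); the compile timestamp is worth comparing with the file's delivery date, since a timestamp far in the past or future is a common sign of tampering.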
Simple Search
Compute the file's hash (SHA-256, plus MD5 and SHA-1 for matching older reports) and search for it online to see whether the sample has already been analysed
Collect Strings
Extract printable strings with the Linux strings command (add -el to also catch UTF-16LE strings, which are common in Windows binaries) or with BinText, and look for clues such as URLs, IP addresses, registry keys, file names and API names
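As an added example (not code from the original page, and not how strings or BinText are implemented): a string extractor that reports both ASCII and UTF-16LE runs, mirroring what strings and strings -el would return, and a second pass that groups the results by indicator type. The input is a constructed byte blob assembled inline (the IP 203.0.113.10 is from the documentation range and the registry path and file names are stand-ins), so it runs offline; the indicator patterns are assumed triage regexes, not an exhaustive list.

```python
import re

def extract_strings(data: bytes, min_len: int = 6):
    """Return (encoding, offset, text) for every printable ASCII and UTF-16LE run of at
    least min_len characters, in file order. The UTF-16LE pass is what strings -el reports."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.start(), m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf16le", m.start(), m.group().decode("utf-16le")))
    return sorted(found, key=lambda t: t[1])

# Assumed triage patterns that turn a raw string dump into leads worth following up.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|SOFTWARE|SYSTEM)\\\S+", re.I),
    "file": re.compile(r"[\w.-]+\.(?:exe|dll|bat|ps1|vbs)\b", re.I),
}

def triage_strings(data: bytes, min_len: int = 6) -> dict:
    """Group extracted strings by the indicator type(s) they match."""
    hits = {}
    for _, _, text in extract_strings(data, min_len):
        for kind, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                hits.setdefault(kind, []).append(text)
    return hits

# Constructed blob standing in for a binary: DOS stub text, junk bytes, an ASCII URL with a
# documentation-range IP, a UTF-16LE registry path (invisible to a plain ASCII scan) and two file names.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\xde\xad\xbe\xef" * 3
    + b"http://203.0.113.10/gate.php\x00"
    + b"\x01\x02\x03"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"\x90\x90"
    + b"Ws2_32.dll\x00"
    + b"cmd.exe /c whoami\x00"
)

if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE):
        print(f"{off:#08x} {enc:8} {text}")
    for kind, texts in triage_strings(SAMPLE).items():
        print(kind, "->", texts)
```

The Run-key path in the sample is only found by the UTF-16LE pass, which is the practical reason to always run strings a second time with -el on Windows samples.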
Check AV vendors
Scan the file with an anti-virus engine, or look up its hash on VirusTotal (submit the file itself only if sharing it is acceptable), to see whether any vendors detect it and under what name
Quick VM Detonation
Use a public sandbox such as hybrid-analysis.com or malwr.com to get a quick behavioural report. Submissions to public sandboxes are generally visible to others, including the attacker, so do not upload samples that contain sensitive data or that must stay confidential
Capture network information
Use the sandbox report to capture any network activity: contacted domains and IPs, ports, DNS queries and, where offered, the packet capture.
If the sandbox provides none of this (or the sample detects and evades it), the malware will need to be run and debugged dynamically in a controlled lab.