Malware Analysis
Malware Analysis: Static Analysis
FLOSS:
Extract obfuscated strings from a malware binary:
$ floss [C:\path\to\File.extension]
Only extract stack and tight strings:
$ floss --only stack tight -- [C:\path\to\File.extension]
Do not extract static strings:
$ floss --no static -- [C:\path\to\File.extension]
Display the help/usage screens:
$ floss -h # show core arguments
$ floss -H # show all supported arguments
CAPA:
Run capa with double-verbose output (drop one "v" for less detail):
capa [C:\path\to\File.extension] -vv
Malware Analysis: Dynamic Analysis
Example Indicators:
Host Indicators            Network Indicators
Deletes a file             Calls out to a domain
Installs persistence       Downloads a file
Template Static Analysis:
Filename:
File Hash: e.g. MD5 and SHA256
File Hash Lookup: e.g. VirusTotal
Basic String Analysis: e.g. FLOSS, PeStudio and capa
Template Dynamic/Heuristic/Behavioral Analysis:
Wireshark:
Set up REMnux and Wireshark, detonate the sample, and use the strings recovered in the basic static analysis to narrow down the network indicators you look for in the capture.
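The two templates above, worked through as an added Python example (this is not part of these notes and is not FLOSS, capa or PeStudio code): it fills in the static-analysis fields (filename, MD5, SHA256, printable ASCII and UTF-16LE strings), pulls domain-like candidates out of those strings, and then uses them to narrow down a list of DNS queries of the kind you would read off the Wireshark DNS filter. The sample bytes, the observed DNS query list, the minimum string length and the file-extension denylist are all constructed assumptions for this example, not real malware artefacts or captured traffic.

```python
"""Added example: minimal static triage plus indicator narrowing.
Sample bytes and observed DNS queries below are constructed (not real)."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

MIN_LEN = 5  # assumed minimum printable-string length, as strings/FLOSS default to

# Constructed sample: fake PE-ish header, non-printable filler, one ASCII URL,
# one UTF-16LE registry path, a too-short run ("ab"), and one ASCII command.
SAMPLE_NAME = "sample.bin"
SAMPLE_BYTES = (
    b"MZ\x90\x00" + bytes(range(1, 32))
    + b"http://update.example-c2.test/payload.exe" + b"\x00\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ab\x03"
    + b"cmd.exe /c del %TEMP%\\dropper.tmp" + b"\x00"
)

# Constructed list of DNS query names "observed" during detonation.
OBSERVED_DNS = [
    "ntp.example.org",
    "update.example-c2.test",
    "cdn.example.net",
    "update.example-c2.test",
]

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
FILE_EXTS = {"exe", "dll", "tmp", "dat", "bin", "sys", "txt"}  # assumed denylist


@dataclass
class StaticReport:
    """The 'Template Static Analysis' fields from the notes."""
    filename: str
    md5: str
    sha256: str
    strings: list = field(default_factory=list)


def hash_bytes(data: bytes) -> tuple[str, str]:
    """MD5 and SHA256 hex digests, the values you would look up on VirusTotal."""
    return hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Printable ASCII and UTF-16LE strings of at least min_len chars, in file order."""
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), m.group().decode("ascii")))
    for m in UTF16_RE.finditer(data):
        found.append((m.start(), m.group().decode("utf-16-le")))
    return [s for _, s in sorted(found)]


def triage(filename: str, data: bytes) -> StaticReport:
    md5, sha256 = hash_bytes(data)
    return StaticReport(filename, md5, sha256, extract_strings(data))


def candidate_domains(strings: list[str]) -> list[str]:
    """Dotted names that look like hosts; file names such as cmd.exe are dropped."""
    out: list[str] = []
    for s in strings:
        for m in DOMAIN_RE.finditer(s):
            name = m.group(1).lower()
            if name.rsplit(".", 1)[-1] in FILE_EXTS:
                continue
            if name not in out:
                out.append(name)
    return out


def narrow_indicators(domains: list[str], observed_queries: list[str]) -> list[str]:
    """Observed DNS queries that match a domain recovered from the binary."""
    wanted = {d.lower() for d in domains}
    return sorted({q.lower() for q in observed_queries if q.lower() in wanted})


if __name__ == "__main__":
    report = triage(SAMPLE_NAME, SAMPLE_BYTES)
    print(f"Filename: {report.filename}")
    print(f"MD5:      {report.md5}")
    print(f"SHA256:   {report.sha256}")
    for s in report.strings:
        print(f"string:   {s}")
    hits = narrow_indicators(candidate_domains(report.strings), OBSERVED_DNS)
    print(f"network indicators confirmed in capture: {hits}")
```

The static half is deliberately naive compared with FLOSS (no decoding of stack or obfuscated strings), which is why the notes pair it with a hash lookup and a dynamic run; the interesting part is that the same recovered strings drive what you filter for in Wireshark, so the two templates feed each other rather than standing alone.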