# Malware

## Tools

### Detect It Easy

* [Detect It Easy | DIE](https://github.com/horsicq/Detect-It-Easy)
* Analyze signatures with [capa](https://github.com/mandiant/capa) via

```sh
capa <binary>
```

* Unpack with `upx`
* Re-analyze after deleting the cache: `del <binary>.viv`

### Strings

Tools for string searching and deobfuscation:

* [Floss](https://github.com/mandiant/flare-floss/)

### Lab Setup

* [REMnux](https://github.com/REMnux)
* [FlareVM for Windows](https://github.com/mandiant/flare-vm)

### Fuzzy Hashing

Splits the file into pieces and hashes each piece, so the resulting signature stays comparable between binaries that only partially match (where a full-file hash would differ completely).

This can be done via [ssdeep](https://ssdeep-project.github.io/ssdeep/index.html), optionally in recursive mode to hash a whole directory tree.
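
The piecewise idea above, as an added example that is not ssdeep's code: a simplified context-triggered piecewise hash (CTPH) in Python. The rolling hash follows ssdeep's published h1/h2/h3 scheme, while the per-piece hash (first byte of SHA-256), the `block_size_for` heuristic and the edit-distance similarity score are simplifications chosen for clarity. All function names are this example's own, and the sample "binaries" in `demo()` are constructed pseudo-random byte strings, so the scores are illustrative and not comparable with real ssdeep output.

```python
"""Simplified context-triggered piecewise hashing (CTPH), the idea behind ssdeep.

A rolling hash over the last WINDOW bytes decides where each piece ends, and each
piece is reduced to one character. Boundaries follow content, not offsets, so an
insertion disturbs only nearby pieces and related files keep comparable signatures.
"""
import hashlib
import random
import string

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
WINDOW = 7           # bytes of context that decide where a piece ends
MASK32 = 0xFFFFFFFF


class RollingHash:
    """Rolling hash over the last WINDOW bytes, following ssdeep's h1/h2/h3 scheme."""
    def __init__(self):
        self.window = [0] * WINDOW
        self.n = 0
        self.h1 = self.h2 = self.h3 = 0

    def update(self, c: int) -> int:
        # h1: plain sum of the window; h2: position-weighted sum; h3: shift/xor mix.
        self.h2 = (self.h2 - self.h1 + WINDOW * c) & MASK32
        self.h1 = (self.h1 + c - self.window[self.n % WINDOW]) & MASK32
        self.window[self.n % WINDOW] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & MASK32
        return (self.h1 + self.h2 + self.h3) & MASK32


def block_size_for(length: int) -> int:
    """Smallest 3 * 2**k that keeps the signature at roughly 64 characters."""
    bs = 3
    while bs * 64 < length:
        bs *= 2
    return bs


def piece_char(piece: bytes) -> str:
    """Reduce one piece to a single base64 character (6 bits of its hash)."""
    return ALPHABET[hashlib.sha256(piece).digest()[0] % 64]


def fuzzy_hash(data: bytes, block_size: int = 0) -> str:
    """Return 'blocksize:signature' for data."""
    bs = block_size or block_size_for(len(data))
    rh = RollingHash()
    sig, piece = [], bytearray()
    for c in data:
        piece.append(c)
        if rh.update(c) % bs == bs - 1:      # content-defined boundary
            sig.append(piece_char(bytes(piece)))
            piece = bytearray()
    if piece:                                # trailing partial piece
        sig.append(piece_char(bytes(piece)))
    return f"{bs}:{''.join(sig)}"


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; ssdeep uses a weighted variant of the same idea."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(sig_a: str, sig_b: str) -> int:
    """0..100 score; signatures with different block sizes are not comparable."""
    bs_a, body_a = sig_a.split(":", 1)
    bs_b, body_b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    longest = max(len(body_a), len(body_b))
    if longest == 0:
        return 100
    return round(100 * (1 - levenshtein(body_a, body_b) / longest))


def demo() -> dict:
    """Constructed sample 'binaries': an original, a patched copy, an unrelated file."""
    def pseudo_binary(seed: int, size: int = 2048) -> bytes:
        rng = random.Random(seed)
        return bytes(rng.getrandbits(8) for _ in range(size))

    original = pseudo_binary(1)
    patched = original[:600] + b"\x90" * 16 + original[600:]   # 16 bytes inserted
    unrelated = pseudo_binary(2)
    h_orig = fuzzy_hash(original)
    return {
        "same": similarity(h_orig, h_orig),
        "patched": similarity(h_orig, fuzzy_hash(patched)),
        "unrelated": similarity(h_orig, fuzzy_hash(unrelated)),
    }
```

Running `demo()` shows the property the paragraph describes: the patched copy scores high against the original because the rolling hash resynchronises a few bytes after the insertion and all later pieces are unchanged, whereas the unrelated file scores low. Note that the block size is derived from the file length, so files of very different sizes get incomparable signatures; real ssdeep mitigates this by emitting a second signature at twice the block size.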

## Resources

* [MalAPI.io](https://malapi.io) provides an overview of Windows API functions commonly used by malware
* [Extracting obfuscated strings](https://www.mandiant.com/resources/blog/automatically-extracting-obfuscated-strings)
* [MalwareBazaar (abuse.ch)](https://bazaar.abuse.ch)
* [Malware Behavior Catalog](https://github.com/MBCProject/mbc-markdown)