hacktricks/forensics/malware-analysis.md

67 lines
1.6 KiB
Markdown
Raw Normal View History

# Malware Analysis
## Forensics CheatSheets
[https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#)
## Online Services
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com/)
* [Intezer](https://analyze.intezer.com/)
## Offline antivirus
* Windows Defender
* Avast Antivirus \(or any other antivirus\)
Update the Antivirus, disconnect from internet the PC and scan the file.
### PEpper
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules
### Yara
#### Install
```text
sudo apt-get install -y yara
```
#### Prepare rules
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
```text
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Scan
```text
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
```
### ClamAV
#### Install
```text
sudo apt-get install -y clamav
```
#### Scan
```text
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
```