# Malware Analysis ## Forensics CheatSheets [https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#) ## Online Services * [VirusTotal](https://www.virustotal.com/gui/home/upload) * [HybridAnalysis](https://www.hybrid-analysis.com) * [Koodous](https://koodous.com/) * [Intezer](https://analyze.intezer.com/) ## Offline antivirus ### Yara #### Install ```bash sudo apt-get install -y yara ``` #### Prepare rules Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9) Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware. ```bash wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py mkdir rules python malware_yara_rules.py ``` #### Scan ```bash yara -w malware_rules.yar image #Scan 1 file yara -w malware_rules.yar folder #Scan hole fodler ``` #### YaraGen: Check for malware and Create rules You can use the tool [**YaraGen**](https://github.com/Neo23x0/yarGen) to generate yara rules from a binary. Checkout these tutorials: [**Part 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Part 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Part 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/) ```bash python3 yarGen.py --update python3.exe yarGen.py --excludegood -m ../../mals/ ``` ### ClamAV #### Install ```text sudo apt-get install -y clamav ``` #### Scan ```bash sudo freshclam #Update rules clamscan filepath #Scan 1 file clamscan folderpath #Scan the hole folder ``` ### IOCs IOC means Indicator Of Compromise. An IOC is a set of **conditions that identifies** some potentially unwanted software or a confirmed **malware**. Blue Teams use this kind of definitions to **search for this kind of malicious files** in their **systems** and **networks**. To share these definitions is very useful as when a malware is identified in a computer and an IOC for that malware is created, other Blue Teams can use it to identify the malware faster. A tool to create or modify IOCs is ****[**IOC Editor**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.** You can use tools such as ****[**Redline**](https://www.fireeye.com/services/freeware/redline.html) ****to search for IOCs in a device. ### rkhunter Tools like [**rkhunter**](http://rkhunter.sourceforge.net/) can be used to check the filesystem for possible **rootkits** and malware. ```bash sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress] ``` ### PEpper [PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules\). ### Apple Binary Signatures When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.** ```bash #Get signer codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier" #Check if the app’s contents have been modified codesign --verify --verbose /Applications/Safari.app #Check if the signature is valid spctl --assess --verbose /Applications/Safari.app ```