hacktricks/forensics/basic-forensic-methodology/malware-analysis.md
2021-08-19 16:19:41 +00:00


Malware Analysis

Forensics CheatSheets

https://www.jaiminton.com/cheatsheet/DFIR/#

Online Services

Offline antivirus

Yara

Install

sudo apt-get install -y yara

Prepare rules

Use this script to download and merge a collection of public Yara malware rules from GitHub: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and run the script; it writes a single file, malware_rules.yar, containing all the merged rules.

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py

Scan

yara -w malware_rules.yar image     #Scan 1 file (-w silences rule-compilation warnings)
yara -w -r malware_rules.yar folder #Scan a whole folder recursively

yarGen: Check for malware and create rules

You can use the tool yarGen to generate Yara rules from malware samples: it extracts strings (and optionally opcodes) from the samples and discards the ones that also appear in its goodware database, so the resulting rule matches the malware rather than common legitimate binaries. Check out these tutorials: Part 1, Part 2, Part 3

python3 yarGen.py --update                      #Download/update the goodware strings and opcodes databases
python3 yarGen.py --excludegood -m ../../mals/  #Generate rules from the samples in ../../mals/, dropping strings also found in goodware
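The core idea behind yarGen (strings that are common to the malware samples but absent from goodware become the rule's strings) can be shown in a few dozen lines. The following is an added example written for this page, not yarGen's code: the "samples" are constructed byte blobs, the goodware set is two made-up binaries, and the emitted rule follows the shape yarGen-style rules usually have (PE magic check, file-size cap, "N of them"). yarGen itself does more (string scoring, opcode databases, a much larger goodware corpus), so treat this as an illustration of the --excludegood step only.

```python
"""Toy yarGen: strings present in malware samples but never in goodware -> YARA rule.
Added example for this page; the sample contents below are constructed, not real malware."""
import re
from collections import Counter

MIN_LEN = 8  # shortest printable run worth keeping, like `strings -n 8`

# Constructed stand-ins for sample contents (no real malware here).
MALWARE_SAMPLES = {
    "sample1.exe": (b"MZ\x90\x00" + b"\x00" * 16
                    + b"http://evil-c2.example/gate.php\x00"
                    + b"cmd.exe /c whoami\x00"
                    + b"KERNEL32.dll\x00GetProcAddress\x00"
                    + b"Mozilla/5.0 (X11; Linux)\x00"),
    "sample2.exe": (b"MZ\x90\x00KERNEL32.dll\x00"
                    + b"http://evil-c2.example/gate.php\x00"
                    + b"GetProcAddress\x00"
                    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"),
}
# Constructed "goodware": any string seen here is too common to be useful in a rule.
GOODWARE_SAMPLES = {
    "notepad.exe": b"MZ\x90\x00KERNEL32.dll\x00GetProcAddress\x00CreateFileW\x00",
    "calc.exe": b"MZ\x90\x00KERNEL32.dll\x00GetProcAddress\x00Mozilla/5.0 (X11; Linux)\x00",
}


def extract_strings(data, min_len=MIN_LEN):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return {m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)}


def select_strings(malware, goodware, min_len=MIN_LEN):
    """Map string -> number of malware samples containing it, keeping only
    strings that never occur in any goodware sample (the --excludegood idea)."""
    good = set()
    for data in goodware.values():
        good |= extract_strings(data, min_len)
    counts = Counter()
    for data in malware.values():
        for s in extract_strings(data, min_len) - good:
            counts[s] += 1
    return counts


def yara_escape(s):
    """Escape backslashes and quotes so the value is valid inside a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(name, counts, max_strings=10):
    """Emit a YARA rule from the selected strings, most prevalent first (ties by
    name, so output is deterministic). The condition pins the PE magic, caps the
    file size and requires roughly half of the strings to hit."""
    chosen = sorted(counts, key=lambda s: (-counts[s], s))[:max_strings]
    if not chosen:
        return ""
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "generated from constructed samples (example only)"',
             "    strings:"]
    for i, s in enumerate(chosen, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    needed = max(1, (len(chosen) + 1) // 2)
    lines += ["    condition:",
              f"        uint16(0) == 0x5a4d and filesize < 2MB and {needed} of them",
              "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_rule("constructed_example", select_strings(MALWARE_SAMPLES, GOODWARE_SAMPLES)))
```

Running it prints a rule whose first string is the C2 URL (present in both samples) while KERNEL32.dll, GetProcAddress and the user-agent string are dropped because the goodware set contains them. That last point is the one to remember when reading yarGen output: a string is only a good signature if it is rare in legitimate software, and the quality of the goodware database bounds the quality of the rule.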

ClamAV

Install

sudo apt-get install -y clamav

Scan

sudo freshclam         #Update the signature database
clamscan filepath      #Scan 1 file
clamscan -r folderpath #Scan the whole folder recursively

IOCs

IOC means Indicator Of Compromise. An IOC is a set of conditions (file hashes, names, sizes, registry keys, network addresses and so on) that identifies potentially unwanted software or a confirmed malware family. Blue Teams use these definitions to hunt for malicious files and activity across their systems and networks.
Sharing these definitions is very useful: once a malware is identified on a machine and an IOC is written for it, other Blue Teams can use that IOC to find the same malware much faster.

A tool to create or modify IOCs (in the OpenIOC format) is IOC Editor.
You can use tools such as Redline to search a device for the IOCs you have defined.
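To make "a set of conditions" concrete, here is an added example (not IOC Editor's or Redline's code) that evaluates an OpenIOC-style definition against file records. The XML is constructed to follow the OpenIOC 1.0 layout as I know it (nested Indicator nodes with AND/OR operators, IndicatorItem nodes carrying a Context search term and a Content value); the hash, file names and sizes are made up, and the case-insensitive comparison is an assumption made here rather than something the format mandates.

```python
"""Evaluate an OpenIOC-style indicator tree against constructed file records.
Added example for this page, not code from IOC Editor or Redline."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC-style definition: hit if the MD5 is known, OR if the
# name contains "svch0st" AND the size is exactly 1337 bytes.
SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001">
  <short_description>Constructed example IOC (not a real indicator)</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
          <Content type="int">1337</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed file records, keyed by the same search terms the IOC uses.
FILES = [
    {"FileItem/FileName": "svch0st.exe", "FileItem/Md5sum": "a" * 32, "FileItem/SizeInBytes": "1337"},
    {"FileItem/FileName": "svch0st.exe", "FileItem/Md5sum": "b" * 32, "FileItem/SizeInBytes": "4096"},
    {"FileItem/FileName": "empty.dat", "FileItem/Md5sum": "d41d8cd98f00b204e9800998ecf8427e", "FileItem/SizeInBytes": "0"},
    {"FileItem/FileName": "notepad.exe", "FileItem/Md5sum": "c" * 32, "FileItem/SizeInBytes": "1337"},
]


def item_matches(item, record):
    """One IndicatorItem against one record. A record with no value for the
    search term cannot match; comparisons are case-insensitive (an assumption
    made here, reasonable for hex hashes and Windows file names)."""
    search = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").strip().lower()
    have = record.get(search)
    if have is None:
        return False
    have = str(have).lower()
    cond = item.get("condition", "is")
    if cond == "is":
        return have == want
    if cond == "contains":
        return want in have
    raise ValueError(f"unsupported condition: {cond}")


def indicator_matches(indicator, record):
    """Recursively evaluate an Indicator node: AND requires every child to hit,
    OR requires at least one. Nested Indicators give arbitrary boolean trees."""
    op = indicator.get("operator", "AND").upper()
    results = []
    for child in indicator:
        tag = child.tag.split("}")[-1]  # strip the namespace prefix
        if tag == "IndicatorItem":
            results.append(item_matches(child, record))
        elif tag == "Indicator":
            results.append(indicator_matches(child, record))
    if not results:
        return False
    return any(results) if op == "OR" else all(results)


def scan(ioc_xml, records):
    """Return the records that satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return [r for r in records if indicator_matches(top, r)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_IOC, FILES):
        print("match:", hit["FileItem/FileName"])
```

Two of the four records match: the first svch0st.exe (name and size both satisfy the AND branch) and empty.dat (hash matches the OR's first item). The second svch0st.exe does not, because an AND branch needs every item to hit; this is why a well-written IOC combines a weak indicator such as a file name with a second condition instead of relying on the name alone.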

rkhunter

Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.

sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
#--check runs the tests, -r sets the root directory to inspect (point it at a mounted image if needed), -l sets the log file; the bracketed flags are optional

PEpper

PEpper runs a set of basic static checks on a PE executable: section entropy (a high value suggests packing or encryption), embedded URLs and IP addresses, a few Yara rules, and similar quick wins.

Apple Binary Signatures

When checking a malware sample, always look at the binary's code signature: the developer identity (certificate chain and Team ID) that signed it may already be associated with other malware, and an invalid, revoked or missing signature is itself worth noting.

#Get signer (codesign writes this to stderr, hence 2>&1)
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check whether the app's contents have been modified since it was signed
codesign --verify --verbose /Applications/Safari.app

#Check whether the signature is valid and the app would pass Gatekeeper's policy
spctl --assess --verbose /Applications/Safari.app