2.2 KiB
2.2 KiB
Malware Analysis
Forensics CheatSheets
https://www.jaiminton.com/cheatsheet/DFIR/#
Online Services
Offline antivirus
Yara
Install
sudo apt-get install -y yara
Prepare rules
Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9
Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
Scan
yara -w malware_rules.yar image #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
ClamAV
Install
sudo apt-get install -y clamav
Scan
sudo freshclam #Update rules
clamscan filepath #Scan 1 file
clamscan folderpath #Scan the hole folder
rkhunter
Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
PEpper
PEpper checks some basic stuff inside the executable binary data, entropy, URLs and IPs, some yara rules.
Apple Binary Signatures
When checking some malware sample you should always check the signature of the binary as the developer that signed it may be already related with malware.
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app
#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app