85 lines
2.2 KiB
Markdown
85 lines
2.2 KiB
Markdown
# Malware Analysis
|
||
|
||
## Forensics CheatSheets
|
||
|
||
[https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#)
|
||
|
||
## Online Services
|
||
|
||
* [VirusTotal](https://www.virustotal.com/gui/home/upload)
|
||
* [HybridAnalysis](https://www.hybrid-analysis.com)
|
||
* [Koodous](https://koodous.com/)
|
||
* [Intezer](https://analyze.intezer.com/)
|
||
|
||
## Offline antivirus
|
||
|
||
### Yara
|
||
|
||
#### Install
|
||
|
||
```bash
|
||
sudo apt-get install -y yara
|
||
```
|
||
|
||
#### Prepare rules
|
||
|
||
Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)
|
||
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.
|
||
|
||
```bash
|
||
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
|
||
mkdir rules
|
||
python malware_yara_rules.py
|
||
```
|
||
|
||
#### Scan
|
||
|
||
```bash
|
||
yara -w malware_rules.yar image #Scan 1 file
|
||
yara -w malware_rules.yar folder #Scan hole fodler
|
||
```
|
||
|
||
### ClamAV
|
||
|
||
#### Install
|
||
|
||
```text
|
||
sudo apt-get install -y clamav
|
||
```
|
||
|
||
#### Scan
|
||
|
||
```bash
|
||
sudo freshclam #Update rules
|
||
clamscan filepath #Scan 1 file
|
||
clamscan folderpath #Scan the hole folder
|
||
```
|
||
|
||
### rkhunter
|
||
|
||
Tools like [**rkhunter**](http://rkhunter.sourceforge.net/) can be used to check the filesystem for possible **rootkits** and malware.
|
||
|
||
```bash
|
||
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
|
||
```
|
||
|
||
### PEpper
|
||
|
||
[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules\).
|
||
|
||
### Apple Binary Signatures
|
||
|
||
When checking some **malware sample** you should always **check the signature** of the binary as the **developer** that signed it may be already **related** with **malware.**
|
||
|
||
```bash
|
||
#Get signer
|
||
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"
|
||
|
||
#Check if the app’s contents have been modified
|
||
codesign --verify --verbose /Applications/Safari.app
|
||
|
||
#Check if the signature is valid
|
||
spctl --assess --verbose /Applications/Safari.app
|
||
```
|
||
|