<aside> 📌 Summary

</aside>

Static Analysis

Hashes

<aside> <img src="/icons/vacuum-cleaner_lightgray.svg" alt="/icons/vacuum-cleaner_lightgray.svg" width="40px" /> sha 256

sha256sum.exe malware.malz

Get-filehash --Algorithm SHA256 .\\malware.malz

md5

md5sum.exe malware.malz

imphash

import pefile
pe = pefile.PE('nsis-installer.exe')
pe.get_imphash()

</aside>

String

<aside> ♾️ Chaînes de caractères

FLOSS.EXE malware.malz > strings.txt

• -n minimal size of the string - 8 is good </aside>

Automated Tools

<aside> ♾️ PEview.exe

• IMAGE_NT_HEADER > IMAGE_FILE_HEADER: timestamp can be significant, pay attention to its variations and to its value.
• IMAGE_SECTION_HEADER text: compare the raw data size to the virtual size (in hexa).
• SECTION .rdata > IMPORT Address Table </aside>

<aside> ♾️ PEStudio.exe

• Footprints
• Indicators
• Libraries
• Strings </aside>

Vulnerable APIs and capabilities

MalAPI.io

<aside> ♾️ capa.exe

capa ./malware.exe.malz

• -v verbose
• -vv double verbose </aside>

Signature

<aside> ♾️ SpcSpOpusInfo

from signify.authenticode import SignedPEFile
with open("nsis-installer.exe", "rb") as f:
    pefile = SignedPEFile(f)
    for signed_data in pefile.signed_datas:
        print(signed_data.signer_info.program_name)
        if signed_data.signer_info.countersigner is not None:
            print(signed_data.signer_info.countersigner.signing_time)

</aside>

Dynamic Analysis

Network-Based Indicators

<aside> ♾️ Wireshark

• TODO </aside>

<aside> ♾️ Inetsim

• Disables ports used for weird protocols (e.g. netcat over 443)
• TODO </aside>

<aside> ♾️ netcat

• basics (windows / Linux)
• reverse/bind handling
• SSL option
• TODO </aside>

Host-Based Indicators

<aside> ♾️ TCPView

• TODO </aside>

<aside> ♾️ Procmon

• Parent-child
• File creation / deletion
• TCP connection
• TODO </aside>

Advanced Analysis

Static Analysis

<aside> ♾️ Cutter

• Search bar at the bottom left
• TODO </aside>

Dynamic Analysis

<aside> ♾️ x32dbg / x64dbg

• TODO </aside>