* Static Analysis can be done by checking physical states of file. In our case , we used executable file as static samples and to check the physical states of windows executable file Windows provide Portable Executable Format (PE Format) which describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) files.
* Dynamic Analysis
* Behaviour Analysis is similar to Dynamic Analysis therefore we created sandbox to find the behaviour of our malicious and good samples and these behaviour includes Registry Operations , Files Operations , Api's Calls , Dll loaded , Mutex Information etc
* Code Analysis
* reversing code with debugger tools
* Debugging and Reverse Engineering ,Disassemblers, decompiler
* Memory Analysis
* we dumping whole memory and checking for process and handler.
* we can find Rootkit and Ransomware Encryption key and find hidden process !
### Tools
* Static Analysis
* [pestudio](https://www.winitor.com/download/) - Perform static analysis of Windows executables.
* [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) checking import directory , export directory and section headers for finding packer [packer use for change pe table schema this UPX]
* [X64dbg](https://github.com/x64dbg/) - An open-source x64/x32 debugger for windows.
* [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - multipurpose debugger for the Microsoft Windows computer operating system
* [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open source, self hosted sandbox and automated analysis system.
* [VirusTotal](https://www.virustotal.com/) - Free online analysis of malware samples and URLs
* [Noriben](https://github.com/Rurik/Noriben) - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
* Network
* [Wireshark](https://www.wireshark.org/) - The network traffic analysis tool.
* Android
* [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) – Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
* export procmon to csv and send to procdot for create png of malware behaviour
* almost ransomeware are 32 bit, because they can run on 32 bit and 64 bit architect
* some ransomware work when we have complex network, we use FakeNet tools for create all network service
* with FakeNet tools and vmware host only, we can see all network connection with c2 server, because 127.0.0.1 set for all dns query
* in windows 8 and upper, ther is patchgaurd mechanism that every 30m check critical section and if detedct some app remove linker and DKOM attack happen make bluescrean ! with this role most rootkit lose
* we can use psscan command in volatility for finding rootkit and hidden process
* .pdb file is so important for detection function name and indexing of system dll that use in malware
* in vmware we can suspend vm and copy .vmem for memory analysis. the file size is equal to whole memory size