diff --git a/README.md b/README.md index 1e7d4c6..1b312ae 100644 --- a/README.md +++ b/README.md @@ -88,7 +88,7 @@ A curated list of awesome malware analysis tools and resources ### Tools * Static Analysis * [pestudio](https://www.winitor.com/download/) - Perform static analysis of Windows executables. - * [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) editing. + * [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) checking import directory , export directory and section headers for finding packer [packer use for change pe table schema this UPX] @@ -138,6 +138,20 @@ A curated list of awesome malware analysis tools and resources * [yara](https://github.com/VirusTotal/yara) * [Python 3.8.0](https://www.python.org/downloads/release/python-380/) - for ret-sync & ida module * [yara-python](https://pypi.org/project/yara-python/) - require for ida module +* [intezer analyzer](https://analyze.intezer.com/) - Create MITRE ATT&CK Technique Detection table + +### Tips +* every .exe file can hav some import dll or aeport dll or string +* new malware dos not use import dll and never call dll, and they are hard to hunt! +* use ida->view->subvie->string to see all sting +* ransomware encrpt data with symetric algoritm like sha256 and then send key to c2, they encrypt key with asymetric algoritm like RSA bublic key +* some malware hade digital signature, an attacker stole sign key from valid company +* for obfuscate pe file use packer +* Fuzzy Hashing tools like ssdeep can help hunter to find similarity between two malware with different md5 key +* Winexex in one of export function from kernel32.dll and can be malicious +* we can bypass all static analysis with rewrite import dll, with call function with address in memory +* we can create shellcode with FASM tools in assembly +* the best future of ida is create basic block for application analysis ### Books
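Review bot: the replacement line for CFF Explorer in the first hunk drops the original description ("a suite of tools for portable executable (PE) editing") and replaces it with an ungrammatical fragment, including a stray space before the comma and the bracketed aside "[packer use for change pe table schema this UPX]", which does not parse; UPX is a packer, not a "PE table schema". Suggest keeping the original sentence and appending the new point as a clause, e.g. `* [CFF Explorer](http://www.ntcore.com/exsuite.php) - A suite of tools for portable executable (PE) editing; its import/export directory and section header views help spot signs of packing (e.g. UPX).`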
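Review bot: the second hunk has a factual error that should be fixed before merge: "ransomware encrpt data with symetric algoritm like sha256" names a hash function, not a symmetric cipher; SHA-256 cannot encrypt anything, and the usual example would be AES, with the per-victim key wrapped under an RSA public key embedded in the sample (sending the key to C2 is one variant, not the general case). "Winexex" is a misspelling of the kernel32.dll export WinExec, and "bypass all static analysis with rewrite import dll" overstates the effect: resolving imports at runtime hides names from the IAT but is itself an observable trait (small or empty import table, GetProcAddress/LoadLibrary usage, string and entropy anomalies), which is what the packer-detection tips earlier in the list are about. Also, "[intezer analyzer](https://analyze.intezer.com/)" is an online service, so it reads oddly at the end of a list of local IDA-module prerequisites; consider placing it with the online scanners section. Finally, the Tips block needs a spelling pass (hav, aeport, dos, subvie, sting, encrpt, symetric, algoritm, bublic, hade, "future" for "feature", "Tips" entries capitalised and ending with a period) to match the style of the rest of the README.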