From 64579f7da7ac3f2f730838c997383f239cb6f9dd Mon Sep 17 00:00:00 2001
From: kh4sh3i <kh4sh3i@gmail.com>
Date: Sat, 8 Jan 2022 18:21:11 +0330
Subject: [PATCH] Update README.md

---
 README.md | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 1e7d4c6..1b312ae 100644
--- a/README.md
+++ b/README.md
@@ -88,7 +88,7 @@ A curated list of awesome malware analysis tools and resources
 ### Tools
 * Static Analysis
   * [pestudio](https://www.winitor.com/download/) - Perform static analysis of Windows executables.
-  * [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) editing.
+  * [CFF Explorer](http://www.ntcore.com/exsuite.php) - is a suite of tools for portable executable (PE) checking import directory , export directory and section headers for finding packer [packer use for change pe table schema this UPX]
 
 
 
@@ -138,6 +138,20 @@ A curated list of awesome malware analysis tools and resources
 * [yara](https://github.com/VirusTotal/yara)
 * [Python 3.8.0](https://www.python.org/downloads/release/python-380/) - for ret-sync & ida module
 * [yara-python](https://pypi.org/project/yara-python/) - require for ida module 
+* [intezer analyzer](https://analyze.intezer.com/) - Create MITRE ATT&CK Technique Detection table
+
+### Tips
+* every .exe file can hav some import dll or aeport dll or string
+* new malware dos not use import dll and never call dll, and they are hard to hunt!
+* use ida->view->subvie->string to see all sting
+* ransomware encrpt data with symetric algoritm like sha256 and then send key to c2, they encrypt key with asymetric algoritm like RSA bublic key
+* some malware hade digital signature, an attacker stole sign key from valid company
+* for obfuscate pe file use packer
+* Fuzzy Hashing tools like ssdeep can help hunter to find similarity between two malware with different md5 key
+* Winexex in one of export function from kernel32.dll and can be malicious
+* we can bypass all static analysis with rewrite import dll, with call function with address in memory
+* we can create shellcode with FASM tools in assembly
+* the best future of ida is create basic block for application analysis
 
 
 ### Books