mirror of https://github.com/kh4sh3i/Malware-Analysis.git synced 2024-12-18 10:26:08 +00:00

Malware analysis resources

Go to file

Malware Analysis

A curated list of awesome malware analysis tools and resources

Type	What It Does	Real-World Example
Ransomware	disables victim's access to data until ransom is paid	RYUK
Fileless Malware	makes changes to files that are native to the OS	Astaroth
Spyware	collects user activity data without their knowledge	DarkHotel
Adware	serves unwanted advertisements	Fireball
Trojans	disguises itself as desirable code	Emotet
Worms	spreads through a network by replicating itself	Stuxnet
Rootkits	gives hackers remote control of a victim's device	Zacinlo
Keyloggers	monitors users' keystrokes	Olympic Vision
Bots	launches a broad flood of attacks	Echobot
Mobile Malware	infects mobile devices	Triada

Static Analysis
- Static Analysis can be done by checking physical states of file. In our case , we used executable file as static samples and to check the physical states of windows executable file Windows provide Portable Executable Format (PE Format) which describes the structure of executable (image) files and object files under the Windows family of operating systems. These files are referred to as Portable Executable (PE) files.
Dynamic Analysis
- Behaviour Analysis is similar to Dynamic Analysis therefore we created sandbox to find the behaviour of our malicious and good samples and these behaviour includes Registry Operations , Files Operations , Api's Calls , Dll loaded , Mutex Information etc
Code Analysis
- reversing code with debugger tools
- Debugging and Reverse Engineering ,Disassemblers, decompiler
Memory Analysis
- we dumping whole memory and checking for process and handler.
- we can find Rootkit and Ransomware Encryption key and find hidden process !

Static Analysis
- pestudio - Perform static analysis of Windows executables.
- CFF Explorer - is a suite of tools for portable executable (PE) checking import directory , export directory and section headers for finding packer [packer use for change pe table schema this UPX]
Dynamic Analysis
- Process Hacker - Tool that monitors system resources.
- Process Monitor - Advanced monitoring tool for Windows programs.
- RegShot - Registry compare utility that compares snapshots.
Code Analysis
- Disassembler
  - IDA
- Decompiler
  - IDA Pro
- debuggers
  - X64dbg - An open-source x64/x32 debugger for windows.
  - WinDbg - multipurpose debugger for the Microsoft Windows computer operating system
Memory Forensics
- Volatility - Advanced memory forensics framework.
Online Scanners and Sandboxes
- Cuckoo Sandbox - Open source, self hosted sandbox and automated analysis system.
- VirusTotal - Free online analysis of malware samples and URLs
- Noriben - Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
Network
- Wireshark - The network traffic analysis tool.
Android
- MobSF – Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.

every .exe file can hav some import dll or aeport dll or string
new malware dos not use import dll and never call dll, and they are hard to hunt!
use ida->view->subvie->string to see all sting
ransomware encrpt data with symetric algoritm like sha256 and then send key to c2, they encrypt key with asymetric algoritm like RSA bublic key
some malware hade digital signature, an attacker stole sign key from valid company
for obfuscate pe file use packer
Fuzzy Hashing tools like ssdeep can help hunter to find similarity between two malware with different md5 key
Winexex in one of export function from kernel32.dll and can be malicious
we can bypass all static analysis with rewrite import dll, with call function with address in memory
we can create shellcode with FASM tools in assembly
the best future of ida is create basic block for application analysis

Taha Tavakoli My Dear master in Malware Analysis Course