Few questions regarding malware analysis lab - how to do it properly?
<blockquote data-quote="struppigel" data-source="post: 975299" data-attributes="member: 86910"><p>1. Using one VM for everything, static and dynamic analysis, is just fine and probably the most convenient option in your case. For dynamic analysis of Windows malware, you need Windows. So I recommend you use a Windows VM for everything, if your focus is on Windows malware. Malware analysts often separate the static analysis stuff because they work on machines that need access to internal systems on their company's network. But as a hobby analyst, you don't have this issue.</p><p></p><p>2. I made an entire video about that (summary starts at 30:00). But tl;dr is: Extract strings, use Detect It Easy or file type identifiers, and skim through the file in a hex editor first. Simultaneously submit it to an automatic analysis system just to get a superficial overview of the behaviour. Then you decide based on your findings what tools are appropriate to go forward. E.g. if it is an SFX, you extract it first. If it is .NET you check in dnSpy. If it is UPX packed, you unpack it first, ...</p><p>So you always go from the superficial and metadata information to the details like actual code. Not the other way around, otherwise you end up disassembling code of, e.g., the Python runtime environment because you did not realize it is a PyInstaller file that you got. Reading the code and debugging is the last thing to do.</p><p></p><p>[MEDIA=youtube]deG_-5opR30[/MEDIA]</p><p></p><p>3. See what upnorth posted.</p></blockquote><p></p>
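An added example of the "superficial first" triage order described in point 2 (my code, not struppigel's and not part of any tool he names): it reads only PE metadata and raw bytes to decide which step comes next, instead of jumping into a disassembler. The UPX section names, the PyInstaller archive cookie and the ZIP local-file signature are real format constants; `make_pe` and the sample images it builds are constructed for the demo and are not runnable executables.

```python
import re
import struct

PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"   # cookie that marks a PyInstaller archive
ZIP_LOCAL_HEADER = b"PK\x03\x04"                  # ZIP entry signature found in many SFX stubs

def printable_strings(data, min_len=4):
    """First triage step from the post: pull printable ASCII runs out of the raw bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_facts(data):
    """Return superficial PE facts (section names, CLR header present) or None if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]      # COFF SizeOfOptionalHeader
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]                 # 0x10B = PE32, 0x20B = PE32+
    dd_off = opt + (96 if magic == 0x10B else 112)                 # start of data directories
    _clr_rva, clr_size = struct.unpack_from("<II", data, dd_off + 14 * 8)  # entry 14 = CLR header
    sect_off = opt + opt_size
    names = [data[sect_off + i * 40:sect_off + i * 40 + 8].rstrip(b"\0").decode("latin-1")
             for i in range(nsect)]
    return {"sections": names, "dotnet": clr_size != 0}

def triage(data):
    """Decide the next tool from metadata only; code reading is deliberately the last option."""
    facts = pe_facts(data)
    if facts is None:
        return "not a PE file: identify the format first (DIE / hex editor)"
    if any(n.startswith("UPX") for n in facts["sections"]):
        return "UPX packed: unpack first"
    if facts["dotnet"]:
        return ".NET assembly: open in dnSpy"
    if PYINSTALLER_MAGIC in data:
        return "PyInstaller bundle: extract the archive, do not disassemble the bootloader"
    if ZIP_LOCAL_HEADER in data:
        return "SFX archive candidate: extract the embedded archive first"
    return "native PE: proceed to disassembler/debugger"

def make_pe(sections, dotnet=False, tail=b""):
    """Constructed minimal PE32 image for the demo: valid headers, no code, not executable."""
    opt = bytearray(224)                                           # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # fake CLR directory entry
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    sect = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in sections)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + sect + tail
```

Running `triage(make_pe(["UPX0", "UPX1", ".rsrc"]))` returns the UPX verdict, while the same image with a `.text` section and a trailing PyInstaller cookie is routed to archive extraction rather than a disassembler.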