lifecycle of malware analysis reports
<blockquote data-quote="struppigel" data-source="post: 945185" data-attributes="member: 86910"><p>Take an example from other reports and emulate them. You probably have seen some before.</p><p></p><p>The most important part is to have a proper list of hashes at one place. That's because reports without them are pretty much useless.</p><p>Commonly it is placed at the very end, and usually you provide hashes as SHA256.</p><p>If there are many hashes, sort them alphabetically.</p><p>Make sure that the hashes can be copied; they should not be an image in a PDF or similar, but actual text.</p><p></p><p>If you include malware code, do <strong>not</strong> put that as text, but as an image. You don't want an antivirus product to think there is actual malware code in your document.</p><p></p><p>You can have an introduction to state the purpose of the report. Depends what it is for.</p><p></p><p>Make sure that at each point of your report it is clear which samples you are currently analysing. E.g., I do that by using references that point to your hash listing at the end of the report.</p><p></p><p>Be short, to the point and technically precise. That's more important than language that sounds nice. Remove words and sentences that are only fillers or don't tell anything important.</p><p></p><p>If you make assumptions instead of stating facts, make it clear that these are only assumptions. E.g. you might see Russian text in a malware and say something like "The developer is Russian". That's an assumption, not a fact. It might just be a person who used Google Translate or speaks Russian as a second language. Prefer to stay with facts, and if you want to state assumptions, make it clear that they aren't facts.</p><p></p><p>Verify your statements by providing resources, links or any other kind of proof.</p><p></p><p>If anyone helped you with parts of your work, state that.</p><p></p><p>Do not mock the threat actors. It's tempting and I am guilty of this myself, but it doesn't do any good, nor is it professional.</p></blockquote><p></p>
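The hash appendix and per-sample references the post recommends, as an added example in Python (not code from struppigel's post or from any real report): it hashes a set of samples with SHA256, sorts the list alphabetically, assigns reference IDs after sorting so the appendix order and the IDs agree, renders the appendix as plain copyable text, and cross-checks the report body for references that point at no sample (or samples that are never referenced). The sample bytes, the report snippet and the `[S1]`, `[S2]`, ... reference style are constructed assumptions for the demonstration.

```python
"""Build and cross-check the hash appendix of a malware analysis report.

Added example, not from the original forum post. The sample bytes, report
text and the [S<n>] reference style are constructed for illustration; a real
report would hash the actual files and use its own reference convention.
"""
from __future__ import annotations

import hashlib
import re

# Constructed stand-ins for sample files: name -> raw bytes (NOT real malware).
SAMPLES = {
    "dropper.exe": b"MZ\x90\x00constructed dropper stub",
    "payload.dll": b"MZ\x90\x00constructed payload stub",
    "loader.ps1": b"# constructed loader script\n",
}

# Reference style assumed for this example: [S1], [S2], ... in the body text.
REF_RE = re.compile(r"\[S(\d+)\]")


def sha256_hex(data: bytes) -> str:
    """SHA256 of the sample contents as lowercase hex (the usual report form)."""
    return hashlib.sha256(data).hexdigest()


def build_appendix(samples: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Return (ref, sha256, name) rows sorted alphabetically by hash.

    IDs are assigned after sorting, so the same set of samples always yields
    the same table and the reference numbers follow the appendix order.
    """
    rows = sorted((sha256_hex(data), name) for name, data in samples.items())
    return [(f"S{i}", h, name) for i, (h, name) in enumerate(rows, start=1)]


def render_appendix(rows: list[tuple[str, str, str]]) -> str:
    """Plain-text table: hashes stay copyable text, never an image."""
    lines = ["Appendix: samples (SHA256, sorted alphabetically)"]
    for ref, h, name in rows:
        lines.append(f"[{ref}] {h}  {name}")
    return "\n".join(lines)


def check_references(report_body: str,
                     rows: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Cross-check the body text against the appendix.

    'dangling'     = referenced in the body but absent from the appendix
    'unreferenced' = listed in the appendix but never referenced in the body
    """
    used = {f"S{n}" for n in REF_RE.findall(report_body)}
    known = {ref for ref, _, _ in rows}
    return {
        "dangling": sorted(used - known),
        "unreferenced": sorted(known - used),
    }


# Constructed report body: references S4, which no sample in the appendix has.
REPORT_BODY = (
    "[S1] writes [S2] to %TEMP% and executes it. "
    "The PowerShell stage [S4] is described in the next section."
)

if __name__ == "__main__":
    rows = build_appendix(SAMPLES)
    print(render_appendix(rows))
    print(check_references(REPORT_BODY, rows))
```

Run the checker as the last step before publishing: a non-empty `dangling` list means a claim in the body cannot be tied to a hash, and a non-empty `unreferenced` list means the appendix carries a sample the report never discusses.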