Mal Analysis & RE - Mahesh3535/MYrep GitHub Wiki

Dynamic Analysis : We run the malware sample in a sandbox/isolated lab and use the tools below to observe and record what it does to the system (processes, files, registry, network) while it executes.

Process Explorer : part of the Sysinternals suite; shows every running process with more detail than Task Manager (parent/child tree, loaded DLLs, handles, image signatures). Process Hacker (now System Informer) : an open-source alternative that is a bit simpler to use than Process Explorer.

Autoruns : also Sysinternals; lists every autostart location (Run keys, services, scheduled tasks, drivers), so persistence a sample installs can be spotted.

Process Monitor : advanced Sysinternals tool; records file system, registry, process/thread and network activity in real time and can be filtered to just the sample's process.

Regshot : takes a snapshot of the registry (and optionally the file system) before and after the malware runs and compares the two, so we collect exactly what changed.

CaptureBAT : logs file, registry and process activity while the sample executes.

OllyDbg : a user-mode debugger (32-bit Windows); lets us run a specific program under control, step through it and watch what operations it performs.

VM/OS snapshot tools : revert the lab machine to a clean state after each run.
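The Regshot idea above (snapshot, run the sample, snapshot again, diff) applied to a directory tree, as an added example that is not code from the wiki or from Regshot. The "sample" is a constructed stand-in that drops a file, edits `hosts` and deletes a log; the paths and file names are invented for the demo. On a Windows lab the same snapshot/diff logic is run over registry keys as well (Regshot covers both), but a file-system version runs anywhere:

```python
"""Regshot-style before/after snapshot comparison, applied to a directory tree.

Added example (not from the wiki): the technique behind Regshot, shown end to
end on the file system so it runs on any OS. The "malware" is a constructed
stand-in, not a real sample.
"""
import hashlib
import pathlib
import tempfile


def snapshot(root) -> dict:
    """Map every path under root to a SHA-256 of its content (None for directories)."""
    root = pathlib.Path(root)
    snap = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            snap[rel] = None
        elif path.is_file():
            snap[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    """What the sample added, deleted and modified between the two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def simulated_sample(root) -> None:
    """Constructed stand-in for running the sample: drops a copy of itself into a
    user-writable location, appends to the hosts file and deletes a log."""
    root = pathlib.Path(root)
    dropper_target = root / "AppData" / "Roaming" / "svchost.exe"   # invented path
    dropper_target.parent.mkdir(parents=True)
    dropper_target.write_bytes(b"MZ" + b"\0" * 62 + b"constructed payload")
    with open(root / "hosts", "a") as f:
        f.write("127.0.0.1 update.vendor.example\n")   # invented hostname
    (root / "install.log").unlink()


def run_lab() -> dict:
    """Snapshot, run the (simulated) sample, snapshot again, diff."""
    with tempfile.TemporaryDirectory() as lab:
        root = pathlib.Path(lab)
        # Constructed clean-state files.
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "install.log").write_text("installed ok\n")
        (root / "readme.txt").write_text("unchanged\n")
        before = snapshot(root)
        simulated_sample(root)
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in run_lab().items():
        print(kind, paths)
```

Hashing content rather than comparing timestamps is deliberate: a sample that rewrites a file with the same size and restores its mtime still shows up as modified. Note that what a snapshot diff cannot show is activity the sample undoes before the second snapshot (temporary files, transient keys); that is what Process Monitor's live log is for.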

Static tools : We do not run the sample in the lab; instead we use tools that disassemble and decompile it.

PEStudio : tells us almost everything about the file without running it: hashes, imports, strings, sections, version info, and it flags suspicious indicators.

dnSpy : a .NET decompiler and debugger; it reverses a compiled .NET assembly back into human-readable C#. We should be familiar with high-level languages such as C#/.NET to read the output (Java programs need a Java decompiler instead).

Ghidra : free disassembler and decompiler from the NSA. IDA Pro is its competitor; IDA Pro is paid software.

Stages of malware analysis : (each stage needs more time and skill than the one before)

Fully-automated analysis : sandboxing and automatic systems (ThreatGrid, Cuckoo) run the sample and produce a behaviour report with little effort.

Static properties analysis : no need to infect any lab environment; identify indicators of compromise from the file itself, such as hashes, IPs/domains, strings, imported API calls and packers. Sysinternals Strings tool : if the malware is not packed or encrypted, we can see a lot of data in the strings. PEStudio tool : summarises the same properties in one view.

Interactive behaviour analysis : execute the malware in the isolated environment and use Process Monitor, FakeDNS, a fake HTTP server, snapshot tools and packet-capture (pcap) tools to analyse its behaviour.

Manual code reversing : Disassembler : IDA Pro, Ghidra. Debugger : OllyDbg.
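The static-properties stage done by hand, as an added example (not code from the wiki, PEStudio or Sysinternals): hashes, printable strings, the PE section table with per-section entropy, and a few packer/API indicators, using only the Python standard library. The PE image it analyses is constructed inside the script (a minimal, non-runnable header plus two sections); the packer section names, the suspicious API names and the URL are illustrative values chosen for the demo, not a definitive list.

```python
"""Static-properties triage of a PE file with the standard library only.

Added example (not from the wiki): does on a constructed PE image what a first
pass with Strings/PEStudio does by hand: hashes, strings, section table with
entropy, and a few packer/API indicators.
"""
import hashlib
import math
import re
import struct

# Section names commonly left behind by packers (illustrative list, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1", ".themida"}
# API names worth flagging when they appear as plain strings (illustrative).
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                   "SetWindowsHookExA", "URLDownloadToFileA", "WinExec"}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the whole file, the first IOCs to record."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes (what the Strings tool prints)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value up to 8.0 for random-looking data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Walk the section table by hand: MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]       # NumberOfSections
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                         # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def triage(data: bytes) -> dict:
    """Combine the pieces into the kind of summary PEStudio shows on its first tab."""
    strings = ascii_strings(data)
    sections = pe_sections(data)
    indicators = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            indicators.append(f"packer section name: {s['name']}")
        if s["entropy"] > 7.0:
            indicators.append(f"high entropy {s['entropy']} in {s['name']}: packed or encrypted data")
    for s in strings:
        if s.startswith(("http://", "https://")):
            indicators.append(f"URL: {s}")
        if s in SUSPICIOUS_APIS:
            indicators.append(f"suspicious API name: {s}")
    return {"hashes": file_hashes(data), "sections": sections,
            "strings": strings, "indicators": indicators}


def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demo; not runnable and not real malware."""
    text = b"http://c2.example.invalid/gate.php\0CreateRemoteThread\0"   # invented URL/API string
    packed = bytes(range(256)) * 4        # every byte value equally often: entropy exactly 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 optional header
    optional = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)

    def section(name, raw_ptr, raw):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), raw_ptr, len(raw), raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff + optional
               + section(b".text", 0x200, text) + section(b"UPX1", 0x400, packed))
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + packed


if __name__ == "__main__":
    report = triage(build_sample_pe())
    print(report["hashes"]["sha256"])
    for s in report["sections"]:
        print(s)
    for ind in report["indicators"]:
        print("!", ind)
```

Run it on a real sample with `triage(open(path, "rb").read())`. The entropy check is the useful caveat: a section near 8.0 bits per byte means Strings and PEStudio will show almost nothing useful until the sample is unpacked, which is when the analysis moves down the list to interactive behaviour analysis or manual reversing.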