hacktricks/forensics/malware-analysis.md

# Malware Analysis

## Forensics CheatSheets

[https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#)

## Online Services

* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com/)
* [Intezer](https://analyze.intezer.com/)

## Offline antivirus

* Windows Defender
* Avast Antivirus \(or any other antivirus\)

Update the Antivirus, disconnect from internet the PC and scan the file.

### PEpper

[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules

### Yara

#### Install

```text
sudo apt-get install -y yara
```

#### Prepare rules

Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)  
Create the _**rules**_ directory and execute it. This will create a file called _**malware\_rules.yar**_ which contains all the yara rules for malware.

```text
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```

#### Scan

```text
yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler
```

### ClamAV

#### Install

```text
sudo apt-get install -y clamav
```

#### Scan

```text
sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the hole folder
```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Malware Analysis`

			`## Forensics CheatSheets`

			`[https://www.jaiminton.com/cheatsheet/DFIR/\#](https://www.jaiminton.com/cheatsheet/DFIR/#)`

			`## Online Services`

			`* [VirusTotal](https://www.virustotal.com/gui/home/upload)`
			`* [HybridAnalysis](https://www.hybrid-analysis.com)`
			`* [Koodous](https://koodous.com/)`
			`* [Intezer](https://analyze.intezer.com/)`

			`## Offline antivirus`

			`* Windows Defender`
			`* Avast Antivirus \(or any other antivirus\)`

			`Update the Antivirus, disconnect from internet the PC and scan the file.`

			`### PEpper`

			`[PEpper ](https://github.com/Th3Hurrican3/PEpper)checks some basic stuff inside the executable \(binary data, entropy, URLs and IPs, some yara rules`

			`### Yara`

			`#### Install`

			```text
			`sudo apt-get install -y yara`
			```

			`#### Prepare rules`

			`Use this script to download and merge all the yara malware rules from github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)`
			`Create the _rules_ directory and execute it. This will create a file called _malware\_rules.yar_ which contains all the yara rules for malware.`

			```text
			`wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py`
			`mkdir rules`
			`python malware_yara_rules.py`
			```

			`#### Scan`

			```text
			`yara -w malware_rules.yar image #Scan 1 file`
			`yara -w malware_rules.yar folder #Scan hole fodler`
			```

			`### ClamAV`

			`#### Install`

			```text
			`sudo apt-get install -y clamav`
			```

			`#### Scan`

			```text
			`sudo freshclam #Update rules`
			`clamscan filepath #Scan 1 file`
			`clamscan folderpath #Scan the hole folder`
			```