hacktricks/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md

# Uchambuzi wa Programu Hasidi

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

## Vipeperushi vya Uchunguzi wa Kielektroniki

[https://www.jaiminton.com/cheatsheet/DFIR/#](https://www.jaiminton.com/cheatsheet/DFIR/)

## Huduma za Mtandaoni

* [VirusTotal](https://www.virustotal.com/gui/home/upload)
* [HybridAnalysis](https://www.hybrid-analysis.com)
* [Koodous](https://koodous.com)
* [Intezer](https://analyze.intezer.com)
* [Any.Run](https://any.run/)

## Zana za Kupambana na Virus na Uchunguzi Nje ya Mtandao

### Yara

#### Sakinisha
```bash
sudo apt-get install -y yara
```
#### Andaa sheria

Tumia script hii kupakua na kuchanganya sheria zote za yara za zisizo za kawaida kutoka github: [https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9](https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9)\
Unda directory ya _**sheria**_ na kuitekeleza. Hii itaunda faili inayoitwa _**malware\_rules.yar**_ ambayo ina sheria zote za yara kwa ajili ya zisizo za kawaida.
```bash
wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py
```
#### Kuchunguza
```bash
yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan the whole folder
```
#### YaraGen: Angalia kwa zisizo na programu hasidi na Unda sheria

Unaweza kutumia zana [**YaraGen**](https://github.com/Neo23x0/yarGen) kuzalisha sheria za yara kutoka kwa faili ya binary. Angalia mafunzo haya: [**Sehemu 1**](https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/), [**Sehemu 2**](https://www.nextron-systems.com/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/), [**Sehemu 3**](https://www.nextron-systems.com/2016/04/15/how-to-write-simple-but-sound-yara-rules-part-3/)
```bash
python3 yarGen.py --update
python3.exe yarGen.py --excludegood -m  ../../mals/
```
### ClamAV

#### Sakinisha
```
sudo apt-get install -y clamav
```
#### Kuchunguza
```bash
sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the whole folder
```
### [Capa](https://github.com/mandiant/capa)

**Capa** inagundua uwezo wa uwezekano wa kwa faili za kutekelezwa: PE, ELF, .NET. Kwa hivyo, itapata vitu kama mbinu za Att\&ck, au uwezo wa shaka kama vile:

- angalia kosa la OutputDebugString
- tekeleza kama huduma
- unda mchakato

Pakua kutoka kwenye [**repo ya Github**](https://github.com/mandiant/capa).

### IOCs

IOC inamaanisha Ishara ya Kukiuka. IOC ni seti ya **mazingira yanayotambua** programu fulani inayoweza kutokuwa ya kawaida au **malware** iliyothibitishwa. Timu za Bluu hutumia aina hii ya ufafanuzi kutafuta faili za aina hii ya uovu kwenye **mifumo** yao na **mitandao**.\
Kushiriki ufafanuzi huu ni muhimu sana kwani wakati malware inagunduliwa kwenye kompyuta na IOC kwa malware hiyo inaundwa, Timu za Bluu zingine zinaweza kutumia hiyo kuitambua malware haraka zaidi.

Zana ya kuunda au kuhariri IOCs ni [**Mhariri wa IOC**](https://www.fireeye.com/services/freeware/ioc-editor.html)**.**\
Unaweza kutumia zana kama [**Redline**](https://www.fireeye.com/services/freeware/redline.html) kutafuta IOCs zilizofafanuliwa kwenye kifaa. 

### Loki

[**Loki**](https://github.com/Neo23x0/Loki) ni skana ya Viashiria Rahisi vya Kukiuka.\
Ugunduzi unategemea njia nne za ugunduzi:
```
1. File Name IOC
Regex match on full file path/name

2. Yara Rule Check
Yara signature matches on file data and process memory

3. Hash Check
Compares known malicious hashes (MD5, SHA1, SHA256) with scanned files

4. C2 Back Connect Check
Compares process connection endpoints with C2 IOCs (new since version v.10)
```
### Uchunguzi wa Malware wa Linux

[**Linux Malware Detect (LMD)**](https://www.rfxn.com/projects/linux-malware-detect/) ni programu ya kutambua malware kwa mifumo ya Linux iliyotolewa chini ya leseni ya GNU GPLv2, ambayo imeundwa kuzingatia vitisho vinavyokabiliwa katika mazingira ya kuhudumia pamoja. Inatumia data ya vitisho kutoka kwa mifumo ya uchunguzi wa kuingilia kwenye mtandao ili kuchambua malware inayotumiwa kwa shambulio na kuzalisha saini za kutambua. Aidha, data ya vitisho pia hutokana na michango ya watumiaji na rasilimali za jamii ya malware kupitia kipengele cha ukaguzi wa LMD.

### rkhunter

Zana kama [**rkhunter**](http://rkhunter.sourceforge.net) inaweza kutumika kuchunguza mfumo wa faili kwa **rootkits** na malware.
```bash
sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]
```
### FLOSS

[**FLOSS**](https://github.com/mandiant/flare-floss) ni chombo ambacho kitajaribu kutafuta strings zilizofichwa ndani ya faili za kutekelezwa kwa kutumia njia tofauti.

### PEpper

[PEpper](https://github.com/Th3Hurrican3/PEpper) huchunguza vitu vya msingi ndani ya faili ya kutekelezwa (data ya binary, entropy, URLs na IPs, baadhi ya sheria za yara).

### PEstudio

[PEstudio](https://www.winitor.com/download) ni chombo kinachoruhusu kupata taarifa za faili za kutekelezwa za Windows kama vile uingizaji, utoaji, vichwa, lakini pia itachunguza virus total na kupata mbinu za uwezekano wa shambulio (Att\&ck techniques).

### Detect It Easy(DiE)

[**DiE**](https://github.com/horsicq/Detect-It-Easy/) ni chombo cha kugundua ikiwa faili ime **fichwa** na pia kupata **packers**.

### NeoPI

[**NeoPI**](https://github.com/CiscoCXSecurity/NeoPI) ni skripti ya Python inayotumia aina mbalimbali za **njia za takwimu** kugundua maudhui yaliyofichwa na yaliyofichwa ndani ya faili za maandishi/skripti. Lengo la NeoPI ni kusaidia katika **ugunduzi wa nambari iliyofichwa ya web shell**.

### **php-malware-finder**

[**PHP-malware-finder**](https://github.com/nbs-system/php-malware-finder) inafanya bidii yake kutambua **nambari iliyofichwa**/**nambari ya shaka** pamoja na faili zinazotumia **PHP** kazi mara nyingi hutumiwa katika **malwares**/webshells.

### Saini za Binary za Apple

Unapochunguza sampuli fulani za **malware** unapaswa daima **kuchunguza saini** ya binary kwani **mwendelezaji** aliyetia saini inaweza tayari kuwa **husiana** na **malware.**
```bash
#Get signer
codesign -vv -d /bin/ls 2>&1 | grep -E "Authority|TeamIdentifier"

#Check if the app’s contents have been modified
codesign --verify --verbose /Applications/Safari.app

#Check if the signature is valid
spctl --assess --verbose /Applications/Safari.app
```
## Mbinu za Kugundua

### Kufunga Faili

Ikiwa unajua kwamba folda fulani inayohifadhi **faili** za seva ya wavuti ilisasishwa mwisho **tarehe fulani**. **Angalia** tarehe ambayo **faili zote** kwenye **seva ya wavuti ziliumbwa na kuhaririwa** na ikiwa tarehe yoyote ni **ya shaka**, hakiki faili hiyo.

### Vipimo vya Msingi

Ikiwa faili za folda **hazipaswi kuhaririwa**, unaweza kuhesabu **hash** ya **faili za asili** za folda na **kuzilinganisha** na **za sasa**. Kitu chochote kilichohaririwa kitakuwa **cha shaka**.

### Uchambuzi wa Takwimu

Wakati habari inahifadhiwa kwenye magogo unaweza **kagua takwimu kama mara ngapi kila faili ya seva ya wavuti ilipatikana kwani kabati la wavuti inaweza kuwa mojawapo ya**.

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks_live**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>