Sample Submission Of Suspicious Malware
Malware Analysis and RE
Here’s a set of useful tools for malware analysis and reverse engineering.
Debuggers / Disassemblers
– Ollydbg [v1.10 or v2.0.] – OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft® Windows®.
– StrongOD (OllyDbg plugin) – This plug-in provides three kinds of ways to initiate the process.
– Ollydbg with 10 plugins – StrongOD v0.4.8.892; PhantOm Plugin v1.85; OllyStepNSearch v0.6.2; OllyDump v3.00.110; EasyController v184.108.40.206; Analyze This v0.1; Labless v220.127.116.11
– OllyDRX – A modified version of Ollydgb with useful plugins.
– Immunity Debugger – It’s a powerful new way to write exploits, analyze malware, and reverse engineer binary files.
– WINDBG – Microsoft Windows Debugger (WinDbg) is a powerful Windows-based debugger that is capable of both user-mode and kernel-mode debugging (my favourite tool).
– x64dbg – An open-source x64/x32 debugger for Windows. Please, see all the available plugins here.
IDA PRO – IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger that offers so many features it is hard to describe them all.
IDA PRO Plugins:
– IDAGolangHelper – Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary.
– ScyllaHide – ScyllaHide is an advanced open-source x64/x86 usermode Anti-Anti-Debug library. It can be used both in Ollydbg and X64dbg. Enjoy it.
– flare-ida – This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.
– GHIDRA – A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.
– Hopper – The macOS and Linux Disassembler.
plasma – PLASMA is an interactive disassembler. It can generate a more readable assembly (pseudo code) with colored syntax.
– Ilspy – ILSpy is the open-source .NET assembly browser and decompiler.
– DotPeek – dotPeek is a free-of-charge standalone tool based on ReSharper’s bundled decompiler. It can reliably decompile any .NET assembly into equivalent C# or IL code.
– VB Decompiler Lite 11 (p-code, VB6) Best code recovery solution for Visual Basic 5.0/6.0 applications and fast disassembler for Visual Studio .NET compiled apps.
– WKTVBDebugger– A debugger for Visual Basic P-Code compiled apps.
– Semi-vd-decompiler– Partial decompiler for Visual Basic.
– P32Dasm – VB5/VB6 Pcode decompiler.
– DeDe – DeDe is a very fast program that can analyze executables compiled with Delphi.
– AutoIt3 Decompiler – This application can be used to decompile AutoIt scripts.
– fakenet – This tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment. This is my favorite tool to fake DNS responses.
– ApateDNS – ApateDNS™ is a tool for controlling DNS responses through an easy-to-use GUI.
Detection and Classification
– PEstudio – This tool is used by Computer Emergency Response Teams (CERT) and Labs worldwide in order to perform Malware Initial Assessment. It’s very useful to perform an initial analysis.
– PEView – PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.
– FileAnalyzer – FileAlyzer brings more to offer than PEview as far as features, being able to provide basic PE information as well as offer some new functionality, such as automated unpacking for files packed with UPX and PECompact.
– CFF Explorer – A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. My favorite tool to analyze the structure of a PE file, its imports, sections, etc.
– PEiD – PEiD detects most common packers, cryptors and compilers for PE files (KANAL crypto detector plugin).
– Exeinfo PE – It is a packer and compiler detector and also a bin data detector.
– Detect IT Easy – Detect It Easy, or abbreviated DIE” is a program for determining types of files.
RDG Packer Detector – RDG Packer Detector is a detector packers, cryptors, Compilers, Packers Scrambler, Joiners, Installers. Its very important when a malware is protected with a crypter. This tool can provide some information about that.
– Loki – Host based scanner for IOCs.
ClamAV Open source antivirus engine.
– FastIR Collector – This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
– exiftool – ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.
– yara – Creating Yara Signatures for Malware Detection.
– yarGen – It is a generator for YARA rules.
– pev – pev is a full-featured, open source, multiplatform command line toolkit to work with PE (Portable Executables) binaries.
– binwalk – Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
– peframe– PEframe is a open source tool to perform static analysis on Portable Executable malware and generic suspicious file.
– PortexAnalyser PortEx is a Java library for static malware analysis of Portable Executable files.
– TrID – Binary identification.
– PEBear – PE-bear is a freeware reversing tool for PE files. Its objective was to deliver fast and flexible “first view” tool for malware analysts, stable and capable to handle malformed PE files.
– de4dot – .NET deobfuscator and unpacker.
– FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
– XORBruteForcer A Python script for brute forcing single-byte XOR keys.
– CyberChef – The Cyber Swiss Army Knife.
Debugging and Reverse Engineering
– Process Monitor– Advanced monitoring tool for Windows programs.
– Process Explorer – Advanced task manager for Windows.
– Process Hacker Tool that monitors system resources.
– RegShot– Registry compare utility that compares snapshots.
– LordPE – LordPE is an advanced application that facilitates tools for manipulating various parts of PE files. It features a PE editor, a breaking and entering function, PE rebuilder, unsplitter, and dumper server.
– upx – UPX homepage: the Ultimate Packer for eXecutables.
– Import Reconstructor (ImpRec) – This tool is designed to rebuild imports for protected/packed Win32 executables. It reconstructs a new Image Import Descriptor (IID), Import Array Table (IAT) and all ASCII module and function names.
– Wireshark– Wireshark is the worlds foremost and widely-used network protocol analyzer.
– AnalogX TextScan - It searches any binary file for a minimum and maximum string length, and then returns all occurrences in sorted order.
– An advanced memory forensics framework.
findevilproc (label possible new candidates)
– EVTXtract recovery – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
–helix3 – (extract memory from Windows and sent it via netcat to linux = nc -l -vvv -p 8888 > memory.dd)
– FTK Imager – The FTK Imager tool is capable of both acquiring and analyzing computer forensic evidence.
– AccessData FTK Imager Mount disks.
– Autopsy – Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your cameras memory card.
dumpit – Windows live acquisition memory (a standalone app).
– Processdump – Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis.
– CheatEngine – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte) for the Windows operating system.
– PE-Sieve – Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
peepdf – PDF analyzer.
– oletools – Suite to analyze OLE and MS Office files.
Structured Storage Viewer (SSV) – This tool allows to completely manage any MS OLE Structured Storage based file.
– BiffView++ – BiffView is a tool for viewing the BIFF structure of a binary Excel sheet.
Unicorn – It is a lightweight multi-platform, multi-architecture CPU emulator framework.
– munpack – Used to extract attachments from incoming emails.
– REMNUX – Reverse engineering virtual machine.
– WinAFL – Fuzzing Windows binaries.
– CyberChef – The Cyber Swiss Army Knife.
– Hybrid Analysis
Free Automated Malware Analysis Service – powered by Falcon Sandbox
Jottis malware scan
Scan your website urlscan.io
– AMAaaS (Android files)
– Any.run (Community Edition)
Binary Guard True Bare Metal
– Intezer Analyze (Community Edition)
– Comodo Valkyrie
– Detux Sandbox (Linux binaries)
– Joe Sandbox Cloud (Community Edition)
– Malwr (down at the moment)
– SecondWrite (free version)