f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
89 lines
2.9 KiB
Plaintext
============================================================
Static Properties Analysis
============================================================

Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.

Related FOR610 Labs: 1.1, 2.1, 4.1

────────────────────────────────────────────────────────────

Step 1: File Identification & Hashing
Tools: file, trid, exiftool, sha256sum
Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps.

$ file specimen.exe
$ trid document.doc
$ exiftool document.pdf

Step 2: Reputation Check
Tools: malwoverview, virustotal-search
Look up the hash on VirusTotal/MalwareBazaar. If it is known malware, note the family name and detection rate. If clean or unknown, continue the analysis.

$ malwoverview -v <hash>

Step 3: Packing & Entropy Check
Tools: diec, peframe
Check for packing indicators and high-entropy sections. Look for: unusual section names, a small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow.

$ diec specimen.exe
$ peframe specimen.exe

Step 4: String Extraction
Tools: strings, floss, pestr
Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names.

$ strings binary.exe
$ floss specimen.exe
$ pestr specimen.exe

Step 5: Capability Detection
Tools: capa, yara
Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities.

$ capa specimen.exe
$ yara-rules specimen.bin

Step 6: Import & Export Analysis
Tools: peframe, capa
Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality.

$ peframe specimen.exe
$ capa specimen.exe

Step 7: Disassembly (if needed)
Tools: ghidra, cutter, radare2
Load into a disassembler for code-level analysis. Start at the entry point and trace key functions. Use the decompiler for a C-like view.

$ ghidra
$ cutter specimen.exe
$ r2 specimen.exe

Step 8: Document Findings
Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?
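
Worked example, added here and not part of the REMnux or FOR610 material: a small pure-Python triage script that performs the offline parts of Steps 1, 3 and 4 (magic-byte identification, MD5/SHA256, Shannon entropy as the packing indicator, printable-string extraction with IOC pattern matching) and returns a findings record of the kind Step 8 asks for. The magic-byte table, the 7.0 entropy threshold, the IOC regexes and the API-name list are assumptions for illustration, and SPECIMEN is a constructed byte string that mimics an MZ header with a few planted strings, not a real sample.

```python
"""Static-properties triage in pure Python (added example, not REMnux/FOR610 code).
Runs Steps 1, 3 and 4 of the workflow over an in-memory buffer so it works offline.
"""
import hashlib
import math
import re

# Step 1: magic-byte signatures (a small subset of what `file`/`trid` know; assumed).
MAGIC = [
    (b"MZ", "PE (DOS/Windows executable)"),
    (b"\x7fELF", "ELF"),
    (b"%PDF", "PDF"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 (legacy Office document)"),
    (b"PK\x03\x04", "ZIP container (OOXML/JAR/APK)"),
]


def identify(data: bytes) -> str:
    """Return a file-type label from the leading bytes (prefix match only)."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def hashes(data: bytes) -> dict:
    """MD5 and SHA256 for reputation lookup (Step 2) and the analysis record."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0..8.0); Step 3 treats >7.0 as a
    packing/encryption indicator, since compressed or encrypted data nears 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


# Step 4: indicators to pull out of the string list (assumed patterns).
IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-/:?=&%+]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+)(?:\\[\w.{}-]+)+"),
    # A few API names that often point at injection, download or persistence.
    "winapi": re.compile(r"\b(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory"
                         r"|InternetOpenUrlA|RegSetValueExA|CryptEncrypt)\b"),
}


def extract_iocs(strs: list) -> dict:
    """Group unique pattern hits by category, preserving first-seen order."""
    found = {kind: [] for kind in IOC_PATTERNS}
    for s in strs:
        for kind, pat in IOC_PATTERNS.items():
            for hit in pat.findall(s):
                if hit not in found[kind]:
                    found[kind].append(hit)
    return found


def triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Run Steps 1, 3 and 4 over a buffer and return the findings for Step 8."""
    strs = ascii_strings(data)
    ent = entropy(data)
    return {
        "file_type": identify(data),
        "size": len(data),
        **hashes(data),
        "entropy": round(ent, 3),
        "packed_suspected": ent > entropy_threshold,
        "string_count": len(strs),
        "iocs": extract_iocs(strs),
    }


# Constructed specimen: fake MZ header, zero padding, and planted strings.
SPECIMEN = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://example.test/update.bin\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"CreateRemoteThread\x00"
    + b"10.0.0.5\x00"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SPECIMEN), indent=2))
```

Whole-file entropy is a coarse signal: a packed PE often has a low-entropy stub plus one high-entropy section, so in practice run the entropy check per section (diec and peframe do this) rather than over the whole buffer as the example does. The string extractor only finds plain ASCII; wide (UTF-16) and stack strings need floss as the workflow notes.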

────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
     'Ctrl+G' for interactive cheatsheet browser