Malware Analysis Practical Flashcards
How to trick malware so it perceives the sandbox as a regular user computer?
- make the VM look as real as possible
- install common end-user software
- open multiple files and documents
- don’t install VM guest tools
- trick the malware into thinking it is online
- malware typically tries to do a DNS resolution of common websites
How should the malware analysis VM be set up?
host-only networking mode and segmented from the internet
What steps should you go through when creating a VM for malware analysis?
- install OS and patches
- install and run the analysis tools
- set up host-only networking
- do additional maintenance tasks to make the system ready
- create a snapshot
What questions should you answer during a static analysis?
- What kind of file is it?
- Is any information already known about it?
- What do the embedded strings tell about it?
- Is there anything unusual in the PE header?
- Is it packed? If so, what packer?
Which three tools are used for file type identification?
- file
- Exeinfo PE
- TrID
What does TrID analyze in order to determine the actual file format?
the actual data within the file to determine its format
How is TrID useful in malware analysis?
analyze unknown or suspicious files
On which platform is TrID primarily used?
Windows
How to use TrID?
How are cryptographic hashes used in malware analysis?
- organize and identify specific samples instead of using names
- find additional information online
What is the name of an app that can calculate several different cryptographic hashes for a file?
Compute Hash
What is the tool from Microsoft used to analyze strings?
Strings
Does Strings extract both ASCII and Unicode strings at the same time?
yes
What is the minimum string length by default in Strings?
3