[SANS ISC] Simple Tips For Triage Of MALWARE Bazaar’s Daily Malware Batches, (Sun, Aug 15th)

I was asked for tips to triage MALWARE Bazaar’s daily malware batches.

On Linux / macOS, you can unzip a malware batch and triage it with the file command.

There is no file command on Windows, but there are Windows versions you can install, and you can also use my file-magic tool (it’s a Python tool that uses Python module python-magic-bin).

On Windows, I don’t like to unzip the content of a daily malware batch to disk, because the malware samples keep their original extension. For example, a malicious Windows executable will have extension .exe, like malware.exe, and that makes for a higher risk of inadvertently executing malware.

What I prefer to do is unzip the content of the ZIP file and pipe it into file-magic, like this:

The internal format I use is JSON, hence the -j and --jsoninput options.

Note that this will not be fast: on yesterday’s malware batch (170 MB), it took almost 10 minutes. It’s more something to use in a daily bash script: download a malware batch, and triage it with zipdump and file-magic.
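As an added illustration (not the diary's file-magic or zipdump tools, and not Didier's own script), the same idea in self-contained Python: walk the batch ZIP in memory, classify each member from its magic bytes, and emit JSON, so no sample is ever written to disk under its original extension. The signature table and the sample batch are constructed for the example; the pwd parameter is an assumption for batches that are password-protected.

```python
import io
import json
import os
import zipfile
from typing import List, Optional

# Constructed magic-byte table for triage; a small subset, not python-magic's database.
SIGNATURES = [
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive (also Office OOXML, JAR, APK)"),
    (b"%PDF", "PDF document"),
    (b"{\\rt", "RTF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"#!", "script with shebang"),
]
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr"}

def identify(head: bytes) -> str:
    """Classify a sample from its first bytes, the way file(1) does."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    if head and all(32 <= b < 127 or b in b"\r\n\t" for b in head):
        return "ASCII text"
    return "data"

def triage_batch(zip_bytes: bytes, pwd: Optional[bytes] = None) -> List[dict]:
    """Walk the ZIP in memory; only the first 16 bytes of each member are read."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=pwd) as fh:  # pwd: assumed, for encrypted batches
                head = fh.read(16)
            ftype = identify(head)
            ext = os.path.splitext(info.filename)[1].lower()
            results.append({"name": info.filename, "size": info.file_size, "type": ftype,
                            "ext_mismatch": ftype == "PE executable" and ext not in EXECUTABLE_EXTS})
    return results

def build_sample_batch() -> bytes:
    """Constructed stand-in for a daily batch: harmless headers only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample1.exe", b"MZ" + b"\x90" * 62)
        zf.writestr("sample2.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("sample3.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
        zf.writestr("sample4.txt", b"MZ" + b"\x00" * 30)  # executable hiding behind .txt
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage_batch(build_sample_batch()), indent=1))
```

The ext_mismatch flag is a cheap first filter: a PE header behind a non-executable extension is usually worth a closer look before anything else in the batch.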


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

