Malware Analysis Tools:


Check out the resource link to access these tools.

There are a number of tools that can help security analysts reverse engineer malware samples. The good news is that all the malware analysis tools I use are completely free and open source. In this article, I cover malware analysis tools (in no particular order) and what they are used for:

PeStudio


PeStudio is always my first port of call when evaluating a Windows executable. It is a great tool for performing an initial triage on a malware sample and quickly pulling out any suspicious artefacts.

Once a binary has been loaded, PeStudio shows the user the sample's hashes as well as any VirusTotal detections. A list of strings is also pulled; if the sample is packed, this may not return any strong IOCs, but unpacking the sample and then analysing the strings can often yield useful information such as malicious websites and IP addresses.

PeStudio also helps in determining whether or not the malware is packed. When a sample is packed, the malware author has effectively wrapped the malware in a layer of code to obscure its true capabilities and hinder analysis.

PeStudio displays the file's entropy to aid in the detection of packed malware. Entropy is graded on a scale of 0 to 8, with 8 being the most entropic. The higher the entropy, the more likely the malware is packed.

The 'Imports' tab is also useful; it lists the functionality imported into the malware so that it can perform specific tasks. DLLs (dynamic link libraries) are a type of library found in Windows. Each library has its own set of Windows APIs, which are used by legitimate programs to perform various tasks.
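To make the entropy check described above concrete, here is an added example (not part of the original article or of PeStudio) that walks a PE section table and scores each section's Shannon entropy on the same 0 to 8 scale. The 7.0 packing threshold and the header-only fake PE built for offline testing are assumptions of this example.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale; 8 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def pe_section_entropy(image: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy}; {} if not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return {}
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {}
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_hdr_size  # section headers follow the optional header
    result = {}
    for i in range(num_sections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        result[name] = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
    return result

def build_fake_pe(sections: dict) -> bytes:
    """Constructed header-only PE-shaped buffer for offline testing; not a loadable executable."""
    e_lfanew, n = 0x40, len(sections)
    data_off = e_lfanew + 24 + 40 * n  # raw data starts right after the section table
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)  # no optional header
    body = b""
    for name, data in sections.items():
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIII", len(data), 0, len(data), data_off + len(body))
        hdr += b"\0" * 16  # relocations/line numbers/characteristics unused here
        body += data
    return hdr + body

LOW = b"This program cannot be run in DOS mode.\r\n" * 50  # constructed: plain text, low entropy
HIGH = bytes(range(256)) * 16  # constructed: uniform byte mix standing in for a packed payload
SAMPLE = build_fake_pe({".text": LOW, ".packed": HIGH})

if __name__ == "__main__":
    for name, ent in pe_section_entropy(SAMPLE).items():
        print(f"{name:8s} entropy={ent:.2f} packed?={ent >= 7.0}")  # 7.0 is an assumed threshold
```

On a real sample, pass `open(path, "rb").read()` to `pe_section_entropy`; a section near 8 is a strong hint that it holds packed or encrypted data, while plain code and text usually sit well below.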

===============================================================================

Process Hacker


Process Hacker allows a malware analyst to see what processes are running on a device. This can be useful when detonating a piece of malware to see what new processes are created by the malware and where these are being run from on disk. Malware will often try to hide by copying itself to a new location and then renaming itself; Process Hacker will display this activity as it occurs, making it easy to identify how the malware is attempting to hide.

This tool is also useful for pulling information from the memory of a process. This means that once a piece of malware is detonated, Process Hacker can be used to inspect its memory for strings; the strings found in memory will often reveal useful information such as the IP addresses, domains, and user agents being used by the malware.

===============================================================================

Process Monitor (ProcMon)


ProcMon is a powerful tool from Microsoft which records live system activity such as process creation, file system operations and registry changes. This is really handy when used in tandem with Process Hacker: a new process may be created and then quickly killed, but that process can still be reviewed in the ProcMon capture. Using the prebuilt filters or the process tree, an analyst can quickly identify what processes were created, where the executable was run from, and the parent/child relationships.