File/Binary Analysis
What is this? I didn't put this file here...
File Analysis Methodology
Static Analysis Tasklist
Anatomy
Time Date Stamp
Discrepancy between Raw and Virtual Size
Hashes
Check Hashes against https://s0cm0nkey.github.io/EasyThreatFile.html
Strings
Too many meaningless strings (Possible obfuscation)
Internal/external messages
Referenced (invoked) functions
Sections used by the PE
IPs and/or Domains
Error messages or exceptions
Names or keywords
Libraries
Low number of libraries?
Cryptography Libraries - Why does this need a crypto library?
Imports/VirtualAlloc
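As an added illustration of the anatomy checks above (timestamp and raw-vs-virtual section size), not code from the original page: a header-only PE parser in the standard library, with a constructed sample header as input. The flagging thresholds (build year before 1995, one page of slack between virtual and raw size) are assumptions chosen for the example.

```python
import datetime
import struct

def build_sample_pe(stamp, sections):
    """Constructed input: DOS stub, PE signature, COFF header and section table only
    (no optional header), so it parses but is not a loadable executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew points at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                                 raw, 0, 0, 0, 0, 0, 0x60000020)
                     for i, (name, vsize, raw) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table

def parse_pe_anatomy(data):
    """Read TimeDateStamp and the section table straight from the header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sect_off = pe_off + 24 + opt_size                       # table follows the optional header
    sections = []
    for i in range(nsect):                                  # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, _vaddr, raw = struct.unpack_from("<8sIII", data, sect_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw})
    return {"timestamp": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc),
            "sections": sections}

def anatomy_flags(info, now=None, slack=0x1000):
    """Task-list checks: implausible build time, and sections whose virtual size is far
    larger than the bytes on disk (space reserved for code that appears at runtime)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    flags = []
    if info["timestamp"] > now or info["timestamp"].year < 1995:
        flags.append(f"timestamp {info['timestamp']:%Y-%m-%d} is zeroed, forged or in the future")
    for s in info["sections"]:
        if s["virtual_size"] > s["raw_size"] + slack:
            flags.append(f"section {s['name']}: virtual {s['virtual_size']:#x} vs raw {s['raw_size']:#x}")
    return flags

if __name__ == "__main__":
    sample = build_sample_pe(0, [(b".text", 0x20000, 0x400), (b".rsrc", 0x1000, 0x1000)])
    print("\n".join(anatomy_flags(parse_pe_anatomy(sample))))
```

On a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `parse_pe_anatomy`; a tool such as pev (listed below) reports the same fields with the rest of the headers.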
Dynamic Analysis Task List
Run file through available/allowed sandboxing utilities
Process Hacker
Observe active processes and pay attention to their colors
Extract strings and data in memory of the active suspicious process
Investigate Handles, including Mutex name
Process Monitor
Record local system interactions
ProcDOT
Organize and clean Process Monitor data
Wireshark
Record network activity
Give the malware what it wants: redirect its requests to a local web server in your lab. On Linux (your lab's gateway) you can use iptables to intercept and redirect all internal traffic, then reinfect your victim machine.
Use FAKEDNS in REMnux
What happens if you let malware connect to your web server?
File Analysis Tools
Exif/Metadata viewers
Often the metadata surrounding a file yields a trove of useful information. The tools below pull EXIF data from images or metadata from other file types.
CLI Tools
exiftool - ExifTool meta information reader/writer
FOCA - Tool to find metadata and hidden information in the documents.
Foremost: Foremost is a console program to recover files based on their headers, footers, and internal data structures.
exifprobe - exifprobe reads image files produced by digital cameras (including several so-called "raw" file formats) and reports the structure of the files and the auxiliary data and metadata contained within them.
exiv2 - Exiv2 is a C++ library and a command line utility to manage image metadata. It provides fast and easy read and write access to the Exif, IPTC and XMP metadata of images in various formats.
metacam - Extract EXIF information from digital camera files
oletools - A package of Python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
Tools for analyzing objects within an OLE file:
oleid - analyses OLE files to detect specific characteristics usually found in malicious files.
olevba - extracts and analyses VBA Macro source code from MS Office documents (OLE and OpenXML).
mraptor - detects malicious VBA Macros.
msodde - detects and extracts DDE/DDEAUTO links from MS Office documents, RTF and CSV.
pyxswf - detects, extracts and analyses Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.
oleobj - extracts embedded objects from OLE files.
rtfobj - extracts embedded objects from RTF files.
Tools to analyse the structure of OLE files:
olebrowse - is a simple GUI to browse OLE files (e.g., MS Word, Excel, PowerPoint documents), view and extract individual data streams.
olemeta - extracts all standard properties (metadata) from OLE files.
oletimes - extracts creation and modification timestamps of all streams and storages.
oledir - displays all the directory entries of an OLE file, including free and orphaned entries.
olemap - displays a map of all the sectors in an OLE file.
Binary Analysis Tools
binwalk - Binwalk is a tool for searching a given binary image for embedded files and executable code.
de4dot - de4dot is a .NET deobfuscator and unpacker.
pev - pev is a tool to get information of PE32/PE32+ executables (EXE, DLL, OCX etc) like headers, sections, resources and more.
ropper - This package contains scripts that display info about files in different formats and find gadgets to build ROP chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC). For disassembly ropper uses the Capstone Framework.
https://malcat.fr/index.html - Malcat is a feature-rich hexadecimal editor / disassembler for Windows and Linux targeted at IT-security professionals. Inspect dozens of binary file formats, disassemble and decompile different CPU architectures, extract embedded files and scan for YARA signatures or anomalies in a fast and easy-to-use graphical interface.
Email Analysis Tools
https://www.phishtool.com/products/community - PhishTool automatically retrieves all of the relevant metadata from a phishing email, giving you the most comprehensive technical view of the message possible, combined with its OSINT and heuristic detection. It performs strings analysis of the message as well as of attachments and embedded hyperlinks.
Doc Analysis Tools
Peepdf - A Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks.
pdf-parser - This tool will parse a PDF document to identify the fundamental elements used in the analyzed file. It will not render a PDF document.
pdfid - Scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. PDFiD will also handle name obfuscation.
ViperMonkey - A VBA Emulation engine written in Python, designed to analyze and de-obfuscate malicious VBA Macros contained in Microsoft Office files.
Parse and interpret VBA macros
Faster output
Less verbose output
File Unpacker
cabextract - A program which unpacks cabinet (.cab) files, which are a form of archive Microsoft uses to distribute their software and things like Windows Font Packs.
File Encrypt/Decrypt/Crack
Pem File Cracking - Cracks SSL PEM files that hold encrypted private keys. Brute forces or dictionary cracks.
PKZip File Cracking - Breaks PKZip encryption. This package implements an algorithm developed by Eli Biham and Paul Kocher and described in their paper.
The attack is a known plaintext attack, which means you have to know part of the encrypted data in order to break the cipher.
bruteforce-salted-openssl - Try to find the passphrase or password of a file that was encrypted with the openssl command.
ccrypt - ccrypt is a utility for encrypting and decrypting files and streams.
fcrackzip - fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing with unzip its results. It can also crack cpmask’ed images.
nasty - Nasty is a program that helps you to recover the passphrase of your PGP or GPG-key in case you forget or lost it.
pdfcrack - PDFCrack is a simple tool for recovering passwords from pdf-documents.
rarcrack - This program uses a brute force algorithm to guess your encrypted compressed file's password. This program can crack zip, 7z and rar file passwords.
File Conversion Tools
exe2hexbat - A Python script to convert a Windows PE executable file to a batch file and vice versa.
File Artifact Reference
https://filesec.io/ - Resource for seeing which file extensions are used in different types of malware
Strontic xCyclopedia - Huge encyclopedia of executables, DLL files, scripts, even the file paths they are supposed to be under. Contains tons of metadata, file hashes, reputation scores, handles, and so much more!
Winbindex - Index of Windows binaries with file hash, size, the update they shipped with, and much more. Perfect for learning more about a file.
https://github.com/ForensicArtifacts/artifacts/ - A free, community-sourced, machine-readable knowledge base of digital forensic artifacts that the world can use both as an information source and within other tools.
Get an object of forensic artifacts
Now that it is stored in a format we can work with, the queries below give us information at a glance.
Query object for relevant registry keys:
Query object for relevant file paths:
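As an added example of these two queries (not the page's own snippet, and not code from the ForensicArtifacts project): the repository's definitions are YAML documents with a name, doc, supported_os and a list of sources typed REGISTRY_KEY, REGISTRY_VALUE, FILE or PATH; loaded with PyYAML they become the dict shape used below. The three definitions embedded here are constructed samples written in that shape, and the added match_location helper shows one use of the object, checking whether a path or key seen during analysis falls in a known artifact location.

```python
import re

# Constructed sample in the shape yaml.safe_load_all() gives for one of the repo's
# data/*.yaml files (with PyYAML: [d for d in yaml.safe_load_all(f) if d]).
# Names and templates are hand-written here, not copied from the repo.
SAMPLE_ARTIFACTS = [
    {"name": "WindowsRunKeys", "doc": "Run keys (constructed).", "supported_os": ["Windows"],
     "sources": [{"type": "REGISTRY_KEY", "attributes": {"keys": [
         r"HKEY_USERS\%%users.sid%%\Software\Microsoft\Windows\CurrentVersion\Run",
         r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"]}}]},
    {"name": "WindowsStartupFolders", "doc": "Startup folders (constructed).", "supported_os": ["Windows"],
     "sources": [{"type": "PATH", "attributes": {"separator": "\\", "paths": [
         r"%%users.appdata%%\Microsoft\Windows\Start Menu\Programs\Startup\*"]}}]},
    {"name": "WindowsPrefetchFiles", "doc": "Prefetch files (constructed).", "supported_os": ["Windows"],
     "sources": [{"type": "FILE", "attributes": {"separator": "\\", "paths": [
         r"%%environ_systemroot%%\Prefetch\*.pf"]}}]},
]

def registry_keys(artifacts):
    """(artifact name, key) for every REGISTRY_KEY or REGISTRY_VALUE source."""
    out = []
    for art in artifacts:
        for src in art.get("sources", []):
            attrs = src.get("attributes", {})
            if src["type"] == "REGISTRY_KEY":
                out += [(art["name"], k) for k in attrs.get("keys", [])]
            elif src["type"] == "REGISTRY_VALUE":
                out += [(art["name"], kv["key"]) for kv in attrs.get("key_value_pairs", [])]
    return out

def file_paths(artifacts):
    """(artifact name, path template) for every FILE or PATH source."""
    return [(art["name"], p) for art in artifacts for src in art.get("sources", [])
            if src["type"] in ("FILE", "PATH")
            for p in src.get("attributes", {}).get("paths", [])]

def _template_regex(template):
    """%%var%% placeholders match any text, * matches one path component."""
    pieces = [r".+?" if p.startswith("%%") else r"[^\\]*" if p == "*" else re.escape(p)
              for p in re.split(r"(%%[^%]+%%|\*)", template)]
    return re.compile("".join(pieces), re.IGNORECASE)

def match_location(artifacts, observed):
    """Artifacts whose key or path templates cover a location seen during analysis."""
    hits = []
    for name, template in registry_keys(artifacts) + file_paths(artifacts):
        if _template_regex(template).fullmatch(observed) and name not in hits:
            hits.append(name)
    return hits
```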
File Signatures
Binary Analysis Training