Malware Resources

Download before it disappears


Contents:

Videos
Reading
Practice
Setting Up Your Lab
Cheat Sheets

Videos

Malware Hunting with Mark Russinovich and the Sysinternals Tools
https://channel9.msdn.com/events/teched/northamerica/2014/dcim-b368#fbid=
Introduction to Malware Analysis
https://vimeo.com/9474345
https://zeltser.com/malware-analysis-webcast/
Wireshark Tutorial for Beginners 2015
https://www.youtube.com/watch?v=TkCSr30UojM
Reverse Engineering 1
https://www.youtube.com/watch?v=cATBah30jk0
Basic Static Malware Analysis
https://www.youtube.com/watch?v=HMgqRp6r3xU
Basic Dynamic Malware Analysis
https://www.youtube.com/watch?v=2YQ2KqZ4gbo
https://www.youtube.com/watch?v=3TdeYSi6UDQ
Introduction to Memory Forensics
https://www.youtube.com/watch?v=1PAGcPJFwbE
How to Quick Analyze Malware with PEStudio, Wireshark, and VirusTotal
https://www.youtube.com/watch?v=KWAmlfmdWwo
SecTor 2014 - Unmasking Careto through Memory Analysis - Andrew Case
https://player.vimeo.com/video/110388398
The Need for Proactive Defense and Threat Hunting Within Organizations - Andrew Case
https://www.youtube.com/watch?v=751bkSD2Nn8&t=1m48s
Effective, Scalable Threat Detection & Response
https://player.vimeo.com/video/188841308
An In-Depth Analysis of Disassembly on Full-Scale x86/x64 Binaries
https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/andriesse
Unpacking Malware
https://vimeo.com/203252505
Train Like You Fight – Threat Hunting Summit 2016
https://www.youtube.com/watch?v=lxuWlZ0Us_Y
Intrusion Hunting for the Masses: A Practical Guide
https://www.youtube.com/watch?v=YLgycMCPo4c
Easily Extracting Malware from an Office Macro
https://www.youtube.com/watch?v=A49S5xCnWsI
Worms, Viruses, and Other Programmed Pests
https://www.youtube.com/watch?v=4Jy5hRU5des
Using Malware Analysis to Explore the Potential of Malware Vaccination
https://www.sans.org/webcasts/malware-analysis-explore-potential-malware-vaccination-103747
Reading

What is Malware?
https://zeltser.com/what-is-malware/
Malware Analysis for the Incident Responder
https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder
Windows Events Log For IR/Forensics Part I
https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
Forensic Images: For Your Viewing Pleasure
https://www.sans.org/reading-room/whitepapers/forensics/forensic-images-viewing-pleasure-35447
Enterprise Detection and Response
http://detect-respond.blogspot.com/
SANS Incident Response Summit Slides
https://digital-forensics.sans.org/community/summits
Hunt (Endgame blog)
https://www.endgame.com/our-blog
Know Your Network
http://blog.4n6ir.com/2016/10/know-your-network.html
A Soft-ish Introduction to Malware Analysis for Incident Responders
http://www.redblue.team/2016/02/a-soft-introduction-to-malware-analysis.html?m=1
REMnux v6 for Malware Analysis (Part 2): Static File Analysis
https://malwology.com/2016/02/09/remnux-v6-for-malware-analysis-part-2-static-file-analysis/
Robust Static Analysis of Portable Executable Malware
https://github.com/katjahahn/PortEx/tree/master/masterthesis
PEStudio
https://web.archive.org/web/20160910094217/https://aubsec.github.io/dfir/2016/09/01/pe-studio/
SIFT Workstation & REMnux
https://digital-forensics.sans.org/media/Poster_SIFT_REMnux_2016_FINAL.pdf
Malware Attribute Enumeration and Characterization (MAEC)
http://maec.mitre.org/index.html
https://github.com/MAECProject/
Practical Malware Analysis – Sam Bowne
https://samsclass.info/126/126_S16.shtml
CA7038 Malware Analysis
http://class.malware.re/
Some notes on malware - Part 1
https://web.archive.org/web/20170312002807/https://securityblog.gr/4261/some-notes-on-malware-part-1/
Nearly 70% of Packed Windows System files are labeled as Malware
http://sarvamblog.blogspot.com/2013/05/nearly-70-of-packed-windows-system.html
Names…Names Everywhere! The Problem, and Non-Problem, of Name Pollution
http://www.activeresponse.org/names-names-everywhere-the-problem-and-non-problem-of-name-pollution/
PE Section Names
http://www.hexacorn.com/blog/2016/12/15/pe-section-names-re-visited/
Determined Adversaries and Targeted Attacks
https://www.microsoft.com/en-us/download/details.aspx?id=34793
Tools For Unpacking Malware, Part 1. Dumping executables from RWE memory
https://www.vallejo.cc/2017/08/tools-for-unpacking-malware-part-1.html

Threat Hunting

DFIR and Threat Hunting by Jack Crook
https://findingbad.blogspot.com/
Approaches to Threat Hunting
http://good-hunting.infocyte.com/2016/10/03/approaches-to-threat-hunting/
The Who, What, Where, When, Why and How of Effective Threat Hunting
https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
Generating Hypotheses for Successful Threat Hunting
https://www.sans.org/reading-room/whitepapers/threats/generating-hypotheses-successful-threat-hunting-37172
Cyber Threat Hunting
https://cyber-ir.com/2016/01/21/cyber-threat-hunting-1-intro/
https://cyber-ir.com/2016/02/05/cyber-threat-hunting-2-getting-ready/
https://cyber-ir.com/2016/03/01/cyber-threat-hunting-3-hunting-in-the-perimeter/
Building Threat Hunting Strategies with the Diamond Model
http://www.activeresponse.org/building-threat-hunting-strategy-with-the-diamond-model/
A Simple Hunting Maturity Model
http://detect-respond.blogspot.com.es/2015/10/a-simple-hunting-maturity-model.html

Dynamic Analysis

Malware Monday: Regshot
https://medium.com/@mbromileyDFIR/malware-monday-regshot-6826ae22ba29
WinDbg the Easy Way
http://www.debuginfo.com/articles/easywindbg.html
How Breakpoints are Set
http://majantali.net/2016/10/how-breakpoints-are-set/

Memory Forensics

Practical Memory Forensics
https://eforensicsmag.com/memory-forensics/
Detecting Rootkits in Memory Dumps
https://www.terena.org/activities/tf-csirt/meeting27/oesterberg-rootkits.pdf
Incorporating Disk Forensics with Memory Forensics – Bulk Extractor
http://volatility-labs.blogspot.com/2015/01/incorporating-disk-forensics-with.html
Automating Detection of Known Malware through Memory Forensics
http://volatility-labs.blogspot.com.au/2016/08/automating-detection-of-known-malware.html
Advances in Modern Malware and Memory Analysis
http://www.eurecom.fr/en/publication/4686/download/sec-publi-4686.pdf
An Introduction to Mac Memory Forensics
https://isc.sans.edu/diary/An+Introduction+to+Mac+memory+forensics/20989
Creating a Baseline of Process Activity for Memory Forensics
https://www.sans.org/reading-room/whitepapers/forensics/creating-baseline-process-activity-memory-forensics-35387
Volatility User Guide
https://onedrive.live.com/?authkey=%21ALuI5I-2bKSNOoU&cid=96AD7F96113F0C47&id=96AD7F96113F0C47%211686&parId=root&o=OneUp
Volatility, my own cheatsheet
https://andreafortuna.org/volatility-my-own-cheatsheet-part-6-windows-registry-ddbea0e15ff5
Stuxnet’s Footprint in Memory with Volatility 2.0
http://mnin.blogspot.com/2011/06/examining-stuxnets-footprint-in-memory.html
Triaging a System Infected with Poweliks
https://journeyintoir.blogspot.com/2015/01/triaging-system-infected-with-poweliks.html
Next Generation Memory Forensics
http://www.basistech.com/wp-content/uploads/OSDFCon2014/Volatility-OSDFC2014.pdf
Memory Forensics for IR – Leveraging Volatility to Hunt Advanced Actors
http://www.slideshare.net/jared703/vol-ir-jgss114
Mo’ Memory No’ Problem
http://www.tekdefense.com/news/2014/5/29/memory-forensics-presentation-frombsidesnola.html
Mr. Silverlight Drive-by Meet Volatility Timelines
http://journeyintoir.blogspot.com/2014/05/mr-silverlight-drive-by-meetvolatility.html
Tutorial – Volatility Plugins and Malware Analysis
http://tomchop.me/2016/11/21/tutorial-volatility-plugins-malware-analysis/

Reverse Engineering

Reverse Engineering Resources
https://pewpewthespells.com/re.html
Reverse Engineering for Beginners free book
https://beginners.re/
RE Guide for Beginners: Methodology and Tools
https://0x00sec.org/t/re-guide-for-beginners-methodology-and-tools/2242
Learning: Reversing Malware
https://whitehatcheryl.wordpress.com/2017/07/02/learning-reversing-malware/
Radare2 Book
https://www.gitbook.com/book/radare/radare2book/details
Reverse Engineering Reading List
https://github.com/onethawt/reverseengineering-reading-list

Signatures

Malware Cookbook:
https://code.google.com/p/malwarecookbook/source/browse/trunk/3/5/capabilities.yara
AlienVault Labs:
https://github.com/jaimeblasco/AlienvaultLabs
Yara Exchange Group:
http://www.deependresearch.org/2013/02/yara-resources.html
Packer signatures from PEiD:
https://code.google.com/p/malwarecookbook/source/browse/trunk/3/4/packer.yara

Malicious Documents

Office Macros – file extensions, file format (content), and a few handling stereotypes…
http://www.hexacorn.com/blog/2016/11/05/office-macros-file-extensions-file-format-content-and-a-few-handling-stereotypes/
Party like it’s 1999: Comeback of VBA Malware Downloaders [Part 1]
https://www.lastline.com/labsblog/party-like-its-1999-comeback-of-vba-malware-downloaders-part-1/
Malicious Document Analysis – Macro to Shellcode
https://bittherapy.net/malicious-document-analysis-macro-to-shellcode/
Laughing_Mantis-NextGen-Office-Malware-Hushcon-2016.pptx
https://github.com/glinares/OfficeMalware/blob/master/Laughing_Mantis-NextGen-Office-Malware-Hushcon-2016.pptx
MALICIOUS DOCUMENTS – PDF ANALYSIS IN 5 STEPS
https://countuponsecurity.com/2014/09/22/malicious-documents-pdf-analysis-in-5-steps/
Quick and dirty malicious PDF analysis
https://www.securityforrealpeople.com/2017/02/quick-and-dirty-malicious-pdf-analysis.html
Getting Owned By Malicious PDF - Analysis
https://www.sans.org/reading-room/whitepapers/malicious/owned-malicious-pdf-analysis-33443
Analyzing Documents
https://windowsir.blogspot.com/2017/06/analyzing-documents.html
New PowerPoint Mouseover Based Downloader – Analysis Results
https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/
Malicious Documents: The Matryoshka Edition
https://blog.didierstevens.com/2017/04/20/malicious-documents-the-matryoshka-edition/

Linux and Android

https://github.com/michalmalik/linux-re-101
https://linux-audit.com/monitor-for-file-system-changes-on-linux/
http://www.genetic-programming.org/hc2011/05-Farooq/Farooq-Paper.pdf

https://github.com/iBotPeaches/Apktool
https://android.fallible.co
https://www.evilsocket.net/2017/04/27/Android-Applications-Reversing-101/
Android malware analysis with Radare: Dissecting the Triada Trojan
https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
Advanced Android Malware Analysis Tool: apkr
https://n0where.net/advance-android-malware-analysis-tool-apkr/
Beginners Guide to Reverse Engineering Android Apps
https://www.rsaconference.com/writable/presentations/file_upload/stu-w02b-beginners-guide-to-reverse-engineering-android-apps.pdf

Reporting

Report Template for Threat Intelligence and Incident Response
https://zeltser.com/cyber-threat-intel-and-ir-report-template/
Setting Up Your Lab

Creating a Simple Free Malware Analysis Environment
https://www.malwaretech.com/2017/11/creating-a-simple-free-malware-analysis-environment.html
Set up your own malware analysis lab with VirtualBox, INetSim and Burp
https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
Malware Analysis: First Steps - Creating Your Lab
https://medium.com/@xNymia/malware-analysis-first-steps-creating-your-lab-21b769fb2a64
Using Free Windows XP Mode as a VMware Virtual Machine
https://zeltser.com/windows-xp-mode-for-vmware-virtualization/
How to Get a Windows XP Mode Virtual Machine on Windows 8.1
https://zeltser.com/how-to-get-a-windows-xp-mode-virtual-machine-on-windows/
Using VMware for Malware Analysis
https://zeltser.com/vmware-malware-analysis/
Virtualized Network Isolation for a Malware Analysis Lab
https://zeltser.com/vmware-network-isolation-for-malware-analysis/
Building a malware analysis lab
http://www.windowsecurity.com/articles-tutorials/viruses_trojans_malware/Building-Malware-Analysis-Lab.html
Creating a Malware Sandbox in Seconds with Noriben
http://linkis.com/ghettoforensics.com/LamYX
Noriben - Portable, Simple, Malware Analysis Sandbox
https://www.kitploit.com/2016/12/noriben-portable-simple-malware.html
Hackers Find Code Execution Flaw in VMware Workstation
http://www.securityweek.com/hackers-find-code-execution-flaw-vmware-workstation
VMware Workstation and Fusion updates address out-of-bounds memory access vulnerability
https://www.vmware.com/security/advisories/VMSA-2017-0005.html
Sandbox Evasion Techniques
https://www.vmray.com/blog/sandbox-evasion-techniques-part-1/
https://www.vmray.com/blog/sandbox-evasion-techniques-part-2/
https://www.vmray.com/blog/sandbox-evasion-techniques-part-3/
DEFEATING SANDBOX EVASION: HOW TO INCREASE THE SUCCESSFUL EMULATION RATE IN YOUR VIRTUAL ENVIRONMENT
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Chailytko-Skuratovich.pdf
Introducing Malboxes: a Tool to Build Malware Analysis Virtual Machines
https://gosecure.net/2017/02/16/introducing-malboxes-a-tool-to-build-malware-analysis-virtual-machines/
VMware on the Command-line
https://medium.com/@KentGruber/vmware-on-the-command-line-b9a28a5aa16c
Malware Analysis Toolkit
https://zeltser.com/build-malware-analysis-toolkit/
Malware Analysis Automation
https://zeltser.com/malware-analysis-tool-frameworks/
Malware Field Guide Tools
http://malwarefieldguide.com/Chapter_6.html
FAME – FRIENDLY MALWARE EVALUATION FRAMEWORK
https://www.virusbulletin.com/uploads/pdf/magazine/2017/201710-FAME.pdf
Digital Forensics, Part 8: Live Analysis with sysinternals
https://www.hackers-arise.com/single-post/2016/11/29/Digital-Forensics-Part-7-Live-Analysis-with-sysinternals
ProcMon vs. ProcMonX
http://blogs.microsoft.co.il/pavely/2018/01/17/procmon-vs-procmonx/

Environments

Cuckoo
https://cuckoosandbox.org/
anlyz Sandbox
https://sandbox.anlyz.io/
Norman Sandbox
https://www.bluecoat.com/products-and-solutions/malware-analysis
GFI Sandbox
http://www.threattracksecurity.com/enterprise-security/malware-analysis-sandbox-tools.aspx
Anubis
https://anubis.iseclab.org/
Joe Sandbox
http://www.joesecurity.org/
Threat Expert
http://www.threatexpert.com/
BitBlaze
http://bitblaze.cs.berkeley.edu/
Limon Sandbox (Linux malware)
http://malware-unplugged.blogspot.nl/
https://cysinfo.com/10th-meetup-linux-malware-analysis/
https://www.sans.org/reading-room/whitepapers/malicious/introduction-linux-based-malware-36097
Awesome Malware Analysis
https://github.com/rshipp/awesome-malware-analysis
REMnux
http://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system
http://danielleeveir.com/2015/12/06/danielle-eves-guide-to-malware-reverse-engineering-day-2/
https://zeltser.com/remnux-malware-analysis-tips/
Free VMs from Microsoft
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
https://developer.microsoft.com/en-us/windows/downloads/virtual-machines