Malware Analysis

Forensics CheatSheets

https://www.jaiminton.com/cheatsheet/DFIR/#

Online Services

Offline antivirus

Yara

Install

sudo apt-get install -y yara

Prepare rules

Use this script to download and merge all the yara malware rules from github: https://gist.github.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9 Create the rules directory and execute it. This will create a file called malware_rules.yar which contains all the yara rules for malware.

wget https://gist.githubusercontent.com/andreafortuna/29c6ea48adf3d45a979a78763cdc7ce9/raw/4ec711d37f1b428b63bed1f786b26a0654aa2f31/malware_yara_rules.py
mkdir rules
python malware_yara_rules.py

Scan

yara -w malware_rules.yar image  #Scan 1 file
yara -w malware_rules.yar folder #Scan hole fodler

ClamAV

Install

sudo apt-get install -y clamav

Scan

sudo freshclam      #Update rules
clamscan filepath   #Scan 1 file
clamscan folderpath #Scan the hole folder

rkhunter

Tools like rkhunter can be used to check the filesystem for possible rootkits and malware.

sudo ./rkhunter --check -r / -l /tmp/rkhunter.log [--report-warnings-only] [--skip-keypress]

PEpper

PEpper checks some basic stuff inside the executable (binary data, entropy, URLs and IPs, some yara rules).

PreviousLinux Forensics NextMemory dump analysis

Last updated 4 years ago

hashtagForensics CheatSheets

hashtagOnline Services

hashtagOffline antivirus

hashtagYara

hashtagInstall

hashtagPrepare rules

hashtagScan

hashtagClamAV

hashtagInstall

hashtagScan

hashtagrkhunter

hashtagPEpper

Forensics CheatSheets

Online Services

Offline antivirus

Yara

Install

Prepare rules

Scan

ClamAV

Install

Scan

rkhunter

PEpper