As an analyst or IR you will come across many unknown files for analysis which are not present in AV databases, and many incidents pertaining to malware in your day to day work. It is your job to gain an understanding of the characteristics or indicators of these unknown files/malicious software: what these files do to your network/host, find out the legitimacy of the file, and take appropriate steps to safeguard your environment.

2. How to identify it (Indication of compromise)

I will limit this document only to static analysis to keep it short. Let's talk about important indicators of compromise (IOC), or what you need to identify without running tools blindly.

Host based indicators are the artefacts or trails that a malware leaves behind on your host. These artefacts are unique to each malware in most cases.

- Information about the file: size, file name, hash value.
- Binary characteristics: PDB paths, strings.
- What changes it makes to the system: changes to registry keys, files it created, processes it created, directory changes.
- Any other changes on the system: new processes, mutexes.

These are the malware communication trails on your network:

- Domains and IP addresses (malware communicate with C2 servers).
- Protocols and port numbers (DNS, SMTP, HTTP).

Before we move on to getting our hands dirty, let's identify some terminologies and important words used in the malware world.

The PE file format is a data structure used by Microsoft which contains information for the Windows OS loader to manage the executable code. This file format is used by Windows executables, DLLs, and objects. Remember that a PE file header always starts with MZ.
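The host based indicators listed above (file size, hashes, embedded strings, PDB paths, mutex names) and the MZ/PE header check can all be collected without ever executing the sample. The script below is an added example written for this post, not the author's own tooling: it builds a constructed byte string that mimics the start of a PE file (MZ magic, e_lfanew pointing at the "PE\0\0" signature, a few embedded strings) and runs a minimal static triage over it. The function names (`is_pe`, `triage`, and so on) and the sample strings are hypothetical; the same functions work on the bytes of a real file read from disk.

```python
import hashlib
import re
import struct


def build_sample() -> bytes:
    """Constructed sample: a minimal fake DOS/PE header plus a few embedded
    strings. This is NOT a real executable, only enough bytes to exercise the
    checks below."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                          # DOS magic, as the post notes
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: offset of PE signature
    body = b"PE\x00\x00" + b"\x00" * 20       # PE signature followed by padding
    body += b"C:\\Users\\dev\\project\\Release\\agent.pdb\x00"  # PDB path (constructed)
    body += b"http://example.invalid/check-in\x00"            # network trail (constructed)
    body += b"Global\\MyMutex\x00"                            # mutex name (constructed)
    body += b"\x01\x02\x03"
    return bytes(dos) + body


def is_pe(data: bytes) -> bool:
    """True if data starts with MZ and e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # e_lfanew outside the file: corrupt/truncated
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_hashes(data: bytes) -> dict:
    """Hash values are the first IOC you record and share."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def printable_strings(data: bytes, min_len: int = 5) -> list:
    """Runs of printable ASCII at least min_len long, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Patterns for the indicator classes the post lists
PDB_RE = re.compile(r"[A-Za-z]:\\[^\x00]*?\.pdb$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
MUTEX_RE = re.compile(r"^(Global|Local)\\\S+")


def triage(data: bytes) -> dict:
    """Collect static host indicators from raw file bytes."""
    strings = printable_strings(data)
    return {
        "is_pe": is_pe(data),
        "size": len(data),
        "hashes": file_hashes(data),
        "pdb_paths": [s for s in strings if PDB_RE.search(s)],
        "urls": [s for s in strings if URL_RE.search(s)],
        "mutex_names": [s for s in strings if MUTEX_RE.match(s)],
    }


if __name__ == "__main__":
    report = triage(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run it against a real sample, replace `build_sample()` with `open(path, "rb").read()`. The `is_pe` check deliberately refuses files whose e_lfanew points past the end of the data, because a truncated or deliberately malformed header is itself worth noting in the report rather than crashing the triage.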