DE
DE EN
DE
DE EN
Kontakt
Anmeldung
Themen
Finanzen & Versicherung
Handel
Industrie
IT & Beratung
Tourismus
Transport
Recht
Öffentlich

Malware-Analyse 2023

0
Teilen:

Malware-Analyse: Untersuchung der Funktionalität von bösartiger Software.

Die Methode, mit der die Malware-Analyse durchgeführt wird, lässt sich in der Regel in zwei Kategorien einteilen:

Statische Malware-Analyse: Die statische oder Code-Analyse wird in der Regel durchgeführt, indem die verschiedenen Ressourcen der Binärdatei zerlegt werden, ohne sie auszuführen und jede Komponente zu untersuchen. Die Binärdatei kann auch mit Hilfe eines Disassemblers wie IDA disassembliert (oder zurückentwickelt) werden.

Der Maschinencode kann manchmal in Assembler-Code übersetzt werden, der von Menschen gelesen und verstanden werden kann: Der Malware-Analyst kann dann die Assembler-Anweisungen verstehen und hat eine Vorstellung davon, was das Programm ausführen soll. Einige moderne Schadprogramme werden mit Hilfe von Umgehungstechniken erstellt, um diese Art der Analyse zu umgehen, z. B. durch Einbettung von syntaktischen Codefehlern, die Disassembler verwirren, aber bei der tatsächlichen Ausführung noch funktionieren.

Dynamische Malware-Analyse: Bei der dynamischen oder verhaltensbasierten Analyse wird das Verhalten der Malware beobachtet, während sie tatsächlich auf einem Host-System ausgeführt wird. Diese Form der Analyse wird häufig in einer Sandbox-Umgebung durchgeführt, um zu verhindern, dass die Malware tatsächlich Produktionssysteme infiziert. Viele solcher Sandboxen sind virtuelle Systeme, die nach Abschluss der Analyse leicht wieder in einen sauberen Zustand zurückversetzt werden können.

Die Malware kann auch während der Ausführung mit einem Debugger wie GDB oder WinDbg debuggt werden, um das Verhalten und die Auswirkungen der Malware auf das Host-System Schritt für Schritt zu beobachten, während ihre Anweisungen verarbeitet werden. Moderne Malware kann eine Vielzahl von Umgehungstechniken aufweisen, die darauf abzielen, die dynamische Analyse zu umgehen. Dazu gehören das Testen auf virtuelle Umgebungen oder aktive Debugger, die Verzögerung der Ausführung bösartiger Nutzdaten oder das Erfordernis einer interaktiven Benutzereingabe in irgendeiner Form.

Stufen der Malware-Analyse

Die Untersuchung bösartiger Software umfasst mehrere Schritte, darunter auch die folgenden, aber nicht nur:

  1. Manuelle Codeumkehrung
  2. Interaktive Verhaltensanalyse
  3. Analyse statischer Eigenschaften
  4. Vollständig automatisierte Analyse

Werkzeuge für die binäre Analyse

  • pestudio
  • peid
  • exeinfope
  • PEView
  • Resource hacker : kostenloses Dienstprogramm zur Ressourcenextraktion und Ressourcencompiler für Windows von Angus Johnson
  • HxD : Hex-Editor für Windows von Mael Horz

Disassemblierer

  • IDA Pro: Disassembler von Hex-Rays
  • Radare2 : Disassembler von pancake
  • BinaryNinja : Disassembler von Vector 35

Debugger

  • GNU Debugger: Debugger von GNU
  • WinDbg: Debugger von Microsoft
  • OllyDbg: Debugger von OllyDbg
  • x64Dbg: Debugger von x64Dbg

Malware-Analyse-Tools:

Bedrohungsdaten und IOC-Ressourcen.

Siehe auch: Malwoverview- Eine Suite zur Sichtung von Malware-Mustern und URLs

Malware-Analyse, Erkennung und Klassifizierung

Antivirus und andere Tools zur Erkennung von Malware

  • Analysieren SiePE - Wrapper für eine Vielzahl von Tools zur Auswertung von Windows PE-Dateien.
  • Montagelinie - Ein skalierbarer Rahmen für die Analyse verteilter Dateien.
  • BinaryAlert - Eine quelloffene, serverlose AWS-Pipeline, die hochgeladene Dateien auf der Grundlage einer Reihe von YARA-Regeln scannt und Warnmeldungen ausgibt.
  • chkrootkit - Lokale Linux-Rootkit-Erkennung.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Malware Analysis Online Scanners and Sandboxes

Web-based multi-AV scanners, and malware sandboxes for automated analysis.

    • anlyz.io – Online sandbox.
    • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
    • AVCaesar – Malware.lu online scanner and malware repository.
    • Cryptam – Analyze suspicious office documents.
    • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
    • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
    • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
    • DeepViz – Multi-format file analyzer with machine-learning classification.
    • detux – A sandbox developed to do traffic analysis of Linux malwares and capturing IOCs.
    • DRAKVUF – Dynamic malware analysis system.
    • firmware.re – Unpacks, scans and analyzes almost any firmware package.
    • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
    • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
    • Intezer – Detect, analyze, and categorize malware by identifying code reuse and code similarities.
    • IRMA – An asynchronous and customizable analysis platform for suspicious files.
    • Joe Sandbox – Deep malware analysis with Joe Sandbox.
    • Jotti – Free online multi-AV scanner.
    • Limon – Sandbox for Analyzing Linux Malware.
    • Malheur – Automatic sandboxed analysis of malware behavior.
    • malsub – A Python RESTful API framework for online malware and URL analysis services.
    • Malware config – Extract, decode and display online the configuration settings from common malwares.
    • Malwr – Free analysis with an online Cuckoo Sandbox instance.
    • Metadefender – Scan a file, hash or IP address for malware (free).
    • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
    • PacketTotal – PacketTotal is an online engine for analyzing .pcap files, and visualizing the network traffic within.
    • PDF Examiner – Analyse suspicious PDF files.
    • ProcDot – A graphical malware analysis tool kit.
    • Recomposer – A helper script for safely uploading binaries to sandbox sites.
    • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
    • SEKOIA Dropper Analysis – Online dropper analysis (Js, VBScript, Microsoft Office, PDF).
    • VirusTotal – Free online analysis of malware samples and URLs
    • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
    • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Domain Analysis

Inspect domains and IP addresses.

  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • ZScalar Zulu – Zulu URL Risk Analyzer.

Browser Malware

Analyze malicious URLs. See also the domain analysis und documents and shellcode sections.

  • Firebug – Firefox extension for web development.
  • Java Decompiler – Decompile and inspect Java apps.
  • Java IDX Parser – Parses Java IDX cache files.
  • JSDetox – JavaScript malware analysis tool.
  • jsunpack-n – A javascript unpacker that emulates browser functionality.
  • Krakatau – Java decompiler, assembler, and disassembler.
  • Malzilla – Analyze malicious web pages.
  • RABCDAsm – A “Robust ActionScript Bytecode Disassembler.”
  • swftools – Tools for working with Adobe Flash files.
  • xxxswf – A Python script for analyzing Flash files.

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple Javascript that use eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

File Carving

For extracting files from inside disk and memory images.

  • bulk_extractor – Fast file carving tool.
  • EVTXtract – Carve Windows Event Log files from raw binary data.
  • Foremost – File carving tool designed by the US Air Force.
  • hachoir3 – Hachoir is a Python library to view and edit a binary stream field by field.
  • Scalpel – Another data carving tool.
  • SFlock – Nested archive extraction/unpacking (used in Cuckoo Sandbox).

Deobfuscation

Reverse XOR and other code obfuscation methods.

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.

Memory Forensics

Malware analysis tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts to reverse malwares collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Online DisAssembler

ODA stands for Online DisAssembler. ODA is a general purpose machine code disassembler that supports a myriad of machine architectures.

Built on the shoulders of libbfd and libopcodes (part of binutils), ODA allows you to explore an executable by dissecting its sections, strings, symbols, raw hex, and machine level instructions.

ODA is an online Web Based Disassembler for when you don’t have time or space for a thick client. ODA is a BETA release that is limited by the resource constraints of the server on which it is hosted and the spare time of its creators.

Features:

  • Malware analysis
  • Vulnerability research
  • Visualizing the control flow of a group of instructions
  • Disassembling a few bytes of an exception handler that is going off into the weeds
  • Umkehrung der ersten paar Bytes eines Master Boot Record (MBR), der möglicherweise beschädigt ist
  • Fehlersuche in einem Gerätetreiber für eingebettete Systeme.

https://hackersonlineclub.com/malware-analysis/

https://hackersonlineclub.com/malware-analysis/

Kommentar verfassen

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

lade-bild
London, GB
6:05 am, März 14, 2025
Wetter-Symbol 0°C
L: -2° | H: 1°
wenige Wolken
Luftfeuchtigkeit: 91 %
Druck: 1009 mb
Wind: 3 mph N
Windböe: 4 mph
UV-Index: 0
Niederschlag: 0 mm
Wolken: 12%
Regen Chance: 0%
Sichtbarkeit: 10 km
Sonnenaufgang: 6:16 am
Sonnenuntergang: 6:02 pm
TäglichStündlich
Tägliche VorhersageStündliche Vorhersage
Today 9:00 pm
Wetter-Symbol
-2° | 1°°C 0.86 mm 86% 7 mph 88 % 1017 mb 0 mm/h
Tomorrow 9:00 pm
Wetter-Symbol
1° | 8°°C 0.2 mm 20% 12 mph 93 % 1025 mb 0 mm/h
So. März 16 9:00 pm
Wetter-Symbol
1° | 8°°C 0 mm 0% 9 mph 90 % 1027 mb 0 mm/h
Mo. März 17 9:00 pm
Wetter-Symbol
4° | 7°°C 0 mm 0% 13 mph 92 % 1028 mb 0 mm/h
Di. März 18 9:00 pm
Wetter-Symbol
3° | 9°°C 0 mm 0% 12 mph 78 % 1027 mb 0 mm/h
Today 9:00 am
Wetter-Symbol
1° | 4°°C 0 mm 0% 5 mph 88 % 1009 mb 0 mm/h
Today 12:00 pm
Wetter-Symbol
4° | 5°°C 0 mm 0% 6 mph 77 % 1011 mb 0 mm/h
Today 3:00 pm
Wetter-Symbol
6° | 6°°C 0.69 mm 69% 7 mph 71 % 1013 mb 0 mm/h
Today 6:00 pm
Wetter-Symbol
6° | 6°°C 0.86 mm 86% 5 mph 71 % 1014 mb 0 mm/h
Today 9:00 pm
Wetter-Symbol
4° | 4°°C 0 mm 0% 5 mph 77 % 1017 mb 0 mm/h
Tomorrow 12:00 am
Wetter-Symbol
2° | 2°°C 0 mm 0% 4 mph 80 % 1019 mb 0 mm/h
Tomorrow 3:00 am
Wetter-Symbol
2° | 2°°C 0 mm 0% 5 mph 87 % 1020 mb 0 mm/h
Tomorrow 6:00 am
Wetter-Symbol
1° | 1°°C 0 mm 0% 6 mph 93 % 1021 mb 0 mm/h
Wetter von OpenWeatherMap
Name Preis24H (%)
Bitcoin(BTC)
€75,694.51
-1.20%
Ethereum(ETH)
€1,745.97
1.42%
Fesseln(USDT)
€0.92
-0.01%
XRP(XRP)
€2.12
2.91%
Solana(SOL)
€115.29
1.28%
USDC(USDC)
€0.92
0.00%
Dogecoin(DOGE)
€0.155742
0.69%
Shiba Inu(SHIB)
€0.000011
1.87%
Pepe(PEPE)
€0.000006
0.43%
Risikomonitor
Erkennen und überwachen Sie IT-Schwachstellen mit nur einem Klick, bevor es zu spät ist.

Verbindung zum Dienstprogramm

Nützlicher Link

Newsletter

Folgen Sie uns

Facebook Twitter Youtube Linkedin

© 2025 risikomonitor.com gmbh

Nach oben scrollen