This post outlines the tools commonly used for analyzing malware samples. They fall into three groups, covered in this order: tools for static analysis, tools for dynamic analysis, and tools for network analysis.
CFF Explorer
- Serves as a hex editor.
- Enables editing of resource sections, adding imports, and signature scanning.
- Allows for binary rebuilding.
- Includes UPX utility for packing/unpacking executables.
- Features a built-in Dependency Walker.
Detect It Easy
- Identifies the compiler, packer, and linker used, along with signatures.
- Provides information on the entry point, base address, headers, sections, imports, and resources.
Office MalScanner
- A free command-line tool for detecting malicious code in Microsoft Office documents.
- Capable of locating shellcode, embedded PE files, and OLE streams in Excel, Word, and PowerPoint files.
- Can decompress newer Microsoft Office document formats.
PEiD
- Utilized for detecting packers and compilers.
- Its most valuable plugin, Krypto ANALyzer, identifies common cryptographic algorithms in PE files and allows for exporting this information to IDA Pro.
PEView
- A tool for examining PE file structures, including the PE header, individual sections, and import/export tables.
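What PEView and Detect It Easy display comes straight from the PE headers. The following Python script, added here as an illustration and not part of the original post or of either tool, walks the DOS header, COFF header, optional header and section table of a PE32/PE32+ image and applies a few of the simple packer heuristics those tools formalize in signatures: an entry point outside the first section, sections that are both writable and executable, and sections with no raw data. The input is a constructed, non-runnable PE image built by `build_sample_pe()` that mimics a UPX-style section layout; the function and field names are this example's own.

```python
import struct

# Section characteristics flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    if magic == 0x10B:                                            # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                          # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    table = opt + opt_size                                        # section table follows the optional header
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr, _reloc, _lines,
         _nreloc, _nlines, schars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "characteristics": schars})
    return {"machine": machine, "pe32plus": magic == 0x20B, "image_base": image_base,
            "entry_point": entry_rva, "sections": sections}


def entry_point_section(info: dict):
    """Name of the section whose virtual range contains AddressOfEntryPoint, or None."""
    rva = info["entry_point"]
    for s in info["sections"]:
        size = max(s["virtual_size"], s["raw_size"])
        if s["virtual_address"] <= rva < s["virtual_address"] + size:
            return s["name"]
    return None


def packer_indicators(info: dict) -> list:
    """Cheap layout heuristics of the kind DiE/PEiD signatures formalize; hints, not a verdict."""
    findings = []
    for s in info["sections"]:
        c = s["characteristics"]
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            findings.append("section %s is writable and executable" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append("section %s has no raw data but 0x%x bytes of virtual size"
                            % (s["name"], s["virtual_size"]))
    ep = entry_point_section(info)
    if ep is None:
        findings.append("entry point 0x%x lies outside every section" % info["entry_point"])
    elif info["sections"] and ep != info["sections"][0]["name"]:
        findings.append("entry point is in %s, not the first section" % ep)
    return findings


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image mimicking a UPX-style layout; not a real sample."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                      # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, PE32 opt header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # Magic = PE32
    struct.pack_into("<I", opt, 16, 0x3000)                      # AddressOfEntryPoint inside UPX1
    struct.pack_into("<I", opt, 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)              # SectionAlignment, FileAlignment

    def section(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    secs = (section(b"UPX0", 0x2000, 0x1000, 0, 0x400, 0xE0000080) +      # RWX, no raw data
            section(b"UPX1", 0x1000, 0x3000, 0x400, 0x400, 0xE0000040))   # RWX, holds the stub
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x800, b"\0")


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("machine 0x%x  image base 0x%x  entry 0x%x" % (info["machine"], info["image_base"], info["entry_point"]))
    for s in info["sections"]:
        print("  %-8s VA 0x%06x vsize 0x%06x raw 0x%06x flags 0x%08x"
              % (s["name"], s["virtual_address"], s["virtual_size"], s["raw_size"], s["characteristics"]))
    for f in packer_indicators(info):
        print("  !", f)
```

Running `parse_pe()` on a real file (`parse_pe(open(path, "rb").read())`) prints the same header fields PEView shows; the heuristics are deliberately crude and exist to make the signature-based output of Detect It Easy and PEiD less of a black box.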
Resource Hacker
- A utility for viewing, renaming, modifying, adding, deleting, and extracting resources in PE-formatted binaries.
- Particularly useful for extracting shellcode, embedded executables, DLLs, or drivers that the malware would otherwise drop from its resource section at runtime, so they can be analyzed without executing the malware.
API Monitor
- Enables monitoring and control of API calls made by applications and services.
Autoruns
- Searches various locations (registry keys, startup folders, etc.) for persistence mechanisms and reports the findings in a GUI.
IDA Pro and Hex-Rays Decompiler
- IDA Pro is the leading disassembler for malware analysis.
- Hex-Rays Decompiler converts assembly code into human-readable, C-like pseudocode.
WinDbg
- Debugs both user-mode and kernel-mode malware, on x86 and x64.
OllyDbg
- A user-mode x86 debugger with a GUI.
- Features numerous plugins to enhance functionality.
- Originally developed by Immunity Security Company and rebranded as Immunity Debugger (ImmDBG).
Process Hacker
- A powerful task manager that provides insights into currently running processes.
- Capable of scanning for strings and regular expressions in memory, injecting or unloading DLLs, loading drivers, and starting services.
- Process Explorer and Process Monitor are similar tools, though they offer fewer features.
Regshot
- Takes two registry snapshots, one before and one after running the malware, and compares them.
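To show what that comparison does, here is a small Python diff of two registry snapshots, written for this post as an added example; it is not Regshot code and does not read Regshot's own output files. It parses the Windows `.reg` export format instead (what `reg export` produces), reports added, deleted and modified keys and values, and then flags changes under locations commonly used for persistence. The two snapshots are constructed inline, and the paths, value names and file names in them are made up.

```python
import re

# Constructed "before" and "after" snapshots in .reg export format (not real Regshot output).
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000001
'''

AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\analyst\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\analyst\\AppData\\Roaming\\payload_sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"HideFileExt"=dword:00000000

[HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32]
@="C:\\Users\\analyst\\AppData\\Roaming\\helper_sample.dll"
"ThreadingModel"="Apartment"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # name is quoted or "@" for the default value
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce", "\\InprocServer32", "\\Services\\")


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: raw_data}}; data is kept in its .reg encoding for comparison."""
    snapshot, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        line, pending = pending + line, ""
        if line.endswith("\\"):            # hex:... data continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            snapshot.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = m.group(1)
        if name != "@":
            name = name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        snapshot[current][name] = m.group(2)
    return snapshot


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every difference between two snapshots, Regshot-style."""
    report = {"keys_added": [], "keys_deleted": [], "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            report["keys_added"].append(key)
            report["values_added"].extend((key, n, d) for n, d in after[key].items())
        elif key not in after:
            report["keys_deleted"].append(key)
            report["values_deleted"].extend((key, n, d) for n, d in before[key].items())
        else:
            b, a = before[key], after[key]
            for name in sorted(set(b) | set(a)):
                if name not in b:
                    report["values_added"].append((key, name, a[name]))
                elif name not in a:
                    report["values_deleted"].append((key, name, b[name]))
                elif a[name] != b[name]:
                    report["values_modified"].append((key, name, b[name], a[name]))
    return report


def autostart_changes(report: dict) -> list:
    """Added or modified values under keys commonly used for persistence (a triage aid, not a verdict)."""
    return [e for e in report["values_added"] + report["values_modified"]
            if any(marker in e[0] for marker in AUTOSTART_MARKERS)]


if __name__ == "__main__":
    report = diff_snapshots(parse_reg_export(BEFORE), parse_reg_export(AFTER))
    for kind, entries in report.items():
        for e in entries:
            print("%-15s %s" % (kind, " | ".join(str(x) for x in e)))
    print("autostart-related changes:", len(autostart_changes(report)))
```

On a real host, export the hives of interest before and after detonation (`reg export HKCU before.reg` / `after.reg`), read both files into `parse_reg_export()` and pass the results to `diff_snapshots()`; the noise from the system itself is considerable, which is why Regshot lets you filter paths and why `autostart_changes()` narrows the output first.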
Wireshark
- Captures network traffic generated by malware for protocol analysis.
Tor
- Recommended for safe network connections during malware analysis, such as checking IP addresses or searching for information.
TCPView
- Provides a detailed graphical listing of all TCP and UDP endpoints on the system, showing which process owns each endpoint.
ApateDNS
- Acts as a fake DNS server, spoofing DNS responses to a user-specified IP address by listening on UDP port 53 on the localhost.
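The spoofing ApateDNS performs is a few dozen bytes of protocol work. The Python below, an added example rather than ApateDNS's own code, parses a DNS query, builds a response that answers any A question with a chosen address (copying the transaction ID and question section so the resolver accepts it, and answering non-A questions with an empty response), and includes a minimal UDP loop that binds to localhost port 53 as the text describes. The domain name and addresses in the demonstration are constructed, and `serve()` is not started automatically.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    """Dotted hostname -> DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"


def decode_name(msg: bytes, offset: int):
    """Read a (possibly compressed) name at offset; return (name, offset just past it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query with one question (used here to stand in for a client)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def spoof_response(query: bytes, answer_ip: str, ttl: int = 60) -> bytes:
    """Answer an A/IN question with answer_ip; other types get a response with no answers."""
    txid, flags, qdcount, _, _, _ = struct.unpack_from("!HHHHHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    _qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]
    rflags = 0x8000 | (flags & 0x0100) | 0x0080      # QR=1, copy RD, RA=1, RCODE=0
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, rflags, 1, 0, 0, 0) + question
    # NAME is a pointer to the question name at offset 12; TYPE A, CLASS IN, TTL, RDLENGTH 4.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return struct.pack("!HHHHHH", txid, rflags, 1, 1, 0, 0) + question + answer


def parse_answer(resp: bytes):
    """Return (question name, [A record addresses]) from a response."""
    _txid, _flags, _qd, ancount, _, _ = struct.unpack_from("!HHHHHH", resp, 0)
    qname, off = decode_name(resp, 12)
    off += 4                                         # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _name, off = decode_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(resp[off:off + rdlen]))
        off += rdlen
    return qname, ips


def serve(answer_ip: str, bind: str = "127.0.0.1", port: int = 53) -> None:
    """Blocking UDP loop: log every name asked for and answer it with answer_ip (localhost by default, like ApateDNS)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        try:
            qname, _ = decode_name(query, 12)
            sock.sendto(spoof_response(query, answer_ip), peer)
            print("%s:%d asked for %s -> %s" % (peer[0], peer[1], qname, answer_ip))
        except (ValueError, IndexError, struct.error):
            continue


if __name__ == "__main__":
    # Offline demonstration with a constructed name; call serve("192.0.2.10") to run the listener.
    q = build_query("sample.example.test")
    name, ips = parse_answer(spoof_response(q, "192.0.2.10"))
    print(name, "->", ips)
```

The logged names are the analysis product: they tell you which domains the sample resolves without letting any traffic leave the lab, and pointing `answer_ip` at a host running a listener lets Wireshark capture what the sample sends next.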