SANS ISC: Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches

I was asked for tips to triage MALWARE Bazaar's daily malware batches.

On Linux / macOS, you can unzip a malware batch and triage it with the file command.

There is no file command on Windows, but there are Windows ports you can install, and you can also use my file-magic tool (a Python tool built on the Python module python-magic-bin).

On Windows, I don't like to unzip the content of a daily malware batch to disk, because the malware samples keep their original extension. For example, a malicious Windows executable will have the extension .exe, like malware.exe, and that makes for a higher risk of inadvertently executing malware.

What I prefer to do is read the content of the ZIP file with zipdump and pipe that into file-magic, like this:

The internal format I use is JSON, hence the -j and --jsoninput options.

Note that this will not be fast: on yesterday's malware batch (170 MB), it took almost 10 minutes. It's more something to use in a daily bash script: download a malware batch, and triage it with zipdump and file-magic.
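The same idea, as an added example that is not part of the diary and does not use zipdump or file-magic: read a batch ZIP entirely in memory, never write a sample to disk under its original name, identify each entry from its leading bytes, and emit a JSON report with SHA256, size and type. It covers both the Linux/macOS "unzip and run file" tip and the Windows "pipe it, don't extract it" tip above. Assumptions: the batch is a ZIP encrypted with the password "infected" (the constructed test batch is unencrypted only because Python's zipfile cannot write encrypted archives), and a small built-in signature table stands in for libmagic so the script runs offline; for real batches, replace identify() with python-magic.

```python
"""In-memory triage of a MalwareBazaar-style daily batch (added example, not the diary's code)."""
import hashlib
import io
import json
import zipfile
from collections import Counter

# Assumption: daily batches are ZIPs protected with this password.
BATCH_PASSWORD = b"infected"

# Leading-byte signatures checked in order; a stand-in for libmagic, not a replacement.
SIGNATURES = [
    (b"MZ", "PE executable (MZ header)"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also OOXML, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (b"\x7fELF", "ELF executable"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"#!", "script with shebang"),
]


def identify(data: bytes) -> str:
    """Return a coarse type label for a blob based on its first bytes."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "unknown/binary"


def triage_batch(zip_bytes: bytes, password: bytes = BATCH_PASSWORD) -> list:
    """Walk every entry of the batch in memory; nothing is written to disk."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # pwd is only used for encrypted entries; real batches are encrypted.
            data = zf.read(info, pwd=password)
            results.append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "type": identify(data),
            })
    return results


def summarize(results: list) -> dict:
    """Count of samples per detected type, the number you want in a daily report."""
    return dict(Counter(r["type"] for r in results))


def build_sample_batch() -> bytes:
    """Constructed stand-in for a daily batch: harmless bytes under malware-like names."""
    samples = {
        "malware.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "report.docm": b"PK\x03\x04" + b"\x00" * 26,
        "notes.txt": b"plain text, nothing to see here\n",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in samples.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_batch(build_sample_batch())
    print(json.dumps({"samples": report, "summary": summarize(report)}, indent=2))
```

To run it against a downloaded batch, pass the file's bytes to triage_batch() instead of build_sample_batch(); the samples only ever exist as Python bytes objects, so no malware.exe lands on the filesystem where a double-click or a file association could run it.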


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

Aug 15th 2021