Plan of Action: Malware Analysis Project
1. Project Overview
Objective: Analyze a piece of malware to understand its behavior, functionality, and potential impact.
Goal: Document the malware analysis process, provide actionable insights, and build a portfolio-worthy project showcasing your cybersecurity skills.
2. Preparation
2.1. Set Up Your Environment
Create a dedicated malware analysis lab to prevent accidental infection:
Use a virtualized environment (e.g., VirtualBox, VMware).
Set up a virtual machine with Kali Linux and a Windows instance (e.g., Windows 10).
Isolate the lab from your network (use NAT or a host-only network).
Install required tools:
Static Analysis Tools: Strings, Ghidra, IDA Free, PEiD, VirusTotal.
Dynamic Analysis Tools: Procmon, Wireshark, Process Hacker, Sysinternals Suite.
Disassembly/Decompilation Tools: Radare2, Ghidra, Binary Ninja.
Sandbox for Analysis: Cuckoo Sandbox or Hybrid Analysis.
2.2. Choose Malware Sample
Obtain a sample from a trusted source for researchers (e.g., MalwareBazaar, ANY.RUN, VirusShare).
Verify the sample's integrity by computing its hash (e.g., MD5, SHA256) and comparing it with the hash published by the source.
2.3. Documentation Setup
Create a GitHub repository for your project.
Structure your repository:
|-- README.md
|-- Analysis_Report.md
|-- Tools_Used.md
|-- Scripts/
|-- Screenshots/
Use Markdown files to document each step clearly.
3. Malware Analysis Workflow
3.1. Static Analysis
Perform initial inspection without executing the malware:
Identify the file type (e.g., .exe, .dll, .pdf).
Analyze metadata (e.g., using PEiD or ExifTool).
Extract strings (e.g., using the strings command or BinText).
Check for suspicious API calls or functions.
Look up the file hash on VirusTotal to check for known detections.
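As an added example (not part of the original plan), a small Python triage script that covers the hash check from 2.2 and the first-pass static checks from 3.1: it verifies the SHA256 against the value published by the source, identifies the file type from magic bytes, extracts printable strings the way `strings` does, and flags API names worth a closer look. The sample bytes, the magic table and the API list are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a file read from disk (NOT a real sample): MZ header, strings, filler.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"kernel32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    + b"http://example.invalid/update\x00" + bytes(range(256))
)
# Magic bytes for the file types the plan mentions.
MAGIC = {b"MZ": "PE executable (.exe/.dll)", b"%PDF": "PDF document", b"\x7fELF": "ELF executable"}
# API names often seen in injection / download / persistence code; a triage hint, not a verdict.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
                   "URLDownloadToFileA", "WinExec", "RegSetValueExA"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_hash(data: bytes, expected_sha256: str) -> bool:
    # Compare with the hash published by the sample source before doing anything else.
    return sha256_hex(data) == expected_sha256.strip().lower()

def identify_type(data: bytes) -> str:
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    # Same idea as `strings -n 4`: runs of printable ASCII at least min_len long.
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def triage(data: bytes, expected_sha256: str) -> dict:
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "hash_ok": verify_hash(data, expected_sha256),
        "file_type": identify_type(data),
        "string_count": len(strings),
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
    }

if __name__ == "__main__":
    # The expected hash normally comes from the sample source; here the sample's own hash is used.
    for key, value in triage(SAMPLE_BYTES, sha256_hex(SAMPLE_BYTES)).items():
        print(f"{key}: {value}")
```

Replace SAMPLE_BYTES with `open(path, "rb").read()` and the expected hash with the one from the source to run it on a real file in the lab.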
3.2. Dynamic Analysis
Execute the malware in the isolated lab and monitor behavior:
Use tools like Procmon and Wireshark to observe runtime behavior.
Monitor system changes (file creation, registry edits, network connections).
Capture screenshots and logs for documentation.
Pay attention to indicators of compromise (IoCs):
Network activity (IP addresses, domains, protocols).
Changes in system files or processes.
3.3. Reverse Engineering (Optional)
Disassemble or decompile the malware:
Use Ghidra or IDA Free for in-depth code analysis.
Focus on functions of interest (e.g., encryption routines, payload delivery mechanisms).
Document the malware’s control flow and logic.
4. Documentation and Reporting
4.1. Analysis Report
Include the following sections:
Introduction: Brief overview of the malware.
Environment Setup: Details of the lab and tools used.
Static Analysis Findings: Summarize key observations.
Dynamic Analysis Findings: Highlight behavior and IoCs.
Reverse Engineering Findings (if applicable): Explain key functionality.
Conclusion: Summarize insights and recommendations.
4.2. README File
Provide an overview of the project, purpose, and how to navigate the repository.
Include instructions to replicate the analysis (optional).
5. Validation and Final Touches
Review your findings and ensure accuracy.
Add comments and explanations to any scripts written during analysis.
Proofread your documentation for clarity.
Push the project to GitHub and share it on platforms like LinkedIn to showcase your work.
6. Learning and Reflection
Note challenges faced and how you overcame them.
Plan improvements for your next analysis project.