?????????????? ???????????????? ????????

  • Identify the malware author's development environment as thoroughly as possible.
  • Inspect the Details section of the malware stub's file properties (version information). It may contain misleading data.
  • Check for leaked information about where third-party libraries were installed. Cross-check these paths against public references to find sites, forums and blogs that mention them; this can point to the country or group behind the APT.
  • Identify the micro and mini activities performed by PowerShell scripts.
  • Identify how and from where the malware stubs are downloaded.
  • Identify how many infections are downloaded to infect the victim's machine (attackers brute-force their infections: if one does not work, another will).
  • Identify which malware delivery mechanism is used.
  • Identify the naming convention of all files downloaded by the malware stub and link it to any historical APTs.
  • Identify sites that were compromised to host the malware. Identify the CMS, its version, the hosting country and other properties of the website. This helps determine whether APT groups have found a zero-day in a particular CMS that lets them compromise the server and host malware stubs on it.
  • Identify the language ID when a version resource is compiled into a library. It may contain OS artefacts taken directly from Visual Studio.
  • Identify leaked assert paths and external blog references. Some libraries use the "assert()" mechanism to help developers debug unexpected conditions, which leaves the source file path in the binary.
  • Identify the C&C servers used: IP addresses and hostnames.
  • Identify the search patterns and extension lists the malware uses to look for valuable information before exfiltration starts.
  • Compare the malware code with samples used in past campaigns and try to determine the APT campaign.
  • Identify the malware's compilation time and date.
  • Check the registry 'Run' entries.
  • Inspect traffic with Wireshark, especially all outgoing HTTP/HTTPS traffic.
  • Inspect all DNS queries to identify possible exfiltration activity.
  • Identify the main characteristics of the malware sample, including size, type, compiler and cryptographic hash.
  • Identify malware attributes such as functionality, inner workings, strings, API calls and other metadata.
  • Execute the malware in a safe environment and monitor it at runtime to collect artefacts: the processes it interacts with, file system and registry activity, and network activity.
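Several of the static checks above (compilation timestamp, cryptographic hashes, leaked build and assert paths, developer usernames, external URLs) can be pulled from a PE file without running it. The following is an added example, not code from the original article; it parses the DOS and COFF headers with the standard library only and runs against a constructed, non-executable byte string that stands in for a malware stub. Version-resource and language-ID parsing is out of scope here. The sample paths, the username "dev", the URL and the timestamp are all constructed values.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values from the PE specification
MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM (Thumb-2)", 0xAA64: "ARM64"}

WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\")            # strings that look like Windows paths
USER_RE = re.compile(r"\\Users\\([^\\]+)\\")          # profile directory -> developer username


def build_sample() -> bytes:
    """Constructed minimal PE-like image: DOS header, PE signature, COFF header,
    padding and a few embedded strings. It is not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 58)        # e_magic, then zeroed DOS fields
    dos += struct.pack("<I", 0x80)                # e_lfanew at offset 0x3C -> PE header at 0x80
    dos += b"\x00" * (0x80 - len(dos))            # pad up to the PE header
    coff = struct.pack(
        "<HHIIIHH",
        0x014C,       # Machine: IMAGE_FILE_MACHINE_I386
        3,            # NumberOfSections
        0x5F5E1000,   # TimeDateStamp = 1600000000 (constructed link time)
        0, 0,         # PointerToSymbolTable, NumberOfSymbols
        0xE0,         # SizeOfOptionalHeader
        0x0102,       # Characteristics
    )
    strings = (
        b"C:\\Users\\dev\\projects\\stub\\Release\\stub.pdb\x00"   # constructed PDB path
        b"D:\\libs\\thirdparty\\zlib\\inflate.c\x00"               # constructed assert()-style path
        b"https://example.invalid/blog/build-notes\x00"           # constructed external reference
    )
    return bytes(dos) + b"PE\x00\x00" + coff + b"\x00" * 64 + strings


def parse_coff_header(data: bytes) -> dict:
    """Read Machine, NumberOfSections, TimeDateStamp and Characteristics from the COFF header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, timestamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "characteristics": chars,
    }


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Return runs of printable ASCII of at least min_len characters."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def triage(data: bytes) -> dict:
    """Static triage: size, hashes, architecture, link time and leaked developer artefacts."""
    hdr = parse_coff_header(data)
    strings = extract_strings(data)
    paths = [s for s in strings if WIN_PATH_RE.match(s)]
    users = sorted({u for s in paths for u in USER_RE.findall(s)})
    ts = hdr["timestamp"]
    now = int(datetime.now(timezone.utc).timestamp())
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": hdr["machine"],
        "sections": hdr["sections"],
        "compile_time_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        # a zero or future timestamp is a sign the author tampered with it
        "compile_time_plausible": 0 < ts <= now,
        "leaked_paths": paths,
        "pdb_paths": [p for p in paths if p.lower().endswith(".pdb")],
        "usernames": users,
        "urls": [s for s in strings if s.startswith(("http://", "https://"))],
    }


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:24} {value}")
```

The compile timestamp is reported together with a plausibility flag because, as the property-information item above warns, this field is trivially forged; treat it as one input to be cross-checked against first-seen dates and other samples, not as ground truth.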

Image Reference: https://shehackske.medium.com/setting-up-malware-analysis-labs-ea2a7dc65a8c
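The DNS-inspection item in the checklist above is usually done over an exported query log rather than in the packet view. The following is an added example (not part of the original article) that scores queries per client and parent domain using two simple heuristics, unusually long labels and a burst of unique subdomains under one parent, and reports the label entropy as supporting evidence. The log lines, client addresses and the domains "example.com" and "exfil-test.invalid" are constructed; the parent-domain split on the last two labels is a simplification that a real tool should replace with the public suffix list.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log (not from any real capture):
# "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 A www.example.com
2024-01-01T10:00:02Z 10.0.0.5 A mail.example.com
2024-01-01T10:00:03Z 10.0.0.5 AAAA cdn.example.com
2024-01-01T10:00:04Z 10.0.0.5 TXT 4d5a90000300000004000000ffff0000b8.c1.exfil-test.invalid
2024-01-01T10:00:05Z 10.0.0.5 TXT 00000000400000000000000000000000.c1.exfil-test.invalid
2024-01-01T10:00:06Z 10.0.0.5 TXT 00000000000000000000000000000000.c1.exfil-test.invalid
2024-01-01T10:00:07Z 10.0.0.5 TXT 0000000000000000800000000e1fba0e.c1.exfil-test.invalid
2024-01-01T10:00:08Z 10.0.0.5 TXT 00b409cd21b8014ccd21546869732070.c1.exfil-test.invalid
2024-01-01T10:00:09Z 10.0.0.7 A www.example.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score higher than real hostnames."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname: str) -> str:
    """Registered-domain approximation: the last two labels (no public suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_dns_log(log: str, max_label: int = 30, max_unique_subdomains: int = 5) -> list:
    """Group queries by (client, parent domain) and flag groups that look like DNS tunnelling."""
    unique_names = defaultdict(set)    # (client, parent) -> distinct query names
    long_labels = defaultdict(list)    # (client, parent) -> [(label, entropy)]
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                   # skip malformed lines rather than abort the run
        _ts, client, _qtype, qname = m.groups()
        key = (client, parent_domain(qname))
        unique_names[key].add(qname)
        longest = max(qname.split("."), key=len)
        if len(longest) >= max_label:
            long_labels[key].append((longest, round(shannon_entropy(longest), 2)))

    findings = []
    for key, names in unique_names.items():
        reasons = []
        if len(names) >= max_unique_subdomains:
            reasons.append(f"{len(names)} unique subdomains from one client")
        if key in long_labels:
            reasons.append(f"{len(long_labels[key])} labels of {max_label}+ chars")
        if reasons:
            findings.append({
                "client": key[0],
                "domain": key[1],
                "queries": len(names),
                "reasons": reasons,
                "labels": long_labels.get(key, []),
            })
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_DNS_LOG):
        print(finding["client"], finding["domain"], "; ".join(finding["reasons"]))
        for label, ent in finding["labels"]:
            print("   ", label, "entropy", ent)
```

Thresholds are deliberately conservative so that ordinary CDN and mail lookups (three distinct names under example.com in the sample) stay quiet; tune them against a baseline of the environment's own DNS traffic before relying on the output.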

Sneden Michael

Sr. Marketer - Corporate Communication & Branding

3 years

That was a good read ??
