Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches
Last Updated: 2021-08-15 21:35:25 UTC
by Didier Stevens (Version: 1)
I was asked for tips to triage MALWARE Bazaar's daily malware batches.
On Linux / macOS, you can unzip a malware batch and triage it with the file command.
There is no file command on Windows, but there are Windows versions you can install, and you can also use my file-magic tool (it's a Python tool that uses Python module python-magic-bin).
On Windows, I don't like to unzip the content of a daily malware batch to disk, because the malware samples have their original extension. For example, a malicious Windows executable will have extension .exe, like malware.exe. And that makes for a higher risk of inadvertenly executing malware.
What I prefer to do, is unzip the content of the ZIP file and pipe that into file-magic, like this:
The internal format I use is JSON, hence the -j and --jsoninput options.
Remark that this will not be fast: on yesterday's malware batch (170 MB), it took almost 10 minutes. It's more something to use in a daily bash script: download a malware batch, and triage it with zipdump and file-magic.