After you have downloaded the executable payload, whether it is shellcode, Java, or Flash, you now have to find more information about it online. Usually, if the kind of file is very new, you will not find anything. However, there might be the occasional blog post or two, so remember to search for the files online. Before you jump into searching, there is a specific routine that you must follow.

Use specific search queries:

  • File Names
  • Hashes (MD5, SHA1, SHA256)
  • Related Websites (Domains, IPs)

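The routine above (file name, the three hashes, related domains and IPs) as a small script. This is an added example, not code from the original post: it hashes a constructed byte string that stands in for a downloaded payload (not a real sample), pulls candidate host names and IPv4 addresses out of it, and turns each pivot into an exact-match search string. The file name and the hosts in the sample bytes are made up for the example.

```python
import hashlib
import re

# Constructed stand-in for a downloaded payload (NOT a real malware sample):
# a few bytes with a URL, an IP:port pair and a bare hostname embedded in them.
SAMPLE_NAME = "invoice_update.jar"   # hypothetical file name
SAMPLE_BYTES = (
    b"PK\x03\x04 constructed sample body\x00"
    b"http://update.example-cdn.test/payload.jar\x00"
    b"connect 198.51.100.23:8080\x00"
    b"mirror files.example-cdn.test\x00"
)

def compute_hashes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of the raw file bytes, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

# A URL: capture the host, then swallow the rest (port, path) so path parts
# such as "payload.jar" are not mistaken for host names.
URL_RE = re.compile(rb"https?://([A-Za-z0-9.\-]+)(?::\d+)?[^\s\x00]*")
# A bare host name: dotted labels ending in an alphabetic top-level domain.
DOMAIN_RE = re.compile(rb"(?<![\w.\-])((?:[a-z0-9\-]+\.)+[a-z]{2,})(?![\w\-])", re.I)
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def extract_indicators(data: bytes) -> dict:
    """Pull candidate domains and IPv4 addresses out of the file bytes."""
    hosts = {m.group(1).decode().lower() for m in URL_RE.finditer(data)}
    remainder = URL_RE.sub(b" ", data)          # scan the non-URL text separately
    hosts |= {m.decode().lower() for m in DOMAIN_RE.findall(remainder)}
    ips = set()
    for raw in IPV4_RE.findall(data):
        if all(int(octet) <= 255 for octet in raw.split(b".")):
            ips.add(raw.decode())
    domains = {h for h in hosts if not IPV4_RE.fullmatch(h.encode())}
    return {"domains": sorted(domains), "ips": sorted(ips)}

def build_queries(name: str, hashes: dict, indicators: dict) -> list:
    """Exact-match (quoted) search strings, one per pivot."""
    queries = [f'"{name}"']
    queries += [f'"{h}"' for h in hashes.values()]
    queries += [f'"{d}"' for d in indicators["domains"]]
    queries += [f'"{ip}"' for ip in indicators["ips"]]
    return queries

def research_plan(name: str, data: bytes) -> dict:
    """Everything you need before you start searching, in one dict."""
    hashes = compute_hashes(data)
    indicators = extract_indicators(data)
    return {"hashes": hashes, "indicators": indicators,
            "queries": build_queries(name, hashes, indicators)}

if __name__ == "__main__":
    plan = research_plan(SAMPLE_NAME, SAMPLE_BYTES)
    for algo, digest in plan["hashes"].items():
        print(f"{algo:7}{digest}")
    print("domains:", plan["indicators"]["domains"])
    print("ips:    ", plan["indicators"]["ips"])
    for q in plan["queries"]:
        print("search:", q)
```

Searching on the hashes lets you check whether anyone has already written the sample up without uploading the file anywhere; if you do upload it to a public scanning service, assume the sample and its existence become visible to others. The regexes are deliberately loose, so treat extracted domains as leads to confirm, not as facts.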
If you did not find anything, be the first to analyze it! Check out our list of tools.

From there you have to use the information you found, and the information you researched, to make a summary of the malicious file(s) and what they do. If there are multiple files that act similarly, you should use the keyword "variant". For example, MeDoS is planned to use 2 different methods and 5 different obfuscation algorithms. You would classify each as follows:

  • MeDoS[M1-O1]
  • MeDoS[M1-O2]
  • MeDoS[M1-O3]
  • MeDoS[M1-O4]
  • MeDoS[M1-O5]
  • MeDoS[M2-O1]
  • MeDoS[M2-O2]
  • MeDoS[M2-O3]
  • MeDoS[M2-O4]
  • MeDoS[M2-O5]
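The Family[Mx-Oy] naming scheme above, as an added example that is not part of the original post. It builds and parses labels, groups analysed samples by their (method, obfuscation) pair, and reports which of the expected combinations have not been seen yet. The sample hashes are constructed placeholders, and the family name MeDoS is used only because the post uses it.

```python
import re
from itertools import product

LABEL_RE = re.compile(r"^(?P<family>[A-Za-z0-9_]+)\[M(?P<method>\d+)-O(?P<obf>\d+)\]$")

def variant_label(family: str, method: int, obfuscation: int) -> str:
    """Build a name in the Family[Mx-Oy] scheme, e.g. MeDoS[M1-O1]."""
    return f"{family}[M{method}-O{obfuscation}]"

def parse_label(label: str) -> tuple:
    """Split a label back into (family, method, obfuscation); reject malformed ones."""
    m = LABEL_RE.match(label)
    if not m:
        raise ValueError(f"not a valid variant label: {label!r}")
    return m["family"], int(m["method"]), int(m["obf"])

def all_labels(family: str, n_methods: int, n_obfuscations: int) -> list:
    """Every label the scheme predicts, methods outermost (the order used in the post)."""
    return [variant_label(family, m, o)
            for m, o in product(range(1, n_methods + 1), range(1, n_obfuscations + 1))]

def catalogue(family: str, samples) -> dict:
    """samples: iterable of (sha256, method, obfuscation). Returns label -> sorted hashes."""
    cat = {}
    for sha256, method, obf in samples:
        cat.setdefault(variant_label(family, method, obf), []).append(sha256)
    return {label: sorted(hashes) for label, hashes in sorted(cat.items())}

def unseen_variants(family: str, n_methods: int, n_obfuscations: int, samples) -> list:
    """Labels the scheme predicts but no analysed sample has matched yet."""
    seen = set(catalogue(family, samples))
    return [label for label in all_labels(family, n_methods, n_obfuscations) if label not in seen]

# Constructed placeholder hashes (not real sample hashes): two samples share
# method 1 / obfuscation 1, one uses method 2 / obfuscation 3.
SAMPLES = [
    ("a" * 64, 1, 1),
    ("b" * 64, 1, 1),
    ("c" * 64, 2, 3),
]

if __name__ == "__main__":
    for label, hashes in catalogue("MeDoS", SAMPLES).items():
        print(label, len(hashes), "sample(s)")
    print("not yet seen:", unseen_variants("MeDoS", 2, 5, SAMPLES))
```

Keeping the catalogue keyed by label rather than by hash is what lets a report say "MeDoS[M1-O1], 2 samples" instead of listing every file; the unseen list is a quick check of which combinations are still only predicted.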

Once you are finished, report your findings ASAP. Many antivirus products do not detect malware until it is already out and someone is infected.

~!Donovan
