Hi there, I'm thinking of using YARA (http://code.google.com/p/yara-project/) as a first action when provided with a whole folder of samples.
My concept is to use the ability of YARA's rules to search binary or ASCII strings in files in order to determine what anti-malware capability it has, i.e. anti-debugging, anti-VM, or even NET USE or reverse shell, so that it would help to speed up the analysis process.
So far I have rules from HBGary's Fingerprint tool as well as those from the Malware Analyst's Cookbook, as well as others that I have researched that will come in handy in finding embedded files in PDFs.
Such strings include simple ones like "/EmbeddedFiles", "/OpenAction", etc. for PDF files or "SetWindowsHookEx" and "GetAsyncKeyState" for keylogging detection.
Are there any suggestions on other strings I could look for in files that are assumed to be already deobfuscated?
Or are there better tools out there to recommend?
Thanks a lot guys! =D
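As an added example (not code from the original post or from any of the rule sets it mentions), here is how the triage idea above looks as a small YARA rule file. It uses only the strings the post names, scopes each rule to a file type with a header check so that a PDF rule does not fire on a random text file, and tags the hit with a `meta` description so the output of a folder scan reads as a capability label rather than a verdict. Rule names, the description text and the `triage_note` field are my own choices.

```yara
// Added example, not from the original post: capability-tagging rules
// built from the strings the post lists. Hits are triage hints only.

rule PDF_Embedded_Or_AutoOpen
{
    meta:
        description = "PDF carrying an embedded file or an automatic open action"
        triage_note = "look for a dropped payload or launch action on open"
    strings:
        $embed = "/EmbeddedFiles" ascii
        $open  = "/OpenAction" ascii
    condition:
        // only consider files that start with the PDF header
        uint32(0) == 0x46445025 and ($embed or $open)
}

rule PE_Keylogging_API_Hints
{
    meta:
        description = "PE importing or referencing keyboard hook / key state APIs"
        triage_note = "check for a hook procedure and any file or network exfil path"
    strings:
        // plain substrings also match the A/W suffixed variants
        $hook = "SetWindowsHookEx" ascii wide
        $key  = "GetAsyncKeyState" ascii wide
    condition:
        // MZ header; both APIs together is a stronger hint than either alone
        uint16(0) == 0x5A4D and all of them
}

rule PE_Remote_Share_Command
{
    meta:
        description = "PE containing a NET USE command string"
        triage_note = "lateral movement or share-mounting behaviour worth a closer look"
    strings:
        $net = "NET USE" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and $net
}
```

Run it over a sample folder with `yara -r rules.yar samples/`; each line of output names the rule that matched and the file, which is the capability label the post is after. Two caveats worth keeping in mind when extending this: the string rules only see what is visible in the file, so packed or obfuscated samples will stay silent until they are unpacked (the post already assumes that), and a single API string is weak evidence on its own, so combine indicators in the `condition` where you can and treat a hit as a reason to look, not as a classification.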