1) Rename the sample to an extension the OS will not execute, so it cannot be run by accident (a stray double-click or a mistyped command). For example:
#mv ./test.exe ./test.ex_
2) Scan test.ex_ with ClamAV and with your YARA rule set. A clean result only means no signature or rule matched; it does not clear the file.
3) Look up the hash of test.ex_ in the Team Cymru Malware Hash Registry. md5sum prints the hash followed by the file name, so pass only the first field to whois:
#whois -h hash.cymru.com $(md5sum ./test.ex_ | cut -d' ' -f1)
A known hash comes back with a last-seen timestamp and an AV detection percentage; NO_DATA means the registry has never seen it, not that the file is benign.
4) Run strings on test.ex_ and look for URLs, IP addresses, registry keys, file paths, interpreter names (cmd.exe, powershell) and API names as shown below. Windows binaries carry many UTF-16LE strings that the default run misses; repeat it with -e l. A packed sample yields few meaningful strings until it is unpacked.
strings ./test.ex_
5) Run PEiD against test.ex_ to see whether it is packed and, if so, by what. PEiD matches on signatures, so an unknown packer gives no hit; section names such as UPX0/UPX1 and sections whose entropy is close to 8 bits per byte are the manual fallback.
6) Check the APIs test.ex_ imports with Dependency Walker (http://www.dependencywalker.com/). Imports such as CreateRemoteThread, WriteProcessMemory or URLDownloadToFile hint at what the sample does. A packed sample usually imports little beyond LoadLibrary and GetProcAddress and resolves the rest at runtime, so its import table only tells the full story after unpacking.
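The script below carries the static steps above through end to end and is an added example, not code from the original post. It derives the defanged file name, computes the hashes (the md5 is what the Cymru whois query takes), pulls printable strings and flags the suspicious ones, and walks the PE section table for packer indicators as a stand-in for PEiD. The PE it analyses is constructed inside the script so it runs offline and is not a real binary; the packer section names and the suspicious-string patterns are my own lists, not from the post. Python is used rather than a shell one-liner because parsing the section table in shell is awkward.

```python
#!/usr/bin/env python3
"""Static triage of a PE sample: defanged name, hashes, strings, packer indicators.
Added example, not from the original post; the sample PE is constructed below."""
import hashlib
import math
import os
import re
import struct
from collections import Counter

# Section names used by common packers (my list, not from the post).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                   ".vmp0", ".vmp1", ".MPRESS1", ".MPRESS2", ".petite"}
# URLs, IPv4 addresses, registry hives, interpreters and APIs typical of
# injection, downloading and anti-debugging (my list, not from the post).
SUSPICIOUS = re.compile(
    rb"https?://|\b\d{1,3}(\.\d{1,3}){3}\b|HKEY_|cmd\.exe|powershell|"
    rb"CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|IsDebuggerPresent|"
    rb"URLDownloadToFile", re.I)
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def defang_name(path):
    """Step 1: test.exe -> test.ex_ so nothing treats the file as runnable."""
    root, ext = os.path.splitext(path)
    return (root + ext[:-1] + "_") if ext else (path + "_")


def hashes(data):
    """Step 3: the md5 is the only thing that goes after 'whois -h hash.cymru.com'."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def strings(data, min_len=4):
    """Step 4: printable ASCII runs, what strings(1) prints by default."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def suspicious_strings(data):
    return [s for s in strings(data) if SUSPICIOUS.search(s.encode("ascii"))]


def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def pe_sections(data):
    """Step 5: DOS header -> e_lfanew -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsect, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "vsize": vsize, "rsize": rsize, "chars": chars,
                         "entropy": round(entropy(data[rptr:rptr + rsize]), 2)})
    return sections


def packer_indicators(sections):
    """What a human checks when PEiD has no signature for the packer."""
    hits = []
    for s in sections:
        if s["name"] in PACKER_SECTIONS:
            hits.append("section name " + s["name"])
        if s["rsize"] and s["entropy"] > 7.0:
            hits.append("high entropy %s (%.2f)" % (s["name"], s["entropy"]))
        if s["rsize"] == 0 and s["vsize"] and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(s["name"] + " executable but empty on disk (unpacks at runtime)")
    return hits


def build_sample():
    """Constructed two-section PE32 with UPX-style sections; not a real binary."""
    payload = (b"\0" * 16 + b"http://example.invalid/stage2.bin\0"
               + b"CreateRemoteThread\0" + b"Hello from the sample\0")
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = b"\x0b\x01" + b"\0" * 222                                  # PE32 magic, rest zero
    sec = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec += struct.pack("<8sIIIIIIHHI", b"UPX1", len(payload), 0x2000, len(payload),
                       0x200, 0, 0, 0, 0, 0xE0000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + payload


if __name__ == "__main__":
    # For a real file: os.rename(p, defang_name(p)); data = open(defang_name(p), "rb").read()
    data = build_sample()
    print(hashes(data)["md5"], suspicious_strings(data), packer_indicators(pe_sections(data)))
```

The constructed sample has a UPX0 section that is executable but has no bytes on disk and a UPX1 section holding the strings, which is the shape a UPX-packed binary has: the stub in UPX1 inflates the real code into UPX0 at runtime, so the indicators fire on the section names and the empty executable section even though the tiny payload here is not high-entropy.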