Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches, (Sun, Aug 15th)


I was asked for tips to triage MALWARE Bazaar's daily malware batches.

On Linux / macOS, you can unzip a malware batch and triage it with the file command.

There is no file command on Windows, but there are Windows ports you can install, and you can also use my file-magic tool (a Python tool built on the python-magic-bin module).

On Windows, I don't like to unzip the content of a daily malware batch to disk, because the malware samples keep their original extension. For example, a malicious Windows executable will have the extension .exe, like malware.exe, and that makes for a higher risk of inadvertently executing malware.

What I prefer to do is unzip the content of the ZIP file and pipe it into file-magic, like this:

The internal format I use is JSON, hence the -j and --jsoninput options.

Note that this will not be fast: on yesterday's malware batch (170 MB), it took almost 10 minutes. It's more something to use in a daily bash script: download a malware batch, then triage it with zipdump and file-magic.
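As an added illustration of the workflow above (this is example code written for this page, not Didier's zipdump or file-magic), the following Python script reads a batch ZIP entirely in memory, never writes a sample to disk, and emits one JSON record per entry with a magic-number type, size, SHA-256 and a flag for samples whose extension does not match their content. It uses only the standard library, so the magic table is a small hand-written subset of what file(1)/libmagic knows. The archive it triages is a constructed one built in-process with harmless header-only "samples"; the `infected` password mentioned in the comment is the usual MalwareBazaar batch password and is an assumption here, not something the post states.

```python
import hashlib
import io
import json
import zipfile
from pathlib import PurePosixPath
from typing import Optional

# Hand-written magic-number table (constructed for this example; a small subset
# of what file(1)/libmagic recognises). Longer, more specific prefixes first.
MAGIC = [
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "PE executable (MS-DOS MZ header)"),
    (b"%PDF-", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (b"PK\x03\x04", "Zip archive (also OOXML, JAR, APK)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"#!", "script text (shebang)"),
]

# What a file with this extension *should* look like; used to flag samples whose
# extension lies about their content (e.g. an MZ executable named invoice.pdf).
EXPECTED_BY_EXT = {
    ".exe": "PE executable", ".dll": "PE executable", ".scr": "PE executable",
    ".pdf": "PDF document",
    ".doc": "OLE2", ".xls": "OLE2", ".ppt": "OLE2",
    ".docx": "Zip archive", ".xlsx": "Zip archive", ".jar": "Zip archive",
    ".elf": "ELF executable", ".sh": "script text",
}

_TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def identify(data: bytes) -> str:
    """Return a file(1)-style description based on the leading bytes only."""
    for prefix, desc in MAGIC:
        if data.startswith(prefix):
            return desc
    head = data[:512]
    if head and all(b in _TEXT_BYTES for b in head):
        return "ASCII text"
    return "data"


def triage_entry(name: str, data: bytes) -> dict:
    """One JSON-able record per sample: name, size, hash, type, mismatch flag."""
    ftype = identify(data)
    expected = EXPECTED_BY_EXT.get(PurePosixPath(name).suffix.lower())
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": ftype,
        "ext_mismatch": bool(expected) and not ftype.startswith(expected),
    }


def triage_zip(zip_bytes: bytes, pwd: Optional[bytes] = None) -> list:
    """Triage every member of a ZIP held in memory; nothing is written to disk.

    `pwd` is only honoured for the legacy ZipCrypto scheme that CPython's zipfile
    implements; AES-encrypted members raise NotImplementedError.
    """
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            records.append(triage_entry(info.filename, zf.read(info, pwd=pwd)))
    return records


def build_sample_batch() -> bytes:
    """Constructed stand-in for a daily batch: harmless header-only 'samples'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample1.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("sample2.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("sample3.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr("sample4.pdf", b"MZ" + b"\x00" * 30)   # executable hiding behind .pdf
        zf.writestr("sample5.sh", b"#!/bin/sh\necho hi\n")
    return buf.getvalue()


if __name__ == "__main__":
    # For a real batch (assumed: ZipCrypto with the conventional password), e.g.
    #   triage_zip(open("batch.zip", "rb").read(), pwd=b"infected")
    for rec in triage_zip(build_sample_batch()):
        print(json.dumps(rec))
```

Each record is printed as one JSON object per line, which pipes cleanly into jq or a follow-up script. The ext_mismatch flag is the cheap win here: a sample whose bytes say MZ but whose name says .pdf is worth a second look before anything else in the batch.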


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
