Malware, File & IOC Analysis

Analyzing Indicators of Compromise!

At some point the c-Champions will need to provide technical resources to the network engineers and stakeholder managers. This section of the Toolkit lists various cyber threat hunting tools for the technical analysts within stakeholder organizations. Below are a series of links and short descriptions of resources for analyzing files, malware and other indicators of compromise (IOCs).

https://totalhash.cymru.com/ – This site provides static and dynamic analysis of submitted malware samples. (Cymru, T. (2016). IP TO ASN MAPPING. Retrieved December 26, 2016, from http://www.team-cymru.org/)

http://research.domaintools.com/buy/domain-typo-finder/ – This tool analyzes a given domain and lists typo variants of it that could lead users to a malicious site instead. (DomainTools. (2016). Retrieved December 26, 2016, from http://www.domaintools.com)

https://incloak.com/ports/ – Port Scanner is a tool that lets you check which ports on a host are open and what service each is associated with. (Free Web Proxy. (n.d.). Retrieved December 26, 2016, from https://incloak.com/)

https://www.hybrid-analysis.com/ – A malware analysis service that accepts files either uploaded from your computer or fetched from a URL. It uses “Hybrid Analysis” technology to identify threats. (Payload Security. (n.d.). Retrieved December 26, 2016, from https://www.hybrid-analysis.com/)

http://malwareblacklist.com/ – This site holds a large, searchable repository of malicious URLs. WARNING: The links on this site are still live; following them without proper precautions (for example, from an isolated analysis environment rather than a production workstation) can result in a breach. (Powered by: ParetoLogic Inc. (n.d.). Retrieved December 26, 2016, from http://malwareblacklist.com/)

http://malware.dontneedcoffee.com/ – A blog covering various malware and phishing campaigns, and tools that can be used to research such attacks. (Malware don’t need Coffee. (n.d.). Retrieved December 26, 2016, from http://malware.dontneedcoffee.com/)

http://mxtoolbox.com/SuperTool.aspx – A tool for looking up IP addresses, domains, or hostnames that returns a wide variety of general information. The site also provides lookup tools for many other record types. (Network Tools: DNS,IP,Email. (n.d.). Retrieved December 26, 2016, from http://mxtoolbox.com/SuperTool.aspx)

https://ransomwaretracker.abuse.ch/tracker/ – A searchable database for finding more information about ransomware. It stores a large amount of useful information, including data that can be used to track ransomware. (Ransomware Tracker. (n.d.). Retrieved December 26, 2016, from https://ransomwaretracker.abuse.ch/)

http://threatstop.com/sinkhole – A site that scans an uploaded log file and reports whether your network shows signs of infection by malware or a DNS changer. (ThreatStop. (n.d.). Retrieved December 26, 2016, from http://threatstop.com/)

https://www.virustotal.com/en/ – A highly regarded site that analyzes suspicious files or URLs and is able to detect any threats they may contain. (VirusTotal – Free Online Virus, Malware and URL Scanner. (n.d.). Retrieved December 26, 2016, from https://www.virustotal.com/en/)

http://zulu.zscaler.com/ – A simple tool for inspecting suspicious URLs. (Zulu URL Risk Analyzer. (n.d.). Retrieved December 26, 2016, from http://zulu.zscaler.com/)

http://network-tools.com/ – A tool for finding information on IP addresses. It can perform whois, ping, DNS record, and other network lookups. (Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS, Email Verification Tools. (n.d.). Retrieved December 26, 2016, from http://network-tools.com/)

https://sandbox.deepviz.com/ – “Deepviz is a cloud based, self-learning threat intelligence platform powered by Deepviz Malware Analysis Engine.” You can submit a file to search for IOCs. (Deepviz – Analyze. (n.d.). Retrieved December 26, 2016, from https://sandbox.deepviz.com/)

https://canar.io/ – “Canario is a service that allows you to search for potentially leaked data that has been exposed on the Internet. Passwords, e-mail addresses, hostnames, and other data have been indexed to allow for easy searching.” (Canario – Welcome. (n.d.). Retrieved December 26, 2016, from https://canar.io/)

https://www.exploit-db.com/search/ – “The Exploit Database has two repositories hosted on GitHub. The main exploit database repository is updated daily and contains all of our exploit & shellcode entries sorted by platform, and the exploit database bin-sploits repository holds binary exploits and proofs of concept.” (Search the Exploit Database. (n.d.). Retrieved December 26, 2016, from https://www.exploit-db.com/search/)


Third-party data enhancements!