Skip to content
CEH Practical Guide

👾 Malware Threats

Malware is a malicious software designed to disrupt, damage, or gain unauthorized access to computer systems.

It can take many forms, including viruses, worms, trojan horses, ransomware, spyware, adware, and more.

Trojans

Section titled “Trojans”

Trojans are a type of malware that disguise themselves as legitimate software to trick users into installing them.

SwayzCryptor is a tool that cna be used to hide a trojan in a file and make it undetectable by antivirus software.

Theef RAT Trojan can be used to control a victim’s computer remotely.

njRAT njRAT is a remote access trojan (RAT) that allows an attacker to control a victim's computer remotely.

Viruses

Section titled “Viruses”

A virus is a type of malware that attaches itself to a legitimate program or file and spreads to other programs and files when the infected program is executed.

JPS Virus Maker Tool is a tool that can be used to create viruses.

Static Malware Analysis

Section titled “Static Malware Analysis”

Static malware analysis is the process of analyzing malware without executing it.

It involves examining the code, structure, and behavior of the malware to understand its functionality and potential impact.

Online tools

Section titled “Online tools”

There are several online tools that can be used for static malware analysis.

These tools can help you analyze a malware sample by uploading it to their platform or by giving a hash of the file.

VirusTotal
Hybrid Analysis
Valkyrie
Jotti
IObit Cloud
Section titled “String search”

String search is a technique used in static malware analysis to find specific strings or patterns in the code of a malware sample.

Terminal window
# Get all the printable characters in a file
strings file
BinText BinText is a tool that can be used to extract text strings from binary files.
Flare Floss Flare Floss is a tool that can be used to extract strings from malware samples.
Free EXE DLL Resource Extractor Free EXE DLL Resource Extractor is a tool that can be used to extract resources from executable files.
FileSeek FileSeek is a tool that can be used to search inside files for specific strings or patterns.

Disassemblers and debuggers

Section titled “Disassemblers and debuggers”

Disassemblers are tools that convert machine code into assembly language, allowing you to analyze the code of a malware sample.

Disassemblers can help you understand the functionality of the malware and identify any malicious behavior.

Ghidra
IDA Pro
OllyDbg
Radare2
PE Studio
WinDbg

Extract information from executables

Section titled “Extract information from executables”
Terminal window
# Print dependencies of an executable
ldd sample


# Print information about a given file
file sample
PE iDentifier PE iDentifier is a tool that can be used to obtain information about the structure of a PE file.
Detect It Easy Detect It Easy is a tool that can be used to identify the type of file and its structure.
PE Explorer PE Explorer is a tool that can be used to analyze the structure of PE files.
Dependency Walker Dependency Walker is a tool that can be used to analyze the dependencies of executable files.
CFF Explorer CFF Explorer is a tool that can be used to analyze the structure of PE files.

Packers

Section titled “Packers”

Packers are tools that compress or encrypt executable files to make them smaller and harder to analyze.

macro_pack
UPX
PECompact PECompact is a tool that can be used to compress and encrypt executable files.

Dynamic Malware Analysis

Section titled “Dynamic Malware Analysis”

Dynamic malware analysis is the process of analyzing malware by executing it in a controlled environment.

Monitoring tools are used to track changes to the system that may be caused by malware.

CurrPorts CurrPorts is a tool that can be used to monitor network connections and see which processes are using them.
Reg Organizer Reg Organizer is a tool that can be used to perform registry analysis and cleanup.
SrvMan SrvMan is a tool that can be used to manage Windows services.
WinPatrol WinPatrol is a tool that can be used to monitor and manage startup programs.
Mirekusoft Install Monitor Mirekusoft Install Monitor is a tool that can be used to monitor the installation of software.
PA File Sight PA File Sight is a tool that can be used to monitor file access and changes.
DriverView DriverView is a tool that can be used to check the drivers installed on the system.
Driver Reviver Driver Reviver is another tool that can be used to check the drivers installed on the system.
DNSQuerySniffer DNSQuerySniffer is a tool that can be used to monitor DNS queries and responses.

Sysinternals for dynamic analysis

Section titled “Sysinternals for dynamic analysis”

Sysinternals is a suite of tools that can be used for system monitoring and analysis.

Sysinternals tools can be used to monitor processes, network connections, file system activity, and more.

Sysinternals
Autoruns Autoruns is a tool that can be used to see which programs are configured to run at startup.
TCPView TCPView is a tool that can be used to monitor network connections and see which processes are using them.
ProcDump ProcDump is a tool that can be used to monitor and capture process dumps.
ProcMon ProcMon is a tool that can be used to monitor file system, registry, and process/thread activity.