Add new items here: https://malpedia.caad.fkie.fraunhofer.de/login and see also here https://objective-see.org/.
Types
From ChatGPT
- File infectors: These viruses infect executable files and are spread when the infected file is executed. When an infected file is run, the virus code is activated and can spread to other files on the system. Examples include the Cascade virus and the Jerusalem virus.
- Boot sector viruses: These viruses infect the boot sector of a disk, usually a floppy disk, and are activated when the computer is booted from the infected disk. The virus then spreads to other disks that are accessed by the infected system. Examples include the Stoned virus and the Michelangelo virus.
- Macro viruses: These viruses infect documents that contain macro code, such as Microsoft Word or Excel documents. When the infected document is opened, the virus code is executed and can infect other documents on the system. Examples include the Melissa virus and the ILOVEYOU virus.
- Stealth viruses: These viruses are designed to hide their presence from antivirus software and other detection methods. They do this by intercepting system calls and modifying the results, or by hooking into the operating system and altering its behavior. Examples include the Whale virus and the Meve virus.
- Multipartite viruses: These viruses infect both files and boot sectors, making them harder to detect and remove. They typically spread through infected files and then infect the boot sector of the system, allowing them to survive a system reboot. Examples include the Flip virus and the Invader virus.
- Polymorphic viruses: These viruses use encryption or other techniques to change their code each time they infect a new system, making them difficult to detect and remove. Examples include the W95/CIH virus and the Satanbug virus.
- Worms: While not technically viruses, worms are self-replicating malware that spread through networks or the internet. They typically exploit vulnerabilities in software or operating systems to spread, and can cause significant damage to systems and networks. Examples include the Morris worm and the WannaCry worm.
PE
Import tables: how they work (IMAGE_IMPORT_DESCRIPTOR, INT/IAT thunks, IMAGE_IMPORT_BY_NAME) and how to walk or rebuild them, e.g. after unpacking.
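As a worked example of how the import table is laid out and walked (added here as my own code, not from any of the linked resources or from pefile), the script below builds a constructed, synthetic PE32 image with a single .idata section and then parses it with nothing but struct: it follows the IMPORT data directory to the IMAGE_IMPORT_DESCRIPTOR array, translates RVAs to file offsets through the section table, and walks the thunk arrays to IMAGE_IMPORT_BY_NAME entries or ordinals. The sample image, its offsets, and the kernel32.dll names and ordinal in it are all made up for the demo; `without_int` simulates the case an unpacker deals with, where OriginalFirstThunk has been zeroed and only FirstThunk (the IAT) survives.

```python
import struct

ORDINAL_FLAG = {0x10B: 1 << 31, 0x20B: 1 << 63}   # IMAGE_ORDINAL_FLAG for PE32 / PE32+


def rva_to_offset(sections, rva):
    """Map an RVA to a file offset via the section table (the loader does the reverse)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["raw"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """IMAGE_IMPORT_DESCRIPTOR -> thunk array -> IMAGE_IMPORT_BY_NAME; returns {dll: [func, ...]}."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in ORDINAL_FLAG:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dd_off = 96 if magic == 0x10B else 112                      # DataDirectory start in optional header
    thunk_fmt, thunk_size = ("<I", 4) if magic == 0x10B else ("<Q", 8)
    ord_flag = ORDINAL_FLAG[magic]
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]  # NumberOfRvaAndSizes
    if n_dirs < 2:
        return {}
    imp_rva, _imp_size = struct.unpack_from("<II", data, opt + dd_off + 8)   # entry 1 = IMPORT
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vsize": vsize, "va": va, "rawsize": rawsize, "raw": raw})
    imports = {}
    if imp_rva == 0:
        return imports
    desc = rva_to_offset(sections, imp_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:             # all-zero descriptor ends the table
            break
        dll = read_cstr(data, rva_to_offset(sections, name_rva))
        # Prefer the INT (OriginalFirstThunk); packers and memory dumps may leave only the IAT.
        thunk = rva_to_offset(sections, oft or ft)
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:
                by_name = rva_to_offset(sections, entry & (ord_flag - 1))
                funcs.append(read_cstr(data, by_name + 2))      # skip the 2-byte Hint
            thunk += thunk_size
        imports[dll] = funcs
        desc += 20
    return imports


def build_sample_pe():
    """Constructed minimal PE32 (not a real binary): one .idata section with an import
    directory for kernel32.dll holding two imports by name and one by ordinal."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                                   # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<III", img, opt + 28, 0x400000, 0x1000, 0x200)          # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", img, opt + 56, 0x2000, 0x200)                     # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 0x28)                  # DataDirectory[1] = imports
    struct.pack_into("<8sIIIIIIHHI", img, 0x138, b".idata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0xC0000040)
    sec = 0x200                                                               # RVA 0x1000 maps here
    struct.pack_into("<IIIII", img, sec, 0x1040, 0, 0, 0x1080, 0x1060)        # descriptor; next 20 bytes stay zero
    thunks = struct.pack("<IIII", 0x1090, 0x10B0, 0x80000000 | 42, 0)
    img[sec + 0x40:sec + 0x50] = thunks                                       # INT (OriginalFirstThunk)
    img[sec + 0x60:sec + 0x70] = thunks                                       # IAT (FirstThunk), same on disk
    img[sec + 0x80:sec + 0x8D] = b"kernel32.dll\0"
    img[sec + 0x90:sec + 0xA1] = struct.pack("<H", 0x123) + b"GetProcAddress\0"   # Hint + Name
    img[sec + 0xB0:sec + 0xBF] = struct.pack("<H", 0x456) + b"LoadLibraryA\0"
    return bytes(img)


def without_int(data):
    """Simulate a packed or dumped image: OriginalFirstThunk of the sample's first descriptor zeroed."""
    img = bytearray(data)
    struct.pack_into("<I", img, 0x200, 0)
    return bytes(img)


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_pe()).items():
        print(dll, funcs)
```

For a real file, pass `open(path, "rb").read()` to `parse_imports`; for production work use pefile, which does the same walk plus bound imports, delay-load imports and forwarders. The point of rebuilding by hand is the unpacking case: once a packer has resolved the IAT in memory, the names are gone and only the addresses in FirstThunk remain, so an import-reconstruction tool has to map those addresses back to exported symbols and regenerate the INT and IMAGE_IMPORT_BY_NAME entries this parser reads.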
macOS
Are there packers for macOS? Is there a process for restoring the import table there?
https://medium.com/hackernoon/writing-an-keylogger-for-macos-in-python-24adfa22722
https://stackoverflow.com/questions/61077760/python3-keylogger-for-macos-script-not-working
Windows
- https://2018.offzone.moscow/report/secrets-windows-dpapi/
- https://2018.offzone.moscow/report/hunting-for-privilege-escalation-in-windows-environment/
- youtube.com/watch?v=NqCqfBCV_18
- https://www.apriorit.com/dev-blog/727-win-guide-to-hooking-windows-apis-with-python
General
Malware Unicorn - https://malwareunicorn.org/#/. Labs to check out. The Art of Mac Malware - read and try samples on the OneEye or something. Incident response stuff - https://www.youtube.com/c/TaggartTech
Check out Blue Jupyter tool. Could be very useful for IR as well.
Samples Repos
- theZoo: https://github.com/ytisf/theZoo
- VXUnderground GitHub repo: https://github.com/vxunderground/MalwareSourceCode
- Zeltser Resources: https://zeltser.com/malware-sample-sources/
Go Merlin - https://github.com/Ne0nd0g/merlin
Info
- 🔥 https://unprotect.it/techniques/ - attack techniques, code samples and detection rules.
- 🔥 https://malapi.io - Windows APIs commonly invoked by malware.
- https://glances.readthedocs.io/en/latest/
- https://www.hybrid-analysis.com/sample/9fe55c51af6230c8640e140104645b32ba83ac868bf0f1571733f14761701247
- https://www.f-secure.com/v-descs/trojan-spy_w32_finspy_a.shtml
- https://malshare.com/
Malicious websites: https://zeltser.com/lookup-malicious-websites/
My own is maintained in Notion for now. Planning to turn this into a SQL DB + CLI.
Network
https://malware-traffic-analysis.net https://packettotal.com/malware-archive.html
Walkthroughs
GoLang malware: Palo Alto research on programming language recognition, and the "Analyzing a Go Service Backdoor" video.
Delphi
macOS - In a report on a recent Lazarus APT Group macOS implant, I noted that the group's capabilities continue to evolve, as evidenced in "a new sample with the ability to remotely download and execute payloads directly from memory," thus thwarting various file-based security tools. In "FinFisher Filleted," yet another write-up on a piece of sophisticated macOS malware, I discussed the use of a kernel-level rootkit component. I noted that the rootkit "contains the logic to remove the target process of interest, by unlinking it from the (process) list. Once removed, the process is now hidden." (Patrick Wardle, "FinFisher Filleted: a triage of the FinSpy (macOS) malware," Objective-See, September 26, 2020, https://objective-see.com/blog/blog_0x4F.html and Patrick Wardle, "Lazarus Group Goes 'Fileless'," Objective-See, December 3, 2019, https://objective-see.com/blog/blog_0x51.html.) In a detailed report, "All Your Macs Are Belong To Us," on a vulnerability now patched as CVE-2021-30657, I wrote about how malware was exploiting this flaw to run unsigned and unnotarized code, "bypassing all File Quarantine, Gatekeeper, and Notarization requirements."
macOS Malware
Families: Mami, Dacls, FinSpy, IPStorm, GravityRAT, KitM, NetWire, WindTail.
NetWire
Persists both as a login item and a launch agent (see the persistence artefacts for more information).
GMERA
Launch item. Has a run.sh in the Resources/ dir.
EvilQuest
Prefers being run as a Launch Daemon. But if it finds itself only running with user privileges, it instead creates a user launch agent.
Janicab
Persists a Python script as a cron job. https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab
Wardle, Patrick. The Art of Mac Malware (p. 31). No Starch Press. Kindle Edition.
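The persistence notes above (launch daemon vs. launch agent depending on privilege, a shell script shipped in Resources/, a Python script run from cron) translate directly into a triage script. The following is my own added example, not Wardle's code and not from the book: it parses launchd plists with plistlib and crontab output with shlex, records whether a job came from a daemon directory (runs as root) or an agent directory (runs as the user), and flags script interpreters as the launched program, staging directories, hidden path components, bundle-shipped scripts, and RunAtLoad+KeepAlive combinations. The heuristics, the sample plists, and every label and path in them (com.example.trader, Trader.app, /Users/alice/.t/runner.py) are constructed for the example and are not real-world indicators; `scan_launchd_dirs` performs the live scan of the standard launchd locations.

```python
import plistlib
import shlex
from pathlib import Path

# Triage heuristics (mine, not a vendor signature set).
SCRIPT_INTERPRETERS = {"sh", "bash", "zsh", "python", "python3", "perl", "ruby", "osascript"}
STAGING_DIRS = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def launchd_argv(plist):
    """argv a launchd job executes: Program, if set, overrides ProgramArguments[0]."""
    argv = list(plist.get("ProgramArguments", []))
    if plist.get("Program"):
        argv = [plist["Program"]] + argv[1:]
    return argv


def flag_argv(argv):
    flags = []
    if not argv:
        return ["no-program"]
    if Path(argv[0]).name in SCRIPT_INTERPRETERS:
        flags.append("script-interpreter")
    for arg in argv:
        if arg.startswith(STAGING_DIRS):
            flags.append(f"staging-dir:{arg}")
        if "/Contents/Resources/" in arg and arg.endswith((".sh", ".py", ".scpt")):
            flags.append(f"bundle-script:{arg}")
        if any(p.startswith(".") and p != ".." for p in Path(arg).parts):
            flags.append(f"hidden-path:{arg}")
    return flags


def triage_launchd_plist(data, origin):
    """data: raw plist bytes (XML or binary); origin: 'daemon' (root) or 'agent' (per-user)."""
    p = plistlib.loads(data)
    argv = launchd_argv(p)
    flags = flag_argv(argv)
    if p.get("RunAtLoad") and p.get("KeepAlive"):
        flags.append("runatload+keepalive")          # relaunched immediately if killed
    return {"label": p.get("Label"), "origin": origin, "argv": argv, "flags": flags}


def triage_crontab(text):
    """Flag crontab lines (5 schedule fields + command); env lines and @-shortcuts are skipped."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@")):
            continue
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        argv = shlex.split(parts[5])
        jobs.append({"schedule": " ".join(parts[:5]), "argv": argv, "flags": flag_argv(argv)})
    return jobs


def scan_launchd_dirs(dirs=None):
    """Live scan; run `crontab -l` separately and feed its output to triage_crontab()."""
    if dirs is None:
        dirs = ((Path("/Library/LaunchDaemons"), "daemon"),
                (Path("/Library/LaunchAgents"), "agent"),
                (Path.home() / "Library/LaunchAgents", "agent"))
    results = []
    for d, origin in dirs:
        for f in (sorted(d.glob("*.plist")) if d.is_dir() else []):
            try:
                results.append(triage_launchd_plist(f.read_bytes(), origin))
            except Exception as exc:                  # a malformed plist is itself worth a look
                results.append({"label": str(f), "origin": origin, "argv": [], "flags": [f"unparseable:{exc}"]})
    return results


# Constructed sample inputs (hypothetical labels and paths, not real indicators).
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array><string>/usr/libexec/example-updater</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

BUNDLE_SCRIPT_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.trader</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Applications/Trader.app/Contents/Resources/run.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

SAMPLE_CRONTAB = """# m h dom mon dow command
PATH=/usr/bin:/bin
*/1 * * * * /usr/bin/python3 /Users/alice/.t/runner.py >/dev/null 2>&1
"""

if __name__ == "__main__":
    for r in scan_launchd_dirs():
        if r["flags"]:
            print(r["origin"], r["label"], r["flags"])
```

The `origin` field is what makes the EvilQuest observation actionable: the same plist found under /Library/LaunchDaemons means the payload obtained root at install time, while under ~/Library/LaunchAgents it ran with user privileges only. Login items (NetWire) are not covered here; they live in the user's backgrounditems.btm / LoginItems database rather than in a plist directory.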