CHECKLIST FOR BASIC MALWARE ANALYSIS

START WITH BASIC STATIC ANALYSIS

0. Get the sample into the VM's directories.
1. Enable the network (NAT interface).
2. Upload to virustotal.com - get the MD5 and the results.
3. Get information from PEView:
   - When was it compiled?
   - How is it started (for a DLL)?
4. Use strings & PEiD to see if it is packed:
   - Is it a .NET program or a native PE file?
   - What entropy?
5. Use Dependency Walker to see the DLLs used:
   - Is it directly calling low-level DLLs?
   - Does it do networking?
   - Can it change the registry?
   - Does it use mutexes?

Questions to answer:
- Does it look like malware?
- Known?
- Cryptic strings?
- Packed?

USE OF BASIC DYNAMIC TOOLS

0. Isolate the VM instance:
   - Make sure you have a backup/clone... Take a snapshot!
   - Turn off the network (use VMnet0).
   - Disable file shares.
1. Start Process Explorer.
2. Run Procmon:
   - Enable file and registry tracking.
   - Add a Command Line filter to look for the executable name.
3. Set up the virtual network:
   - Start Linux to run INetSim.
   - Edit Menu > Virtual Network Editor.
   - Run ApateDNS in the guest OS.
4. Log network traffic using Wireshark.
5. Take a snapshot of the registry (Regshot).
6. Start running it:
   - You don't need to authorize it...

Questions to answer:
- Does it write files/mutexes? Especially installing programs.
- Does it change the registry? Especially setting autoruns.
- Does it send information on the network?
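The static-analysis steps above (hashes, compile time, DLL vs. EXE, .NET vs. native, entropy as a packing hint, and the DLL/API names that point at networking, registry and mutex use) can be scripted from the raw PE headers with the standard library alone. The following is an added example, not part of the original checklist; the watchlist of API names and the minimal PE built by build_sample_pe() are constructed for offline testing and are assumptions, not a real binary.

```python
import hashlib, math, re, struct
from collections import Counter
from datetime import datetime, timezone

# Constructed watchlist (an assumption, not an authoritative list): strings whose
# presence in an unpacked sample hint at the capabilities the checklist asks about.
WATCHLIST = {
    "networking": ("wininet.dll", "ws2_32.dll", "InternetOpen", "URLDownloadToFile", "WSAStartup"),
    "registry": ("RegSetValue", "RegCreateKey", "RegOpenKey", "CurrentVersion\\Run"),
    "mutex": ("CreateMutex", "OpenMutex"),
}

def entropy(buf):
    """Shannon entropy in bits per byte: ~8.0 suggests packed/encrypted data, plain code is usually below 7."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def printable_strings(data, min_len=5):
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Static triage of one PE image: hashes, timestamp, DLL/.NET flags, per-section entropy, API hints."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HIIIHH", data, pe + 6)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]                    # 0x10B = PE32, 0x20B = PE32+
    dd = opt + (112 if magic == 0x20B else 96)                        # first data directory entry
    ndirs = struct.unpack_from("<I", data, dd - 4)[0]
    clr_rva = struct.unpack_from("<I", data, dd + 14 * 8)[0] if ndirs > 14 else 0  # CLR header = .NET
    sections = {}
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode(errors="replace")] = round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2)
    found = printable_strings(data)
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            "compiled": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "is_dll": bool(chars & 0x2000), "is_dotnet": clr_rva != 0,     # 0x2000 = IMAGE_FILE_DLL
            "sections": sections, "packed_suspect": any(e > 7.0 for e in sections.values()),
            "capabilities": {cat: [s for s in found if any(k in s for k in keys)] for cat, keys in WATCHLIST.items()}}

def build_sample_pe(payload, timestamp=1700000000, dll=False, dotnet=False):
    """Constructed minimal PE32 with one section, for offline testing only; it is not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew -> offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x0102 | (0x2000 if dll else 0))
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 92, 16)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2000, 0x48)       # fake CLR directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".data", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0xC0000040)
    return (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(512, b"\0") + payload.ljust(512, b"\0")

# Constructed sample strings standing in for an import table and a persistence key.
SAMPLE_PAYLOAD = b"\0".join([b"wininet.dll", b"InternetOpenA", b"RegSetValueExA",
                             b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"CreateMutexA"])

if __name__ == "__main__":
    for key, value in triage(build_sample_pe(SAMPLE_PAYLOAD)).items():
        print(f"{key}: {value}")
```

A section entropy near 8.0 or a present CLR directory means the string watchlist is unreliable until the sample is unpacked or inspected with a .NET decompiler, which is exactly when the checklist moves on to the dynamic tools.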