Malware Analysis Checklist

The document outlines a comprehensive list of activities and tools for conducting malware analysis and incident response. It includes steps for data collection, log analysis, traffic inspection, and identifying malware characteristics. The document serves as a guide for investigators to systematically analyze and respond to potential malware incidents.

Uploaded by rsimar444
Columns: Sr. No. | Activity | Tools | How to do

1. Fill in the incident response interview question list on site (project)
Tools: Manual; 1) Field interview questions – spreadsheet; 2) Field notes – spreadsheet
How to do: Ask for the incident response interview question sheet and fill in the relevant data. It looks professional and it helps plan your investigation.

2. Log analysis
Tools: 1) Manual; 2) Installed products by vendors (IDS/IPS/Firewall/Proxy etc.)
How to do: Check the areas below, from which the source of the alert can be found: 1) A user may complain/alert about suspicious activity going on in his/her system; 2) Proxy logs & alerts; 3) Firewall logs; 4) SIEM logs & alerts (IDS/IPS etc.); 5) Endpoint protection (McAfee/Sophos/Symantec etc.).

3. Areas to look for
Tools: N/A
How to do: These are the areas to look at for malware analysis: 1) User profile; 2) Registry run keys; 3) Prefetch folder; …; Browser history and caches.

4. Traffic inspection using Wireshark
Tools: Wireshark
How to do: 1) Check the Info column for any malicious activity name; 2) Check the Info column for any unknown service name; 3) Analyze port-specific traffic using the filter tcp.port==443, then follow the TCP stream; 4) Check all HTTP POST requests that may be uploading system screenshots to some domain in the background (the filename may carry a .jpg extension inside the POST body). Navigate to the path of the screenshot that is being uploaded to the web server and verify whether or not it is a screenshot of your system.

5. Inspect prefetch folder
Tools: Manual
How to do: Inspect the prefetch folder (C:\Windows\Prefetch) for suspicious file traces.

6. Analyze passkey
Tools: Manual
How to do: 1) Run attrib -s -h -r -a * in the C: drive first (clears the system/hidden/read-only/archive attributes so hidden files become visible; add /S /D to recurse into subfolders); 2) Analyze the C:\RECYCLER folder; 3) Hunt all instances of the detected malware using the manual method or the 'search' feature of the Windows OS; 4) Remove the identified malware folder manually or with a tool. Hash and copy (or image) the files before removing anything, so the evidence is preserved.

7. Check registry entry for 'run' keys
Tools: Manual
How to do: 1) Navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run (and the RunOnce keys beside them); 2) Check whether any instance of malware is present in those registry keys; 3) If found, delete it.

8. Find malware fingerprint using memory analysis
Tools: WinHex
How to do: 1) Open the malware in WinHex; 2) Find any unique signature that can help later on to analyze the malware further using other resources.

9. Inspect all DNS queries made from the target system
Tools: Wireshark
How to do: 1) Find DNS entries for Domain Name System (query); 2) Find DNS entries for Domain Name System (response). The display filter dns shows both.

10. Nslookup all the IP addresses identified to which the malware is trying to connect
Tools: 1) Windows Command Prompt; 2) Windows PowerShell
How to do: 1) Run nslookup X.X.X.X; 2) If the domain is registered, then find the relevant information.

11. Inspect all 3-way handshakes using TCP streams
Tools: Wireshark
How to do: 1) Find the SYN, SYN/ACK, ACK and PSH, PSH/ACK, ACK conversations; 2) Right-click on a packet and select "Follow TCP Stream"; 3) Right-click on a packet and select "Follow UDP Stream"; 4) Analyze the result.

12. Reversing firmware using binwalk
Tools: Binwalk
How to do: Use the binwalk tool in Kali for signature detection and other information too.

13. MD5 signature analysis
Tools: md5sum
How to do: 1) Run md5sum chintan.exe to calculate the hash value; 2) Do the same for the original build of that software and compare; 3) Google the MD5 hash value. MD5 is collision-prone, so record SHA-256 (sha256sum) alongside it; most threat-intelligence sources are keyed on SHA-256.

14. Analyze malware using Hex Editor Neo
Tools: Hex Editor Neo
How to do: 1) Open the malware in Hex Editor Neo; 2) Try to find malware traces (signature, company, individual name, nickname, …).

15. Configure snort for analyzing targeted ports for the attack
Tools: snort
How to do: 1) Install and configure snort; 2) Create a rule set for snort; 3) Run snort; 4) Analyze the result by reading the logs.

16. Detect the type of packer or compiler employed to build an application
Tools: PEiD
How to do: Open the physical build (exe file) in the PEiD tool.

17. Check for all HTTP/HTTPS port traffic in Wireshark
Tools: Wireshark
How to do: 1) Run Wireshark on the active interface; 2) Type "http" in the filter and analyze each request carefully; 3) Identify suspicious requests; 4) Send those URLs to virustotal.com in two forms: a. the homepage of the URL, b. the exact location taken from Wireshark; 5) Analyze the result. HTTPS payloads are encrypted: for port 443 you only see the TLS handshake (SNI hostname, certificate) unless you have the session keys.

18. Use VirusTotal to scan the signature of well-known malware
Tools: https://www.virustotal.com/
How to do: Open the suspicious file on www.virustotal.com and analyze the result. Uploading a file shares it with other VirusTotal users, the attacker included; search by hash first if the sample is sensitive.

19. Check user profile data
Tools: Manual
How to do: Gather the user profile's data.

20. Inspect open ports
Tools: 1) Nmap; 2) Manual
How to do: 1) Run nmap on localhost to determine open ports and services: nmap -sV localhost; 2) Run the netstat command in the Windows command shell and analyze the result; 3) Correlate open ports with the associated running processes.

21. Examine running processes
Tools: 1) Process Explorer; 2) TCPView; 3) Autoruns; 4) Windows shell prompt – 'tasklist'
How to do: 1) Run Process Explorer, enable Options > Verify Image Signatures, and look for running processes whose image is unsigned or from an unknown/suspicious vendor; also inspect all pink- and red-marked processes (services and exiting processes); packed images are shown in purple and deserve the closest look; 2) Send doubtful files to virustotal.com and analyze the result; 3) Run TCPView to identify current process connections with port number and service; 4) Run the 'tasklist' command to analyze active running processes.

22. Identify malware using the Volatility framework
Tools: Volatility framework
How to do: Run the following plugins to analyze the operating system's state: a. pslist: gives a comprehensive list of processes; b. netscan/connscan: display connections in memory and try to tie them to a process; c. psxview: tries to find hidden processes; d. malfind: looks for certain malicious characteristics of a specified process and can dump the process memory.

23. Inspect exported DLL files for a running suspicious process
Tools: DLL Export Viewer

24. Inspect DOS commands with doskey
Tools: Windows shell command – doskey
How to do: To inspect the previously entered commands on a Windows system, run doskey /history (only the current console session's history is shown).

25. Identify available shares on the system
Tools: Windows shell command – net share
How to do: To inspect drive/folder sharing, run net share.

26. Check web browser download folder
Tools: Manual
How to do: Check every web browser's default download folder or custom download folder location. Analyze the files with VirusTotal and other tools.

27. Check browser for malicious add-ons
Tools: Manual
How to do: Check all browsers for any installed malicious or unnecessary add-ons.

28. Analyze browser cookie files
Tools: 1) Galleta; 2) MozillaCookiesView
How to do: Analyze cookie files with VirusTotal and WinHex.

29. Run automated tools
Tools: 1) TDSSKiller from Kaspersky; 2) Malwarebytes Anti-Malware
How to do: Run these tools. Save the log file. Take PoCs (screenshots) by visiting the particular folder. Scan those suspicious files with www.virustotal.com and save the result as PoCs. Quarantine the files with the scanners. If not removed, then remove them manually and immediately restart the system.

30. Check whether the suspicious files are self-extracting executables or not
Tools: Manual
How to do: Double-click on the file and look in the same folder for the number of new files generated after double-clicking the build. Do this only inside an isolated analysis VM (see row 58).

31. Open suspicious files in Notepad++ for further analysis
Tools: Manual
How to do: Sometimes scripts such as VBS and BAT files contain self-replicating and self-extracting code. Those should be analyzed in Notepad++.

32. Check if any suspicious file makes a TCP connection with any foreign address
Tools: Netstat
How to do: Many times a malicious script runs a services.exe service located at C:\Windows\Win\Services.exe -i. It creates TCP connections to the outside world, which need to be analyzed using the netstat command. The legitimate services.exe lives in C:\Windows\System32; a copy running from any other path is suspicious.

33. Find ISP and other information of the suspicious foreign address
Tools: whois tools (online tools), robtex
How to do: Find the ISP and location of the suspicious foreign address via whois tools for further investigation.

34. Check for the startup programs
Tools: Start > Run > msconfig > Startup
How to do: Check whether any malicious programs are placed in the startup entries.

35. Upload suspicious file to an online malware analysis sandbox
Tools: 1) malwr.com; 2) anubis.iseclab.org
How to do: Analyze the following: 1) String analysis; 2) Behavioural analysis; 3) Network analysis (which domains this suspicious file interacts with); 4) Number of registry entries created; 5) Number of various files created in subfolders of the Windows system. Both listed sandboxes have since gone offline; the same sharing caveat as in row 18 applies to any public sandbox.

36. Navigate to suspected domain
Tools: 1) Manual; 2) Burp Suite
How to do: Find any juicy information that can help solve your analysis case. Also try to find other evidence that can support your investigation. Browse only from an isolated analysis VM, never from the analyst's own workstation.

37. Create encrypted/encoded backdoors
Tools: 1) EmPyre Framework; 2) Veil Framework
How to do: Use both frameworks to create your encrypted payloads in order to bypass signatures. Never submit those payloads to virustotal.com or any other website to scan.

38. Identify the malware author's development environment intensively.

39. Identify the details section of the malware stub via property information. This may contain misleading data too.

40. Check for leaked information about the third-party libraries' installed paths. Cross-validate/check this information on public references to find sites/forums/blogs that mention it. It can lead to country and group information for the APT.

41. Identify micro and mini activities of PowerShell scripts.

42. Identify how and from where malware stubs are being downloaded.

43. Identify how many infections are being downloaded to infect the victim's machine. (Attackers try to brute-force their infections on the victim's machine: in case one doesn't work, another will.)

44. Identify which malware delivery mechanism is used.

45. Identify the naming convention of all the files being downloaded by the malware stub and link it with any historical APTs.

46. Identify sites that are compromised to host the malware. Identify the CMS, version, country and other properties of the website. This helps determine whether APT groups have found any zero-day in any particular CMS to compromise the server and host malware stubs on it.

47. Identify the language ID when a version resource is compiled into a library. This may contain OS artefacts taken directly from Visual Studio.

48. Identify leaked assert paths and external blog references. Some libraries use the "assert()" mechanism to help the developers debug unexpected conditions; the assertion failure string embeds the source file path, which reveals the build directory.

49. Identify the C&C servers used: IPs, servers.

50. Identify the search patterns and extension lists used when the malware is searching for juicy information before the exfiltration process starts.

51. Compare malware code samples with previously used malware from the past. Try to determine the APT campaign.

52. Identify the malware compilation time and date (the PE header TimeDateStamp; it is trivially forged, so treat it as a hint, not a fact).

53. Check registry entry for 'run' keys.

54. Inspect traffic using Wireshark, especially all outgoing HTTP/HTTPS traffic.

55. Inspect all DNS queries to identify possible exfiltration activities.

56. Identify the main characteristics of the malware sample including size, type, compiler, cryptographic hash.

57. Identify malware attributes such as functionality, inner workings, strings, API calls, and other metadata.

58. Execute the malware in a safe environment and perform runtime monitoring to collect artefacts such as the processes it interacts with, file system activity, registry activity, and network activity.
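Rows 4 and 17 describe picking HTTP requests out of a capture, flagging POSTs that upload a screenshot, and turning each suspicious request into the two URL forms sent to VirusTotal (homepage and exact location). The Python below is an added example of that workflow, not part of the original checklist: the three raw requests are constructed to look like what Wireshark's Follow TCP Stream shows, every hostname and address is a placeholder, and the "raw IP host" flag is an extra heuristic of mine.

```python
import re

# Three raw HTTP requests, constructed for this example in the form Wireshark's
# "Follow TCP Stream" shows them. Hosts and addresses are placeholders.
SAMPLE_REQUESTS = [
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n",

    b"POST /upload.php HTTP/1.1\r\n"
    b"Host: cdn-example.net\r\n"
    b"Content-Type: multipart/form-data; boundary=----x\r\n\r\n"
    b"------x\r\n"
    b'Content-Disposition: form-data; name="file"; filename="scr_20230915_1412.jpg"\r\n'
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF...\r\n"
    b"------x--\r\n",

    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: 203.0.113.7:8080\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"id=A1B2&v=3",
]

IMAGE_EXT = (".jpg", ".jpeg", ".png", ".bmp", ".gif")
FILENAME_RE = re.compile(rb'filename="([^"]+)"', re.IGNORECASE)
RAW_IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")


def parse_request(raw: bytes):
    """Split one raw request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, target, headers, body


def triage_http(requests):
    """Rows 4 and 17: flag screenshot-style uploads and derive both URL forms for VirusTotal."""
    results = []
    for raw in requests:
        method, target, headers, body = parse_request(raw)
        host = headers.get("host", "")
        filenames = [m.decode("latin-1") for m in FILENAME_RE.findall(body)]
        image_upload = method == "POST" and (
            any(name.lower().endswith(IMAGE_EXT) for name in filenames)
            or b"content-type: image/" in body.lower()
        )
        results.append({
            "method": method,
            "full_url": f"http://{host}{target}",   # exact location, as seen in Wireshark
            "homepage": f"http://{host}/",          # the site's root
            "upload_filenames": filenames,
            "image_upload": image_upload,
            # Malware often beacons to a bare IP (extra heuristic, not from the checklist).
            "raw_ip_host": bool(RAW_IP_HOST.match(host)),
        })
    return results


def vt_submissions(results):
    """Unique URLs to submit: homepage and exact location of every suspicious request."""
    urls = set()
    for r in results:
        if r["image_upload"] or r["raw_ip_host"]:
            urls.update((r["homepage"], r["full_url"]))
    return sorted(urls)


if __name__ == "__main__":
    hits = triage_http(SAMPLE_REQUESTS)
    for r in hits:
        print(r)
    print(vt_submissions(hits))
```

To feed real data, apply the display filter http.request in Wireshark, export the streams, and pass each request's bytes in the list; the upload check deliberately keys on both the filename extension and the part's Content-Type, since either one alone is easy for an uploader to omit.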
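Rows 9, 10 and 55 ask for the DNS queries of the target system to be inspected for exfiltration and for each resolved name to be looked up afterwards. The following Python is an added example, not part of the original checklist, of the scoring an analyst does before reaching for nslookup: it reads a constructed query log (one query per line in the order epoch, source, query type, name, the columns you would export from Wireshark) and flags registered domains that show tunnelling traits. All domains and thresholds are placeholders of mine; the registered-domain split is the naive two-label version and should use the public suffix list in real code.

```python
from collections import defaultdict

# Constructed DNS query log, one query per line: "epoch src qtype qname".
# Domains are placeholders; the long hex labels imitate data carried in queries.
SAMPLE_QUERIES = """\
1694000000.101 10.0.0.5 A www.google.com
1694000000.205 10.0.0.5 A update.microsoft.com
1694000000.310 10.0.0.5 A 3f9a2b7c1d0e4f5a6b7c8d9e0f1a2b3c.t1.exfil-example.net
1694000000.412 10.0.0.5 A 4a1b2c3d4e5f60718293a4b5c6d7e8f9.t1.exfil-example.net
1694000000.515 10.0.0.5 A 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.t1.exfil-example.net
1694000000.618 10.0.0.5 A 0102030405060708090a0b0c0d0e0f10.t1.exfil-example.net
1694000000.720 10.0.0.5 A a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6.t1.exfil-example.net
1694000000.823 10.0.0.5 A 5f5e5d5c5b5a59585756555453525150.t1.exfil-example.net
1694000000.926 10.0.0.5 A deadbeef0badcafe1337c0de2bad4dad.t1.exfil-example.net
1694000001.030 10.0.0.5 A 7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a29.t1.exfil-example.net
1694000001.200 10.0.0.5 TXT cmd.c2-example.org
1694000001.300 10.0.0.5 TXT cmd.c2-example.org
1694000001.400 10.0.0.5 TXT cmd.c2-example.org
1694000001.500 10.0.0.5 TXT cmd.c2-example.org
1694000001.600 10.0.0.5 TXT cmd.c2-example.org
1694000001.700 10.0.0.5 TXT cmd.c2-example.org
1694000002.000 10.0.0.5 A mail.google.com
"""


def split_domain(qname: str):
    """Naive split into (registered domain, subdomain part). Real code should use
    the public suffix list so that names like example.co.uk are handled correctly."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def analyze_dns(log_text: str, min_unique=8, min_sub_len=30,
                min_digit_ratio=0.3, min_txt=5) -> dict:
    """Rows 9 and 55: score each registered domain for tunnelling/exfiltration traits."""
    stats = defaultdict(lambda: {"subs": set(), "lengths": [], "digits": 0,
                                 "chars": 0, "txt": 0, "sources": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, qtype, qname = parts
        domain, sub = split_domain(qname)
        st = stats[domain]
        st["sources"].add(src)
        if qtype.upper() == "TXT":
            st["txt"] += 1
        if sub:
            st["subs"].add(sub)
            st["lengths"].append(len(sub))
            st["digits"] += sum(ch.isdigit() for ch in sub)
            st["chars"] += len(sub)
    findings = {}
    for domain, st in stats.items():
        reasons = []
        n_unique = len(st["subs"])
        avg_len = sum(st["lengths"]) / len(st["lengths"]) if st["lengths"] else 0
        digit_ratio = st["digits"] / st["chars"] if st["chars"] else 0
        if n_unique >= min_unique:
            reasons.append(f"{n_unique} unique subdomains (data carried in labels?)")
        if avg_len >= min_sub_len:
            reasons.append(f"average subdomain length {avg_len:.0f}")
        if digit_ratio >= min_digit_ratio:
            reasons.append(f"digit ratio {digit_ratio:.2f} (hex/base32 encoding?)")
        if st["txt"] >= min_txt:
            reasons.append(f"{st['txt']} TXT queries (command channel?)")
        if reasons:
            findings[domain] = {"reasons": reasons, "sources": sorted(st["sources"])}
    return findings


if __name__ == "__main__":
    for domain, info in analyze_dns(SAMPLE_QUERIES).items():
        print(domain, info["sources"])
        for reason in info["reasons"]:
            print("   -", reason)
```

Every flagged domain is then the input to row 10 (nslookup, whois). The thresholds are starting points: many unique, long, digit-heavy subdomains are normal for CDNs and telemetry, so compare against a baseline from a clean host before treating a hit as exfiltration.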
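Rows 13, 16, 52 and 56 together amount to static triage of the sample: hashes, a packer/compiler verdict, the compile timestamp and the basic characteristics. PEiD does the packer part with a signature database; the Python below is an added example, not from the checklist, of the two cheap checks you can do without one (packer section names and per-section entropy) plus the TimeDateStamp and hashes, read straight from the PE header. The sample image is constructed in-code by build_sample_pe and is not executable; the section-name list and the 7.0 bits/byte threshold are choices of mine.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

# Section names left behind by common packers. PEiD's signature database is far
# richer; this is the cheap check you can do without it.
PACKER_SECTION_NAMES = {
    b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".themida",
    b".vmp0", b".vmp1", b".nsp0", b".nsp1", b".MPRESS1", b".MPRESS2",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Read the COFF header and section table of a PE image held in memory."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    sec_table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", buf, sec_table + 40 * i)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def triage(buf: bytes, now=None) -> dict:
    """Rows 13, 16, 52 and 56 in one pass: hashes, compile time, packer verdict."""
    now = now or datetime.now(timezone.utc)
    pe = parse_pe(buf)
    compiled = datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc)
    names = {s["name"] for s in pe["sections"]}
    packed = bool(names & PACKER_SECTION_NAMES) or any(
        s["raw_size"] and s["entropy"] >= HIGH_ENTROPY for s in pe["sections"])
    return {
        "size": len(buf),
        "md5": hashlib.md5(buf).hexdigest(),       # row 13; keep SHA-256 beside it
        "sha256": hashlib.sha256(buf).hexdigest(),
        "compiled_utc": compiled.isoformat(),
        # A zero or future TimeDateStamp is forged, not a clue about the author's clock.
        "timestamp_suspect": pe["timestamp"] == 0 or compiled > now,
        "sections": pe["sections"],
        "likely_packed": packed,
    }


def pseudo_random(n: int, seed: bytes = b"demo") -> bytes:
    """Deterministic high-entropy filler standing in for packed code (test data only)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:n]


def build_sample_pe(sections, stamp: int) -> bytes:
    """Assemble a minimal PE image (headers + sections) for the demo. It is not
    executable: there is no optional header, so SizeOfOptionalHeader is 0."""
    nsec = len(sections)
    e_lfanew = 0x40
    header_end = e_lfanew + 4 + 20 + 40 * nsec
    raw_ptr = (header_end + 0x1FF) & ~0x1FF            # FileAlignment 0x200
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, stamp, 0, 0, 0, 0x0102)
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000,
                             len(data), raw_ptr + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += data
    image = dos + b"PE\0\0" + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + raw


if __name__ == "__main__":
    sample = build_sample_pe([(b"UPX0", pseudo_random(4096)), (b"UPX1", pseudo_random(2048, b"x"))], 1600000000)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

On a real sample call triage(open(path, "rb").read()). A high-entropy section with an ordinary name still means "unpack first" (row 16) before the string and API-call work of row 57, and the compile time (row 52) is only worth recording together with the timestamp_suspect flag.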
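Rows 20, 21 and 32 have the analyst correlate open ports with running processes and check whether a services.exe talking to a foreign address is really the one in System32. The Python below is an added example of that correlation, not part of the checklist: it parses constructed output of netstat -ano and of wmic process get ProcessId,Name,ExecutablePath /format:csv (tasklist alone does not show the image path), keeps only established TCP connections to non-internal addresses, and flags core system binaries running outside C:\Windows\System32. The documentation addresses 203.0.113.x/198.51.100.x stand in for real internet hosts, and the default %SystemRoot% is assumed.

```python
import csv
import io
import ipaddress

# Constructed sample of `netstat -ano` output on the suspect host. 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for real internet addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    10.0.0.5:49712         203.0.113.7:8080       ESTABLISHED     4128
  TCP    10.0.0.5:49801         198.51.100.23:443      ESTABLISHED     4128
  TCP    10.0.0.5:49955         198.51.100.40:443      ESTABLISHED     5620
  TCP    10.0.0.5:50010         10.0.0.20:445          ESTABLISHED     4
  UDP    0.0.0.0:5353           *:*                                    1376
"""

# Constructed sample of `wmic process get ProcessId,Name,ExecutablePath /format:csv`.
SAMPLE_PROCESSES = r"""Node,ExecutablePath,Name,ProcessId
WS01,C:\Windows\System32\svchost.exe,svchost.exe,880
WS01,C:\Windows\Win\services.exe,services.exe,4128
WS01,C:\Program Files\Mozilla Firefox\firefox.exe,firefox.exe,5620
WS01,,System,4
WS01,C:\Windows\System32\svchost.exe,svchost.exe,1376
"""

# Address ranges that are not "foreign" in the sense of row 32. Python's own
# is_private would also swallow the documentation ranges used above, hence the list.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
# Core binaries that only run legitimately from %SystemRoot%\System32.
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "smss.exe", "wininit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"  # assumes the default %SystemRoot%


def is_external(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text.strip("[]"))
    return not any(ip in net for net in INTERNAL_NETS)


def parse_netstat(text: str) -> dict:
    """{pid: [foreign endpoints]} for ESTABLISHED TCP connections to external hosts."""
    external = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "ESTABLISHED":
            continue
        foreign, pid = parts[2], int(parts[4])
        ip, _, _port = foreign.rpartition(":")
        if is_external(ip):
            external.setdefault(pid, []).append(foreign)
    return external


def parse_processes(text: str) -> dict:
    """{pid: (name, path)} from the wmic CSV export."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("ProcessId"):
            procs[int(row["ProcessId"])] = (row["Name"], row["ExecutablePath"])
    return procs


def correlate(netstat_text: str, process_text: str) -> list:
    """Rows 20, 21 and 32: tie each outbound connection to its process and image path."""
    procs = parse_processes(process_text)
    findings = []
    for pid, foreign in sorted(parse_netstat(netstat_text).items()):
        name, path = procs.get(pid, ("<unknown>", ""))
        masquerading = name.lower() in SYSTEM32_ONLY and not path.lower().startswith(SYSTEM32)
        findings.append({"pid": pid, "name": name, "path": path,
                         "foreign": sorted(foreign), "masquerading": masquerading})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        flag = "  <-- system binary outside System32" if f["masquerading"] else ""
        print(f"PID {f['pid']:>5} {f['name']:<14} {f['path']}{flag}")
        for endpoint in f["foreign"]:
            print(f"           -> {endpoint}")
```

The masquerading flag is the programmatic form of the row 32 check; the foreign endpoints it returns are exactly the addresses that go on to rows 10 and 33 (nslookup, whois). A process with external connections and no path at all (other than PID 4, System) is worth the same attention as a wrong path.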
