I was asked for tips to triage MalwareBazaar's daily malware batches.
On Linux / macOS, you can unzip a malware batch and triage it with the file command.
On Windows, I don't like to unzip the content of a daily malware batch to disk, because the malware samples have their original extension. For example, a malicious Windows executable will have extension .exe, like malware.exe. That makes for a higher risk of inadvertently executing malware (a stray double-click is enough).
What I prefer to do is unzip the content of the ZIP file with zipdump and pipe that into file-magic, like this:
The internal format I use between the two tools is JSON, hence zipdump's -j option and file-magic's --jsoninput option.
Remark that this will not be fast: on yesterday's malware batch (170 MB), it took almost 10 minutes. It is better suited to a daily bash script: download a malware batch, and triage it with zipdump and file-magic.
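For readers who don't have my tools at hand, here is an added example (written for this diary's point, not zipdump or file-magic themselves, and not code from MalwareBazaar) that does the same thing in pure Python: the batch ZIP is read entirely in memory, every entry is hashed and typed from its first bytes, and the result is emitted as JSON lines, so no sample is ever written to disk with its .exe extension. Assumptions: the batch is a ZIP whose entries are the samples, protected with the password infected (MalwareBazaar's documented password; unencrypted entries are handled too, AES-encrypted ones are reported as unsupported because zipfile only does ZipCrypto), and the magic table is a small hand-rolled subset of what file knows, not libmagic. The sample batch built by make_sample_batch() is constructed for the demonstration.

```python
"""Triage a MalwareBazaar daily batch in memory (added example, not the diary's tools)."""
import hashlib
import io
import json
import sys
import zipfile

# Assumption: MalwareBazaar batches use this password. Unencrypted entries ignore it.
BATCH_PASSWORD = b"infected"

# (offset, magic bytes, label): a deliberately small subset of what `file` knows.
MAGIC_TABLE = [
    (0, b"MZ", "PE/DOS executable"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"PK\x03\x04", "ZIP archive (JAR/APK/OOXML are ZIPs too)"),
    (0, b"%PDF", "PDF document"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (0, b"Rar!\x1a\x07", "RAR archive"),
    (0, b"7z\xbc\xaf\x27\x1c", "7-Zip archive"),
    (0, b"\x1f\x8b", "gzip compressed"),
    (0, b"#!", "script with shebang"),
]


def identify(data: bytes) -> str:
    """Type label from the leading bytes; falls back to a crude text check for script droppers."""
    for offset, magic, label in MAGIC_TABLE:
        if data[offset:offset + len(magic)] == magic:
            return label
    head = data[:512]
    if head and all(b in b"\t\r\n" or 32 <= b < 127 for b in head):
        return "ASCII text (VBS/JS/HTML/batch?)"
    return "data"


def pe_extra(data: bytes) -> str:
    """For MZ files: follow e_lfanew to the PE header and read the DLL flag (0x2000) from Characteristics."""
    if len(data) < 0x40:
        return ""
    e_lfanew = int.from_bytes(data[0x3c:0x40], "little")
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "no PE header"
    chars = data[e_lfanew + 22:e_lfanew + 24]
    if len(chars) < 2:
        return "truncated PE header"
    return "DLL" if int.from_bytes(chars, "little") & 0x2000 else "EXE"


def triage_batch(zip_bytes: bytes, password: bytes = BATCH_PASSWORD) -> list:
    """Walk every entry of the batch ZIP without extracting to disk; one record per sample."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                data = zf.read(info.filename, pwd=password)
            except (RuntimeError, NotImplementedError) as exc:
                # Bad password, or AES/unsupported compression: record it, keep going.
                records.append({"name": info.filename, "size": info.file_size,
                                "sha256": None, "type": "unreadable: %s" % exc})
                continue
            rec = {"name": info.filename, "size": len(data),
                   "sha256": hashlib.sha256(data).hexdigest(), "type": identify(data)}
            if data[:2] == b"MZ":
                rec["pe"] = pe_extra(data)
            records.append(rec)
    return sorted(records, key=lambda r: r["name"])


def to_jsonl(records: list) -> str:
    """JSON lines, one sample per line, for piping into the next tool of the daily script."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def make_sample_batch() -> bytes:
    """Constructed, harmless stand-in for a daily batch: a minimal PE, an ELF stub, a PDF, a VBS."""
    mz = bytearray(b"MZ" + b"\x00" * 0x3e)          # 64-byte DOS header
    mz[0x3c:0x40] = (0x40).to_bytes(4, "little")     # e_lfanew -> PE header right after it
    coff = (0x14c).to_bytes(2, "little") + (1).to_bytes(2, "little") + b"\x00" * 12 \
        + (0).to_bytes(2, "little") + (0x0102).to_bytes(2, "little")   # Characteristics: EXE
    pe = bytes(mz) + b"PE\x00\x00" + coff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:   # unencrypted: zipfile can't write ZipCrypto
        zf.writestr("sample1.exe", pe)
        zf.writestr("sample2.bin", b"\x7fELF\x02\x01\x01" + b"\x00" * 9)
        zf.writestr("sample3.pdf", b"%PDF-1.4\n%constructed\n")
        zf.writestr("sample4.vbs", b'Set o = CreateObject("WScript.Shell")\r\n')
    return buf.getvalue()


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_batch()
    print(to_jsonl(triage_batch(blob)))
```

Run it as python triage.py daily.zip to get one JSON line per sample; with no argument it triages the constructed batch. The output is the same kind of JSON record I pass between zipdump and file-magic, and, because only hashes and type labels leave the process, there is nothing on disk for Explorer or a scheduled task to trip over.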
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.