erlosangeles.blogg.se

Pestudio entropy

In the previous article we profiled the ELF malware landscape and explained how malware infects systems. We discussed the current lack of ELF malware visibility, reflected in subpar detection rates by leading engines and the shortage of publicly available resources documenting Linux threats. In this article we will pursue ELF file analysis with an emphasis on static analysis.

The purpose of initial analysis is to gather as many insights about a file as possible without spending too much time on advanced analysis techniques such as behavioral analysis. The initial analysis process entails reviewing different artifacts of a file. While an artifact by itself might not be enough to make a decision, the collection of artifacts can help us determine a practical outcome for this step. A final result could be that we know what the file is, or that we must conduct a deeper analysis because this step wasn't conclusive enough. The lack of valuable metadata in ELF files, such as certificates and resources, provides a weaker starting point than PE files, particularly when distinguishing between trusted and malicious files. This is why it's important to consider the context of the analyzed file and the desired outcome of the analysis. Whether you want to verify that a file is trusted or malicious, or you already know that a file is malicious but want to classify the threat to determine the appropriate response, the information and tools presented in this article will help you further support an initial analysis conclusion.

We will review the following artifacts and emphasize how they can help us gather insights about a file:

After covering our initial analysis toolset, we will put it to use by analyzing real samples found in the wild.
