This cheatsheet is not in-depth or detailed; it covers only the required minimum.
A more in-depth version may follow when required.

Basic Static Analysis

  1. Malware Fingerprint
    • Hashing: MD5/SHA-1/SHA-256 of the file is its fingerprint; use it to label the sample and to search for earlier analyses
    • AV Scanning: Run the sample through several engines; a clean result does not prove the file is benign
    • VirusTotal: Multi-engine scanner; search by hash first so the sample is not uploaded to a third party
  2. Finding Strings in Malware
    • Representation of Strings
      • ASCII: 1 byte per character (0x20-0x7E), shown as text or as hex bytes in a hex editor
      • Unicode (Windows wide strings, UTF-16LE): 2 bytes per character, the ASCII byte followed by 0x00
    • BinText: String Extraction Tool (extracts both ASCII and Unicode; a packed binary yields few useful strings)
  3. Portable Executable Format
  4. Source to Execution
    • Compiler: Translates high-level source code into machine code (object files)
    • Linker: Combines .obj files and libraries into a single .exe executable
    • Loader: Maps the executable into memory, resolves its imports and transfers control to the entry point
  5. Linking
    • Static Linking: Library code is copied into the executable at link time; no import entries, so library code is hard to tell from the author's own
    • Dynamic Linking: The OS locates and loads the DLL when the program is loaded; the imports are listed in the PE header (.idata) and reveal functionality
    • Runtime Linking: The program loads libraries itself with LoadLibrary/GetProcAddress; common in packed malware because it hides imports from static analysis
  6. Loading a PE
    • Absolute Loading: Image is always loaded at its preferred base address (ImageBase); addresses are fixed at link time
    • Relocatable Loading: Image is loaded at a different base when the preferred one is unavailable; the loader patches addresses using the .reloc section
    • Dynamic Run-time Loading: Modules (DLLs) are loaded at addresses chosen while the program is running
  7. Address Binding: Mapping the addresses stored in the file to the addresses the code uses once it is loaded
    • Base Address (ImageBase): Preferred virtual address at which the image is loaded
    • Relative Virtual Address (RVA): Offset from the base address; Virtual Address = ImageBase + RVA
  8. PE File Format
    • PE Sections
      • .text (code), .rdata (read-only data), .data (global data), .rsrc (resources)
      • .idata (Import Data), .edata (Export Data)
      • .reloc (Base Relocation)
    • Dependency Walker: Lists imports and exports (.idata & .edata) and the DLL dependency tree
    • PEView: Browse PE headers and sections; IMAGE_FILE_HEADER.TimeDateStamp shows when the file was compiled
  9. Packing Executable
    • Signs of a packed PE: few readable strings, tiny import table (often only LoadLibrary and GetProcAddress), odd section names, high-entropy sections
    • PEiD: Detects the packer or compiler used
      • PEiD Unpacker: Use plugins to unpack; some plugins execute the sample, so run them only inside an isolated VM
  10. Indicators of Malware
    • Host-based Indicators: Changes to the system (files dropped or modified, registry keys, mutexes, processes and services created)
    • Network-based Indicators: Communication with external hosts (domain names, IP addresses, URLs, ports, socket operations)
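
Added example for items 2 and 10 (not from the original cheatsheet): a small Python string extractor that does what BinText does, pulling ASCII and UTF-16LE runs out of a byte blob and tagging the ones that look like host- or network-based indicators. The SAMPLE blob, the minimum run length and the indicator regexes are constructed for illustration.

```python
import re

MIN_LEN = 4  # minimum printable run to report; BinText and Sysinternals Strings default to 4 too

# Assumed patterns for the two indicator classes in item 10: network (URL, IPv4, common TLDs)
# versus host (drive path, registry hive or key prefix, executable/driver file names).
NETWORK_RE = re.compile(r"https?://|\b\d{1,3}(?:\.\d{1,3}){3}\b|\.(?:com|net|org|ru|php)\b", re.I)
HOST_RE = re.compile(r"^[A-Z]:\\|^(?:HKLM|HKCU|HKEY_|SOFTWARE\\)|\.(?:exe|dll|sys|bat)\b", re.I)

# Constructed stand-in for a region of a sample (not a real binary): ASCII and UTF-16LE strings,
# each terminated and padded with NULs the way a compiler lays them out.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00\x00\x00"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00\x00"
    + b"\x8b\xff\x55\x8b\xec"
    + b"http://evil.example/update.php\x00\x00\x00"
    + b"192.0.2.44\x00\x00\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16-le") + b"\x00\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)


def extract_strings(data, min_len=MIN_LEN):
    """Return [(offset, encoding, text)] for every printable run of at least min_len characters.

    ASCII: one byte per character in 0x20..0x7E.
    Unicode as Windows stores it (UTF-16LE): each ASCII byte is followed by 0x00, so the
    pattern is min_len or more repetitions of (printable byte, 0x00).
    """
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)  # file order, regardless of encoding


def classify(text):
    """Tag a string as a 'network' or 'host' indicator candidate, or None if neither pattern fits."""
    if NETWORK_RE.search(text):
        return "network"
    if HOST_RE.search(text):
        return "host"
    return None


def triage(data, min_len=MIN_LEN):
    """Extract strings and keep only those that look like indicators, grouped by class."""
    out = {"network": [], "host": []}
    for _, _, text in extract_strings(data, min_len):
        kind = classify(text)
        if kind:
            out[kind].append(text)
    return out


if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:08x}  {enc:8}  {text}  {classify(text) or ''}")
    print(triage(SAMPLE))
```

Run it on a real file with `extract_strings(open(path, "rb").read())`; the two regexes are the only thing that makes a string an "indicator", so expect to tune them per sample.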

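Added example for items 6 to 9 (not taken from the original cheatsheet or from any tool's source): a minimal PE32/PE32+ header and section-table parser in Python that does by hand what PEView shows, converts RVAs to file offsets (Virtual Address = ImageBase + RVA), reports whether a base-relocation table exists, and flags the packing hints a PEiD check would confirm. The image it parses is produced by build_sample_pe() and is constructed, not a real binary; the packer section names and the 7.0 entropy threshold are assumptions.

```python
import math
import struct

# IMAGE_SECTION_HEADER.Characteristics bits, and section names typical packers leave behind (assumed list).
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"}


def entropy(buf):
    """Shannon entropy in bits per byte: 8.0 for uniformly random data, usually well below 6.5 for code."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf))) if n else 0.0


def parse_pe(data):
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 32-bit ImageBase at +28, data directories at +96
        image_base, dirs = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at +24, data directories at +112
        image_base, dirs = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                  # section table follows the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        flags = struct.unpack_from("<I", data, hdr + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize, "flags": flags,
                         "entropy": entropy(data[rawptr:rawptr + rawsize])})
    export_rva = struct.unpack_from("<I", data, dirs)[0]          # DataDirectory[0]: export table (.edata)
    reloc_rva = struct.unpack_from("<I", data, dirs + 5 * 8)[0]   # DataDirectory[5]: base relocations (.reloc)
    return {"machine": machine, "timestamp": timestamp, "image_base": image_base, "sections": sections,
            "export_rva": export_rva, "has_relocations": reloc_rva != 0}


def rva_to_offset(pe, rva):
    """RVA (offset from ImageBase in memory) -> file offset, via the section that contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return rva - s["va"] + s["rawptr"]
    return None


def va_to_rva(pe, va):
    """VA = ImageBase + RVA, so an address seen in a debugger maps back to an RVA like this."""
    return va - pe["image_base"]


def packing_indicators(pe):
    """Static hints that a PE is packed; confirm with PEiD or by unpacking, do not treat as a verdict."""
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: packer section name")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f}")
        if s["flags"] & SCN_MEM_EXECUTE and s["flags"] & SCN_MEM_WRITE:
            hits.append(f"{s['name']}: writable and executable")
        if s["rawsize"] and s["vsize"] > 2 * s["rawsize"]:
            hits.append(f"{s['name']}: {s['rawsize']} bytes on disk but {s['vsize']} in memory")
    return hits


def build_sample_pe():
    """Constructed PE32 image, not a real sample: a normal code section, a data section and a UPX-style one."""
    def section(name, va, vsize, rawptr, rawsize, flags):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, flags)
    text = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 26) * 16                    # prologue + nops, low entropy
    rdata = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0".ljust(0x200, b"\0")  # packer-style import list
    upx1 = bytes(range(256)) * 2                                                 # every byte equally likely: 8.0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F000000, 0, 0, 224, 0x0102)  # i386, 3 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<I", opt, 16, 0x3000)             # AddressOfEntryPoint inside UPX1, as with a packer stub
    struct.pack_into("<I", opt, 28, 0x400000)           # ImageBase (preferred base address)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes; export and reloc entries stay 0
    struct.pack_into("<II", opt, 96 + 8, 0x2000, 0x40)  # DataDirectory[1]: import table, points into .rdata
    headers = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + bytes(opt)
               + section(b".text", 0x1000, 0x200, 0x200, 0x200, 0x60000020)
               + section(b".rdata", 0x2000, 0x200, 0x400, 0x200, 0x40000040)
               + section(b"UPX1", 0x3000, 0x800, 0x600, 0x200, 0xE0000040))
    return headers.ljust(0x200, b"\0") + text + rdata + upx1


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(f"ImageBase 0x{pe['image_base']:x}  TimeDateStamp 0x{pe['timestamp']:x}  relocations: {pe['has_relocations']}")
    for s in pe["sections"]:
        print(f"{s['name']:8} RVA 0x{s['va']:05x}  raw 0x{s['rawptr']:05x}  entropy {s['entropy']:.2f}")
    print("packing indicators:", packing_indicators(pe))
```

A missing relocation table (has_relocations False) means the image can only be loaded at ImageBase, the absolute-loading case from item 6. The entropy and size-growth rules are heuristics: a .rdata full of strings sits around 4-5 bits, a compressed section near 8, so the hits list is a prompt to look closer, not a verdict.
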
Basic Dynamic Analysis

  1. Running the Malware
    • Sandboxes
      • GFI Sandbox (and similar): Runs the sample in a VM and reports its file, registry, network and process activity
        • Mutex: Named object that stops multiple threads/processes from using a resource at once; malware creates one to avoid reinfecting a host, so its name is a useful host-based indicator
      • Sandbox Drawbacks: No command-line arguments or trigger conditions, time-delayed or sandbox-aware code may never run, DLL exports are not exercised, and the report shows what happened but not why
    • rundll32.exe: Run an exported function of a DLL: rundll32.exe DLLname,ExportName arguments (or DLLname,#ordinal)
  2. Process Monitoring
    • procmon (Process Monitor): Records file system, registry, network, process and thread activity for filtering afterwards
    • Process Explorer: Live view of running processes, their DLLs, handles and parent/child relationships
  3. Registry Monitoring
    • regshot: Take a snapshot before and one after running the malware, then compare the two
    • CaptureBat: Logs file, registry and process activity in real time
  4. Network Monitoring
    • ApateDNS: Spoofs DNS replies so every lookup resolves to an address you control (127.0.0.1 for the local host)
      • Change the DNS server in the network adapter's TCP/IP properties to 127.0.0.1
      • Set the DNS reply address in ApateDNS to 127.0.0.1 and start it; its log shows each domain the sample tried to resolve
    • NetCat: Listen for the redirected connection: nc -l -p 443 (-l is a lowercase L); repeat for other ports such as 80
    • Wireshark: Capture and inspect the packets on the wire
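
Added example for step 4 (not part of the original cheatsheet or of ApateDNS): a Python UDP responder that answers every A query with the address of your own listener, which is what ApateDNS does, plus a builder and parser for the packets so the exchange can be checked offline. The domain, transaction ID and SPOOF_IP are constructed; serve() binds UDP/53 and needs administrator rights on the analysis VM.

```python
import socket
import struct

SPOOF_IP = "127.0.0.1"   # where every lookup should land: the host running the netcat listener


def encode_name(name):
    """'a.b.c' -> b'\\x01a\\x01b\\x01c\\x00' (DNS label format)."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split(".")) + b"\0"


def decode_name(msg, off):
    """Read a label sequence at msg[off:], following backward compression pointers; return (name, next offset)."""
    labels = []
    while True:
        ln = msg[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:                          # 2-byte pointer to an earlier copy of the name
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("bad compression pointer")  # forward/self pointers would loop forever
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(name, txid=0x1234, qtype=1):
    """Standard recursive query for one name (qtype 1 = A), as the sample's resolver would send it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(query, ip=SPOOF_IP, ttl=60):
    """Answer any A query with `ip`; other types get an empty NOERROR reply so the client moves on."""
    txid = struct.unpack_from("!H", query, 0)[0]
    qname, off = decode_name(query, 12)                # question starts right after the 12-byte header
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # flags 0x8180 = response, recursion desired + available; one question, one answer;
    # the answer's name is a pointer (0xC00C) back to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_reply(reply):
    """Return (txid, queried name, [A records]) so a reply can be checked or logged."""
    txid, _, _, ancount = struct.unpack_from("!HHHH", reply, 0)
    qname, off = decode_name(reply, 12)
    off += 4                                           # skip QTYPE/QCLASS
    ips = []
    for _ in range(ancount):
        _, off = decode_name(reply, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", reply, off)
        off += 10
        if rtype == 1:
            ips.append(socket.inet_ntoa(reply[off:off + rdlen]))
        off += rdlen
    return txid, qname, ips


def serve(bind="0.0.0.0", port=53, ip=SPOOF_IP):
    """Listen on UDP/53 and log every name the sample resolves, like the ApateDNS window."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        query, peer = sock.recvfrom(512)
        try:
            reply = build_reply(query, ip)
        except (ValueError, IndexError, struct.error):
            continue                                   # malformed packet: ignore it
        print(f"{peer[0]} asked for {parse_reply(reply)[1]} -> {ip}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    # Constructed round trip with no network: the query a sample would trigger and the spoofed reply.
    reply = build_reply(build_query("update.evil.example"))
    print(parse_reply(reply))   # (4660, 'update.evil.example', ['127.0.0.1'])
    # serve()  # run inside the analysis VM after pointing its DNS server at this host
```

With serve() running and nc -l -p 443 listening on the same host, a sample that resolves its C2 domain and connects over 443 ends up talking to netcat, and the printed lookups are the network-based indicators.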