Malware is just code, so like any other code it can (in theory) be analyzed and reverse engineered by hand.
Triage is one of the functions of the incident response program and must answer the following three questions about a specific input:
- is the input malicious?
- if yes, what is it exploiting?
- are we exposed?
Triage is not malware analysis: it has to be quick and efficient. The triage workflow:
- passive analysis.
- first interaction and download.
  - some malware is crafted so that the initial URL only responds a limited number of times, so save the very first response you get: you may not get a second one.
  - some malware profiles your browser: it checks the browser version, platform or User-Agent string to decide whether the exploit should be served at all, so fetch with the User-Agent of the victims you are triaging for, not with your analysis machine's.
  - some tools: useragentstring.com (to check your user agent), onlinecurl.com (an on-line version of curl: paste a URL and you get the response back), hurl.it (same as the previous one).
- web component analysis.
  - use jsBeautify.org to get something human-readable when the code is obfuscated or minified.
- exploit analysis.
  - showmycode.com can help in understanding the exploit; it decompiles Java, Flash, .NET and PHP.
  - sometimes you can blindly search the Metasploit exploit template library for a matching exploit.
- payload extraction.
  - use ideone.com (an on-line compiler) to run the decoding routine and recover the de-obfuscated exploit or payload.
- payload analysis.
  - submit the file(s) to VirusTotal or malwr (virtualized Cuckoo sandbox instances).
  - malwr gives you information about the registry keys created, network traffic, and so on.
- build IOCs (Indicators of Compromise).
  - a collection of indicators that can be used to describe a compromised system.
This was a workshop, so the participants had to play with some of the tools. Here is the quick workflow that I followed: