Malware Analysis Workflow & Cheatsheet for SOC Analysts
Malware Analysis Workflow & Cheatsheet
Primary Platforms: REMnux (Linux) | FLARE-VM (Windows)
Table of Contents
Analysis Workflow Overview
┌─────────────────────────────────────────────────────────────┐
│ MALWARE TRIAGE │
│ • File type identification │
│ • Hash calculation (MD5, SHA1, SHA256) │
│ • VirusTotal/malware bazaar lookup │
│ • Initial assessment of threat level │
└────────────────────┬────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ STATIC ANALYSIS │
│ • Strings extraction │
│ • PE header analysis (Windows) │
│ • ELF analysis (Linux) │
│ • Packed/obfuscated detection │
│ • Import/export table analysis │
└────────────────────┬────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ DYNAMIC ANALYSIS │
│ • Behavioural monitoring │
│ • API call tracing │
│ • File system modifications │
│ • Registry changes │
│ • Network communications │
└────────────────────┬────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ DEEP DIVE ANALYSIS │
│ • Code analysis/reverse engineering │
│ • Unpacking │
│ • Deobfuscation │
│ • Memory forensics │
└────────────────────┬────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ IOC EXTRACTION & REPORTING │
│ • Document findings │
│ • Extract indicators of compromise │
│ • MITRE ATT&CK mapping │
│ • Generate signatures/rules │
└─────────────────────────────────────────────────────────────┘Lab Setup & Safety
Critical Safety Rules
NEVER run malware on production systems
Always use isolated VMs with snapshots
Disable network bridging (use Host-Only or NAT with INetSim)
Keep analysis VMs offline or use controlled internet simulation
Use separate dedicated hardware if possible
REMnux Setup
# Update REMnux tools
remnux update
# Start FakeNet-NG for network simulation
sudo fakenet
# Start INetSim (alternative network simulator)
sudo inetsim
# Create analysis directory
mkdir ~/malware_analysis
cd ~/malware_analysisFLARE-VM Setup
# Take snapshot before analysis
# Enable network simulation
fakenet.exe
# Create analysis directory
New-Item -Path "C:\MalwareAnalysis" -ItemType Directory
Set-Location C:\MalwareAnalysisStatic Analysis
Phase 1: Initial Triage
Calculate File Hashes
# REMnux
md5sum sample.exe
sha1sum sample.exe
sha256sum sample.exe
# One-liner for all hashes
echo "MD5: $(md5sum sample.exe | cut -d' ' -f1)"
echo "SHA1: $(sha1sum sample.exe | cut -d' ' -f1)"
echo "SHA256: $(sha256sum sample.exe | cut -d' ' -f1)"# FLARE-VM
Get-FileHash -Algorithm MD5 sample.exe
Get-FileHash -Algorithm SHA1 sample.exe
Get-FileHash -Algorithm SHA256 sample.exeFile Type Identification
# REMnux - Detailed file analysis
file sample.exe
exiftool sample.exe
TrID sample.exe
# Check for common file signatures
xxd sample.exe | head -n 5
hexdump -C sample.exe | head -n 10VirusTotal Lookup
# REMnux - Using VT API
vt-get-hash.py <hash>
# Or use web interface
firefox https://www.virustotal.com/gui/file/<hash>Phase 2: Strings Analysis
Basic Strings Extraction
# REMnux - Extract ASCII strings
strings sample.exe > strings_ascii.txt
strings -el sample.exe > strings_unicode.txt # Unicode strings
# Look for interesting patterns
strings sample.exe | grep -i "http"
strings sample.exe | grep -i "\.exe"
strings sample.exe | grep -i "\.dll"
strings sample.exe | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'# FLARE-VM
strings.exe sample.exe > strings_output.txt
strings.exe -accepteula sample.exe | Select-String "http"FLOSS - Advanced String Extraction
# REMnux - Extract obfuscated strings
floss sample.exe > floss_output.txt
floss -n 8 sample.exe # Minimum string length of 8What to look for in strings:
URLs and IP addresses
File paths (C:, %TEMP%, %APPDATA%)
Registry keys
API function names
User-Agent strings
Email addresses
Crypto wallet addresses
Command-and-control indicators
Phase 3: PE Analysis (Windows Executables)
PEiD / Detect It Easy (DIE)
# REMnux
die sample.exe
# Check for packers/protectors
# Common packers: UPX, ASPack, PECompact, Themida, VMProtect# FLARE-VM
diec.exe sample.exePE Header Analysis with pefile
# REMnux
peframe sample.exe
# Detailed PE analysis
python3 << EOF
import pefile
pe = pefile.PE('sample.exe')
print("[+] PE Information")
print(f"Architecture: {pe.FILE_HEADER.Machine}")
print(f"Compilation Timestamp: {pe.FILE_HEADER.TimeDateStamp}")
print(f"Number of Sections: {pe.FILE_HEADER.NumberOfSections}")
print(f"\n[+] Entry Point: {hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)}")
print("\n[+] Sections:")
for section in pe.sections:
print(f"{section.Name.decode().rstrip(chr(0))}: "
f"VirtualSize={hex(section.Misc_VirtualSize)}, "
f"Entropy={section.get_entropy():.2f}")
print("\n[+] Imported DLLs:")
for entry in pe.DIRECTORY_ENTRY_IMPORT:
print(f" {entry.dll.decode()}")
for imp in entry.imports[:5]: # First 5 imports
if imp.name:
print(f" - {imp.name.decode()}")
EOFSuspicious PE Characteristics Checklist
High entropy sections (>7.0) - likely packed/encrypted
Unusual section names (.data, .text are normal; .upx, .aspack are suspicious)
Suspicious imports:
VirtualAlloc,VirtualProtect- memory manipulationCreateRemoteThread- process injectionWriteProcessMemory- code injectionWinExec,ShellExecute- command executionInternetOpen,InternetReadFile- network activityCryptEncrypt,CryptDecrypt- encryption
Compilation timestamp - Future dates or very old dates
Low import count - may indicate dynamic loading
CFF Explorer Analysis
# FLARE-VM - Launch CFF Explorer
CFF Explorer.exe sample.exe
# Check:
# - Import Directory
# - Export Directory
# - Resource Directory
# - TLS Callbacks (anti-debugging)
# - Overlay dataPhase 4: Unpacking Detection and Handling
Detecting Packed Samples
# REMnux
upx -t sample.exe # Test if UPX packed
# Check entropy per section
python3 << EOF
import pefile
pe = pefile.PE('sample.exe')
for section in pe.sections:
print(f"{section.Name.decode().rstrip(chr(0))}: Entropy = {section.get_entropy():.2f}")
EOFEntropy Guide:
0-4.5: Plain text, low compression
4.5-6.5: Compressed data
6.5-7.5: Encrypted/packed
7.5-8.0: Highly encrypted
Unpacking Common Packers
UPX Unpacking:
# REMnux
upx -d sample.exe -o unpacked.exeGeneric Unpacking with x64dbg:
# FLARE-VM
# 1. Load sample in x64dbg
x96dbg.exe sample.exe
# 2. Set breakpoint on common APIs:
# - VirtualProtect
# - VirtualAlloc
# - kernel32.VirtualProtect
#
# 3. Run (F9) until breakpoint hit
# 4. Step through until POPAD/PUSHAD instructions
# 5. Follow in dump, find MZ header (4D 5A)
# 6. Dump memory region to file
# 7. Fix import table with Scylla pluginAutomated Unpacking with OllyDumpEx:
1. Load sample in OllyDbg
2. Run to OEP (Original Entry Point)
3. Plugins -> OllyDumpEx
4. Get EIP as OEP
5. Dump to file
6. Fix imports with Import ReconstructorDynamic Analysis
Phase 1: Behavioural Monitoring Setup
REMnux Dynamic Analysis
# Start network simulation
sudo inetsim
# Capture network traffic
sudo tcpdump -i eth0 -w capture.pcap &
# Monitor system calls (for Linux malware)
strace -f -o strace.log ./malware_sample
# Monitor file operations
inotifywait -m -r /tmp /home &FLARE-VM Dynamic Analysis Setup
# Start Procmon (Process Monitor)
procmon.exe /AcceptEula /Minimized /BackingFile C:\MalwareAnalysis\procmon.pml
# Start network simulation
fakenet.exe
# Start Wireshark
wireshark.exe -k -i 1 -w C:\MalwareAnalysis\capture.pcapngPhase 2: Process Monitoring
Procmon Configuration (FLARE-VM)
Essential Filters:
Process Name is malware.exe - Include
Operation is RegSetValue - Include
Operation is WriteFile - Include
Operation is CreateFile - Include
Path contains .exe - Include
Path contains .dll - IncludeWhat to Monitor:
Registry Operations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run- PersistenceHKCU\Software\Microsoft\Windows\CurrentVersion\Run- PersistenceHKLM\System\CurrentControlSet\Services- Service creation
File System Operations:
Files created in
%TEMP%,%APPDATA%Executables dropped to disk
DLL loading patterns
Network Operations:
TCP/UDP connections
DNS queries
Process Explorer (FLARE-VM)
# Launch Process Explorer
procexp.exe
# Enable:
# - Verify Image Signatures
# - VirusTotal checking
# - Show lower pane (DLLs/Handles)Key Things to Check:
Unsigned processes
Processes with no description
Processes running from unusual locations
Unusual parent-child relationships
Injected DLLs
Phase 3: API Call Monitoring
API Monitor (FLARE-VM)
# Launch API Monitor
apimonitor-x64.exe
# Monitor categories:
# - File Management
# - Registry
# - Process and Thread
# - Network
# - CryptographySuspicious API Call Patterns:
Code Injection:
OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThreadKeylogging:
SetWindowsHookEx (WH_KEYBOARD_LL) -> GetAsyncKeyStatePersistence:
RegOpenKeyEx -> RegSetValueEx (Run keys)
CreateService -> StartServiceAnti-Analysis:
IsDebuggerPresent -> Sleep(large_value)
GetTickCount (timing checks)Phase 4: Network Analysis
Capturing Network Traffic
# REMnux - Capture with tcpdump
sudo tcpdump -i any -w malware_traffic.pcap
# Filter by host
sudo tcpdump -i any host 192.168.1.100 -w filtered.pcap
# Real-time viewing
sudo tcpdump -i any -A # ASCII payload# FLARE-VM - Using Wireshark
wireshark -k -i "Ethernet" -w capture.pcapng
# Or use tshark for command line
tshark -i "Ethernet" -w capture.pcapngAnalysing Network Traffic
Wireshark Filters:
# HTTP traffic
http
# DNS queries
dns
# Specific IP
ip.addr == 192.168.1.100
# Suspicious ports
tcp.port == 4444 || tcp.port == 5555
# Look for C2 beaconing
tcp.len > 0 && tcp.len < 100 # Small, regular packetsINetSim Configuration (REMnux)
# Edit INetSim config
sudo nano /etc/inetsim/inetsim.conf
# Key settings:
# service http 0.0.0.0 80
# service https 0.0.0.0 443
# service dns 0.0.0.0 53
# Start INetSim
sudo inetsim
# Check logs
tail -f /var/log/inetsim/service.logFakeNet-NG Usage
# REMnux
sudo fakenet -c /etc/fakenet/configs/default.ini
# Custom configuration
sudo fakenet -f # Foreground mode with output# FLARE-VM
fakenet.exe
# With custom config
fakenet.exe -c custom_config.iniPhase 5: Execution in Sandbox
Cuckoo Sandbox Analysis (REMnux)
# Submit sample to Cuckoo
cuckoo submit sample.exe
# Submit with network enabled
cuckoo submit --enforce-timeout sample.exe
# Check status
cuckoo status
# View report
cuckoo web # Access at http://localhost:8000What Cuckoo Provides:
Screenshot timeline
API call trace
Network traffic
Dropped files
Registry modifications
Memory dumps
Behavioral signatures
Manual Sandbox Execution
# FLARE-VM
# 1. Take VM snapshot
# 2. Start monitoring tools (Procmon, Wireshark, API Monitor)
# 3. Execute malware
rundll32.exe sample.dll,EntryPoint # For DLLs
# 4. Let run for 5-10 minutes
# 5. Interact with system (move mouse, browse files) to trigger behavior
# 6. Stop monitoring tools
# 7. Revert to snapshotMemory Analysis
Capturing Memory
Windows Memory Acquisition
# FLARE-VM - Using WinPmem
winpmem_mini_x64_rc2.exe memdump.raw
# Using DumpIt
DumpIt.exe # Creates memory dump in current directory
# Using FTK Imager (GUI)
# File -> Capture Memory -> Select destinationProcess Memory Dump
# Using Process Explorer
# Right-click process -> Create Dump -> Create Full Dump
# Using procdump
procdump.exe -ma <PID> output.dmp
procdump.exe -ma malware.exe malware_dump.dmpMemory Analysis with Volatility
Volatility 3 (REMnux)
# Identify profile (if needed for Volatility 2)
vol.py -f memdump.raw imageinfo
# Volatility 3 commands
# List processes
vol -f memdump.raw windows.pslist
vol -f memdump.raw windows.pstree # Tree view
# Detect hidden processes
vol -f memdump.raw windows.psscan
# Network connections
vol -f memdump.raw windows.netscan
vol -f memdump.raw windows.netstat
# DLL list for specific process
vol -f memdump.raw windows.dlllist --pid 1234
# Command line arguments
vol -f memdump.raw windows.cmdline
# Registry hives
vol -f memdump.raw windows.registry.hivelist
# Dump specific process
vol -f memdump.raw windows.pslist --pid 1234 --dump
# Scan for injected code
vol -f memdump.raw windows.malfind
# Extract files from memory
vol -f memdump.raw windows.filescan
vol -f memdump.raw windows.dumpfiles --pid 1234Memory Analysis Workflow Example
# 1. Find suspicious processes
vol -f memdump.raw windows.pslist | grep -v "^0x"
# 2. Check network connections
vol -f memdump.raw windows.netscan | grep ESTABLISHED
# 3. Look for code injection
vol -f memdump.raw windows.malfind --pid 1234
# 4. Dump suspicious process memory
vol -f memdump.raw windows.memmap --pid 1234 --dump
# 5. Check for rootkits
vol -f memdump.raw windows.ssdtSuspicious Memory Indicators:
Processes running from temp directories
Processes with no parent (PPID = 0)
Hidden processes (in psscan but not pslist)
Unusual network connections
Code injection indicators (PAGE_EXECUTE_READWRITE)
Orphan threads
Network Analysis
Protocol Analysis
HTTP/HTTPS Traffic
# REMnux - Extract HTTP objects
tshark -r capture.pcap --export-objects http,http_objects/
# View HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri
# Extract certificates
tshark -r capture.pcap -Y "ssl.handshake.certificate" -T fields -e x509ce.dNSNameDNS Analysis
# REMnux
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u
# Look for DNS tunneling (long subdomain names)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk '{print length, $0}' | sort -rnIRC/P2P/Custom Protocols
# REMnux
# Extract payload
tshark -r capture.pcap -Y "tcp.port==6667" -T fields -e data.text
# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0NetworkMiner Analysis (FLARE-VM)
# Launch NetworkMiner
NetworkMiner.exe
# Load PCAP file
# File -> Open -> Select capture.pcapng
# Review tabs:
# - Hosts: Identified hosts and their details
# - Files: Extracted files from network traffic
# - Images: Extracted images
# - Messages: Email, chat messages
# - Credentials: Captured passwords
# - Sessions: TCP/UDP sessionsMalware Type-Specific Workflows
1. Ransomware Analysis
Static Analysis Focus
# REMnux
# Look for crypto-related strings
strings sample.exe | grep -i "crypt\|aes\|rsa\|encrypt"
# Check imports for crypto APIs
python3 << EOF
import pefile
pe = pefile.PE('ransomware.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
if 'crypt' in entry.dll.decode().lower():
print(f"Crypto DLL: {entry.dll.decode()}")
for imp in entry.imports:
if imp.name:
print(f" - {imp.name.decode()}")
EOFDynamic Analysis - Safe Execution
# FLARE-VM
# 1. Create decoy files
$extensions = @(".txt", ".doc", ".pdf", ".jpg", ".xlsx")
foreach ($ext in $extensions) {
1..50 | ForEach-Object {
New-Item -Path "C:\DecoyFiles\test_$_$ext" -ItemType File
"Decoy content $_" | Out-File "C:\DecoyFiles\test_$_$ext"
}
}
# 2. Start monitoring
procmon.exe /AcceptEula /BackingFile C:\Analysis\procmon.pml
# 3. Execute ransomware (in isolated VM!)
# 4. Monitor for:
# - File encryption operations (WriteFile operations on decoy files)
# - Ransom note creation
# - Wallpaper changes (Registry: HKCU\Control Panel\Desktop\Wallpaper)
# - Shadow copy deletion
# - Network beaconing to C2Ransomware IOC Extraction
Look for:
Ransom note file names (README.txt, HOW_TO_DECRYPT.txt)
File extension changes
Bitcoin wallet addresses in strings
Tor .onion addresses
Email addresses for contact
Shadow copy deletion commands:
vssadmin delete shadows /all /quietBoot record modification
Registry Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunHKCU\Software\Microsoft\Windows\CurrentVersion\Run
2. Trojan/RAT Analysis
Static Analysis Focus
# REMnux
# Look for RAT-related strings
strings rat_sample.exe | grep -iE "cmd|shell|screenshot|keylog|webcam"
# Check for common RAT ports
strings rat_sample.exe | grep -E ":[0-9]{4,5}"Dynamic Analysis Workflow
# FLARE-VM
# 1. Start packet capture
tshark -i "Ethernet" -w rat_traffic.pcapng
# 2. Start API Monitor
# Monitor: Process and Thread, File Management, Registry, Network
# 3. Execute RAT
# 4. Observe behaviours:RAT Capabilities to Test:
Command execution (create test file via RAT)
Screen capture
Keylogging (type in notepad)
File upload/download
Remote shell
Webcam access
Persistence mechanism
Common RAT Network Patterns
# Beaconing (periodic check-ins)
tshark -r rat_traffic.pcapng -Y "tcp.len > 0 && tcp.len < 200" -T fields -e frame.time_relative -e tcp.len
# Look for:
# - Regular interval connections (every 60s, 300s, etc.)
# - Small packet sizes (heartbeat)
# - Base64 encoded data in payloads3. Spyware/Infostealer Analysis
Target Data Collection Points
# FLARE-VM - Monitor these locations
procmon filter:
- Path contains "\AppData\Local\Google\Chrome\User Data"
- Path contains "\AppData\Roaming\Mozilla\Firefox\Profiles"
- Path contains "wallet.dat" # Cryptocurrency
- Path contains "\Login Data"
- Path contains "\Cookies"Common Stealer Targets
Browser Data:
Chrome:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (passwords)
Cookies
Web Data (autofill)
Firefox:
%APPDATA%\Mozilla\Firefox\Profiles\logins.json
cookies.sqlite
Crypto Wallets:
Bitcoin:
%APPDATA%\Bitcoin\wallet.datEthereum:
%APPDATA%\Ethereum\keystore\Exodus:
%APPDATA%\Exodus\
Discord Tokens:
%APPDATA%\Discord\Local Storage\leveldb\
FTP Clients:
FileZilla:
%APPDATA%\FileZilla\recentservers.xml
Dynamic Analysis
# REMnux - Analyse exfiltration
# Watch for outbound POST requests with large data
tshark -r stealer_traffic.pcapng -Y "http.request.method == POST" -T fields -e http.host -e http.file_data
# Check for data encoding
tshark -r stealer_traffic.pcapng -Y "http" -T fields -e http.file_data | base64 -d4. Dropper/Downloader Analysis
Static Analysis
# REMnux
# Look for URLs embedded
strings dropper.exe | grep -iE "http://|https://|ftp://"
# Check for download functions
python3 << EOF
import pefile
pe = pefile.PE('dropper.exe')
download_apis = ['URLDownloadToFile', 'InternetReadFile', 'HttpSendRequest']
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
if imp.name and imp.name.decode() in download_apis:
print(f"Found: {imp.name.decode()} in {entry.dll.decode()}")
EOFDynamic Analysis - Capture Dropped Files
# FLARE-VM
# Monitor file creation
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Created" -Action {
Write-Host "File created: $($Event.SourceEventArgs.FullPath)"
} | Out-Null
# Execute dropper
# Check these locations for dropped files:
# - %TEMP%
# - %APPDATA%
# - %LOCALAPPDATA%Capture Downloaded Payloads
# REMnux - Configure INetSim to serve fake payload
sudo nano /etc/inetsim/inetsim.conf
# Add:
# http_fakefile exe /var/lib/inetsim/http/fakefiles/sample.exe
# Monitor downloads
tail -f /var/log/inetsim/service.log | grep HTTP5. Document-Based Malware (Maldocs)
Microsoft Office Document Analysis
olevba (REMnux):
# Extract VBA macros
olevba malicious.doc
# Analyse macros with detailed output
olevba -a malicious.doc
# Decode obfuscated content
olevba -c malicious.doc
# Look for suspicious keywords
olevba --decode malicious.doc | grep -i "shell\|execute\|powershell"mraptor (REMnux):
# Detect malicious macros
mraptor malicious.docoleid (REMnux):
# Identify file characteristics
oleid malicious.doc
# Check for:
# - VBA Macros
# - External Relationships
# - ObjectPoolPDF Malware Analysis
pdfid (REMnux):
# Identify PDF structure
pdfid malicious.pdf
# Suspicious elements:
# /JavaScript - Embedded JavaScript
# /OpenAction - Auto-execution
# /Launch - Execute file
# /EmbeddedFile - Hidden files
# /AcroForm - Form with actionsPdf-parser (REMnux):
# Search for JavaScript
pdf-parser -s /JavaScript malicious.pdf
# Extract JavaScript from object
pdf-parser -o 15 malicious.pdf
# Dump suspicious object
pdf-parser -o 15 -d extracted_js.txt malicious.pdfpeepdf (REMnux):
# Interactive analysis
peepdf -i malicious.pdf
# Commands in peepdf:
# tree - Show object tree
# object 15 - Show object 15
# js_code - Extract all JavaScript
# decode file - Decode encoded contentMaldoc Dynamic Analysis
# FLARE-VM
# 1. Instrument with API Monitor focused on:
# - Process Creation (CreateProcess, ShellExecute)
# - File Operations
# - Network Activity
# 2. Open document in protected view disabled
# HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView
# 3. Watch for:
# - Spawned processes (cmd.exe, powershell.exe, wscript.exe)
# - Downloaded files
# - Registry modifications6. Fileless Malware Analysis
PowerShell-Based Attacks
Static Analysis:
# FLARE-VM - Deobfuscate PowerShell
# Common obfuscation: Base64
$encoded = "BASE64_STRING_HERE"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))
# For complex obfuscation, use PSDecode
PSDecode.ps1 -inputfile malicious.ps1# REMnux
# Extract PowerShell from memory or files
strings -el memory.dmp | grep -i "powershell" -A 20Dynamic Analysis:
# Enable PowerShell logging
# Set via GPO or Registry:
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
# View logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" |
Where-Object {$_.Id -eq 4104} |
Format-List -Property *WMI-Based Persistence
# FLARE-VM - Check for malicious WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
# Look for:
# - Unusual filter queries
# - Script/Command consumers
# - Suspicious bindingsRegistry-Based Fileless Malware
# Check for payloads in registry
Get-ItemProperty -Path "HKCU:\Software\*" -Recurse |
Where-Object {$_.PSObject.Properties.Value -like "*powershell*"}
# Look in common locations:
# HKCU\Software\Classes\
# HKLM\Software\Microsoft\Tool Reference Guide
REMnux Essential Tools
strings
Extract ASCII/Unicode strings
strings -a sample.exe
file
Identify file type
file sample
exiftool
Extract metadata
exiftool sample.exe
xxd/hexdump
Hex viewer
xxd sample.exe | head
upx
UPX unpacker
upx -d sample.exe
die
Detect packer/compiler
die sample.exe
peframe
PE file analysis
peframe sample.exe
floss
Obfuscated string extraction
floss sample.exe
olevba
VBA macro extraction
olevba document.doc
pdfid
PDF structure analysis
pdfid sample.pdf
pdf-parser
PDF object extraction
pdf-parser sample.pdf
tcpdump
Packet capture
tcpdump -i eth0 -w capture.pcap
tshark
Packet analysis (CLI)
tshark -r capture.pcap
wireshark
Packet analysis (GUI)
wireshark capture.pcap
inetsim
Internet service simulation
sudo inetsim
fakenet
Network traffic simulation
sudo fakenet
volatility
Memory forensics
vol -f mem.raw windows.pslist
yara
Pattern matching
yara rules.yar sample.exe
capa
Capability detection
capa sample.exe
FLARE-VM Essential Tools
Process Monitor
Real-time process monitoring
procmon.exe
Process Explorer
Advanced process viewer
procexp.exe
Autoruns
Startup programs analyzer
autoruns.exe
Wireshark
Packet analysis
wireshark.exe
FakeNet-NG
Network simulation
fakenet.exe
x64dbg/x32dbg
Debugger
x96dbg.exe
IDA Free
Disassembler
ida64.exe
Ghidra
Reverse engineering
ghidraRun.bat
CFF Explorer
PE editor
CFF Explorer.exe
PEiD
Packer detection
PEiD.exe
Detect It Easy
File analyzer
die.exe
API Monitor
API call monitoring
apimonitor-x64.exe
Regshot
Registry comparison
regshot.exe
NetworkMiner
Network forensics
NetworkMiner.exe
HxD
Hex editor
HxD.exe
Strings
String extraction
strings.exe
PEview
PE structure viewer
peview.exe
Capa
Capability detection
capa.exe
Quick Command Reference
Hash Calculation
# REMnux
md5sum file.exe
sha256sum file.exe
ssdeep file.exe # Fuzzy hashing# FLARE-VM
Get-FileHash -Algorithm SHA256 file.exe
Get-FileHash -Algorithm MD5 file.exeString Extraction
# REMnux
strings -a file.exe # All strings
strings -el file.exe # Unicode
floss file.exe # Obfuscated strings# FLARE-VM
strings.exe file.exe
strings.exe -n 10 file.exe # Min length 10Network Capture
# REMnux
sudo tcpdump -i any -w capture.pcap
sudo tcpdump host 192.168.1.100 -w filtered.pcap# FLARE-VM
tshark -i "Ethernet" -w capture.pcapng
netsh trace start capture=yes tracefile=C:\capture.etlIOC Extraction & Reporting
Indicator Types
Network Indicators:
IP addresses
Domain names
URLs
User-Agent strings
SSL certificate hashes
Email addresses
File Indicators:
MD5, SHA1, SHA256 hashes
File names
File paths
PDB paths
Mutexes
Registry keys
Behavioural Indicators:
API call sequences
Process injection techniques
Persistence mechanisms
C2 communication patterns
Automated IOC Extraction
Using FLOSS and Strings
# REMnux
floss sample.exe | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}|[a-zA-Z0-9-]+\.(com|net|org)" > iocs.txt
# Extract URLs
strings sample.exe | grep -E "https?://" > urls.txt
# Extract IPs
strings sample.exe | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u > ips.txtUsing IOC Extract Tools
# REMnux - Install ioc-finder
pip3 install ioc-finder
# Extract IOCs
ioc-finder sample.exe
# Or from text
cat strings.txt | ioc-finderYARA Rule Creation
Basic YARA Rule Template:
rule MalwareFamilyName_Variant
{
meta:
description = "Detects MalwareFamilyName variant"
author = "Your Name"
date = "2024-01-01"
hash = "SHA256_HASH_HERE"
strings:
$str1 = "unique_string_1" ascii wide
$str2 = "unique_string_2" ascii wide
$hex1 = { 4D 5A 90 00 } // MZ header
$api1 = "VirtualAllocEx" ascii
$api2 = "CreateRemoteThread" ascii
condition:
uint16(0) == 0x5A4D and // MZ header
filesize < 500KB and
2 of ($str*) and
all of ($api*)
}Testing YARA Rules:
# REMnux
yara rules.yar sample.exe
yara -s rules.yar sample.exe # Show matched strings
yara -r rules.yar /path/to/samples/ # Recursive scanCreating Snort/Suricata Rules
Basic Snort Rule:
alert tcp any any -> any any (msg:"Malware C2 Communication";
content:"User-Agent|3A| MalwareBot";
flow:to_server,established;
sid:1000001;
rev:1;)HTTP-Based C2 Detection:
alert http any any -> any any (msg:"Malware HTTP Beacon";
content:"POST"; http_method;
content:"/gate.php"; http_uri;
content:"id="; http_client_body;
sid:1000002;
rev:1;)Report Template
Malware Analysis Report
Executive Summary
Malware Family: [Name]
Threat Level: [Critical/High/Medium/Low]
Analysis Date: [Date]
Analyst: [Name]
Sample Information
File Name: malware.exe
File Size: 1.2 MB
MD5: abc123...
SHA256: def456...
File Type: PE32 executable
Key Findings
[Primary malware behaviour]
[Communication method]
[Persistence mechanism]
Technical Analysis
Static Analysis
Packer: [None/UPX/Other]
Compiler: [Microsoft Visual C++/Other]
Imports: [Key DLLs and functions]
Suspicious Strings: [List key strings]
Dynamic Analysis
Execution: [Behaviour observed]
Network Activity: [C2 servers, protocols]
File Operations: [Files created/modified]
Registry Changes: [Keys modified]
Persistence: [Mechanism used]
Capabilities
Indicators of Compromise (IOCs)
Network Indicators
C2 Server: 192.168.1.100
Domains: malicious-domain.com
URLs: http://malicious-domain.com/gate.php
File Indicators
Dropped Files:
C:\Users\Public\malware.dll (SHA256: ...)
Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware
Behavioural Indicators
Process injection into explorer.exe
Beacon interval: 60 seconds
MITRE ATT&CK Mapping
Initial Access: T1566 - Phishing
Execution: T1059 - Command and Scripting Interpreter
Persistence: T1547 - Registry Run Keys
Defense Evasion: T1027 - Obfuscated Files or Information
Command and Control: T1071 - Application Layer Protocol
Recommendations
Block IOCs at network and endpoint
Hunt for indicators in environment
Update detection signatures
User awareness training
Detection Rules
[Include YARA, Snort/Suricata rules]
Appendix
Full strings output
Process Monitor logs
Network traffic captures
Memory analysis results
Advanced Techniques Bypassing Anti-Analysis
Anti-VM Detection Bypass
# FLARE-VM - Common VM artifacts to modify
# 1. Change hardware identifiers
# Registry keys to modify:
# HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
# HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion
# 2. Rename VM processes
taskkill /IM vmtoolsd.exe /F
Rename-Item "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" vmtoolsd.bak
# 3. Remove VM artifacts
Remove-Item "C:\Program Files\VMware" -Recurse -ForceAnti-Debugging Bypass
# REMnux - Patch IsDebuggerPresent checks
import pefile
pe = pefile.PE('sample.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
for imp in entry.imports:
if imp.name and b'IsDebuggerPresent' in imp.name:
# Patch to always return false
print(f"Found IsDebuggerPresent at offset: {hex(imp.address)}")Code Analysis with Ghidra
# REMnux - Headless Ghidra analysis
analyzeHeadless /tmp/ghidra_projects MyProject -import sample.exe -scriptPath /path/to/scripts -postScript ExtractStrings.pyGhidra Workflow:
Import binary (File → Import File)
Auto-analyse (Yes to prompts)
Navigate to entry point (Symbol Tree → Entry)
Rename functions for clarity
Use decompiler (Window → Decompile)
Look for interesting functions:
String references (Search → For Strings)
Cross-references (Right-click → References)
API calls
Automated Analysis with Capa
# REMnux
capa sample.exe
# Verbose output
capa -v sample.exe
# JSON output for automation
capa -j sample.exe > capabilities.jsonCapa detects:
Capabilities (what the malware can do)
MITRE ATT&CK techniques
Code patterns
Behavioral indicators
Quick Reference Checklists
Initial Triage Checklist
[ ] Calculate hashes (MD5, SHA256)
[ ] Identify file type
[ ] Check VirusTotal / MalwareBazaar
[ ] Assess threat level
[ ] Document source and context
Static Analysis Checklist
[ ] Extract strings (ASCII/Unicode)
[ ] Run FLOSS for obfuscated strings
[ ] Analyse PE headers (if Windows)
[ ] Check for packers
[ ] Review imports/exports
[ ] Examine file entropy
[ ] Extract embedded resources
[ ] Check digital signatures
Dynamic Analysis Checklist
[ ] Take VM snapshot
[ ] Start monitoring tools (Procmon, Wireshark)
[ ] Configure network simulation
[ ] Execute sample
[ ] Observe for 5-10 minutes
[ ] Interact with system
[ ] Check persistence mechanisms
[ ] Capture memory dump
[ ] Document all behaviours
[ ] Revert to snapshot
Report Checklist
[ ] Executive summary
[ ] Sample metadata
[ ] Static analysis findings
[ ] Dynamic analysis findings
[ ] Network analysis findings
[ ] Extracted IOCs
[ ] MITRE ATT&CK mapping
[ ] Detection rules (YARA/Snort)
[ ] Remediation recommendations
Common Pitfalls and Best Practices
Safety Best Practices
✅ DO:
Always work in isolated VMs
Take snapshots before analysis
Use network simulation tools
Document everything
Maintain chain of custody
Use write-protected evidence
❌ DON'T:
Analyse on production systems
Allow real internet connectivity
Trust any input from malware
Double-click unknown executables outside VM
Forget to revert snapshots
Mix personal and analysis activities
Analysis Best Practices
✅ DO:
Start with static analysis
Use multiple tools for confirmation
Search for similar samples
Look for known signatures
Document your methodology
Take screenshots of key findings
Automate repetitive tasks
Collaborate with team
❌ DON'T:
Skip basic triage
Rely only on one tool
Ignore context
Make assumptions
Forget to check for updates
Share samples insecurely
Resources and Further Learning
Essential Resources
FLARE Team Blog: https://www.mandiant.com/resources/blog
Malware Traffic Analysis: https://malware-traffic-analysis.net/
Hybrid Analysis: https://www.hybrid-analysis.com/
ANY.RUN: https://any.run/
MalwareBazaar: https://bazaar.abuse.ch/
VirusTotal: https://www.virustotal.com/
Training Resources
Practical Malware Analysis (book)
The Art of Memory Forensics (book)
SANS FOR610: Reverse-Engineering Malware
Malware Unicorn Workshops
Open Security Training
Community
r/Malware (Reddit)
r/ReverseEngineering (Reddit)
Malware Analysis Discord servers
Twitter: #MalwareAnalysis #DFIR
This document is for educational purposes only.
Last updated