Cheatsheet

Primary Platforms: REMnux (Linux) | FLARE-VM (Windows)

---

Table of Contents

1. Analysis Workflow Overview

2. Lab Setup & Safety

3. Static Analysis

4. Dynamic Analysis

5. Memory Analysis

6. Network Analysis

7. Malware Type-Specific Workflows

8. Tool Reference Guide

9. IOC Extraction & Reporting

---

Analysis Workflow Overview

┌─────────────────────────────────────────────────────────────┐
│                    MALWARE TRIAGE                           │
│  • File type identification                                 │
│  • Hash calculation (MD5, SHA1, SHA256)                     │
│  • VirusTotal/malware bazaar lookup                         │
│  • Initial assessment of threat level                       │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│                  STATIC ANALYSIS                            │
│  • Strings extraction                                       │
│  • PE header analysis (Windows)                             │
│  • ELF analysis (Linux)                                     │
│  • Packed/obfuscated detection                              │
│  • Import/export table analysis                             │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│                 DYNAMIC ANALYSIS                            │
│  • Behavioural monitoring                                    │
│  • API call tracing                                         │
│  • File system modifications                                │
│  • Registry changes                                         │
│  • Network communications                                   │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│              DEEP DIVE ANALYSIS                             │
│  • Code analysis/reverse engineering                        │
│  • Unpacking                                                │
│  • Deobfuscation                                            │
│  • Memory forensics                                         │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│           IOC EXTRACTION & REPORTING                        │
│  • Document findings                                        │
│  • Extract indicators of compromise                         │
│  • MITRE ATT&CK mapping                                     │
│  • Generate signatures/rules                                │
└─────────────────────────────────────────────────────────────┘

---

Lab Setup & Safety

Critical Safety Rules

• NEVER run malware on production systems

• Always use isolated VMs with snapshots

• Disable network bridging (use Host-Only or NAT with INetSim)

• Keep analysis VMs offline or use controlled internet simulation

• Use separate dedicated hardware if possible

REMnux Setup

# Update REMnux tools
remnux update

# Start FakeNet-NG for network simulation
sudo fakenet

# Start INetSim (alternative network simulator)
sudo inetsim

# Create analysis directory
mkdir ~/malware_analysis
cd ~/malware_analysis

FLARE-VM Setup

# Take snapshot before analysis
# Enable network simulation
fakenet.exe

# Create analysis directory
New-Item -Path "C:\MalwareAnalysis" -ItemType Directory
Set-Location C:\MalwareAnalysis

---

Static Analysis

Phase 1: Initial Triage

Calculate File Hashes

# REMnux
md5sum sample.exe
sha1sum sample.exe
sha256sum sample.exe

# One-liner for all hashes
echo "MD5:    $(md5sum sample.exe | cut -d' ' -f1)"
echo "SHA1:   $(sha1sum sample.exe | cut -d' ' -f1)"
echo "SHA256: $(sha256sum sample.exe | cut -d' ' -f1)"

# FLARE-VM
Get-FileHash -Algorithm MD5 sample.exe
Get-FileHash -Algorithm SHA1 sample.exe
Get-FileHash -Algorithm SHA256 sample.exe

File Type Identification

# REMnux - Detailed file analysis
file sample.exe
exiftool sample.exe
TrID sample.exe

# Check for common file signatures
xxd sample.exe | head -n 5
hexdump -C sample.exe | head -n 10

VirusTotal Lookup

# REMnux - Using VT API
vt-get-hash.py <hash>

# Or use web interface
firefox https://www.virustotal.com/gui/file/<hash>

Phase 2: Strings Analysis

Basic Strings Extraction

# REMnux - Extract ASCII strings
strings sample.exe > strings_ascii.txt
strings -el sample.exe > strings_unicode.txt  # Unicode strings

# Look for interesting patterns
strings sample.exe | grep -i "http"
strings sample.exe | grep -i "\.exe"
strings sample.exe | grep -i "\.dll"
strings sample.exe | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# FLARE-VM
strings.exe sample.exe > strings_output.txt
strings.exe -accepteula sample.exe | Select-String "http"

FLOSS - Advanced String Extraction

# REMnux - Extract obfuscated strings
floss sample.exe > floss_output.txt
floss -n 8 sample.exe  # Minimum string length of 8

What to look for in strings:

• URLs and IP addresses

• File paths (C:, %TEMP%, %APPDATA%)

• Registry keys

• API function names

• User-Agent strings

• Email addresses

• Crypto wallet addresses

• Command-and-control indicators

Phase 3: PE Analysis (Windows Executables)

PEiD / Detect It Easy (DIE)

# REMnux
die sample.exe

# Check for packers/protectors
# Common packers: UPX, ASPack, PECompact, Themida, VMProtect

# FLARE-VM
diec.exe sample.exe

PE Header Analysis with pefile

# REMnux
peframe sample.exe

# Detailed PE analysis
python3 << EOF
import pefile

pe = pefile.PE('sample.exe')

print("[+] PE Information")
print(f"Architecture: {pe.FILE_HEADER.Machine}")
print(f"Compilation Timestamp: {pe.FILE_HEADER.TimeDateStamp}")
print(f"Number of Sections: {pe.FILE_HEADER.NumberOfSections}")
print(f"\n[+] Entry Point: {hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)}")

print("\n[+] Sections:")
for section in pe.sections:
    print(f"{section.Name.decode().rstrip(chr(0))}: "
          f"VirtualSize={hex(section.Misc_VirtualSize)}, "
          f"Entropy={section.get_entropy():.2f}")

print("\n[+] Imported DLLs:")
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(f"  {entry.dll.decode()}")
    for imp in entry.imports[:5]:  # First 5 imports
        if imp.name:
            print(f"    - {imp.name.decode()}")

EOF

Suspicious PE Characteristics Checklist

• High entropy sections (>7.0) - likely packed/encrypted

• Unusual section names (.data, .text are normal; .upx, .aspack are suspicious)

• Suspicious imports:

  • VirtualAlloc, VirtualProtect - memory manipulation

  • CreateRemoteThread - process injection

  • WriteProcessMemory - code injection

  • WinExec, ShellExecute - command execution

  • InternetOpen, InternetReadFile - network activity

  • CryptEncrypt, CryptDecrypt - encryption

• Compilation timestamp - Future dates or very old dates

• Low import count - may indicate dynamic loading

CFF Explorer Analysis

# FLARE-VM - Launch CFF Explorer
CFF Explorer.exe sample.exe

# Check:
# - Import Directory
# - Export Directory
# - Resource Directory
# - TLS Callbacks (anti-debugging)
# - Overlay data

Phase 4: Unpacking Detection and Handling

Detecting Packed Samples

# REMnux
upx -t sample.exe  # Test if UPX packed

# Check entropy per section
python3 << EOF
import pefile
pe = pefile.PE('sample.exe')
for section in pe.sections:
    print(f"{section.Name.decode().rstrip(chr(0))}: Entropy = {section.get_entropy():.2f}")
EOF

Entropy Guide:

• 0-4.5: Plain text, low compression

• 4.5-6.5: Compressed data

• 6.5-7.5: Encrypted/packed

• 7.5-8.0: Highly encrypted

Unpacking Common Packers

UPX Unpacking:

# REMnux
upx -d sample.exe -o unpacked.exe

Generic Unpacking with x64dbg:

# FLARE-VM
# 1. Load sample in x64dbg
x96dbg.exe sample.exe

# 2. Set breakpoint on common APIs:
#    - VirtualProtect
#    - VirtualAlloc
#    - kernel32.VirtualProtect
#    
# 3. Run (F9) until breakpoint hit
# 4. Step through until POPAD/PUSHAD instructions
# 5. Follow in dump, find MZ header (4D 5A)
# 6. Dump memory region to file
# 7. Fix import table with Scylla plugin

Automated Unpacking with OllyDumpEx:

1. Load sample in OllyDbg
2. Run to OEP (Original Entry Point)
3. Plugins -> OllyDumpEx
4. Get EIP as OEP
5. Dump to file
6. Fix imports with Import Reconstructor

---

Dynamic Analysis

Phase 1: Behavioural Monitoring Setup

REMnux Dynamic Analysis

# Start network simulation
sudo inetsim

# Capture network traffic
sudo tcpdump -i eth0 -w capture.pcap &

# Monitor system calls (for Linux malware)
strace -f -o strace.log ./malware_sample

# Monitor file operations
inotifywait -m -r /tmp /home &

FLARE-VM Dynamic Analysis Setup

# Start Procmon (Process Monitor)
procmon.exe /AcceptEula /Minimized /BackingFile C:\MalwareAnalysis\procmon.pml

# Start network simulation
fakenet.exe

# Start Wireshark
wireshark.exe -k -i 1 -w C:\MalwareAnalysis\capture.pcapng

Phase 2: Process Monitoring

Procmon Configuration (FLARE-VM)

Essential Filters:

Process Name is malware.exe - Include
Operation is RegSetValue - Include
Operation is WriteFile - Include
Operation is CreateFile - Include
Path contains .exe - Include
Path contains .dll - Include

What to Monitor:

1. Registry Operations:

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Persistence

   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Persistence

   • HKLM\System\CurrentControlSet\Services - Service creation

2. File System Operations:

   • Files created in %TEMP%, %APPDATA%

   • Executables dropped to disk

   • DLL loading patterns

3. Network Operations:

   • TCP/UDP connections

   • DNS queries

Process Explorer (FLARE-VM)

# Launch Process Explorer
procexp.exe

# Enable:
# - Verify Image Signatures
# - VirusTotal checking
# - Show lower pane (DLLs/Handles)

Key Things to Check:

• Unsigned processes

• Processes with no description

• Processes running from unusual locations

• Unusual parent-child relationships

• Injected DLLs

Phase 3: API Call Monitoring

API Monitor (FLARE-VM)

# Launch API Monitor
apimonitor-x64.exe

# Monitor categories:
# - File Management
# - Registry
# - Process and Thread
# - Network
# - Cryptography

Suspicious API Call Patterns:

Code Injection:

OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread

Keylogging:

SetWindowsHookEx (WH_KEYBOARD_LL) -> GetAsyncKeyState

Persistence:

RegOpenKeyEx -> RegSetValueEx (Run keys)
CreateService -> StartService

Anti-Analysis:

IsDebuggerPresent -> Sleep(large_value)
GetTickCount (timing checks)

Phase 4: Network Analysis

Capturing Network Traffic

# REMnux - Capture with tcpdump
sudo tcpdump -i any -w malware_traffic.pcap

# Filter by host
sudo tcpdump -i any host 192.168.1.100 -w filtered.pcap

# Real-time viewing
sudo tcpdump -i any -A  # ASCII payload

# FLARE-VM - Using Wireshark
wireshark -k -i "Ethernet" -w capture.pcapng

# Or use tshark for command line
tshark -i "Ethernet" -w capture.pcapng

Analysing Network Traffic

Wireshark Filters:

# HTTP traffic
http

# DNS queries
dns

# Specific IP
ip.addr == 192.168.1.100

# Suspicious ports
tcp.port == 4444 || tcp.port == 5555

# Look for C2 beaconing
tcp.len > 0 && tcp.len < 100  # Small, regular packets

INetSim Configuration (REMnux)

# Edit INetSim config
sudo nano /etc/inetsim/inetsim.conf

# Key settings:
# service http 0.0.0.0 80
# service https 0.0.0.0 443
# service dns 0.0.0.0 53

# Start INetSim
sudo inetsim

# Check logs
tail -f /var/log/inetsim/service.log

FakeNet-NG Usage

# REMnux
sudo fakenet -c /etc/fakenet/configs/default.ini

# Custom configuration
sudo fakenet -f  # Foreground mode with output

# FLARE-VM
fakenet.exe

# With custom config
fakenet.exe -c custom_config.ini

Phase 5: Execution in Sandbox

Cuckoo Sandbox Analysis (REMnux)

# Submit sample to Cuckoo
cuckoo submit sample.exe

# Submit with network enabled
cuckoo submit --enforce-timeout sample.exe

# Check status
cuckoo status

# View report
cuckoo web  # Access at http://localhost:8000

What Cuckoo Provides:

• Screenshot timeline

• API call trace

• Network traffic

• Dropped files

• Registry modifications

• Memory dumps

• Behavioral signatures

Manual Sandbox Execution

# FLARE-VM
# 1. Take VM snapshot
# 2. Start monitoring tools (Procmon, Wireshark, API Monitor)
# 3. Execute malware
rundll32.exe sample.dll,EntryPoint  # For DLLs

# 4. Let run for 5-10 minutes
# 5. Interact with system (move mouse, browse files) to trigger behavior
# 6. Stop monitoring tools
# 7. Revert to snapshot

---

Memory Analysis

Capturing Memory

Windows Memory Acquisition

# FLARE-VM - Using WinPmem
winpmem_mini_x64_rc2.exe memdump.raw

# Using DumpIt
DumpIt.exe  # Creates memory dump in current directory

# Using FTK Imager (GUI)
# File -> Capture Memory -> Select destination

Process Memory Dump

# Using Process Explorer
# Right-click process -> Create Dump -> Create Full Dump

# Using procdump
procdump.exe -ma <PID> output.dmp
procdump.exe -ma malware.exe malware_dump.dmp

Memory Analysis with Volatility

Volatility 3 (REMnux)

# Identify profile (if needed for Volatility 2)
vol.py -f memdump.raw imageinfo

# Volatility 3 commands

# List processes
vol -f memdump.raw windows.pslist
vol -f memdump.raw windows.pstree  # Tree view

# Detect hidden processes
vol -f memdump.raw windows.psscan

# Network connections
vol -f memdump.raw windows.netscan
vol -f memdump.raw windows.netstat

# DLL list for specific process
vol -f memdump.raw windows.dlllist --pid 1234

# Command line arguments
vol -f memdump.raw windows.cmdline

# Registry hives
vol -f memdump.raw windows.registry.hivelist

# Dump specific process
vol -f memdump.raw windows.pslist --pid 1234 --dump

# Scan for injected code
vol -f memdump.raw windows.malfind

# Extract files from memory
vol -f memdump.raw windows.filescan
vol -f memdump.raw windows.dumpfiles --pid 1234

Memory Analysis Workflow Example

# 1. Find suspicious processes
vol -f memdump.raw windows.pslist | grep -v "^0x"

# 2. Check network connections
vol -f memdump.raw windows.netscan | grep ESTABLISHED

# 3. Look for code injection
vol -f memdump.raw windows.malfind --pid 1234

# 4. Dump suspicious process memory
vol -f memdump.raw windows.memmap --pid 1234 --dump

# 5. Check for rootkits
vol -f memdump.raw windows.ssdt

Suspicious Memory Indicators:

• Processes running from temp directories

• Processes with no parent (PPID = 0)

• Hidden processes (in psscan but not pslist)

• Unusual network connections

• Code injection indicators (PAGE_EXECUTE_READWRITE)

• Orphan threads

---

Network Analysis

Protocol Analysis

HTTP/HTTPS Traffic

# REMnux - Extract HTTP objects
tshark -r capture.pcap --export-objects http,http_objects/

# View HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Extract certificates
tshark -r capture.pcap -Y "ssl.handshake.certificate" -T fields -e x509ce.dNSName

DNS Analysis

# REMnux
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

# Look for DNS tunneling (long subdomain names)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk '{print length, $0}' | sort -rn

IRC/P2P/Custom Protocols

# REMnux
# Extract payload
tshark -r capture.pcap -Y "tcp.port==6667" -T fields -e data.text

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

NetworkMiner Analysis (FLARE-VM)

# Launch NetworkMiner
NetworkMiner.exe

# Load PCAP file
# File -> Open -> Select capture.pcapng

# Review tabs:
# - Hosts: Identified hosts and their details
# - Files: Extracted files from network traffic
# - Images: Extracted images
# - Messages: Email, chat messages
# - Credentials: Captured passwords
# - Sessions: TCP/UDP sessions

---

Malware Type-Specific Workflows

1. Ransomware Analysis

Static Analysis Focus

# REMnux
# Look for crypto-related strings
strings sample.exe | grep -i "crypt\|aes\|rsa\|encrypt"

# Check imports for crypto APIs
python3 << EOF
import pefile
pe = pefile.PE('ransomware.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    if 'crypt' in entry.dll.decode().lower():
        print(f"Crypto DLL: {entry.dll.decode()}")
        for imp in entry.imports:
            if imp.name:
                print(f"  - {imp.name.decode()}")
EOF

Dynamic Analysis - Safe Execution

# FLARE-VM
# 1. Create decoy files
$extensions = @(".txt", ".doc", ".pdf", ".jpg", ".xlsx")
foreach ($ext in $extensions) {
    1..50 | ForEach-Object {
        New-Item -Path "C:\DecoyFiles\test_$_$ext" -ItemType File
        "Decoy content $_" | Out-File "C:\DecoyFiles\test_$_$ext"
    }
}

# 2. Start monitoring
procmon.exe /AcceptEula /BackingFile C:\Analysis\procmon.pml

# 3. Execute ransomware (in isolated VM!)

# 4. Monitor for:
# - File encryption operations (WriteFile operations on decoy files)
# - Ransom note creation
# - Wallpaper changes (Registry: HKCU\Control Panel\Desktop\Wallpaper)
# - Shadow copy deletion
# - Network beaconing to C2

Ransomware IOC Extraction

Look for:

• Ransom note file names (README.txt, HOW_TO_DECRYPT.txt)

• File extension changes

• Bitcoin wallet addresses in strings

• Tor .onion addresses

• Email addresses for contact

• Shadow copy deletion commands: vssadmin delete shadows /all /quiet

• Boot record modification

Registry Keys:

• HKLM\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2. Trojan/RAT Analysis

Static Analysis Focus

# REMnux
# Look for RAT-related strings
strings rat_sample.exe | grep -iE "cmd|shell|screenshot|keylog|webcam"

# Check for common RAT ports
strings rat_sample.exe | grep -E ":[0-9]{4,5}"

Dynamic Analysis Workflow

# FLARE-VM
# 1. Start packet capture
tshark -i "Ethernet" -w rat_traffic.pcapng

# 2. Start API Monitor
# Monitor: Process and Thread, File Management, Registry, Network

# 3. Execute RAT

# 4. Observe behaviours:

RAT Capabilities to Test:

• Command execution (create test file via RAT)

• Screen capture

• Keylogging (type in notepad)

• File upload/download

• Remote shell

• Webcam access

• Persistence mechanism

Common RAT Network Patterns

# Beaconing (periodic check-ins)
tshark -r rat_traffic.pcapng -Y "tcp.len > 0 && tcp.len < 200" -T fields -e frame.time_relative -e tcp.len

# Look for:
# - Regular interval connections (every 60s, 300s, etc.)
# - Small packet sizes (heartbeat)
# - Base64 encoded data in payloads

3. Spyware/Infostealer Analysis

Target Data Collection Points

# FLARE-VM - Monitor these locations
procmon filter:
- Path contains "\AppData\Local\Google\Chrome\User Data"
- Path contains "\AppData\Roaming\Mozilla\Firefox\Profiles"
- Path contains "wallet.dat"  # Cryptocurrency
- Path contains "\Login Data"
- Path contains "\Cookies"

Common Stealer Targets

Browser Data:

• Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\

  • Login Data (passwords)

  • Cookies

  • Web Data (autofill)

• Firefox: %APPDATA%\Mozilla\Firefox\Profiles\

  • logins.json

  • cookies.sqlite

Crypto Wallets:

• Bitcoin: %APPDATA%\Bitcoin\wallet.dat

• Ethereum: %APPDATA%\Ethereum\keystore\

• Exodus: %APPDATA%\Exodus\

Discord Tokens:

• %APPDATA%\Discord\Local Storage\leveldb\

FTP Clients:

• FileZilla: %APPDATA%\FileZilla\recentservers.xml

Dynamic Analysis

# REMnux - Analyse exfiltration
# Watch for outbound POST requests with large data
tshark -r stealer_traffic.pcapng -Y "http.request.method == POST" -T fields -e http.host -e http.file_data

# Check for data encoding
tshark -r stealer_traffic.pcapng -Y "http" -T fields -e http.file_data | base64 -d

4. Dropper/Downloader Analysis

Static Analysis

# REMnux
# Look for URLs embedded
strings dropper.exe | grep -iE "http://|https://|ftp://"

# Check for download functions
python3 << EOF
import pefile
pe = pefile.PE('dropper.exe')
download_apis = ['URLDownloadToFile', 'InternetReadFile', 'HttpSendRequest']
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    for imp in entry.imports:
        if imp.name and imp.name.decode() in download_apis:
            print(f"Found: {imp.name.decode()} in {entry.dll.decode()}")
EOF

Dynamic Analysis - Capture Dropped Files

# FLARE-VM
# Monitor file creation
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true

Register-ObjectEvent $watcher "Created" -Action {
    Write-Host "File created: $($Event.SourceEventArgs.FullPath)"
} | Out-Null

# Execute dropper
# Check these locations for dropped files:
# - %TEMP%
# - %APPDATA%
# - %LOCALAPPDATA%

Capture Downloaded Payloads

# REMnux - Configure INetSim to serve fake payload
sudo nano /etc/inetsim/inetsim.conf

# Add:
# http_fakefile exe /var/lib/inetsim/http/fakefiles/sample.exe

# Monitor downloads
tail -f /var/log/inetsim/service.log | grep HTTP

5. Document-Based Malware (Maldocs)

Microsoft Office Document Analysis

olevba (REMnux):

# Extract VBA macros
olevba malicious.doc

# Analyse macros with detailed output
olevba -a malicious.doc

# Decode obfuscated content
olevba -c malicious.doc

# Look for suspicious keywords
olevba --decode malicious.doc | grep -i "shell\|execute\|powershell"

mraptor (REMnux):

# Detect malicious macros
mraptor malicious.doc

oleid (REMnux):

# Identify file characteristics
oleid malicious.doc

# Check for:
# - VBA Macros
# - External Relationships
# - ObjectPool

PDF Malware Analysis

pdfid (REMnux):

# Identify PDF structure
pdfid malicious.pdf

# Suspicious elements:
# /JavaScript - Embedded JavaScript
# /OpenAction - Auto-execution
# /Launch - Execute file
# /EmbeddedFile - Hidden files
# /AcroForm - Form with actions

Pdf-parser (REMnux):

# Search for JavaScript
pdf-parser -s /JavaScript malicious.pdf

# Extract JavaScript from object
pdf-parser -o 15 malicious.pdf

# Dump suspicious object
pdf-parser -o 15 -d extracted_js.txt malicious.pdf

peepdf (REMnux):

# Interactive analysis
peepdf -i malicious.pdf

# Commands in peepdf:
# tree - Show object tree
# object 15 - Show object 15
# js_code - Extract all JavaScript
# decode file - Decode encoded content

Maldoc Dynamic Analysis

# FLARE-VM
# 1. Instrument with API Monitor focused on:
# - Process Creation (CreateProcess, ShellExecute)
# - File Operations
# - Network Activity

# 2. Open document in protected view disabled
# HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView

# 3. Watch for:
# - Spawned processes (cmd.exe, powershell.exe, wscript.exe)
# - Downloaded files
# - Registry modifications

6. Fileless Malware Analysis

PowerShell-Based Attacks

Static Analysis:

# FLARE-VM - Deobfuscate PowerShell
# Common obfuscation: Base64
$encoded = "BASE64_STRING_HERE"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))

# For complex obfuscation, use PSDecode
PSDecode.ps1 -inputfile malicious.ps1

# REMnux
# Extract PowerShell from memory or files
strings -el memory.dmp | grep -i "powershell" -A 20

Dynamic Analysis:

# Enable PowerShell logging
# Set via GPO or Registry:
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

# View logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | 
    Where-Object {$_.Id -eq 4104} | 
    Format-List -Property *

WMI-Based Persistence

# FLARE-VM - Check for malicious WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Look for:
# - Unusual filter queries
# - Script/Command consumers
# - Suspicious bindings

Registry-Based Fileless Malware

# Check for payloads in registry
Get-ItemProperty -Path "HKCU:\Software\*" -Recurse | 
    Where-Object {$_.PSObject.Properties.Value -like "*powershell*"}

# Look in common locations:
# HKCU\Software\Classes\
# HKLM\Software\Microsoft\

---

Tool Reference Guide

REMnux Essential Tools

Tool	Purpose	Basic Usage
strings	Extract ASCII/Unicode strings	strings -a sample.exe
file	Identify file type	file sample
exiftool	Extract metadata	exiftool sample.exe
xxd/hexdump	Hex viewer	xxd sample.exe | head
upx	UPX unpacker	upx -d sample.exe
die	Detect packer/compiler	die sample.exe
peframe	PE file analysis	peframe sample.exe
floss	Obfuscated string extraction	floss sample.exe
olevba	VBA macro extraction	olevba document.doc
pdfid	PDF structure analysis	pdfid sample.pdf
pdf-parser	PDF object extraction	pdf-parser sample.pdf
tcpdump	Packet capture	tcpdump -i eth0 -w capture.pcap
tshark	Packet analysis (CLI)	tshark -r capture.pcap
wireshark	Packet analysis (GUI)	wireshark capture.pcap
inetsim	Internet service simulation	sudo inetsim
fakenet	Network traffic simulation	sudo fakenet
volatility	Memory forensics	vol -f mem.raw windows.pslist
yara	Pattern matching	yara rules.yar sample.exe
capa	Capability detection	capa sample.exe

FLARE-VM Essential Tools

Tool	Purpose	Basic Usage
Process Monitor	Real-time process monitoring	procmon.exe
Process Explorer	Advanced process viewer	procexp.exe
Autoruns	Startup programs analyzer	autoruns.exe
Wireshark	Packet analysis	wireshark.exe
FakeNet-NG	Network simulation	fakenet.exe
x64dbg/x32dbg	Debugger	x96dbg.exe
IDA Free	Disassembler	ida64.exe
Ghidra	Reverse engineering	ghidraRun.bat
CFF Explorer	PE editor	CFF Explorer.exe
PEiD	Packer detection	PEiD.exe
Detect It Easy	File analyzer	die.exe
API Monitor	API call monitoring	apimonitor-x64.exe
Regshot	Registry comparison	regshot.exe
NetworkMiner	Network forensics	NetworkMiner.exe
HxD	Hex editor	HxD.exe
Strings	String extraction	strings.exe
PEview	PE structure viewer	peview.exe
Capa	Capability detection	capa.exe

Quick Command Reference

Hash Calculation

# REMnux
md5sum file.exe
sha256sum file.exe
ssdeep file.exe  # Fuzzy hashing

# FLARE-VM
Get-FileHash -Algorithm SHA256 file.exe
Get-FileHash -Algorithm MD5 file.exe

String Extraction

# REMnux
strings -a file.exe              # All strings
strings -el file.exe             # Unicode
floss file.exe                   # Obfuscated strings

# FLARE-VM
strings.exe file.exe
strings.exe -n 10 file.exe       # Min length 10

Network Capture

# REMnux
sudo tcpdump -i any -w capture.pcap
sudo tcpdump host 192.168.1.100 -w filtered.pcap

# FLARE-VM
tshark -i "Ethernet" -w capture.pcapng
netsh trace start capture=yes tracefile=C:\capture.etl

---

IOC Extraction & Reporting

Indicator Types

Network Indicators:

• IP addresses

• Domain names

• URLs

• User-Agent strings

• SSL certificate hashes

• Email addresses

File Indicators:

• MD5, SHA1, SHA256 hashes

• File names

• File paths

• PDB paths

• Mutexes

• Registry keys

Behavioural Indicators:

• API call sequences

• Process injection techniques

• Persistence mechanisms

• C2 communication patterns

Automated IOC Extraction

Using FLOSS and Strings

# REMnux
floss sample.exe | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}|[a-zA-Z0-9-]+\.(com|net|org)" > iocs.txt

# Extract URLs
strings sample.exe | grep -E "https?://" > urls.txt

# Extract IPs
strings sample.exe | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u > ips.txt

Using IOC Extract Tools

# REMnux - Install ioc-finder
pip3 install ioc-finder

# Extract IOCs
ioc-finder sample.exe

# Or from text
cat strings.txt | ioc-finder

YARA Rule Creation

Basic YARA Rule Template:

rule MalwareFamilyName_Variant
{
    meta:
        description = "Detects MalwareFamilyName variant"
        author = "Your Name"
        date = "2024-01-01"
        hash = "SHA256_HASH_HERE"
        
    strings:
        $str1 = "unique_string_1" ascii wide
        $str2 = "unique_string_2" ascii wide
        $hex1 = { 4D 5A 90 00 }  // MZ header
        $api1 = "VirtualAllocEx" ascii
        $api2 = "CreateRemoteThread" ascii
        
    condition:
        uint16(0) == 0x5A4D and  // MZ header
        filesize < 500KB and
        2 of ($str*) and
        all of ($api*)
}

Testing YARA Rules:

# REMnux
yara rules.yar sample.exe
yara -s rules.yar sample.exe  # Show matched strings
yara -r rules.yar /path/to/samples/  # Recursive scan

Creating Snort/Suricata Rules

Basic Snort Rule:

alert tcp any any -> any any (msg:"Malware C2 Communication"; 
    content:"User-Agent|3A| MalwareBot"; 
    flow:to_server,established; 
    sid:1000001; 
    rev:1;)

HTTP-Based C2 Detection:

alert http any any -> any any (msg:"Malware HTTP Beacon"; 
    content:"POST"; http_method; 
    content:"/gate.php"; http_uri; 
    content:"id="; http_client_body; 
    sid:1000002; 
    rev:1;)

Report Template

Malware Analysis Report

Executive Summary

• Malware Family: [Name]

• Threat Level: [Critical/High/Medium/Low]

• Analysis Date: [Date]

• Analyst: [Name]

Sample Information

• File Name: malware.exe

• File Size: 1.2 MB

• MD5: abc123...

• SHA256: def456...

• File Type: PE32 executable

Key Findings

• [Primary malware behaviour]

• [Communication method]

• [Persistence mechanism]

Technical Analysis

Static Analysis

• Packer: [None/UPX/Other]

• Compiler: [Microsoft Visual C++/Other]

• Imports: [Key DLLs and functions]

• Suspicious Strings: [List key strings]

Dynamic Analysis

• Execution: [Behaviour observed]

• Network Activity: [C2 servers, protocols]

• File Operations: [Files created/modified]

• Registry Changes: [Keys modified]

• Persistence: [Mechanism used]

Capabilities

• Remote Command Execution

• Data Exfiltration

• Keylogging

• Screen Capture

• Lateral Movement

• Anti-Analysis Techniques

Indicators of Compromise (IOCs)

Network Indicators

• C2 Server: 192.168.1.100

• Domains: malicious-domain.com

• URLs: http://malicious-domain.com/gate.php

File Indicators

• Dropped Files:

  • C:\Users\Public\malware.dll (SHA256: ...)

• Registry Keys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware

Behavioural Indicators

• Process injection into explorer.exe

• Beacon interval: 60 seconds

MITRE ATT&CK Mapping

• Initial Access: T1566 - Phishing

• Execution: T1059 - Command and Scripting Interpreter

• Persistence: T1547 - Registry Run Keys

• Defense Evasion: T1027 - Obfuscated Files or Information

• Command and Control: T1071 - Application Layer Protocol

Recommendations

1. Block IOCs at network and endpoint

2. Hunt for indicators in environment

3. Update detection signatures

4. User awareness training

Detection Rules

[Include YARA, Snort/Suricata rules]

Appendix

• Full strings output

• Process Monitor logs

• Network traffic captures

• Memory analysis results

Advanced Techniques Bypassing Anti-Analysis

Anti-VM Detection Bypass

# FLARE-VM - Common VM artifacts to modify

# 1. Change hardware identifiers
# Registry keys to modify:
# HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
# HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion

# 2. Rename VM processes
taskkill /IM vmtoolsd.exe /F
Rename-Item "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" vmtoolsd.bak

# 3. Remove VM artifacts
Remove-Item "C:\Program Files\VMware" -Recurse -Force

Anti-Debugging Bypass

# REMnux - Patch IsDebuggerPresent checks
import pefile

pe = pefile.PE('sample.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    for imp in entry.imports:
        if imp.name and b'IsDebuggerPresent' in imp.name:
            # Patch to always return false
            print(f"Found IsDebuggerPresent at offset: {hex(imp.address)}")

Code Analysis with Ghidra

# REMnux - Headless Ghidra analysis
analyzeHeadless /tmp/ghidra_projects MyProject -import sample.exe -scriptPath /path/to/scripts -postScript ExtractStrings.py

Ghidra Workflow:

1. Import binary (File → Import File)

2. Auto-analyse (Yes to prompts)

3. Navigate to entry point (Symbol Tree → Entry)

4. Rename functions for clarity

5. Use decompiler (Window → Decompile)

6. Look for interesting functions:

   • String references (Search → For Strings)

   • Cross-references (Right-click → References)

   • API calls

Automated Analysis with Capa

# REMnux
capa sample.exe

# Verbose output
capa -v sample.exe

# JSON output for automation
capa -j sample.exe > capabilities.json

Capa detects:

• Capabilities (what the malware can do)

• MITRE ATT&CK techniques

• Code patterns

• Behavioral indicators

---

Quick Reference Checklists

Initial Triage Checklist

• [ ] Calculate hashes (MD5, SHA256)

• [ ] Identify file type

• [ ] Check VirusTotal / MalwareBazaar

• [ ] Assess threat level

• [ ] Document source and context

Static Analysis Checklist

• [ ] Extract strings (ASCII/Unicode)

• [ ] Run FLOSS for obfuscated strings

• [ ] Analyse PE headers (if Windows)

• [ ] Check for packers

• [ ] Review imports/exports

• [ ] Examine file entropy

• [ ] Extract embedded resources

• [ ] Check digital signatures

Dynamic Analysis Checklist

• [ ] Take VM snapshot

• [ ] Start monitoring tools (Procmon, Wireshark)

• [ ] Configure network simulation

• [ ] Execute sample

• [ ] Observe for 5-10 minutes

• [ ] Interact with system

• [ ] Check persistence mechanisms

• [ ] Capture memory dump

• [ ] Document all behaviours

• [ ] Revert to snapshot

Report Checklist

• [ ] Executive summary

• [ ] Sample metadata

• [ ] Static analysis findings

• [ ] Dynamic analysis findings

• [ ] Network analysis findings

• [ ] Extracted IOCs

• [ ] MITRE ATT&CK mapping

• [ ] Detection rules (YARA/Snort)

• [ ] Remediation recommendations

---

Common Pitfalls and Best Practices

Safety Best Practices

✅ DO:

• Always work in isolated VMs

• Take snapshots before analysis

• Use network simulation tools

• Document everything

• Maintain chain of custody

• Use write-protected evidence

❌ DON'T:

• Analyse on production systems

• Allow real internet connectivity

• Trust any input from malware

• Double-click unknown executables outside VM

• Forget to revert snapshots

• Mix personal and analysis activities

Analysis Best Practices

✅ DO:

• Start with static analysis

• Use multiple tools for confirmation

• Search for similar samples

• Look for known signatures

• Document your methodology

• Take screenshots of key findings

• Automate repetitive tasks

• Collaborate with team

❌ DON'T:

• Skip basic triage

• Rely only on one tool

• Ignore context

• Make assumptions

• Forget to check for updates

• Share samples insecurely

---

Resources and Further Learning

Essential Resources

• FLARE Team Blog: https://www.mandiant.com/resources/blog

• Malware Traffic Analysis: https://malware-traffic-analysis.net/

• Hybrid Analysis: https://www.hybrid-analysis.com/

• ANY.RUN: https://any.run/

• MalwareBazaar: https://bazaar.abuse.ch/

• VirusTotal: https://www.virustotal.com/

Training Resources

• Practical Malware Analysis (book)

• The Art of Memory Forensics (book)

• SANS FOR610: Reverse-Engineering Malware

• Malware Unicorn Workshops

• Open Security Training

Community

• r/Malware (Reddit)

• r/ReverseEngineering (Reddit)

• Malware Analysis Discord servers

• Twitter: #MalwareAnalysis #DFIR

---

This document is for educational purposes only.