Malware Analysis Workflow & Cheatsheet for SOC Analysts

Malware Analysis Workflow & Cheatsheet

Primary Platforms: REMnux (Linux) | FLARE-VM (Windows)

Analysis Workflow Overview

┌─────────────────────────────────────────────────────────────┐
│                    MALWARE TRIAGE                           │
│  • File type identification                                 │
│  • Hash calculation (MD5, SHA1, SHA256)                     │
│  • VirusTotal/malware bazaar lookup                         │
│  • Initial assessment of threat level                       │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│                  STATIC ANALYSIS                            │
│  • Strings extraction                                       │
│  • PE header analysis (Windows)                             │
│  • ELF analysis (Linux)                                     │
│  • Packed/obfuscated detection                              │
│  • Import/export table analysis                             │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│                 DYNAMIC ANALYSIS                            │
│  • Behavioural monitoring                                    │
│  • API call tracing                                         │
│  • File system modifications                                │
│  • Registry changes                                         │
│  • Network communications                                   │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│              DEEP DIVE ANALYSIS                             │
│  • Code analysis/reverse engineering                        │
│  • Unpacking                                                │
│  • Deobfuscation                                            │
│  • Memory forensics                                         │
└────────────────────┬────────────────────────────────────────┘
                     │
                     ▼
┌─────────────────────────────────────────────────────────────┐
│           IOC EXTRACTION & REPORTING                        │
│  • Document findings                                        │
│  • Extract indicators of compromise                         │
│  • MITRE ATT&CK mapping                                     │
│  • Generate signatures/rules                                │
└─────────────────────────────────────────────────────────────┘

Lab Setup & Safety

Critical Safety Rules

NEVER run malware on production systems
Always use isolated VMs with snapshots
Disable network bridging (use Host-Only or NAT with INetSim)
Keep analysis VMs offline or use controlled internet simulation
Use separate dedicated hardware if possible

REMnux Setup

# Update REMnux tools
remnux update

# Start FakeNet-NG for network simulation
sudo fakenet

# Start INetSim (alternative network simulator)
sudo inetsim

# Create analysis directory
mkdir ~/malware_analysis
cd ~/malware_analysis

FLARE-VM Setup

# Take snapshot before analysis
# Enable network simulation
fakenet.exe

# Create analysis directory
New-Item -Path "C:\MalwareAnalysis" -ItemType Directory
Set-Location C:\MalwareAnalysis

Static Analysis

Phase 1: Initial Triage

Calculate File Hashes

# REMnux
md5sum sample.exe
sha1sum sample.exe
sha256sum sample.exe

# One-liner for all hashes
echo "MD5:    $(md5sum sample.exe | cut -d' ' -f1)"
echo "SHA1:   $(sha1sum sample.exe | cut -d' ' -f1)"
echo "SHA256: $(sha256sum sample.exe | cut -d' ' -f1)"

# FLARE-VM
Get-FileHash -Algorithm MD5 sample.exe
Get-FileHash -Algorithm SHA1 sample.exe
Get-FileHash -Algorithm SHA256 sample.exe

File Type Identification

# REMnux - Detailed file analysis
file sample.exe
exiftool sample.exe
TrID sample.exe

# Check for common file signatures
xxd sample.exe | head -n 5
hexdump -C sample.exe | head -n 10

VirusTotal Lookup

# REMnux - Using VT API
vt-get-hash.py <hash>

# Or use web interface
firefox https://www.virustotal.com/gui/file/<hash>

Phase 2: Strings Analysis

Basic Strings Extraction

# REMnux - Extract ASCII strings
strings sample.exe > strings_ascii.txt
strings -el sample.exe > strings_unicode.txt  # Unicode strings

# Look for interesting patterns
strings sample.exe | grep -i "http"
strings sample.exe | grep -i "\.exe"
strings sample.exe | grep -i "\.dll"
strings sample.exe | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# FLARE-VM
strings.exe sample.exe > strings_output.txt
strings.exe -accepteula sample.exe | Select-String "http"

FLOSS - Advanced String Extraction

# REMnux - Extract obfuscated strings
floss sample.exe > floss_output.txt
floss -n 8 sample.exe  # Minimum string length of 8

What to look for in strings:

URLs and IP addresses
File paths (C:, %TEMP%, %APPDATA%)
Registry keys
API function names
User-Agent strings
Email addresses
Crypto wallet addresses
Command-and-control indicators

Phase 3: PE Analysis (Windows Executables)

PEiD / Detect It Easy (DIE)

# REMnux
die sample.exe

# Check for packers/protectors
# Common packers: UPX, ASPack, PECompact, Themida, VMProtect

# FLARE-VM
diec.exe sample.exe

PE Header Analysis with pefile

# REMnux
peframe sample.exe

# Detailed PE analysis
python3 << EOF
import pefile

pe = pefile.PE('sample.exe')

print("[+] PE Information")
print(f"Architecture: {pe.FILE_HEADER.Machine}")
print(f"Compilation Timestamp: {pe.FILE_HEADER.TimeDateStamp}")
print(f"Number of Sections: {pe.FILE_HEADER.NumberOfSections}")
print(f"\n[+] Entry Point: {hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint)}")

print("\n[+] Sections:")
for section in pe.sections:
    print(f"{section.Name.decode().rstrip(chr(0))}: "
          f"VirtualSize={hex(section.Misc_VirtualSize)}, "
          f"Entropy={section.get_entropy():.2f}")

print("\n[+] Imported DLLs:")
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(f"  {entry.dll.decode()}")
    for imp in entry.imports[:5]:  # First 5 imports
        if imp.name:
            print(f"    - {imp.name.decode()}")

EOF

Suspicious PE Characteristics Checklist

High entropy sections (>7.0) - likely packed/encrypted
Unusual section names (.data, .text are normal; .upx, .aspack are suspicious)
Suspicious imports:
- VirtualAlloc, VirtualProtect - memory manipulation
- CreateRemoteThread - process injection
- WriteProcessMemory - code injection
- WinExec, ShellExecute - command execution
- InternetOpen, InternetReadFile - network activity
- CryptEncrypt, CryptDecrypt - encryption
Compilation timestamp - Future dates or very old dates
Low import count - may indicate dynamic loading

CFF Explorer Analysis

# FLARE-VM - Launch CFF Explorer
CFF Explorer.exe sample.exe

# Check:
# - Import Directory
# - Export Directory
# - Resource Directory
# - TLS Callbacks (anti-debugging)
# - Overlay data

Phase 4: Unpacking Detection and Handling

Detecting Packed Samples

# REMnux
upx -t sample.exe  # Test if UPX packed

# Check entropy per section
python3 << EOF
import pefile
pe = pefile.PE('sample.exe')
for section in pe.sections:
    print(f"{section.Name.decode().rstrip(chr(0))}: Entropy = {section.get_entropy():.2f}")
EOF

Entropy Guide:

0-4.5: Plain text, low compression
4.5-6.5: Compressed data
6.5-7.5: Encrypted/packed
7.5-8.0: Highly encrypted

Unpacking Common Packers

UPX Unpacking:

# REMnux
upx -d sample.exe -o unpacked.exe

Generic Unpacking with x64dbg:

# FLARE-VM
# 1. Load sample in x64dbg
x96dbg.exe sample.exe

# 2. Set breakpoint on common APIs:
#    - VirtualProtect
#    - VirtualAlloc
#    - kernel32.VirtualProtect
#    
# 3. Run (F9) until breakpoint hit
# 4. Step through until POPAD/PUSHAD instructions
# 5. Follow in dump, find MZ header (4D 5A)
# 6. Dump memory region to file
# 7. Fix import table with Scylla plugin

Automated Unpacking with OllyDumpEx:

1. Load sample in OllyDbg
2. Run to OEP (Original Entry Point)
3. Plugins -> OllyDumpEx
4. Get EIP as OEP
5. Dump to file
6. Fix imports with Import Reconstructor

Dynamic Analysis

Phase 1: Behavioural Monitoring Setup

REMnux Dynamic Analysis

# Start network simulation
sudo inetsim

# Capture network traffic
sudo tcpdump -i eth0 -w capture.pcap &

# Monitor system calls (for Linux malware)
strace -f -o strace.log ./malware_sample

# Monitor file operations
inotifywait -m -r /tmp /home &

FLARE-VM Dynamic Analysis Setup

# Start Procmon (Process Monitor)
procmon.exe /AcceptEula /Minimized /BackingFile C:\MalwareAnalysis\procmon.pml

# Start network simulation
fakenet.exe

# Start Wireshark
wireshark.exe -k -i 1 -w C:\MalwareAnalysis\capture.pcapng

Phase 2: Process Monitoring

Procmon Configuration (FLARE-VM)

Essential Filters:

Process Name is malware.exe - Include
Operation is RegSetValue - Include
Operation is WriteFile - Include
Operation is CreateFile - Include
Path contains .exe - Include
Path contains .dll - Include

What to Monitor:

Registry Operations:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run - Persistence
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run - Persistence
- HKLM\System\CurrentControlSet\Services - Service creation
File System Operations:
- Files created in %TEMP%, %APPDATA%
- Executables dropped to disk
- DLL loading patterns
Network Operations:
- TCP/UDP connections
- DNS queries

Process Explorer (FLARE-VM)

# Launch Process Explorer
procexp.exe

# Enable:
# - Verify Image Signatures
# - VirusTotal checking
# - Show lower pane (DLLs/Handles)

Key Things to Check:

Unsigned processes
Processes with no description
Processes running from unusual locations
Unusual parent-child relationships
Injected DLLs

Phase 3: API Call Monitoring

API Monitor (FLARE-VM)

# Launch API Monitor
apimonitor-x64.exe

# Monitor categories:
# - File Management
# - Registry
# - Process and Thread
# - Network
# - Cryptography

Suspicious API Call Patterns:

Code Injection:

OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread

Keylogging:

SetWindowsHookEx (WH_KEYBOARD_LL) -> GetAsyncKeyState

Persistence:

RegOpenKeyEx -> RegSetValueEx (Run keys)
CreateService -> StartService

Anti-Analysis:

IsDebuggerPresent -> Sleep(large_value)
GetTickCount (timing checks)

Phase 4: Network Analysis

Capturing Network Traffic

# REMnux - Capture with tcpdump
sudo tcpdump -i any -w malware_traffic.pcap

# Filter by host
sudo tcpdump -i any host 192.168.1.100 -w filtered.pcap

# Real-time viewing
sudo tcpdump -i any -A  # ASCII payload

# FLARE-VM - Using Wireshark
wireshark -k -i "Ethernet" -w capture.pcapng

# Or use tshark for command line
tshark -i "Ethernet" -w capture.pcapng

Analysing Network Traffic

Wireshark Filters:

# HTTP traffic
http

# DNS queries
dns

# Specific IP
ip.addr == 192.168.1.100

# Suspicious ports
tcp.port == 4444 || tcp.port == 5555

# Look for C2 beaconing
tcp.len > 0 && tcp.len < 100  # Small, regular packets

INetSim Configuration (REMnux)

# Edit INetSim config
sudo nano /etc/inetsim/inetsim.conf

# Key settings:
# service http 0.0.0.0 80
# service https 0.0.0.0 443
# service dns 0.0.0.0 53

# Start INetSim
sudo inetsim

# Check logs
tail -f /var/log/inetsim/service.log

FakeNet-NG Usage

# REMnux
sudo fakenet -c /etc/fakenet/configs/default.ini

# Custom configuration
sudo fakenet -f  # Foreground mode with output

# FLARE-VM
fakenet.exe

# With custom config
fakenet.exe -c custom_config.ini

Phase 5: Execution in Sandbox

Cuckoo Sandbox Analysis (REMnux)

# Submit sample to Cuckoo
cuckoo submit sample.exe

# Submit with network enabled
cuckoo submit --enforce-timeout sample.exe

# Check status
cuckoo status

# View report
cuckoo web  # Access at http://localhost:8000

What Cuckoo Provides:

Screenshot timeline
API call trace
Network traffic
Dropped files
Registry modifications
Memory dumps
Behavioral signatures

Manual Sandbox Execution

# FLARE-VM
# 1. Take VM snapshot
# 2. Start monitoring tools (Procmon, Wireshark, API Monitor)
# 3. Execute malware
rundll32.exe sample.dll,EntryPoint  # For DLLs

# 4. Let run for 5-10 minutes
# 5. Interact with system (move mouse, browse files) to trigger behavior
# 6. Stop monitoring tools
# 7. Revert to snapshot

Memory Analysis

Capturing Memory

Windows Memory Acquisition

# FLARE-VM - Using WinPmem
winpmem_mini_x64_rc2.exe memdump.raw

# Using DumpIt
DumpIt.exe  # Creates memory dump in current directory

# Using FTK Imager (GUI)
# File -> Capture Memory -> Select destination

Process Memory Dump

# Using Process Explorer
# Right-click process -> Create Dump -> Create Full Dump

# Using procdump
procdump.exe -ma <PID> output.dmp
procdump.exe -ma malware.exe malware_dump.dmp

Memory Analysis with Volatility

Volatility 3 (REMnux)

# Identify profile (if needed for Volatility 2)
vol.py -f memdump.raw imageinfo

# Volatility 3 commands

# List processes
vol -f memdump.raw windows.pslist
vol -f memdump.raw windows.pstree  # Tree view

# Detect hidden processes
vol -f memdump.raw windows.psscan

# Network connections
vol -f memdump.raw windows.netscan
vol -f memdump.raw windows.netstat

# DLL list for specific process
vol -f memdump.raw windows.dlllist --pid 1234

# Command line arguments
vol -f memdump.raw windows.cmdline

# Registry hives
vol -f memdump.raw windows.registry.hivelist

# Dump specific process
vol -f memdump.raw windows.pslist --pid 1234 --dump

# Scan for injected code
vol -f memdump.raw windows.malfind

# Extract files from memory
vol -f memdump.raw windows.filescan
vol -f memdump.raw windows.dumpfiles --pid 1234

Memory Analysis Workflow Example

# 1. Find suspicious processes
vol -f memdump.raw windows.pslist | grep -v "^0x"

# 2. Check network connections
vol -f memdump.raw windows.netscan | grep ESTABLISHED

# 3. Look for code injection
vol -f memdump.raw windows.malfind --pid 1234

# 4. Dump suspicious process memory
vol -f memdump.raw windows.memmap --pid 1234 --dump

# 5. Check for rootkits
vol -f memdump.raw windows.ssdt

Suspicious Memory Indicators:

Processes running from temp directories
Processes with no parent (PPID = 0)
Hidden processes (in psscan but not pslist)
Unusual network connections
Code injection indicators (PAGE_EXECUTE_READWRITE)
Orphan threads

Network Analysis

Protocol Analysis

HTTP/HTTPS Traffic

# REMnux - Extract HTTP objects
tshark -r capture.pcap --export-objects http,http_objects/

# View HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.host -e http.request.uri

# Extract certificates
tshark -r capture.pcap -Y "ssl.handshake.certificate" -T fields -e x509ce.dNSName

DNS Analysis

# REMnux
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name | sort -u

# Look for DNS tunneling (long subdomain names)
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | awk '{print length, $0}' | sort -rn

IRC/P2P/Custom Protocols

# REMnux
# Extract payload
tshark -r capture.pcap -Y "tcp.port==6667" -T fields -e data.text

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

NetworkMiner Analysis (FLARE-VM)

# Launch NetworkMiner
NetworkMiner.exe

# Load PCAP file
# File -> Open -> Select capture.pcapng

# Review tabs:
# - Hosts: Identified hosts and their details
# - Files: Extracted files from network traffic
# - Images: Extracted images
# - Messages: Email, chat messages
# - Credentials: Captured passwords
# - Sessions: TCP/UDP sessions

Malware Type-Specific Workflows

1. Ransomware Analysis

Static Analysis Focus

# REMnux
# Look for crypto-related strings
strings sample.exe | grep -i "crypt\|aes\|rsa\|encrypt"

# Check imports for crypto APIs
python3 << EOF
import pefile
pe = pefile.PE('ransomware.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    if 'crypt' in entry.dll.decode().lower():
        print(f"Crypto DLL: {entry.dll.decode()}")
        for imp in entry.imports:
            if imp.name:
                print(f"  - {imp.name.decode()}")
EOF

Dynamic Analysis - Safe Execution

# FLARE-VM
# 1. Create decoy files
$extensions = @(".txt", ".doc", ".pdf", ".jpg", ".xlsx")
foreach ($ext in $extensions) {
    1..50 | ForEach-Object {
        New-Item -Path "C:\DecoyFiles\test_$_$ext" -ItemType File
        "Decoy content $_" | Out-File "C:\DecoyFiles\test_$_$ext"
    }
}

# 2. Start monitoring
procmon.exe /AcceptEula /BackingFile C:\Analysis\procmon.pml

# 3. Execute ransomware (in isolated VM!)

# 4. Monitor for:
# - File encryption operations (WriteFile operations on decoy files)
# - Ransom note creation
# - Wallpaper changes (Registry: HKCU\Control Panel\Desktop\Wallpaper)
# - Shadow copy deletion
# - Network beaconing to C2

Ransomware IOC Extraction

Look for:

Ransom note file names (README.txt, HOW_TO_DECRYPT.txt)
File extension changes
Bitcoin wallet addresses in strings
Tor .onion addresses
Email addresses for contact
Shadow copy deletion commands: vssadmin delete shadows /all /quiet
Boot record modification

Registry Keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

2. Trojan/RAT Analysis

Static Analysis Focus

# REMnux
# Look for RAT-related strings
strings rat_sample.exe | grep -iE "cmd|shell|screenshot|keylog|webcam"

# Check for common RAT ports
strings rat_sample.exe | grep -E ":[0-9]{4,5}"

Dynamic Analysis Workflow

# FLARE-VM
# 1. Start packet capture
tshark -i "Ethernet" -w rat_traffic.pcapng

# 2. Start API Monitor
# Monitor: Process and Thread, File Management, Registry, Network

# 3. Execute RAT

# 4. Observe behaviours:

RAT Capabilities to Test:

Command execution (create test file via RAT)
Screen capture
Keylogging (type in notepad)
File upload/download
Remote shell
Webcam access
Persistence mechanism

Common RAT Network Patterns

# Beaconing (periodic check-ins)
tshark -r rat_traffic.pcapng -Y "tcp.len > 0 && tcp.len < 200" -T fields -e frame.time_relative -e tcp.len

# Look for:
# - Regular interval connections (every 60s, 300s, etc.)
# - Small packet sizes (heartbeat)
# - Base64 encoded data in payloads

3. Spyware/Infostealer Analysis

Target Data Collection Points

# FLARE-VM - Monitor these locations
procmon filter:
- Path contains "\AppData\Local\Google\Chrome\User Data"
- Path contains "\AppData\Roaming\Mozilla\Firefox\Profiles"
- Path contains "wallet.dat"  # Cryptocurrency
- Path contains "\Login Data"
- Path contains "\Cookies"

Common Stealer Targets

Browser Data:

Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\
- Login Data (passwords)
- Cookies
- Web Data (autofill)
Firefox: %APPDATA%\Mozilla\Firefox\Profiles\
- logins.json
- cookies.sqlite

Crypto Wallets:

Bitcoin: %APPDATA%\Bitcoin\wallet.dat
Ethereum: %APPDATA%\Ethereum\keystore\
Exodus: %APPDATA%\Exodus\

Discord Tokens:

%APPDATA%\Discord\Local Storage\leveldb\

FTP Clients:

FileZilla: %APPDATA%\FileZilla\recentservers.xml

Dynamic Analysis

# REMnux - Analyse exfiltration
# Watch for outbound POST requests with large data
tshark -r stealer_traffic.pcapng -Y "http.request.method == POST" -T fields -e http.host -e http.file_data

# Check for data encoding
tshark -r stealer_traffic.pcapng -Y "http" -T fields -e http.file_data | base64 -d

4. Dropper/Downloader Analysis

Static Analysis

# REMnux
# Look for URLs embedded
strings dropper.exe | grep -iE "http://|https://|ftp://"

# Check for download functions
python3 << EOF
import pefile
pe = pefile.PE('dropper.exe')
download_apis = ['URLDownloadToFile', 'InternetReadFile', 'HttpSendRequest']
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    for imp in entry.imports:
        if imp.name and imp.name.decode() in download_apis:
            print(f"Found: {imp.name.decode()} in {entry.dll.decode()}")
EOF

Dynamic Analysis - Capture Dropped Files

# FLARE-VM
# Monitor file creation
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true

Register-ObjectEvent $watcher "Created" -Action {
    Write-Host "File created: $($Event.SourceEventArgs.FullPath)"
} | Out-Null

# Execute dropper
# Check these locations for dropped files:
# - %TEMP%
# - %APPDATA%
# - %LOCALAPPDATA%

Capture Downloaded Payloads

# REMnux - Configure INetSim to serve fake payload
sudo nano /etc/inetsim/inetsim.conf

# Add:
# http_fakefile exe /var/lib/inetsim/http/fakefiles/sample.exe

# Monitor downloads
tail -f /var/log/inetsim/service.log | grep HTTP

5. Document-Based Malware (Maldocs)

Microsoft Office Document Analysis

olevba (REMnux):

# Extract VBA macros
olevba malicious.doc

# Analyse macros with detailed output
olevba -a malicious.doc

# Decode obfuscated content
olevba -c malicious.doc

# Look for suspicious keywords
olevba --decode malicious.doc | grep -i "shell\|execute\|powershell"

mraptor (REMnux):

# Detect malicious macros
mraptor malicious.doc

oleid (REMnux):

# Identify file characteristics
oleid malicious.doc

# Check for:
# - VBA Macros
# - External Relationships
# - ObjectPool

PDF Malware Analysis

pdfid (REMnux):

# Identify PDF structure
pdfid malicious.pdf

# Suspicious elements:
# /JavaScript - Embedded JavaScript
# /OpenAction - Auto-execution
# /Launch - Execute file
# /EmbeddedFile - Hidden files
# /AcroForm - Form with actions

Pdf-parser (REMnux):

# Search for JavaScript
pdf-parser -s /JavaScript malicious.pdf

# Extract JavaScript from object
pdf-parser -o 15 malicious.pdf

# Dump suspicious object
pdf-parser -o 15 -d extracted_js.txt malicious.pdf

peepdf (REMnux):

# Interactive analysis
peepdf -i malicious.pdf

# Commands in peepdf:
# tree - Show object tree
# object 15 - Show object 15
# js_code - Extract all JavaScript
# decode file - Decode encoded content

Maldoc Dynamic Analysis

# FLARE-VM
# 1. Instrument with API Monitor focused on:
# - Process Creation (CreateProcess, ShellExecute)
# - File Operations
# - Network Activity

# 2. Open document in protected view disabled
# HKCU\Software\Microsoft\Office\16.0\Word\Security\ProtectedView

# 3. Watch for:
# - Spawned processes (cmd.exe, powershell.exe, wscript.exe)
# - Downloaded files
# - Registry modifications

6. Fileless Malware Analysis

PowerShell-Based Attacks

Static Analysis:

# FLARE-VM - Deobfuscate PowerShell
# Common obfuscation: Base64
$encoded = "BASE64_STRING_HERE"
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($encoded))

# For complex obfuscation, use PSDecode
PSDecode.ps1 -inputfile malicious.ps1

# REMnux
# Extract PowerShell from memory or files
strings -el memory.dmp | grep -i "powershell" -A 20

Dynamic Analysis:

# Enable PowerShell logging
# Set via GPO or Registry:
# HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

# View logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | 
    Where-Object {$_.Id -eq 4104} | 
    Format-List -Property *

WMI-Based Persistence

# FLARE-VM - Check for malicious WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding

# Look for:
# - Unusual filter queries
# - Script/Command consumers
# - Suspicious bindings

Registry-Based Fileless Malware

# Check for payloads in registry
Get-ItemProperty -Path "HKCU:\Software\*" -Recurse | 
    Where-Object {$_.PSObject.Properties.Value -like "*powershell*"}

# Look in common locations:
# HKCU\Software\Classes\
# HKLM\Software\Microsoft\

Tool Reference Guide

REMnux Essential Tools

Tool

Purpose

Basic Usage

strings

Extract ASCII/Unicode strings

strings -a sample.exe

file

Identify file type

file sample

exiftool

Extract metadata

exiftool sample.exe

xxd/hexdump

Hex viewer

xxd sample.exe | head

upx

UPX unpacker

upx -d sample.exe

die

Detect packer/compiler

die sample.exe

peframe

PE file analysis

peframe sample.exe

floss

Obfuscated string extraction

floss sample.exe

olevba

VBA macro extraction

olevba document.doc

pdfid

PDF structure analysis

pdfid sample.pdf

pdf-parser

PDF object extraction

pdf-parser sample.pdf

tcpdump

Packet capture

tcpdump -i eth0 -w capture.pcap

tshark

Packet analysis (CLI)

tshark -r capture.pcap

wireshark

Packet analysis (GUI)

wireshark capture.pcap

inetsim

Internet service simulation

sudo inetsim

fakenet

Network traffic simulation

sudo fakenet

volatility

Memory forensics

vol -f mem.raw windows.pslist

yara

Pattern matching

yara rules.yar sample.exe

capa

Capability detection

capa sample.exe

FLARE-VM Essential Tools

Tool

Purpose

Basic Usage

Process Monitor

Real-time process monitoring

procmon.exe

Process Explorer

Advanced process viewer

procexp.exe

Autoruns

Startup programs analyzer

autoruns.exe

Wireshark

Packet analysis

wireshark.exe

FakeNet-NG

Network simulation

fakenet.exe

x64dbg/x32dbg

Debugger

x96dbg.exe

IDA Free

Disassembler

ida64.exe

Ghidra

Reverse engineering

ghidraRun.bat

CFF Explorer

PE editor

CFF Explorer.exe

PEiD

Packer detection

PEiD.exe

Detect It Easy

File analyzer

die.exe

API Monitor

API call monitoring

apimonitor-x64.exe

Regshot

Registry comparison

regshot.exe

NetworkMiner

Network forensics

NetworkMiner.exe

HxD

Hex editor

HxD.exe

Strings

String extraction

strings.exe

PEview

PE structure viewer

peview.exe

Capa

Capability detection

capa.exe

Quick Command Reference

Hash Calculation

# REMnux
md5sum file.exe
sha256sum file.exe
ssdeep file.exe  # Fuzzy hashing

# FLARE-VM
Get-FileHash -Algorithm SHA256 file.exe
Get-FileHash -Algorithm MD5 file.exe

String Extraction

# REMnux
strings -a file.exe              # All strings
strings -el file.exe             # Unicode
floss file.exe                   # Obfuscated strings

# FLARE-VM
strings.exe file.exe
strings.exe -n 10 file.exe       # Min length 10

Network Capture

# REMnux
sudo tcpdump -i any -w capture.pcap
sudo tcpdump host 192.168.1.100 -w filtered.pcap

# FLARE-VM
tshark -i "Ethernet" -w capture.pcapng
netsh trace start capture=yes tracefile=C:\capture.etl

IOC Extraction & Reporting

Indicator Types

Network Indicators:

IP addresses
Domain names
URLs
User-Agent strings
SSL certificate hashes
Email addresses

File Indicators:

MD5, SHA1, SHA256 hashes
File names
File paths
PDB paths
Mutexes
Registry keys

Behavioural Indicators:

API call sequences
Process injection techniques
Persistence mechanisms
C2 communication patterns

Automated IOC Extraction

Using FLOSS and Strings

# REMnux
floss sample.exe | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}|[a-zA-Z0-9-]+\.(com|net|org)" > iocs.txt

# Extract URLs
strings sample.exe | grep -E "https?://" > urls.txt

# Extract IPs
strings sample.exe | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort -u > ips.txt

Using IOC Extract Tools

# REMnux - Install ioc-finder
pip3 install ioc-finder

# Extract IOCs
ioc-finder sample.exe

# Or from text
cat strings.txt | ioc-finder

YARA Rule Creation

Basic YARA Rule Template:

rule MalwareFamilyName_Variant
{
    meta:
        description = "Detects MalwareFamilyName variant"
        author = "Your Name"
        date = "2024-01-01"
        hash = "SHA256_HASH_HERE"
        
    strings:
        $str1 = "unique_string_1" ascii wide
        $str2 = "unique_string_2" ascii wide
        $hex1 = { 4D 5A 90 00 }  // MZ header
        $api1 = "VirtualAllocEx" ascii
        $api2 = "CreateRemoteThread" ascii
        
    condition:
        uint16(0) == 0x5A4D and  // MZ header
        filesize < 500KB and
        2 of ($str*) and
        all of ($api*)
}

Testing YARA Rules:

# REMnux
yara rules.yar sample.exe
yara -s rules.yar sample.exe  # Show matched strings
yara -r rules.yar /path/to/samples/  # Recursive scan

Creating Snort/Suricata Rules

Basic Snort Rule:

alert tcp any any -> any any (msg:"Malware C2 Communication"; 
    content:"User-Agent|3A| MalwareBot"; 
    flow:to_server,established; 
    sid:1000001; 
    rev:1;)

HTTP-Based C2 Detection:

alert http any any -> any any (msg:"Malware HTTP Beacon"; 
    content:"POST"; http_method; 
    content:"/gate.php"; http_uri; 
    content:"id="; http_client_body; 
    sid:1000002; 
    rev:1;)

Report Template

Malware Analysis Report

Executive Summary

Malware Family: [Name]
Threat Level: [Critical/High/Medium/Low]
Analysis Date: [Date]
Analyst: [Name]

Sample Information

File Name: malware.exe
File Size: 1.2 MB
MD5: abc123...
SHA256: def456...
File Type: PE32 executable

Key Findings

[Primary malware behaviour]
[Communication method]
[Persistence mechanism]

Technical Analysis

Static Analysis

Packer: [None/UPX/Other]
Compiler: [Microsoft Visual C++/Other]
Imports: [Key DLLs and functions]
Suspicious Strings: [List key strings]

Dynamic Analysis

Execution: [Behaviour observed]
Network Activity: [C2 servers, protocols]
File Operations: [Files created/modified]
Registry Changes: [Keys modified]
Persistence: [Mechanism used]

Capabilities

Indicators of Compromise (IOCs)

Network Indicators

C2 Server: 192.168.1.100
Domains: malicious-domain.com
URLs: http://malicious-domain.com/gate.php

File Indicators

Dropped Files:
- C:\Users\Public\malware.dll (SHA256: ...)
Registry Keys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware

Behavioural Indicators

Process injection into explorer.exe
Beacon interval: 60 seconds

MITRE ATT&CK Mapping

Initial Access: T1566 - Phishing
Execution: T1059 - Command and Scripting Interpreter
Persistence: T1547 - Registry Run Keys
Defense Evasion: T1027 - Obfuscated Files or Information
Command and Control: T1071 - Application Layer Protocol

Recommendations

Block IOCs at network and endpoint
Hunt for indicators in environment
Update detection signatures
User awareness training

Detection Rules

[Include YARA, Snort/Suricata rules]

Appendix

Full strings output
Process Monitor logs
Network traffic captures
Memory analysis results

Advanced Techniques Bypassing Anti-Analysis

Anti-VM Detection Bypass

# FLARE-VM - Common VM artifacts to modify

# 1. Change hardware identifiers
# Registry keys to modify:
# HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion
# HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion

# 2. Rename VM processes
taskkill /IM vmtoolsd.exe /F
Rename-Item "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" vmtoolsd.bak

# 3. Remove VM artifacts
Remove-Item "C:\Program Files\VMware" -Recurse -Force

Anti-Debugging Bypass

# REMnux - Patch IsDebuggerPresent checks
import pefile

pe = pefile.PE('sample.exe')
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    for imp in entry.imports:
        if imp.name and b'IsDebuggerPresent' in imp.name:
            # Patch to always return false
            print(f"Found IsDebuggerPresent at offset: {hex(imp.address)}")

Code Analysis with Ghidra

# REMnux - Headless Ghidra analysis
analyzeHeadless /tmp/ghidra_projects MyProject -import sample.exe -scriptPath /path/to/scripts -postScript ExtractStrings.py

Ghidra Workflow:

Import binary (File → Import File)
Auto-analyse (Yes to prompts)
Navigate to entry point (Symbol Tree → Entry)
Rename functions for clarity
Use decompiler (Window → Decompile)
Look for interesting functions:
- String references (Search → For Strings)
- Cross-references (Right-click → References)
- API calls

Automated Analysis with Capa

# REMnux
capa sample.exe

# Verbose output
capa -v sample.exe

# JSON output for automation
capa -j sample.exe > capabilities.json

Capa detects:

Capabilities (what the malware can do)
MITRE ATT&CK techniques
Code patterns
Behavioral indicators

Quick Reference Checklists

Initial Triage Checklist

[ ] Calculate hashes (MD5, SHA256)
[ ] Identify file type
[ ] Check VirusTotal / MalwareBazaar
[ ] Assess threat level
[ ] Document source and context

Static Analysis Checklist

[ ] Extract strings (ASCII/Unicode)
[ ] Run FLOSS for obfuscated strings
[ ] Analyse PE headers (if Windows)
[ ] Check for packers
[ ] Review imports/exports
[ ] Examine file entropy
[ ] Extract embedded resources
[ ] Check digital signatures

Dynamic Analysis Checklist

[ ] Take VM snapshot
[ ] Start monitoring tools (Procmon, Wireshark)
[ ] Configure network simulation
[ ] Execute sample
[ ] Observe for 5-10 minutes
[ ] Interact with system
[ ] Check persistence mechanisms
[ ] Capture memory dump
[ ] Document all behaviours
[ ] Revert to snapshot

Report Checklist

[ ] Executive summary
[ ] Sample metadata
[ ] Static analysis findings
[ ] Dynamic analysis findings
[ ] Network analysis findings
[ ] Extracted IOCs
[ ] MITRE ATT&CK mapping
[ ] Detection rules (YARA/Snort)
[ ] Remediation recommendations

Common Pitfalls and Best Practices

Safety Best Practices

✅ DO:

Always work in isolated VMs
Take snapshots before analysis
Use network simulation tools
Document everything
Maintain chain of custody
Use write-protected evidence

❌ DON'T:

Analyse on production systems
Allow real internet connectivity
Trust any input from malware
Double-click unknown executables outside VM
Forget to revert snapshots
Mix personal and analysis activities

Analysis Best Practices

✅ DO:

Start with static analysis
Use multiple tools for confirmation
Search for similar samples
Look for known signatures
Document your methodology
Take screenshots of key findings
Automate repetitive tasks
Collaborate with team

❌ DON'T:

Skip basic triage
Rely only on one tool
Ignore context
Make assumptions
Forget to check for updates
Share samples insecurely

Resources and Further Learning

Essential Resources

FLARE Team Blog: https://www.mandiant.com/resources/blog
Malware Traffic Analysis: https://malware-traffic-analysis.net/
Hybrid Analysis: https://www.hybrid-analysis.com/
ANY.RUN: https://any.run/
MalwareBazaar: https://bazaar.abuse.ch/
VirusTotal: https://www.virustotal.com/

Training Resources

Practical Malware Analysis (book)
The Art of Memory Forensics (book)
SANS FOR610: Reverse-Engineering Malware
Malware Unicorn Workshops
Open Security Training

Community

r/Malware (Reddit)
r/ReverseEngineering (Reddit)
Malware Analysis Discord servers
Twitter: #MalwareAnalysis #DFIR

This document is for educational purposes only.

PreviousWindows AD Attack Investigation – Defender & Sentinel KQL Cheat Sheet NextSOC Detection Engineer

Last updated 11 days ago