Synced from an Obsidian vault
For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.
Malware Analysis SOP
Table of Contentsβ
- Scope & Principles
- Safety & OPSEC β π Pre-Flight Checklist
- Intake & Chain of Custody
- Rapid Triage (Static Analysis)
- Behavior Analysis (Dynamic, In-Lab Only)
- Artefact Extraction & Normalization
- Specialized File Analysis
- Classification & TTP Mapping
- IOCs & Detection Engineering
- Reporting & Documentation
- Advanced Techniques
- QA & Peer Review
- Extended Reference Resources
0. Scope & Principlesβ
- Objective: Analyze suspicious binaries/objects to extract IOCs, assess behavior, and assist containment/detection.
- Execution Environment: Use only isolated, disposable VM snapshots (no host execution). No clipboard or dragβandβdrop. Prefer offline analysis or simulated internet (INetSim/DNS sinkhole).
- Legal Notice: If evidence of child safety concerns or imminent harm arises, stop immediately. Collect metadata and follow Sensitive Crime Escalation procedures.
- Confidentiality: Treat all outputs/samples as sensitive. Share on a need-to-know basis only. Label clearly (e.g.,
MALWARE / DO-NOT-TOUCH).
1. Safety & OPSEC β π Pre-Flight Checklistβ
- Use VM snapshot (clean, no shared folders/network, no host time sync).
- Use analysis persona (no personal/org credentials).
- Hostname, username, timezone must be non-attributable.
- No real internet. Simulated network only (e.g., INetSim).
- Tooling integrity: Verify hashes before installation; use only approved tools.
- Encrypt artefacts and label with warnings when transporting.
- Avoid uploading binaries to public services. Prefer hash-only queries.
Lab Environment Setupβ
VMware/VirtualBox Configuration:
# Recommended VM specifications
- OS: Windows 10/11 or REMnux/FlareVM
- RAM: 4GB minimum (8GB preferred)
- Disk: 60GB thin provisioned
- Network: Host-only or NAT with INetSim
- Snapshots: Take "Clean State" before each analysis
# Disable shared features
- Shared folders: OFF
- Clipboard sharing: OFF
- Drag and drop: OFF
- Time synchronization: OFF
- Guest additions: Minimal/None
INetSim Setup (Simulated Internet):
# Install INetSim (Linux-based)
sudo apt install inetsim
# Configure /etc/inetsim/inetsim.conf
service_bind_address 0.0.0.0
dns_default_ip 192.168.56.1
https_bind_port 443
http_bind_port 80
# Start INetSim
sudo inetsim
# Configure VM to use INetSim as DNS
# Set DNS server to INetSim host IP (e.g., 192.168.56.1)
FlareVM Installation (Windows Analysis):
# Run as Administrator
Set-ExecutionPolicy Unrestricted -Force
Invoke-WebRequest https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1 -OutFile install.ps1
.\install.ps1
# Post-install: Disable Windows Defender (analysis VM only)
Set-MpPreference -DisableRealtimeMonitoring $true
REMnux Installation (Linux Malware Analysis):
# Download REMnux OVA or install on existing Ubuntu
wget https://REMnux.org/remnux-cli
sudo bash remnux-cli install
# Update tools
remnux update
2. Intake & Chain of Custodyβ
Sample Acquisition & Metadata Collectionβ
-
Assign identifiers:
case_id: CASE-2025-1005-001
sample_id: SAM-20251005-1430-001 -
Log acquisition metadata:
- Source (email attachment, endpoint, URL, upload)
- Timestamp (UTC)
- Submitter name and contact
- Original filename and path
- Context (incident ticket, alert ID, user report)
-
Calculate file hashes:
# Linux/macOS
sha256sum sample.exe
sha1sum sample.exe
md5sum sample.exe
# Windows (PowerShell)
Get-FileHash sample.exe -Algorithm SHA256
Get-FileHash sample.exe -Algorithm SHA1
Get-FileHash sample.exe -Algorithm MD5
# All at once (PowerShell)
@('SHA256', 'SHA1', 'MD5') | ForEach-Object { Get-FileHash sample.exe -Algorithm $_ } -
Store original in evidence vault:
# Create case structure
mkdir -p /evidence/CASE-2025-1005-001/{intake,binaries,static,dynamic,artifacts,iocs,detections,report}
# Copy with hash verification
cp sample.exe /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.bin
sha256sum /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.bin
# Create password-protected archive (password: infected)
7z a -pinfected -mhe=on /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.7z sample.exe -
Extract email headers (if applicable):
# Save .eml file and extract headers
grep -E "^(From|To|Subject|Date|Received|Return-Path|X-|Message-ID):" sample.eml > headers.txt
# Extract attachments with munpack (mpack package)
munpack -t sample.eml -
VirusTotal hash lookup (no upload):
# Using VT CLI (requires API key)
vt file <SHA256_HASH>
# Manual lookup
# https://www.virustotal.com/gui/file/<SHA256_HASH>
Chain of Custody Formβ
| Field | Value |
|--------------------|------------------------------------|
| Case ID | CASE-2025-1005-001 |
| Sample ID | SAM-20251005-1430-001 |
| Filename | invoice_2025.exe |
| SHA256 | a1b2c3d4e5f6... |
| Acquisition Date | 2025-10-05 14:30:00 UTC |
| Source | Email attachment (phishing report) |
| Submitter | John Doe (john.doe@example.com) |
| Custodian | Analyst Name |
| Storage Location | /evidence/CASE-2025-1005-001/ |
| Access Log | See access_log.txt |
3. Rapid Triage (Static Analysis)β
3.1 File Identification & Packingβ
Identify file type:
# Linux
file sample.bin
file -b sample.bin # Brief output
# Check magic bytes manually
xxd sample.bin | head
hexdump -C sample.bin | head
# Windows (PowerShell with TrID)
trid sample.bin
PE file analysis (Windows executables):
# Using pestudio (Windows GUI)
pestudio.exe sample.exe
# Using pefile (Python)
python -c "import pefile; pe = pefile.PE('sample.exe'); print(pe.dump_info())"
# Check sections for packing indicators
# VirtualSize >> RawSize = likely packed
peframe sample.exe | grep -A 10 "Sections"
# Common packer section names
# UPX0, UPX1, UPX2 β UPX packer
# .aspack β ASPack
# .petite β PETite
# .ndata β .NET obfuscation
PE metadata extraction:
# Using exiftool
exiftool sample.exe | grep -E "(FileDescription|CompanyName|OriginalFilename|LegalCopyright|ProductName)"
# Check digital signature
sigcheck -a sample.exe # Sysinternals
# Extract timestamp (can be forged)
peframe sample.exe | grep "Timestamp"
# Check for overlay data (appended after PE sections)
# If file size > sum of section sizes β overlay exists
Unpacking (if safe):
# UPX unpacking
upx -d sample.exe -o sample_unpacked.exe
# Check entropy (high entropy = encrypted/packed)
peframe sample.exe | grep "Entropy"
# Manual unpacking requires debugger (x64dbg/IDA Pro)
# Set breakpoint on: VirtualAlloc, VirtualProtect, CreateProcess
ELF file analysis (Linux binaries):
# File type
file sample.bin
# ELF header info
readelf -h sample.bin
# Section headers
readelf -S sample.bin
# Program headers
readelf -l sample.bin
# Check for UPX in ELF
readelf -S sample.bin | grep UPX
# Unpack ELF UPX
upx -d sample.bin -o sample_unpacked.bin
3.2 Strings & Importsβ
String extraction (obfuscated and plaintext):
# FLARE Obfuscated String Solver (FLOSS) - best for malware
floss sample.exe > floss_output.txt
floss --no-static-strings sample.exe # Only decoded strings
floss -n 8 sample.exe # Minimum string length of 8
# Traditional strings (fallback)
strings -a -n 8 sample.exe > strings.txt
strings -el sample.exe # UTF-16LE (Windows Unicode)
# Search for specific patterns
grep -E "https?://" floss_output.txt # URLs
grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt # IP addresses
grep -i "user-agent" floss_output.txt
grep -i "password\|username\|token" floss_output.txt
Specific indicators to extract:
# URLs and domains
grep -oE "(http|https)://[a-zA-Z0-9./?=_%:-]*" floss_output.txt | sort -u
# IP addresses
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt | sort -u
# Registry keys
grep -i "hkey\|hklm\|hkcu\|software\\\\microsoft" floss_output.txt
# Mutexes (process synchronization objects)
grep -i "mutex\|global\\\\" floss_output.txt
# File paths
grep -E "C:\\\\|\\\\Windows\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\" floss_output.txt
# Base64 encoded data (look for long alphanumeric strings ending in =)
grep -oE "[A-Za-z0-9+/]{40,}={0,2}" floss_output.txt
# PDB paths (reveal development environment)
grep -i "\.pdb" floss_output.txt
# Common crypto libraries
grep -i "advapi32\|bcrypt\|crypt32\|wincrypt" floss_output.txt
# Email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" floss_output.txt
Import/Export analysis (PE files):
# Using peframe
peframe sample.exe | grep -A 50 "Imported Functions"
peframe sample.exe | grep -A 20 "Exported Functions"
# Using pefile (Python)
python -c "import pefile; pe = pefile.PE('sample.exe'); print('\\n'.join([e.dll.decode() + ' -> ' + f.name.decode() for e in pe.DIRECTORY_ENTRY_IMPORT for f in e.imports if f.name]))"
# Using objdump (Linux)
objdump -p sample.exe | grep "DLL Name"
# Dangerous import functions to flag
# Network: URLDownloadToFile, InternetOpen, InternetConnect, send, recv, WSAStartup
# Process: CreateProcess, ShellExecute, WinExec, CreateRemoteThread
# Injection: VirtualAlloc, VirtualAllocEx, WriteProcessMemory, NtQueueApcThread
# Persistence: RegSetValue, CreateService, SetWindowsHookEx
# Crypto: CryptEncrypt, CryptDecrypt, CryptAcquireContext
# Anti-analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess
ELF imports (Linux binaries):
# List imported libraries
ldd sample.bin
# List imported symbols
nm -D sample.bin
# Check for dangerous functions
nm -D sample.bin | grep -E "(system|exec|fork|ptrace|socket|connect)"
# Disassemble imports section
objdump -T sample.bin
3.3 Capability Detectionβ
CAPA (Mandiant Capability Analysis):
# Run CAPA with default rules
capa sample.exe
# Output to file
capa sample.exe > capa_report.txt
# Verbose output with offsets
capa -v sample.exe
# JSON output for parsing
capa -j sample.exe > capa_report.json
# Analyze unpacked sample
capa sample_unpacked.exe
Key capabilities to flag:
| Capability | Indicators | MITRE ATT&CK |
|---|---|---|
| Network Communication | URLDownloadToFile, InternetOpen, send, recv, WSAStartup | T1071 |
| Process Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | T1055 |
| Code Execution | CreateProcess, ShellExecute, WinExec, system() | T1059 |
| Persistence | RegSetValue, CreateService, SetWindowsHookEx, WMI | T1547, T1053 |
| Credential Access | LsaEnumerateLogonSessions, CredEnumerate, SamIConnect | T1003 |
| Defense Evasion | IsDebuggerPresent, VirtualProtect, SetThreadContext | T1140, T1622 |
| Encryption/Encoding | CryptEncrypt, CryptDecrypt, Base64 decode | T1027 |
| Keylogging | SetWindowsHookEx (WH_KEYBOARD), GetAsyncKeyState | T1056.001 |
| Screen Capture | BitBlt, GetDC, CreateCompatibleBitmap | T1113 |
| File Deletion | DeleteFile, SHFileOperation, MoveFileEx (MOVEFILE_DELAY...) | T1070.004 |
Manual capability review (if CAPA unavailable):
# Check for specific WinAPI calls in disassembly
objdump -d sample.exe | grep -i "urldownloadtofile\|internetopen\|createprocess"
# Or use strings to find API names
strings sample.exe | grep -i "createremotethread\|virtualalloc\|writeprocessmemory"
3.4 Multi-Engine Scanningβ
Hash-only lookups (preferred - no sample upload):
# VirusTotal CLI (requires API key)
vt file <SHA256_HASH>
# Manual lookup URLs
# https://www.virustotal.com/gui/file/<SHA256_HASH>
# https://www.hybrid-analysis.com/search?hash=<SHA256_HASH>
# https://tria.ge/<SHA256_HASH>
# Check MalwareBazaar database
curl -X POST https://mb-api.abuse.ch/api/v1/ -d "query=get_info&hash=<SHA256_HASH>"
# Check ThreatFox IOC database
curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{"query":"search_hash","hash":"<SHA256_HASH>"}'
Local/offline AV scanning (if available):
# ClamAV (open-source)
clamscan -r --bell -i sample.exe
# Update signatures first
freshclam
# YARA scanning with community rules
yara -r /path/to/yara-rules/ sample.exe
Detection name analysis: If VirusTotal shows detections, analyze vendor names:
Trojan.Genericβ Generic heuristic detectionTrojan.Agentβ Unknown malware familyWin32.Emotet.Aβ Specific family (Emotet) and variant (A)Ransom.Lockbitβ Ransomware family (Lockbit)PUA/PUPβ Potentially Unwanted Application/ProgramPacked.VMProtectβ Packer/protector detection
4. Behavior Analysis (Dynamic, In-Lab Only)β
4.1 Monitoring Setupβ
Pre-execution checklist:
- Take clean VM snapshot
- Verify network is isolated (INetSim active)
- Start monitoring tools
- Set up screen recording (optional but recommended)
Process Monitor (Procmon) - Sysinternals:
# Launch Procmon
procmon.exe
# Configure filters to reduce noise:
# Filter -> Process Name -> is -> sample.exe -> Include
# Filter -> Process Name -> is -> rundll32.exe -> Include (if sample uses it)
# Filter -> Operation -> contains -> Reg -> Include (registry operations)
# Filter -> Operation -> contains -> File -> Include (file operations)
# Enable: Show File System Activity, Show Registry Activity, Show Network Activity
# Disable: Show Process and Thread Activity (too noisy)
# Save output after execution
# File -> Save -> All Events -> CSV format
Wireshark (Network Traffic Capture):
# Start capture on adapter connected to INetSim
wireshark -i eth0 -k
# Apply display filter for analysis
# DNS queries: dns
# HTTP traffic: http
# TLS/SSL: tls
# Specific IP: ip.addr == 192.168.56.101
# Save PCAP after execution
# File -> Save As -> sample_traffic.pcapng
Process Hacker (Process & Memory Analysis):
# Launch Process Hacker as Administrator
ProcessHacker.exe
# Monitor for:
# - New process creation (sample.exe and child processes)
# - Memory allocations (Heap, Private memory)
# - Handles (Files, Registry, Mutexes)
# - Network connections
# To dump process memory:
# Right-click process -> Create dump file
Sysmon (Advanced Windows Logging):
# Install Sysmon with SwiftOnSecurity config
sysmon64.exe -accepteula -i sysmonconfig-export.xml
# Download config from:
# https://github.com/SwiftOnSecurity/sysmon-config
# View Sysmon logs
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Format-List
# Export Sysmon logs
wevtutil epl Microsoft-Windows-Sysmon/Operational C:\evidence\sysmon_logs.evtx
Regshot (Registry Comparison):
# Take snapshot before execution
Regshot.exe -> 1st shot
# Execute malware
# Take snapshot after execution
Regshot.exe -> 2nd shot
# Compare and save
Compare -> Output to HTML
Noriben (Automated Procmon Analysis):
# Run Noriben with automatic procmon collection
python Noriben.py --cmd sample.exe
# Generates: Noriben_<timestamp>.txt with parsed behavior
4.2 Execution & Observationβ
Execute the sample:
# Execute in isolated VM
.\sample.exe
# Or with arguments if required
.\sample.exe --install
# For DLL files, use rundll32
rundll32.exe sample.dll,DllMain
# For scripts
powershell.exe -ExecutionPolicy Bypass -File sample.ps1
cscript.exe //NoLogo sample.vbs
Track spawned processes:
# PowerShell - monitor process creation
Get-WmiObject Win32_Process | Select-Object ProcessId,Name,CommandLine,ParentProcessId | Format-Table
# Command line - watch for new processes
wmic process list full
# Check process tree in Process Hacker
# View -> Tree view -> Expand sample.exe
Inspect dropped files:
# Find recently created files (last 5 minutes)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddMinutes(-5)}
# Common drop locations to check manually
C:\Users\<user>\AppData\Local\Temp\
C:\Users\<user>\AppData\Roaming\
C:\ProgramData\
C:\Windows\Temp\
# Hash all dropped files
Get-ChildItem -Path C:\Users\<user>\AppData\Local\Temp\ -Recurse | Get-FileHash -Algorithm SHA256
Common persistence mechanisms to check:
| Location | Command | Technique |
|---|---|---|
| Registry Run Keys | reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run | T1547.001 |
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run | ||
| Startup Folder | dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" | T1547.001 |
dir "%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup" | ||
| Scheduled Tasks | schtasks /query /fo LIST /v | T1053.005 |
Get-ScheduledTask | Where-Object {$_.TaskName -notlike "Microsoft*"} | ||
| Services | sc query | T1543.003 |
Get-Service | Where-Object {$_.Status -eq "Running"} | ||
| WMI Event Subscription | Get-WmiObject -Namespace root\Subscription -Class __EventFilter | T1546.003 |
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer | ||
| DLL Hijacking | Check for unexpected DLLs in application directories | T1574.001 |
Inspect mutexes and named objects:
# Using Process Hacker
# Select process -> Handles tab -> Filter: "Mutant"
# Using Handle.exe (Sysinternals)
handle.exe -a -p <PID>
# Common mutex names to flag
# Global\<random_string>
# Local\<random_string>
Check for injection into legitimate processes:
# Look for unusual memory allocations in explorer.exe, svchost.exe, etc.
# Process Hacker -> Select process -> Memory tab
# Flag RWX (Read-Write-Execute) memory regions
# Dump suspicious memory regions
# Right-click memory region -> Save -> memory_dump.bin
4.3 Network Behaviorβ
DNS traffic analysis:
# Wireshark display filter for DNS
dns
# Extract DNS queries from PCAP (tshark)
tshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u
# Look for:
# - DGA (Domain Generation Algorithm) patterns (long random domains)
# - Known C2 domains
# - Unusual TLDs (.tk, .ml, .ga, .cf)
# - Fast-flux DNS (multiple A records)
HTTP/HTTPS traffic analysis:
# Wireshark filter for HTTP
http
# Extract HTTP requests
tshark -r sample_traffic.pcapng -Y http.request -T fields -e http.host -e http.request.uri
# Extract User-Agent strings
tshark -r sample_traffic.pcapng -Y http -T fields -e http.user_agent | sort -u
# Check for:
# - Suspicious User-Agents (PowerShell, python-requests, curl)
# - C2 beacon patterns (regular intervals)
# - POST requests with encrypted/encoded data
# - Downloads (exe, dll, ps1, vbs files)
TLS/SSL analysis:
# Extract TLS Server Name Indication (SNI)
tshark -r sample_traffic.pcapng -Y tls.handshake.extensions_server_name -T fields -e tls.handshake.extensions_server_name | sort -u
# Check certificate details
tshark -r sample_traffic.pcapng -Y ssl.handshake.certificate -T fields -e x509sat.printableString
# Flag:
# - Self-signed certificates
# - Unusual certificate issuers
# - Mismatched SNI and certificate CN
Identify outbound connections:
# Using TCPView (GUI)
tcpview.exe
# Using netstat (command line)
netstat -ano | findstr ESTABLISHED
# Get full connection details
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Format-Table
# Check for common C2 ports
# 443, 8443 (HTTPS)
# 80, 8080 (HTTP)
# 53 (DNS tunneling)
# 4444, 5555 (Metasploit default)
# 1234, 31337 (backdoors)
Test C2 communication (lab environment only):
# Set up ncat listener to catch reverse shell
ncat -lnvp 4444
# For HTTPS/TLS callbacks
ncat -lnvp 443 --ssl
# Monitor all connection attempts
tcpdump -i any -n -vv
Extract network IOCs:
# List all contacted IPs
tshark -r sample_traffic.pcapng -T fields -e ip.dst | sort -u | grep -v "192.168\|10.0\|127.0.0.1"
# List all contacted domains
tshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u
# Extract URLs from HTTP traffic
tshark -r sample_traffic.pcapng -Y http.request -T fields -e http.host -e http.request.uri | awk '{print "http://"$1$2}'
5. Artefact Extraction & Normalizationβ
- Collect & rehash dropped files
- Export:
- PCAP
procmonlogs- Registry diffs
- Event logs
- Screenshots
- Normalize timestamps to UTC
- Extract PDB paths & PE metadata
- Store in structured case folder:
/CASE-<case_id>/
intake/
binaries/
static/
dynamic/
artifacts/
iocs/
detections/
report/
6. Specialized File Analysisβ
6.1 .NET/C# Analysisβ
.NET detection:
# Check for .NET assembly
file sample.exe | grep "PE32.*Mono/.Net assembly"
# Or use strings
strings sample.exe | grep "mscoree.dll"
# Check assembly info with ildasm (Microsoft IL Disassembler)
ildasm sample.exe
Decompilation with dnSpy:
1. Open sample.exe in dnSpy
2. Navigate Assembly Explorer -> sample.exe -> Namespace -> Class
3. Look for:
- Main() function (entry point)
- Embedded resources (right-click assembly -> Go to Resources)
- Obfuscated strings (base64, XOR, etc.)
- System.Net (HTTP, WebClient, DownloadFile)
- System.Security.Cryptography (AES, DES, RSA)
- System.Reflection (dynamic code loading)
- System.Diagnostics.Process (command execution)
4. Set breakpoints and debug dynamically (Start button)
Decompilation with ILSpy:
# Command-line decompilation
ilspycmd sample.exe -o decompiled_output/
# GUI version
ilspy.exe sample.exe
# Look for:
# - Hardcoded IPs/domains in strings
# - Decryption routines
# - Anti-VM checks
Extract embedded resources:
# Using dnSpy
# Right-click Assembly -> Resources -> Save All
# Using ResourceHacker (Windows)
ResourceHacker.exe -open sample.exe -save resources.txt -action extract
# Embedded payloads often stored as:
# - Encrypted byte arrays
# - Compressed streams (GZip, Deflate)
# - Base64-encoded strings
.NET deobfuscation:
# de4dot - .NET deobfuscator
de4dot sample.exe -o sample_deobfuscated.exe
# Handles common obfuscators:
# - ConfuserEx
# - .NET Reactor
# - Eazfuscator
6.2 Office/Macro Analysisβ
Identify macro-enabled documents:
# File extensions with macros
# .docm, .xlsm, .pptm, .doc (legacy), .xls (legacy)
# Detect OLE files
file document.docm
# Output: "Composite Document File V2 Document"
# Quick check for VBA macros
strings document.docm | grep -i "vba\|macro\|autoopen\|document_open"
Extract macros with oledump.py (Didier Stevens):
# List all streams in OLE file
oledump.py document.docm
# Look for "M" indicator (macros present)
# Example output:
# 1: 114 '\x01CompObj'
# 2: 4096 '\x05DocumentSummaryInformation'
# 3: M 8192 'Macros/VBA/ThisDocument' <- Macro present
# Extract macro from stream 3
oledump.py -s 3 -v document.docm
# Decompress corrupt VBA
oledump.py -s 3 --vbadecompresscorrupt document.docm
# Dump all macros to file
oledump.py -s 3 -v document.docm > macros.vba
Extract macros with olevba (oletools):
# Analyze and extract VBA macros
olevba document.docm
# Summary mode (flags suspicious keywords)
olevba --decode document.docm
# JSON output
olevba -j document.docm > macros.json
# Look for IOCs (URLs, IPs, file paths)
olevba --decode document.docm | grep -E "http|https|ftp|powershell|cmd|wscript"
Suspicious VBA keywords to flag:
AutoOpen,Document_Open,Workbook_Open(Auto-execution)Shell,CreateObject("WScript.Shell")(Command execution)URLDownloadToFile,MSXML2.XMLHTTP(File download)CreateObject("Scripting.FileSystemObject")(File operations)ExecuteStatement,Eval(Dynamic code execution)CallByName(Obfuscation technique)
Inspect .docx/.xlsx structure (ZIP format):
# Extract Office Open XML document
unzip document.docx -d document_extracted/
# Check for template injection
cat document_extracted/word/_rels/document.xml.rels | grep "Target.*http"
# Look for external relationships (template injection)
# <Relationship Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# Target="http://malicious.com/template.dotm" TargetMode="External"/>
# Check for embedded objects
ls document_extracted/word/embeddings/
Analyze Excel 4.0 macros (XLM macros):
# XLM macros in .xls files (legacy format)
oledump.py document.xls | grep XL
# Extract XLM formulas with XLMMacroDeobfuscator
python XLMMacroDeobfuscator.py -f document.xls
# Or use olevba
olevba document.xls --deobf
Dynamic analysis (sandbox execution):
1. Use Office in isolated VM (FlareVM)
2. Enable Content when prompted (activates macro)
3. Monitor with Procmon for:
- PowerShell execution
- WScript/CScript execution
- File writes to temp directories
- Network connections
6.3 PDF Analysisβ
Analyze PDF structure:
# Scan for malicious content with pdfid.py
pdfid.py document.pdf
# Flags to watch for:
# /OpenAction, /AA (Auto-execute on open)
# /JavaScript, /JS (Embedded JavaScript)
# /Launch (Execute external program)
# /EmbeddedFile (Embedded files)
# /RichMedia (Flash, multimedia)
# Analyze PDF streams
pdf-parser.py document.pdf
# Extract JavaScript
pdf-parser.py --search javascript document.pdf
# Dump specific object
pdf-parser.py --object 15 document.pdf
# Extract all streams
pdf-parser.py --raw document.pdf > pdf_streams.txt
Extract embedded files from PDF:
# Using peepdf
peepdf -i document.pdf
# Commands in interactive mode:
# > tree (show object structure)
# > object 15 (inspect object)
# > stream 15 (extract stream)
# > extract stream 15 > extracted_payload.bin
6.4 Script Analysis (PowerShell/VBS/JS)β
PowerShell deobfuscation:
# Common obfuscation patterns
# Base64 encoded commands
$encoded = "Base64StringHere"
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))
# Examine script without executing
Get-Content malicious.ps1
# Look for:
# - Invoke-Expression (IEX) - executes string as code
# - DownloadString, DownloadFile - downloads payload
# - FromBase64String - decodes embedded payload
# - Compression (IO.Compression.GzipStream)
# - WMI queries (Get-WmiObject)
# - Invoke-WebRequest, Invoke-RestMethod
# Static deobfuscation with PSDecode
Import-Module PSDecode
PSDecode -InputFile malicious.ps1 -OutputFile decoded.txt
# Or use online tools (in isolated environment)
# https://github.com/R3MRUM/PSDecode
VBScript/JScript analysis:
# Analyze without execution
cat malicious.vbs
# Common patterns:
# - CreateObject("WScript.Shell").Run - command execution
# - CreateObject("MSXML2.XMLHTTP") - HTTP requests
# - CreateObject("Scripting.FileSystemObject") - file operations
# - Eval(), Execute() - dynamic code execution
# Deobfuscate with decoder (manual)
# Replace Eval() with WScript.Echo() to print instead of execute
JavaScript (JS) analysis:
# Beautify obfuscated JS
cat malicious.js | js-beautify > beautified.js
# Or use online tools
# https://beautifier.io/
# Look for:
# - eval() - executes string as code
# - unescape(), decodeURIComponent() - decode strings
# - ActiveXObject - COM object creation (Windows only)
# - WScript.Shell, WScript.CreateObject
6.5 Archive Analysisβ
Inspect archives safely:
# List contents without extraction
7z l archive.zip
unzip -l archive.zip
tar -tzf archive.tar.gz
# Look for:
# - Double extensions (invoice.pdf.exe)
# - LNK files (Windows shortcuts)
# - Executable files masquerading as documents
# - Nested archives (archive.zip -> archive2.zip -> payload.exe)
# Extract to isolated directory
7z x archive.zip -o/tmp/extracted/
# Check extracted file types
cd /tmp/extracted/
file *
Analyze LNK (shortcut) files:
# Parse LNK file with LECmd (Windows)
LECmd.exe -f malicious.lnk
# Or use lnk-parser (Linux)
lnkinfo malicious.lnk
# Look for:
# - Target path (what it executes)
# - Command line arguments
# - Working directory
# - Icon location (may reveal payload location)
6.6 Linux/ELF Analysisβ
Basic ELF analysis:
# File type and architecture
file suspicious.bin
# Output: ELF 64-bit LSB executable, x86-64
# ELF header
readelf -h suspicious.bin
# Section headers
readelf -S suspicious.bin
# Program headers
readelf -l suspicious.bin
# Symbol table
readelf -s suspicious.bin
# Check for suspicious libraries
ldd suspicious.bin
# Look for:
# - libc.so (standard)
# - libssl.so (network encryption)
# - libcrypto.so (cryptography)
# - Unusual paths (/tmp/lib.so)
Dynamic analysis (Linux malware):
# Use strace to monitor system calls
strace -f -e trace=network,file,process ./suspicious.bin
# Monitor file operations
strace -e trace=open,read,write,close ./suspicious.bin
# Monitor network operations
strace -e trace=socket,connect,send,recv ./suspicious.bin
# ltrace to monitor library calls
ltrace -f ./suspicious.bin
7. Classification & TTP Mappingβ
- Propose malware family or threat cluster (if possible)
- Map behaviors to MITRE ATT&CK:
- T1055 β Process Injection
- T1083 β File Discovery
- T1105 β Remote File Copy
- T1140 β Deobfuscation
8. IOCs & Detection Engineeringβ
8.1 IOC Extraction & Defangingβ
Extract all IOC types:
# File hashes
sha256sum sample.exe dropped_file1.dll dropped_file2.exe
md5sum sample.exe dropped_file1.dll dropped_file2.exe
# Network indicators from strings/PCAP
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt # IPs
grep -oE "[a-zA-Z0-9.-]+\.(com|net|org|ru|cn)" floss_output.txt # Domains
tshark -r traffic.pcapng -T fields -e ip.dst | sort -u # Contacted IPs
tshark -r traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u # DNS queries
# Registry keys from Procmon/Regshot
grep "RegSetValue" procmon.csv | awk -F',' '{print $5}' | sort -u
# Mutexes from Process Hacker or strings
strings sample.exe | grep -i "mutex\|global\\\\"
# User-Agents from PCAP
tshark -r traffic.pcapng -Y http -T fields -e http.user_agent | sort -u
Defang IOCs for safe sharing:
# Defanging patterns
# http:// β hxxp://
# https:// β hxxps://
# . β [.]
# @ β [@]
# Examples:
# malicious.com β malicious[.]com
# http://evil.com/payload.exe β hxxp://evil[.]com/payload[.]exe
# attacker@evil.com β attacker[@]evil[.]com
# 192.168.1.100 β 192[.]168[.]1[.]100
# Automated defanging with ioc-fanger (Python)
pip install ioc-fanger
echo "http://malicious.com" | fanger --defang
# Or manual sed replacement
echo "http://malicious.com/payload.exe" | sed 's/http:/hxxp:/g; s/\./[.]/g'
8.2 IOC Confidence & Volatility Ratingβ
| IOC Type | Confidence | Volatility | Notes |
|---|---|---|---|
| File hash | High | Static | Unique to specific sample |
| Mutex name | High | Static | Hardcoded in malware |
| Registry key | High | Static | Persistence mechanism |
| IP address | Medium | Dynamic | May change (DGA, fast-flux) |
| Domain (C2) | Medium | Dynamic | May change frequently |
| User-Agent | Low | Dynamic | Common strings, high false positive |
| File path | Medium | Static | May vary by environment |
| PDB path | High | Static | Reveals dev environment |
| Certificate hash | High | Static | Used for code signing |
8.3 YARA Rule Creationβ
Basic YARA rule template:
rule Malware_Family_Emotet_Variant_A {
meta:
description = "Detects Emotet variant A based on strings and imports"
author = "Analyst Name"
date = "2025-10-05"
reference = "CASE-2025-1005-001"
hash = "a1b2c3d4e5f6..."
strings:
$s1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii
$s2 = "C:\\Windows\\SysWOW64\\rundll32.exe" wide
$s3 = { 4D 5A 90 00 03 00 00 00 } // MZ header
$mutex = "Global\\M12345" wide nocase
$api1 = "VirtualAlloc" ascii
$api2 = "CreateRemoteThread" ascii
$api3 = "WriteProcessMemory" ascii
condition:
uint16(0) == 0x5A4D and // PE file
filesize < 500KB and
2 of ($s*) and
all of ($api*)
}
Test YARA rule:
# Test against sample
yara malware_rule.yar sample.exe
# Scan directory
yara -r malware_rule.yar /path/to/samples/
# Save matches to file
yara -r malware_rule.yar /path/to/samples/ > matches.txt
YARA rule repositories:
- https://github.com/Yara-Rules/rules
- https://github.com/Neo23x0/signature-base
- https://github.com/reversinglabs/reversinglabs-yara-rules
8.4 Sigma Rule Creationβ
Sigma rule for malicious behavior (Sysmon Event ID 1 - Process Creation):
title: Suspicious PowerShell Download Cradle
id: 12345678-1234-1234-1234-123456789abc
status: experimental
description: Detects PowerShell download cradle execution
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Analyst Name
date: 2025-10-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- 'DownloadString'
- 'Invoke-Expression'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: high
Convert Sigma to SIEM queries:
# Install sigmac
pip install sigma-cli
# Convert to Splunk
sigma convert -t splunk rule.yml
# Convert to Elastic
sigma convert -t elasticsearch rule.yml
# Convert to QRadar
sigma convert -t qradar rule.yml
8.5 Suricata Rule Creationβ
Network IDS rule for C2 traffic:
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Emotet C2 Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/"; http_uri; depth:1; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64)"; sid:1234567; rev:1; metadata:created_at 2025_10_05;)
DNS-based detection:
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Suspicious DGA Domain Query"; dns.query; content:".tk"; nocase; sid:1234568; rev:1;)
Test Suricata rules:
# Test rule syntax
suricata -T -c /etc/suricata/suricata.yaml -S custom.rules
# Run Suricata on PCAP
suricata -r sample_traffic.pcapng -S custom.rules -l /var/log/suricata/
9.1 Malware Analysis Report Templateβ
# Malware Analysis Report
## Executive Summary
- **Malware Family:** Emotet (Variant A)
- **Threat Level:** High
- **Initial Vector:** Phishing email with malicious attachment
- **Primary Capability:** Banking trojan, credential theft, lateral movement
- **Recommended Action:** Block all network IOCs, hunt for persistence mechanisms
---
## Case Metadata
| Field | Value |
|--------------------|------------------------------------------|
| Case ID | CASE-2025-1005-001 |
| Sample ID | SAM-20251005-1430-001 |
| Analyst | Analyst Name |
| Analysis Date | 2025-10-05 |
| Filename (original)| invoice_2025.exe |
| SHA256 | a1b2c3d4e5f6... |
| File Size | 245 KB |
| File Type | PE32 executable (GUI) x86, for MS Windows|
---
## Technical Analysis
### Static Analysis
**File Properties:**
- Compiler: Microsoft Visual C++ 8.0
- Timestamp: 2025-09-28 14:23:11 UTC (possibly forged)
- Digital Signature: None
- Packer: UPX (detected and unpacked)
- Entropy: 7.2 (high - indicates encryption/packing)
**Capabilities (CAPA):**
- Network communication (URLDownloadToFile, InternetOpen)
- Process injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)
- Persistence via registry (RegSetValue)
- Credential theft (CredEnumerate, LsaEnumerateLogonSessions)
**Suspicious Strings:**
- hxxp://malicious[.]com/payload[.]exe
- 192[.]168[.]56[.]101
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Global\M12345 (mutex)
- C:\Users\Public\svchost.exe (dropped file)
### Dynamic Analysis
**Execution Flow:**
1. Creates mutex "Global\M12345" to prevent multiple infections
2. Drops secondary payload to C:\Users\Public\svchost.exe
3. Establishes persistence via registry Run key
4. Injects code into explorer.exe
5. Connects to C2 server at 192[.]168[.]56[.]101:443
6. Exfiltrates credentials via HTTP POST
**Persistence Mechanisms:**
- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
- Scheduled Task: N/A
- Service: N/A
**Network Behavior:**
- DNS queries: malicious[.]com, c2-server[.]tk
- C2 communication: HTTPS POST to 192[.]168[.]56[.]101:443
- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
- Beacon interval: 60 seconds
---
## Indicators of Compromise (IOCs)
### File Hashes
| Hash Type | Value |
|-----------|--------------------------------------------------------------------|
| SHA256 | a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890 |
| SHA1 | 1234567890abcdef1234567890abcdef12345678 |
| MD5 | 12345678901234567890123456789012 |
### Dropped Files
| Filename | SHA256 | Path |
|------------------------------|-------------------|-----------------------------|
| svchost.exe | b2c3d4e5f6... | C:\Users\Public\svchost.exe |
### Network Indicators (Medium Confidence - Dynamic)
| Type | Value (Defanged) | Context |
|--------|---------------------------|--------------------|
| Domain | malicious[.]com | C2 server |
| Domain | c2-server[.]tk | Backup C2 |
| IP | 192[.]168[.]56[.]101 | C2 IP address |
| URL | hxxps://malicious[.]com/api | C2 callback URL |
### Host Indicators (High Confidence - Static)
| Type | Value |
|--------------|---------------------------------------------------------|
| Mutex | Global\M12345 |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender |
| File Path | C:\Users\Public\svchost.exe |
---
## MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Evidence |
|------------------|---------------|---------------------------------|-----------------------------------|
| Execution | T1059.003 | Windows Command Shell | cmd.exe spawned by sample |
| Persistence | T1547.001 | Registry Run Keys | HKCU\...\Run key created |
| Defense Evasion | T1055.001 | Process Injection | Code injected into explorer.exe |
| Credential Access| T1003.001 | LSASS Memory Dump | LsaEnumerateLogonSessions called |
| Command & Control| T1071.001 | Web Protocols (HTTP/HTTPS) | HTTPS POST to C2 |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Credentials sent via HTTP POST |
---
## Detection & Hunting Guidance
### YARA Rule
```yara
rule Malware_Emotet_VariantA {
meta:
description = "Detects Emotet variant A"
author = "Analyst Name"
date = "2025-10-05"
hash = "a1b2c3d4e5f6..."
strings:
$mutex = "Global\\M12345" wide
$c2 = "malicious.com" ascii
$ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii
condition:
uint16(0) == 0x5A4D and 2 of them
}
### Sigma Rule (Process Creation)
```yaml
title: Emotet Registry Persistence
detection:
selection:
CommandLine|contains: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
condition: selection
### Hunting Queries
**Splunk:**
index=windows EventCode=1 (CommandLine="*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR Image="*\\svchost.exe" AND Image!="C:\\Windows\\System32\\svchost.exe")
**Elastic:**
event.code:1 AND (process.command_line:*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR (process.executable:*svchost.exe AND NOT process.executable:C\:\\Windows\\System32\\svchost.exe))
---
## Recommendations
### Immediate Actions
1. **Block network IOCs** at firewall/proxy (malicious[.]com, c2-server[.]tk, 192.168.56.101)
2. **Hunt for mutex** "Global\M12345" on endpoints
3. **Check registry Run keys** for "Windows Defender" entry pointing to non-standard path
4. **Search for file** C:\Users\Public\svchost.exe across environment
### Remediation Steps
1. Isolate infected hosts from network
2. Kill malicious processes (svchost.exe in C:\Users\Public\)
3. Delete dropped files and registry persistence
4. Reset credentials for affected users
5. Re-image compromised systems
### Long-term Mitigations
- Enable PowerShell logging (ScriptBlock, Module, Transcription)
- Deploy endpoint detection and response (EDR) solution
- Implement application whitelisting
- User security awareness training on phishing
---
## Appendix
### Evidence Files
- `sample.exe` (original) - SHA256: a1b2c3d4e5f6...
- `sample_unpacked.exe` - SHA256: b2c3d4e5f6...
- `svchost.exe` (dropped) - SHA256: c3d4e5f6...
- `procmon_output.csv` - Process Monitor logs
- `traffic_capture.pcapng` - Network traffic capture
- `regshot_comparison.html` - Registry changes
### Analysis Tools Used
- FLOSS 2.3 (string extraction)
- CAPA 7.0 (capability detection)
- PE-bear 0.6 (PE analysis)
- Procmon 3.95 (behavioral analysis)
- Wireshark 4.0 (network analysis)
### References
- MITRE ATT&CK: https://attack.mitre.org/
- VirusTotal: https://www.virustotal.com/gui/file/<SHA256>
- MalwareBazaar: https://bazaar.abuse.ch/
---
**Report Date:** 2025-10-05
**Last Updated:** 2025-10-05
9.2 Evidence Package Structureβ
/CASE-2025-1005-001/
βββ report/
β βββ malware_analysis_report.md
β βββ malware_analysis_report.pdf
βββ intake/
β βββ SAM-20251005-1430-001.7z (password: infected)
β βββ chain_of_custody.txt
βββ binaries/
β βββ sample.exe (original)
β βββ sample_unpacked.exe
β βββ svchost.exe (dropped)
βββ static/
β βββ floss_output.txt
β βββ capa_report.txt
β βββ peframe_analysis.txt
β βββ strings.txt
βββ dynamic/
β βββ procmon_output.csv
β βββ regshot_comparison.html
β βββ sysmon_logs.evtx
β βββ traffic_capture.pcapng
βββ iocs/
β βββ iocs.txt (defanged)
β βββ iocs.json
β βββ iocs.csv
βββ detections/
β βββ emotet_variantA.yar
β βββ emotet_sigma.yml
β βββ emotet_suricata.rules
βββ hashes.txt (SHA256 of all files)
9.3 Handoff Checklistβ
- All file hashes verified in evidence package
- IOCs defanged in report
- Sensitive data (credentials, PII) sanitized
- Detection rules tested against sample
- MITRE ATT&CK mapping complete
- Recommendations reviewed with stakeholders
- Evidence package encrypted (password: infected)
- Report approved by peer reviewer
- Findings briefed to incident response team
- Threat intelligence shared (if authorized)
10. Advanced Techniquesβ
10.1 Memory Forensics Integrationβ
Acquire memory dump during dynamic analysis:
# Using FTK Imager (GUI)
# File -> Capture Memory
# Using DumpIt (command line)
DumpIt.exe
# Using WinPMEM
winpmem_mini_x64.exe -o memory.dmp
# Verify memory dump
Get-FileHash memory.dmp -Algorithm SHA256
Analyze with Volatility 3:
# Easy way for Windows memory analysis
# -> https://github.com/gl0bal01/volatility-windows-analysis
# List available plugins
vol.py -h
# Identify OS profile
vol.py -f memory.dmp windows.info
# List running processes
vol.py -f memory.dmp windows.pslist
vol.py -f memory.dmp windows.pstree
# Find hidden/injected processes
vol.py -f memory.dmp windows.pscan
# Network connections
vol.py -f memory.dmp windows.netscan
# Scan for malware signatures
vol.py -f memory.dmp windows.malfind
# Dump suspicious process memory
vol.py -f memory.dmp -o dump_dir windows.memmap --pid 1234 --dump
# Extract command lines
vol.py -f memory.dmp windows.cmdline
# Registry hives
vol.py -f memory.dmp windows.registry.hivelist
vol.py -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
YARA scan in memory:
# Scan memory dump with YARA rules
vol.py -f memory.dmp windows.yarascan --yara-file malware.yar
10.2 Automated Sandbox Analysisβ
ANY.RUN (cloud-based):
1. Upload sample to https://app.any.run
2. Select Windows version and network simulation
3. Interact with sample (click buttons, wait for execution)
4. Review process tree, network traffic, file operations
5. Download PCAP and artifacts
Joe Sandbox (cloud/on-prem):
# Submit via jbxapi
jbxapi submit sample.exe --systems win10x64
# Wait for analysis
jbxapi status <submission_id>
# Download report
jbxapi download <submission_id> --type html > joe_report.html
jbxapi download <submission_id> --type json > joe_report.json
10.3 Reverse Engineering Workflowβ
Disassembly with IDA Pro/Ghidra:
# IDA Pro workflow
1. Open sample.exe in IDA Pro
2. Auto-analysis completes
3. Navigate to Functions window
4. Find entry point (start/main function)
5. Identify interesting functions:
- Network functions (send, recv, InternetOpen)
- Crypto functions (CryptEncrypt, AES_encrypt)
- String decryption routines
6. Set breakpoints for dynamic analysis
7. Use F5 (Hex-Rays) to decompile to pseudocode
# Ghidra workflow (free alternative)
1. Create new project
2. Import sample.exe
3. Analyze with default options
4. Use Symbol Tree to find functions
5. Decompiler window shows pseudocode
6. Look for XREFs to suspicious functions
Dynamic debugging with x64dbg:
1. Open sample.exe in x64dbg
2. Set breakpoints on:
- VirtualAlloc (memory allocation)
- CreateRemoteThread (process injection)
- InternetConnect (network connection)
- RegSetValue (persistence)
3. Run until breakpoint
4. Step through code (F7 - step into, F8 - step over)
5. Dump decrypted strings or payloads from memory
6. Follow execution flow to understand behavior
Anti-analysis bypass:
Common anti-analysis techniques and bypasses:
| Technique | Detection Method | Bypass |
|------------------------|--------------------------------------|----------------------------------|
| IsDebuggerPresent | Check PEB.BeingDebugged flag | Patch return value to 0 |
| CheckRemoteDebugger | NtQueryInformationProcess | Patch return value |
| RDTSC timing check | Measure execution time | Hardware breakpoints instead |
| VM detection (CPUID) | Check hypervisor bit | Modify CPUID response |
| Sandbox sleep evasion | Sleep(300000) before execution | Patch sleep call or hook API |
10.4 Common Pitfalls & Best Practicesβ
β Common Mistakes:
- Running malware on host system (always use isolated VM)
- Uploading samples to public sandboxes (may alert adversary)
- Not taking VM snapshots before execution (cannot reproduce)
- Analyzing packed samples without unpacking (miss true behavior)
- Ignoring string encoding (miss Unicode/base64 IOCs)
- Assuming timestamps are accurate (often forged)
- Forgetting to defang IOCs in reports (accidental clicks)
β Best Practices:
- Always analyze in snapshottable isolated VM
- Use hash-only lookups for intelligence gathering
- Document every command and observation
- Verify all hashes before and after transfer
- Store samples in password-protected archives (password: infected)
- Use defanged IOCs in all communications
- Maintain chain of custody documentation
- Peer review findings before publishing
- Test detection rules before deployment
- Keep analysis tools updated
11. QA & Peer Reviewβ
Review checklist:
- Second analyst reproduces key behaviors in clean VM
- Validate all file hashes (SHA256, SHA1, MD5)
- Verify MITRE ATT&CK technique mappings
- Confirm IOC confidence ratings (High/Medium/Low)
- Test YARA/Sigma/Suricata rules against sample
- Check for false positive indicators
- Remove private/organizational data from report
- Sanitize screenshots (no usernames, hostnames, IPs)
- Verify all URLs and domains are defanged
- Spell-check and grammar review
- Final sign-off in case notebook
- Archive evidence with verified hashes
π§ Appendix β Tooling Referenceβ
Static Analysisβ
| Tool | Use | Platform | Link |
|---|---|---|---|
| FLOSS | Obfuscated string extraction | Win/Linux/Mac | GitHub |
| CAPA | Capability detection | Win/Linux/Mac | GitHub |
| peframe | PE file inspection | Linux | GitHub |
| PE-bear | PE file GUI analysis | Windows | Website |
| pestudio | PE analysis GUI | Windows | Website |
| pefile | PE parsing library (Python) | Win/Linux/Mac | PyPI |
| TrID | File type identification | Win/Linux | Website |
| Detect It Easy | Packer/compiler detection | Win/Linux/Mac | GitHub |
| strings | Extract strings (built-in) | Linux/Mac | Built-in |
Dynamic Analysisβ
| Tool | Use | Platform | Link |
|---|---|---|---|
| Process Monitor | File/registry/network tracking | Windows | Sysinternals |
| Process Hacker | Process/memory analysis | Windows | Website |
| Wireshark | Network traffic capture/analysis | Win/Linux/Mac | Website |
| TCPView | Live network connections | Windows | Sysinternals |
| Regshot | Registry comparison | Windows | SourceForge |
| Sysmon | Advanced Windows event logging | Windows | Sysinternals |
| Noriben | Automated Procmon analysis | Windows | GitHub |
Reverse Engineeringβ
| Tool | Use | Platform | Link |
|---|---|---|---|
| IDA Pro | Disassembler/debugger (commercial) | Win/Linux/Mac | Hex-Rays |
| Ghidra | Disassembler/decompiler (free) | Win/Linux/Mac | NSA |
| x64dbg | Windows debugger | Windows | Website |
| OllyDbg | 32-bit debugger | Windows | Website |
| Radare2 | Reverse engineering framework | Win/Linux/Mac | Website |
| Binary Ninja | Disassembler/decompiler | Win/Linux/Mac | Website |
Specialized Toolsβ
| Tool | Use | Platform | Link |
|---|---|---|---|
| oledump.py | Office macro extraction | Win/Linux/Mac | Didier Stevens |
| olevba | VBA macro analysis | Win/Linux/Mac | oletools |
| dnSpy | .NET decompiler/debugger | Windows | GitHub |
| ILSpy | .NET assembly browser | Win/Linux/Mac | GitHub |
| de4dot | .NET deobfuscator | Windows | GitHub |
| pdfid.py | PDF structure analysis | Win/Linux/Mac | Didier Stevens |
| pdf-parser.py | PDF object extraction | Win/Linux/Mac | Didier Stevens |
| PSDecode | PowerShell deobfuscator | Win/Linux/Mac | GitHub |
| js-beautify | JavaScript beautifier | Win/Linux/Mac | NPM |
| LECmd | LNK file parser | Windows | EricZimmerman |
Memory Forensicsβ
| Tool | Use | Platform | Link |
|---|---|---|---|
| Volatility 3 | Memory forensics framework | Win/Linux/Mac | GitHub |
| FTK Imager | Memory/disk acquisition | Windows | AccessData |
| DumpIt | Memory acquisition | Windows | Magnet Forensics |
| WinPMEM | Memory acquisition | Windows | GitHub |
Sandboxes (Cloud)β
| Service | Use | Type | Link |
|---|---|---|---|
| VirusTotal | Multi-engine AV + intelligence | Free/Paid | Website |
| ANY.RUN | Interactive sandbox | Free/Paid | Website |
| Hybrid Analysis | Cloud sandbox | Free/Paid | Website |
| Tria.ge | Automated triage sandbox | Free/Paid | Website |
| Joe Sandbox | Advanced cloud sandbox | Commercial | Website |
Threat Intelligenceβ
| Service | Use | Link |
|---|---|---|
| MalwareBazaar | Malware sample repository | abuse.ch |
| ThreatFox | IOC database | abuse.ch |
| URLhaus | Malicious URL database | abuse.ch |
| MalAPI.io | Windows API behavior lookup | Website |
| GTFOBins | Unix binaries exploit database | Website |
Detection Engineeringβ
| Tool | Use | Link |
|---|---|---|
| YARA | Pattern matching engine | GitHub |
| Sigma | Generic SIEM rule format | GitHub |
| Suricata | Network IDS/IPS | Website |
| ioc-fanger | IOC defanging/fanging tool | GitHub |
Analysis Distributionsβ
| Distribution | Description | Link |
|---|---|---|
| FlareVM | Windows malware analysis VM | GitHub |
| REMnux | Linux malware analysis distro | Website |
| SIFT Workstation | Digital forensics distro | SANS |
π Additional Resourcesβ
Reference Materialsβ
- SANS Malware Analysis Cheat Sheet: https://www.sans.org/posters/
- Practical Malware Analysis Book: https://practicalmalwareanalysis.com/
- FLARE VM Setup Guide: https://github.com/mandiant/flare-vm
- Volatility 3 Documentation: https://volatility3.readthedocs.io/
- Volatility Reference Guide: https://github.com/gl0bal01/volatility
- Volatility Windows Analysis Script: https://github.com/gl0bal01/volatility-windows-analysis
Communities & Forumsβ
- r/Malware (Reddit): https://www.reddit.com/r/Malware/
- MalwareTech Blog: https://www.malwaretech.com/
- Malpedia (Malware Encyclopedia): https://malpedia.caad.fkie.fraunhofer.de/
12. Extended Reference Resourcesβ
Comprehensive Malware Analysis Guidesβ
- Malware Unicorn's Workshop - malwareunicorn.org
- Reverse engineering workshops and training materials
- x86 assembly crash course
- HackTricks - Malware Analysis - book.hacktricks.xyz/forensics/malware-analysis
- Comprehensive malware analysis techniques
- Static and dynamic analysis methodologies
- SANS Malware Analysis Toolkit - sans.org/tools
- Curated malware analysis tools and techniques
- OALabs Research - penanalysis.net and their Discord
- Malware unpacking and analysis tutorials
- YouTube channel with detailed walkthroughs
Malware Repositories & Threat Intelligenceβ
- MalwareBazaar - bazaar.abuse.ch
- Malware sample sharing platform
- API for automated lookups
- Malpedia - malpedia.caad.fkie.fraunhofer.de
- Malware family encyclopedia
- Detailed family profiles and IOCs
- ThreatFox - threatfox.abuse.ch
- IOC database for malware
- Real-time threat intelligence
- URLhaus - urlhaus.abuse.ch
- Malicious URL tracking
- Hybrid Analysis - hybrid-analysis.com
- Free malware analysis sandbox
- VirusTotal Graph - virustotal.com/graph
- Visualize malware relationships
YARA Rules & Signaturesβ
- Awesome YARA - github.com/InQuest/awesome-yara
- Curated list of YARA resources
- YARA-Rules Repository - github.com/Yara-Rules/rules
- Community YARA rules collection
- Neo23x0 Signature Base - github.com/Neo23x0/signature-base
- Florian Roth's YARA and Sigma rules
- ReversingLabs YARA Rules - github.com/reversinglabs/reversinglabs-yara-rules
- Commercial-grade YARA rules
Sandbox & Dynamic Analysisβ
- ANY.RUN - app.any.run
- Interactive malware sandbox
- Real-time analysis observation
- Tria.ge - tria.ge
- Automated malware analysis
- Free tier available
- Joe Sandbox - joesandbox.com
- Advanced malware analysis sandbox
- CAPE Sandbox - github.com/kevoreilly/CAPEv2
- Open-source malware sandbox
- Config extractor for malware families
Reverse Engineering Resourcesβ
- Practical Malware Analysis - practicalmalwareanalysis.com
- Classic malware analysis textbook
- Reverse Engineering for Beginners - beginners.re
- Free book by Dennis Yurichev
- Malware Analysis for Hedgehogs (YouTube) - Colin Hardy's channel
- Detailed malware analysis walkthroughs
- LiveOverflow Malware Series - youtube.com/LiveOverflow
- Binary exploitation and malware analysis
Specialized Analysis Techniquesβ
- Unpacking Malware - unprotect.it
- Malware evasion techniques database
- Unpacking methods and anti-analysis
- Didier Stevens Tools - blog.didierstevens.com/programs
- PDF analysis, Office macro tools
- oledump.py, pdfid.py, pdf-parser.py
- FLOSS Documentation - github.com/mandiant/flare-floss
- Mandiant's obfuscated string solver
- CAPA Rules - github.com/mandiant/capa-rules
- Capability detection rules
Memory Forensicsβ
- Volatility Cheat Sheet - github.com/gl0bal01/volatility
- Quick reference for Volatility commands
API & Behavior Referencesβ
- MalAPI.io - malapi.io
- Windows API calls used by malware
- Categorized by function (persistence, evasion, etc.)
- MITRE ATT&CK - attack.mitre.org
- Adversary tactics and techniques
- ATT&CK Navigator - mitre-attack.github.io/attack-navigator
- Visualize ATT&CK techniques
- LOLBins - lolbas-project.github.io
- Living Off the Land binaries (Windows)
- GTFOBins - gtfobins.github.io
- Unix binaries for exploitation
.NET & PowerShell Analysisβ
- dnSpyEx - github.com/dnSpyEx/dnSpy
- .NET debugger and decompiler (maintained fork)
- de4dot - github.com/de4dot/de4dot
- .NET deobfuscator
- PSDecode - github.com/R3MRUM/PSDecode
- PowerShell deobfuscation tool
- PowerShell Empire Detection - github.com/EmpireProject/Empire
- Understanding PowerShell malware
Office & Document Malwareβ
- oletools - github.com/decalage2/oletools
- Python tools for malicious Office files
- olevba, rtfobj, msodde
- XLMMacroDeobfuscator - github.com/DissectMalware/XLMMacroDeobfuscator
- Excel 4.0 macro analysis
- VBA Stomping Detection - outflank.nl/blog
- Understanding VBA stomping techniques
Courses & Trainingβ
- SANS FOR610 - Reverse Engineering Malware: Malware Analysis Tools and Techniques
- SANS FOR710 - Reverse Engineering Malware: Advanced Code Analysis
- TCM Security - Practical Malware Analysis & Triage - tcm-sec.com/pmat
- Malware Analysis Boot Camp (Cybrary) - cybrary.it
- eLearnSecurity Malware Analysis Professional (eCMAP)
Blogs & Researchβ
- MalwareTech - malwaretech.com
- Marcus Hutchins' malware research blog
- Kryptos Logic - kryptoslogic.com/blog
- Advanced malware analysis
- Mandiant Blog - mandiant.com/resources/blog
- APT and malware research
- Malwarebytes Labs - blog.malwarebytes.com
- Consumer malware trends
- CERT-EU Security Advisories - cert.europa.eu
- European CERT malware alerts
Forensics Integrationβ
- SANS Digital Forensics Blog - sans.org/blog
- 13Cubed (YouTube) - youtube.com/c/13Cubed
- Digital forensics and incident response
- DFIR.it - dfir.it
- Digital forensics resources
Communities & Forumsβ
- r/Malware - reddit.com/r/Malware
- Malware analysis community
- r/ReverseEngineering - reddit.com/r/ReverseEngineering
- Reverse engineering discussions
- Malware Analysis Discord - Various community servers
- Stack Overflow - Reverse Engineering - reverseengineering.stackexchange.com
Automated Analysis Platformsβ
- DRAKVUF Sandbox - github.com/CERT-Polska/drakvuf-sandbox
- Agentless malware sandbox
- Noriben - github.com/Rurik/Noriben
- Automated Procmon analysis script
Related SOPsβ
Analysis:
- Reverse Engineering - Disassembly, decompilation, and binary analysis
- Cryptography Analysis - Analyzing encryption in malware
- Hash Generation Methods - File hashing and integrity
Pentesting & Security:
- Forensics Investigation - Post-incident analysis and evidence collection
- Detection Evasion Testing - Understanding malware evasion techniques
- Vulnerability Research - Finding vulnerabilities exploited by malware
π¦ This SOP is designed for Obsidian vault integration. Link from incident case folders or use as standalone reference for malware analysis workflows.