Objective: Analyze suspicious binaries/objects to extract IOCs, assess behavior, and assist containment/detection.
Execution Environment: Use only isolated, disposable VM snapshots (no host execution). No clipboard or drag‑and‑drop. Prefer offline analysis or simulated internet (INetSim/DNS sinkhole).
Legal Notice: If evidence of child safety concerns or imminent harm arises, stop immediately. Collect metadata and follow Sensitive Crime Escalation procedures.
Confidentiality: Treat all outputs/samples as sensitive. Share on a need-to-know basis only. Label clearly (e.g., MALWARE / DO-NOT-TOUCH).
1. Safety & OPSEC — 🔒 Pre-Flight Checklist
Use VM snapshot (clean, no shared folders/network, no host time sync).
Use analysis persona (no personal/org credentials).
Hostname, username, timezone must be non-attributable.
No real internet. Simulated network only (e.g., INetSim).
Tooling integrity: Verify hashes before installation; use only approved tools.
Encrypt artefacts and label with warnings when transporting.
Avoid uploading binaries to public services. Prefer hash-only queries.
Lab Environment Setup
VMware/VirtualBox Configuration:
# Recommended VM specifications- OS: Windows 10/11 or REMnux/FlareVM- RAM: 4GB minimum (8GB preferred)- Disk: 60GB thin provisioned- Network: Host-only or NAT with INetSim- Snapshots: Take "Clean State" before each analysis# Disable shared features- Shared folders: OFF- Clipboard sharing: OFF- Drag and drop: OFF- Time synchronization: OFF- Guest additions: Minimal/None
INetSim Setup (Simulated Internet):
# Install INetSim (Linux-based)sudo apt install inetsim# Configure /etc/inetsim/inetsim.confservice_bind_address 0.0.0.0dns_default_ip 192.168.56.1https_bind_port 443http_bind_port 80# Start INetSimsudo inetsim# Configure VM to use INetSim as DNS# Set DNS server to INetSim host IP (e.g., 192.168.56.1)
FlareVM Installation (Windows Analysis):
# Run as AdministratorSet-ExecutionPolicy Unrestricted -ForceInvoke-WebRequest https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1 -OutFile install.ps1.\install.ps1# Post-install: Disable Windows Defender (analysis VM only)Set-MpPreference -DisableRealtimeMonitoring $true
REMnux Installation (Linux Malware Analysis):
# Download REMnux OVA or install on existing Ubuntuwget https://REMnux.org/remnux-clisudo bash remnux-cli install# Update toolsremnux update
# Using pestudio (Windows GUI)pestudio.exe sample.exe# Using pefile (Python)python -c "import pefile; pe = pefile.PE('sample.exe'); print(pe.dump_info())"# Check sections for packing indicators# VirtualSize >> RawSize = likely packedpeframe sample.exe | grep -A 10 "Sections"# Common packer section names# UPX0, UPX1, UPX2 → UPX packer# .aspack → ASPack# .petite → PETite# .ndata → .NET obfuscation
PE metadata extraction:
# Using exiftoolexiftool sample.exe | grep -E "(FileDescription|CompanyName|OriginalFilename|LegalCopyright|ProductName)"# Check digital signaturesigcheck -a sample.exe # Sysinternals# Extract timestamp (can be forged)peframe sample.exe | grep "Timestamp"# Check for overlay data (appended after PE sections)# If file size > sum of section sizes → overlay exists
# Check for specific WinAPI calls in disassemblyobjdump -d sample.exe | grep -i "urldownloadtofile\|internetopen\|createprocess"# Or use strings to find API namesstrings sample.exe | grep -i "createremotethread\|virtualalloc\|writeprocessmemory"
3.4 Multi-Engine Scanning
Hash-only lookups (preferred - no sample upload):
# VirusTotal CLI (requires API key)vt file <SHA256_HASH># Manual lookup URLs# https://www.virustotal.com/gui/file/<SHA256_HASH># https://www.hybrid-analysis.com/search?hash=<SHA256_HASH># https://tria.ge/<SHA256_HASH># Check MalwareBazaar databasecurl -X POST https://mb-api.abuse.ch/api/v1/ -d "query=get_info&hash=<SHA256_HASH>"# Check ThreatFox IOC databasecurl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{"query":"search_hash","hash":"<SHA256_HASH>"}'
Local/offline AV scanning (if available):
# ClamAV (open-source)clamscan -r --bell -i sample.exe# Update signatures firstfreshclam# YARA scanning with community rulesyara -r /path/to/yara-rules/ sample.exe
Detection name analysis:
If VirusTotal shows detections, analyze vendor names:
Trojan.Generic → Generic heuristic detection
Trojan.Agent → Unknown malware family
Win32.Emotet.A → Specific family (Emotet) and variant (A)
When entropy is high, imports are sparse, and section names look unfamiliar, the sample is almost certainly packed or protected. Static analysis on the packed binary yields almost nothing — pivot to identification, then either unpack statically (UPX-class) or capture the unpacked image during dynamic analysis (commercial protectors).
Quick signals that a sample is packed:
Entropy > 7.0 overall, or any individual section > 6.8.
Import table very small, or limited to LoadLibrary / GetProcAddress / VirtualAlloc / VirtualProtect (runtime-resolution pattern).
Section names match known packer fingerprints (table below).
Section characteristics — executable section with no readable strings, or a single oversized section combining code and data.
PE anomalies — entry point outside the first section, missing .text/.rsrc, unusually small code section, large overlay.
Common packers and reversibility:
Packer / Protector
Section / Signature Indicators
Static unpacking?
UPX
UPX0 / UPX1 / UPX2 sections, UPX! magic in overlay
Yes — upx -d sample.exe
ASPack
.aspack section, aSPack string, low import count
Partially — community tools
MPRESS
.MPRESS1 / .MPRESS2, LZMA-compressed body
Partially — community tools
Themida / WinLicense
.themida / .winlicen sections, virtualized code, heavy anti-debug
No — requires dynamic dump
VMProtect
.vmp0 / .vmp1 sections, custom VM bytecode, anti-tamper
No — requires dynamic dump
Enigma Protector
.enigma1 / .enigma2, license-check stubs
No — requires dynamic dump
Custom / unknown
Unknown section names, high entropy, minimal imports
No — dynamic + manual
Workflow when packing is detected:
Identify the packer with Detect It Easy (DIE), pestudio, or ExeinfoPE. Record the packer name and per-section entropy in the triage notes.
Record both hashes. The packed hash is the delivery artifact (use it for VT pivots and IOCs); the unpacked hash often matches a known family.
Re-run §3.2 / §3.3 on the unpacked binary — imports and strings are usually an order of magnitude richer.
For commercial protectors (Themida, VMProtect, Enigma) and custom packers, static unpacking is not viable. Dump the unpacked image during dynamic analysis instead — break on VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory / memcpy into the new region, or use pe-sieve / hollows_hunter against the running PID:
Both tools dump suspicious in-memory regions (hollowed sections, RWX shellcode, unpacked PE images) to disk for static analysis.
Sophistication signal. Commercial protectors → Advanced. Custom packer → Advanced / APT-grade. Note this in the report — packer choice is itself an attribution data point.
PE analysis with packer detection + entropy visualization.
PEiD
Older but widely-referenced signature DB; treat as supporting evidence.
ExeinfoPE
Fills gaps when DIE is inconclusive.
CFF Explorer
Manual section / header inspection.
4. Behavior Analysis (Dynamic, In-Lab Only)
4.1 Monitoring Setup
Pre-execution checklist:
Take clean VM snapshot
Verify network is isolated (INetSim active)
Start monitoring tools
Set up screen recording (optional but recommended)
Process Monitor (Procmon) - Sysinternals:
# Launch Procmonprocmon.exe# Configure filters to reduce noise:# Filter -> Process Name -> is -> sample.exe -> Include# Filter -> Process Name -> is -> rundll32.exe -> Include (if sample uses it)# Filter -> Operation -> contains -> Reg -> Include (registry operations)# Filter -> Operation -> contains -> File -> Include (file operations)# Enable: Show File System Activity, Show Registry Activity, Show Network Activity# Disable: Show Process and Thread Activity (too noisy)# Save output after execution# File -> Save -> All Events -> CSV format
Wireshark (Network Traffic Capture):
# Start capture on adapter connected to INetSimwireshark -i eth0 -k# Apply display filter for analysis# DNS queries: dns# HTTP traffic: http# TLS/SSL: tls# Specific IP: ip.addr == 192.168.56.101# Save PCAP after execution# File -> Save As -> sample_traffic.pcapng
System Informer (Process & Memory Analysis):
Formerly Process Hacker — renamed to System Informer in 2022 and now maintained by Winsider Seminars & Solutions. The legacy ProcessHacker.exe binary is still distributed for compatibility but new analysis builds should use the SystemInformer.exe build from the official repo (https://github.com/winsiderss/systeminformer).
# Launch System Informer as AdministratorSystemInformer.exe# Monitor for:# - New process creation (sample.exe and child processes)# - Memory allocations (Heap, Private memory)# - Handles (Files, Registry, Mutexes)# - Network connections# To dump process memory:# Right-click process -> Create dump file
# Take snapshot before executionRegshot.exe -> 1st shot# Execute malware# Take snapshot after executionRegshot.exe -> 2nd shot# Compare and saveCompare -> Output to HTML
Noriben (Automated Procmon Analysis):
# Run Noriben with automatic procmon collectionpython Noriben.py --cmd sample.exe# Generates: Noriben_<timestamp>.txt with parsed behavior
4.2 Execution & Observation
Execute the sample:
# Execute in isolated VM.\sample.exe# Or with arguments if required.\sample.exe --install# For DLL files, use rundll32rundll32.exe sample.dll,DllMain# For scriptspowershell.exe -ExecutionPolicy Bypass -File sample.ps1cscript.exe //NoLogo sample.vbs
Track spawned processes:
# PowerShell - monitor process creationGet-WmiObject Win32_Process | Select-Object ProcessId,Name,CommandLine,ParentProcessId | Format-Table# Command line - watch for new processeswmic process list full# Check process tree in System Informer# View -> Tree view -> Expand sample.exe
Inspect dropped files:
# Find recently created files (last 5 minutes)Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddMinutes(-5)}# Common drop locations to check manuallyC:\Users\<user>\AppData\Local\Temp\C:\Users\<user>\AppData\Roaming\C:\ProgramData\C:\Windows\Temp\# Hash all dropped filesGet-ChildItem -Path C:\Users\<user>\AppData\Local\Temp\ -Recurse | Get-FileHash -Algorithm SHA256
Check for unexpected DLLs in application directories
T1574.001
Inspect mutexes and named objects:
# Using System Informer# Select process -> Handles tab -> Filter: "Mutant"# Using Handle.exe (Sysinternals)handle.exe -a -p <PID># Common mutex names to flag# Global\<random_string># Local\<random_string>
Check for injection into legitimate processes:
# Look for unusual memory allocations in explorer.exe, svchost.exe, etc.# System Informer -> Select process -> Memory tab# Flag RWX (Read-Write-Execute) memory regions# Dump suspicious memory regions# Right-click memory region -> Save -> memory_dump.bin
4.3 Network Behavior
DNS traffic analysis:
# Wireshark display filter for DNSdns# Extract DNS queries from PCAP (tshark)tshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u# Look for:# - DGA (Domain Generation Algorithm) patterns (long random domains)# - Known C2 domains# - Unusual TLDs (.tk, .ml, .ga, .cf)# - Fast-flux DNS (multiple A records)
DNS-over-HTTPS (DoH) tunneling — outbound TLS to cloudflare-dns.com, dns.google, dns.quad9.net, or any host on :443 returning the application/dns-message content type. Procmon dns.google resolutions paired with TLS to those IPs from a non-browser process is a strong signal. Capture full PCAP and decrypt with a TLS keylog file (SSLKEYLOGFILE) when possible.
Named-pipe C2 — beacons that talk locally over \\.\pipe\<name> to a sibling process (often a hollowed svchost.exe or stomped DLL — see §10.4). System Informer → process → Handles tab → filter Named Pipe makes these visible. Common with Cobalt Strike SMB beacons.
Domain fronting — TLS handshake SNI is a popular CDN-hosted hostname (Azure Front Door, Fastly, CloudFront), but the inner HTTP Host: header points to the actual C2. tshark filter tls.handshake.extensions_server_name versus http2.header.value (or post-decryption http.host) reveals the mismatch. Most major fronting providers have closed the technique on production tenants but it still appears in older toolkits and self-hosted CDNs.
HTTPS with pinned certificates — sample carries the C2 server cert hash in code; INetSim’s default self-signed response causes the malware to drop the connection. Symptom is “no traffic after first TLS ClientHello.” Workaround: configure mitmproxy with a captured/forged cert, or static-analyze the pinned hash and replace it.
Identify outbound connections:
# Using TCPView (GUI)tcpview.exe# Using netstat (command line)netstat -ano | findstr ESTABLISHED# Get full connection detailsGet-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Format-Table# Check for common C2 ports# 443, 8443 (HTTPS)# 80, 8080 (HTTP)# 53 (DNS tunneling)# 4444, 5555 (Metasploit default)# 1234, 31337 (backdoors)
Test C2 communication (lab environment only):
# Set up ncat listener to catch reverse shellncat -lnvp 4444# For HTTPS/TLS callbacksncat -lnvp 443 --ssl# Monitor all connection attemptstcpdump -i any -n -vv
Extract network IOCs:
# List all contacted IPstshark -r sample_traffic.pcapng -T fields -e ip.dst | sort -u | grep -v "192.168\|10.0\|127.0.0.1"# List all contacted domainstshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u# Extract URLs from HTTP traffictshark -r sample_traffic.pcapng -Y http.request -T fields -e http.host -e http.request.uri | awk '{print "http://"$1$2}'
# Check for .NET assemblyfile sample.exe | grep "PE32.*Mono/.Net assembly"# Or use stringsstrings sample.exe | grep "mscoree.dll"# Check assembly info with ildasm (Microsoft IL Disassembler)ildasm sample.exe
Decompilation with dnSpy:
1. Open sample.exe in dnSpy
2. Navigate Assembly Explorer -> sample.exe -> Namespace -> Class
3. Look for:
- Main() function (entry point)
- Embedded resources (right-click assembly -> Go to Resources)
- Obfuscated strings (base64, XOR, etc.)
- System.Net (HTTP, WebClient, DownloadFile)
- System.Security.Cryptography (AES, DES, RSA)
- System.Reflection (dynamic code loading)
- System.Diagnostics.Process (command execution)
4. Set breakpoints and debug dynamically (Start button)
CVE-2023-26369 — Adobe Acrobat Reader out-of-bounds write; flagged as actively exploited in the wild.
CVE-2024-4367 — PDF.js arbitrary JavaScript execution; affects Firefox and any web app embedding the vulnerable PDF.js viewer.
CVE-2023-36664 — Ghostscript command injection via crafted PDF; primarily impacts server-side PDF processing pipelines (mail gateways, CI rendering).
If pdfid flags /JavaScript, /AA, or /OpenAction and the sample arrived in a context likely to hit one of these renderers, prioritize extracting embedded JS / streams and cross-reference vendor advisories before declaring benign.
6.4 Script Analysis (PowerShell/VBS/JS)
PowerShell deobfuscation:
# Common obfuscation patterns# Base64 encoded commands$encoded = "Base64StringHere"[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))# Examine script without executingGet-Content malicious.ps1# Look for:# - Invoke-Expression (IEX) - executes string as code# - DownloadString, DownloadFile - downloads payload# - FromBase64String - decodes embedded payload# - Compression (IO.Compression.GzipStream)# - WMI queries (Get-WmiObject)# - Invoke-WebRequest, Invoke-RestMethod# Static deobfuscation with PSDecodeImport-Module PSDecodePSDecode -InputFile malicious.ps1 -OutputFile decoded.txt# Or use online tools (in isolated environment)# https://github.com/R3MRUM/PSDecode
Common obfuscation primitives and how to defeat them statically:
Chr() concatenation — characters built from ASCII codes to hide strings:
cmd = Chr(99) & Chr(109) & Chr(100) ' = "cmd"
# Resolve all Chr() calls in a samplepython3 -c "import recode = open('malicious.vbs').read()for m in re.finditer(r'Chr\((\d+)\)', code): print(f'Chr({m.group(1)}) -> {chr(int(m.group(1)))}')" | sort -u
StrReverse — string stored backwards to evade signature matching:
Execute / ExecuteGlobal / Eval — dynamic code execution. SAFE deobfuscation idiom: swap the runtime-execution call for WScript.Echo() so the payload prints instead of running, then re-run with cscript /nologo in the analysis VM:
' OriginalExecuteGlobal(decodedPayload)' Replace with this for safe extractionWScript.Echo(decodedPayload)
GetObject("new:{CLSID}") — alternative to CreateObject that avoids the literal string WScript.Shell in the source. CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8} is the Windows Script Host shell instance — flag it on sight.
Variable substitution tracing: for chained obfuscation, follow each variable from its assignment to its use and reconstruct the final value by hand. Most VBScript loaders are <300 lines and tractable to trace manually.
# List contents without extraction7z l archive.zipunzip -l archive.ziptar -tzf archive.tar.gz# Look for:# - Double extensions (invoice.pdf.exe)# - LNK files (Windows shortcuts)# - Executable files masquerading as documents# - Nested archives (archive.zip -> archive2.zip -> payload.exe)# Extract to isolated directory7z x archive.zip -o/tmp/extracted/# Check extracted file typescd /tmp/extracted/file *
Analyze LNK (shortcut) files:
# Parse LNK file with LECmd (Windows)LECmd.exe -f malicious.lnk# Or use lnk-parser (Linux)lnkinfo malicious.lnk# Look for:# - Target path (what it executes)# - Command line arguments# - Working directory# - Icon location (may reveal payload location)
6.6 Linux/ELF Analysis
Basic ELF analysis:
# File type and architecturefile suspicious.bin# Output: ELF 64-bit LSB executable, x86-64# ELF headerreadelf -h suspicious.bin# Section headersreadelf -S suspicious.bin# Program headersreadelf -l suspicious.bin# Symbol tablereadelf -s suspicious.bin# Check for suspicious librariesldd suspicious.bin# Look for:# - libc.so (standard)# - libssl.so (network encryption)# - libcrypto.so (cryptography)# - Unusual paths (/tmp/lib.so)
Dynamic analysis (Linux malware):
# Use strace to monitor system callsstrace -f -e trace=network,file,process ./suspicious.bin# Monitor file operationsstrace -e trace=open,read,write,close ./suspicious.bin# Monitor network operationsstrace -e trace=socket,connect,send,recv ./suspicious.bin# ltrace to monitor library callsltrace -f ./suspicious.bin
6.7 HTA (HTML Application) Analysis
HTA files (.hta) are HTML documents executed by mshta.exe (Microsoft HTML Application Host) instead of a browser. Because mshta.exe is a signed Microsoft binary, the script runs with the full privileges of the current user with no browser sandbox — full COM, ActiveX, and filesystem access. HTAs are routinely used in phishing chains, often dropped inside ISO/ZIP archives.
MITRE ATT&CK: T1218.005 — System Binary Proxy Execution: Mshta.
Detection:
file suspicious.hta# Output is typically "HTML document text" — always verify the .hta extension separatelystrings suspicious.hta | grep -iE "mshta|WScript|Shell|ActiveX|XMLHTTP|powershell|CreateObject"
Static triage approach: HTAs are plain text. Open in any editor — never double-click.
Pull script blocks.grep -A 50 "<script" suspicious.hta and identify the language attribute (VBScript / JScript / mixed).
Enumerate every COM instantiation. ActiveX/COM is the entire attack surface in HTAs:
Apply the §6.4 VBScript deobfuscation idiom (swap Execute / ExecuteGlobal for WScript.Echo and re-run with cscript /nologo in the lab VM) to extract chained payloads safely.
Dynamic confirmation: in the analysis VM, run Procmon filtered on Process Name is mshta.exe. Inspect every CreateFile, WriteFile, RegSetValue, and Process Create event — they reveal dropped paths, persistence keys, and child-process command lines.
6.8 Disk Image Analysis (ISO / IMG / VHD / VHDX)
Disk-image containers are a MOTW (Mark-of-the-Web) bypass primitive. When a file is downloaded from the internet, Windows attaches a Zone.Identifier:$DATA ADS marking it Zone 3 (untrusted) — SmartScreen, Office Protected View, and the Win10/11 LNK warning all key on this. Files extracted from a mounted ISO / VHD do not inherit the parent image’s MOTW, so payloads inside execute without those prompts. On Windows 10+ .iso auto-mounts as a virtual DVD on double-click and .vhd / .vhdx auto-mount as virtual disks.
file suspicious.iso # "ISO 9660 CD-ROM filesystem data"file suspicious.img # "DOS/MBR boot sector" or "Linux rev 1.0 ext2 filesystem data"file suspicious.vhd # "Microsoft Disk Image, Virtual Server or Virtual PC, version 0x00010000"file suspicious.vhdx # "Microsoft Disk Image eXtended"
Always analyze read-only and never execute contents outside the analysis VM.
Option A — extract without mounting (safest, cross-platform):
7z l suspicious.iso # list firstmkdir /tmp/iso_contents7z x suspicious.iso -o/tmp/iso_contents/ # extractfind /tmp/iso_contents/ -type f -exec file {} \;
Option B — read-only loop mount (Linux):
sudo mkdir /mnt/suspicious_isosudo mount -o loop,ro suspicious.iso /mnt/suspicious_isols -la /mnt/suspicious_iso/find /mnt/suspicious_iso/ -type f -exec file {} \;sudo umount /mnt/suspicious_iso
Option C — read-only mount (Windows analysis VM only):
archive.iso/
Invoice.lnk <- victim double-clicks this
document.pdf <- decoy shown to victim
payload.dll <- hidden attribute set; LNK runs it via rundll32
Always check for hidden files (ls -la, Get-ChildItem -Force). Parse every LNK with lnkinfo (Linux) or LECmd.exe (Windows) — record target path, arguments, working directory, icon location.
Decoy documents — a benign-looking PDF / DOCX displayed to the victim while the payload runs in the background. Analyze them separately via §6.2 / §6.3.
Filename tricks — double extensions (invoice.pdf.exe) and Right-To-Left Override (U+202E) which can flip payloadexe.doc to render as payloadcod.exe:
rule Malware_Family_Emotet_Variant_A { meta: description = "Detects Emotet variant A based on strings and imports" author = "Analyst Name" date = "2025-10-05" reference = "CASE-2025-1005-001" hash = "a1b2c3d4e5f6..." strings: $s1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii $s2 = "C:\\Windows\\SysWOW64\\rundll32.exe" wide $s3 = { 4D 5A 90 00 03 00 00 00 } // MZ header $mutex = "Global\\M12345" wide nocase $api1 = "VirtualAlloc" ascii $api2 = "CreateRemoteThread" ascii $api3 = "WriteProcessMemory" ascii condition: uint16(0) == 0x5A4D and // PE file filesize < 500KB and 2 of ($s*) and all of ($api*)}
Test YARA rule:
# Test against sampleyara malware_rule.yar sample.exe# Scan directoryyara -r malware_rule.yar /path/to/samples/# Save matches to fileyara -r malware_rule.yar /path/to/samples/ > matches.txt
Sigma rule for malicious behavior (Sysmon Event ID 1 - Process Creation):
Generate a real UUID4 per rule — never copy a placeholder. Use python3 -c "import uuid; print(uuid.uuid4())" or uuidgen. Reusing example UUIDs in production rules causes silent merge collisions in SigmaHQ and downstream SIEMs.
Convert Sigma to SIEM queries (sigma-cli, modern replacement for legacy sigmac):
# Install sigma-cli (PyPI package: sigma-cli; legacy `sigmac` is deprecated)pip install sigma-cli# Convert to Splunksigma convert -t splunk rule.yml# Convert to Elastic (Elasticsearch Lucene / EQL backends)sigma convert -t elasticsearch rule.yml# Convert to QRadarsigma convert -t qradar rule.yml# Convert to Microsoft Sentinel (KQL)sigma convert -t sentinel rule.yml
8.5 Suricata Rule Creation
Network IDS rule for C2 traffic (Suricata 5+ sticky-buffer syntax):
Legacy modifier-style syntax (content:"POST"; http_method;) was deprecated in Suricata 5. Modern rules use sticky buffers (http.method; content:"POST";) — keyword first, then content matches that follow apply to that buffer until another sticky buffer or pkt_data; is set.
Use SID range 1000000–1999999 for site-local custom rules; 2000000+ is reserved for Emerging Threats. Reusing ET SIDs causes merge conflicts on rule update.
DNS-based detection:
alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Suspicious DGA Domain Query"; dns.query; content:".tk"; nocase; sid:1234568; rev:1;)
Test Suricata rules:
# Test rule syntaxsuricata -T -c /etc/suricata/suricata.yaml -S custom.rules# Run Suricata on PCAPsuricata -r sample_traffic.pcapng -S custom.rules -l /var/log/suricata/
9. Reporting & Documentation
9.1 Malware Analysis Report Template
# Malware Analysis Report## Executive Summary- **Malware Family:** Emotet (Variant A)- **Threat Level:** High- **Initial Vector:** Phishing email with malicious attachment- **Primary Capability:** Banking trojan, credential theft, lateral movement- **Recommended Action:** Block all network IOCs, hunt for persistence mechanisms---## Case Metadata| Field | Value ||--------------------|------------------------------------------|| Case ID | CASE-2025-1005-001 || Sample ID | SAM-20251005-1430-001 || Analyst | Analyst Name || Analysis Date | 2025-10-05 || Filename (original)| invoice_2025.exe || SHA256 | a1b2c3d4e5f6... || File Size | 245 KB || File Type | PE32 executable (GUI) x86, for MS Windows|---## Technical Analysis### Static Analysis**File Properties:**- Compiler: Microsoft Visual C++ 8.0- Timestamp: 2025-09-28 14:23:11 UTC (possibly forged)- Digital Signature: None- Packer: UPX (detected and unpacked)- Entropy: 7.2 (high - indicates encryption/packing)**Capabilities (CAPA):**- Network communication (URLDownloadToFile, InternetOpen)- Process injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)- Persistence via registry (RegSetValue)- Credential theft (CredEnumerate, LsaEnumerateLogonSessions)**Suspicious Strings:**- hxxp://malicious[.]com/payload[.]exe- 192[.]168[.]56[.]101- HKCU\Software\Microsoft\Windows\CurrentVersion\Run- Global\M12345 (mutex)- C:\Users\Public\svchost.exe (dropped file)### Dynamic Analysis**Execution Flow:**1. Creates mutex "Global\M12345" to prevent multiple infections2. Drops secondary payload to C:\Users\Public\svchost.exe3. Establishes persistence via registry Run key4. Injects code into explorer.exe5. Connects to C2 server at 192[.]168[.]56[.]101:4436. Exfiltrates credentials via HTTP POST**Persistence Mechanisms:**- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender- Scheduled Task: N/A- Service: N/A**Network Behavior:**- DNS queries: malicious[.]com, c2-server[.]tk- C2 communication: HTTPS POST to 192[.]168[.]56[.]101:443- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"- Beacon interval: 60 seconds---## Indicators of Compromise (IOCs)### File Hashes| Hash Type | Value ||-----------|--------------------------------------------------------------------|| SHA256 | a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890 || SHA1 | 1234567890abcdef1234567890abcdef12345678 || MD5 | 12345678901234567890123456789012 |### Dropped Files| Filename | SHA256 | Path ||------------------------------|-------------------|-----------------------------|| svchost.exe | b2c3d4e5f6... | C:\Users\Public\svchost.exe |### Network Indicators (Medium Confidence - Dynamic)| Type | Value (Defanged) | Context ||--------|---------------------------|--------------------|| Domain | malicious[.]com | C2 server || Domain | c2-server[.]tk | Backup C2 || IP | 192[.]168[.]56[.]101 | C2 IP address || URL | hxxps://malicious[.]com/api | C2 callback URL |### Host Indicators (High Confidence - Static)| Type | Value ||--------------|---------------------------------------------------------|| Mutex | Global\M12345 || Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender || File Path | C:\Users\Public\svchost.exe |---## MITRE ATT&CK Mapping| Tactic | Technique ID | Technique Name | Evidence ||------------------|---------------|---------------------------------|-----------------------------------|| Execution | T1059.003 | Windows Command Shell | cmd.exe spawned by sample || Persistence | T1547.001 | Registry Run Keys | HKCU\...\Run key created || Defense Evasion | T1055.001 | Process Injection | Code injected into explorer.exe || Credential Access| T1003.001 | LSASS Memory Dump | LsaEnumerateLogonSessions called || Command & Control| T1071.001 | Web Protocols (HTTP/HTTPS) | HTTPS POST to C2 || Exfiltration | T1041 | Exfiltration Over C2 Channel | Credentials sent via HTTP POST |---## Detection & Hunting Guidance### YARA Rule```yararule Malware_Emotet_VariantA { meta: description = "Detects Emotet variant A" author = "Analyst Name" date = "2025-10-05" hash = "a1b2c3d4e5f6..." strings: $mutex = "Global\\M12345" wide $c2 = "malicious.com" ascii $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii condition: uint16(0) == 0x5A4D and 2 of them}### Sigma Rule (Process Creation)```yamltitle: Emotet Registry Persistencedetection: selection: CommandLine|contains: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' condition: selection### Hunting Queries**Splunk:**index=windows EventCode=1 (CommandLine="*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR Image="*\\svchost.exe" AND Image!="C:\\Windows\\System32\\svchost.exe")**Elastic:**event.code:1 AND (process.command_line:*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR (process.executable:*svchost.exe AND NOT process.executable:C\:\\Windows\\System32\\svchost.exe))---## Recommendations### Immediate Actions1. **Block network IOCs** at firewall/proxy (malicious[.]com, c2-server[.]tk, 192.168.56.101)2. **Hunt for mutex** "Global\M12345" on endpoints3. **Check registry Run keys** for "Windows Defender" entry pointing to non-standard path4. **Search for file** C:\Users\Public\svchost.exe across environment### Remediation Steps1. Isolate infected hosts from network2. Kill malicious processes (svchost.exe in C:\Users\Public\)3. Delete dropped files and registry persistence4. Reset credentials for affected users5. Re-image compromised systems### Long-term Mitigations- Enable PowerShell logging (ScriptBlock, Module, Transcription)- Deploy endpoint detection and response (EDR) solution- Implement application whitelisting- User security awareness training on phishing---## Appendix### Evidence Files- `sample.exe` (original) - SHA256: a1b2c3d4e5f6...- `sample_unpacked.exe` - SHA256: b2c3d4e5f6...- `svchost.exe` (dropped) - SHA256: c3d4e5f6...- `procmon_output.csv` - Process Monitor logs- `traffic_capture.pcapng` - Network traffic capture- `regshot_comparison.html` - Registry changes### Analysis Tools Used- FLOSS 2.3 (string extraction)- CAPA 7.0 (capability detection)- PE-bear 0.6 (PE analysis)- Procmon 3.95 (behavioral analysis)- Wireshark 4.0 (network analysis)### References- MITRE ATT&CK: https://attack.mitre.org/- VirusTotal: https://www.virustotal.com/gui/file/<SHA256>- MalwareBazaar: https://bazaar.abuse.ch/---**Report Date:** 2025-10-05**Last Updated:** 2026-04-25
1. Upload sample to https://app.any.run
2. Select Windows version and network simulation
3. Interact with sample (click buttons, wait for execution)
4. Review process tree, network traffic, file operations
5. Download PCAP and artifacts
Joe Sandbox (cloud/on-prem):
# Submit via jbxapijbxapi submit sample.exe --systems win10x64# Wait for analysisjbxapi status <submission_id># Download reportjbxapi download <submission_id> --type html > joe_report.htmljbxapi download <submission_id> --type json > joe_report.json
10.3 Reverse Engineering Workflow
Disassembly with IDA Pro/Ghidra:
# IDA Pro workflow
1. Open sample.exe in IDA Pro
2. Auto-analysis completes
3. Navigate to Functions window
4. Find entry point (start/main function)
5. Identify interesting functions:
- Network functions (send, recv, InternetOpen)
- Crypto functions (CryptEncrypt, AES_encrypt)
- String decryption routines
6. Set breakpoints for dynamic analysis
7. Use F5 (Hex-Rays) to decompile to pseudocode
# Ghidra workflow (free alternative)
1. Create new project
2. Import sample.exe
3. Analyze with default options
4. Use Symbol Tree to find functions
5. Decompiler window shows pseudocode
6. Look for XREFs to suspicious functions
Dynamic debugging with x64dbg:
1. Open sample.exe in x64dbg
2. Set breakpoints on:
- VirtualAlloc (memory allocation)
- CreateRemoteThread (process injection)
- InternetConnect (network connection)
- RegSetValue (persistence)
3. Run until breakpoint
4. Step through code (F7 - step into, F8 - step over)
5. Dump decrypted strings or payloads from memory
6. Follow execution flow to understand behavior
Anti-analysis bypass:
Common anti-analysis techniques and bypasses:
| Technique | Detection Method | Bypass |
|------------------------|--------------------------------------|----------------------------------|
| IsDebuggerPresent | Check PEB.BeingDebugged flag | Patch return value to 0 |
| CheckRemoteDebugger | NtQueryInformationProcess | Patch return value |
| RDTSC timing check | Measure execution time | Hardware breakpoints instead |
| VM detection (CPUID) | Check hypervisor bit | Modify CPUID response |
| Sandbox sleep evasion | Sleep(300000) before execution | Patch sleep call or hook API |
10.4 Modern EDR / AV Evasion Techniques
Modern post-2022 commodity loaders and APT toolkits routinely chain the techniques below. Recognize the import-table fingerprints during static analysis (§3) and the runtime artifacts during dynamic analysis (§4) so the report’s MITRE mapping reflects the real surface.
ETW patching (T1562.006 — Indicator Blocking)
The malware locates EtwEventWrite (or NtTraceEvent) in ntdll.dll, calls VirtualProtect to make the page writable, and overwrites the function prologue with 0xC3 (a single ret). All ETW telemetry — which most modern EDRs depend on — goes silent for the process for the rest of its lifetime.
Static fingerprint:GetProcAddress resolving EtwEventWrite / NtTraceEvent followed by VirtualProtect and a tiny WriteProcessMemory / memcpy (1–8 bytes).
Dynamic fingerprint: suspicious page-protection flips on ntdll!EtwEventWrite followed by absence of expected ETW providers from the process.
AMSI bypass (T1562.001 — Disable or Modify Tools)
Patches AmsiScanBuffer (or AmsiScanString) inside amsi.dll to short-circuit the scan. Two common patch shapes:
Force S_OK (0) plus AMSI_RESULT_CLEAN (0) so the caller treats every buffer as benign.
Force E_INVALIDARG (0x80070057) so the caller’s “scan failed → fail-open” path is taken.
Static fingerprint:LoadLibrary("amsi.dll") → GetProcAddress("AmsiScanBuffer") → VirtualProtect → small write (1–8 bytes). Or, in PowerShell loaders: reflection on [System.Management.Automation.AmsiUtils] field amsiInitFailed.
Effect: malicious PowerShell, VBScript, JScript, and Office macros pass AMSI without scanning. Combine with the §6.4 / §6.7 deobfuscation idioms when triaging the dropped scripts.
Bypasses user-mode hooks placed by EDRs on ntdll.dll exports by issuing the raw syscall (x64) or sysenter (x86) instruction with the correct System Service Number (SSN) for the target Nt-API. Common targets: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtMapViewOfSection.
Static fingerprint:syscall / sysenter instructions inside non-system modules (find with objdump -d sample.exe | grep -E "syscall|sysenter" or IDA “Search → Text”); imports for ntdll.dll look implausibly thin given the observed behavior; runtime SSN-resolution stubs that scan ntdll for mov eax, <imm32>; syscall patterns (Hell’s Gate / Halo’s Gate signature).
Effect: EDR user-mode hooks on the corresponding ntdll exports never fire — the kernel side sees the call but the inline instrumentation does not.
PPID spoofing (T1134.004 — Parent PID Spoofing)
The malware calls OpenProcess on an unrelated, high-privilege process (explorer.exe, svchost.exe), passes that handle to UpdateProcThreadAttribute(PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), then calls CreateProcess with the populated STARTUPINFOEX. The child appears to be parented by the impersonated process in every standard log source.
Dynamic fingerprint: Sysmon Event ID 1 records show implausible parent–child relationships (e.g., winword.exe → cmd.exe masked as explorer.exe → cmd.exe). Cross-check against Event ID 10 (ProcessAccess) from the spoofing process to detect the underlying OpenProcess.
Module stomping / DLL hollowing (T1055.013 — Process Doppelgänging variant)
LoadLibrary brings a legitimate, signed DLL into memory, then the malware overwrites that DLL’s .text section with shellcode and transfers execution there. EDR module-load events show only the trusted DLL; the malicious code runs under its name.
Static fingerprint:LoadLibraryEx followed by VirtualProtect(PAGE_EXECUTE_READWRITE) and WriteProcessMemory / memcpy targeting the loaded module’s base address.
Distinguish from process hollowing: in stomping, the host process is not suspended; only the loaded DLL is overwritten. In hollowing, a fresh process is spawned suspended, unmapped, and replaced.
Avoids CreateThread / CreateRemoteThread (heavily monitored) by using legitimate Windows callback APIs to dispatch shellcode. Common primitives: EnumChildWindows, EnumDesktopWindows, CreateTimerQueueTimer, TpAllocWork / TpPostWork / TpReleaseWork, SetTimer, EnumSystemLocales, EnumTimeFormatsEx. The shellcode pointer is passed as the callback argument.
Static fingerprint: the callback API is called with a target address that resolves to RWX heap or to a VirtualAlloc-returned region rather than an actual code symbol.
Tool support for the analyst:
Tool
Purpose
al-khaser
Tests 170+ anti-analysis checks; validate VM hardening before evasive-sample analysis.
pafish
Lightweight VM/sandbox detection tester; faster than al-khaser for quick checks.
pe-sieve
Scans a running PID for hollowed sections, RWX shellcode, replaced modules; dumps for static analysis.
hollows_hunter
Same family as pe-sieve, scans system-wide.
ScyllaHide
x64dbg / OllyDbg / IDA plugin that transparently patches PEB.BeingDebugged, NtGlobalFlag, NtQueryInformationProcess, GetTickCount, and exception-based detections.
TitanHide
Kernel-mode debugger-hiding driver for samples that bypass user-mode hooks via direct syscalls.
10.5 Common Pitfalls & Best Practices
❌ Common Mistakes:
Running malware on host system (always use isolated VM)
Uploading samples to public sandboxes (may alert adversary)
Not taking VM snapshots before execution (cannot reproduce)
Analyzing packed samples without unpacking (miss true behavior)
Canonical legal framework: see Legal & Ethics. Do not re-derive jurisdiction, statute, or authorization rules in this SOP — read them from the canonical source and apply.
OPSEC for the analyst (lab isolation, sample-handling discipline, network egress, attribution separation): see OPSEC Plan. Malware analysis leaks more than typical defensive work — sandbox detonation traffic, sample hashes pasted into VirusTotal, and lab VM telemetry can each tip a live adversary or burn a victim engagement.
Malware-analysis-specific guardrails:
Authorization in writing. Names the malware family, the customer / victim environment, the lab perimeter, the disposition decision (analyse-only vs share / publish), and the disclosure path (CERT, ISAC, vendor, public). Sample-sharing carve-out should be explicit if the sample originates from a customer environment.
Sample-handling discipline. Sealed transport (encrypted container with passphrase out-of-band), one-way analyst-to-lab flow, no analyst-host execution, no execution outside the isolated lab VLAN. Sample destruction policy at engagement close is documented in writing.
No live infrastructure interaction. Do not connect to live C2, do not register sinkhole domains without coordination with the relevant CERT / vendor / law-enforcement, do not interact with the operator. Even passive DNS / WHOIS pivots from analyst infrastructure can tip the adversary; route via blind pivot (WHOIS OSINT OPSEC).
CSAM / illegal-content discipline. If a sample contains or fetches child sexual abuse material, terrorism material, or other content that is per-se illegal to possess in the analyst’s jurisdiction: stop the engagement, preserve the sealed container without re-opening, do not extract / catalogue / share, and route via Sensitive Crime Intake & Escalation. Possession defences for analysts vary by jurisdiction; counsel review is mandatory before any further handling.
VirusTotal / public-sandbox discipline. Public submission of a customer’s sample exposes the engagement and can tip the adversary; treat as a customer-authorization decision, not an analyst-default action. Where authorized, submit hashes (SHA-256) before submitting the binary; use private-tier sandboxes (Joe Sandbox private, ANY.RUN private, Tria.ge enterprise) where analyst attribution / customer disclosure is the concern.
PII minimization (GDPR / UK DPA / CCPA / sectoral). Sample artefacts (config files, captured credentials, victim-side data fragments) may contain PII. Minimize collection to the analytical purpose; document lawful basis (legitimate interest / legal claim / regulator-mandated) per artefact class. Non-customer victim PII is the highest-risk class.
Disclosure path. Customer first, then CERT / ISAC / vendor at customer’s direction. Public publication (blog, conference talk, GitHub indicator drop) is a customer decision with a documented timeline; even after “approval,” scrub for victim-identifying detail and rotate IOCs that would tip an active adversary.
Court-admissibility tradecraft. Pin tool versions; capture raw artefacts; cross-corroborate vendor classifications with at least one independent method (per §11 QA & Peer Review). Provenance chain (intake → sealed container → lab artefact → IOC → report) per Collection Log.
Mandatory reporting. If operating inside a regulated entity, route findings via the CISO / SOC manager / counsel chain. Outside, route serious findings (active CSAM distribution, terrorism funding, threat-to-life payloads, critical-infrastructure malware) via the appropriate national authority — see Sensitive Crime Intake & Escalation.
Log every action. Sample hash, intake timestamp UTC, lab VM ID, tool versions, action, hash of saved artefact — per Collection Log format. Admissibility depends on the unbroken chain.
📦 This SOP is designed for Obsidian vault integration. Link from incident case folders or use as standalone reference for malware analysis workflows.