Malware analysis: step-by-step analysis of a sample from statics to dynamics

Depov

Preparing the environment
Before you open the first file, a word about hardware and isolation. A mistake at this stage costs the compromise of the workstation.

Hardware requirements:

[Image: hardware requirements table]


Software stack - two VMs:
• Windows (FlareVM, a Mandiant project actively maintained on GitHub): IDA Pro or Ghidra, x64dbg, Detect It Easy (DIE), PEStudio, Process Monitor, Process Hacker, Wireshark, FakeNet-NG, Regshot, HxD, Scylla (an x64dbg plugin for dumping and IAT recovery).
• Linux (REMnux): radare2 (current version 6.1.5, under active development), YARA, oletools, the strings utility, FLOSS.
Network isolation: a host-only virtual network. The Internet is simulated with FakeNet-NG on Windows or INetSim on REMnux. The sample receives answers to its DNS and HTTP requests, but the traffic never leaves the host. A snapshot of the clean system is taken before the first contact with the sample; without it there is no reproducibility and no clean rollback.
Static Analysis of malware: from hash to structure
Static analysis is examination of the file without running it. It is safe and gives the first picture in 15-30 minutes. Decisions made here determine the further strategy: whether unpacking is needed, which hypotheses to test in dynamics, and which functions to focus the reversing on.
Hashing and Exploration on Open Bases
The first step is to compute the hashes. In PowerShell: Get-FileHash -Algorithm SHA256 .\sample.exe. SHA256 is the primary identifier in all databases and reports. MD5 and SHA1 are kept for compatibility with old databases, but both are susceptible to collisions, so they are not suitable for verification.

The SHA256 is submitted to VirusTotal. If the sample is known, study the Detection, Behavior and Relations tabs. The number of detections says little: 3/72 does not mean a "clean file", and 60/72 does not guarantee that analysis is no longer needed. The detection names are useful; they often encode the family: Trojan.GenericKD, Stealer.MSIL, Packed.Win32. That is the starting point for attribution.

If VirusTotal returns 0/72, the sample is either fresh or modified. For the analyst this is the signal for a full manual analysis.

Decision point: if the sample is described in detail in reports → compare the IOCs and confirm its presence in the infrastructure. If the sample is unknown or fresh → move on to full analysis.
Analysis of PE Headers and Packing Indicators
Load the sample in Detect It Easy (DIE). What to look at:

TimeDateStamp, the compilation date. A value of 1970-01-01 or a date in the future means the timestamp was reset or forged, a typical technique for hindering attribution.

Section entropy. A normal .text section has an entropy of 5.5-6.5. A value above 7.0 is a marker of compression or encryption. A UPX1 section or a non-standard section with entropy 7.8+ means the sample is almost certainly packed. This is Software Packing (T1027.002, Defense Evasion in MITRE ATT&CK): malware authors pack the code to bypass signature-based detection.

Size discrepancy. If the VirtualSize of sections is much larger than SizeOfRawData, the packed code unpacks in memory and takes more space there than on disk. A telling sign.

Imports. An import table of 5-10 functions (LoadLibraryA, GetProcAddress, VirtualAlloc) means we are looking at a packer that resolves the real imports at runtime. A developed table with CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtUnmapViewOfSection is a direct indication of code injection, most likely Process Hollowing (T1055.012, Defense Evasion / Privilege Escalation). The combination InternetOpenA, InternetConnectA, HttpSendRequestA means potential network activity, C2 through Web Protocols (T1071.001, Command and Control).
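As an added example that is not from the original post, a small Python script that reads the COFF header and section table with struct and reports the three indicators described above (timestamp, section entropy, VirtualSize vs SizeOfRawData). The constructed sample PE and the 2x size threshold are this example's own assumptions.

```python
import math
import struct
import time

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is uniform, 0.0 is a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_pe(pe: bytes, now=None) -> dict:
    """Read the COFF header and section table; report the packing indicators named above."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER follows the signature
    _, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    now = time.time() if now is None else now
    ts_note = "reset (1970-01-01)" if ts == 0 else "in the future" if ts > now else "plausible"
    sections, packed = [], False
    for i in range(nsec):                  # 40-byte IMAGE_SECTION_HEADERs after the optional header
        name, vsize, _, rsize, rptr, *_ = struct.unpack_from("<8sIIIIIIHHI", pe, fh + 20 + opt_size + i * 40)
        ent = entropy(pe[rptr:rptr + rsize])
        flags = []
        if ent > 7.0:
            flags.append("entropy > 7.0: compressed or encrypted")
        if name.startswith(b"UPX"):
            flags.append("UPX section name")
        if vsize > 2 * rsize:              # "much larger": 2x is this example's threshold (assumption)
            flags.append("VirtualSize >> SizeOfRawData: unpacks in memory")
        packed = packed or len(flags) >= 2
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": round(ent, 2),
                         "virtual_size": vsize, "raw_size": rsize, "indicators": flags})
    return {"timestamp": ts_note, "sections": sections, "likely_packed": packed}

def build_sample_pe() -> bytes:
    """Constructed 32-bit PE, not a real sample: a benign .text plus a UPX1-style packed section."""
    text = b"\x55\x8b\xec\x90" * 128        # 512 bytes of a repeating prologue: entropy 2.0
    packed = bytes(range(256)) * 16        # 4096 bytes, every byte value equally often: entropy 8.0
    raw_text = 0x40 + 4 + 20 + 224 + 2 * 40  # DOS header + signature + file header + optional header + 2 sections
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)   # TimeDateStamp = 0 (reset)
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * 222
    secs = struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, raw_text, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x20000, 0x2000, 4096, raw_text + 512, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + secs + text + packed
```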
Strings, FLOSS and the First Hypotheses
The strings utility extracts ASCII and Unicode strings from a binary. On an unpacked PE the result is rich: C2 URLs, persistence paths, mutex names, User-Agent strings. On a packed one, garbage.

For obfuscated strings take FLOSS (FireEye Labs Obfuscated String Solver): floss sample.exe. FLOSS attempts to deobfuscate XOR-, stack- and Base64-encoded strings. The result is often IOCs that strings simply cannot see.

What to look for in the output:
• IP addresses and domains - candidates for C2 servers
• Paths of the form %APPDATA%\Microsoft\ - a typical location for persistence
• Mozilla/5.0 strings - the User-Agent for HTTP communications
• Registry paths with CurrentVersion\Run - autostart
• Mutex names - a unique identifier that prevents a double start
Limitation: static analysis does not see strings that are built at runtime. If the sample decrypts its C2 configuration only after launch, that IOC is left for the dynamic stage. There is nothing you can do about it; you will have to run it.
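An added example, not part of the original post, of the single-byte XOR brute force that FLOSS automates: the buffer is decoded with every key and only decoded runs matching an IOC class from the list above are kept. The IOC regexes, the constructed blob and its 0x5A key are assumptions of the example.

```python
import re

# One regex per artifact class the list above names; the patterns are this example's own.
IOC_PATTERNS = {
    "url_or_domain": re.compile(rb"(?:https?://)?[a-z0-9-]{3,}(?:\.[a-z0-9-]+)*\.(?:xyz|club|com|net|org|ru)(?:/[\w./-]*)?"),
    "appdata_path": re.compile(rb"%APPDATA%\\[\w\\.-]+"),
    "user_agent": re.compile(rb"Mozilla/5\.0[ -~]*"),
    "run_key": re.compile(rb"CurrentVersion\\Run"),
}

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """What the strings utility shows: runs of printable ASCII of at least min_len bytes."""
    return re.findall(rb"[ -~]{%d,}" % min_len, data)

def xor_decode_strings(data: bytes, min_len: int = 8) -> list:
    """Single-byte XOR brute force in the spirit of FLOSS: decode the whole buffer with
    every key 0x01-0xFF and keep decoded runs that match an IOC pattern.
    Returns sorted (key, kind, decoded_ioc) tuples; key 0x00 is just the plain strings output."""
    hits = set()
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        for run in ascii_strings(decoded, min_len):
            for kind, pattern in IOC_PATTERNS.items():
                m = pattern.search(run)
                if m:
                    hits.add((key, kind, m.group(0).decode()))
    return sorted(hits)

def build_sample_blob() -> bytes:
    """Constructed 'binary', not a real sample: a few plain import names followed by a
    stealer-style config (C2 URL, persistence path, User-Agent) XOR-encoded with key 0x5A."""
    key = 0x5A
    plain = b"\0\0KERNEL32.dll\0GetProcAddress\0VirtualAlloc\0\0\0"
    config = b"\n".join([b"http://panel-c2.xyz/gate.php",
                         b"%APPDATA%\\Microsoft\\svchost.exe",
                         b"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"])
    return plain + bytes(b ^ key for b in config) + b"\xff" * 8
```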
Unpacking and Deobfuscation: Removing the Protective Layers
If DIE shows a packer, the import table and the strings are useless until unpacking. In Russian-language write-ups, unpacking is usually mentioned in one line. In practice it is a separate stage that takes from 5 minutes to hours.

UPX is the trivial case. DIE identified UPX: upx -d sample.exe, and it is done. Result: a clean PE with an IAT. After unpacking, repeat the full cycle of static malware analysis: imports, strings, section entropy.

Custom packer: manual unpacking in x64dbg. Most real samples use non-standard packers. Algorithm:
1. Load the sample in x64dbg. Breakpoint on VirtualAlloc or VirtualProtect, the points where the packer allocates memory for the unpacked code.
2. Run (F9). When the breakpoint hits, check the arguments: if a block is allocated with PAGE_EXECUTE_READWRITE (0x40) rights, that is the target region.
3. Hardware breakpoint on write in the allocated region. When the packer finishes unpacking, the breakpoint fires for the last time.
4. Look for the transition to the Original Entry Point (OEP): a jmp or push/ret to an address outside the packer's section.
5. At the OEP dump the process through Scylla: Dump → IAT Autosearch → Get Imports → Fix Dump.
Recovering the Import Address Table through Scylla is the key moment. Without a correct IAT, the dumped PE will not load into IDA Pro with the correct function names. Sometimes part of it remains unresolved: the packer used GetProcAddress with hashed function names; then you have to resolve them by hand, and that is a separate pleasure.

All of this is the implementation of Deobfuscate/Decode Files or Information (T1140, Defense Evasion): the sample restores its own code at runtime to bypass signature-based detection.

When manual unpacking does not work: multi-layer packing or virtualizing protectors (Themida, VMProtect) convert the code into custom VM bytecode. Here it is more effective to go to dynamic analysis and simply dump the unpacked code from the memory of the running process through Process Hacker or Volatility.
Dynamic Analysis of Malware in an Isolated Environment
Statics gave structure and hypotheses. Dynamic analysis checks them by launching the sample and observing its real behavior. It is the most informative stage and the one most dependent on the quality of the sandbox preparation.
Sandbox Configuration and Anti-Analysis Detection
Before running: roll back to the clean snapshot, launch the monitoring tools, start FakeNet-NG.

Modern malware checks whether it is running in a VM or under a debugger. System Checks (T1497.001, Defense Evasion / Discovery) are implemented through:
• Registry: keys HKLM\SOFTWARE\VMware, Inc.\VMware Tools, HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
• CPUID: leaf 0x40000000, where the hypervisor returns a string identifier
• MAC address: the first three octets 00:0C:29 (VMware), 08:00:27 (VirtualBox)
• System resources: a single core and 2 GB RAM is a sign of a sandbox
• Running processes: wireshark.exe, procmon.exe, x64dbg.exe
• API checks: IsDebuggerPresent(), the BeingDebugged flag in the PEB, NtQueryInformationProcess
How to deal with this:

The ScyllaHide plugin in x64dbg hides the debugger from most standard checks (PEB flags, timing checks). Change the MAC address in the VM settings, avoiding the OUIs of virtualization vendors. VMware Tools and VirtualBox Guest Additions are not installed. Set a realistic number of cores (4+), RAM (4+ GB) and "household" software: Chrome, Office, some documents on the desktop. An empty system without a single file is a sandbox, and the malware knows it.

Limitation: some samples do not check for a VM at all but do not start their main activity until they see mouse movement or key presses for a certain time. For such cases an AutoIt script that imitates user behavior helps.
Behavioral Malware Analysis: Processes, Files, Registry
Process Monitor with a filter by process name. Process Hacker: the process tree in real time. Regshot: a snapshot of the registry before and after.

File activity. The stealer copies itself to %APPDATA% or %TEMP%, creates a configuration file, collects data from browser profiles (the Login Data, Cookies and Web Data files in the Chrome and Firefox directories). Process Monitor filter: Operation = CreateFile, Path contains AppData.

Registry. Autostart through HKCU\Software\Microsoft\Windows\CurrentVersion\Run is the simplest persistence. Regshot shows the difference: a new key with the path to the copy of the sample.

Processes: here is Process Hollowing (T1055.012). The sample launches a legitimate process (svchost.exe, explorer.exe or notepad.exe) in a suspended state through CreateProcess with the CREATE_SUSPENDED flag, then replaces its image in memory through a sequence of Native API (T1106, Execution) calls: NtUnmapViewOfSection → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread. In Process Hacker it looks like notepad.exe, which suddenly sends HTTP requests and reads browser profile files. A notepad that goes out to the Internet is, you will agree, suspicious.

Detecting hollowing: in Process Hacker open the properties of the suspicious process, Memory tab → look for a region with RWX rights. A legitimate notepad.exe has no RWX regions. Compare the image path in memory with the one on disk: with hollowing they do not match.

System information collection: System Discovery (T1082, Discovery). The sample requests the computer name (GetComputerNameA), user name (GetUserNameA), OS version (GetVersionExA) and the list of installed software. This data goes to the C2 as part of the initial bot registration.
Network Analysis and Identification of C2 Channels
FakeNet-NG intercepts DNS queries and HTTP/HTTPS traffic. Wireshark writes a pcap for detailed analysis.

The DNS query is the first network IOC. The sample resolves the C2 domain: often a DGA-generated name (random characters + .xyz/.club) or a compromised domain. FakeNet-NG answers the request, the sample continues working, and we see the C2 protocol.

HTTP traffic. Stealers send the collected data in a POST request (T1071.001, Web Protocols). In the body: a Base64- or XOR-encoded blob with stolen credentials. URIs often contain the campaign identifier: /gate.php, /panel/upload.php, /api/submit. Exfiltration Over C2 Channel (T1041, Exfiltration): data and command traffic go through one channel, which for defenders simplifies detection.

Domains, IP addresses, URI patterns, User-Agent: all of these are network IOCs for firewall and proxy rules.
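As an added example that is not part of the original post, a detector that applies the network indicators above (gate URIs, encoded POST bodies, DGA-looking hosts on .xyz/.club) to constructed log lines. The log format, the vowel-ratio DGA heuristic and the fake credential blob are assumptions of the example, not FakeNet-NG's or Wireshark's real output.

```python
import base64

GATE_URIS = ("/gate.php", "/panel/upload.php", "/api/submit")  # URIs named in the analysis
SUSPECT_TLDS = (".xyz", ".club")                               # TLDs named in the analysis

def looks_dga(host: str) -> bool:
    """Heuristic (this example's assumption): a suspect TLD plus a long, vowel-poor first label."""
    label = host.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return host.endswith(SUSPECT_TLDS) and len(label) >= 8 and vowels / len(label) < 0.2

def decode_body(body: str):
    """Return the Base64-decoded body as text if it decodes to printable ASCII, else None."""
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

def analyze_log(log: str) -> list:
    """Flag lines matching the C2 pattern from the text: POST to a gate URI with an
    encoded body, and/or a DGA-looking host. Each line is 'method host uri user-agent body'."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        method, host, uri, _ua, body = line.split(maxsplit=4)
        reasons = []
        if looks_dga(host):
            reasons.append("DGA-like host")
        if method == "POST" and uri in GATE_URIS:
            reasons.append("POST to known gate URI")
        decoded = decode_body(body) if method == "POST" else None
        if decoded is not None:
            reasons.append("Base64 body: " + decoded)
        if reasons:
            findings.append({"line": n, "host": host, "uri": uri, "reasons": reasons})
    return findings

def build_sample_log() -> str:
    """Constructed log (simplified format of this example); the exfil body is Base64 of a fake credential blob."""
    exfil = base64.b64encode(b"id=bot123&user=admin&pw=hunter2").decode()
    return "\n".join([
        "GET update.microsoft.com /windowsupdate/v6/default.aspx Mozilla/5.0 -",
        f"POST qx7vk2pwz9.xyz /gate.php Mozilla/5.0 {exfil}",
        "GET www.example.com /index.html Mozilla/5.0 -",
        "POST cdn-files.club /panel/upload.php Mozilla/5.0 ZGF0YT1mb28=",
    ])
```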

Formation of IOCs and Mapping to MITRE ATT&CK
Malware analysis is not an end in itself. Its output is actionable data for the SOC, the IR team and threat hunting.

Summary of MITRE ATT&CK techniques:

[Image: summary table of MITRE ATT&CK techniques]


YARA rule based on unique artifacts:
Code:
rule Infostealer_Sample {
    meta:
        description = "Based on manual analysis artifacts"
        author = "analyst"
    strings:
        $mutex = "Global\\AppMutex_7F3A" ascii
        $uri = "/gate.php" ascii
        $xor_loop = { 30 ?? 46 3B ?? 72 F8 }
        $hollowing = { 68 04 00 00 00 FF 15 }
    condition:
        uint16(0) == 0x5A4D and 2 of them
}
The rule combines string IOCs (mutex, URI) and byte patterns (the XOR loop, CreateProcess with the SUSPENDED flag). The threshold of 2 of 4 reduces false positives when detecting variants of the sample.
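An added example, not from the original post, that evaluates the rule above in plain Python so the condition can be seen working: the hex patterns with ?? wildcards become bytes regexes, uint16(0) is read little-endian, and "2 of them" is a match count. The test buffers are constructed, not real malware.

```python
import re

# The rule's strings transcribed as data: identifier -> (kind, value).
RULE_STRINGS = {
    "$mutex": ("ascii", b"Global\\AppMutex_7F3A"),
    "$uri": ("ascii", b"/gate.php"),
    "$xor_loop": ("hex", "30 ?? 46 3B ?? 72 F8"),    # xor [r/m8],r8; inc esi; cmp r32,r/m32; jb -8
    "$hollowing": ("hex", "68 04 00 00 00 FF 15"),   # push 4 (CREATE_SUSPENDED); call dword ptr [imp]
}
MIN_MATCHES = 2   # the rule's "2 of them"

def hex_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string with ?? wildcards into a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)])) for tok in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def evaluate_rule(data: bytes) -> dict:
    """Mimic the rule's condition: uint16(0) == 0x5A4D and 2 of them."""
    matched = []
    for ident, (kind, value) in RULE_STRINGS.items():
        rx = re.compile(re.escape(value)) if kind == "ascii" else hex_to_regex(value)
        m = rx.search(data)
        if m:
            matched.append((ident, m.start()))
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D   # bytes 4D 5A = "MZ"
    return {"mz": is_mz, "matched": matched, "fires": is_mz and len(matched) >= MIN_MATCHES}

def build_samples() -> dict:
    """Constructed buffers (not real malware): a PE-like blob with two artifacts, one with a
    single artifact, and a non-PE file that carries all four but must not fire."""
    pe_stub = b"MZ" + b"\0" * 62 + b"PE\0\0"
    xor_loop = bytes.fromhex("30 07 46 3B F1 72 F8")          # wildcards filled with concrete bytes
    suspended = bytes.fromhex("68 04 00 00 00 FF 15 10 20 40 00")
    return {
        "two_artifacts": pe_stub + b"Global\\AppMutex_7F3A\0" + xor_loop,
        "one_artifact": pe_stub + b"/gate.php\0",
        "not_pe": b"\x7fELF" + b"Global\\AppMutex_7F3A\0/gate.php\0" + xor_loop + suspended,
    }
```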

Delivery of results: SHA256 hash, network IOCs (domains, IP, URI), file IOCs (paths, mutexes), YARA rules, ATT&CK mapping. The package goes to the SIEM (correlation), firewall/proxy (blocking) and TIP (enrichment of alerts).

Place in the kill chain: malware analysis is an end-to-end activity. In incident response it starts after the discovery of an artifact (EDR, a suspicious file on a host) and runs in parallel with containment. In threat hunting, IOCs from one sample expand the search across the infrastructure. The median dwell time of an attacker on the network is 11 days (Mandiant M-Trends 2025). Every hour of quality analysis shortens this window: IOCs from one disassembled sample allow you to detect related compromises before the attacker reaches the final goal.
 