Opening Framing
When malware is discovered during an investigation, understanding what it does becomes critical. Does it steal credentials? Does it provide remote access? Does it spread laterally? Does it encrypt files? The answers determine incident scope, remediation steps, and whether the organization faces a minor infection or a catastrophic breach.
Malware forensics bridges digital forensics and malware analysis. While full reverse engineering requires specialized skills and tools, forensic examiners need enough capability to triage samples, extract indicators of compromise (IOCs), understand basic behavior, and determine impact. This knowledge informs the investigation and enables detection across other systems.
This week covers malware triage methodology, static analysis fundamentals, dynamic analysis concepts, indicator extraction, persistence mechanisms, and C2 communication patterns. You'll learn to analyze suspicious files safely and extract actionable intelligence for your investigations.
Key insight: You don't need to fully reverse engineer malware to understand its impact. Triage and indicator extraction provide 80% of the value with 20% of the effort.
1) Malware Triage Process
Effective malware analysis starts with systematic triage to quickly assess what you're dealing with:
Malware Triage Workflow:
┌─────────────────────────────────────────────────────────────┐
│ 1. SAFE HANDLING │
│ - Isolate sample │
│ - Work in dedicated analysis environment │
│ - Never execute on production systems │
├─────────────────────────────────────────────────────────────┤
│ 2. INITIAL IDENTIFICATION │
│ - File type verification │
│ - Hash calculation (MD5, SHA256) │
│ - VirusTotal / threat intelligence lookup │
├─────────────────────────────────────────────────────────────┤
│ 3. STATIC ANALYSIS │
│ - Strings extraction │
│ - PE header analysis (Windows) │
│ - Import/export examination │
│ - Metadata extraction │
├─────────────────────────────────────────────────────────────┤
│ 4. DYNAMIC ANALYSIS (if needed) │
│ - Sandbox execution │
│ - Behavior monitoring │
│ - Network capture │
├─────────────────────────────────────────────────────────────┤
│ 5. INDICATOR EXTRACTION │
│ - Network IOCs (IPs, domains, URLs) │
│ - Host IOCs (files, registry, processes) │
│ - Behavioral patterns │
└─────────────────────────────────────────────────────────────┘Safe Handling Fundamentals:
Analysis Environment Options:
Dedicated VM:
- Isolated network (host-only or no network)
- Snapshot before analysis
- Revert after each sample
- Recommended: REMnux, FlareVM
Cloud Sandboxes:
- Any.Run (interactive)
- Hybrid Analysis
- Joe Sandbox
- Triage (Hatching)
- VirusTotal behavior
Physical Isolation:
- Air-gapped system
- Dedicated hardware
- For highly sensitive samples
Safety Rules:
1. NEVER analyze on production systems
2. NEVER connect analysis VM to production network
3. ALWAYS snapshot before execution
4. ALWAYS revert after analysis
5. RENAME executables during transfer (.exe → .exe_)
6. Password-protect malware archives (infected/infected)Initial Identification:
File Type Verification:
Linux file command:
$ file suspicious.exe
suspicious.exe: PE32 executable (GUI) Intel 80386, for MS Windows
$ file document.pdf
document.pdf: PDF document, version 1.4
Magic bytes verification:
$ xxd suspicious.exe | head -1
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
Common Magic Bytes:
MZ (4D 5A) - Windows executable
PK (50 4B) - ZIP archive (also DOCX, XLSX, JAR)
%PDF (25 50 44 46) - PDF document
ELF (7F 45 4C 46) - Linux executable
Rar! (52 61 72 21) - RAR archive
Hash Calculation:
$ md5sum suspicious.exe
a1b2c3d4e5f6789012345678abcdef01 suspicious.exe
$ sha256sum suspicious.exe
1234567890abcdef... suspicious.exe
$ sha1sum suspicious.exe
abcdef1234567890... suspicious.exe
Windows PowerShell:
> Get-FileHash -Algorithm SHA256 suspicious.exeThreat Intelligence Lookup:
VirusTotal Analysis:
Web Interface:
- Upload sample or search by hash
- View detection results
- Check behavior analysis
- Review community comments
API Usage:
$ curl --request GET \
--url 'https://www.virustotal.com/api/v3/files/{hash}' \
--header 'x-apikey: YOUR_API_KEY'
Key Information:
- Detection ratio (e.g., 45/70)
- Malware family identification
- First/last seen dates
- Behavioral indicators
- Network IOCs
Other Threat Intel Sources:
- Hybrid Analysis (free sandbox)
- MalwareBazaar (samples database)
- URLhaus (malicious URLs)
- ThreatFox (IOC database)
- AlienVault OTX (threat intelligence)
- MISP (threat sharing platform)
Caution:
- Uploading samples may alert attackers
- Consider hash lookup first
- Sensitive samples: use private analysisKey insight: Always check VirusTotal by hash before uploading. Someone may have already analyzed your sample, saving time and avoiding tipping off attackers.
2) Static Analysis Fundamentals
Static analysis examines malware without executing it, extracting information from the file's structure and content:
Strings Analysis:
strings Command:
$ strings -a suspicious.exe | less
$ strings -n 10 suspicious.exe # Minimum 10 characters
$ strings -e l suspicious.exe # Unicode (little-endian)
Useful String Patterns:
- URLs: http://, https://, ftp://
- IPs: Regular expression \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
- Domains: .com, .net, .ru, .cn
- File paths: C:\, \\, /tmp/
- Registry: HKEY_, SOFTWARE\
- Commands: cmd, powershell, /bin/sh
- Encoding: base64, PGh0bWw (base64 for html)
- Credentials: password, login, user, admin
- Error messages: Failed, Error, Exception
Focused String Searches:
$ strings suspicious.exe | grep -iE "http|https|ftp"
$ strings suspicious.exe | grep -iE "password|login|credential"
$ strings suspicious.exe | grep -E "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
$ strings suspicious.exe | grep -iE "\.exe|\.dll|\.bat|\.ps1"
FLOSS (FireEye Labs Obfuscated String Solver):
$ floss suspicious.exe
- Extracts obfuscated strings
- Decodes stack strings
- Finds encrypted stringsPE File Analysis:
PE (Portable Executable) Structure:
┌─────────────────────────────────────────────────────────────┐
│ DOS Header (MZ) │
├─────────────────────────────────────────────────────────────┤
│ DOS Stub ("This program cannot be run in DOS mode") │
├─────────────────────────────────────────────────────────────┤
│ PE Signature ("PE\0\0") │
├─────────────────────────────────────────────────────────────┤
│ COFF File Header │
│ - Machine type, number of sections, timestamp │
├─────────────────────────────────────────────────────────────┤
│ Optional Header │
│ - Entry point, image base, subsystem │
├─────────────────────────────────────────────────────────────┤
│ Section Headers │
│ - .text, .data, .rdata, .rsrc, etc. │
├─────────────────────────────────────────────────────────────┤
│ Sections (actual code and data) │
└─────────────────────────────────────────────────────────────┘
Key PE Analysis Points:
Compilation Timestamp:
- When was this compiled?
- Future dates = tampered
- Old dates may indicate known malware
Sections:
.text - Executable code
.data - Initialized data
.rdata - Read-only data, imports
.rsrc - Resources (icons, strings)
.reloc - Relocation information
Suspicious Section Names:
- UPX0, UPX1 (packed)
- .aspack, .adata (packed)
- Random names
- High entropy sectionsPEStudio Analysis:
PEStudio (Windows Tool):
Key Indicators Tab:
- Highlights suspicious characteristics
- Flags known malicious patterns
- Shows risk score
Imports Analysis:
Suspicious API imports indicate capability:
Process Manipulation:
- CreateRemoteThread (injection)
- VirtualAllocEx (remote allocation)
- WriteProcessMemory (injection)
- OpenProcess (process access)
File Operations:
- CreateFile, WriteFile, DeleteFile
- CopyFile, MoveFile
Registry Operations:
- RegCreateKey, RegSetValue
- RegOpenKey, RegDeleteKey
Network Operations:
- WSAStartup, socket, connect
- InternetOpen, HttpSendRequest
- URLDownloadToFile
Crypto Operations:
- CryptEncrypt, CryptDecrypt
- CryptAcquireContext
Anti-Analysis:
- IsDebuggerPresent
- CheckRemoteDebuggerPresent
- GetTickCount (timing checks)
- QueryPerformanceCounter
Exports Analysis:
- DLLs export functions
- Look for suspicious export names
- ServiceMain (service installation)Packing and Obfuscation Detection:
Detecting Packed Executables:
Indicators of Packing:
- High entropy sections (>7.0)
- Few readable strings
- Small import table
- Known packer signatures
- Unusual section names
Common Packers:
- UPX (legitimate, easily unpacked)
- ASPack
- Themida (anti-analysis)
- VMProtect (virtualization)
- Custom packers
Entropy Analysis:
- Random data has high entropy (~8.0)
- Normal code: 5.0-6.5
- Packed/encrypted: 7.0-8.0
Tools:
$ upx -d packed.exe # Unpack UPX
$ python pe_entropy.py sample.exe
DIE (Detect It Easy):
- Identifies packers and compilers
- Shows file structure
- Entropy visualization
Unpacking Strategy:
1. Identify packer
2. Try automatic unpacking tools
3. Manual unpacking if needed
4. Analyze unpacked sampleKey insight: Imports reveal capability. A file that imports CreateRemoteThread and WriteProcessMemory likely performs process injection—you know this without running it.
3) Dynamic Analysis Concepts
Dynamic analysis executes malware in a controlled environment to observe its behavior:
Dynamic Analysis Environment:
Sandbox Requirements:
- Isolated network
- Snapshot capability
- Monitoring tools installed
- Realistic environment (files, browser history)
- Internet simulation or controlled access
Monitoring Categories:
┌─────────────────────────────────────────────────────────────┐
│ Process Activity │
│ - Process creation/termination │
│ - DLL loading │
│ - Thread creation │
├─────────────────────────────────────────────────────────────┤
│ File System Activity │
│ - File creation/modification/deletion │
│ - Directory operations │
├─────────────────────────────────────────────────────────────┤
│ Registry Activity │
│ - Key creation/modification │
│ - Value changes │
├─────────────────────────────────────────────────────────────┤
│ Network Activity │
│ - DNS queries │
│ - Connections (IP, port) │
│ - Data transferred │
├─────────────────────────────────────────────────────────────┤
│ API Calls │
│ - System calls made │
│ - Parameters used │
└─────────────────────────────────────────────────────────────┘Online Sandboxes:
Any.Run (Interactive):
- Real-time interaction
- Watch execution live
- Click prompts, provide input
- Free tier available
Usage:
1. Upload sample
2. Select OS environment
3. Watch execution
4. Interact if needed
5. Download report and IOCs
Hybrid Analysis:
- Automated analysis
- Detailed reports
- Free, no account required
- Falcon Sandbox backend
Joe Sandbox:
- Deep analysis
- Multiple environments
- Detailed behavioral reports
- Limited free tier
Triage (Hatching):
- Fast analysis
- Good for bulk samples
- API access
- Free tier
VirusTotal Behavior:
- Sandbox results from multiple engines
- Part of VT report
- Shows file/registry/network activity
Choosing a Sandbox:
- Interactive needed? → Any.Run
- Bulk analysis? → Triage, Hybrid Analysis
- Deep analysis? → Joe Sandbox
- Quick check? → VirusTotal behavior tabLocal Monitoring Tools:
Process Monitor (ProcMon):
- Real-time file/registry/process activity
- Filter by process name
- Capture during malware execution
ProcMon Filters:
Process Name contains malware.exe
Operation is WriteFile
Path contains \AppData\
Result is SUCCESS
Process Explorer:
- Process tree view
- DLL listing
- Handle examination
- VirusTotal integration
Regshot:
- Registry snapshot comparison
- Before/after execution
- Shows all registry changes
Wireshark/tcpdump:
- Network traffic capture
- DNS queries
- C2 communications
API Monitor:
- API call tracing
- Parameter logging
- Detailed call stacks
Sysmon:
- Enhanced Windows logging
- Process creation with hashes
- Network connections
- Persistent monitoringAnti-Analysis Evasion:
Common Anti-Analysis Techniques:
VM Detection:
- Check for VM artifacts (VMware tools, VirtualBox drivers)
- Registry keys indicating virtualization
- MAC address prefixes (VMware: 00:0C:29)
Sandbox Detection:
- Check for analysis tools (procmon, wireshark)
- Limited user activity (no documents, no browser history)
- Short uptime
- Limited resources
Debugger Detection:
- IsDebuggerPresent()
- CheckRemoteDebuggerPresent()
- Timing checks
- Hardware breakpoint detection
Time-Based Evasion:
- Sleep for extended periods
- Check system date
- Require multiple executions
- Time bomb (activate on specific date)
Environment Checks:
- Username (not "malware", "sandbox", "virus")
- Computer name
- Domain membership
- Installed software
Defeating Evasion:
- Use realistic VM environments
- Add user artifacts
- Patch sleep calls
- Adjust system time
- Use physical machines for advanced malwareKey insight: Sophisticated malware detects analysis environments. If a sample does nothing in a sandbox, it may be evading—try different environments or manual analysis.
4) Indicator Extraction
Extracting indicators of compromise (IOCs) enables detection across the enterprise and sharing with the security community:
Types of Indicators:
Network Indicators:
┌─────────────────────────────────────────────────────────────┐
│ Type │ Example │ Fidelity │
├─────────────┼────────────────────────────┼─────────────────┤
│ IP Address │ 192.168.1.100 │ Medium (can │
│ │ │ change) │
│ Domain │ evil-c2.com │ Medium-High │
│ URL │ http://evil.com/payload │ High │
│ User-Agent │ Mozilla/4.0 (compatible) │ Medium │
│ JA3 Hash │ a0e9f5d64349fb13... │ High │
│ Certificate │ SHA1 of certificate │ High │
└─────────────┴────────────────────────────┴─────────────────┘
Host Indicators:
┌─────────────────────────────────────────────────────────────┐
│ Type │ Example │ Fidelity │
├───────────────┼──────────────────────────┼─────────────────┤
│ File Hash │ SHA256 of malware │ Very High │
│ File Name │ svchost32.exe │ Low (common) │
│ File Path │ C:\Windows\Temp\mal.exe │ Medium │
│ Registry Key │ HKCU\Software\Malware │ High │
│ Mutex │ Global\EvilMutex123 │ High │
│ Service Name │ WindowsUpdateHelper │ Medium │
│ Scheduled Task│ SystemHealthCheck │ Medium │
└───────────────┴──────────────────────────┴─────────────────┘Extraction Techniques:
From Static Analysis:
Strings for Network IOCs:
$ strings malware.exe | grep -iE "^https?://"
$ strings malware.exe | grep -oE "[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}"
$ strings malware.exe | grep -iE "\.(com|net|org|ru|cn|tk)$"
File Hashes:
$ sha256sum malware.exe
$ md5sum malware.exe
YARA Rule Creation:
rule Malware_Family_X {
meta:
description = "Detects Malware Family X"
author = "Analyst"
date = "2024-03-15"
strings:
$s1 = "EvilMutex123" ascii
$s2 = "http://evil-c2.com/beacon" ascii
$s3 = { 4D 5A 90 00 03 00 00 00 }
condition:
uint16(0) == 0x5A4D and
filesize < 500KB and
2 of ($s*)
}
From Dynamic Analysis:
Network IOCs (from PCAP):
$ tshark -r capture.pcap -T fields -e dns.qry.name | sort -u
$ tshark -r capture.pcap -T fields -e ip.dst | sort -u
Registry IOCs (from Regshot):
Keys Added:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater
Files Created (from ProcMon):
C:\Users\Public\malware.dll
C:\Windows\Temp\config.datIOC Formats:
OpenIOC Format (XML):
<IndicatorItem>
<Context document="FileItem" search="FileItem/Md5sum"/>
<Content type="md5">a1b2c3d4e5f6...</Content>
</IndicatorItem>
STIX 2.1 Format (JSON):
{
"type": "indicator",
"spec_version": "2.1",
"pattern": "[file:hashes.'SHA-256' = 'a1b2c3d4...']",
"pattern_type": "stix",
"valid_from": "2024-03-15T00:00:00Z"
}
Simple CSV:
type,indicator,description
sha256,a1b2c3d4...,Malware payload
domain,evil-c2.com,C2 server
ip,10.0.0.50,Secondary C2
Sharing Platforms:
- MISP (Malware Information Sharing Platform)
- AlienVault OTX
- ThreatConnect
- VirusTotal
- Abuse.ch platformsYARA Rules:
YARA Rule Structure:
rule RuleName {
meta:
// Metadata about the rule
description = "What this detects"
author = "Your name"
date = "2024-03-15"
reference = "https://..."
strings:
// Patterns to match
$string1 = "text string" ascii
$string2 = "unicode" wide
$hex = { 4D 5A 90 00 }
$regex = /https?:\/\/[a-z0-9\.]+/
condition:
// Logic for matching
all of them
// or: any of them
// or: 2 of ($string*)
// or: $string1 and $hex
}
Running YARA:
$ yara rules.yar suspicious.exe
$ yara -r rules.yar /path/to/directory
$ yara -s rules.yar suspicious.exe # Show matching strings
YARA in Memory Analysis:
$ vol -f memory.raw windows.yarascan --yara-rules rules.yar
Public YARA Rules:
- Yara-Rules Project (GitHub)
- Signature-Base (Neo23x0)
- ReversingLabs YARA rules
- CISA Malware Analysis ReportsKey insight: Good IOCs are specific enough to detect the threat without false positives. A SHA256 hash is high fidelity but easily evaded; behavioral patterns are lower fidelity but more resilient.
5) Persistence and C2 Analysis
Understanding how malware maintains access and communicates with attackers is essential for complete remediation:
Common Persistence Mechanisms:
Registry Run Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
Scheduled Tasks:
C:\Windows\System32\Tasks\
schtasks /query /fo LIST /v
Services:
HKLM\SYSTEM\CurrentControlSet\Services\
sc query type= all
Startup Folders:
C:\Users\{user}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
WMI Event Subscriptions:
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
DLL Hijacking:
- Placing malicious DLL in application directory
- DLL search order abuse
COM Hijacking:
HKCU\Software\Classes\CLSID\
Boot/Logon Autostart:
- Winlogon keys
- AppInit_DLLs
- Browser Helper ObjectsPersistence Detection:
Autoruns (Sysinternals):
- Comprehensive persistence enumeration
- Shows all autostart locations
- VirusTotal integration
- Compare snapshots
Usage:
> autorunsc.exe -a * -c -h > autoruns.csv
> autorunsc.exe -accepteula -a * -vt
Key Locations to Check:
□ Run/RunOnce registry keys
□ Scheduled tasks
□ Services
□ Startup folders
□ WMI subscriptions
□ Browser extensions
□ Office add-ins
□ Boot execute
□ Winlogon entries
Linux Persistence:
- /etc/rc.local
- Cron jobs (/etc/cron.*, /var/spool/cron)
- Systemd services (/etc/systemd/system/)
- .bashrc, .profile modifications
- SSH authorized_keys
- LD_PRELOAD
- Kernel modules
macOS Persistence:
- LaunchAgents/LaunchDaemons
- Login Items
- Cron jobs
- Startup scriptsC2 Communication Patterns:
C2 Channel Types:
HTTP/HTTPS:
- Most common (blends with traffic)
- GET/POST requests
- Data in parameters, headers, or body
- Often uses legitimate services
DNS:
- Queries encode commands/data
- TXT records for responses
- Hard to block completely
- Low bandwidth
ICMP:
- Data in ping payloads
- Often overlooked
- Limited bandwidth
Custom Protocols:
- Proprietary binary protocols
- May use non-standard ports
- Easier to detect if known
Cloud Services:
- Dropbox, Google Drive, OneDrive
- Twitter, Telegram
- Pastebin, GitHub
- Difficult to blockC2 Analysis Techniques:
Identifying C2 in Network Traffic:
Beaconing Detection:
- Regular connection intervals
- Consistent packet sizes
- Jitter patterns (randomized delays)
HTTP C2 Indicators:
- Unusual User-Agent strings
- Base64 in URL parameters
- POST with encoded bodies
- Requests to IP addresses
- Suspicious URI patterns
DNS C2 Indicators:
- Long subdomain names
- High query frequency
- TXT record queries
- Unusual domain patterns
Traffic Analysis:
$ tshark -r capture.pcap -Y "http" -T fields \
-e ip.dst -e http.host -e http.request.uri
$ tshark -r capture.pcap -Y "dns" -T fields \
-e dns.qry.name | sort | uniq -c | sort -rn
C2 Framework Signatures:
- Cobalt Strike: Malleable C2 profiles, beacon patterns
- Metasploit: Default URI patterns, staging
- Empire: PowerShell patterns
- Covenant: .NET patterns
JA3/JA3S Fingerprinting:
- TLS client fingerprint
- Identifies C2 frameworks
- Database of known-bad JA3 hashesMalware Families and Attribution:
Identifying Malware Families:
Characteristics to Compare:
- String patterns
- Code structure
- C2 protocol
- Persistence methods
- Mutex names
- Encryption algorithms
- Compilation artifacts
Resources for Attribution:
- Malpedia (malware encyclopedia)
- MITRE ATT&CK (technique mapping)
- Threat reports (vendor blogs)
- Academic research
Common Malware Categories:
RAT (Remote Access Trojan):
- Full system control
- Examples: njRAT, DarkComet, Quasar
Stealer:
- Credential theft
- Examples: RedLine, Raccoon, Vidar
Ransomware:
- File encryption, extortion
- Examples: LockBit, BlackCat, Conti
Loader/Dropper:
- Downloads additional malware
- Examples: Emotet, QakBot, IcedID
Banking Trojan:
- Financial fraud
- Examples: TrickBot, Dridex, Zeus
Cryptominer:
- Cryptocurrency mining
- Examples: XMRig-based miners
Botnet:
- Part of larger network
- Examples: Mirai, NecursKey insight: Understanding persistence and C2 enables complete remediation. Missing a persistence mechanism means reinfection; missing C2 channels means ongoing compromise.
Real-World Context
Case Study: Emotet Analysis
Emotet, one of the most prolific malware families, demonstrates comprehensive malware forensics: Initial delivery via malicious Word documents with macros. Static analysis of the macro reveals obfuscated PowerShell downloading the payload. The payload is a packed DLL that unpacks in memory. Dynamic analysis shows process injection into legitimate Windows processes. Network analysis reveals encrypted C2 traffic with distinctive patterns. Persistence via services and scheduled tasks. IOC extraction provides hashes, C2 IPs, and behavioral signatures for enterprise-wide detection.
Case Study: Ransomware Incident
During a ransomware investigation, malware forensics revealed the full attack chain: Initial access via Cobalt Strike beacon delivered through phishing. Static analysis of the beacon revealed its malleable C2 profile. Dynamic analysis showed credential dumping using Mimikatz patterns. The ransomware executable showed anti-VM checks, encrypted strings, and specific file extension targeting. IOC extraction enabled identification of other infected systems. Persistence analysis revealed the attacker's backup access methods, ensuring complete remediation.
MITRE ATT&CK Alignment:
Malware Forensics Maps to ATT&CK:
Execution Analysis:
- T1059.001: PowerShell → Script analysis
- T1059.003: Windows Command Shell → Command analysis
- T1204.002: Malicious File → Document analysis
Persistence Identification:
- T1547.001: Registry Run Keys → Registry analysis
- T1053.005: Scheduled Task → Task enumeration
- T1543.003: Windows Service → Service analysis
- T1546.003: WMI Event Subscription → WMI analysis
Defense Evasion:
- T1027: Obfuscated Files → Packing analysis
- T1055: Process Injection → Memory analysis
- T1140: Deobfuscate/Decode → String analysis
Command and Control:
- T1071.001: Web Protocols → HTTP C2 analysis
- T1071.004: DNS → DNS C2 analysis
- T1573: Encrypted Channel → TLS analysis
Discovery/Collection:
- T1082: System Information Discovery → API analysis
- T1005: Data from Local System → File access analysisMalware forensics provides the technical details needed to map incidents to ATT&CK and understand attacker capabilities.
Guided Lab: Malware Sample Analysis
In this lab, you'll perform triage analysis on a malware sample to extract indicators and understand its capabilities.
Lab Environment:
- Isolated analysis VM (REMnux or FlareVM)
- PEStudio, strings, YARA
- Online sandbox access (Any.Run or Hybrid Analysis)
- Practice samples from MalwareBazaar or TheZoo
Exercise Steps:
- Calculate file hashes and check VirusTotal
- Verify file type and examine with PEStudio
- Extract and analyze strings for IOCs
- Review imports for capability assessment
- Submit to online sandbox for behavior analysis
- Extract network and host IOCs from sandbox report
- Create a YARA rule based on unique characteristics
Reflection Questions:
- What capabilities does the malware have based on imports?
- What IOCs would you use for enterprise detection?
- What persistence mechanisms does it use?
Week Outcome Check
By the end of this week, you should be able to:
- Safely handle and triage malware samples
- Perform basic static analysis using strings and PE tools
- Understand dynamic analysis concepts and sandbox usage
- Extract network and host indicators of compromise
- Create basic YARA rules for detection
- Identify common persistence mechanisms
- Recognize C2 communication patterns
- Map malware capabilities to MITRE ATT&CK
🎯 Hands-On Labs (Free & Essential)
Practice malware triage before moving to reading resources.
🎮 TryHackMe: Malware Intro
What you'll do: Perform safe malware triage and extract basic indicators.
Why it matters: Triage quickly tells you scope and impact.
Time estimate: 2-3 hours
🎮 TryHackMe: YARA
What you'll do: Write detection rules and hunt for malware indicators.
Why it matters: YARA rules scale detection across systems.
Time estimate: 1.5-2 hours
🏁 PicoCTF Practice: Reverse Engineering (Malware)
What you'll do: Solve beginner RE challenges to inspect suspicious binaries.
Why it matters: Basic RE skills accelerate malware triage.
Time estimate: 1-2 hours
🛡️ CyberDefenders: Forensics Challenge
What you'll do: Solve an advanced DFIR case with malware artifacts.
Deliverable: Challenge write-up with evidence and findings.
Why it matters: Realistic cases sharpen triage and reporting skills.
Time estimate: 2-3 hours
💡 Lab Tip: Hash and label every sample before analysis so evidence stays traceable.
🛡️ Advanced DFIR Casework
Malware forensics in enterprise incidents requires repeatable methods, clear documentation, and evidence preservation.
Casework focus:
- Triage scope and impact quickly
- Extract IOCs and behaviors consistently
- Validate findings across multiple tools
- Package evidence for stakeholders📚 Building on CSY201: Incident workflows and evidence escalation.
Resources
Lab
Complete the following lab exercises to practice malware forensics techniques. Use isolated analysis environments only.