Malware Analysis Deep Dive — CIPHER Training Module
Malware Analysis Deep Dive — CIPHER Training Module
Classification: [MODE: RED] + [MODE: BLUE] — Offense-informed defense Scope: Static analysis, dynamic analysis, YARA rules, capa rules, unpacking, family identification Last updated: 2026-03-14
Table of Contents
- Analysis Philosophy
- Lab Environment Setup
- Static Analysis Workflow
- Dynamic Analysis Workflow
- YARA Rule Writing — Patterns and Examples
- Capa Rule Format
- Unpacking Methodology
- Malware Family Identification
- Tool Reference Matrix
1. Analysis Philosophy
Principle: Never execute first. Static analysis establishes hypotheses; dynamic analysis validates them. Every sample gets the same disciplined triage regardless of urgency.
Workflow order:
TRIAGE → STATIC → BEHAVIORAL → DYNAMIC → CODE → REPORT
│ │ │ │ │ │
│ │ │ │ │ └─ IOCs, YARA, family ID
│ │ │ │ └─ Disassembly, decompilation
│ │ │ └─ Sandbox, debugger, API trace
│ │ └─ Sandbox report review
│ └─ PE parse, strings, imports, YARA scan, capa
└─ Hash check, AV scan, filetype, first-pass triage
Core rules:
- Isolate analysis environment from production networks — host-only or no networking
- Hash everything before and after — SHA256 minimum, keep chain of custody
- Document every finding as you go — timestamps matter for IR timelines
- Assume anti-analysis — packers, VM detection, anti-debug are default, not exceptional
2. Lab Environment Setup
2.1 Linux Analysis (REMnux)
REMnux is a purpose-built Ubuntu distribution for malware analysis. Core tool categories:
| Category | Tools | Phase |
|---|---|---|
| Static Properties | file, ssdeep, pehash, peframe, pescanner, exiftool |
Triage |
| PE Analysis | pedump, pev, PE-bear, AnalyzePE, Manalyze |
Static |
| ELF Analysis | readelf, elfparser, pyelftools |
Static |
| .NET Analysis | dnSpy, monodis, de4dot |
Static |
| String Extraction | strings, FLOSS, bstrings |
Static |
| Deobfuscation | xortool, NoMoreXOR, uncompyle6 |
Static |
| Unpacking | upx, un{i}packer |
Static |
| Disassembly | Ghidra, radare2, objdump, Cutter |
Code |
| Shellcode | scdbg, speakeasy, unicorn |
Dynamic |
| Network | tcpdump, Wireshark, mitmproxy, INetSim, FakeDNS |
Dynamic |
| Memory Forensics | Volatility 3, rekall |
Forensics |
| Document Analysis | olevba, oletools, peepdf, pdfparser, pdfid |
Static |
| YARA | yara, yara-python, yarGen, Loki |
Detection |
| Capability Detection | capa |
Static |
2.2 Windows Analysis (FLARE-VM)
FLARE-VM automates Windows reverse engineering environment setup via Chocolatey/Boxstarter.
Setup procedure:
# Prerequisites: Windows 10+, 60GB disk, 2GB RAM
# MUST disable: Windows Defender, Windows Update, tamper protection
# Snapshot VM BEFORE installation
# Install
Set-ExecutionPolicy Unrestricted -Force
Unblock-File .\install.ps1
.\install.ps1 -password <password> -noWait -noGui
# Reboot → switch to host-only networking
Key Windows tools: IDA Pro/Free, x64dbg, OllyDbg, PEiD, PE-bear, Process Monitor, Process Explorer, API Monitor, Wireshark, Fakenet-NG, Detect It Easy, dnSpy, HxD, CFF Explorer, Autoruns, Regshot.
2.3 Network Isolation Architecture
┌──────────────────────────────────────────┐
│ HOST (Type-1 or Type-2 HV) │
│ ┌──────────┐ ┌──────────────────┐ │
│ │ REMnux │◄────│ INetSim/FakeDNS │ │
│ │ (analyst)│ │ (network sim) │ │
│ └────┬─────┘ └────────┬─────────┘ │
│ │ host-only vnet │ │
│ ┌────┴────────────────────┴─────────┐ │
│ │ Guest (FLARE-VM) │ │
│ │ sample execution here │ │
│ └───────────────────────────────────┘ │
│ │
│ *** NO route to internet *** │
└──────────────────────────────────────────┘
3. Static Analysis Workflow
3.1 Phase 1 — Triage
# 1. Compute hashes
sha256sum sample.bin
md5sum sample.bin
ssdeep sample.bin # fuzzy hash for similarity
# 2. Check reputation
# Query VT, MalwareBazaar, Hybrid Analysis via API or malwoverview
malwoverview -f sample.bin # multi-source triage
# 3. Identify file type
file sample.bin
diec sample.bin # Detect It Easy — packer/compiler/linker ID
trid sample.bin # secondary file type identification
# 4. Quick AV scan
clamscan sample.bin
Decision point: If DiE reports a known packer (UPX, Themida, VMProtect, ASPack) — proceed to Unpacking Methodology before continuing static analysis.
3.2 Phase 2 — PE Parsing
For Windows PE files, extract structural metadata:
# PE header analysis
peframe sample.exe # imports, sections, suspicious indicators
pev sample.exe # multi-tool PE suite (readpe, pedis, pescan)
pescanner sample.exe # anomaly detection
# PE-bear (GUI)
pe-bear sample.exe # visual PE structure inspection
Key indicators to extract:
| PE Field | What to Look For |
|---|---|
| Compile timestamp | Future dates, epoch 0, dates before 2000 — likely tampered |
| Section names | Non-standard (.text → .cod3), high entropy sections |
| Section entropy | > 7.0 suggests encryption/packing |
| Import table | Small import count with LoadLibrary/GetProcAddress = dynamic resolution |
| Export table | DLL with suspicious export names (ServiceMain, DllRegisterServer) |
| Resources | Embedded PE files, encrypted blobs, anomalous sizes |
| Digital signature | Invalid, expired, self-signed, stolen certificate |
| Checksum | Mismatch between header and actual — post-build modification |
| Subsystem | Console vs GUI mismatch with behavior |
| TLS callbacks | Code execution before entry point — anti-debug / unpacking |
| Debug directory | PDB path leaks build environment info |
Import analysis — red-flag API clusters:
PROCESS INJECTION:
VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
NtMapViewOfSection + NtUnmapViewOfSection
QueueUserAPC + NtTestAlert
KEYLOGGING:
SetWindowsHookExA(WH_KEYBOARD_LL) + GetAsyncKeyState + GetKeyState
CREDENTIAL THEFT:
CredEnumerateA + CryptUnprotectData
LsaEnumerateLogonSessions + LsaGetLogonSessionData
EVASION:
IsDebuggerPresent + CheckRemoteDebuggerPresent
NtQueryInformationProcess(ProcessDebugPort)
GetTickCount + QueryPerformanceCounter (timing checks)
CreateToolhelp32Snapshot (process enumeration for VM detection)
PERSISTENCE:
RegSetValueExA (Run keys) + CreateServiceA
SchRpcRegisterTask (scheduled tasks)
NETWORK:
InternetOpenA + InternetConnectA + HttpSendRequestA
WSAStartup + socket + connect + send + recv
URLDownloadToFileA
3.3 Phase 3 — String Extraction
# Standard strings
strings -a -n 6 sample.exe # ASCII, min length 6
strings -a -n 6 -el sample.exe # UTF-16LE (wide strings)
# Obfuscated string recovery
floss sample.exe # stack strings + decoded strings
floss --only stack tight -- sample.exe # targeted extraction
# XOR key bruteforce
xortool sample.exe # identify XOR key length and value
String categories to hunt:
| Category | Examples |
|---|---|
| URLs/IPs | http://, https://, IPv4 addresses, domain names |
| File paths | C:\Windows\, %TEMP%\, %APPDATA%\ |
| Registry keys | SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Mutex names | Unique strings used for single-instance enforcement |
| Commands | cmd.exe /c, powershell -enc, whoami, net user |
| Debug/error messages | Build artifacts, error strings revealing functionality |
| PDB paths | C:\Users\developer\source\repos\... — attribution signal |
| Base64 blobs | Long alphanumeric strings — decode and analyze content |
| Crypto constants | AES S-box (63 7C 77 7B), RSA headers (-----BEGIN) |
3.4 Phase 4 — YARA Scanning and Capability Detection
# Scan with rule collections
yara -r /path/to/rules/ sample.exe
yara -s -r signature-base/yara/ sample.exe # show matching strings
# Capability detection
capa sample.exe # identify capabilities
capa -vv sample.exe # verbose — show evidence addresses
capa -j sample.exe | jq . # JSON output for automation
3.5 Phase 5 — Disassembly / Decompilation
# Ghidra headless analysis
analyzeHeadless /tmp/project Project1 -import sample.exe \
-postScript ExportDecompilation.java /tmp/decomp_output
# radare2 quick analysis
r2 -A sample.exe
> afl # list functions
> axt sym.imp.CreateRemoteThread # xrefs to suspicious imports
> pdf @ main # disassemble main
> izz # all strings with addresses
Ghidra workflow:
- Auto-analyze → review warnings for anti-analysis indicators
- Check entry point and TLS callbacks
- Trace from imports of interest (VirtualAlloc, CreateThread)
- Identify decryption routines — look for XOR loops, AES init
- Rename functions and variables as understanding develops
- Extract C2 configuration if reachable through static analysis
4. Dynamic Analysis Workflow
4.1 Sandbox Analysis (Automated)
CAPEv2 (Recommended Self-Hosted)
CAPEv2 extends Cuckoo Sandbox with automated unpacking and config extraction.
Architecture: Ubuntu 24.04 host + KVM + Windows 10/11 guest
Key capabilities:
- API hooking and behavioral logging
- Network capture (PCAP)
- Dropped file collection
- Memory dumps
- YARA scanning of unpacked payloads
- Suricata network signature matching
- Config extraction for 100+ malware families
- Custom debugger programmable via YARA signatures
- Anti-evasion countermeasures
Unpacking mechanisms:
- Process injection capture (hollowing, DLL injection, shellcode)
- Memory extraction on write+execute transitions
- Module dumping for simple packers
- Breakpoint-triggered memory region dumps
Submission:
# API submission
curl -F "file=@sample.exe" http://cape-host:8000/apiv2/tasks/create/file/
# With options
curl -F "file=@sample.exe" -F "options=procmemdump=1,CAPE=1" \
http://cape-host:8000/apiv2/tasks/create/file/
Cloud Sandboxes
| Service | Strengths | Limitations |
|---|---|---|
| Hybrid Analysis | Free, CrowdStrike ML, 1.4B+ IOCs, YARA hunting | 250MB upload limit, community file sharing |
| ANY.RUN | Interactive — click through install wizards, real browser | Free tier limited to Windows 7, public submissions |
| Joe Sandbox | Deep analysis, evasion resistance, multi-platform | Paid, queue times |
| MalwareBazaar | Sample sharing, API, hunting alerts, YARA matching | Repository, not analysis — pair with sandbox |
| VirusTotal | 70+ AV engines, behavioral analysis, YARA retrohunt | Samples shared with AV vendors — OPSEC risk |
OPSEC warning: Uploading samples to public sandboxes alerts threat actors via VT monitoring. For sensitive IR work, use self-hosted CAPEv2 or DRAKVUF.
4.2 Manual Dynamic Analysis
Pre-Execution Setup
# Snapshot the VM — ALWAYS before execution
# Start network simulation
inetsim # simulate DNS, HTTP, HTTPS, SMTP, etc.
fakedns # lightweight DNS sinkhole alternative
# Start captures
tcpdump -i eth0 -w /tmp/capture.pcap &
procmon /BackingFile /tmp/procmon.pml & # Windows: Process Monitor
# Baseline
# Regshot — first snapshot
# Autoruns — baseline persistence points
Execution and Monitoring
Windows monitoring stack:
| Tool | What It Captures |
|---|---|
| Process Monitor (procmon) | File, registry, network, process events — filtered |
| Process Explorer | Process tree, DLLs, handles, memory strings |
| API Monitor | Win32/NT API calls with parameters |
| Fakenet-NG | Network simulation + DNS/HTTP/SSL interception |
| Wireshark | Raw packet capture |
| Regshot | Registry diff pre/post execution |
| Autoruns | Persistence mechanism changes |
| TCPView | Active connections in real-time |
Linux monitoring:
strace -f -e trace=network,process,file -o /tmp/strace.log ./sample
ltrace -f -o /tmp/ltrace.log ./sample
Debugger Analysis (x64dbg / GDB)
# x64dbg — set breakpoints on key APIs
bp VirtualAlloc # memory allocation — unpacking
bp VirtualProtect # permission changes — code injection
bp CreateRemoteThread # injection into other processes
bp InternetConnectA # C2 communication
bp WriteFile # dropped files
bp RegSetValueExA # persistence
# Run until breakpoint, inspect:
# - Stack for parameters
# - Return values for allocated addresses
# - Memory map for new RWX regions
Anti-debug bypass checklist:
IsDebuggerPresent— patch PEB.BeingDebugged to 0NtQueryInformationProcess(ProcessDebugPort)— hook to return 0- Timing checks (
GetTickCount,rdtsc) — ScyllaHide plugin - Hardware breakpoint detection (
GetThreadContext) — use software BPs NtSetInformationThread(ThreadHideFromDebugger)— hook and NOP- INT 2D / INT 3 traps — step over, don't step into
- Process enumeration (checking for debugger processes) — rename debugger
Speakeasy Emulation
For quick triage without full VM execution:
# Emulate PE
speakeasy -t sample.exe -o report.json
# Emulate shellcode
speakeasy -t shellcode.bin -a x86 -o report.json
# Emulate DLL with specific export
speakeasy -t sample.dll -e DllRegisterServer -o report.json
Speakeasy emulates Windows APIs at user and kernel level, capturing:
- API call sequences with arguments
- Network connection attempts
- File system operations
- Registry access
- Process/thread creation
4.3 Network Analysis
# Extract IOCs from PCAP
tcpdump -r capture.pcap -n | grep -E 'SYN|DNS'
tshark -r capture.pcap -Y 'dns' -T fields -e dns.qry.name | sort -u
tshark -r capture.pcap -Y 'http.request' -T fields -e http.host -e http.request.uri
tshark -r capture.pcap -Y 'tls.handshake.extensions_server_name' \
-T fields -e tls.handshake.extensions_server_name | sort -u
# Extract files from traffic
foremost -i capture.pcap -o /tmp/carved/
binwalk capture.pcap
# Suricata IDS
suricata -r capture.pcap -l /tmp/suricata/ -S emerging-all.rules
C2 protocol indicators:
- Beaconing: regular interval connections (jitter < 20%)
- DNS tunneling: high-entropy subdomain queries, TXT record responses
- HTTP C2: POST to static URI paths, base64 in cookies/headers, non-standard User-Agent
- Domain fronting: SNI mismatch with Host header
- Custom protocols: non-standard ports, binary protocols on port 443/80
5. YARA Rule Writing
5.1 Rule Structure
rule RuleName : tag1 tag2
{
meta:
author = "analyst"
description = "What this rule detects and why"
date = "2026-03-14"
hash = "sha256_of_known_sample"
reference = "https://..."
tlp = "white"
strings:
$text = "plain text string"
$hex = { E2 34 A1 C8 23 FB }
$regex = /pattern[0-9]{2}/
condition:
uint16(0) == 0x5A4D and // MZ header
filesize < 5MB and
2 of ($text, $hex, $regex)
}
5.2 String Types and Modifiers
Text strings:
$s1 = "Firefox" // exact match
$s2 = "firefox" nocase // case-insensitive
$s3 = "Borland" wide // UTF-16LE
$s4 = "Borland" wide ascii // match both encodings
$s5 = "domain" fullword // word boundaries required
$s6 = "This program cannot" xor // all single-byte XOR variants
$s7 = "secret" xor(0x01-0xff) // XOR range (exclude null key)
$s8 = "payload" base64 // 3 base64 permutations
$s9 = "payload" base64wide // base64 then wide encoding
$s10 = "internal" private // match but don't report
Modifier constraints:
nocasecannot combine withxor,base64,base64widexorcannot combine withnocase,base64,base64widebase64/base64widecannot combine withnocase,xor,fullword
Hex strings:
$h1 = { E2 34 A1 C8 } // exact bytes
$h2 = { E2 34 ?? C8 } // wildcard byte
$h3 = { E2 3? A1 ?8 } // wildcard nibbles
$h4 = { E2 ~00 A1 C8 } // NOT byte (any except 0x00)
$h5 = { E2 34 [4-6] C8 } // 4-6 byte jump
$h6 = { E2 34 [4] C8 } // exact 4 byte jump
$h7 = { E2 ( 34 | 35 | 36 ) C8 } // alternatives
Regular expressions:
$r1 = /md5: [0-9a-fA-F]{32}/
$r2 = /https?:\/\/[^\s\/]{4,}/
$r3 = /[A-Za-z0-9+\/]{40,}={0,2}/ // base64 blobs
$r4 = /cmd\.exe\s+\/[ck]\s+/i // case-insensitive
5.3 Condition Patterns
// PE file validation
uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550
// ELF file validation
uint32(0) == 0x464C457F // \x7fELF
// File size constraints
filesize > 50KB and filesize < 10MB
// String counting
#suspicious_string > 3 // more than 3 occurrences
// String at specific offset
$mz at 0
// String in range
$marker in (0..1024)
// N-of-M matching
2 of ($s1, $s2, $s3, $s4)
any of ($config_*)
all of them
// Referencing other rules
Rule1 and Rule2
any of (Ransomware_*)
// PE module conditions
import "pe"
pe.imports("kernel32.dll", "VirtualAlloc")
pe.exports("ServiceMain")
pe.number_of_sections > 5
pe.entry_point == 0x1000
// Hash module
import "hash"
hash.md5(0, filesize) == "known_hash"
// Math module (entropy)
import "math"
math.entropy(0, filesize) > 7.0
// For loops
for any section in pe.sections : (
section.name == ".text" and
math.entropy(section.offset, section.size) > 7.5
)
5.4 Example Rules (12 Rules)
Rule 1 — Generic PE Packer Detection (Entropy)
import "pe"
import "math"
rule Suspicious_High_Entropy_Section
{
meta:
author = "CIPHER"
description = "Detects PE files with high-entropy sections indicating packing or encryption"
date = "2026-03-14"
severity = "medium"
condition:
uint16(0) == 0x5A4D and
for any section in pe.sections : (
math.entropy(section.offset, section.size) > 7.5 and
section.size > 1024
)
}
Rule 2 — Process Injection via Classic Technique
import "pe"
rule ProcessInjection_CreateRemoteThread
{
meta:
author = "CIPHER"
description = "Detects PE importing classic process injection API chain"
date = "2026-03-14"
att_ck = "T1055.001"
severity = "high"
condition:
uint16(0) == 0x5A4D and
pe.imports("kernel32.dll", "VirtualAllocEx") and
pe.imports("kernel32.dll", "WriteProcessMemory") and
pe.imports("kernel32.dll", "CreateRemoteThread")
}
Rule 3 — Cobalt Strike Beacon Strings
rule CobaltStrike_Beacon_Strings
{
meta:
author = "CIPHER"
description = "Detects Cobalt Strike beacon based on configuration strings"
date = "2026-03-14"
att_ck = "S0154"
severity = "critical"
strings:
$s1 = "%s.4444"
$s2 = "beacon.dll" wide ascii
$s3 = "beacon.x64.dll" wide ascii
$s4 = "%s (admin)" wide ascii
$s5 = "ReflectiveLoader"
$s6 = { 2E 2F 2E 2F 2E 2C 2F } // default sleep mask
$s7 = "%02d/%02d/%02d %02d:%02d:%02d"
$s8 = "could not connect to pipe"
$cfg1 = { 00 01 00 01 00 02 ?? ?? 00 02 00 01 00 02 ?? ?? }
$cfg2 = { 00 01 00 01 00 02 ?? ?? 00 02 00 02 00 04 ?? ?? ?? ?? }
condition:
filesize < 1MB and
(
4 of ($s*) or
any of ($cfg*)
)
}
Rule 4 — Ransomware Note Indicators
rule Ransomware_Note_Indicators
{
meta:
author = "CIPHER"
description = "Detects executables containing ransomware payment/note strings"
date = "2026-03-14"
att_ck = "T1486"
severity = "critical"
strings:
$note1 = "Your files have been encrypted" nocase
$note2 = "bitcoin" nocase fullword
$note3 = "decrypt" nocase fullword
$note4 = "ransom" nocase fullword
$note5 = "payment" nocase fullword
$note6 = /[13][a-km-zA-HJ-NP-Z1-9]{25,34}/ // BTC address
$note7 = "tor browser" nocase
$note8 = ".onion" nocase
$note9 = "wallet" nocase fullword
$note10 = "private key" nocase
$ext1 = ".encrypted" nocase
$ext2 = ".locked" nocase
$ext3 = ".crypt" nocase
condition:
uint16(0) == 0x5A4D and
3 of ($note*) and
any of ($ext*)
}
Rule 5 — Emotet Document Dropper
rule Emotet_Maldoc_Macro
{
meta:
author = "CIPHER"
description = "Detects Office documents with Emotet-style obfuscated macros"
date = "2026-03-14"
att_ck = "T1566.001"
severity = "high"
strings:
$ole = { D0 CF 11 E0 A1 B1 1A E1 } // OLE header
$vba1 = "AutoOpen" nocase
$vba2 = "Document_Open" nocase
$cmd1 = "Shell" nocase fullword
$cmd2 = "WScript.Shell" nocase
$cmd3 = "powershell" nocase
$obf1 = "Chr(" nocase // char-by-char obfuscation
$obf2 = "ChrW(" nocase
$obf3 = "Replace(" nocase
$dl1 = "URLDownloadToFile" nocase
$dl2 = "XMLHTTP" nocase
$dl3 = "WinHttp" nocase
condition:
$ole at 0 and
any of ($vba*) and
2 of ($cmd*, $obf*) and
any of ($dl*)
}
Rule 6 — Mimikatz Memory Indicators
rule Mimikatz_Memory_Indicators
{
meta:
author = "CIPHER"
description = "Detects Mimikatz in memory or on disk via unique strings"
date = "2026-03-14"
att_ck = "T1003.001"
severity = "critical"
strings:
$s1 = "mimikatz" wide ascii nocase
$s2 = "gentilkiwi" wide ascii
$s3 = "sekurlsa" wide ascii
$s4 = "kerberos" wide ascii fullword
$s5 = "wdigest" wide ascii
$s6 = "credman" wide ascii
$s7 = "dpapi" wide ascii fullword
$s8 = "kuhl_m" ascii
$s9 = "Benjamin DELPY" wide ascii
$s10 = "mimilib" wide ascii
$func1 = "sekurlsa::logonpasswords" wide ascii nocase
$func2 = "sekurlsa::wdigest" wide ascii nocase
$func3 = "lsadump::sam" wide ascii nocase
$func4 = "lsadump::dcsync" wide ascii nocase
$func5 = "kerberos::golden" wide ascii nocase
condition:
6 of ($s*) or
2 of ($func*)
}
Rule 7 — Shellcode Stub Detection
rule Shellcode_Common_Stubs
{
meta:
author = "CIPHER"
description = "Detects common shellcode stubs for API hashing and PEB walking"
date = "2026-03-14"
att_ck = "T1059.006"
severity = "high"
strings:
// PEB walk: mov eax, fs:[0x30] (32-bit)
$peb32 = { 64 A1 30 00 00 00 }
// PEB walk: mov rax, gs:[0x60] (64-bit)
$peb64 = { 65 48 8B 04 25 60 00 00 00 }
// ROR13 hash loop (common API resolver)
$ror13 = { C1 CF 0D } // ror edi, 0xd
// Block API hash: kernel32.dll LoadLibraryA = 0x0726774C
$hash_ll = { 4C 77 26 07 }
// Block API hash: kernel32.dll GetProcAddress = 0x7C0DFCAA
$hash_gpa = { AA FC 0D 7C }
// call $+5 (get EIP)
$get_eip = { E8 00 00 00 00 }
// jmp/call to register after decode loop
$jmp_reg = { FF (D0 | D1 | D2 | D3 | D4 | D5 | D6 | D7 | E0 | E1 | E2 | E3 | E4 | E5 | E6 | E7) }
condition:
($peb32 or $peb64) and
($ror13 or $hash_ll or $hash_gpa) and
$get_eip
}
Rule 8 — Anti-Debug / Anti-VM Techniques
import "pe"
rule AntiAnalysis_Techniques
{
meta:
author = "CIPHER"
description = "Detects binaries using anti-debug and anti-VM techniques"
date = "2026-03-14"
att_ck = "T1497, T1622"
severity = "medium"
strings:
// Anti-debug strings
$dbg1 = "IsDebuggerPresent" ascii
$dbg2 = "CheckRemoteDebuggerPresent" ascii
$dbg3 = "NtQueryInformationProcess" ascii
$dbg4 = "OutputDebugStringA" ascii
$dbg5 = "NtSetInformationThread" ascii
// VM detection strings
$vm1 = "VMware" ascii nocase
$vm2 = "VirtualBox" ascii nocase
$vm3 = "VBOX" ascii nocase
$vm4 = "qemu" ascii nocase
$vm5 = "Xen" ascii nocase fullword
$vm6 = "Hyper-V" ascii nocase
$vm7 = "sbiedll.dll" ascii nocase // Sandboxie
$vm8 = "dbghelp.dll" ascii nocase
// Hardware fingerprinting
$hw1 = "CPUID" ascii
$hw2 = { 0F 31 } // rdtsc
$hw3 = { 0F A2 } // cpuid
// Sandbox evasion
$sand1 = "SbieDll" ascii
$sand2 = "cuckoomon" ascii
$sand3 = "sample" ascii fullword // filename check
$sand4 = "sandbox" ascii nocase fullword
$sand5 = "GetCursorPos" ascii // mouse movement check
$sand6 = "GetForegroundWindow" ascii
condition:
uint16(0) == 0x5A4D and
(
3 of ($dbg*) or
3 of ($vm*) or
(any of ($dbg*) and any of ($vm*) and any of ($hw*)) or
2 of ($sand*)
)
}
Rule 9 — Reverse Shell Detection
rule ReverseShell_Indicators
{
meta:
author = "CIPHER"
description = "Detects reverse shell payloads across platforms"
date = "2026-03-14"
att_ck = "T1059"
severity = "critical"
strings:
// Bash reverse shells
$bash1 = "/bin/bash -i >& /dev/tcp/" ascii
$bash2 = "bash -c 'bash -i" ascii
$bash3 = "/bin/sh -i" ascii
// Python reverse shells
$py1 = "socket.SOCK_STREAM" ascii
$py2 = "subprocess.call" ascii
$py3 = "pty.spawn" ascii
// PowerShell reverse shells
$ps1 = "Net.Sockets.TCPClient" nocase
$ps2 = "System.Net.Sockets" nocase
$ps3 = "Invoke-PowerShellTcp" nocase
$ps4 = "New-Object System.Net.Sockets.TCPClient" nocase
// Netcat indicators
$nc1 = "ncat" ascii fullword
$nc2 = "nc.exe" ascii
$nc3 = "-e /bin/" ascii
$nc4 = "-e cmd.exe" ascii nocase
// Socket + exec pattern
$sock1 = "WSASocketA" ascii
$sock2 = "cmd.exe" ascii nocase wide
condition:
any of ($bash*) or
($py1 and ($py2 or $py3)) or
2 of ($ps*) or
(any of ($nc1, $nc2) and any of ($nc3, $nc4)) or
($sock1 and $sock2)
}
Rule 10 — Webshell Detection (PHP/ASP/JSP)
rule Webshell_Generic
{
meta:
author = "CIPHER"
description = "Detects common webshell patterns in PHP, ASP, and JSP files"
date = "2026-03-14"
att_ck = "T1505.003"
severity = "critical"
strings:
// PHP webshells
$php1 = "eval(base64_decode(" nocase
$php2 = "eval(gzinflate(" nocase
$php3 = "eval(gzuncompress(" nocase
$php4 = "eval(str_rot13(" nocase
$php5 = "assert(base64_decode(" nocase
$php6 = "system($_" nocase
$php7 = "passthru($_" nocase
$php8 = "shell_exec($_" nocase
$php9 = "exec($_" nocase
$php10 = "preg_replace" nocase
// ASP webshells
$asp1 = "eval(Request" nocase
$asp2 = "Execute(Request" nocase
$asp3 = "CreateObject(\"Wscript.Shell\")" nocase
$asp4 = "cmd.exe /c" nocase
// JSP webshells
$jsp1 = "Runtime.getRuntime().exec(" nocase
$jsp2 = "ProcessBuilder" nocase
// Generic indicators
$gen1 = "uname -a" nocase
$gen2 = "whoami" nocase fullword
$gen3 = "/etc/passwd" nocase
$gen4 = "net user" nocase fullword
condition:
filesize < 500KB and
(
3 of ($php*) or
2 of ($asp*) or
($jsp1 and $jsp2) or
(any of ($php*, $asp*, $jsp*) and 2 of ($gen*))
)
}
Rule 11 — XOR-Encoded PE in Resource Section
rule XOR_Encoded_PE_Payload
{
meta:
author = "CIPHER"
description = "Detects single-byte XOR-encoded PE files embedded in binaries"
date = "2026-03-14"
att_ck = "T1027.002"
severity = "high"
strings:
// MZ header XOR-encoded with common keys
$mz_xor = { (4D 5A) | (4C 5B) | (4F 58) | (4B 5C) | (0D 1A) | (8D 9A) | (CD DA) | (2D 3A) }
// "This program" XOR-encoded
$tp_xor = "This program cannot" xor(0x01-0xff)
// PE signature XOR-encoded
$pe_xor = "PE\x00\x00" xor(0x01-0xff)
condition:
uint16(0) == 0x5A4D and
filesize < 10MB and
(
for any i in (1..#mz_xor) : (
@mz_xor[i] > 1024 // not at file start — embedded
) or
$tp_xor or
(
#pe_xor > 1 and // more than just the real PE sig
for any i in (1..#pe_xor) : ( @pe_xor[i] > 1024 )
)
)
}
Rule 12 — DNS Tunneling Tool Detection
rule DNS_Tunneling_Tool
{
meta:
author = "CIPHER"
description = "Detects DNS tunneling tools (iodine, dnscat2, dns2tcp)"
date = "2026-03-14"
att_ck = "T1071.004"
severity = "high"
strings:
// iodine
$iod1 = "iodine" ascii fullword
$iod2 = "topdomain" ascii
$iod3 = ".t1." ascii
// dnscat2
$dc1 = "dnscat" ascii
$dc2 = "DNSCAT" ascii
$dc3 = "dns_driver" ascii
$dc4 = "command_packet" ascii
// dns2tcp
$dt1 = "dns2tcp" ascii
$dt2 = "dns2tcpd" ascii
// Generic DNS tunnel indicators
$dns1 = "TXT" ascii fullword
$dns2 = "CNAME" ascii fullword
$dns3 = "dns_query" ascii
$dns4 = "tunnel" ascii fullword
$dns5 = "encode" ascii fullword
// Long subdomain construction
$sub1 = /[a-z0-9]{60,}\.[a-z]{2,}/
condition:
(2 of ($iod*)) or
(2 of ($dc*)) or
(any of ($dt*)) or
(3 of ($dns*) and $sub1)
}
5.5 YARA Performance Guidelines
- Anchor strings to offset when possible:
$mz at 0is faster than$mz - Use
filesizeconstraints: Eliminates non-candidates early - Avoid
.*in regex: Use bounded quantifiers{1,100}instead - Use
fullword: Reduces false positives and speeds matching - Hex strings over regex:
{ 4D 5A }is faster than/MZ/ - Condition short-circuiting: Put cheapest checks first (
uint16(0) == 0x5A4D and ...) - Avoid unbounded jumps:
{ AA [0-] BB }scans entire file — use bounded jumps - Private strings for intermediate patterns: Mark helper strings
privateto reduce noise - Test on corpora: Validate against clean file sets (Windows system32) for false positives
- Use
strings -n 8: Minimum string length of 8+ reduces coincidental matches
5.6 YARA Rule Development Workflow
1. COLLECT — Gather 3+ confirmed samples of the target family
2. EXTRACT — Run strings, FLOSS, hex editor on all samples
3. IDENTIFY — Find unique, stable strings/byte sequences across samples
4. ELIMINATE — Remove strings that appear in legitimate software
5. DRAFT — Write rule with meta, strings, condition
6. VALIDATE — Test against known-good samples (expect match)
7. FP-CHECK — Scan against clean corpus (Windows dir, Linux /usr/bin)
8. TUNE — Adjust string count thresholds and conditions
9. DOCUMENT — Add hash references, ATT&CK tags, description
10. DEPLOY — Push to scanner (Loki, YARA on endpoints, SIEM integration)
Tool support:
yarGen— automatic rule generation from sample sets (generates rules from unique strings)yaradbg— web-based rule debuggerYARI— interactive debuggeryarAnalyzer— rule coverage analysisYARA-CI— GitHub Actions integration for rule validation
6. Capa Rule Format
6.1 Structure
Capa rules are YAML files combining OpenIOC, YARA, and YAML syntax. They identify program capabilities by matching against API calls, strings, byte patterns, and code characteristics.
rule:
meta:
name: <capability name>
namespace: <hierarchical.category>
authors:
- analyst@org.com
scopes:
static: function # instruction | basic block | function | file
dynamic: call # call | span of calls | thread | process | file
att&ck:
- Technique Name [TXXXX.XXX]
mbc:
- Objective::Behavior [B00XX.XXX]
references:
- https://...
examples:
- sample_hash:0xADDRESS
features:
- and:
- <feature statements>
6.2 Feature Types
| Feature | Syntax | Scope |
|---|---|---|
| API call | api: kernel32.CreateFile |
instruction/call |
| String | string: "config.ini" |
function/process |
| Substring | substring: "Version" |
function/process |
| Bytes | bytes: 00 01 02 03 |
function/process |
| Number | number: 0x40 = PAGE_EXECUTE_READWRITE |
instruction/call |
| Offset | offset: 0x14 = PEB.BeingDebugged |
instruction/call |
| Mnemonic | mnemonic: xor |
instruction |
| Operand | operand[0].number: 0x10 |
instruction |
| Property | property/read: System.Environment::OSVersion |
instruction/call |
| Namespace | namespace: System.IO |
function/process |
| Class | class: System.Net.WebClient |
function/process |
| Import | import: kernel32.VirtualAlloc |
file |
| Export | export: DllRegisterServer |
file |
| Section | section: .rsrc |
file |
| COM class | com/class: InternetExplorer |
instruction/call |
| COM interface | com/interface: IWebBrowser2 |
instruction/call |
| OS | os: windows |
file |
| Arch | arch: i386 |
file |
| Format | format: pe |
file |
| Characteristic | characteristic: nzxor |
varies |
| Match (rule dep) | match: create TCP socket |
function/process |
6.3 Operators
# All conditions must match
- and:
- api: CreateFileA
- api: WriteFile
# At least one must match
- or:
- api: CreateFileA
- api: CreateFileW
# Condition must NOT match
- not:
- api: IsDebuggerPresent
# At least N must match
- 2 or more:
- api: VirtualAlloc
- api: VirtualProtect
- api: WriteProcessMemory
# Zero or more (non-required enrichment)
- optional:
- api: CloseHandle
6.4 Counting
count(mnemonic(xor)): 2 or more
count(characteristic(nzxor)): (2, 10) # range
count(basic blocks): 4 or more
count(string("error")): 3 or fewer
6.5 Characteristics Reference
| Characteristic | Description |
|---|---|
nzxor |
Non-zeroing XOR instruction (XOR with different operands) |
peb access |
Access to Process Environment Block |
fs access / gs access |
Segment register memory access |
cross section flow |
Call/jump crossing PE section boundaries |
tight loop |
Basic block that branches to itself |
stack string |
String built on stack character by character |
indirect call |
Call through register or memory |
call $+5 |
Get-EIP technique |
embedded pe |
XOR-encoded PE file detected |
loop |
Function contains a loop |
recursive call |
Function calls itself |
6.6 Namespace Hierarchy
anti-analysis/
├── anti-debugging/
├── anti-disassembly/
├── anti-vm/
└── packer/
communication/
├── dns/
├── ftp/
├── http/
├── socket/tcp/
└── socket/udp/
data-manipulation/
├── encryption/
├── hashing/
└── encoding/
host-interaction/
├── file-system/
├── registry/
├── process/
└── os/
load-code/
├── shellcode/
└── pe/
persistence/
├── registry/
└── service/
executable/
├── pe/
└── elf/
6.7 Example Capa Rules
Detect process injection via VirtualAllocEx:
rule:
meta:
name: allocate memory in another process
namespace: host-interaction/process/inject
authors:
- cipher@training
scopes:
static: function
dynamic: call
att&ck:
- Defense Evasion::Process Injection [T1055]
examples:
- abcdef1234567890:0x401000
features:
- and:
- or:
- api: kernel32.VirtualAllocEx
- api: NtAllocateVirtualMemory
- number: 0x40 = PAGE_EXECUTE_READWRITE
Detect HTTP communication:
rule:
meta:
name: send HTTP request
namespace: communication/http
authors:
- cipher@training
scopes:
static: function
dynamic: call
att&ck:
- Command and Control::Application Layer Protocol::Web Protocols [T1071.001]
features:
- or:
- and:
- api: wininet.InternetOpenA
- api: wininet.HttpSendRequestA
- and:
- api: winhttp.WinHttpOpen
- api: winhttp.WinHttpSendRequest
- string: "User-Agent:"
7. Unpacking Methodology
7.1 Identification
# Detect packer/protector
diec sample.exe # Detect It Easy — best first choice
peframe sample.exe # reports packer indicators
yara -r packer_rules/ sample.exe
# Entropy analysis
python3 -c "
import math, sys
data = open(sys.argv[1], 'rb').read()
freq = [0]*256
for b in data: freq[b] += 1
ent = -sum(f/len(data) * math.log2(f/len(data)) for f in freq if f)
print(f'Entropy: {ent:.4f}')
" sample.exe
# Section entropy (per-section tells you WHERE the packed data is)
peframe sample.exe | grep -A 20 "Sections"
Packer identification signals:
| Indicator | Suggests |
|---|---|
| Overall entropy > 7.0 | Packed/encrypted |
| Single high-entropy section + small .text | Packed stub + compressed payload |
| Few imports (LoadLibrary, GetProcAddress only) | Dynamic API resolution after unpack |
| Section names: UPX0, .packed, .MPRESS | Known packer |
| TLS callbacks present | Unpacking or anti-debug before entry |
| Entry point in non-.text section | Packer stub in custom section |
| Large .rsrc section with high entropy | Payload stored as resource |
7.2 Common Packers and Approaches
UPX (trivial)
upx -d sample.exe -o unpacked.exe
# If modified UPX headers — fix section names back to UPX0/UPX1, then decompress
Generic Unpack via Debugger (x64dbg)
1. Load sample in x64dbg
2. Set breakpoints:
bp VirtualAlloc # catch memory allocation for unpacked code
bp VirtualProtect # catch RWX permission setting
3. Run → hit VirtualAlloc
4. Note returned address (EAX/RAX) — this is where unpacked code lands
5. Set hardware breakpoint on write at that address
6. Continue → break when packer writes unpacked code
7. Follow in dump → look for MZ/PE header
8. Set breakpoint on VirtualProtect with PAGE_EXECUTE_READWRITE (0x40)
9. Continue → permission change signals unpacking complete
10. Step to jump/call to unpacked entry point
11. Dump process: Scylla plugin → IAT Autosearch → Get Imports → Dump
CAPEv2 Automated Unpacking
# Submit with CAPE extraction enabled
curl -F "file=@packed.exe" -F "options=CAPE=1" \
http://cape:8000/apiv2/tasks/create/file/
# Results include:
# - Unpacked payloads in "CAPE" tab
# - Extracted configs for supported families
# - Memory dumps with decrypted strings
Speakeasy Emulation Unpacking
speakeasy -t packed.exe -o unpack_trace.json
# Review API trace for:
# - VirtualAlloc calls with RWX
# - Memory write patterns
# - Final execution transfer
un{i}packer (Automated)
# Emulation-based unpacking — handles UPX, ASPack, PEtite, FSG, etc.
unipacker sample.exe
# Outputs unpacked PE when successful
7.3 Advanced Unpacking Patterns
Multi-layer packing (common in modern malware):
Layer 1: Custom packer stub
└─ Decrypts Layer 2 in memory
└─ Layer 2: Shellcode loader
└─ Resolves APIs, allocates memory
└─ Layer 3: Final payload (DLL/EXE)
└─ Reflectively loaded, never touches disk
Approach for multi-layer:
- Break on each
VirtualAlloc+VirtualProtectcycle - Dump memory at each stage
- Analyze each layer independently
- Track API resolution (hash-based imports → resolve and annotate)
Process hollowing unpack:
- Break on
CreateProcessA/W(suspended flagCREATE_SUSPENDED = 0x4) - Break on
NtUnmapViewOfSectionorZwUnmapViewOfSection - Break on
WriteProcessMemory— dump the buffer being written - Break on
ResumeThread— the written buffer IS the unpacked payload - Dump the buffer from step 3 — this is the real malware
7.4 PE Reconstruction After Dump
After dumping from memory, the PE needs fixing:
# Fix PE alignment and imports
# Scylla (x64dbg plugin):
# 1. IAT Autosearch → Get Imports → Fix Dump
# 2. Produces working PE with rebuilt import table
# PE-bear: manually fix
# 1. Load dumped PE
# 2. Fix section alignments (file alignment vs virtual alignment)
# 3. Fix entry point to OEP (Original Entry Point)
# 4. Fix SizeOfImage, SizeOfHeaders
# Imports reconstruction (if IAT destroyed):
# Use ImpRec (Import Reconstructor)
# Or manually resolve via GetProcAddress patterns in dump
8. Malware Family Identification
8.1 Methodology
HASH LOOKUP
│ VirusTotal, MalwareBazaar, Malpedia
│ If known → pull existing analysis, skip to verification
▼
BEHAVIORAL CLUSTERING
│ Import hash (imphash) — same imports = likely same family/builder
│ Fuzzy hash (ssdeep) — content similarity scoring
│ Section hash — similar packing or compilation
│ TLSH — Trend Micro Locality Sensitive Hash
▼
SIGNATURE MATCHING
│ YARA rule scan against community rule sets
│ capa capability detection → namespace matches family behavior
│ Suricata/Snort network signatures on captured traffic
▼
CODE-LEVEL ANALYSIS
│ String artifacts (mutex names, PDB paths, unique error messages)
│ C2 protocol structure (URI patterns, encoding schemes)
│ Encryption implementation (custom vs standard, key derivation)
│ Code reuse detection (BinDiff, Diaphora, Intezer)
▼
CONFIG EXTRACTION
│ CAPEv2 automated extraction
│ Manual: find encrypted config blob → identify decryption routine → extract
│ Compare config structure to known family formats
▼
CLASSIFICATION
Assign family name, variant, and confidence level
8.2 Key Identification Artifacts
| Artifact | Where to Find It | What It Tells You |
|---|---|---|
| Imphash | pefile Python, peframe |
Builder/family fingerprint — same imphash = same build toolchain |
| Rich header hash | PE rich header | Compiler/linker version — links samples to same dev environment |
| PDB path | Debug directory in PE | Developer username, project name, build path |
| Mutex name | CreateMutexA/W argument |
Family identifier — many families use unique mutex patterns |
| User-Agent string | HTTP traffic, strings | C2 framework identifier |
| C2 URI pattern | Network capture | /gate.php, /submit.php, /panel/ — family specific |
| Config structure | Memory dump, decrypted blob | Key/value layout unique to family |
| Encryption constants | Disassembly, hex patterns | Custom algorithms fingerprint the dev team |
| String table | FLOSS, strings | Error messages, command names — developer artifacts |
| Code signing cert | PE signature | Stolen cert reuse links campaigns |
8.3 Intelligence Platforms for Classification
| Platform | Capability |
|---|---|
| Malpedia | Authoritative family taxonomy, YARA rules per family, actor attribution |
| MalwareBazaar | Community samples, tags, family labels, YARA hunting |
| VirusTotal | Multi-AV labels (use vt-grep for behavioral search), YARA retrohunt |
| Hybrid Analysis | CrowdStrike ML classification, behavioral reports |
| Intezer | Code reuse analysis — "genetic" similarity to known families |
| MISP | Threat sharing with family/campaign correlation |
| malwoverview | Unified CLI for querying VT, HA, Bazaar, OTX, Malpedia, ThreatFox |
8.4 Common Malware Family Indicators
RATs (Remote Access Trojans):
- Persistent C2 beaconing (HTTP/HTTPS/DNS/custom protocol)
- Keylogging, screenshot, file exfiltration capabilities
- Plugin/module architecture
- Families: Cobalt Strike, AsyncRAT, QuasarRAT, NjRAT, DarkComet, Remcos
Ransomware:
- File enumeration + encryption loops
- Crypto API usage (CryptEncrypt, BCrypt*, AES/RSA imports)
- Shadow copy deletion (
vssadmin delete shadows) - Note file creation (README.txt, DECRYPT.html)
- Families: LockBit, BlackCat/ALPHV, Royal, Clop, Conti, REvil
Infostealers:
- Browser credential database access (Login Data, cookies.sqlite)
- Crypto wallet file targeting
- Clipboard monitoring
- SMTP/Telegram exfiltration
- Families: RedLine, Raccoon, Vidar, Agent Tesla, FormBook
Loaders/Droppers:
- Minimal initial functionality
- Download + execute pattern
- Heavy obfuscation/packing
- Anti-analysis focus (priority is survival to deliver payload)
- Families: Emotet, QakBot, IcedID, BatLoader, Gootloader
Botnet Agents:
- DGA (Domain Generation Algorithm) for resilient C2
- Modular command processing
- Self-propagation capabilities
- Families: Mirai, TrickBot, Dridex, Necurs
8.5 Malwoverview for Rapid Triage
# Install
pip install -U malwoverview
# Configure API keys in ~/.malwapi.conf
# Triage a sample against multiple engines
malwoverview -f sample.exe
# Search by hash
malwoverview -H sha256_hash
# Directory scan with imphash clustering
malwoverview -d /path/to/samples/
# Query MalwareBazaar for family
malwoverview -b sha256_hash
# Check ThreatFox IOCs
malwoverview -T ioc_value
9. Tool Reference Matrix
9.1 By Analysis Phase
| Phase | Linux Tools | Windows Tools | Online Services |
|---|---|---|---|
| Triage | file, ssdeep, diec, malwoverview |
DiE, PEiD, PEstudio | VirusTotal, MalwareBazaar |
| PE Parse | peframe, pev, readpe |
PE-bear, CFF Explorer, PEstudio | — |
| Strings | strings, floss, xortool |
FLOSS, BinText | — |
| YARA | yara, yarGen, Loki |
YARA, Loki | YARA-CI, VT Retrohunt |
| Capabilities | capa |
capa | — |
| Disassembly | Ghidra, radare2, Cutter | IDA Pro/Free, Ghidra, Binary Ninja | — |
| Debugging | GDB + GEF/PEDA | x64dbg, WinDbg | — |
| Emulation | speakeasy, unicorn, qiling |
Speakeasy | — |
| Sandbox | CAPEv2, DRAKVUF | CAPEv2 (guest) | ANY.RUN, Hybrid Analysis, Joe Sandbox |
| Network | tcpdump, Wireshark, mitmproxy, INetSim |
Wireshark, Fakenet-NG | PacketTotal |
| Memory | Volatility 3, rekall |
Volatility 3 | — |
| Unpacking | upx -d, un{i}packer |
x64dbg + Scylla, UPX | — |
| Documents | olevba, peepdf, pdfid |
OfficeMalScanner | — |
| Threat Intel | malwoverview, MISP |
— | VT, HA, Bazaar, OTX, Malpedia |
9.2 YARA Rule Sources
| Source | Description |
|---|---|
| signature-base | Florian Roth's frequently updated IOC + YARA collection |
| YARA Forge | Curated high-quality rule packages |
| Elastic YARA Rules | 1000+ rules for Linux/Windows/macOS |
| ReversingLabs Rules | Exploit, infostealer, ransomware, trojan rules |
| CAPE Rules | Sandbox-paired detection rules |
| Malpedia Rules | Auto-generated rules from malware corpus |
| awesome-yara | Meta-list of all YARA resources |
9.3 Detection Opportunities (BLUE layer)
Every technique in this document has a defensive detection surface:
| Malware Behavior | Detection Point |
|---|---|
| Process injection | Sysmon Event 8 (CreateRemoteThread), Event 10 (ProcessAccess) |
| API hooking evasion | EDR telemetry gaps — correlate with ETW providers |
| Packed binary execution | High-entropy PE alert, unsigned code in %TEMP% |
| C2 beaconing | Network flow analysis — regular interval detection |
| DNS tunneling | Query length > 50 chars, high unique subdomain count |
| Credential dumping | LSASS access (Sysmon Event 10), SAM registry hive access |
| Persistence (Run key) | Sysmon Event 13 (RegistryValueSet) on Run/RunOnce keys |
| Lateral movement | Event 4624 Type 3, PsExec service creation (Event 7045) |
| Ransomware | Rapid file rename/write patterns, volume shadow deletion |
| Webshell | New file in web-accessible directory, w3wp.exe spawning cmd.exe |
References
- REMnux Distribution: https://remnux.org/
- FLARE-VM: https://github.com/mandiant/flare-vm
- Mandiant capa: https://github.com/mandiant/capa
- capa-rules: https://github.com/mandiant/capa-rules
- YARA: https://github.com/VirusTotal/yara
- YARA Rule Writing: https://yara.readthedocs.io/en/stable/writingrules.html
- awesome-yara: https://github.com/InQuest/awesome-yara
- awesome-malware-analysis: https://github.com/rshipp/awesome-malware-analysis
- CAPEv2: https://github.com/kevoreilly/CAPEv2
- FLOSS: https://github.com/mandiant/flare-floss
- Speakeasy: https://github.com/mandiant/speakeasy
- PE-bear: https://github.com/hasherezade/pe-bear
- Detect It Easy: https://github.com/horsicq/Detect-It-Easy
- malwoverview: https://github.com/alexandreborges/malwoverview
- MalwareBazaar: https://bazaar.abuse.ch/
- Hybrid Analysis: https://www.hybrid-analysis.com/
- ANY.RUN: https://any.run/