Malware Analysis CheatSheet (2025) - CyberDudeBivash | Cybersecurity, AI & Threat Intel

18 Mar

18Mar

Malware Analysis Cheat Sheet (2025)

Static Analysis
- Purpose: Examine code without execution to identify indicators of compromise (IoCs).
- Key Steps:
  - Extract embedded strings, headers, and metadata (e.g., strings, PEiD).
  - Analyze binary structure (e.g., PE sections, entropy checks).
  - Identify encryption/obfuscation patterns.
- Tools:
  - PE Studio (PE file analysis)
  - IDA Pro/Ghidra (disassembly)
  - ExifTool (metadata extraction)
Dynamic Analysis
- Purpose: Observe behavior in a controlled environment.
- Key Steps:
  - Monitor system interactions (registry, files, processes) with Process Monitor/ProcDOT.
  - Capture network traffic using Wireshark/Fiddler.
  - Simulate services (e.g., INetSim for DNS/HTTP).
- Tools:
  - Cuckoo Sandbox (automated behavioral analysis)
  - Noriben (Python-based monitoring)
  - FakeDNS (redirect malicious traffic)
Automated Analysis
- Purpose: Rapid triage and scalable processing.
- Tools:
  - VirusTotal (multiscanner for IoCs)
  - ANY.RUN/Hybrid Analysis (interactive sandboxes)
  - Joe Sandbox (AI-driven reports)
Manual Code Reversing
- Purpose: Decode hidden logic and persistence mechanisms.
- Key Steps:
  - Use debuggers (x64dbg, WinDbg) to trace execution flow.
  - Deobfuscate strings with FLARE-FLOSS.
  - Unpack samples via memory dumping (OllyDump).

Memory Forensics:
- Use Volatility/Rekall to detect fileless malware, rootkits, and decrypted payloads.
- Commands: volatility -f memdump.mem pslist (process listing).
Network Forensics:
- Analyze C2 traffic patterns with Zeek/Suricata.
- Redirect traffic via accept-all-ips to capture staged payloads.
Anti-Evasion Tactics:
- Bypass sandbox detection by simulating user activity (e.g., mouse movements via Python scripts).
- Use Cape Framework for advanced environment emulation.

Category	Tools
Static Analysis	PEiD, Detect It Easy (DIE), Ghidra, Radare2
Dynamic Analysis	Process Hacker, RegShot, ProcMon, Fiddler, INetSim
Sandboxes	ANY.RUN, Cuckoo, Hybrid Analysis, Joe Sandbox
Reverse Engineering	IDA Pro, Binary Ninja, Ghidra, x64dbg
Memory Analysis	Volatility, Rekall, Magnet RAM Capture

Lab Setup:
- Isolate environments using virtualization (VMware/VirtualBox) or bare-metal systems.
- Use Clonezilla/FOG for quick system restoration.
Documentation:
- Record findings in STIX/TAXII formats for threat intel sharing.
- Generate YARA rules for future detection (e.g., yara-generator).
Threat Intel Integration:
- Cross-reference IoCs with MITRE ATT&CK (e.g., TTPs like Credential Dumping).
- Share hashes/signatures via MISP/OpenCTI.

Step	Action	Tool Example
Initial Triage	Check file hashes/strings	`PE Studio`, `HashCalc`
Behavior Capture	Monitor registry/filesystem	`Process Monitor`, `ProcDOT`
Network Analysis	Inspect HTTP/DNS requests	`Wireshark`, `Zeek`
Code Reversing	Disassemble packed binaries	`Ghidra`, `UnpacMe`

AI-Driven Threats: Use ML models (e.g., Darktrace) to detect adversarial malware.
Quantum-Resistant Analysis: Prepare for post-quantum encryption in C2 channels.

🔗 Resources:

Comments