Skip to content

Lab 7: Malware Triage

Lab Overview

Estimated Duration: 2-3 hours Difficulty: Intermediate-Advanced Environment: REMnux (Linux) + FlareVM (Windows) Learning Objectives: Perform static and dynamic analysis on a provided malware sample; extract IOCs; write a YARA rule

Safety Warning

This lab uses simulated/safe sample files. Never analyze real malware outside of an isolated, snapshot-based virtual machine environment with no network connectivity to production systems.

Prerequisites

  • REMnux VM downloaded from remnux.org
  • Completed Chapter 18 (Malware Analysis)
  • Familiarity with basic Linux commands

Lab Environment Setup

# REMnux — malware analysis Linux distribution
# Download OVA from: https://remnux.org
# Import into VirtualBox or VMware
# Snapshot BEFORE importing any sample — revert after each sample

# Isolate network:
# VirtualBox: Settings → Network → Host-Only Adapter
# VMware: Settings → Network → Custom (VMnet1 - Host-only)
# INetSim for fake internet: sudo inetsim &

# Verify INetSim is running
sudo inetsim --report-dir /tmp/inetsim_reports/
# INetSim will respond to HTTP, DNS, SMTP, FTP with fake responses
# Direct malware's DNS/HTTP to 127.0.0.1 (INetSim binds here by default)

Sample Files (Simulated — Safe for Analysis)

The lab includes three sample files in /labs/samples/:

  1. sample_a.exe — Packed PE, XOR-encoded payload
  2. sample_b.ps1 — Obfuscated PowerShell dropper
  3. sample_c.pcap — Network capture from malware execution

Download from the course lab materials directory. SHA256 hashes provided for verification.

Part 1: Triage (5 minutes per sample)

1.1 File Identification and Hashing

# Always start with identification
file sample_a.exe
sha256sum sample_a.exe | tee sample_a.sha256

# Check VirusTotal (hash only — never upload sensitive samples)
# Manual: go to virustotal.com → Search tab → paste SHA256
# Or via API:
VT_API_KEY="your_api_key_here"
SHA256=$(sha256sum sample_a.exe | cut -d' ' -f1)
curl -s "https://www.virustotal.com/api/v3/files/$SHA256" \
  -H "x-apikey: $VT_API_KEY" | python3 -m json.tool | \
  python3 -c "
import sys,json
d=json.load(sys.stdin)
attrs=d.get('data',{}).get('attributes',{})
stats=attrs.get('last_analysis_stats',{})
print(f'Malicious: {stats.get(\"malicious\",0)}/{sum(stats.values())}')
print('Names:', attrs.get('names',['unknown'])[:3])
print('Type:', attrs.get('type_tag','unknown'))
"

1.2 DIE (Detect-It-Easy) Analysis

# Detect packer/obfuscation
die sample_a.exe

# Expected output for packed sample:
# PE64
# Packer: UPX(3.96)[NRV,brute]
# Linker: Microsoft Linker(14.27)[EXE64]

1.3 Quick String Extraction

# Extract printable strings (minimum 8 chars)
strings -n 8 sample_a.exe | grep -iE "(http|https|cmd|powershell|reg|taskkill|vssadmin|CreateProcess|WriteFile|socket)" | head -20

# Unicode strings
strings -el sample_a.exe | head -20

# FLOSS — extract obfuscated/stack strings (takes longer)
floss --no-static-strings sample_a.exe 2>/dev/null | head -30

Lab Question 1: What strings suggest this sample's capabilities?

Part 2: Static PE Analysis

2.1 PE Header Analysis

# pefile Python analysis
python3 << 'EOF'
import pefile, datetime, math

pe = pefile.PE("sample_a.exe")

# Compilation timestamp
ts = pe.FILE_HEADER.TimeDateStamp
print(f"Compiled: {datetime.datetime.utcfromtimestamp(ts)} UTC")

# Sections and entropy
print("\nSections:")
for section in pe.sections:
    name = section.Name.decode('utf-8', errors='replace').strip('\x00')
    entropy = section.get_entropy()
    print(f"  {name:<10} VSize:{section.Misc_VirtualSize:>8} RawSize:{section.SizeOfRawData:>8} Entropy:{entropy:.2f} {'[PACKED?]' if entropy > 7.0 else ''}")

# Imports
print("\nImport Table:")
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print(f"  {entry.dll.decode()}")
        for imp in entry.imports[:5]:  # First 5 imports per DLL
            name = imp.name.decode() if imp.name else f"Ordinal {imp.ordinal}"
            print(f"    {name}")
else:
    print("  No import table — possibly packed")
EOF

2.2 Ghidra Analysis (FlareVM or GUI available)

Ghidra Quick Analysis Steps:
1. File → New Project → Add File (sample_a.exe)
2. Double-click to open in CodeBrowser
3. Auto-analyze → check all analyzers → OK
4. Wait for analysis to complete (2-5 minutes for small file)

Key Locations to Examine:
├── Symbol Tree → Functions → Look for suspicious function names
├── Search → For Strings → filter for: http, CreateProcess, WinExec
├── Window → Decompiler → view pseudo-C for selected function
└── Navigation → Go To → entry (main entry point)

Focus Areas:
- Main function: What does the program do first?
- Network functions: WSAStartup, connect, recv, send
- File operations: CreateFile, WriteFile (dropper indicator)
- Decryption loops: XOR with counter variable = encoding indicator

Lab Question 2: Identify the three most suspicious API calls in sample_a.exe and explain what they indicate.

Part 3: Dynamic Analysis

3.1 Process Monitor Setup

FlareVM Setup (Windows Analysis VM):
1. Start INetSim on REMnux before executing sample
   (Route sample VM traffic to REMnux for fake internet)

2. Open Process Monitor (ProcMon)
   Filter: Process Name | is | sample_a.exe
   Start capture (Ctrl+E to enable)

3. Open Wireshark
   Capture on the interface connected to analysis network

4. Execute sample (in Administrator CMD or PowerShell):
   C:\Labs\sample_a.exe

5. Wait 60 seconds for initial behavior
6. Stop ProcMon capture
7. Stop Wireshark capture

3.2 Analyze Process Monitor Output

ProcMon Analysis — Look For:

File System:
├── WRITETEXT → Files dropped (payload staging)
├── Path contains: \Temp\, \AppData\, \Windows\System32\
└── DELETEPATH → Cleanup / anti-forensics

Registry:
├── RegSetValue → Persistence (Run keys, services)
├── HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
├── HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
└── HKLM\SYSTEM\CurrentControlSet\Services

Network:
├── Use Wireshark for this (ProcMon shows connections, not content)
└── Any external IP connections after INetSim responds?

Process:
└── Process Tree → Did sample_a.exe spawn child processes?

3.3 Wireshark Analysis

# From REMnux, review captured traffic from sample
# (Wireshark + INetSim logs in /var/log/inetsim/)

# Check INetSim report for all connections
cat /var/log/inetsim/report/report-$(date +%Y%m%d)*.txt | grep -E "HTTP|DNS|TCP"

# Wireshark filters for analysis
# HTTP POST (possible data exfiltration or C2 beacon)
# dns.qry.name (check for DGA patterns — random-looking names)
# tcp.flags.syn==1 (all new connections)

Lab Question 3: What IP addresses and domains did the sample attempt to contact?

Part 4: Memory Forensics (sample_c.pcap pre-analysis)

4.1 Volatility Analysis

# A memory dump is provided alongside sample_c.pcap
# Analysis with Volatility 3

cd /labs/
python3 vol.py -f memory_sample.raw windows.info

# Process listing
python3 vol.py -f memory_sample.raw windows.pslist

# Find injected code
python3 vol.py -f memory_sample.raw windows.malfind

# Network connections at time of dump
python3 vol.py -f memory_sample.raw windows.netscan

# Command line history
python3 vol.py -f memory_sample.raw windows.cmdline

Lab Question 4: Identify any processes showing signs of process injection (malfind results). What indicators suggest injection?

Part 5: IOC Extraction and YARA Rule Development

5.1 Compile IOCs

Based on your analysis, compile a structured IOC list:

## IOC Report — sample_a.exe

**File Hash**: SHA256: [VALUE]
**File Type**: PE32+ Windows executable, packed UPX

**Network Indicators**:
- C2 Domain: [FROM ANALYSIS]
- C2 IP: [FROM ANALYSIS]
- HTTP URI pattern: [FROM ANALYSIS]
- User-Agent: [FROM ANALYSIS]

**Host Indicators**:
- Mutex name: [FROM ANALYSIS]
- Registry key: [FROM ANALYSIS]
- Files dropped: [FROM ANALYSIS]
- Process name: [FROM ANALYSIS]

**Behavioral Indicators**:
- MITRE ATT&CK: T1059.001 (PowerShell), T1547.001 (Run Key), T1071.001 (HTTP C2)
- Actions: [FROM ANALYSIS]

5.2 Write a YARA Rule

/*
Lab Exercise: Write a YARA rule detecting sample_a.exe based on your analysis.
Requirements:
1. Rule must match sample_a.exe
2. Rule must NOT match clean Windows binaries
3. Include at least 3 string indicators
4. Include file size or PE header conditions
*/

rule Lab07_Sample_A {
    meta:
        description = "Detects sample_a malware from Lab 07"
        author = "Your Name"
        date = "2026-MM-DD"
        hash = "SHA256_FROM_YOUR_ANALYSIS"
        lab = "Nexus SecOps Lab 07"

    strings:
        // TODO: Replace with strings found in your analysis
        $string1 = "REPLACE_WITH_UNIQUE_STRING_1" nocase
        $string2 = "REPLACE_WITH_UNIQUE_STRING_2"
        $string3 = { XX XX XX XX XX XX XX XX }  // Hex pattern from decoder stub

    condition:
        uint16(0) == 0x5A4D and  // MZ header
        filesize < 1MB and
        2 of ($string*)
}

5.3 Test Your YARA Rule

# Test against sample
yara -r lab07_rule.yar /labs/samples/

# Verify no false positives on clean files
yara -r lab07_rule.yar /usr/bin/ 2>/dev/null | head -5
# Should produce no output (no matches on clean system binaries)

Lab Deliverables

  1. Triage Report (1 page): File metadata, initial assessment, recommended priority
  2. IOC List: All extracted indicators with confidence ratings
  3. YARA Rule: Working rule with documentation
  4. ATT&CK Mapping: At minimum 3 techniques with evidence

Lab Questions (Submit for Grading)

  1. What packer/protector was used on sample_a.exe? How did you determine this?
  2. Name three imports that indicate malicious capability and explain each.
  3. What persistence mechanism was used? What registry key?
  4. Describe one network indicator and explain how it could be used for detection.
  5. How would you tune your YARA rule to reduce false positives?