Malware Analysis Sandbox Simulator

MicroSim 41 Interactive 100% Synthetic Data Learn static & dynamic analysis, IOC extraction, and detection engineering

No sample loaded

Load a synthetic malware sample to begin analysis. All data is 100% fabricated for educational purposes.

📄 Load a sample to begin static analysis

Suspicious APIs

C2 Indicators

Packed Sections

PE Anomalies

🗃 PE Header Information

DOS Header
e_magic	`0x5A4D` (MZ)
e_lfanew	`0x000000F0`
PE Signature
Signature	`0x00004550` (PE\0\0)
Machine	`0x014C` (i386)
TimeDateStamp	`0x65A3B1C2` (2025-01-14 08:33:22 UTC)
Characteristics	`0x010F` (EXECUTABLE_IMAGE \| 32BIT)

Optional Header
Magic	`0x010B` (PE32)
AddressOfEntryPoint	`0x00012A40`
ImageBase	`0x00400000`
SectionAlignment	`0x1000`
Subsystem	`0x0003` (WINDOWS_CUI)
DllCharacteristics	`0x0000` No ASLR/DEP
Checksum	`0x00000000` Invalid

📜 Section Table

Name	Virtual Size	Virtual Addr	Raw Size	Entropy	Flags
`.text`	0x00018200	0x00001000	0x00018400	6.24	`0x60000020` RX
`.rdata`	0x00006800	0x0001A000	0x00006A00	4.67	`0x40000040` R
`.data`	0x00002400	0x00021000	0x00000800	3.31	`0xC0000040` RW
`.rsrc`	0x00001200	0x00024000	0x00001400	7.52	`0x40000040` R ⚠ High Entropy
`.reloc`	0x00003600	0x00026000	0x00003800	7.14	`0x42000040` R ⚠ High Entropy
`UPX0`	0x0000C000	0x0002A000	0x00000000	7.81	`0xE0000080` RWX ⚠ Packer

⚠ Sections .rsrc, .reloc, and UPX0 show high entropy (>7.0), indicating packed or encrypted content. UPX0 section name is consistent with UPX packer.

🔗 Import Table — Suspicious APIs

DLL	Function	Risk	Description
`kernel32.dll`	`VirtualAlloc`	HIGH	Allocates RWX memory — common in shellcode injection
`kernel32.dll`	`VirtualProtect`	HIGH	Changes memory protection to executable — DEP bypass
`kernel32.dll`	`CreateRemoteThread`	HIGH	Creates thread in another process — process injection
`kernel32.dll`	`WriteProcessMemory`	HIGH	Writes to another process memory — code injection
`kernel32.dll`	`OpenProcess`	MED	Opens handle to target process for injection
`wininet.dll`	`InternetOpenA`	MED	Initializes WinINet — C2 communication
`wininet.dll`	`InternetOpenUrlA`	MED	Opens URL for data download/exfiltration
`wininet.dll`	`HttpSendRequestA`	MED	Sends HTTP request to C2 server
`advapi32.dll`	`CryptEncrypt`	MED	Encrypts data — could be ransomware or C2 encryption
`advapi32.dll`	`RegSetValueExA`	MED	Modifies registry — persistence mechanism
`ntdll.dll`	`NtUnmapViewOfSection`	HIGH	Hollows target process memory — process hollowing

🔏 Extracted Strings (Suspicious)

0x00041A20URL hxxp://c2[.]example[.]com/beacon

0x00041A50URL hxxps://staging[.]example[.]com/update

0x00041A88URL hxxp://exfil[.]example[.]com/upload?id=

0x00041AC0URL hxxp://fallback[.]example[.]com:8443/gate

0x00042100REG HKCU\Software\Microsoft\Windows\CurrentVersion\Run

0x00042160REG HKLM\SYSTEM\CurrentControlSet\Services\SyntheticSvc

0x000421B0FILE C:\Users\Public\Documents\svchost_helper.exe

0x000421F0FILE %APPDATA%\Microsoft\config.dat

0x00042230FILE %TEMP%\~df4829.tmp

0x00042260API IsDebuggerPresent

0x00042280API CheckRemoteDebuggerPresent

0x000422B0API GetTickCount (anti-sandbox timing check)

0x000422E0STR Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)

0x00042330STR cmd.exe /c whoami & ipconfig /all

0x00042370STR powershell.exe -nop -w hidden -enc

0x000423A0STR SyntheticMalware_v2.3_BUILD_20250114

▶ Load a sample and run dynamic analysis

Sandbox Execution Report

Runtime: 120s Risk Score: 92/100

🌳 Process Tree

PID 4 System
- PID 812 csrss.exe
- PID 1204 explorer.exe
  - PID 3284 sample_invoice.exe ⚠
    - PID 3440 cmd.exe ⚠
      - PID 3612 powershell.exe -nop -w hidden ⚠
      - PID 3720 whoami.exe
      - PID 3744 ipconfig.exe
    - PID 4012 svchost_helper.exe ⚠

🔴 Red-bordered nodes indicate suspicious processes spawned by the sample.

🕐 Execution Timeline

T+0.000s

Process Created: sample_invoice.exe (PID 3284) spawned by explorer.exe

T+0.120s

Anti-Debug Check: IsDebuggerPresent() called — returned FALSE

T+0.250s

Memory Allocation: VirtualAlloc(0, 0xC000, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE)

T+0.800s

File Created: C:\Users\Public\Documents\svchost_helper.exe (92,160 bytes)

T+1.100s

File Created: %APPDATA%\Microsoft\config.dat (encrypted configuration)

T+1.350s

Registry Modified: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcHelper = "C:\Users\Public\Documents\svchost_helper.exe"

T+1.400s

Registry Created: HKLM\SYSTEM\CurrentControlSet\Services\SyntheticSvc (service persistence)

T+1.800s

Process Created: cmd.exe /c whoami & ipconfig /all (PID 3440) — host reconnaissance

T+2.200s

Process Created: powershell.exe -nop -w hidden -enc [base64] (PID 3612) — encoded command execution

T+3.000s

DNS Query: c2.example.com → 192.0.2.50

T+3.200s

HTTP POST: hxxp://192.0.2.50/beacon — User-Agent: Mozilla/5.0 (compatible; MSIE 10.0)

T+5.500s

HTTP GET: hxxps://staging.example.com/update — Downloaded 2nd stage payload (48,640 bytes)

T+6.000s

Process Injection: WriteProcessMemory + CreateRemoteThread into svchost_helper.exe (PID 4012)

T+10.000s

HTTP POST: hxxp://exfil.example.com/upload?id=A3F2 — Encrypted data exfiltration (12,288 bytes)

T+60.000s

C2 Beacon: Periodic callback to 192.0.2.50:443 every ~60 seconds

🌐 Network Activity

Time	Protocol	Source	Destination	Info
T+3.0s	DNS	10.0.0.15:54821	10.0.0.2:53	A c2.example.com → 192.0.2.50
T+3.1s	DNS	10.0.0.15:54822	10.0.0.2:53	A staging.example.com → 198.51.100.20
T+3.2s	HTTP	10.0.0.15:49201	192.0.2.50:80	POST /beacon (beacon registration, 256 bytes)
T+5.5s	HTTPS	10.0.0.15:49210	198.51.100.20:443	GET /update (stage 2 download, 48,640 bytes)
T+9.8s	DNS	10.0.0.15:54830	10.0.0.2:53	A exfil.example.com → 203.0.113.100
T+10.0s	HTTP	10.0.0.15:49220	203.0.113.100:80	POST /upload?id=A3F2 (data exfiltration, 12,288 bytes)
T+10.1s	DNS	10.0.0.15:54835	10.0.0.2:53	A fallback.example.com → 192.0.2.75
T+60.0s	HTTPS	10.0.0.15:49250	192.0.2.50:443	POST /beacon (heartbeat, 128 bytes — recurring)

📁 File System Changes

Action	Path	Details
CREATED	`C:\Users\Public\Documents\svchost_helper.exe`	92,160 bytes — persistence payload (dropped binary)
CREATED	`%APPDATA%\Microsoft\config.dat`	4,096 bytes — encrypted C2 configuration
CREATED	`%TEMP%\~df4829.tmp`	48,640 bytes — temporary 2nd stage payload
MODIFIED	`%TEMP%\~df4829.tmp`	File read then deleted after injection
DELETED	`%TEMP%\~df4829.tmp`	Cleaned up to avoid forensic detection

📑 Registry Modifications

Action	Key	Value	Purpose
SET	`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`	`SvcHelper = "C:\Users\Public\Documents\svchost_helper.exe"`	Boot persistence (current user)
CREATE	`HKLM\SYSTEM\CurrentControlSet\Services\SyntheticSvc`	`ImagePath = "C:\Users\Public\Documents\svchost_helper.exe"`	Service persistence (requires elevation)
SET	`HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced`	`Hidden = 2`	Hide hidden files in Explorer
SET	`HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System`	`EnableLUA = 0`	Disable UAC prompt (defense evasion)

🎯 Load a sample to extract IOCs

Extracted Indicators of Compromise

🔐 File Hashes

Primary Sample: sample_invoice.exe

MD5 a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6

SHA1 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b

SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SSDEEP 1536:a8B2kMF3qLR7UXj6Yb5g3x1H9nZ:a8Bm3qp7UXjm5g3x1dn

Dropped Binary: svchost_helper.exe

MD5 f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2

SHA256 4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b

🌐 Network Indicators

IP Addresses

IPv4 192.0.2.50 C2 Server

IPv4 198.51.100.20 Staging

IPv4 203.0.113.100 Exfiltration

IPv4 192.0.2.75 Fallback C2

Domains

DOMAIN c2[.]example[.]com Primary C2

DOMAIN staging[.]example[.]com Staging

DOMAIN exfil[.]example[.]com Exfil

DOMAIN fallback[.]example[.]com Fallback

URLs

URL hxxp://c2[.]example[.]com/beacon

URL hxxps://staging[.]example[.]com/update

URL hxxp://exfil[.]example[.]com/upload?id=

URL hxxp://fallback[.]example[.]com:8443/gate

💻 Host-Based Indicators

File Paths

FILE C:\Users\Public\Documents\svchost_helper.exe

FILE %APPDATA%\Microsoft\config.dat

FILE %TEMP%\~df4829.tmp

Registry Keys

REG HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SvcHelper

REG HKLM\SYSTEM\CurrentControlSet\Services\SyntheticSvc

Mutex / Named Objects

MUTEX Global\SynMtx_A3F2B1C4

🛡 YARA Rule Template (from IOCs)

rule Trojan_SyntheticAgent_IOCs { meta: description = "Detects SyntheticAgent trojan based on extracted IOCs" author = "Nexus SecOps MicroSim 41" date = "2025-01-14" reference = "Synthetic analysis - educational only" hash = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" strings: $c2_1 = "c2.example.com" ascii wide $c2_2 = "staging.example.com" ascii wide $c2_3 = "exfil.example.com" ascii wide $c2_4 = "fallback.example.com" ascii wide $path_1 = "beacon" ascii $path_2 = "/update" ascii $path_3 = "/upload?id=" ascii $path_4 = "/gate" ascii $ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)" ascii $mutex = "SynMtx_A3F2B1C4" ascii wide $drop = "svchost_helper.exe" ascii wide $build = "SyntheticMalware_v2.3" ascii condition: uint16(0) == 0x5A4D and filesize < 500KB and ( (2 of ($c2_*) and 1 of ($path_*)) or ($mutex and $drop) or ($build) ) }

🚀 MITRE ATT&CK Technique Mapping

T1059.001PowerShell

T1059.003Windows Command Shell

T1055.012Process Hollowing

T1055.003Thread Execution Hijacking

T1547.001Registry Run Keys

T1543.003Windows Service

T1071.001Web Protocols (HTTP/S)

T1041Exfiltration Over C2

T1082System Information Discovery

T1033System Owner/User Discovery

T1027Obfuscated Files or Info

T1140Deobfuscate/Decode Files

T1562.001Disable or Modify Tools

T1497.001System Checks (Anti-Sandbox)

T1573.001Encrypted Channel (Symmetric)

T1105Ingress Tool Transfer

🛡 Load a sample to generate detection rules

Auto-Generated Detection Rules

What this detects: This KQL rule for Microsoft Sentinel correlates process creation events showing the malware execution chain (suspicious parent-child process relationships, encoded PowerShell, and C2 beacon traffic). It combines DeviceProcessEvents and DeviceNetworkEvents to detect both the execution and network indicators in a single analytic rule.

// Nexus SecOps - SyntheticAgent Trojan Detection // Platform: Microsoft Sentinel (KQL) // Description: Detects SyntheticAgent trojan execution chain and C2 comms // Rule 1: Suspicious process chain detection let SuspiciousProcessChain = DeviceProcessEvents | where Timestamp > ago(24h) | where InitiatingProcessFileName =~ "explorer.exe" | where FileName has_any ("cmd.exe", "powershell.exe") | where ProcessCommandLine has_any ( "-nop -w hidden", "-enc", "whoami", "ipconfig /all" ) | project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine, ProcessId; // Rule 2: Dropped file detection let DroppedFiles = DeviceFileEvents | where Timestamp > ago(24h) | where ActionType == "FileCreated" | where FolderPath has_any ( @"C:\Users\Public\Documents\svchost_helper.exe", @"config.dat", @"~df4829.tmp" ) | project Timestamp, DeviceName, FolderPath, SHA256; // Rule 3: C2 network communication let C2Traffic = DeviceNetworkEvents | where Timestamp > ago(24h) | where RemoteIP in ("192.0.2.50", "198.51.100.20", "203.0.113.100", "192.0.2.75") or RemoteUrl has_any ( "c2.example.com", "staging.example.com", "exfil.example.com", "fallback.example.com" ) | project Timestamp, DeviceName, RemoteIP, RemoteUrl, RemotePort; // Rule 4: Registry persistence detection let RegPersistence = DeviceRegistryEvents | where Timestamp > ago(24h) | where ActionType == "RegistryValueSet" | where RegistryKey has_any ( @"CurrentVersion\Run", @"CurrentControlSet\Services\SyntheticSvc" ) | where RegistryValueData has "svchost_helper" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData; // Correlate: union all indicators by device SuspiciousProcessChain | join kind=inner DroppedFiles on DeviceName | join kind=inner C2Traffic on DeviceName | project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, RemoteIP, RemoteUrl | sort by Timestamp asc

What this detects: This Splunk SPL query searches Windows Security and Sysmon logs for the multi-stage attack chain. It combines process creation (Event ID 1), file creation (Event ID 11), registry modification (Event ID 13), and network connection (Event ID 3) events to identify the SyntheticAgent trojan behavior pattern across your Splunk deployment.

`comment("Nexus SecOps - SyntheticAgent Trojan Detection")` `comment("Platform: Splunk (SPL)")` `comment("Searches: Sysmon + Windows Security")` | tstats summariesonly=t count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="explorer.exe" (Processes.process_name="cmd.exe" OR Processes.process_name="powershell.exe") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id | `drop_dm_object_name(Processes)` | search (process="*-nop*" OR process="*-enc*" OR process="*whoami*" OR process="*ipconfig*") | rename dest as src_host `comment("--- File creation: dropped payloads ---")` | append [ search index=sysmon EventCode=11 (TargetFilename="*svchost_helper.exe" OR TargetFilename="*config.dat" OR TargetFilename="*~df4829.tmp") | stats count by Computer TargetFilename | rename Computer as src_host ] `comment("--- Registry persistence ---")` | append [ search index=sysmon EventCode=13 (TargetObject="*CurrentVersion\\Run*" OR TargetObject="*SyntheticSvc*") Details="*svchost_helper*" | stats count by Computer TargetObject Details | rename Computer as src_host ] `comment("--- Network C2 indicators ---")` | append [ search index=sysmon EventCode=3 (DestinationIp="192.0.2.50" OR DestinationIp="198.51.100.20" OR DestinationIp="203.0.113.100" OR DestinationIp="192.0.2.75") | stats count by Computer DestinationIp DestinationPort | rename Computer as src_host ] | stats values(*) as * by src_host | where isnotnull(process_name) AND isnotnull(TargetFilename) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`

What this detects: These Sigma rules provide vendor-agnostic detection logic that can be converted to KQL, SPL, or other query languages using sigma-cli or uncoder.io. The rules cover the three main behavioral phases: suspicious process execution chain, persistence via registry, and C2 network communication. Sigma rules are the recommended format for sharing detection logic across teams and platforms.

# Nexus SecOps - SyntheticAgent Trojan Detection # Platform: Sigma (vendor-agnostic) # Converts to: KQL, SPL, EQL, Lucene, etc. title: SyntheticAgent Trojan - Process Execution Chain id: 8a3f7c21-4b6e-4d9a-b5c2-1e8f3a7d6b4c status: experimental description: | Detects suspicious process chain characteristic of SyntheticAgent trojan execution. Educational rule - Nexus SecOps MicroSim 41. author: Nexus SecOps date: 2025/01/14 references: - https://nexus-secops.pages.dev/microsims/sim41 tags: - attack.execution - attack.t1059.001 - attack.t1059.003 - attack.defense_evasion logsource: category: process_creation product: windows detection: selection_parent: ParentImage|endswith: '\explorer.exe' selection_child: Image|endswith: - '\cmd.exe' - '\powershell.exe' selection_cmdline: CommandLine|contains: - '-nop -w hidden' - '-enc' - 'whoami' - 'ipconfig /all' condition: selection_parent and selection_child and selection_cmdline falsepositives: - Legitimate admin scripts - Software deployment tools level: high --- title: SyntheticAgent Trojan - Registry Persistence id: 9b4e8d32-5c7f-4e0b-a6d3-2f9e4b8c7d5e status: experimental description: | Detects registry persistence mechanism used by SyntheticAgent trojan. author: Nexus SecOps date: 2025/01/14 tags: - attack.persistence - attack.t1547.001 - attack.t1543.003 logsource: category: registry_set product: windows detection: selection_run_key: TargetObject|contains: - 'CurrentVersion\Run' Details|contains: - 'svchost_helper' selection_service: TargetObject|contains: - 'Services\SyntheticSvc' condition: selection_run_key or selection_service falsepositives: - Legitimate service installation level: high --- title: SyntheticAgent Trojan - C2 Communication id: ac5f9e43-6d80-4f1c-b7e4-3a0f5c9d8e6f status: experimental description: | Detects network communication to known SyntheticAgent C2 infrastructure. author: Nexus SecOps date: 2025/01/14 tags: - attack.command_and_control - attack.t1071.001 - attack.exfiltration - attack.t1041 logsource: category: dns_query product: windows detection: selection_domains: QueryName|endswith: - 'c2.example.com' - 'staging.example.com' - 'exfil.example.com' - 'fallback.example.com' condition: selection_domains falsepositives: - None expected (synthetic indicators) level: critical

What this detects: This YARA rule scans files on disk or in memory for signatures characteristic of the SyntheticAgent trojan family. It checks for PE format, suspicious API imports (process injection primitives), C2 infrastructure strings, anti-analysis techniques, and the build identifier. The rule uses a weighted condition to reduce false positives while maintaining detection coverage across variants.

/* * Nexus SecOps - SyntheticAgent Trojan Detection * Platform: YARA * Usage: yara -r syntheticagent.yar /path/to/scan * Educational rule - 100% synthetic indicators */ import "pe" import "math" rule Trojan_SyntheticAgent_Behavioral { meta: description = "Detects SyntheticAgent trojan family" author = "Nexus SecOps MicroSim 41" date = "2025-01-14" version = "1.0" reference = "https://nexus-secops.pages.dev" tlp = "WHITE" hash_sample = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" strings: // --- C2 Infrastructure --- $c2_domain_1 = "c2.example.com" ascii wide nocase $c2_domain_2 = "staging.example.com" ascii wide nocase $c2_domain_3 = "exfil.example.com" ascii wide nocase $c2_domain_4 = "fallback.example.com" ascii wide nocase $c2_path_1 = "/beacon" ascii $c2_path_2 = "/upload?id=" ascii $c2_path_3 = "/gate" ascii // --- Suspicious User-Agent --- $ua = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)" ascii // --- Persistence Indicators --- $reg_run = "CurrentVersion\\Run" ascii wide nocase $svc_name = "SyntheticSvc" ascii wide nocase $drop_name = "svchost_helper.exe" ascii wide nocase $config_file = "config.dat" ascii wide // --- Anti-Analysis --- $anti_dbg_1 = "IsDebuggerPresent" ascii $anti_dbg_2 = "CheckRemoteDebuggerPresent" ascii $anti_sb = "GetTickCount" ascii // --- Process Injection APIs --- $api_inject_1 = "VirtualAlloc" ascii $api_inject_2 = "WriteProcessMemory" ascii $api_inject_3 = "CreateRemoteThread" ascii $api_inject_4 = "NtUnmapViewOfSection" ascii // --- Reconnaissance Commands --- $recon_1 = "whoami" ascii nocase $recon_2 = "ipconfig /all" ascii nocase // --- Build ID --- $build = "SyntheticMalware_v2" ascii // --- Mutex --- $mutex = "SynMtx_" ascii wide condition: // Must be a PE file uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and filesize < 500KB and ( // High confidence: C2 + injection (2 of ($c2_domain_*) and 2 of ($api_inject_*)) or // Medium confidence: persistence + recon ($drop_name and $svc_name and 1 of ($recon_*)) or // Build string (unique to this family) ($build and $mutex) or // Behavioral combo: anti-debug + injection + C2 (1 of ($anti_dbg_*) and 2 of ($api_inject_*) and 1 of ($c2_domain_*)) ) // Additional: check for high-entropy sections // (indicates packing/encryption) and for any i in (0..pe.number_of_sections - 1) : ( math.entropy( pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size ) > 7.0 ) }

No sample loaded

Verdict: Malicious — Trojan.GenericKD / Backdoor.Agent

Sandbox Execution Report

Extracted Indicators of Compromise

Auto-Generated Detection Rules