juanhkahfi/malwareanalysis
Malware Analysis Notes & Playbook

This repository is a personal knowledge base, checklist, and playbook for conducting malware analysis. It consolidates notes on setting up a secure analysis lab, procedures for static and dynamic analysis, and key concepts for identifying and reporting on malware behavior.

Core Concepts

This collection covers the fundamental approaches to malware analysis:

  • Static Analysis: Analyzing malicious software without executing it. This involves examining file properties such as:
    • PE (Portable Executable) headers
    • Imported and exported DLLs
    • Strings embedded in the binary
  • Dynamic Analysis: Running the malware in a secure, isolated sandbox or virtual machine to observe its behavior. This focuses on monitoring:
    • Network connections
    • File system and Registry modifications
    • Process activity
  • Hybrid Analysis: A combined approach using both static and dynamic methods to gain a comprehensive understanding of the threat.
  • C2 (Command & Control): Notes define C2 addresses as the server locations (IPs, domains, or URLs) that malware communicates with to receive instructions or send stolen data.
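As an added illustration of the static-analysis items above (this is not code from the notes), a standard-library-only Python triage helper that reads the PE/COFF header fields, hashes the file for sandbox or VirusTotal lookup, and pulls printable strings the way `strings` does. The sample PE blob is constructed for the demonstration; walking the full import table is left out to keep the example short.

```python
"""Minimal static-triage helper: PE/COFF header fields, hash, printable strings.

Added example, not from the notes. Standard library only (no pefile needed).
The sample bytes built below are constructed, not real malware.
"""
import hashlib
import re
import struct

MACHINE_NAMES = {0x014C: "x86", 0x8664: "x64", 0x01C4: "ARM", 0xAA64: "ARM64"}


def parse_pe_header(data: bytes) -> dict:
    """Return basic COFF header fields, or raise ValueError if not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew (offset 0x3C of the DOS header) points at the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header (20 bytes) follows the 4-byte PE signature
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,            # compile time claimed by the linker
        "optional_header_size": opt_size,
        "is_dll": bool(chars & 0x2000),    # IMAGE_FILE_DLL characteristic bit
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len bytes (what `strings` reports)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def build_sample() -> bytes:
    """Constructed minimal PE-like blob: DOS stub, PE signature, COFF header, data."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    # x64, 3 sections, fake timestamp, 0xF0-byte optional header, EXE flags
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0x5F000000, 0, 0, 0xF0, 0x0022)
    blob = b"\0" * 8 + b"KERNEL32.dll\0CreateFileW\0" + b"http://c2.example.invalid/gate\0"
    return dos + b"PE\0\0" + coff + blob
```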

🧪 Analysis Lab Setup

The notes contain detailed checklists and procedures for building and configuring a secure analysis environment.

1. VM & Environment Setup

  • Virtualization: Using VMware Workstation with a Windows 10 ISO.
  • Tooling: Setting up FlareVM.
  • Isolation:
    • Configuring the network to Host-Only to prevent leaks.
    • Using tools like ApateDNS to simulate internet connectivity.
  • Snapshots: Taking snapshots is a critical step before and after setup, and before running any malware.

2. VM Hardening & Configuration

To ensure the malware runs and to prevent interference, the following steps are documented:

  • Disable Windows Update: Using both services.msc and gpedit.msc (Group Policy Editor).
  • Disable Antivirus: Disabling Microsoft Defender's real-time protection and turning it off via Group Policy.
  • Advanced VM Hiding: Includes notes on using Windows 10 LTSC (which is not VM-aware), using a SCSI controller instead of IDE, changing the VM's MAC address, and using kernel drivers like VMWare HALoder to hide the VM.

📋 Dynamic Analysis Playbook

A checklist is provided for what to look for during dynamic analysis, focusing on persistence and data theft.

Things to Look For:

  1. Process Activity: Monitoring new or suspicious processes using tools like Process Hacker and Procmon.
  2. Network Activity: Looking for C2 server connections using Wireshark (filtering for HTTP, DNS, etc.).
  3. Registry Activities (Persistence):
    • Using tools like Regshot and Procmon to spot changes.
    • Common keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\...\RunOnce, HKLM\...\Run, and HKLM\...\RunOnce.
  4. File Activities (Persistence):
    • Using Regshot and Procmon to monitor file creation/modifications.
    • Common locations: C:\Users\Username\AppData\Roaming\, %TEMP%, shell:startup, and shell:common startup.
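Detection logic for the items in this checklist, as an added example that is not part of the notes: it walks a Procmon-style CSV export and flags value writes under the Run/RunOnce keys, new files created in the listed drop locations, and outbound TCP connects, tagging the latter with the ATT&CK mapping given in the Reporting section. The log rows are constructed (the 198.51.100.7 address is a documentation-range placeholder); the column names follow Procmon's CSV export.

```python
"""Triage a Procmon-style CSV export for the playbook's persistence and C2 indicators.

Added example, not from the notes. SAMPLE_LOG is constructed; its columns mirror
Procmon's CSV export ("Time of Day","Process Name","PID","Operation","Path","Result","Detail").
"""
import csv
import io
import re

# Run/RunOnce keys from the playbook, matched case-insensitively on the full Procmon path
RUN_KEYS = re.compile(
    r"^HK(?:CU|LM)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Drop locations from the playbook: AppData\Roaming, %TEMP%, shell:startup / shell:common startup
DROP_DIRS = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\", "\\Start Menu\\Programs\\Startup\\")


def triage(csv_text: str) -> list[dict]:
    """Return one finding per suspicious row: kind, process, path and an ATT&CK hint."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op == "RegSetValue" and RUN_KEYS.match(path):
            kind, attack = "registry-persistence", "Persistence (Run/RunOnce key)"
        elif (op == "CreateFile" and "Disposition: Create" in detail
              and any(d.lower() in path.lower() for d in DROP_DIRS)):
            # Procmon reports the create disposition in Detail; only new files count here
            kind, attack = "file-drop", "Persistence (startup/drop location)"
        elif op == "TCP Connect":
            kind, attack = "network", "Command & Control / T1071 Application Layer Protocol"
        else:
            continue
        findings.append({"kind": kind, "process": row["Process Name"], "path": path, "attack": attack})
    return findings


SAMPLE_LOG = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","dropper.exe","4120","CreateFile","C:\\Users\\Username\\AppData\\Roaming\\updater.exe","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.4","dropper.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Username\\AppData\\Roaming\\updater.exe"
"10:01:03.0","updater.exe","4388","TCP Connect","lab-vm:49712 -> 198.51.100.7:443","SUCCESS","Length: 0"
"10:01:03.2","explorer.exe","1884","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Cache","SUCCESS","Type: REG_SZ"
"10:01:03.5","notepad.exe","5000","CreateFile","C:\\Users\\Username\\Documents\\notes.txt","SUCCESS","Desired Access: Read Data, Disposition: Open"
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['kind']}] {f['process']}: {f['path']}  ->  {f['attack']}")
```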

Reporting

  • Includes notes on mapping findings to the MITRE ATT&CK framework. For example, an outbound connection to a C2 server could be mapped to:
    • Tactic: Command & Control
    • Technique (T1071): Application Layer Protocol

🛠️ Tools & Resources

The repository includes a list of 29 addresses for analyzing malware, as well as specific links.

Online Sandboxes & Services:

  • Any.run
  • Cuckoo Sandbox
  • Hybrid Analysis
  • VirusTotal
  • Joe Sandbox

Toolkits & Links:

  • Toolkit Repo: https://github.com/aN0mad/analysisTools
  • Static Analysis Guide: https://youtu.be/i2137T23mpl
