SKILL: malware-analysis (v1.0.0)

malware-analysis

Comprehensive malware analysis workflow from sample triage through intelligence reporting. Covers safe handling, static/dynamic analysis, memory forensics, IOC extraction, and full MITRE ATT&CK TTP mapping. Triggers for: malware investigation, sandbox analysis, threat intelligence generation, IOC extraction, malware family classification, or incident triage.

Tags: security, malware, threat-intelligence, ioc, sandbox, yara, dynamic-analysis, mitre-attack

01 Phases

This skill has 6 phases. Each phase represents a distinct analysis step with its own context window.

| # | Phase | Context budget |
|---|-------|----------------|
| 01 | sample-triage | 1,077 tokens |
| 02 | static-analysis | 1,312 tokens |
| 03 | dynamic-analysis | 1,372 tokens |
| 04 | memory-analysis | 1,400 tokens |
| 05 | ioc-extraction | 1,263 tokens |
| 06 | intelligence-report | 1,646 tokens |
02 Install

Choose your deployment target. The same skill source compiles to each format — paste or wire whichever fits your platform.

Paste into Claude Projects, Gemini Gems, or any chat UI system prompt field.

system-prompt.txt
# Malware Analysis Skill

Structured 6-phase malware analysis methodology. Always begin with sample triage
to establish safety before any analysis. Conclude with a structured intelligence
report suitable for both technical and executive audiences.


## sample-triage

# Sample Triage

## Purpose
Establish sample safety, verify integrity, cross-reference against known databases, and classify the threat before deep analysis.

---

## 1. Safe Handling Procedures

**NEVER execute outside a sandbox.** Transfer in password-protected ZIP (password: `infected`).

Mandatory before any analysis:
- [ ] Isolated VM with a clean snapshot; host-only or fully isolated network (no NAT to the internet or to production); no shared folders, shared clipboard or drag-and-drop
- [ ] Hash all files on receipt — never rely on provided hashes alone
- [ ] No path from the analysis network to production networks; if the sample must talk to its C2, use INetSim/FakeNet-NG or a dedicated, monitored dirty line

---

## 2. Hash Verification and Generation

```powershell
# Windows
Get-FileHash sample.exe -Algorithm MD5
Get-FileHash sample.exe -Algorithm SHA1
Get-FileHash sample.exe -Algorithm SHA256

# ssdeep fuzzy hash (similarity matching)
ssdeep.exe sample.exe

# imphash (PE import table hash)
python3 -c "import pefile; pe=pefile.PE('sample.exe'); print(pe.get_imphash())"
```

Log all hashes in analyst notes immediately. Discrepancy between provided and computed hash = tampered sample or analyst error.

---

## 3. VirusTotal Cross-Reference

```bash
# VT API v3
curl -s -H "x-apikey: <VT_API_KEY>" \
  "https://www.virustotal.com/api/v3/files/<SHA256>" | python3 -m json.tool

# Key fields from VT response:
# .data.attributes.last_analysis_stats   → detection counts
# .data.attributes.names                 → known filenames
# .data.attributes.sandbox_verdicts      → automated sandbox results
# .data.attributes.popular_threat_classification → family classification
```

| Detections | Interpretation |
|------------|----------------|
| 0/N     | Unknown or clean, or too new for engines to have seen it; never evidence of cleanliness on its own |
| 1-5/N   | Possible PUA or low-confidence/heuristic detection; check which engines fired |
| 6-20/N  | Likely malicious (heuristic and generic signatures) |
| > 20/N  | Known malicious family; read popular_threat_classification for the name |

N is the number of engines that scanned this file (around 70) and varies per sample, so compare ratios, not raw counts.

---

## 4. MalwareBazaar Cross-Reference

```bash
# Search by SHA256 (abuse.ch APIs require a per-user Auth-Key, issued via auth.abuse.ch)
curl -X POST https://mb-api.abuse.ch/api/v1/ \
  -H 'Auth-Key: <ABUSE_CH_AUTH_KEY>' \
  -d 'query=get_info&hash=<SHA256>'

# Key fields:
# file_type, file_size, first_seen, last_seen
# tags (malware family tags from researchers)
# vendor_intel (AV vendor hits)
# signature (family name)
```

---

## 5. Family Classification Using Signature Databases

Classification sources (in priority order):
1. VT popular_threat_classification (consensus from 70+ engines)
2. MalwareBazaar tags (researcher-curated)
3. CAPE/ANY.RUN sandbox verdict
4. MITRE ATT&CK Software entries (https://attack.mitre.org/software/) — search by family name

### MITRE ATT&CK Software Lookup
```
# Search at: https://attack.mitre.org/software/
# Returns: known TTPs, groups using the software, detection guidance
# Example: TrickBot (S0266), Emotet (S0367), Cobalt Strike (S0154)
```

---

## 6. Threat Actor Attribution Hints

Look for these indicators that may link to known actor groups:

| Indicator | Implication |
|-----------|-------------|
| TrickBot/BazarLoader sample | Historically Wizard Spider (G0102); both families are dated, so treat as a lead, not a verdict |
| Cobalt Strike with malleable C2 | Dozens of groups and red teams; pivot on the C2 profile and watermark, not the tool |
| PlugX RAT | Shared across Chinese-nexus groups such as Mustang Panda (G0129) |
| AgentTesla keylogger | Commodity malware-as-a-service used by many unrelated, financially motivated actors |
| EternalBlue (MS17-010) spreader | Used by many actors (NotPetya attributed to Sandworm G0034, WannaCry to Lazarus Group G0032); not attributable on its own |
| Mimikatz strings or components | Post-exploitation tooling used by nearly every actor; no attribution value by itself |

**Attribution confidence must be stated clearly.** Attribution based on tooling alone is Low confidence.

---

## 7. Initial Metadata Record

Complete this block before proceeding:

```
Sample ID:         <internal-ID>
Received:          <YYYY-MM-DD HH:MM UTC>
Source:            <email attachment / URL / endpoint / external researcher>
MD5:               <hash>
SHA1:              <hash>
SHA256:            <hash>
imphash:           <hash>
ssdeep:            <fuzzy>
File type (magic): <PE32+ / ELF / PDF / etc.>
File size:         <bytes>
VT score:          <n>/70 (accessed <date>)
Known family:      <family name or Unknown>
Threat actor:      <group or Unknown>
Priority:          <Critical / High / Medium / Low>
Analyst:           <name>
```
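
As an added example (not part of the original skill), here is a Python triage helper that fills the record above from the raw bytes: it computes the three hashes, sniffs the container type from magic bytes (a handful of signatures, not libmagic), and flags a mismatch between the provided and computed SHA-256. imphash and ssdeep need the `pefile` and `ssdeep` libraries and are left as fields to fill in. The inputs in `constructed_samples()` are header stubs built for the demo, not real malware.

```python
import hashlib
import struct
from datetime import datetime, timezone
from typing import Optional

# Machine values from the PE COFF header (IMAGE_FILE_MACHINE_*)
PE_MACHINES = {0x014C: "PE32 (x86)", 0x8664: "PE32+ (x64)",
               0x01C4: "PE32 (ARM Thumb-2)", 0xAA64: "PE32+ (ARM64)"}


def file_magic(data: bytes) -> str:
    """Container type from leading bytes. Covers the formats in the metadata
    block above; anything else is reported as unknown rather than guessed."""
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
                machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
                return PE_MACHINES.get(machine, f"PE (machine 0x{machine:04X})")
        return "MZ executable without PE header (DOS stub or truncated)"
    if data[:4] == b"\x7fELF":
        return "ELF64" if data[4:5] == b"\x02" else "ELF32"
    if data[:5] == b"%PDF-":
        return "PDF"
    if data[:4] == b"PK\x03\x04":
        return "ZIP container (OOXML / JAR / APK are all ZIP)"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OLE2 compound document (legacy Office, possible VBA macros)"
    if data[:2] == b"#!":
        return "script with shebang"
    return "unknown"


def hash_sample(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as lowercase hex; MD5 and SHA1 are kept only for database lookups."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def triage_record(data: bytes, sample_id: str, source: str,
                  provided_sha256: Optional[str] = None,
                  analyst: str = "unknown") -> dict:
    """Build the initial metadata record. imphash/ssdeep are left for pefile/ssdeep."""
    hashes = hash_sample(data)
    mismatch = (provided_sha256 is not None
                and provided_sha256.strip().lower() != hashes["sha256"])
    return {
        "sample_id": sample_id,
        "received": datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M UTC"),
        "source": source,
        **hashes,
        "imphash": None, "ssdeep": None,
        "file_type": file_magic(data),
        "file_size": len(data),
        "hash_mismatch": mismatch,   # True => tampered sample or analyst error: stop and re-verify
        "analyst": analyst,
    }


def format_record(rec: dict) -> str:
    """Render in the same layout as the metadata block."""
    order = ["sample_id", "received", "source", "md5", "sha1", "sha256", "imphash",
             "ssdeep", "file_type", "file_size", "hash_mismatch", "analyst"]
    return "\n".join(f"{k + ':':<18} {rec[k]}" for k in order)


def constructed_samples() -> dict:
    """Constructed inputs for the demo, not real malware: a PE32+ header stub
    (e_lfanew = 0x40, machine = AMD64), an ELF64 header stub and a PDF header."""
    pe = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<H", 0x8664) + b"\0" * 32)
    elf = b"\x7fELF\x02\x01\x01" + b"\0" * 57
    pdf = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
    return {"pe": pe, "elf": elf, "pdf": pdf}


if __name__ == "__main__":
    s = constructed_samples()
    rec = triage_record(s["pe"], "MAL-0001", "external researcher",
                        provided_sha256="0" * 64, analyst="jdoe")
    print(format_record(rec))
```

Run it against the real file with `triage_record(open(path, "rb").read(), ...)`; a `hash_mismatch` of True means the triage stops until the discrepancy is explained.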

---

## 8. Priority Classification

| Priority | Criteria |
|----------|----------|
| Critical | Active incident; ransomware; wiper; nation-state IOC match |
| High | New unknown family; financial malware; credential stealer |
| Medium | Known commodity malware (Emotet, Qakbot); no active incident |
| Low | PUA; adware; benign false positive under investigation |



## static-analysis

# Static Analysis — Malware Analysis

## Purpose
Deep examination of the binary without execution: PE/ELF structure, entropy, imports, YARA matching, obfuscation detection, and compiler artifacts.

---

## 1. PE/ELF Deep Structure Analysis

### Section Analysis
```python
import pefile
pe = pefile.PE('sample.exe')

for section in pe.sections:
    name = section.Name.decode('latin-1').rstrip('\x00')   # latin-1: packer section names need not be valid UTF-8
    entropy = section.get_entropy()
    virt = section.Misc_VirtualSize
    raw = section.SizeOfRawData
    flags = section.Characteristics
    rwx = 'R' if flags & 0x40000000 else '-'
    rwx += 'W' if flags & 0x80000000 else '-'
    rwx += 'X' if flags & 0x20000000 else '-'
    print(f"{name:12} entropy={entropy:.2f} virt={virt:8d} raw={raw:8d} flags={rwx}")
```

Suspicious section patterns:
| Pattern | Implication |
|---------|-------------|
| Entropy > 7.0 in .text | Packed/encrypted code |
| .text raw << virtual (ratio > 5:1) | Loader decompresses in memory |
| Non-standard names (.xxx, .1) | Custom packer signature |
| Writable + Executable section | Self-modifying code |
| Unusually large .rsrc | Dropped payload in resources |

### Unusual Section Names by Packer
| Sections | Packer |
|----------|--------|
| UPX0, UPX1, UPX2 | UPX |
| .MPRESS1, .MPRESS2 | MPRESS |
| .enigma1, .enigma2 | Enigma |
| .aspack, .adata | ASPack |
| .nsp0, .nsp1 | NsPack |

---

## 2. Import Table Analysis — Capability Fingerprinting

```python
# Continues from the pefile object opened in the section-analysis snippet above
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        dll = entry.dll.decode('latin-1').lower()
        # imports by ordinal have no name; record the ordinal instead of dropping them
        funcs = [imp.name.decode('latin-1') if imp.name else f"ord{imp.ordinal}"
                 for imp in entry.imports]
        print(f"  {dll}: {funcs}")
else:
    # no import table at all: packed, or APIs resolved at runtime (hash-based resolution)
    print("no import directory; expect dynamic API resolution")
```

### Malware Capability Mapping

| Imports | Capability | ATT&CK |
|---------|-----------|--------|
| VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | Process injection | T1055 |
| MiniDumpWriteDump, OpenProcess (on lsass) | Credential dump | T1003.001 |
| CryptAcquireContext, CryptEncrypt, CryptGenRandom | Encryption (ransomware/C2) | T1486/T1573 |
| InternetOpenA, HttpSendRequestA, WinHttpOpen | HTTP C2 | T1071.001 |
| WSASocket, connect, send, recv | Raw socket C2 | T1095 |
| RegCreateKeyEx, RegSetValueEx | Registry persistence | T1547.001 |
| CreateServiceA, OpenSCManagerA | Service installation | T1543.003 |
| SHFileOperation, CopyFileA | File staging/collection | T1005 |
| WNetOpenEnum, NetShareEnum | Network share discovery | T1135 |
| FindFirstFileA, GetFileAttributesA | File/directory enum | T1083 |
| NtQuerySystemInformation, GetComputerNameA | System discovery | T1082 |

---

## 3. YARA Rule Matching

```bash
# yara takes one or more RULE FILES (not directories) followed by the target
yara /opt/rules/yara-rules/index.yar sample.exe          # Yara-Rules repo ships an index.yar

# Florian Roth's signature-base: many rules declare external variables,
# so pass them with -d or compilation fails
yara -d filename=sample.exe -d filepath=/samples/sample.exe -d extension=exe \
     -d filetype=exe -d owner=analyst \
     /opt/rules/signature-base/yara/*.yar sample.exe

# Elastic protections-artifacts (YARA rules live under yara/rules/)
yara /opt/rules/protections-artifacts/yara/rules/*.yar sample.exe

# -s prints the matched strings and offsets; -r recurses over a TARGET directory, not the rules
yara -s /opt/rules/yara-rules/index.yar sample.exe
yara -r /opt/rules/yara-rules/index.yar /samples/        # scan every file under /samples/
```

Key community rule repositories:
- github.com/Yara-Rules/rules (community maintained)
- github.com/Neo23x0/signature-base (Florian Roth)
- github.com/mandiant/red_team_tool_countermeasures
- github.com/elastic/protections-artifacts

---

## 4. Obfuscation Detection

### XOR Encoding Detection
```python
# Single-byte XOR key search from a known plaintext (crib); returns (key, offset) or None
def find_xor_key(data, known_plaintext):
    for i in range(len(data) - len(known_plaintext) + 1):
        key = data[i] ^ known_plaintext[0]
        if all(data[i + j] ^ known_plaintext[j] == key for j in range(len(known_plaintext))):
            return key, i
    return None

# Or use xortool for multi-byte keys: -m is the MAX key length to try, -l a fixed length,
# -c the byte expected to be most frequent in the plaintext
# xortool -m 8 -c 00 sample.bin    # try key lengths 1-8, assume 0x00 dominates the plaintext
# xortool -l 4 -c 20 sample.bin    # fixed 4-byte key, space is the most common byte (text)
```

### Base64 Pattern Detection
```python
import re
b64_pattern = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
with open('sample.exe', 'rb') as f:
    content = f.read().decode('latin-1')
matches = b64_pattern.findall(content)
```

### Custom Encoding Loops in Disassembly
Look for:
- Loop body with XOR/ADD/ROL/ROR instruction on single byte
- Counter from 0 to len(encoded_data)
- Result written to output buffer
- Loop typically 10-30 instructions
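
An added example (not the skill's own code) that generalises the single-byte search above to repeating multi-byte keys, which is what most of these encoding loops turn out to implement: a known-plaintext (crib) attack that recovers the key and its alignment, plus a 256-key brute force fallback for the single-byte case when no offset is known. The encoded blob, the 4-byte key and the crib are constructed here; 203.0.113.45 is an RFC 5737 documentation address.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(data: bytes, crib: bytes, max_keylen: int = 16):
    """Known-plaintext attack on repeating-key XOR.
    Slide the crib across the data. At each offset, window XOR crib is the key
    stream; if that stream repeats with period k (checked over a full second
    period, so the crib must be at least 2k bytes), the key is found.
    Returns (key aligned to data[0], offset of the crib) or None."""
    n = len(crib)
    for offset in range(len(data) - n + 1):
        stream = bytes(w ^ c for w, c in zip(data[offset:offset + n], crib))
        for klen in range(1, min(max_keylen, n // 2) + 1):
            if all(stream[i] == stream[i % klen] for i in range(n)):
                # stream[j] == key[(offset + j) % klen]; re-align so key[0] applies to data[0]
                key = bytes(stream[(k - offset) % klen] for k in range(klen))
                return key, offset
    return None


def brute_single_byte_xor(data: bytes, crib: bytes):
    """Fallback for single-byte keys when nothing is known about the layout:
    try all 256 keys and return the first whose decoding contains the crib."""
    for k in range(256):
        if crib in xor_bytes(data, bytes([k])):
            return k
    return None


def constructed_blob():
    """Constructed test input: a fake config block behind some padding,
    encoded with a 4-byte key. Not taken from any real sample."""
    plain = (b"\x90" * 13
             + b"http://203.0.113.45:8443/gate.php|mutex=Global\\x7f2kd|rc4=9f1e\x00")
    key = b"\x3b\x7a\x91\xc4"
    return xor_bytes(plain, key), key, plain


if __name__ == "__main__":
    enc, key, plain = constructed_blob()
    found = recover_xor_key(enc, b"gate.php")        # a URL fragment makes a good crib
    print("recovered key:", found and found[0].hex(), "crib at offset", found and found[1])
    print(xor_bytes(enc, found[0]))
```

Good cribs for real samples are strings the author cannot avoid: `This program cannot be run in DOS mode` (38 bytes, enough for keys up to 19 bytes) inside an embedded PE, `http://`, `kernel32.dll`, or a mutex prefix seen in dynamic analysis. When the key is longer than half the longest crib available, fall back to xortool's frequency analysis.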

---

## 5. Rich Header Analysis

The Rich header is an undocumented structure that the Microsoft linker writes between the DOS stub and the PE signature. It records the compiler and linker versions (product id and build number) and how many objects each produced, so its presence and contents can fingerprint a threat actor's toolchain across samples.

```python
# Extract the Rich header with pefile (dict with 'values', 'checksum', 'key', 'raw_data', 'clear_data')
import pefile
pe = pefile.PE('sample.exe')
rich = pe.parse_rich_header()
if rich is None:
    print("no Rich header (normal for non-MSVC toolchains: MinGW, Go, Delphi, ...)")
else:
    values = rich['values']                 # flat list: comp_id, count, comp_id, count, ...
    for i in range(0, len(values), 2):
        comp_id, count = values[i], values[i + 1]
        prod_id, build = comp_id >> 16, comp_id & 0xFFFF
        print(f"prodid={prod_id} build={build} count={count}")
    print("rich header hash:", pe.get_rich_header_hash())   # pivot value for VT/MalwareBazaar

# richprint (https://github.com/dishather/richprint) maps prodid/build pairs to Visual Studio versions:
# richprint sample.exe
```

An absent Rich header is normal for anything not linked by the Microsoft linker. The indicators are a header that is present but zeroed (stripped), or one whose checksum does not match the DOS stub (forged or copied from another binary). Because the header is trivially forgeable, use it as a clustering pivot, never as proof of toolchain or authorship.

---

## 6. Static Analysis Checklist

- [ ] Section entropy analysis complete (all sections)
- [ ] Import table documented with capability mapping
- [ ] Export table documented (for DLLs)
- [ ] Strings extracted (ASCII + Unicode + FLOSS for obfuscated)
- [ ] YARA scan completed with at least 3 rule sets
- [ ] PE compile timestamp noted (and plausibility assessed)
- [ ] Rich header analysed (or noted as absent/zeroed)
- [ ] Packer/obfuscator identified (or noted as custom/unknown)
- [ ] Resources extracted from .rsrc section (binwalk, ResourceHacker)
- [ ] Overlay data checked (appended data after PE end)



## dynamic-analysis

# Dynamic Analysis — Malware Analysis

## Purpose
Execute sample in controlled sandbox environments to observe runtime behaviour: API calls, network traffic, persistence, process activity, and C2 communication patterns.

---

## 1. Automated Sandbox Platforms

### CAPE Sandbox (self-hosted)
```bash
# Submit sample (CAPEv2 REST API: default port 8000, endpoints under /apiv2/;
# add -H "Authorization: Token <token>" if token auth is enabled in api.conf)
curl -X POST http://localhost:8000/apiv2/tasks/create/file/ \
  -F file=@sample.exe \
  -F timeout=120 \
  -F options="procmemdump=1"

# Retrieve the JSON report once the task status is "reported"
curl http://localhost:8000/apiv2/tasks/status/<task_id>/
curl http://localhost:8000/apiv2/tasks/get/report/<task_id>/json/
```

Key CAPE features:
- Automatic config extraction for 100+ malware families
- Unpacked payload extraction
- CAPE signatures (malware-specific behaviour patterns)
- Network PCAP per analysis

### ANY.RUN (interactive cloud sandbox)
```
1. Upload at app.any.run
2. Select OS version (Windows 10/7, 32/64 bit)
3. Enable: "Fake internet connections" for C2 interaction
4. Interact with sample in real-time if needed
5. Export: IOCs / MITRE ATT&CK report / PCAP / process tree
```

### Cuckoo Sandbox Configuration
```ini
# cuckoo.conf (Cuckoo 2.x is unmaintained upstream; CAPE is the actively developed fork)
[cuckoo]
memory_dump = yes            # full VM memory dump at the end of each analysis
terminate_processes = yes

[timeouts]
default = 120                # analysis time in seconds

# routing.conf
[routing]
route = internet             # or "inetsim" for simulated internet (needs [inetsim] enabled = yes)
```

---

## 2. Process and System Monitoring

### Sysmon Configuration (key events for malware analysis)
```xml
<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="MalwareAnalysis" groupRelation="or">
      <!-- Event 1: the sample itself and anything it spawns -->
      <ProcessCreate onmatch="include">
        <Rule groupRelation="or">
          <Image condition="contains">sample</Image>
          <ParentImage condition="contains">sample</ParentImage>
        </Rule>
      </ProcessCreate>
      <!-- Event 3: outbound connections only -->
      <NetworkConnect onmatch="include">
        <Initiated condition="is">true</Initiated>
      </NetworkConnect>
      <!-- Events 8 and 9: in Sysmon an empty "include" filter logs NOTHING;
           an empty "exclude" filter logs every event of that type -->
      <CreateRemoteThread onmatch="exclude" />
      <RawAccessRead onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
```

### Process Monitor Filters
```
Include: Process Name = sample.exe
Include: Path contains HKCU\Software
Include: Path contains HKLM\SYSTEM
Include: Operation = WriteFile
Include: Operation = TCP Connect
Exclude: Path contains Chrome  # reduce noise
```

---

## 3. API Call Capture

### API Monitor (Windows)
Key APIs to monitor:
```
Category: Registry
  RegCreateKeyEx, RegSetValueEx, RegQueryValueEx, RegDeleteKey

Category: File System  
  CreateFileA/W, WriteFile, CopyFileA, DeleteFileA, MoveFileEx

Category: Network
  WSAConnect, connect, InternetConnectA, HttpSendRequestA

Category: Process/Thread
  CreateProcessA, OpenProcess, VirtualAllocEx, WriteProcessMemory,
  CreateRemoteThread, QueueUserAPC, NtCreateThread

Category: Crypto
  CryptAcquireContext, CryptEncrypt, CryptDecrypt, CryptGenRandom
  BCryptEncrypt, BCryptDecrypt (CNG API — modern ransomware)
```

---

## 4. Network Traffic Analysis

### C2 Check-in Patterns
| Pattern | Malware Type | Detection |
|---------|-------------|-----------|
| Regular beaconing (e.g. every 60s) | RAT/botnet | Beacon interval analysis in Zeek |
| POST to /submit.php or /gate.php | Banking trojan | URI path matching |
| GET with base64 in URI | Various | URI entropy analysis |
| JA3 fingerprint matching known C2 | Cobalt Strike | JA3/JA3S blacklist |
| DNS TXT/NULL record queries | DNS C2 | Record type anomaly |
| Large DNS queries (>200 bytes) | DNS tunneling | DNS size threshold alert |
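
The "beacon interval analysis" row above in working form, as an added example that is not part of the skill: it parses Zeek conn.log rows (a constructed log carrying a subset of the real fields), groups flows by source, destination and port, and uses the median inter-arrival time with its median absolute deviation as the jitter measure. The thresholds (10 events, MAD/median at most 0.2) are starting values of mine, not Zeek defaults; 203.0.113.45 and 198.51.100.x are RFC 5737 documentation addresses.

```python
import statistics
from collections import defaultdict


def parse_zeek_conn(lines):
    """Parse Zeek conn.log (TSV) rows into dicts using the #fields header line."""
    fields, rows = None, []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_beacons(rows, min_events=10, max_jitter_ratio=0.2):
    """Per (src, dst, port): median inter-arrival time and MAD/median jitter.
    Human traffic is bursty (large MAD relative to the median); a beacon with
    0-20% configured jitter keeps MAD/median near zero however long the interval."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    out = []
    for (src, dst, port), ts in by_flow.items():
        if len(ts) < min_events:
            continue
        ts.sort()
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        interval = statistics.median(deltas)
        if interval <= 0:
            continue
        jitter = statistics.median([abs(d - interval) for d in deltas]) / interval
        out.append({"src": src, "dst": dst, "port": port, "count": len(ts),
                    "interval_s": interval, "jitter_ratio": jitter,
                    "beacon": jitter <= max_jitter_ratio})
    return sorted(out, key=lambda x: x["jitter_ratio"])


def constructed_conn_log():
    """Constructed conn.log: 10.0.0.5 beacons to 203.0.113.45:443 every 60 s with
    +/-2 s jitter (40 connections), browses 198.51.100.10:443 at irregular times,
    and makes one HTTP request to 198.51.100.20."""
    base = 1700000000.0
    lines = ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"]
    for i in range(40):
        ts = base + 60 * i + (i % 5) - 2
        lines.append(f"{ts:.6f}\tC{i:04d}\t10.0.0.5\t{49152 + i}\t203.0.113.45\t443\ttcp\tssl")
    for j, off in enumerate([3, 8, 9, 45, 120, 121, 130, 400, 405, 900]):
        lines.append(f"{base + off:.6f}\tB{j:04d}\t10.0.0.5\t{50000 + j}\t198.51.100.10\t443\ttcp\tssl")
    lines.append(f"{base + 5:.6f}\tD0000\t10.0.0.5\t51000\t198.51.100.20\t80\ttcp\thttp")
    return lines


if __name__ == "__main__":
    for r in find_beacons(parse_zeek_conn(constructed_conn_log())):
        flag = "BEACON" if r["beacon"] else "ok"
        print(f"{r['src']} -> {r['dst']}:{r['port']} n={r['count']} "
              f"interval={r['interval_s']:.1f}s jitter={r['jitter_ratio']:.2f} {flag}")
```

Feed it a real conn.log with `parse_zeek_conn(open(path))`. Expect false positives from legitimate pollers (NTP, update checkers, monitoring agents); the interval and destination distinguish them, which is why both are in the output.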

### DGA Detection
```python
# Label entropy is ONE weak signal, not a detector on its own: Shannon entropy of a
# label is bounded by log2(len(label)), so a 6-char label can never exceed 2.58 bits
# and a threshold of 3.5 would flag nothing. Combine with length, digit ratio,
# vowel ratio and passive-DNS/WHOIS age before calling a domain DGA.
import math
def entropy(s):
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

domains = ["x7f2kd.com", "google.com", "a8fb3j.net"]
for d in domains:
    label = d.split('.')[0]
    print(f"{d}: entropy={entropy(label):.2f} (max possible for this length {math.log2(len(label)):.2f})")
```
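
As an added example (not part of the skill), here is a DGA scorer that extends the entropy snippet above with the features that actually separate algorithmically generated labels from short real words: entropy measured against the label's maximum, vowel ratio, digit ratio and the longest run of non-vowels. The thresholds and the +1 scoring are my heuristic, to be tuned against your own traffic, and `registrable_label` assumes a one-label TLD (production code would use the Public Suffix List for co.uk and friends).

```python
import math

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s)) if n else 0.0


def registrable_label(domain: str) -> str:
    """Label left of the TLD (assumes a single-label public suffix)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(label: str) -> dict:
    n = len(label)
    if n == 0:
        raise ValueError("empty label")
    vowels = sum(c in VOWELS for c in label) / n
    digits = sum(c.isdigit() for c in label) / n
    run, longest = 0, 0
    for c in label:                      # longest run of consonants/digits/hyphens
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {"length": n, "entropy": shannon_entropy(label),
            "max_entropy": math.log2(n), "vowel_ratio": vowels,
            "digit_ratio": digits, "consonant_run": longest}


def dga_score(domain: str, flag_at: int = 2) -> dict:
    """Heuristic score: +1 vowel ratio < 0.25, +1 digit ratio >= 0.2,
    +1 non-vowel run >= 4, +1 entropy within 0.05 bit of the maximum for the
    label length (i.e. almost no repeated characters, which is all that a 'high
    entropy' label means once length is accounted for). Flag at >= flag_at."""
    label = registrable_label(domain)
    f = dga_features(label)
    score = 0
    score += f["vowel_ratio"] < 0.25
    score += f["digit_ratio"] >= 0.2
    score += f["consonant_run"] >= 4
    score += f["length"] >= 6 and f["entropy"] >= f["max_entropy"] - 0.05
    return {"domain": domain, "label": label, "score": int(score),
            "likely_dga": score >= flag_at, **f}


if __name__ == "__main__":
    for d in ["x7f2kd.com", "google.com", "a8fb3j.net", "www.microsoft.com",
              "wkjhsdfkjhwerkjh.net", "github.com"]:
        r = dga_score(d)
        print(f"{d:24} entropy={r['entropy']:.2f}/{r['max_entropy']:.2f} "
              f"score={r['score']} dga={r['likely_dga']}")
```

`github.com` scores exactly one point (all six characters are distinct, so its entropy is maximal for its length) and is not flagged; that is the case the raw-entropy rule above gets wrong. Dictionary-word DGAs (e.g. two concatenated English words) defeat all of these features and need n-gram or wordlist models.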

### Protocol Identification
```bash
# tshark protocol statistics
tshark -r capture.pcap -z io,phs -q

# Follow specific stream
tshark -r capture.pcap -z follow,tcp,ascii,0 -q

# Extract files from HTTP
tshark -r capture.pcap --export-objects http,/tmp/http_objects/
```

---

## 5. Persistence Observation

### Registry Run Key Monitoring
```
# Real-time monitoring during analysis:
# ProcMon filter: Path contains "CurrentVersion\Run"

# After analysis — check these keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run          # T1547.001
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce     # T1547.001
HKLM\Software\Microsoft\Windows\CurrentVersion\Run         # T1547.001
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon # T1547.004
HKLM\SYSTEM\CurrentControlSet\Services\<name>              # T1543.003
```

### Scheduled Task Detection
```powershell
# List tasks registered in the last two hours. Date is a string from the task XML
# and is often empty, so filter nulls and cast before comparing (a bare string
# -gt DateTime comparison would compare lexically, not chronologically)
Get-ScheduledTask |
  Where-Object { $_.Date -and ([datetime]$_.Date) -gt (Get-Date).AddHours(-2) } |
  Select-Object TaskName, TaskPath, Date, Author

# More reliable: snapshot the task list before detonation and diff afterwards
Get-ScheduledTask | Select-Object TaskName, TaskPath | Export-Clixml C:\baseline\tasks.xml

# Export task XML (actions, triggers, principal) for analysis
schtasks /query /tn "<task_name>" /xml
```

---

## 6. Dynamic Analysis Report Template

After sandbox/manual analysis, document:
```
DYNAMIC ANALYSIS SUMMARY
=========================
Sandbox: CAPE / ANY.RUN / Manual
OS version: Windows 10 x64 / Windows 7 x86
Analysis duration: <seconds>
Network mode: INetSim / FakeNet-NG / Real internet (isolated)

Execution summary:
  - Process created: <sample.exe> (PID <n>)
  - Child processes: [list with command lines]
  - Dropped files: [list with paths and hashes]
  - Registry modifications: [list]
  - Network connections: [list host:port]
  - DNS queries: [list]

Persistence mechanism:
  Type: <Registry Run Key / Scheduled Task / Service>
  Location: <full path/key>
  Value: <name = data>

C2 communication:
  Protocol: <HTTP/HTTPS/DNS/Custom>
  Host: <domain or IP>
  Port: <port>
  Pattern: <description of beaconing/request format>
```



## memory-analysis

# Memory Analysis

## Purpose
Analyse process memory to detect injected code, extract unpacked payloads, identify C2 configurations, and detect rootkit indicators.

---

## 1. Manual Unpacking with x64dbg

### Step-by-Step Unpacking
```
1. Open sample in x64dbg
2. Right-click CPU view > Follow in Memory Map
3. Set breakpoints:
   bp VirtualAlloc
   bp VirtualProtect
   bp LoadLibraryA
4. Run (F9) → hit VirtualProtect → check protection argument
   If protection = 0x20 (PAGE_EXECUTE_READ) or 0x40 (PAGE_EXECUTE_READWRITE):
   → New executable region created = likely unpacker landing zone
5. Set hardware breakpoint on first byte of new region (HW BP on execute)
6. Run → BP hits at OEP (Original Entry Point)
7. Scylla plugin: Dump > Fix IAT > Dump
```

### OEP Identification Patterns
| Pattern | Description |
|---------|-------------|
| `push ebp; mov ebp, esp; sub esp, N` | Standard function prologue = clean OEP |
| `call <dynamic_address>` immediately | Shellcode entry |
| Series of `mov` instructions | Typical C runtime startup |
| `jmp <far_address>` | Jump to real code from unpacker stub |

---

## 2. Process Injection Detection — Manual

### Volatility 3 — Process Memory Inspection
```bash
# List all processes
vol -f memory.dmp windows.pslist

# Show process tree (orphaned processes = injection indicator)
vol -f memory.dmp windows.pstree

# Find injected code regions (VADs with RWX + PE headers)
vol -f memory.dmp windows.malfind

# List loaded DLLs per process
vol -f memory.dmp windows.dlllist --pid <pid>

# Dump specific process memory
vol -f memory.dmp windows.memmap --pid <pid> --dump

# List handles (file, registry, mutant/mutex)
vol -f memory.dmp windows.handles --pid <pid>
```

### Malfind Output Interpretation
Volatility 3 prints one row per suspicious VAD, followed by a hexdump and disassembly of its first bytes:
```
PID   Process   Start VPN   End VPN     Tag   Protection              CommitCharge  PrivateMemory
1234  explorer  0x2d80000   0x2dfffff   VadS  PAGE_EXECUTE_READWRITE  1             1
4d 5a 90 00 03 00 00 00 ...   MZ......
```
`4d 5a` (MZ) at the start of a private (VadS, PrivateMemory=1) RWX region that no file backs = very likely injected PE. No MZ but a disassembly that opens with `call`/`jmp`/`push` sequences = possible shellcode. Expect false positives from JIT runtimes (.NET, Java, browsers) that legitimately allocate RWX memory; confirm before dumping.

---

## 3. Process Injection Variants in Memory

### Process Hollowing (T1055.012) — Memory Indicators
```bash
# Hollowed process: the PEB still claims the original image, but the memory at
# ImageBaseAddress is private (not file-backed) and differs from the on-disk PE
vol -f memory.dmp windows.ldrmodules --pid <pid>
# Look for: the main module with InLoad/InInit/InMem True but an empty MappedPath,
# or a MappedPath that does not match the process image on disk

# Dump the in-memory image and diff it against the on-disk copy
vol -f memory.dmp -o /tmp/dumps/ windows.pslist --pid <pid> --dump

# On a LIVE analysis VM (not against a memory image): PE-sieve / hollows_hunter
# compare each module in memory with its file on disk and dump the mismatches
pe-sieve.exe /pid <pid> /dir C:\pe_dumps
hollows_hunter.exe /pid <pid> /dir C:\hh_dumps
```

### Reflective DLL Injection (T1620 Reflective Code Loading; T1055.001 is classic DLL injection via LoadLibrary) — Memory Indicators
```
- DLL in private memory (not backed by a file on disk), so it never appears in dlllist
- Malfind shows an MZ header in a non-image VAD
- Module missing from the PEB loader lists (ldrmodules) while its code is executing
- Import table resolved manually: the region has no IAT that points back into a mapped image
```

---

## 4. Volatility 3 Complete Workflow

```bash
# Step 1: Identify OS version
vol -f memory.dmp windows.info

# Step 2: Network connections at time of capture
vol -f memory.dmp windows.netscan

# Step 3: Active command lines (reveals PowerShell encoded commands etc)
vol -f memory.dmp windows.cmdline

# Step 4: Find suspicious injections
vol -f memory.dmp windows.malfind

# Step 5: Look for credential material
vol -f memory.dmp windows.lsadump   # Note: requires legal authorisation
vol -f memory.dmp windows.hashdump  # Note: requires legal authorisation

# Step 6: File system activity
vol -f memory.dmp windows.filescan | grep -i suspicious_name

# Step 7: Registry
vol -f memory.dmp windows.registry.hivelist
vol -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Step 8: SSDT hooks (rootkit indicator)
vol -f memory.dmp windows.ssdt

# Step 9: Kernel callbacks (rootkit indicator)
vol -f memory.dmp windows.callbacks
```

---

## 5. Memory-Based IOC Extraction

After identifying suspicious memory regions:

```bash
# Dump the full process address space (memmap) or just its main image (pslist --dump).
# windows.dumpfiles --pid <pid> dumps cached FILE objects the process has open, not its memory.
vol -f memory.dmp -o /tmp/dumps/ windows.memmap --pid <pid> --dump   # writes pid.<pid>.dmp
vol -f memory.dmp -o /tmp/dumps/ windows.pslist --pid <pid> --dump   # writes the process executable

# Extract strings from the dump
strings -n 6 /tmp/dumps/pid.<pid>.dmp
strings -n 6 -el /tmp/dumps/pid.<pid>.dmp   # UTF-16LE (Windows "Unicode")

# YARA scan on the memory dump (the unpacked payload often matches rules the on-disk sample did not)
yara -s /opt/rules/yara-rules/index.yar /tmp/dumps/pid.<pid>.dmp

# Carve PE files from the dump
foremost -t exe,dll -i /tmp/dumps/pid.<pid>.dmp -o /tmp/carved/

# Look for C2 configs (often decrypted in memory)
grep -aoE 'https?://[^[:space:]"]+' /tmp/dumps/pid.<pid>.dmp | sort -u
grep -aoE '([0-9]{1,3}\.){3}[0-9]{1,3}(:[0-9]{1,5})?' /tmp/dumps/pid.<pid>.dmp | sort -u
```

---

## 6. Rootkit Detection

### Rootkit Indicators (user- and kernel-mode)
| Indicator | Volatility Check |
|-----------|-----------------|
| Hidden process (unlinked from the EPROCESS list by DKOM) | windows.psscan (pool scan) vs windows.pslist (list walk): present in psscan only |
| Hidden driver (unlinked from PsLoadedModuleList) | windows.modscan vs windows.modules: present in modscan only |
| Hidden or unlinked DLL inside a process | windows.ldrmodules: False in InLoad/InInit/InMem for a mapped image |
| SSDT hooks (kernel-mode) | windows.ssdt: entry resolves outside ntoskrnl/win32k |
| Suspicious kernel callbacks | windows.callbacks: callback owned by an unknown or unnamed module |
| Hidden file objects | windows.filescan: pool scan finds FILE_OBJECTs the live file-system view omits |

### SSDT Hook Detection
```bash
# Clean SSDT: every entry resolves into ntoskrnl.exe (and win32k.sys for the shadow table)
vol -f memory.dmp windows.ssdt
# Red flag: an entry resolving into an unknown driver or an unnamed region = kernel-mode hook.
# On x64 Windows, PatchGuard makes SSDT hooking rare; modern kernel rootkits favour
# callbacks (windows.callbacks) and filter drivers, so check those even when the SSDT is clean.
```

---

## 7. Memory Analysis Checklist

- [ ] Memory dump acquired (from VM or with WinPmem/DumpIt)
- [ ] OS version confirmed (windows.info)
- [ ] Network connections enumerated at capture time (windows.netscan)
- [ ] Process tree reviewed for anomalies (windows.pstree)
- [ ] malfind run and all suspicious regions investigated
- [ ] Injected PE files dumped and hashed
- [ ] Strings extracted from suspicious memory regions
- [ ] YARA scan applied to memory dumps
- [ ] Credentials noted as findings (with legal caveats)
- [ ] Rootkit indicators checked (SSDT, callbacks, DKOM)



## ioc-extraction

# IOC Extraction

## Purpose
Extract structured, actionable Indicators of Compromise from all analysis phases for operationalisation in security controls and threat intelligence platforms.

---

## 1. File Indicators

### Hash Collection
```
MD5:       <32 hex chars>
SHA1:      <40 hex chars>
SHA256:    <64 hex chars>
imphash:   <32 hex chars>  (PE only — import table hash)
ssdeep:    <fuzzy hash string>  (for similarity matching)
```

### Dropped Files
Document for each dropped file:
- Full path (e.g. `C:\Users\%USERNAME%\AppData\Roaming\<name>.exe`)
- Purpose (loader, config, payload, tool)
- Hash (SHA256)
- Persistence mechanism if associated

---

## 2. Network Indicators

### Domains and IPs
For each C2 domain/IP:
```
Domain:     <fqdn>
IP:         <IPv4/IPv6>
Port:       <TCP/UDP port>
Protocol:   <HTTP/HTTPS/DNS/Custom>
First seen: <date>
WHOIS:      Registrar, registration date, registrant (if available)
Passive DNS: <other domains on same IP>
Geo:        Country, ASN, hosting provider
VT Score:   <n>/70 for the domain/IP
```

### URL Patterns
```
C2 URLs:
  POST https://<domain>/api/v1/<random>
  GET  https://<domain>/update/<base64_encoded_id>

Download URLs:
  http://<domain>/payloads/<filename>.<ext>
```

### SSL/TLS Indicators
```bash
# Extract certificate fields from server Certificate messages (handshake type 11).
# Wireshark >= 3.0 names the protocol "tls"; the older "ssl." field names are deprecated aliases.
tshark -r capture.pcap -Y "tls.handshake.type==11" \
  -T fields -e ip.src -e x509sat.printableString -e x509sat.uTF8String \
  -e x509af.serialNumber

# JA3 (client hello, type 1) and JA3S (server hello, type 2) fingerprints
tshark -r capture.pcap -Y "tls.handshake.type==1" -T fields -e ip.dst -e tls.handshake.ja3
tshark -r capture.pcap -Y "tls.handshake.type==2" -T fields -e ip.src -e tls.handshake.ja3s

# Match the hashes against a current JA3/JA4 intel feed (e.g. the lists shipped with
# Suricata rulesets); public lookup services such as ja3er.com come and go, so do not
# hard-code one. JA3 collides across unrelated software: a hit is a pivot, not a verdict.
```

### User-Agent Strings
Extract and check against known-bad UA strings:
```bash
tshark -r capture.pcap -Y http.user_agent -T fields -e http.user_agent
```

Known suspicious user-agents (always compare against the OS and browsers actually installed on the host):
| User-Agent | Associated Malware |
|------------|-------------------|
| `Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)` | Hard-coded IE9/Windows 7 string; suspicious from a Windows 10+ host, where IE9 never ran |
| `Mozilla/4.0 (compatible; MSIE 7.0 ...` from a modern OS | Dridex and other loaders reusing an IE7-era default |
| `Go-http-client/1.1` (the Go net/http default) | Go-based RATs that never set a User-Agent |
| `Python-urllib/3.x`, `python-requests/2.x` | Python-based implants and scripts |

---

## 3. Host Indicators

### Registry Keys
Document the full path, value name, value type, and value data:
```
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Value: "WindowsUpdate" = "C:\Users\...\svchost32.exe"
  Type: REG_SZ

HKLM\SYSTEM\CurrentControlSet\Services\<service_name>
  ImagePath = "C:\Windows\<malware>.exe"
```

### Mutex Names
Mutex names are often unique per malware family/campaign:
```bash
# From Volatility
vol -f memory.dmp windows.handles --pid <pid> | grep Mutant

# From API Monitor during dynamic analysis
# Object type: Mutex / CreateMutexA calls
```

### Named Pipes
```bash
# From ProcMon: Path contains \pipe\
# From Volatility
vol -f memory.dmp windows.handles | grep File | grep -i pipe

# Cobalt Strike default named pipes
\pipe\MSSE-<random>-server
\pipe\msagent_<random>
```

### File Path Patterns
```
Dropper location:    %TEMP%\<random>.exe
Persistence copy:    %APPDATA%\<legitimate-looking-name>\<exe>
Config file:         %APPDATA%\<random>.dat
Log/exfil staging:   %TEMP%\<random>.bin
```

---

## 4. Snort/Suricata Network Rules

```
# HTTP C2 rule example
alert http $HOME_NET any -> $EXTERNAL_NET any (
  msg:"ET MALWARE <Family> C2 Checkin";
  flow:established,to_server;
  content:"POST"; http_method;
  content:"/api/v1/"; http_uri;
  content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 7.0";
  http_header;
  classtype:trojan-activity;
  sid:9000001; rev:1;
)

# DNS DGA rule example  
alert dns $HOME_NET any -> any 53 (
  msg:"Possible DGA Domain Query";
  dns.query; pcre:"/^[a-z]{8,12}\.(com|net|org|info)$/";
  classtype:bad-unknown;
  sid:9000002; rev:1;
)
```

---

## 5. IOC Packaging for Distribution

### STIX 2.1 Format (JSON)
```json
{
  "type": "indicator",
  "spec_version": "2.1",
  "id": "indicator--<uuid4>",
  "created": "2026-06-01T00:00:00.000Z",
  "modified": "2026-06-01T00:00:00.000Z",
  "name": "<Malware Family> C2 IP",
  "description": "<how and where the indicator was observed>",
  "indicator_types": ["malicious-activity"],
  "pattern": "[ipv4-addr:value = '<IP>']",
  "pattern_type": "stix",
  "pattern_version": "2.1",
  "valid_from": "2026-06-01T00:00:00Z",
  "valid_until": "2026-09-01T00:00:00Z",
  "confidence": 85
}
```

### CSV Format for SIEM Import
```csv
type,value,confidence,description,tlp
sha256,<hash>,high,"<Family> dropper",amber
domain,<domain>,high,"<Family> C2",amber
ip,<ip>,medium,"<Family> staging server",green
mutex,<mutex_name>,high,"<Family> mutex",amber
```
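
As an added example (not part of the skill), a small packager that emits both the STIX 2.1 bundle and the SIEM CSV above from one IOC list, validating hash lengths, IP versions and domain syntax before building patterns so a typo cannot reach a blocklist. The TLP marking-definition IDs are the well-known ones from the STIX 2.1 specification; the confidence mapping (high=85, medium=50, low=15) and the sample IOCs are mine (203.0.113.45 is an RFC 5737 address; the SHA-256 is that of the empty file, not of any malware).

```python
import csv
import io
import ipaddress
import json
import re
import uuid
from datetime import datetime, timezone

# Well-known TLP marking-definition IDs from the STIX 2.1 specification
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-4cc0-9cc5-71f9b0d6b45f",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
CONFIDENCE = {"high": 85, "medium": 50, "low": 15}   # my mapping onto STIX's 0-100 scale
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def _lit(value: str) -> str:
    """Quote a value as a STIX pattern string literal (backslash and quote escaped)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stix_pattern(ioc_type: str, value: str) -> str:
    """Map an IOC type to a STIX 2.1 comparison expression, validating the value first."""
    t = ioc_type.lower()
    if t in HEX_LEN:
        if not re.fullmatch(rf"[0-9a-fA-F]{{{HEX_LEN[t]}}}", value):
            raise ValueError(f"{t} must be {HEX_LEN[t]} hex chars: {value!r}")
        algo = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256"}[t]
        return f"[file:hashes.'{algo}' = {_lit(value.lower())}]"
    if t == "ip":
        obj = "ipv6-addr" if ipaddress.ip_address(value).version == 6 else "ipv4-addr"
        return f"[{obj}:value = {_lit(value)}]"
    if t == "domain":
        if not re.fullmatch(r"(?i)[a-z0-9-]+(\.[a-z0-9-]+)+", value):
            raise ValueError(f"not a domain: {value!r}")
        return f"[domain-name:value = {_lit(value.lower())}]"
    if t == "url":
        return f"[url:value = {_lit(value)}]"
    if t == "mutex":
        return f"[mutex:name = {_lit(value)}]"
    raise ValueError(f"unsupported IOC type {ioc_type!r}")


def make_indicator(ioc: dict, now: datetime = None) -> dict:
    """One STIX 2.1 Indicator SDO from a {type, value, confidence, description, tlp} row."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"      # millisecond precision, UTC
    ind = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp, "modified": stamp,
        "name": ioc["description"],
        "indicator_types": ["malicious-activity"],
        "pattern": stix_pattern(ioc["type"], ioc["value"]),
        "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": stamp,
        "confidence": CONFIDENCE[ioc["confidence"].lower()],
        "object_marking_refs": [TLP_MARKINGS[ioc["tlp"].lower()]],
    }
    if ioc.get("valid_until"):          # perishable IOCs (IPs, domains) get an expiry
        ind["valid_until"] = ioc["valid_until"]
    return ind


def make_bundle(iocs, now=None) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [make_indicator(i, now) for i in iocs]}


def to_csv(iocs) -> str:
    """The SIEM CSV layout from the section above."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["type", "value", "confidence", "description", "tlp"],
                       extrasaction="ignore")
    w.writeheader()
    w.writerows(iocs)
    return buf.getvalue()


# Constructed sample IOCs for the demo (not from any real campaign)
CONSTRUCTED_IOCS = [
    {"type": "sha256", "value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "confidence": "high", "description": "<Family> dropper", "tlp": "amber"},
    {"type": "domain", "value": "update.example.net", "confidence": "high",
     "description": "<Family> C2", "tlp": "amber"},
    {"type": "ip", "value": "203.0.113.45", "confidence": "medium",
     "description": "<Family> staging server", "tlp": "green", "valid_until": "2026-09-01T00:00:00Z"},
    {"type": "mutex", "value": "Global\\x7f2kd", "confidence": "high",
     "description": "<Family> mutex", "tlp": "amber"},
]

if __name__ == "__main__":
    print(json.dumps(make_bundle(CONSTRUCTED_IOCS), indent=2))
    print(to_csv(CONSTRUCTED_IOCS))
```

Validate the bundle with the `stix2-validator` package before pushing it to a TAXII server or MISP; the validator catches what this script does not (for example, pattern syntax for more exotic observables).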

---

## 6. IOC Quality Checklist

- [ ] All hashes re-verified against original file (no copy errors)
- [ ] Network IOCs checked against CDN / cloud provider ranges
- [ ] Domain IOCs checked for parking / sinkholing (already taken down)
- [ ] IP IOCs checked for shared hosting (avoid blocking legitimate services)
- [ ] Registry key IOCs checked that they don't match legitimate software
- [ ] Mutex names checked against known-clean software
- [ ] User-agents checked against legitimate browser versions
- [ ] TLP level set and documented
- [ ] Expiry date set for perishable IOCs (IPs change; domains expire)



## intelligence-report

# Intelligence Report

## Purpose
Produce a structured threat intelligence report synthesising all analysis findings, suitable for SOC, threat hunting, incident response, and executive audiences.

---

## 1. Report Structure

```
MALWARE ANALYSIS INTELLIGENCE REPORT
======================================
Report ID:        MAL-<YYYY>-<nnnn>
Date:             <YYYY-MM-DD>
TLP:              AMBER / GREEN / RED
Analyst(s):       <names>
Peer Reviewer:    <name>
Confidence:       HIGH / MEDIUM / LOW

1. EXECUTIVE SUMMARY
2. MALWARE FAMILY CLASSIFICATION
3. TECHNICAL CAPABILITIES SUMMARY
4. MITRE ATT&CK MAPPING
5. THREAT ACTOR ATTRIBUTION (if applicable)
6. IOC PACKAGE
7. DETECTION AND RESPONSE RECOMMENDATIONS
8. APPENDIX: Technical Analysis Detail
```

---

## 2. Malware Family Classification

```
Primary Classification:
  Family:       <TrickBot / Qakbot / Cobalt Strike / Unknown>
  Variant:      <version/campaign ID if known>
  Category:     Trojan / Ransomware / RAT / Infostealer / Loader / Wiper / PUA
  Confidence:   High (confirmed by signature + behaviour) / Medium / Low

Sub-classifications (if multi-stage):
  Stage 1:      <Loader family>
  Stage 2:      <Final payload family>

Known aliases:
  <Other names this family is known by>

ATT&CK Software entry:
  <Sxxx> — URL to MITRE entry (if classified family)
```

---

## 3. Technical Capabilities Summary

Presented as bulleted capability list for SOC and IR audiences:

```
CAPABILITIES IDENTIFIED
========================
Execution:
  [x] PowerShell execution (encoded command)
  [x] Process injection (process hollowing into svchost.exe)
  [ ] Script interpreter abuse

Persistence:
  [x] Registry Run Key: HKCU\...\Run\WindowsUpdate
  [ ] Scheduled Task
  [ ] Service installation

Defense Evasion:
  [x] Process hollowing (T1055.012)
  [x] Anti-debug (PEB.BeingDebugged check)
  [x] Anti-VM (VMware registry check)
  [x] String obfuscation (XOR key 0x3B)

Credential Access:
  [x] Keylogging (SetWindowsHookEx WH_KEYBOARD_LL)
  [x] Browser credential harvesting (SQLite databases)
  [ ] LSASS memory reading

C2 Communication:
  [x] HTTP POST to hardcoded C2
  [x] RC4-encrypted payload
  [x] Custom User-Agent
  [ ] Domain generation algorithm

Exfiltration:
  [x] Data staged to %TEMP%\output.bin
  [x] Exfiltrated via C2 channel
```

---

## 4. MITRE ATT&CK Full Mapping

| Tactic | Technique ID | Technique | Evidence | Confidence |
|--------|--------------|-----------|----------|------------|
| Initial Access | T1566.001 | Phishing: Spearphishing Attachment | Email delivery of dropper | Medium |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Encoded PS command in sample | High |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Registry write observed in ProcMon | High |
| Defense Evasion | T1055.012 | Process Injection: Process Hollowing | svchost.exe hollowed (malfind) | High |
| Defense Evasion | T1027 | Obfuscated Files or Information | XOR-encoded strings | High |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion: System Checks | VMware registry query | High |
| Credential Access | T1056.001 | Input Capture: Keylogging | SetWindowsHookEx API call | High |
| Discovery | T1082 | System Information Discovery | GetComputerName, GetSystemInfo | High |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP POST C2 | High |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | RC4 in C2 comms | High |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data exfil via HTTP POST | Medium |

---

## 5. Threat Actor Attribution

Attribution section — only include if evidence exists:

```
ATTRIBUTION ASSESSMENT
======================
Suspected Actor:  <Group name> (<ATT&CK Group ID if known>)
Confidence:       Low / Medium / High
Evidence:
  - Tooling overlap: <tool X also used by this group>
  - Infrastructure overlap: <IP/domain also used by this group>
  - TTP overlap: <same technique combination>
  - Victimology match: <same sector/geography targeted>

Caveats:
  - Tooling attribution alone is insufficient (tools are shared/sold)
  - False flag operations exist
  - Attribution should be assessed with OPSEC caution
```

---

## 6. Detection Rules

### Sigma Rule
```yaml
title: <Malware Family> Registry Persistence
id: <uuid>
status: experimental
description: Detects registry run key persistence associated with <Family>
references:
  - <this report URL>
author: <analyst name>
date: 2026-06-01   # ISO 8601, as required by the Sigma v2 specification
tags:
  - attack.persistence
  - attack.t1547.001
logsource:
  category: registry_event
  product: windows
detection:
  selection:
    EventType: SetValue
    TargetObject|contains:
      - '\CurrentVersion\Run\'
    Details|contains:
      - '<suspicious_value>'
  condition: selection
falsepositives:
  - Legitimate software may set run keys
level: high
```

### YARA Rule
```yara
rule MalwareFamily_Campaign_2026 {
    meta:
        description = "Detects <Family> based on unique strings and code patterns"
        author = "<analyst>"
        date = "2026-06-01"
        hash = "<sha256>"
        reference = "MAL-2026-XXXX"
        mitre_attack = "T1055.012, T1071.001, T1547.001"
    strings:
        $str1 = "<unique_string_1>" ascii wide
        $str2 = "<unique_string_2>" ascii nocase
        $bytes1 = { <hex_pattern> }
        $mutex = "<mutex_name>" ascii
    condition:
        uint16(0) == 0x5A4D and
        filesize < 10MB and
        2 of ($str*) and $mutex
}
```

---

## 7. Recommended Defensive Actions

### Immediate (within 24h)
- [ ] Block all IOCs (hashes, IPs, domains) in security controls
- [ ] Hunt for IOCs across endpoint fleet using EDR query
- [ ] Check email gateway for delivery of similar attachments

### Short-term (within 1 week)
- [ ] Deploy Sigma/YARA detection rules to SIEM/EDR
- [ ] Brief SOC team on sample TTPs for alert prioritisation
- [ ] Update threat hunting hypotheses based on TTPs

### Long-term
- [ ] Review controls against all T-codes identified
- [ ] Conduct table-top exercise using this sample's attack chain
- [ ] Submit sample and rules to sharing communities (ISAC, VirusTotal)

---

## 8. Confidence Rating Matrix

| Component | Confidence | Basis |
|-----------|------------|-------|
| Family classification | High | YARA match + CAPE config extraction |
| TTP mapping | High | Directly observed in dynamic analysis |
| Attribution | Low | Tooling overlap only, no infrastructure correlation |
| IOC freshness | Medium | Sample first seen <date>; C2 may be sinkholed |

All platforms

| Platform | Artifact | Where to paste |
|----------|----------|----------------|
| Any chat UI | System prompt | Claude Projects / Gemini Gems / Mistral |
| ChatGPT | Action JSON | GPT Builder → Add Action |
| Claude Desktop / Cursor | MCP config | claude_desktop_config.json |