Stage 15: Malware Analysis and Attack Vectors
Overview
Duration: 30-35 hours Difficulty: Intermediate to Advanced Prerequisites: Stage 1-10, Stage 14 (Cryptography Fundamentals)This stage provides comprehensive coverage of malware types, analysis techniques, attack vectors, and defensive strategies. Students will learn to identify, analyze, and defend against various forms of malicious software while understanding the complete attack lifecycle.
Learning Objectives
By the end of this stage, you will be able to:
- Classify and identify different malware types and their behaviors
- Perform static and dynamic malware analysis in isolated environments
- Understand common attack vectors and exploitation techniques
- Analyze malware samples using professional tools and methodologies
- Develop detection signatures and defensive countermeasures
- Understand the malware development lifecycle (for defensive purposes)
- Implement automated malware analysis pipelines with Python
Module 15.1: Introduction to Malware (4-5 hours)
15.1.1 What is Malware?
Malware (malicious software) is any software intentionally designed to cause damage, gain unauthorized access, or perform unwanted actions on computer systems.
Malware Classification by Type
| Type | Description | Primary Goal | Example |
|------|-------------|--------------|---------|
| Virus | Self-replicating, attaches to files | Spread and damage | CIH, ILOVEYOU |
| Worm | Self-replicating, network-based | Rapid propagation | WannaCry, Conficker |
| Trojan | Disguised as legitimate software | Unauthorized access | Emotet, Zeus |
| Ransomware | Encrypts files for ransom | Financial extortion | LockBit, REvil |
| Spyware | Monitors user activity | Data theft | Pegasus, FinFisher |
| Rootkit | Hides malicious presence | Persistence | Necurs, ZeroAccess |
| Botnet | Network of compromised systems | Distributed attacks | Mirai, Emotet |
| RAT | Remote Access Trojan | Full system control | DarkComet, njRAT |
| Keylogger | Records keystrokes | Credential theft | Agent Tesla |
| Cryptominer | Unauthorized cryptocurrency mining | Financial gain | XMRig variants |
15.1.2 Malware Analysis Lab Setup
#!/usr/bin/env python3
"""
lab_setup_guide.py - Malware analysis lab configuration
Educational tool for setting up isolated analysis environments
"""
SAFETY_WARNING = """
╔════════════════════════════════════════════════════════════════╗
║ ⚠️ CRITICAL SAFETY REQUIREMENTS ⚠️ ║
╠════════════════════════════════════════════════════════════════╣
║ ║
║ 1. NEVER analyze malware on your main computer ║
║ 2. ALWAYS use isolated virtual machines ║
║ 3. DISABLE shared folders between host and VM ║
║ 4. USE host-only or isolated networking ║
║ 5. TAKE snapshots before analysis ║
║ 6. NEVER connect analysis VMs to production networks ║
║ ║
╚════════════════════════════════════════════════════════════════╝
"""
RECOMMENDED_VMS = """
RECOMMENDED VM CONFIGURATIONS:
═════════════════════════════
- Windows Analysis VM
• OS: Windows 10/11
• RAM: 8GB | Disk: 80GB
• Network: Host-only
• Tools: x64dbg, Ghidra, Process Monitor, PEStudio, Wireshark
- Linux Analysis VM (REMnux)
• OS: Ubuntu/REMnux
• RAM: 4GB | Disk: 60GB
• Network: Host-only
• Tools: Ghidra, radare2, Volatility3, YARA, oletools
- Network Monitor VM
• OS: Security Onion/REMnux
• RAM: 4GB | Disk: 100GB
• Network: Internal network (captures traffic)
• Tools: Wireshark, INetSim, FakeDNS, tcpdump
"""
NETWORK_TOPOLOGY = """
┌──────────────────────────────────────────────────────────────────┐
│ MALWARE LAB NETWORK TOPOLOGY │
├──────────────────────────────────────────────────────────────────┤
│ │
│ ┌─────────────┐ │
│ │ HOST OS │ │
│ │ (Control) │ │
│ └──────┬──────┘ │
│ │ │
│ ┌──────────┴──────────┐ │
│ │ Virtual Network │ │
│ │ (Host-Only/NAT) │ │
│ └──────────┬──────────┘ │
│ │ │
│ ┌─────────────────────┼─────────────────────┐ │
│ │ │ │ │
│ ┌─────┴─────┐ ┌─────┴─────┐ ┌─────┴─────┐ │
│ │ Windows │ │ Linux │ │ Network │ │
│ │ Analysis │◄───────▶│ Analysis │◄───────▶│ Monitor │ │
│ │ VM │ │ VM │ │ VM │ │
│ └───────────┘ └───────────┘ └───────────┘ │
│ │
│ ┌───────────────────────────────────────────────────────────┐ │
│ │ Internal Network (Isolated from Internet) │ │
│ │ INetSim provides fake internet services │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │
└──────────────────────────────────────────────────────────────────┘
"""
PYTHON_TOOLS = """
Essential Python malware analysis libraries
pip install pefile # PE file parsing
pip install yara-python # YARA rule matching
pip install capstone # Disassembly
pip install oletools # Office document analysis
pip install python-magic # File type detection
pip install volatility3 # Memory forensics
pip install scapy # Network packet analysis
pip install requests # HTTP operations
pip install networkx # Graph visualization
"""
if __name__ == "__main__":
print(SAFETY_WARNING)
print(RECOMMENDED_VMS)
print(NETWORK_TOPOLOGY)
Module 15.2: Static Malware Analysis (6-7 hours)
15.2.1 Static Analysis Workflow
Static analysis examines malware without executing it - the safest initial approach.
STATIC ANALYSIS WORKFLOW:
═════════════════════════
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ Hash │───▶│ File │───▶│ String │───▶│ Import │
│ Check │ │ Format │ │ Extract │ │ Analysis│
└─────────┘ └─────────┘ └─────────┘ └─────────┘
│ │ │ │
▼ ▼ ▼ ▼
┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐
│ VT │ │ PE/ELF │ │ IOC │ │ API │
│ Lookup │ │ Headers │ │ Extract │ │ Mapping │
└─────────┘ └─────────┘ └─────────┘ └─────────┘
15.2.2 File Hashing and Identification
#!/usr/bin/env python3
"""
static_analyzer.py - Static malware analysis toolkit
"""
import hashlib
import os
from typing import Dict, List, Optional
class FileAnalyzer:
"""Basic static file analysis"""
# Common file signatures (magic bytes)
SIGNATURES = {
b"MZ": "Windows Executable (PE)",
b"\x7fELF": "Linux Executable (ELF)",
b"PK\x03\x04": "ZIP/Office Archive",
b"%PDF": "PDF Document",
b"\xd0\xcf\x11\xe0": "OLE Document (Office)",
b"Rar!": "RAR Archive",
}
@staticmethod
def calculate_hashes(file_path: str) -> Dict[str, str]:
"""Calculate MD5, SHA1, SHA256 hashes"""
hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
try:
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(8192), b""):
for h in hashes.values():
h.update(chunk)
return {name: h.hexdigest() for name, h in hashes.items()}
except Exception as e:
return {"error": str(e)}
@classmethod
def identify_file_type(cls, file_path: str) -> str:
"""Identify file type by magic bytes"""
try:
with open(file_path, "rb") as f:
header = f.read(16)
for magic, file_type in cls.SIGNATURES.items():
if header.startswith(magic):
return file_type
return "Unknown"
except Exception as e:
return f"Error: {e}"
@staticmethod
def extract_strings(file_path: str, min_length: int = 4) -> Dict[str, List[str]]:
"""Extract ASCII and Unicode strings"""
try:
with open(file_path, "rb") as f:
data = f.read()
except Exception as e:
return {"error": str(e)}
# ASCII strings
ascii_strings = []
current = ""
for byte in data:
if 32 <= byte <= 126:
current += chr(byte)
else:
if len(current) >= min_length:
ascii_strings.append(current)
current = ""
# Unicode strings (UTF-16LE)
unicode_strings = []
current = ""
for i in range(0, len(data) - 1, 2):
if data[i+1] == 0 and 32 <= data[i] <= 126:
current += chr(data[i])
else:
if len(current) >= min_length:
unicode_strings.append(current)
current = ""
return {"ascii": ascii_strings, "unicode": unicode_strings}
Interesting patterns to look for in strings
INTERESTING_PATTERNS = {
"URLs": r"https?://[^\s]+",
"IP Addresses": r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",
"Registry Paths": r"HKEY_[A-Z_]+",
"File Paths": r"C:\\[^\s]+",
"Domains": r"[a-zA-Z0-9-]+\.(com|net|org|io|ru|cn)",
"Email": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
}
Suspicious API functions
SUSPICIOUS_APIS = {
"Process Injection": ["CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"],
"Keylogging": ["SetWindowsHookEx", "GetAsyncKeyState", "GetKeyState"],
"Network": ["WSAStartup", "socket", "connect", "send", "recv"],
"Persistence": ["RegSetValueEx", "CreateService", "CopyFile"],
"Anti-Analysis": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent"],
"Crypto": ["CryptAcquireContext", "CryptEncrypt", "CryptDecrypt"],
}
15.2.3 PE File Analysis
#!/usr/bin/env python3
"""
pe_analyzer.py - Windows PE file analysis
Requires: pip install pefile
"""
def analyze_pe_structure():
"""PE file structure reference"""
return """
PE FILE STRUCTURE:
══════════════════
┌────────────────────────────────────┐
│ DOS HEADER │ ← MZ signature at offset 0
│ e_magic: 0x5A4D ("MZ") │
│ e_lfanew: Offset to PE header │
├────────────────────────────────────┤
│ DOS STUB │ ← "This program cannot be run..."
├────────────────────────────────────┤
│ PE SIGNATURE │ ← "PE\\0\\0" (0x50450000)
├────────────────────────────────────┤
│ FILE HEADER (COFF) │
│ Machine type (x86/x64) │
│ Number of sections │
│ Timestamp │
│ Characteristics (DLL, EXE, etc.) │
├────────────────────────────────────┤
│ OPTIONAL HEADER │
│ Magic (PE32/PE32+) │
│ Entry Point │
│ Image Base │
│ Section/File Alignment │
│ Subsystem (GUI/Console) │
│ Data Directories │
├────────────────────────────────────┤
│ SECTION HEADERS │
│ .text - Code │
│ .data - Initialized data │
│ .rdata - Read-only data │
│ .rsrc - Resources │
│ .reloc - Relocations │
├────────────────────────────────────┤
│ SECTIONS (Raw Data) │
└────────────────────────────────────┘
SUSPICIOUS INDICATORS:
─────────────────────
• Entry point outside code section
• Unusual section names (.upx, .aspack, .vmp)
• Section with W+X permissions (writable + executable)
• Very high entropy (packed/encrypted)
• No imports (likely packed)
• Suspicious imports (injection, crypto APIs)
"""
Example PE analysis with pefile
PE_ANALYSIS_CODE = '''
import pefile
import hashlib
def analyze_pe(file_path):
"""Comprehensive PE file analysis"""
pe = pefile.PE(file_path)
analysis = {
"basic_info": {
"machine": hex(pe.FILE_HEADER.Machine),
"is_64bit": pe.FILE_HEADER.Machine == 0x8664,
"is_dll": pe.FILE_HEADER.Characteristics & 0x2000,
"timestamp": pe.FILE_HEADER.TimeDateStamp,
"entry_point": hex(pe.OPTIONAL_HEADER.AddressOfEntryPoint),
"image_base": hex(pe.OPTIONAL_HEADER.ImageBase),
},
"sections": [],
"imports": {},
"exports": [],
"imphash": pe.get_imphash(),
}
# Analyze sections
for section in pe.sections:
section_info = {
"name": section.Name.decode().rstrip("\\x00"),
"virtual_address": hex(section.VirtualAddress),
"virtual_size": section.Misc_VirtualSize,
"raw_size": section.SizeOfRawData,
"entropy": section.get_entropy(),
"characteristics": hex(section.Characteristics),
}
# Flag suspicious characteristics
if section.Characteristics & 0x20000000 and section.Characteristics & 0x80000000:
section_info["warning"] = "W+X (Writable and Executable)"
if section.get_entropy() > 7.0:
section_info["warning"] = "High entropy (possibly packed)"
analysis["sections"].append(section_info)
# Analyze imports
if hasattr(pe, "DIRECTORY_ENTRY_IMPORT"):
for entry in pe.DIRECTORY_ENTRY_IMPORT:
dll_name = entry.dll.decode()
functions = [imp.name.decode() if imp.name else f"ord_{imp.ordinal}"
for imp in entry.imports]
analysis["imports"][dll_name] = functions
return analysis
'''
15.2.4 YARA Rules
#!/usr/bin/env python3
"""
yara_rules.py - YARA rule examples for malware detection
"""
YARA_EXAMPLES = '''
/*
YARA Rules for Malware Detection - Educational Examples
*/
rule Ransomware_Indicators {
meta:
description = "Detects generic ransomware indicators"
severity = "high"
strings:
$ransom1 = "Your files have been encrypted" nocase
$ransom2 = "Bitcoin" nocase
$ransom3 = "decrypt" nocase
$vss1 = "vssadmin delete shadows" nocase
$vss2 = "wmic shadowcopy delete" nocase
condition:
uint16(0) == 0x5A4D and (2 of ($ransom) or any of ($vss))
}
rule Keylogger_Indicators {
meta:
description = "Detects keylogger patterns"
severity = "medium"
strings:
$api1 = "SetWindowsHookEx" ascii wide
$api2 = "GetAsyncKeyState" ascii wide
$api3 = "GetKeyboardState" ascii wide
$key1 = "[ENTER]" nocase
$key2 = "[BACKSPACE]" nocase
condition:
uint16(0) == 0x5A4D and (2 of ($api) or 2 of ($key))
}
rule Process_Injection {
meta:
description = "Detects process injection capabilities"
severity = "high"
strings:
$inj1 = "VirtualAllocEx" ascii wide
$inj2 = "WriteProcessMemory" ascii wide
$inj3 = "CreateRemoteThread" ascii wide
$hollow = "NtUnmapViewOfSection" ascii wide
condition:
uint16(0) == 0x5A4D and (all of ($inj*) or $hollow)
}
rule Anti_Analysis {
meta:
description = "Detects anti-analysis techniques"
severity = "medium"
strings:
$dbg1 = "IsDebuggerPresent" ascii wide
$dbg2 = "CheckRemoteDebuggerPresent" ascii wide
$vm1 = "VMware" nocase
$vm2 = "VirtualBox" nocase
$vm3 = "QEMU" nocase
condition:
uint16(0) == 0x5A4D and (2 of ($dbg) or 2 of ($vm))
}
rule CryptoMiner {
meta:
description = "Detects cryptocurrency miners"
severity = "medium"
strings:
$pool1 = "stratum+tcp://" ascii wide
$pool2 = "pool." ascii wide
$algo1 = "cryptonight" nocase
$miner = "xmrig" nocase
condition:
(1 of ($pool) and 1 of ($algo)) or $miner
}
'''
YARA_SYNTAX_GUIDE = """
YARA RULE SYNTAX GUIDE:
═══════════════════════
STRUCTURE:
──────────
rule RuleName {
meta:
description = "What this rule detects"
author = "Your name"
severity = "high/medium/low"
strings:
$text = "plain text"
$hex = { 4D 5A 90 00 }
$regex = /pattern[0-9]+/
condition:
$text or $hex
}
STRING MODIFIERS:
─────────────────
• nocase - Case insensitive
• wide - UTF-16 encoded
• ascii - ASCII (default)
• fullword - Match whole word only
• xor - XOR encoded variations
COMMON CONDITIONS:
──────────────────
• uint16(0) == 0x5A4D - Check for MZ header (PE file)
• any of them - Match any string
• all of them - Match all strings
• 2 of ($str*) - Match 2 strings starting with $str
• filesize < 1MB - Size constraint
• #string > 5 - String occurs more than 5 times
"""
Module 15.3: Dynamic Malware Analysis (6-7 hours)
15.3.1 Dynamic Analysis Overview
Dynamic analysis involves executing malware in a controlled environment to observe its runtime behavior.
DYNAMIC ANALYSIS WORKFLOW:
══════════════════════════
┌─────────────┐
│ PREPARE │ • Create clean VM snapshot
│ ENVIRONMENT │ • Configure network monitoring
└──────┬──────┘ • Set up logging tools
│
▼
┌─────────────┐
│ EXECUTE │ • Run sample in isolated VM
│ SAMPLE │ • Monitor for 5-15 minutes
└──────┬──────┘ • Interact if needed
│
▼
┌─────────────────────────────────────────────────┐
│ MONITORING POINTS │
├───────────┬───────────┬───────────┬────────────┤
│ Process │ File │ Network │ Registry │
│ Activity │ Changes │ Traffic │ Changes │
└───────────┴───────────┴───────────┴────────────┘
│
▼
┌─────────────┐
│ ANALYZE │ • Correlate events
│ RESULTS │ • Extract IOCs
└──────┬──────┘ • Generate report
│
▼
┌─────────────┐
│ RESTORE │ • Revert to clean snapshot
│ SNAPSHOT │ • Preserve analysis data
└─────────────┘
15.3.2 Process Monitoring
#!/usr/bin/env python3
"""
process_monitor_guide.py - Process monitoring for malware analysis
"""
PROCESS_BEHAVIORS = """
COMMON MALWARE PROCESS BEHAVIORS:
═════════════════════════════════
- PROCESS INJECTION
─────────────────
• Parent opens another process (OpenProcess)
• Allocates memory in target (VirtualAllocEx)
• Writes to target memory (WriteProcessMemory)
• Creates remote thread (CreateRemoteThread)
Detection: Look for cross-process memory operations
- PROCESS HOLLOWING
──────────────────
• Creates suspended process (CREATE_SUSPENDED)
• Unmaps original code (NtUnmapViewOfSection)
• Writes new code to process
• Resumes execution (ResumeThread)
Detection: Suspended process creation followed by memory writes
- DLL INJECTION
──────────────
• Writes DLL path to target process memory
• Creates thread calling LoadLibrary in target
• Malicious DLL executes in target context
Detection: LoadLibrary calls from unusual contexts
- SUSPICIOUS PARENT-CHILD RELATIONSHIPS
─────────────────────────────────────
SUSPICIOUS:
• Word/Excel/Outlook → cmd.exe or powershell.exe
• Browser → script interpreters
• System processes with unusual children
NORMAL:
• explorer.exe → most user applications
• services.exe → service processes
• svchost.exe → system services
"""
PROCMON_FILTERS = """
PROCESS MONITOR ANALYSIS:
═════════════════════════
USEFUL FILTERS:
───────────────
- Process Name is [malware.exe]
- Operation is WriteFile
- Path contains AppData
- Path contains Run (for persistence)
- Result is ACCESS DENIED
PERSISTENCE LOCATIONS TO MONITOR:
─────────────────────────────────
Registry:
• HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
• HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
• HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
File System:
• %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
• C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
Scheduled Tasks:
• C:\\Windows\\System32\\Tasks
Services:
• HKLM\\SYSTEM\\CurrentControlSet\\Services
"""
15.3.3 Network Analysis
#!/usr/bin/env python3
"""
network_analysis.py - Network traffic analysis for malware
"""
NETWORK_INDICATORS = """
NETWORK ANALYSIS GUIDE:
═══════════════════════
COMMON C2 PROTOCOLS:
────────────────────
• HTTP/HTTPS - Most common, blends with normal traffic
• DNS - Tunneling commands through DNS queries
• IRC - Legacy C2 channel
• Custom TCP - Binary protocols on unusual ports
BEACONING DETECTION:
────────────────────
Signs of C2 beaconing:
• Regular interval connections (every 60s, 5min, etc.)
• Jitter may be added (±10-30% variation)
• Small consistent packet sizes
• Connections to unusual IPs/domains
DNS TUNNELING INDICATORS:
─────────────────────────
• Very long subdomain strings (encoded data)
• Unusual query types (TXT, NULL)
• High volume of queries to single domain
• Base64/hex patterns in subdomains
SUSPICIOUS PORTS:
─────────────────
• 4444 - Metasploit default
• 5555 - Common RAT port
• 6666 - Common backdoor
• 6667 - IRC C2 channel
• 1337 - "Elite" port
• 31337 - Back Orifice
"""
WIRESHARK_FILTERS = """
USEFUL WIRESHARK FILTERS:
═════════════════════════
PROTOCOL FILTERS:
─────────────────
• http - All HTTP traffic
• dns - All DNS traffic
• tcp.port == 4444 - Specific port
• ip.addr == 192.168.1.100 - Specific IP
HTTP ANALYSIS:
──────────────
• http.request.method == POST - POST requests
• http.request.uri contains "gate.php" - Common C2 path
• http.user_agent contains "python" - Script user agent
DNS ANALYSIS:
─────────────
• dns.qry.name contains "evil" - Specific domain
• dns.qry.type == 16 - TXT records
• dns.resp.len > 100 - Large responses
CONNECTION TRACKING:
────────────────────
• tcp.flags.syn == 1 - New connections
• tcp.stream eq 5 - Follow specific stream
"""
15.3.4 Sandbox Analysis
#!/usr/bin/env python3
"""
sandbox_guide.py - Automated sandbox analysis
"""
SANDBOX_SETUP = """
CUCKOO SANDBOX SETUP:
═════════════════════
REQUIREMENTS:
─────────────
• Linux host (Ubuntu 20.04+)
• VirtualBox, KVM, or VMware
• Windows VM for sample execution
• Minimum 8GB RAM (16GB recommended)
INSTALLATION:
─────────────
- Install dependencies:
sudo apt install python3-pip virtualbox mongodb
- Install Cuckoo:
pip3 install cuckoo
- Initialize:
cuckoo init
- Configure VM in ~/.cuckoo/conf/virtualbox.conf
- Prepare Windows VM:
• Disable firewall, updates, AV
• Install Python, run cuckoo agent
• Take snapshot
- Start services:
cuckoo # Main service
cuckoo web runserver # Web interface
cuckoo api # REST API
API ENDPOINTS:
──────────────
POST /tasks/create/file - Submit sample
GET /tasks/view/{id} - Check status
GET /tasks/report/{id} - Get report
"""
ANALYSIS_PIPELINE = """
AUTOMATED ANALYSIS PIPELINE:
════════════════════════════
┌─────────────────────────────────────────────────────────────┐
│ │
│ ┌─────────┐ │
│ │ INTAKE │ • Hash calculation & VT lookup │
│ │ │ • File type identification │
│ └────┬────┘ │
│ ▼ │
│ ┌─────────┐ │
│ │ STATIC │ • PE/ELF analysis │
│ │ │ • String extraction & YARA scanning │
│ └────┬────┘ │
│ ▼ │
│ ┌─────────┐ │
│ │ DYNAMIC │ • Sandbox execution │
│ │ │ • Behavior & network monitoring │
│ └────┬────┘ │
│ ▼ │
│ ┌─────────┐ │
│ │ MEMORY │ • Memory dump analysis │
│ │ │ • Unpacking & config extraction │
│ └────┬────┘ │
│ ▼ │
│ ┌─────────┐ │
│ │ REPORT │ • IOC extraction & threat scoring │
│ │ │ • MITRE ATT&CK mapping │
│ └─────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
"""
Module 15.4: Attack Vectors (6-7 hours)
15.4.1 Attack Lifecycle (Kill Chain)
CYBER KILL CHAIN:
═════════════════
┌─────────────────────────────────────────────────────────────┐
│ │
│ 1. RECONNAISSANCE │
│ └─▶ Target research, vulnerability scanning │
│ │
│ 2. WEAPONIZATION │
│ └─▶ Create malware, exploit packages │
│ │
│ 3. DELIVERY │
│ └─▶ Phishing, drive-by, USB, supply chain │
│ │
│ 4. EXPLOITATION │
│ └─▶ Execute exploit, gain initial access │
│ │
│ 5. INSTALLATION │
│ └─▶ Install malware, establish persistence │
│ │
│ 6. COMMAND & CONTROL │
│ └─▶ Establish C2 channel, receive commands │
│ │
│ 7. ACTIONS ON OBJECTIVES │
│ └─▶ Data theft, lateral movement, destruction │
│ │
└─────────────────────────────────────────────────────────────┘
MITRE ATT&CK TACTICS:
─────────────────────
• Initial Access • Persistence • Defense Evasion
• Privilege Escalation • Credential Access • Discovery
• Lateral Movement • Collection • Exfiltration
• Command and Control • Impact
"""
15.4.2 Phishing Analysis
import re
from typing import Dict, List
class PhishingAnalyzer:
"""Analyze emails for phishing indicators"""
SUSPICIOUS_SENDER_PATTERNS = [
(r"@.*\.tk$", "Free TLD (.tk)"),
(r"microsoft.*@(?!microsoft\.com)", "Microsoft impersonation"),
(r"apple.*@(?!apple\.com)", "Apple impersonation"),
(r"paypal.*@(?!paypal\.com)", "PayPal impersonation"),
]
URGENCY_PHRASES = [
"urgent action required",
"account will be suspended",
"verify immediately",
"unauthorized activity",
"within 24 hours",
]
SUSPICIOUS_URL_PATTERNS = [
(r"https?://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}", "IP address URL"),
(r"bit\.ly|goo\.gl|tinyurl", "URL shortener"),
(r"login.-.\.", "Suspicious login domain"),
]
def analyze(self, sender: str, subject: str, body: str, urls: List[str]) -> Dict:
"""Analyze email for phishing indicators"""
risk_score = 0
findings = []
# Check sender
for pattern, desc in self.SUSPICIOUS_SENDER_PATTERNS:
if re.search(pattern, sender, re.IGNORECASE):
findings.append(f"Sender: {desc}")
risk_score += 25
# Check for urgency
body_lower = body.lower()
for phrase in self.URGENCY_PHRASES:
if phrase in body_lower:
findings.append(f"Urgency: '{phrase}'")
risk_score += 10
# Check URLs
for url in urls:
for pattern, desc in self.SUSPICIOUS_URL_PATTERNS:
if re.search(pattern, url):
findings.append(f"URL: {desc}")
risk_score += 20
# Verdict
if risk_score >= 60:
verdict = "HIGH RISK - Likely Phishing"
elif risk_score >= 30:
verdict = "MEDIUM RISK - Suspicious"
else:
verdict = "LOW RISK"
return {"risk_score": min(risk_score, 100), "verdict": verdict, "findings": findings}
PHISHING_DEFENSE = """
PHISHING DEFENSE CHECKLIST:
═══════════════════════════
BEFORE CLICKING:
────────────────
☐ Verify sender email address (not just display name)
☐ Hover over links to check actual destination
☐ Look for typos and grammatical errors
☐ Question urgency or threatening language
☐ Be suspicious of unexpected attachments
RED FLAGS:
──────────
⚠ Sender domain doesn't match organization
⚠ Generic greeting ("Dear Customer")
⚠ Requests for credentials or personal info
⚠ Pressure to act immediately
⚠ Links to IP addresses or URL shorteners
⚠ Mismatched or suspicious URLs
TECHNICAL CONTROLS:
───────────────────
• Email authentication (SPF, DKIM, DMARC)
• Link protection/sandboxing
• Attachment sandboxing
• User awareness training
• Multi-factor authentication
"""
15.4.3 Malicious Documents
OLETOOLS_GUIDE = """
OLETOOLS ANALYSIS:
══════════════════
INSTALLATION:
─────────────
pip install oletools
TOOLS:
──────
olevba - Extract and analyze VBA macros
mraptor - Detect auto-execute macros
oleid - Identify OLE file characteristics
oleobj - Extract embedded objects
rtfobj - Analyze RTF files
COMMON COMMANDS:
────────────────
olevba document.doc # Analyze macros
olevba -a document.doc # Full analysis
mraptor document.doc # Detect auto-exec
oleobj -i document.doc # Extract objects
SUSPICIOUS VBA PATTERNS:
────────────────────────
• AutoOpen / Document_Open - Auto-execution
• Shell / WScript - Command execution
• Powershell - Script execution
• CreateObject - Object creation
• DownloadFile - File download
• XMLHTTP / ADODB - Network/file access
"""
DOCUMENT_ATTACK_TYPES = """
DOCUMENT-BASED ATTACKS:
═══════════════════════
- MACRO-BASED
- OLE EMBEDDED OBJECTS
- DDE (Dynamic Data Exchange)
- CVE EXPLOITS
- RTF EXPLOITS
Module 15.5: Defense and Detection (5-6 hours)
15.5.1 Detection Strategies
DETECTION_METHODS = """
MALWARE DETECTION METHODS:
══════════════════════════
- SIGNATURE-BASED
- HEURISTIC-BASED
- BEHAVIORAL ANALYSIS
- MACHINE LEARNING
- SANDBOXING
DEFENSE_LAYERS = """
DEFENSE IN DEPTH:
═════════════════
┌─────────────────────────────────────────┐
│ PHYSICAL SECURITY │
│ (Facilities, hardware protection) │
└────────────────────┬────────────────────┘
│
┌────────────────────▼────────────────────┐
│ NETWORK SECURITY │
│ (Firewall, IDS/IPS, segmentation) │
└────────────────────┬────────────────────┘
│
┌────────────────────▼────────────────────┐
│ ENDPOINT SECURITY │
│ (AV, EDR, HIPS, application control) │
└────────────────────┬────────────────────┘
│
┌────────────────────▼────────────────────┐
│ APPLICATION SECURITY │
│ (WAF, input validation, patching) │
└────────────────────┬────────────────────┘
│
┌────────────────────▼────────────────────┐
│ DATA SECURITY │
│ (Encryption, DLP, backups) │
└─────────────────────────────────────────┘
KEY PRINCIPLES:
───────────────
• Multiple independent controls
• Failure of one layer doesn't compromise all
• Different control types at each layer
• Regular testing and validation
• Assume breach mentality
"""
15.5.2 IOC Extraction and Sharing
from dataclasses import dataclass
from typing import List, Dict
import json
@dataclass
class IOC:
"""Indicator of Compromise"""
ioc_type: str # hash, ip, domain, url, file, registry
value: str
context: str
confidence: str # high, medium, low
class IOCExtractor:
"""Extract IOCs from malware analysis results"""
def __init__(self):
self.iocs: List[IOC] = []
def add_hash(self, hash_value: str, hash_type: str = "sha256"):
"""Add file hash IOC"""
self.iocs.append(IOC(
ioc_type=f"hash_{hash_type}",
value=hash_value,
context="Malware sample hash",
confidence="high"
))
def add_network(self, value: str, ioc_type: str):
"""Add network IOC (ip, domain, url)"""
self.iocs.append(IOC(
ioc_type=ioc_type,
value=value,
context="C2 communication",
confidence="medium"
))
def export_stix(self) -> Dict:
"""Export IOCs in STIX format (simplified)"""
return {
"type": "bundle",
"objects": [
{
"type": "indicator",
"pattern": f"[file:hashes.'{ioc.ioc_type}' = '{ioc.value}']"
if "hash" in ioc.ioc_type
else f"[{ioc.ioc_type}:value = '{ioc.value}']",
"description": ioc.context,
"confidence": ioc.confidence
}
for ioc in self.iocs
]
}
def export_csv(self) -> str:
"""Export IOCs as CSV"""
lines = ["type,value,context,confidence"]
for ioc in self.iocs:
lines.append(f"{ioc.ioc_type},{ioc.value},{ioc.context},{ioc.confidence}")
return "\n".join(lines)
IOC_SHARING = """
IOC SHARING PLATFORMS:
══════════════════════
PLATFORMS:
──────────
• MISP - Open source threat intelligence platform
• OpenCTI - Cyber threat intelligence management
• VirusTotal - File/URL scanning and sharing
• AlienVault OTX - Open threat exchange
• Malware Bazaar - Malware sample sharing
FORMATS:
────────
• STIX/TAXII - Structured threat information
• OpenIOC - XML-based IOC format
• YARA - Pattern matching rules
• Snort/Suricata - Network detection rules
• CSV/JSON - Simple interchange
BEST PRACTICES:
───────────────
• Validate IOCs before sharing
• Include context and confidence levels
• Remove false positives
• Use standard formats
• Attribute sources appropriately
• Consider TLP (Traffic Light Protocol)
"""
Module 15.6: Hands-On Labs (4-5 hours)
Lab 15.1: Static Analysis Exercise
LAB_INSTRUCTIONS = """
╔══════════════════════════════════════════════════════════════════════════╗
║ LAB 15.1: STATIC ANALYSIS ║
╠══════════════════════════════════════════════════════════════════════════╣
║ ║
║ OBJECTIVE: Perform static analysis on a suspicious file ║
║ ║
║ TASKS: ║
║ ───── ║
║ 1. Calculate file hashes (MD5, SHA1, SHA256) ║
║ 2. Identify file type using magic bytes ║
║ 3. Extract and analyze strings ║
║ 4. If PE file, analyze imports and sections ║
║ 5. Create YARA rules based on findings ║
║ 6. Search VirusTotal for the hash ║
║ ║
║ TOOLS: ║
║ ───── ║
║ • Python with pefile, yara-python ║
║ • PEStudio or DIE (Detect It Easy) ║
║ • strings command or Python extraction ║
║ • VirusTotal web or API ║
║ ║
║ DELIVERABLES: ║
║ ───────────── ║
║ • File hashes and basic info ║
║ • List of suspicious strings ║
║ • Import/export analysis ║
║ • Section analysis with entropy ║
║ • Custom YARA rule for detection ║
║ ║
╚══════════════════════════════════════════════════════════════════════════╝
"""
Template for lab report
LAB_REPORT_TEMPLATE = """ STATIC ANALYSIS REPORT ══════════════════════FILE INFORMATION:
─────────────────
Filename: _______________
Size: _____ bytes
File Type: _______________
HASHES:
───────
MD5: ________________________________
SHA1: ________________________________________
SHA256: ________________________________________________________________
STRINGS ANALYSIS:
─────────────────
Suspicious URLs:
• _________________
• _________________
Suspicious IPs:
• _________________
Registry Keys:
• _________________
API Functions:
• _________________
• _________________
PE ANALYSIS (if applicable):
────────────────────────────
Entry Point: 0x________
Sections:
Name | VirtSize | RawSize | Entropy | Flags
--------|----------|---------|---------|-------
.text | ________ | _______ | _______ | _____
.data | ________ | _______ | _______ | _____
Suspicious Imports:
• _________________
• _________________
YARA RULE:
──────────
rule Sample_Detection {
// Your rule here
}
CONCLUSION:
───────────
[Your assessment of the file]
"""
print(LAB_INSTRUCTIONS)
print(LAB_REPORT_TEMPLATE)
Lab 15.2: Dynamic Analysis Exercise
LAB_DYNAMIC = """
╔══════════════════════════════════════════════════════════════════════════╗
║ LAB 15.2: DYNAMIC ANALYSIS ║
╠══════════════════════════════════════════════════════════════════════════╣
║ ║
║ OBJECTIVE: Observe malware behavior in isolated environment ║
║ ║
║ PREREQUISITES: ║
║ ────────────── ║
║ • Isolated Windows VM with snapshot ║
║ • Process Monitor installed ║
║ • Wireshark installed ║
║ • Network isolated (host-only) ║
║ ║
║ TASKS: ║
║ ───── ║
║ 1. Take clean VM snapshot ║
║ 2. Start Process Monitor and Wireshark ║
║ 3. Execute sample and monitor for 10 minutes ║
║ 4. Document all observed behaviors: ║
║ • Processes created ║
║ • Files created/modified/deleted ║
║ • Registry changes ║
║ • Network connections ║
║ 5. Extract IOCs from observations ║
║ 6. Restore VM to clean snapshot ║
║ ║
║ MONITORING CHECKLIST: ║
║ ───────────────────── ║
║ ☐ Process creation events ║
║ ☐ Child processes spawned ║
║ ☐ Files dropped to disk ║
║ ☐ Registry Run key modifications ║
║ ☐ Scheduled tasks created ║
║ ☐ DNS queries made ║
║ ☐ HTTP/HTTPS connections ║
║ ☐ Raw TCP/UDP connections ║
║ ║
╚══════════════════════════════════════════════════════════════════════════╝
"""
print(LAB_DYNAMIC)
```
Summary and Key Takeaways
Malware Analysis Methodology
- Always work in isolated environments - Never analyze malware on production systems
- Start with static analysis - Gather information without execution
- Use dynamic analysis carefully - Execute only in controlled sandboxes
- Extract and share IOCs - Help protect others with your findings
- Map to frameworks - Use MITRE ATT&CK for standardized reporting
Essential Tools
| Category | Tools |
|----------|-------|
| Static Analysis | PEStudio, DIE, pefile, strings, YARA |
| Dynamic Analysis | Process Monitor, Wireshark, Cuckoo, API Monitor |
| Memory Analysis | Volatility, Rekall |
| Document Analysis | oletools, pdfid |
| Automation | Python, YARA, ClamAV |
Defense Recommendations
- Implement defense in depth
- Keep systems patched
- Use endpoint detection and response (EDR)
- Train users on phishing awareness
- Monitor for suspicious behaviors
- Maintain offline backups
- Implement network segmentation
- Use threat intelligence feeds
Further Reading
- MITRE ATT&CK Framework: https://attack.mitre.org/
- Practical Malware Analysis (Book)
- Malware Analyst's Cookbook (Book)
- REMnux Documentation: https://docs.remnux.org/
- YARA Documentation: https://yara.readthedocs.io/
- VirusTotal Intelligence
- Any.Run Interactive Sandbox
Stage 15 Complete - Continue to Stage 11: Wireless Network Hacking