Malware Analysis For Hacking
- Biohazard

- 9 hours ago
- 5 min read

Malware Analysis For Hackers
Malware analysis is examining suspicious binaries to understand behavior, identify C2 infrastructure, extract IOCs, and assess impact. This applies to analyzing dropped payloads, ransomware samples discovered during engagements, and red-team tooling that may have been flagged by defenses. This is an article on malware analysis for hacking.
Analysis Approaches
Type | What You Learn | Time | Skill |
Static | Imports, strings, embedded data, structure | 30 min | Low |
Dynamic | Runtime behavior, network traffic, file changes | 2 hrs | Medium |
Code RE | Full decompilation, algorithm understanding | 8+ hrs | High |
Memory Forensics | Process injection, rootkits | 4 hrs | Medium |
Environment Setup (Isolated Lab)
Critical: Never analyze malware on production or connected systems. Use an isolated VM with snapshots.
# Recommended: REMnux (Linux malware analysis distro)
# Download: https://remnux.org
# Alternative: FLARE VM (Windows analysis)
# https://github.com/mandiant/flare-vm
# Snapshot BEFORE analysis
VBoxManage snapshot "Malware VM" take "clean_state"
Network Isolation (INetSim simulates internet):
sudo apt install inetsim
sudo inetsim # Fake DNS, HTTP, SMTP services
# Redirect all outbound to localhost
sudo iptables -A OUTPUT -j DROP # After captureQuick Static Analysis (First Pass)
These techniques run in seconds and reveal 80% of malware behavior.
File Identification
file ransomware_sample.exe
# PE32 executable (GUI) Intel 80386, for MS Windows
md5sum ransomware_sample.exe
# Save hash → VirusTotal check (isolated environment)
Strings Extraction
strings -n 8 ransomware_sample.exe | head -100
strings -n 8 ransomware_sample.exe | grep -iE "http|https|\.com|\.onion|bitcoin|wallet|encrypt|decrypt|C:\\|AES|RSA"
strings -n 12 ransomware_sample.exe > strings_output.txt
# Look for:
# - URLs/IPs → C2 servers
# - File extensions → .locked, .encrypted
# - Ransom note text → negotiation page
# - Registry keys → persistence
# - Mutex names → single-instance check
Import/Export Analysis
objdump -p malware.exe | grep -A 100 "DLL Name"
# Suspicious imports to watch for:
# Kernel32: CreateProcess, WriteProcessMemory, VirtualAllocEx → injection
# Advapi32: CryptEncrypt, CryptDecrypt → ransomware
# Wininet: InternetOpenUrl, HttpSendRequest → C2
# Ws2_32: socket, connect, send → network
# User32: SetWindowsHookEx → keylogging
PE Structure Analysis
# Using pefile (Python)
python3 -c "
import pefile
pe = pefile.PE('malware.exe')
print('Sections:')
for section in pe.sections:
print(f' {section.Name.decode().strip()}: {section.SizeOfRawData} bytes')
print(f'Entry point: 0x{pe.OPTIONAL_HEADER.AddressOfEntryPoint:x}')
print(f'Compilation: {pe.FILE_HEADER.TimeDateStamp}')
"In-Depth Static Analysis (Ghidra / IDA)
Load into Ghidra
Create project → Import binary.
Auto-analyze (all options checked).
Navigate to entry point → DllMain or WinMain.
What to look for:
# Function recognition
- String decryption routines (XOR loops)
- Anti-debug patterns (IsDebuggerPresent, NtQueryInformationProcess)
- Sleep calls with large values (anti-sandbox)
- CreateThread calls (payload execution)
# Network functions
- Look for references to URLs/IPs from strings
- socket → connect → send → recv pattern
Detecting Packers
# Packers hide true code
exiftool malware.exe | grep -i "packer\|compiler\|UPX\|Themida\|VMProtect"
# Entropy check (packed = high entropy)
binwalk -E malware.exe
# Unpack common packers
upx -d packed.exe -o unpacked.exe
YARA Rule Creation
rule Suspicious_Mutex_Indicator {
strings:
$m1 = "Global\\" nocase
$m2 = "Mutex" nocase
$m3 = "SingleInstance" nocase
condition:
all of them
}
# Scan with:
yara -s rule.yara malware.exeDynamic Analysis (Behavior Monitoring)
Restore clean VM snapshot first.
Process & File Monitoring
# Procmon (Windows Sysinternals): filter by malware process name
# Capture: file writes, registry changes, process creation
# Process Explorer: watch for injected threads, parent-child anomalies
# Regshot: compare registry before/after execution
Checklist during execution:
[ ] Creates files in %TEMP% or %APPDATA%
[ ] Drops files with random names
[ ] Modifies Run/RunOnce registry keys (persistence)
[ ] Creates scheduled tasks
[ ] Injects code into explorer.exe/svchost.exe
[ ] Makes DNS queries to suspicious domains
[ ] Connects to external IPs
[ ] Modifies Windows Defender/AV settings
[ ] Modifies file associations
Network Traffic Capture
# Capture with Wireshark on host (isolated vnet)
# Or tcpdump inside VM:
tcpdump -i eth0 -w malware_traffic.pcap
# After execution:
# Check DNS queries → domains contacted
# HTTP requests → User-Agent strings, POST data
# TLS handshakes → SNI reveals C2 domain
# With INetSim, all DNS resolves to your fake services
# Check /var/log/inetsim/ for logged connections
Capemon Analysis (CAPA)
# Mandiant's CAPA detects capabilities
capa malware.exe
# Output:
# - anti-analysis::anti-debugging
# - persistence::registry::run_key
# - ransomware::encrypt_files
# - communication::http::c2Memory Forensics (Volatility 3)
After malware runs and you've taken a memory dump:
# Dump memory from VM
VBoxManage debugvm "Malware VM" dumpvmcore --filename ram.raw
# Or within VM: use LiveKD or winpmem
Volatility Analysis:
# Install
pip3 install volatility3
# Identify profile
python3 vol.py -f ram.raw windows.info
# List processes
python3 vol.py -f ram.raw windows.pslist
# Look for:
# - Suspicious parent-child (e.g., svchost.exe spawning cmd.exe)
# - Hidden processes (pslist vs psscan mismatch)
# - Process with no DLL loaded
# Check for injected code
python3 vol.py -f ram.raw windows.malfind
# Extract injected region
python3 vol.py -f ram.raw windows.dumpfiles --pid 1234
# Network connections at time of dump
python3 vol.py -f ram.raw windows.netscan
# Registry modifications
python3 vol.py -f ram.raw windows.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
Ransomware Analysis Checklist
Specific to ransomware samples found during pentests:
[ ] Check strings for:
- File extensions appended (.locked, .crypt, .encrypted)
- Ransom note filename (README.txt, HOW_TO_DECRYPT.html)
- Bitcoin/Monero wallet addresses
- Email/TOX IDs for contact
- Decryption tool URL
[ ] Identify encryption algorithm:
- Look for CryptoAPI imports (CryptEncrypt, CryptGenKey)
- Or OpenSSL references
- Symmetric (AES) + Asymmetric (RSA) hybrid?
[ ] Check for:
- Shadow copy deletion (vssadmin.exe calls)
- Backup deletion (wbadmin, bcdedit)
- Safe mode boot prevention
- Self-spreading capability (SMB/WMI/Lateral movement)
[ ] Extract IOCs:
- C2 domains/IPs
- Wallet addresses
- File hashes
- YARA rulesCommon Malware Behaviors & Indicators
Behavior | Indicators | Detection |
Persistence | Run key, Startup folder, Scheduled Task | Autoruns, Regshot |
Keylogging | SetWindowsHookEx, GetAsyncKeyState | API Monitor |
Screen capture | CreateDC, BitBlt, GetDC | Procmon |
Credential theft | LSASS process access | Mimikatz detection |
C2 beaconing | Periodic HTTP/HTTPS to fixed IP | Wireshark, Zeek |
Ransomware | File enumeration, CryptEncrypt | Procmon file ops |
Injection | VirtualAllocEx, WriteProcessMemory, CreateRemoteThread | Process Hacker |
Complete Analysis Report Template
MALWARE ANALYSIS REPORT
========================
Sample: ransom_sample.exe
MD5: a1b2c3d4e5f6...
SHA256: a1b2...
Source: Found on compromised DC during internal pentest
STATIC ANALYSIS
- Packer: UPX 3.96
- Compiler: MinGW GCC
- Imports: CryptEncrypt, InternetOpenUrl, CreateProcess
- Strings: 3 C2 domains, 2 wallet addresses, ransom note text
DYNAMIC ANALYSIS
- Created persistence: HKCU\...\Run → %APPDATA%\svchost.exe
- Encrypted: .doc, .xls, .pdf, .jpg → .locked
- Dropped: README_LOCKED.html in each directory
- C2 contacted: evil-c2[.]com (resolved to 185.x.x.x)
- Anti-analysis: IsDebuggerPresent, 30min sleep if sandbox detected
DECOMPILATION HIGHLIGHTS
- AES-256 encryption with embedded key
- RSA-2048 for key encryption
- No implementation flaws → no decryption without private key
IOCS EXTRACTED
- Domains: evil-c2[.]com, paymentportal[.]onion
- Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
- YARA rule attached
RISK ASSESSMENT
- Severity: Critical (CVSS 9.0)
- Data loss: Complete encryption of local + mapped drives
- Recoverability: None without backup or private key
RECOMMENDATIONS
- Block C2 domains at perimeter firewall
- Check for lateral movement indicators
- Restore from offline backups
- Deploy YARA rule on endpointsYara Rule Generation
Create custom detection rules from your analysis:
rule Ransomware_Indicators {
meta:
description = "Detects ransomware from internal pentest"
author = "Pentest Team"
date = "2024-01-15"
strings:
$s1 = ".locked" fullword
$s2 = "README_LOCKED.html" fullword
$s3 = "bitcoin:" nocase
$c1 = { 56 57 58 59 5A } # XOR key bytes
$c2 = "CryptEncrypt" wide
condition:
uint16(0) == 0x5A4D and // PE file
($s1 or $s2) and $c2
}
# Scan hosts:
yara -r ransomware_rule.yara C:\Pentest Integration
When you find malware during a pentest:
1. Isolate affected host immediately
2. Copy sample (forensically sound)
3. Quick static analysis → extract C2 domains
4. Block C2 at perimeter (if still active)
5. Full dynamic analysis in sandbox
6. Generate IOCs + YARA rules
7. Deploy detection across environment
8. Include in findings report
Tools Cheatsheet:
Task | Tool | Command |
File info | file | file sample.exe |
Strings | strings | strings -n 10 sample.exe |
Entropy | binwalk | binwalk -E sample.exe |
Packer | exiftool | exiftool sample.exe |
Capabilities | capa | capa sample.exe |
Unpack UPX | upx | upx -d -o unpacked.exe sample.exe |
Memory dump | volatility3 | python3 vol.py -f ram.raw windows.pslist |
Network | tcpdump | tcpdump -i eth0 -w capture.pcap |
YARA scan | yara | yara -s rules.yara sample.exe |




Comments