top of page

Malware Analysis For Hacking

Malware Analysis For Hacking | Black Hat HQ

Malware Analysis For Hackers


Malware analysis is examining suspicious binaries to understand behavior, identify C2 infrastructure, extract IOCs, and assess impact. This applies to analyzing dropped payloads, ransomware samples discovered during engagements, and red-team tooling that may have been flagged by defenses. This is an article on malware analysis for hacking.


Analysis Approaches


Type

What You Learn

Time

Skill

Static

Imports, strings, embedded data, structure

30 min

Low

Dynamic

Runtime behavior, network traffic, file changes

2 hrs

Medium

Code RE

Full decompilation, algorithm understanding

8+ hrs

High

Memory Forensics

Process injection, rootkits

4 hrs

Medium


  1. Environment Setup (Isolated Lab)


Critical: Never analyze malware on production or connected systems. Use an isolated VM with snapshots.


# Recommended: REMnux (Linux malware analysis distro)
# Download: https://remnux.org

# Alternative: FLARE VM (Windows analysis)
# https://github.com/mandiant/flare-vm

# Snapshot BEFORE analysis
VBoxManage snapshot "Malware VM" take "clean_state"

Network Isolation (INetSim simulates internet):


sudo apt install inetsim
sudo inetsim  # Fake DNS, HTTP, SMTP services
# Redirect all outbound to localhost
sudo iptables -A OUTPUT -j DROP  # After capture

  1. Quick Static Analysis (First Pass)


These techniques run in seconds and reveal 80% of malware behavior.


File Identification


file ransomware_sample.exe
# PE32 executable (GUI) Intel 80386, for MS Windows

md5sum ransomware_sample.exe
# Save hash → VirusTotal check (isolated environment)

Strings Extraction


strings -n 8 ransomware_sample.exe | head -100
strings -n 8 ransomware_sample.exe | grep -iE "http|https|\.com|\.onion|bitcoin|wallet|encrypt|decrypt|C:\\|AES|RSA"
strings -n 12 ransomware_sample.exe > strings_output.txt

# Look for:
# - URLs/IPs → C2 servers
# - File extensions → .locked, .encrypted
# - Ransom note text → negotiation page
# - Registry keys → persistence
# - Mutex names → single-instance check

Import/Export Analysis


objdump -p malware.exe | grep -A 100 "DLL Name"

# Suspicious imports to watch for:
# Kernel32: CreateProcess, WriteProcessMemory, VirtualAllocEx → injection
# Advapi32: CryptEncrypt, CryptDecrypt → ransomware
# Wininet: InternetOpenUrl, HttpSendRequest → C2
# Ws2_32: socket, connect, send → network
# User32: SetWindowsHookEx → keylogging

PE Structure Analysis


# Using pefile (Python)
python3 -c "
import pefile
pe = pefile.PE('malware.exe')
print('Sections:')
for section in pe.sections:
    print(f'  {section.Name.decode().strip()}: {section.SizeOfRawData} bytes')
print(f'Entry point: 0x{pe.OPTIONAL_HEADER.AddressOfEntryPoint:x}')
print(f'Compilation: {pe.FILE_HEADER.TimeDateStamp}')
"

  1. In-Depth Static Analysis (Ghidra / IDA)


Load into Ghidra


  1. Create project → Import binary.

  2. Auto-analyze (all options checked).

  3. Navigate to entry point → DllMain or WinMain.


What to look for:


# Function recognition
- String decryption routines (XOR loops)
- Anti-debug patterns (IsDebuggerPresent, NtQueryInformationProcess)
- Sleep calls with large values (anti-sandbox)
- CreateThread calls (payload execution)

# Network functions
- Look for references to URLs/IPs from strings
- socket → connect → send → recv pattern

Detecting Packers


# Packers hide true code
exiftool malware.exe | grep -i "packer\|compiler\|UPX\|Themida\|VMProtect"

# Entropy check (packed = high entropy)
binwalk -E malware.exe

# Unpack common packers
upx -d packed.exe -o unpacked.exe

YARA Rule Creation


rule Suspicious_Mutex_Indicator {
    strings:
        $m1 = "Global\\" nocase
        $m2 = "Mutex" nocase
        $m3 = "SingleInstance" nocase
    condition:
        all of them
}

# Scan with:
yara -s rule.yara malware.exe

  1. Dynamic Analysis (Behavior Monitoring)


Restore clean VM snapshot first.


Process & File Monitoring


# Procmon (Windows Sysinternals): filter by malware process name
# Capture: file writes, registry changes, process creation

# Process Explorer: watch for injected threads, parent-child anomalies

# Regshot: compare registry before/after execution

Checklist during execution:


[ ] Creates files in %TEMP% or %APPDATA%
[ ] Drops files with random names
[ ] Modifies Run/RunOnce registry keys (persistence)
[ ] Creates scheduled tasks
[ ] Injects code into explorer.exe/svchost.exe
[ ] Makes DNS queries to suspicious domains
[ ] Connects to external IPs
[ ] Modifies Windows Defender/AV settings
[ ] Modifies file associations

Network Traffic Capture


# Capture with Wireshark on host (isolated vnet)
# Or tcpdump inside VM:
tcpdump -i eth0 -w malware_traffic.pcap

# After execution:
# Check DNS queries → domains contacted
# HTTP requests → User-Agent strings, POST data
# TLS handshakes → SNI reveals C2 domain

# With INetSim, all DNS resolves to your fake services
# Check /var/log/inetsim/ for logged connections

Capemon Analysis (CAPA)


# Mandiant's CAPA detects capabilities
capa malware.exe
# Output:
# - anti-analysis::anti-debugging
# - persistence::registry::run_key
# - ransomware::encrypt_files
# - communication::http::c2

  1. Memory Forensics (Volatility 3)


After malware runs and you've taken a memory dump:


# Dump memory from VM
VBoxManage debugvm "Malware VM" dumpvmcore --filename ram.raw

# Or within VM: use LiveKD or winpmem

Volatility Analysis:


# Install
pip3 install volatility3

# Identify profile
python3 vol.py -f ram.raw windows.info

# List processes
python3 vol.py -f ram.raw windows.pslist

# Look for:
# - Suspicious parent-child (e.g., svchost.exe spawning cmd.exe)
# - Hidden processes (pslist vs psscan mismatch)
# - Process with no DLL loaded

# Check for injected code
python3 vol.py -f ram.raw windows.malfind

# Extract injected region
python3 vol.py -f ram.raw windows.dumpfiles --pid 1234

# Network connections at time of dump
python3 vol.py -f ram.raw windows.netscan

# Registry modifications
python3 vol.py -f ram.raw windows.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

  1. Ransomware Analysis Checklist


Specific to ransomware samples found during pentests:


[ ] Check strings for:
    - File extensions appended (.locked, .crypt, .encrypted)
    - Ransom note filename (README.txt, HOW_TO_DECRYPT.html)
    - Bitcoin/Monero wallet addresses
    - Email/TOX IDs for contact
    - Decryption tool URL

[ ] Identify encryption algorithm:
    - Look for CryptoAPI imports (CryptEncrypt, CryptGenKey)
    - Or OpenSSL references
    - Symmetric (AES) + Asymmetric (RSA) hybrid?

[ ] Check for:
    - Shadow copy deletion (vssadmin.exe calls)
    - Backup deletion (wbadmin, bcdedit)
    - Safe mode boot prevention
    - Self-spreading capability (SMB/WMI/Lateral movement)

[ ] Extract IOCs:
    - C2 domains/IPs
    - Wallet addresses
    - File hashes
    - YARA rules

  1. Common Malware Behaviors & Indicators


Behavior

Indicators

Detection

Persistence

Run key, Startup folder, Scheduled Task

Autoruns, Regshot

Keylogging

SetWindowsHookEx, GetAsyncKeyState

API Monitor

Screen capture

CreateDC, BitBlt, GetDC

Procmon

Credential theft

LSASS process access

Mimikatz detection

C2 beaconing

Periodic HTTP/HTTPS to fixed IP

Wireshark, Zeek

Ransomware

File enumeration, CryptEncrypt

Procmon file ops

Injection

VirtualAllocEx, WriteProcessMemory, CreateRemoteThread

Process Hacker


  1. Complete Analysis Report Template


MALWARE ANALYSIS REPORT
========================

Sample: ransom_sample.exe
MD5: a1b2c3d4e5f6...
SHA256: a1b2...
Source: Found on compromised DC during internal pentest

STATIC ANALYSIS
- Packer: UPX 3.96
- Compiler: MinGW GCC
- Imports: CryptEncrypt, InternetOpenUrl, CreateProcess
- Strings: 3 C2 domains, 2 wallet addresses, ransom note text

DYNAMIC ANALYSIS
- Created persistence: HKCU\...\Run → %APPDATA%\svchost.exe
- Encrypted: .doc, .xls, .pdf, .jpg → .locked
- Dropped: README_LOCKED.html in each directory
- C2 contacted: evil-c2[.]com (resolved to 185.x.x.x)
- Anti-analysis: IsDebuggerPresent, 30min sleep if sandbox detected

DECOMPILATION HIGHLIGHTS
- AES-256 encryption with embedded key
- RSA-2048 for key encryption
- No implementation flaws → no decryption without private key

IOCS EXTRACTED
- Domains: evil-c2[.]com, paymentportal[.]onion
- Wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
- YARA rule attached

RISK ASSESSMENT
- Severity: Critical (CVSS 9.0)
- Data loss: Complete encryption of local + mapped drives
- Recoverability: None without backup or private key

RECOMMENDATIONS
- Block C2 domains at perimeter firewall
- Check for lateral movement indicators
- Restore from offline backups
- Deploy YARA rule on endpoints

  1. Yara Rule Generation


Create custom detection rules from your analysis:


rule Ransomware_Indicators {
    meta:
        description = "Detects ransomware from internal pentest"
        author = "Pentest Team"
        date = "2024-01-15"
    
    strings:
        $s1 = ".locked" fullword
        $s2 = "README_LOCKED.html" fullword
        $s3 = "bitcoin:" nocase
        $c1 = { 56 57 58 59 5A }  # XOR key bytes
        $c2 = "CryptEncrypt" wide
    
    condition:
        uint16(0) == 0x5A4D and  // PE file
        ($s1 or $s2) and $c2
}

# Scan hosts:
yara -r ransomware_rule.yara C:\

  1. Pentest Integration


When you find malware during a pentest:


1. Isolate affected host immediately
2. Copy sample (forensically sound)
3. Quick static analysis → extract C2 domains
4. Block C2 at perimeter (if still active)
5. Full dynamic analysis in sandbox
6. Generate IOCs + YARA rules
7. Deploy detection across environment
8. Include in findings report

Tools Cheatsheet:


Task

Tool

Command

File info

file

file sample.exe

Strings

strings

strings -n 10 sample.exe

Entropy

binwalk

binwalk -E sample.exe

Packer

exiftool

exiftool sample.exe

Capabilities

capa

capa sample.exe

Unpack UPX

upx

upx -d -o unpacked.exe sample.exe

Memory dump

volatility3

python3 vol.py -f ram.raw windows.pslist

Network

tcpdump

tcpdump -i eth0 -w capture.pcap

YARA scan

yara

yara -s rules.yara sample.exe


Enroll In Online Cybersecurity & Hacking Classes/Courses | Black Hat HQ

Comments


bottom of page