# FOR610 Lab/Workflow Catalog
# All labs from the SANS FOR610 workbook with ordered tool usage
# Tool order reflects the actual step-by-step workflow sequence
#
# Schema (one entry per lab under `labs`):
#   id                - lab number, always a quoted string so "3.10" is not
#                       read as the float 3.1
#   section           - course section number (integer)
#   title / sample    - workbook lab title and the specimen(s) it examines
#   analysis_type     - primary analysis method practised in the lab
#   tools_used        - ORDERED sequence of steps; the same tool_id may appear
#                       more than once when it is used at different points of
#                       the workflow (e.g. regshot before and after infection)
#     platform        - where the tool runs: linux (REMnux VM), windows
#                       (Windows analysis VM), or both
#   key_techniques    - technique identifiers practised in the lab
#   prerequisite_labs - ids of labs that should be completed first (optional)
#   tags              - free-form classification tags (flow list)
#
# Handling caveat: every `sample` is live malware. Labs whose analysis_type is
# behavioral, network-interception, debugging, unpacking, shellcode-analysis or
# anti-analysis execute the specimen (or its shellcode) on the Windows VM, and
# the network labs rely on REMnux (fakedns, inetsim, httpd, iptables) being the
# only DNS/gateway the Windows VM can reach. Run them only in the isolated
# REMnux/Windows lab network, snapshot both VMs first, and confirm in Wireshark
# that no traffic can leave the lab before executing anything.
labs:
  # ============================================================
  # SECTION 1: MALWARE ANALYSIS FUNDAMENTALS
  # ============================================================
  - id: "1.1"
    section: 1
    title: "Static Properties Analysis of brbbot.exe"
    sample: "brbbot.exe"
    analysis_type: static-properties
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract malware sample from archive"
      - tool_id: pestr
        platform: linux
        purpose: "Extract ASCII and Unicode strings"
      - tool_id: pestudio
        platform: windows
        purpose: "Examine PE properties, imports, sections, and anomalies"
      - tool_id: peframe
        platform: linux
        purpose: "Examine static properties and detect anomalies"
    key_techniques:
      - string-extraction
      - pe-header-analysis
      - anomaly-detection
      - import-analysis
    tags: [static-analysis, pe, strings, triage]

  - id: "1.2"
    section: 1
    title: "Initial Behavioral Analysis of brbbot.exe"
    sample: "brbbot.exe"
    analysis_type: behavioral
    tools_used:
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor running processes and network connections"
      - tool_id: process-monitor
        platform: windows
        purpose: "Capture file system, registry, and process activity"
      # regshot appears twice on purpose: first shot before detonation ...
      - tool_id: regshot
        platform: windows
        purpose: "Take registry/filesystem snapshot before infection"
      - tool_id: wireshark
        platform: linux
        purpose: "Capture network traffic from malware"
      # ... second shot after, so the diff isolates what the sample changed
      - tool_id: regshot
        platform: windows
        purpose: "Compare registry/filesystem snapshot after infection"
      - tool_id: procdot
        platform: windows
        purpose: "Visualize Process Monitor logs for analysis"
    key_techniques:
      - process-monitoring
      - registry-monitoring
      - network-capture
      - behavioral-visualization
    prerequisite_labs: ["1.1"]
    tags: [behavioral, monitoring, registry, network]

  - id: "1.3"
    section: 1
    title: "Intercepting brbbot.exe's Network Traffic"
    sample: "brbbot.exe"
    analysis_type: network-interception
    tools_used:
      # fakedns only helps if the Windows VM's DNS server is the REMnux VM;
      # the nslookup step below is the check that this is actually the case
      - tool_id: fakedns
        platform: linux
        purpose: "Spoof DNS to redirect malware traffic to REMnux"
      - tool_id: nslookup
        platform: windows
        purpose: "Verify DNS spoofing is working"
      - tool_id: wireshark
        platform: linux
        purpose: "Capture redirected network traffic"
      - tool_id: httpd
        platform: linux
        purpose: "Simulate C2 web server"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "Edit web server response files"
    key_techniques:
      - dns-spoofing
      - traffic-interception
      - c2-analysis
      - http-payload-examination
    prerequisite_labs: ["1.2"]
    tags: [network, dns, c2, interception]

  - id: "1.4"
    section: 1
    title: "Emulating the Execution of brbbot.exe"
    sample: "brbbot.exe"
    analysis_type: emulation
    tools_used:
      # the only section-1 workflow that does not run the sample natively
      - tool_id: speakeasy
        platform: linux
        purpose: "Emulate Windows API calls without native execution"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "Examine emulation output"
      - tool_id: jq
        platform: linux
        purpose: "Extract API names from JSON report"
      - tool_id: capa
        platform: linux
        purpose: "Identify malware capabilities with MITRE ATT&CK mapping"
    key_techniques:
      - api-emulation
      - capability-detection
      - json-analysis
    prerequisite_labs: ["1.1"]
    tags: [emulation, api-analysis, capa, speakeasy]

  - id: "1.5"
    section: 1
    title: "Decrypting brbbot.exe's Configuration File"
    sample: "brbbot.exe"
    analysis_type: debugging
    tools_used:
      - tool_id: x64dbg
        platform: windows
        purpose: "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs"
      - tool_id: pestudio
        platform: windows
        purpose: "Examine imports to identify encryption APIs"
      - tool_id: cyberchef
        platform: linux
        purpose: "Decode XOR-encrypted exfiltrated payload"
    key_techniques:
      - api-breakpoints
      - configuration-decryption
      - xor-decoding
      - handle-inspection
    prerequisite_labs: ["1.1", "1.3"]
    tags: [debugging, decryption, xor, c2-config]

  - id: "1.6"
    section: 1
    title: "Experimenting with C2 Functionality in brbbot.exe"
    sample: "brbbot.exe"
    analysis_type: behavioral
    tools_used:
      # commands served from REMnux are executed by the sample on the Windows
      # VM; keep the VM snapshot from lab 1.2 handy to roll back afterwards
      - tool_id: httpd
        platform: linux
        purpose: "Serve C2 commands via ads.php"
      - tool_id: wireshark
        platform: linux
        purpose: "Observe C2 request/response traffic"
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor process spawning from C2 commands"
    key_techniques:
      - c2-command-testing
      - beaconing-analysis
      - command-execution-monitoring
    prerequisite_labs: ["1.3", "1.5"]
    tags: [c2, behavioral, command-control]

  - id: "1.7"
    section: 1
    title: "Intercepting HTTPS Connections Initiated by ghyte.exe"
    sample: "ghyte.exe"
    analysis_type: network-interception
    tools_used:
      - tool_id: wireshark
        platform: linux
        purpose: "Capture initial network traffic"
      - tool_id: fakedns
        platform: linux
        purpose: "Redirect DNS for HTTPS interception"
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor malware process"
      # inetsim presents its own certificate, so the sample must either skip
      # certificate validation or the inetsim CA must be trusted on the VM;
      # a sample that pins its certificate will not complete the handshake
      - tool_id: inetsim
        platform: linux
        purpose: "Emulate HTTPS and other internet services"
    key_techniques:
      - https-interception
      - service-emulation
      - tls-analysis
    prerequisite_labs: ["1.1"]
    tags: [network, https, inetsim, interception]

  - id: "1.8"
    section: 1
    title: "Intercepting IP Address-Based Traffic Using iptables"
    sample: "getdown.exe"
    analysis_type: network-interception
    tools_used:
      - tool_id: wireshark
        platform: linux
        purpose: "Capture network traffic"
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor malware process"
      - tool_id: httpd
        platform: linux
        purpose: "Serve responses to redirected traffic"
      # DNS spoofing does not help when the sample connects to a hard-coded
      # IP; NAT on REMnux (the VM's gateway) catches that traffic instead
      - tool_id: iptables
        platform: linux
        purpose: "Redirect IP-based traffic via NAT rules"
    key_techniques:
      - iptables-redirection
      - ip-based-interception
      - nat-rules
    prerequisite_labs: ["1.3"]
    tags: [network, iptables, traffic-redirection]

  # ============================================================
  # SECTION 2: REVERSING MALICIOUS CODE
  # ============================================================
  - id: "2.1"
    section: 2
    title: "Intro to Assembly and Ghidra"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Disassemble and decompile — navigate function graphs, symbol trees, imports"
    key_techniques:
      - ghidra-navigation
      - function-graph
      - import-analysis
      - cross-references
      - equate-constants
      - commenting
    tags: [assembly, ghidra, code-analysis, fundamentals]

  - id: "2.2"
    section: 2
    title: "HTTP C2 Analysis"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze HTTP C2 code patterns and API usage"
    key_techniques:
      - http-api-identification
      - data-type-archives
      - parameter-analysis
      - function-renaming
    prerequisite_labs: ["2.1"]
    tags: [c2, http, api-patterns, ghidra]

  - id: "2.3"
    section: 2
    title: "Function Components, Part 1"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze function prologue, epilogue, stack frames, and local variables"
    key_techniques:
      - function-prologue
      - function-epilogue
      - stack-frame
      - local-variables
    prerequisite_labs: ["2.1"]
    tags: [assembly, functions, stack, ghidra]

  - id: "2.4"
    section: 2
    title: "Function Components, Part 2"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze function parameters, calling conventions, and return values"
    key_techniques:
      - calling-conventions
      - parameter-passing
      - return-values
    prerequisite_labs: ["2.3"]
    tags: [assembly, functions, calling-conventions, ghidra]

  - id: "2.5"
    section: 2
    title: "Loop Components"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Identify loops using string references and control flow analysis"
    key_techniques:
      - string-references
      - loop-identification
      - control-flow
    prerequisite_labs: ["2.1"]
    tags: [assembly, loops, control-flow, ghidra]

  - id: "2.6"
    section: 2
    title: "Compound Expressions"
    sample: "svchost.exe"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze complex conditional logic and nested decisions"
    key_techniques:
      - compound-conditions
      - nested-logic
      - decompiler-interpretation
    prerequisite_labs: ["2.1"]
    tags: [assembly, conditionals, ghidra]

  - id: "2.7"
    section: 2
    title: "Dropper Analysis"
    sample: "ishelp.dll"
    analysis_type: code-analysis
    tools_used:
      - tool_id: pestudio
        platform: windows
        purpose: "Confirm DLL type and examine exports"
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze resource extraction and file dropping code"
    key_techniques:
      - dll-analysis
      - exported-functions
      - resource-extraction
      - file-dropping
    prerequisite_labs: ["2.1"]
    tags: [dropper, dll, resources, ghidra]

  - id: "2.8"
    section: 2
    title: "Intro to 64-bit Code Analysis"
    # NOTE(review): placeholder rather than a file name — every other entry
    # names the specimen; fill in the actual sample from the workbook
    sample: "64-bit specimen"
    analysis_type: code-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze 64-bit calling conventions and register usage"
    key_techniques:
      - x64-calling-convention
      - register-usage
      - schtasks-persistence
    prerequisite_labs: ["2.1"]
    tags: [64-bit, assembly, x64, ghidra]

  # ============================================================
  # SECTION 3: BEYOND TRADITIONAL EXECUTABLES
  # ============================================================
  - id: "3.1"
    section: 3
    title: "Examining steel1.pdf with pdf-parser.py"
    sample: "steel1.pdf"
    analysis_type: pdf-analysis
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample from archive"
      - tool_id: pdfid-py
        platform: linux
        purpose: "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)"
      - tool_id: pdf-parser-py
        platform: linux
        purpose: "Parse PDF objects, extract URLs, and dump embedded images"
      # extracted images are viewed with feh rather than by opening the PDF in
      # a reader, which would trigger any /OpenAction or /JavaScript present
      - tool_id: feh
        platform: linux
        purpose: "View extracted image from PDF object"
    key_techniques:
      - pdf-keyword-scanning
      - object-extraction
      - url-extraction
      - embedded-image-analysis
    tags: [pdf, phishing, static-analysis]

  - id: "3.2"
    section: 3
    title: "Investigating the 'crophysi' Website with Fiddler"
    sample: "crophysi website"
    analysis_type: web-analysis
    tools_used:
      # works from a saved capture; no live connection to the site is made
      - tool_id: fiddler
        platform: windows
        purpose: "Load and analyze captured HTTP/HTTPS traffic"
    key_techniques:
      - redirection-chain-analysis
      - http-request-inspection
      - payload-extraction
    tags: [web, http, fiddler, traffic-analysis]

  - id: "3.3"
    section: 3
    title: "Analyzing mydoc.docm with oledump.py"
    sample: "mydoc.docm"
    analysis_type: document-analysis
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample from archive"
      - tool_id: trid
        platform: linux
        purpose: "Identify file format (OOXML)"
      - tool_id: oledump-py
        platform: linux
        purpose: "List OLE streams and extract VBA macros"
      - tool_id: numbers-to-string-py
        platform: linux
        purpose: "Convert decimal sequences to readable strings"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "View extracted macro code"
    key_techniques:
      - file-format-identification
      - ole-stream-analysis
      - vba-macro-extraction
      - string-decoding
    tags: [office, vba, macro, oledump]

  - id: "3.4"
    section: 3
    title: "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc"
    sample: "checkbox.doc"
    analysis_type: document-analysis
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: file
        platform: linux
        purpose: "Identify file type"
      - tool_id: trid
        platform: linux
        purpose: "Confirm OLE2 format"
      - tool_id: oledump-py
        platform: linux
        purpose: "Extract OLE streams and identify macro streams"
      # decoding chain: Base64 -> gunzip -> XOR with 0x23, each step a separate
      # tool so intermediate artifacts can be hashed and kept
      - tool_id: base64dump-py
        platform: linux
        purpose: "Decode Base64-encoded PowerShell from UserForm"
      - tool_id: gunzip
        platform: linux
        purpose: "Decompress gzipped payload"
      - tool_id: translate-py
        platform: linux
        purpose: "XOR decode shellcode (byte ^ 35)"
      - tool_id: strings
        platform: linux
        purpose: "Extract strings from decoded shellcode"
      - tool_id: scdbgc
        platform: linux
        purpose: "Emulate shellcode to identify behavior"
      - tool_id: yara
        platform: linux
        purpose: "Scan for known malware patterns"
      - tool_id: 1768-py
        platform: linux
        purpose: "Parse Cobalt Strike beacon configuration"
    key_techniques:
      - multi-stage-decoding
      - base64-gunzip-xor-chain
      - shellcode-emulation
      - cobalt-strike-identification
    prerequisite_labs: ["3.3"]
    tags: [office, powershell, shellcode, cobalt-strike, multi-stage]

  - id: "3.5"
    section: 3
    title: "Examining qa.doc With rtfdump.py, scdbgc, and runsc"
    sample: "qa.doc"
    analysis_type: document-analysis
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: file
        platform: linux
        purpose: "Identify RTF format"
      - tool_id: rtfdump-py
        platform: linux
        purpose: "Parse RTF structure, locate hex-encoded embedded objects"
      - tool_id: xorsearch
        platform: linux
        purpose: "Detect shellcode patterns in extracted binary"
      - tool_id: scdbgc
        platform: linux
        purpose: "Emulate extracted shellcode"
      # runsc32 runs the extracted shellcode natively on the Windows VM — this
      # is real execution of the exploit payload, not emulation; snapshot first
      - tool_id: runsc32
        platform: windows
        purpose: "Execute shellcode for dynamic analysis"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug shellcode execution"
      # the SFX archive is unpacked with rar on REMnux instead of being run
      - tool_id: rar
        platform: linux
        purpose: "Extract self-extracting RAR payloads"
    key_techniques:
      - rtf-structure-analysis
      - shellcode-detection
      - shellcode-emulation
      - self-extracting-archive-analysis
    prerequisite_labs: ["3.4"]
    tags: [rtf, shellcode, exploitation, rar]

  - id: "3.6"
    section: 3
    title: "Deobfuscating loveyou.js with SpiderMonkey"
    sample: "loveyou.js"
    analysis_type: javascript-deobfuscation
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: js-beautify
        platform: linux
        purpose: "Format obfuscated JavaScript for readability"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "Review beautified code"
      - tool_id: spidermonkey
        platform: linux
        purpose: "Execute JavaScript with objects.js to deobfuscate"
      # cscript runs the malicious script for real under the Windows Script
      # Host (unlike the SpiderMonkey step, which runs it against stubs)
      - tool_id: cscript
        platform: windows
        purpose: "Execute JavaScript for AMSI monitoring"
      # NOTE(review): listed after cscript, but the AMSI trace must already be
      # running when the script executes or nothing is recorded — confirm the
      # workbook order (logman start, then cscript, then retrieval)
      - tool_id: logman
        platform: windows
        purpose: "Start AMSI event trace session"
      - tool_id: amsiscriptcontentretrieval
        platform: windows
        purpose: "Extract monitored script content from AMSI logs"
      - tool_id: notepadpp
        platform: windows
        purpose: "View extracted AMSI output"
    key_techniques:
      - javascript-beautification
      - spidermonkey-execution
      - objects-js-simulation
      - amsi-monitoring
    tags: [javascript, deobfuscation, spidermonkey, amsi]

  - id: "3.7"
    section: 3
    title: "Deobfuscating fgg.js Using SpiderMonkey"
    sample: "fgg.js"
    analysis_type: javascript-deobfuscation
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      # spidermonkey appears twice: the first run fails on a missing browser
      # property, objects.js is patched, then the run is repeated
      - tool_id: spidermonkey
        platform: linux
        purpose: "Execute JavaScript (identify missing location.href)"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "Edit objects.js to set location.href"
      - tool_id: spidermonkey
        platform: linux
        purpose: "Re-execute with modified objects.js to deobfuscate"
    key_techniques:
      - environment-simulation
      - objects-js-customization
      - location-href-spoofing
    prerequisite_labs: ["3.6"]
    tags: [javascript, deobfuscation, spidermonkey]

  - id: "3.8"
    section: 3
    title: "Decoding the Initial Script with Fiddler and CyberChef"
    sample: "roomsvisitor.saz"
    analysis_type: web-analysis
    tools_used:
      - tool_id: fiddler
        platform: windows
        purpose: "Load captured HTTP traffic and follow redirect chain"
      - tool_id: notepadpp
        platform: windows
        purpose: "View Base64-encoded PowerShell command"
      - tool_id: cyberchef
        platform: both
        purpose: "Decode Base64 and UTF-16LE to reveal PowerShell"
    key_techniques:
      - redirect-chain-analysis
      - base64-decoding
      - utf16-decoding
      - powershell-extraction
    prerequisite_labs: ["3.2"]
    tags: [web, base64, powershell, cyberchef]

  - id: "3.9"
    section: 3
    title: "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE"
    sample: "wrcaf.ps1"
    analysis_type: powershell-analysis
    tools_used:
      - tool_id: fiddler
        platform: windows
        purpose: "Extract PowerShell script from HTTP traffic"
      - tool_id: notepadpp
        platform: windows
        purpose: "Initial script viewing"
      # debugging in the ISE executes the script up to each breakpoint; set
      # the breakpoint on the Invoke-Expression call so the decoded stage is
      # read from the variable rather than executed
      - tool_id: powershell-ise
        platform: windows
        purpose: "Debug script with breakpoints to extract decoded payload"
    key_techniques:
      - powershell-debugging
      - breakpoint-usage
      - variable-extraction
      - invoke-expression-interception
    prerequisite_labs: ["3.8"]
    tags: [powershell, debugging, deobfuscation]

  - id: "3.10"
    section: 3
    title: "Examining Package.exe and iviewers.dll with PeStudio and x32dbg"
    sample: "Package.exe, iviewers.dll"
    analysis_type: code-analysis
    tools_used:
      - tool_id: fiddler
        platform: windows
        purpose: "Extract Package.exe from HTTP traffic"
      # a valid signature on Package.exe does not make it benign: the
      # sideloaded iviewers.dll is the malicious component
      - tool_id: pestudio
        platform: windows
        purpose: "Examine digital signature and PE properties"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug DLL loading and CreateProcessW calls"
      - tool_id: notepadpp
        platform: windows
        purpose: "View extracted PowerShell command parameters"
    key_techniques:
      - digital-signature-analysis
      - dll-sideloading
      - createprocess-breakpoints
      - multi-stage-payload
    prerequisite_labs: ["3.9"]
    tags: [dll, debugging, digital-signature, sideloading]

  - id: "3.11"
    section: 3
    title: "Decoding iubn.ps1 With Fiddler and PowerShell ISE"
    sample: "iubn.ps1"
    analysis_type: powershell-analysis
    tools_used:
      - tool_id: fiddler
        platform: windows
        purpose: "Extract PowerShell script from HTTP traffic"
      - tool_id: notepadpp
        platform: windows
        purpose: "Initial script examination"
      - tool_id: powershell-ise
        platform: windows
        purpose: "Debug and decode layered PowerShell"
    key_techniques:
      - powershell-debugging
      - invoke-expression-interception
      - out-file-extraction
      - dotnet-assembly-download
    prerequisite_labs: ["3.10"]
    tags: [powershell, debugging, dotnet-loading]

  - id: "3.12"
    section: 3
    title: "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef"
    sample: "rwvg1.exe, ersyb.exe"
    analysis_type: dotnet-analysis
    tools_used:
      - tool_id: fiddler
        platform: windows
        purpose: "Extract .NET assembly from HTTP traffic"
      - tool_id: pestudio
        platform: windows
        purpose: "Confirm .NET assembly"
      - tool_id: ilspy
        platform: windows
        purpose: "Decompile .NET to view C# source code"
      - tool_id: cyberchef
        platform: both
        purpose: "Decode Base64 + XOR payload"
      - tool_id: exeinfo-pe
        platform: windows
        purpose: "Identify second-stage .NET binary"
    key_techniques:
      - dotnet-decompilation
      - runtime-compilation-analysis
      - base64-xor-decoding
      - csharpcodeprovider-analysis
    prerequisite_labs: ["3.11"]
    tags: [dotnet, decompilation, cyberchef, multi-stage]

  # ============================================================
  # SECTION 4: IN-DEPTH MALWARE ANALYSIS
  # ============================================================
  - id: "4.1"
    section: 4
    title: "Assessing the Packed brbbot.exe File"
    sample: "brbbot.exe (packed)"
    analysis_type: unpacking
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract packed sample"
      - tool_id: pestudio
        platform: windows
        purpose: "Examine entropy, sections, and packing indicators"
      - tool_id: diec
        platform: linux
        purpose: "Identify packer (UPX detection)"
    key_techniques:
      - entropy-analysis
      - section-examination
      - packer-identification
    tags: [packing, entropy, detection, triage]

  - id: "4.2"
    section: 4
    title: "Dumping and Fixing brbbot.exe Using Scylla"
    sample: "brbbot.exe (packed)"
    analysis_type: unpacking
    tools_used:
      - tool_id: upx
        platform: linux
        purpose: "Attempt automated unpacking (fails — modified UPX)"
      # NOTE(review): this step appears to rewrite the PE header flag in the
      # sample file itself; hash the pristine copy first and keep it, so IOCs
      # and reports refer to the unmodified specimen — confirm tool behaviour
      - tool_id: setdllcharacteristics
        platform: windows
        purpose: "Disable ASLR for consistent memory addresses"
      - tool_id: system-informer
        platform: windows
        purpose: "Verify process is running after infection"
      - tool_id: scylla
        platform: windows
        purpose: "Dump unpacked process from memory and fix IAT"
      - tool_id: pestudio
        platform: windows
        purpose: "Verify dumped file is valid PE"
    key_techniques:
      - aslr-disabling
      - process-dumping
      - iat-reconstruction
      - scylla-workflow
    prerequisite_labs: ["4.1"]
    tags: [unpacking, scylla, iat, memory-dump]

  - id: "4.3"
    section: 4
    title: "Unpacking brbbot.exe by Using x64dbg and OllyDumpEx"
    sample: "brbbot.exe (packed)"
    analysis_type: unpacking
    tools_used:
      - tool_id: x64dbg
        platform: windows
        purpose: "Debug to locate unpacker JMP to OEP"
      - tool_id: ollydumpex
        platform: windows
        purpose: "Dump unpacked process from within debugger"
      - tool_id: scylla
        platform: windows
        purpose: "Fix IAT in dumped executable (as x64dbg plugin)"
    key_techniques:
      - oep-detection
      - unpacker-breakpoints
      - memory-dumping
      - iat-fixing
    prerequisite_labs: ["4.1"]
    tags: [unpacking, debugger, oep, ollydumpex]

  - id: "4.4"
    section: 4
    title: "Debugging the Packed Version of brbbot.exe"
    sample: "brbbot.exe (packed)"
    analysis_type: debugging
    tools_used:
      # hardware breakpoints are used because a software INT3 placed before
      # the unpacker has run is overwritten when the packed code is unpacked
      - tool_id: x64dbg
        platform: windows
        purpose: "Set hardware breakpoints on CryptDecrypt to analyze packed runtime behavior"
    key_techniques:
      - hardware-breakpoints
      - api-interception
      - packed-runtime-analysis
    prerequisite_labs: ["4.1"]
    tags: [debugging, packed-malware, hardware-breakpoints]

  - id: "4.5"
    section: 4
    title: "Analyzing Multi-Technology Specimen PDFXCview.exe"
    sample: "PDFXCview.exe"
    # NOTE(review): the steps below are monitoring/behavioral (the sample is
    # detonated, then its registry artifacts are pulled), so `behavioral`
    # may be the better analysis_type; the tags already say so
    analysis_type: code-analysis
    tools_used:
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor process creation and child processes"
      - tool_id: process-monitor
        platform: windows
        purpose: "Capture file system and registry activity"
      - tool_id: procdot
        platform: windows
        purpose: "Visualize multi-stage execution"
      - tool_id: regedit
        platform: windows
        purpose: "Examine registry keys created by malware"
      - tool_id: reg-export
        platform: windows
        purpose: "Extract JavaScript stored in registry to file"
      # artifacts move Windows VM -> REMnux over the isolated lab link only
      - tool_id: winscp
        platform: windows
        purpose: "Transfer artifacts to REMnux for analysis"
      - tool_id: spidermonkey
        platform: linux
        purpose: "Deobfuscate JavaScript component"
      - tool_id: js-beautify
        platform: linux
        purpose: "Format decoded JavaScript for readability"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "View and analyze decoded scripts"
      - tool_id: base64dump-py
        platform: linux
        purpose: "Decode Base64-encoded payloads"
      - tool_id: notepadpp
        platform: windows
        purpose: "View decoded scripts"
      - tool_id: powershell-ise
        platform: windows
        purpose: "Debug PowerShell component"
    key_techniques:
      - multi-technology-analysis
      - registry-based-malware
      - fileless-techniques
      - cross-platform-workflow
    tags: [multi-stage, javascript, powershell, behavioral]

  - id: "4.6"
    section: 4
    title: "Examining Capabilities of Shellcode Used by PDFXCview.exe"
    sample: "Shellcode from PDFXCview.exe"
    analysis_type: shellcode-analysis
    tools_used:
      # NOTE(review): scdbgc is `linux` in labs 3.4/3.5 and `both` here —
      # harmonise if a consumer filters on platform
      - tool_id: scdbgc
        platform: both
        purpose: "Emulate shellcode to identify API calls"
      # native execution of the shellcode on the Windows VM, not emulation
      - tool_id: runsc32
        platform: windows
        purpose: "Execute shellcode for dynamic analysis"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug shellcode execution and examine parameters"
    key_techniques:
      - shellcode-emulation
      - shellcode-debugging
      - api-parameter-analysis
    prerequisite_labs: ["4.5"]
    tags: [shellcode, emulation, debugging]

  - id: "4.7"
    section: 4
    title: "Unpacking Shellcode That Was Used by PDFXCview.exe"
    sample: "Shellcode from PDFXCview.exe"
    analysis_type: shellcode-analysis
    tools_used:
      - tool_id: x32dbg
        platform: windows
        purpose: "Set breakpoints on VirtualAlloc to track memory allocation"
      - tool_id: pestudio
        platform: windows
        purpose: "Verify dumped PE from allocated memory"
    key_techniques:
      - virtualalloc-breakpoints
      - multi-stage-shellcode
      - memory-dumping
    prerequisite_labs: ["4.6"]
    tags: [shellcode, unpacking, virtualalloc]

  - id: "4.8"
    section: 4
    title: "Examining .NET Malware chatroom.exe"
    sample: "chatroom.exe"
    analysis_type: dotnet-analysis
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: peframe
        platform: linux
        purpose: "Identify as .NET with high entropy (packed)"
      - tool_id: pestr
        platform: linux
        purpose: "Extract strings"
      - tool_id: ilspycmd
        platform: linux
        purpose: "Decompile .NET assembly on command line"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "Search decompiled code for Assembly.Load"
      # debugging in dnSpyEx runs the sample on the Windows VM; the breakpoint
      # on Assembly.Load is what lets the decrypted stage be saved from memory
      - tool_id: dnspyex
        platform: windows
        purpose: "Debug .NET with breakpoints to extract in-memory assembly"
      - tool_id: pestudio
        platform: windows
        purpose: "Examine dumped assembly"
      - tool_id: ilspy
        platform: windows
        purpose: "Decompile dumped assembly"
      - tool_id: de4dot
        platform: windows
        purpose: "Deobfuscate .NET assembly"
    key_techniques:
      - dotnet-decompilation
      - reflective-loading-detection
      - assembly-load-breakpoints
      - in-memory-dumping
      - dotnet-deobfuscation
    tags: [dotnet, debugging, deobfuscation, reflective-loading]

  - id: "4.9"
    section: 4
    title: "Examining Code Injection Capabilities of great.exe"
    sample: "great.exe"
    # NOTE(review): `code-injection` is a capability, not an analysis method;
    # the lab is Ghidra-only, so `code-analysis` would match the taxonomy used
    # by every other entry (the capability is already carried in tags)
    analysis_type: code-injection
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code"
    key_techniques:
      - createremotethread-analysis
      - virtualallocex-identification
      - process-enumeration
      - createtoolhelp32snapshot
    prerequisite_labs: ["2.1"]
    tags: [code-injection, api-analysis, ghidra]

  # ============================================================
  # SECTION 5: EXAMINING SELF-DEFENDING MALWARE
  # ============================================================
  - id: "5.1"
    section: 5
    title: "Patching getdown.exe to Bypass Debugger Detection"
    sample: "getdown.exe"
    analysis_type: anti-analysis
    tools_used:
      - tool_id: wireshark
        platform: linux
        purpose: "Monitor network traffic"
      - tool_id: system-informer
        platform: windows
        purpose: "Monitor process behavior"
      # if the patch is written back to disk the file hash changes; keep the
      # unmodified sample separate so indicators are derived from it
      - tool_id: x64dbg
        platform: windows
        purpose: "Identify and patch IsDebuggerPresent check"
    key_techniques:
      - isdebuggerpresent-bypass
      - instruction-patching
      - conditional-jump-modification
    tags: [anti-debugging, patching, isdebuggerpresent]

  - id: "5.2"
    section: 5
    title: "Deobfuscating Strings Encoded Using Simple and Common Algorithms"
    sample: "getdown.exe, hubert.dll, 9.exe"
    analysis_type: string-deobfuscation
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract samples"
      - tool_id: xorsearch
        platform: linux
        purpose: "Search for XOR-encoded patterns"
      - tool_id: strings
        platform: linux
        purpose: "Extract readable strings"
      - tool_id: brxor-py
        platform: linux
        purpose: "Brute-force XOR key detection"
      - tool_id: bbcrack
        platform: linux
        purpose: "Detect XOR/ROL/ADD obfuscation algorithms"
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze deobfuscation routines in code"
      - tool_id: strdeob-pl
        platform: linux
        purpose: "Decode stack-built strings"
      - tool_id: floss
        platform: linux
        purpose: "Automatically extract all obfuscated strings"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "View deobfuscation results"
    key_techniques:
      - xor-brute-forcing
      - stack-string-decoding
      - automated-string-extraction
      - obfuscation-algorithm-identification
    prerequisite_labs: ["2.1"]
    tags: [strings, xor, deobfuscation, floss]

  - id: "5.3"
    section: 5
    title: "Unpacking drtg.exe"
    sample: "drtg.exe"
    analysis_type: unpacking
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: floss
        platform: linux
        purpose: "Extract strings to assess packing"
      - tool_id: visual-studio-code
        platform: linux
        purpose: "View FLOSS output"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug with RtlDecompressBuffer breakpoints"
      # ScyllaHide must be enabled before the sample runs its checks, i.e.
      # before the first F9, otherwise the anti-debugging path is taken
      - tool_id: scyllahide
        platform: windows
        purpose: "Hide debugger from anti-debugging checks"
      - tool_id: pestudio
        platform: windows
        purpose: "Verify unpacked dump"
    key_techniques:
      - rtldecompressbuffer-interception
      - debugger-hiding
      - exception-configuration
      - memory-dumping
    prerequisite_labs: ["5.2"]
    tags: [unpacking, anti-debugging, decompression]

  - id: "5.4"
    section: 5
    title: "Unpacking WinHost32.exe"
    sample: "WinHost32.exe"
    analysis_type: unpacking
    tools_used:
      - tool_id: unzip
        platform: linux
        purpose: "Extract sample"
      - tool_id: capa
        platform: linux
        purpose: "Identify process hollowing capability"
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze CreateProcess(SUSPENDED), VirtualAllocEx, WriteProcessMemory"
      # breaking on WriteProcessMemory catches the payload before it is placed
      # in the hollowed child; the child itself never has to be resumed
      - tool_id: x32dbg
        platform: windows
        purpose: "Set breakpoint on WriteProcessMemory to catch injected PE"
      - tool_id: pestudio
        platform: windows
        purpose: "Verify dumped PE from process hollowing"
    key_techniques:
      - process-hollowing-detection
      - create-suspended-analysis
      - writeprocessmemory-breakpoints
      - ntunmapviewofsection
    prerequisite_labs: ["5.3"]
    tags: [process-hollowing, code-injection, unpacking]

  - id: "5.5"
    section: 5
    title: "Examining the Anti-Sandbox Defensive Capability of vbprop.exe"
    sample: "vbprop.exe"
    analysis_type: anti-analysis
    tools_used:
      - tool_id: ghidra
        platform: windows
        purpose: "Analyze SetWindowsHookExA for mouse event interception"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug hook installation and handler"
    key_techniques:
      - setwindowshookex-analysis
      - mouse-hook-detection
      - sandbox-evasion
    prerequisite_labs: ["2.1"]
    tags: [anti-sandbox, hooks, evasion]

  - id: "5.6"
    section: 5
    title: "Examining the Toolkit Detection Capabilities of raas.exe"
    sample: "raas.exe"
    analysis_type: anti-analysis
    tools_used:
      - tool_id: x32dbg
        platform: windows
        purpose: "Step through toolkit detection routines"
      - tool_id: scyllahide
        platform: windows
        purpose: "Hide debugger from detection checks"
    key_techniques:
      - getmodulehandle-checks
      - findwindow-checks
      - process-enumeration
      - registry-vm-detection
      - blockinput-bypass
    prerequisite_labs: ["2.1"]
    tags: [anti-analysis, toolkit-detection, vm-detection]

  - id: "5.7"
    section: 5
    title: "Understanding the SEH Defense in want.exe"
    sample: "want.exe"
    analysis_type: anti-analysis
    tools_used:
      # the debugger's exception handling must be configured to pass the
      # sample's deliberate exceptions through to its own handler (see the
      # exception-configuration technique in lab 5.3)
      - tool_id: x32dbg
        platform: windows
        purpose: "Analyze SEH chain setup and exception handler execution"
    key_techniques:
      - seh-manipulation
      - exception-handler-analysis
      - fs-segment-usage
      - seh-breakpoints
    prerequisite_labs: ["2.1"]
    tags: [seh, anti-analysis, exception-handling]

  - id: "5.8"
    section: 5
    title: "Unpacking want.exe Using a Stack Breakpoint"
    sample: "want.exe"
    analysis_type: unpacking
    tools_used:
      - tool_id: x32dbg
        platform: windows
        purpose: "Set stack breakpoint to detect unpacking completion"
      - tool_id: ollydumpex
        platform: windows
        purpose: "Dump unpacked process from memory"
      - tool_id: scylla
        platform: windows
        purpose: "Reconstruct IAT in dumped executable"
      - tool_id: pestudio
        platform: windows
        purpose: "Verify unpacked PE"
    key_techniques:
      - stack-breakpoints
      - oep-detection-via-stack
      - memory-dumping
      - iat-reconstruction
    prerequisite_labs: ["5.7"]
    tags: [unpacking, stack-breakpoint, seh]

  - id: "5.9"
    section: 5
    title: "Bypassing Self-Defensive Measures in lansrv.exe"
    sample: "lansrv.exe"
    analysis_type: anti-analysis
    tools_used:
      # TLS callbacks run before the entry point, so the debugger has to be
      # set to break on them or the anti-debug check runs unobserved
      - tool_id: pestudio
        platform: windows
        purpose: "Identify TLS callback in thread-local-storage section"
      - tool_id: x32dbg
        platform: windows
        purpose: "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override"
    key_techniques:
      - tls-callback-analysis
      - isdebuggerpresent-bypass
      - segment-register-patching
      - xor-decoding-loop
      - multi-defense-bypass
    prerequisite_labs: ["2.1"]
    tags: [tls-callback, anti-debugging, patching, multi-defense]

  - id: "5.10"
    section: 5
    title: "Unpacking yep.exe with the Help of x32dbg and pe_unmapper"
    sample: "yep.exe"
    analysis_type: unpacking
    tools_used:
      - tool_id: pestudio
        platform: windows
        purpose: "Initial analysis — note gibberish strings indicating packing"
      - tool_id: x32dbg
        platform: windows
        purpose: "Set breakpoints on LoadLibraryA and VirtualProtect"
      - tool_id: xanalyzer
        platform: windows
        purpose: "Enhanced analysis showing API parameters"
      # the region is dumped straight from memory (virtual alignment), so it
      # has to be converted back to file (raw) alignment before the IAT fix
      - tool_id: pe-unmapper
        platform: windows
        purpose: "Convert virtual-aligned dump to raw alignment"
      - tool_id: scylla
        platform: windows
        purpose: "Fix IAT in unmapped executable"
    key_techniques:
      - loadlibrary-breakpoints
      - virtualprotect-breakpoints
      - memory-region-dumping
      - virtual-to-raw-alignment
      - oep-anticipation
    prerequisite_labs: ["5.8"]
    tags: [unpacking, pe-unmapper, virtualprotect, loadlibrary]