# REMnux Analysis Workflows
# Generic, reusable workflows for malware and forensic analysis
# All use , , placeholders — not tied to specific specimens
# Tools marked [W] are Windows-only; all others available in REMnux container

workflows:
  # ============================================================
  # 1. STATIC ANALYSIS
  # ============================================================
  - id: static-analysis-workflow
    name: "Static Properties Analysis"
    description: "Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents."
    steps:
      - order: 1
        name: "File Identification & Hashing"
        tools: [file, trid, exiftool, sha256sum]
        description: "Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps."
      - order: 2
        name: "Reputation Check"
        tools: [malwoverview, virustotal-search]
        description: "Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis."
      - order: 3
        name: "Packing & Entropy Check"
        tools: [diec, peframe]
        description: "Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow."
      - order: 4
        name: "String Extraction"
        tools: [strings, floss, pestr]
        description: "Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names."
      - order: 5
        name: "Capability Detection"
        tools: [capa, yara]
        description: "Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities."
      - order: 6
        name: "Import & Export Analysis"
        tools: [peframe, capa]
        description: "Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality."
      - order: 7
        name: "Disassembly (if needed)"
        tools: [ghidra, cutter, radare2]
        description: "Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view."
      - order: 8
        name: "Document Findings"
        tools: []
        description: "Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?"
    related_labs: ["1.1", "2.1", "4.1"]
    tags: [static, triage, pe-analysis, elf-analysis]

  # ============================================================
  # 2. BEHAVIORAL ANALYSIS
  # ============================================================
  - id: behavioral-analysis-workflow
    name: "Behavioral Analysis"
    description: "Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows."
    steps:
      - order: 1
        name: "Environment Preparation"
        tools: []
        description: "Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes)."
      - order: 2
        name: "Network Interception Setup"
        tools: [fakedns, inetsim, fakenet-ng]
        description: "Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP."
      - order: 3
        name: "Monitoring Setup"
        tools: [wireshark, tcpdump, strace]
        description: "Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring."
      - order: 4
        name: "Emulation (Safe Alternative)"
        tools: [speakeasy, capa]
        description: "Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview."
      - order: 5
        name: "Execute & Monitor"
        tools: []
        description: "Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes."
      - order: 6
        name: "Analyze Results"
        tools: [wireshark, procdot]
        description: "Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes."
      - order: 7
        name: "Extract IOCs"
        tools: []
        description: "Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms. Classify behavior: downloader, backdoor, ransomware, etc."
    related_labs: ["1.2", "1.4", "1.6", "4.5"]
    tags: [behavioral, dynamic, monitoring, emulation]

  # ============================================================
  # 3. NETWORK INTERCEPTION
  # ============================================================
  - id: network-interception-workflow
    name: "Network Traffic Interception"
    description: "Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception."
    steps:
      - order: 1
        name: "DNS Interception"
        tools: [fakedns]
        description: "Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP."
      - order: 2
        name: "Service Emulation"
        tools: [inetsim, fakenet-ng, httpd]
        description: "Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only."
      - order: 3
        name: "TLS/HTTPS Interception (if needed)"
        tools: [mitmproxy, polarproxy]
        description: "For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed."
      - order: 4
        name: "Packet Capture"
        tools: [wireshark, tcpdump]
        description: "Start capture before executing malware. Filter: not arp and not broadcast. Save to PCAP for later analysis."
      - order: 5
        name: "Execute & Observe"
        tools: []
        description: "Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port)."
      - order: 6
        name: "Traffic Analysis"
        tools: [wireshark, tshark, ngrep, tcpflow]
        description: "Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals)."
      - order: 7
        name: "File Extraction"
        tools: [tcpxtract, networkminer]
        description: "Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically."
      - order: 8
        name: "IP-Based Redirection (if needed)"
        tools: [iptables]
        description: "If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services."
      - order: 9
        name: "Document Network IOCs"
        tools: []
        description: "Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details."
    related_labs: ["1.3", "1.7", "1.8"]
    tags: [network, interception, c2, dns, https, pcap]

  # ============================================================
  # 4. DOCUMENT ANALYSIS
  # ============================================================
  - id: document-analysis-workflow
    name: "Malicious Document Analysis"
    description: "Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology."
    steps:
      - order: 1
        name: "Format Identification"
        tools: [file, trid]
        description: "Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes."
      - order: 2
        name: "Structure Analysis"
        tools: [oledump-py, rtfdump-py, pdfid-py, pdf-parser-py, onedump-py]
        description: "Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups."
      - order: 3
        name: "Password Handling (if encrypted)"
        tools: [msoffcrypto-tool]
        description: "If document is password-protected: msoffcrypto-tool -p . Common passwords: infected, malware, password, 123456."
      - order: 4
        name: "Macro/Script Extraction"
        tools: [oledump-py, olevba, pcode2code, XLMMacroDeobfuscator]
        description: "Extract VBA: oledump.py -s -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open)."
      - order: 5
        name: "Payload Decoding"
        tools: [base64dump-py, translate-py, gunzip, numbers-to-string-py, cyberchef]
        description: "Decode embedded payloads. Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key)."
      - order: 6
        name: "Embedded Object Analysis"
        tools: [scdbgc, xorsearch, yara, 1768-py]
        description: "If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow."
      - order: 7
        name: "Document IOCs"
        tools: []
        description: "Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable)."
    related_labs: ["3.1", "3.3", "3.4", "3.5"]
    tags: [documents, office, pdf, rtf, macro, onenote]

  # ============================================================
  # 5. JAVASCRIPT DEOBFUSCATION
  # ============================================================
  - id: javascript-deobfuscation-workflow
    name: "JavaScript Deobfuscation"
    description: "Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros."
    steps:
      - order: 1
        name: "Beautification"
        tools: [js-beautify]
        description: "Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob()."
      - order: 2
        name: "Static Review"
        tools: [visual-studio-code]
        description: "Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated)."
      - order: 3
        name: "Safe Execution (SpiderMonkey)"
        tools: [spidermonkey]
        description: "Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f . Captures eval'd code without running it."
      - order: 4
        name: "Environment Tuning"
        tools: [visual-studio-code]
        description: "If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey."
      - order: 5
        name: "Alternative Analysis"
        tools: [box-js, jstillery]
        description: "box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation."
      - order: 6
        name: "Payload Identification"
        tools: []
        description: "What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths."
    related_labs: ["3.6", "3.7"]
    tags: [javascript, deobfuscation, spidermonkey, box-js, web]

  # ============================================================
  # 6. UNPACKING
  # ============================================================
  - id: unpacking-workflow
    name: "Unpacking Packed Executables"
    description: "Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques."
    steps:
      - order: 1
        name: "Packing Identification"
        tools: [diec, peframe]
        description: "Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed)."
      - order: 2
        name: "Automated Unpacking"
        tools: [upx, de4dot]
        description: "Try known unpackers first. UPX: upx -d . .NET: de4dot . If automated unpacking fails (modified packer), proceed to manual."
      - order: 3
        name: "Emulation-Based Unpacking"
        tools: [speakeasy, qiling]
        description: "Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns."
      - order: 4
        name: "Debugger-Based Unpacking [W]"
        tools: [x64dbg, x32dbg]
        description: "Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP."
      - order: 5
        name: "Anti-Debug Bypass [W]"
        tools: [scyllahide]
        description: "If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks."
      - order: 6
        name: "Memory Dumping [W]"
        tools: [ollydumpex, scylla]
        description: "At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump)."
      - order: 7
        name: "PE Fixup [W]"
        tools: [pe-unmapper]
        description: "If dump has virtual alignment: pe_unmapper /in /base 400000 /out . Only needed if sections have wrong raw sizes."
      - order: 8
        name: "Verification"
        tools: [strings, peframe, capa]
        description: "Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis."
    related_labs: ["4.1", "4.2", "4.3", "5.3", "5.8", "5.10"]
    tags: [unpacking, packing, iat, memory-dump, oep]

  # ============================================================
  # 7. CODE INJECTION ANALYSIS
  # ============================================================
  - id: code-injection-workflow
    name: "Code Injection Analysis"
    description: "Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading."
    steps:
      - order: 1
        name: "Capability Detection"
        tools: [capa]
        description: "Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs."
      - order: 2
        name: "Injection Type Classification"
        tools: [ghidra, cutter]
        description: "Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC)."
      - order: 3
        name: "Target Process Analysis"
        tools: [ghidra]
        description: "How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls."
      - order: 4
        name: "Payload Identification"
        tools: [ghidra]
        description: "What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content."
      - order: 5
        name: "Memory Allocation Analysis"
        tools: [ghidra]
        description: "Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation."
      - order: 6
        name: "Injection Verification [W]"
        tools: [x32dbg, x64dbg]
        description: "Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis."
      - order: 7
        name: "Extracted Payload Analysis"
        tools: [peframe, capa, strings]
        description: "Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly)."
      - order: 8
        name: "Document Technique"
        tools: []
        description: "Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x)."
    related_labs: ["4.9", "5.4"]
    tags: [code-injection, process-hollowing, dll-injection, reflective-loading]

  # ============================================================
  # 8. .NET ANALYSIS
  # ============================================================
  - id: dotnet-analysis-workflow
    name: ".NET Malware Analysis"
    description: "Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies."
    steps:
      - order: 1
        name: "Identification & Metadata"
        tools: [peframe, diec, dnfile, dotnetfile]
        description: "Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies."
      - order: 2
        name: "Obfuscator Detection"
        tools: [diec, de4dot]
        description: "Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d reports detected obfuscator without modifying the file."
      - order: 3
        name: "Decompilation"
        tools: [ilspycmd, monodis]
        description: "Decompile to C# source: ilspycmd > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources."
      - order: 4
        name: "Dynamic Loading Detection"
        tools: [visual-studio-code]
        description: "Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading."
      - order: 5
        name: "Deobfuscation"
        tools: [de4dot]
        description: "Run: de4dot -o . If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants."
      - order: 6
        name: "Dynamic Debugging [W]"
        tools: [dnspyex]
        description: "If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk."
      - order: 7
        name: "Extracted Payload Analysis"
        tools: [ilspycmd, peframe]
        description: "Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain."
      - order: 8
        name: "Document Findings"
        tools: []
        description: "Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms."
    related_labs: ["3.12", "4.8"]
    tags: [dotnet, decompilation, deobfuscation, ilspy, de4dot]

  # ============================================================
  # 9. SHELLCODE ANALYSIS (NEW)
  # ============================================================
  - id: shellcode-analysis-workflow
    name: "Shellcode Analysis"
    description: "Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification."
    steps:
      - order: 1
        name: "Shellcode Detection"
        tools: [xorsearch, yara, capa]
        description: "Scan carrier file for shellcode patterns. XORSearch -W -d 3 detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks."
      - order: 2
        name: "Extraction"
        tools: [rtfdump-py, oledump-py, pdf-parser-py]
        description: "Extract shellcode from carrier. For RTF: rtfdump.py -s -H -d > sc.bin. For OLE: oledump.py -s -d > sc.bin. For PDF: pdf-parser.py -o -d sc.bin."
      - order: 3
        name: "Emulation"
        tools: [scdbgc, speakeasy]
        description: "Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation."
      - order: 4
        name: "Framework Identification"
        tools: [yara, 1768-py]
        description: "Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found."
      - order: 5
        name: "Conversion to EXE"
        tools: [shcode2exe]
        description: "Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra."
      - order: 6
        name: "String & IOC Extraction"
        tools: [strings, floss, cyberchef]
        description: "Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content."
      - order: 7
        name: "Document Findings"
        tools: []
        description: "Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless)."
    related_labs: ["3.4", "3.5", "4.6", "4.7"]
    tags: [shellcode, emulation, cobalt-strike, metasploit, scdbg]

  # ============================================================
  # 10. STRING & DATA DEOBFUSCATION (NEW)
  # ============================================================
  - id: string-deobfuscation-workflow
    name: "String & Data Deobfuscation"
    description: "Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding."
    steps:
      - order: 1
        name: "Automated Extraction"
        tools: [floss, strings]
        description: "Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings."
      - order: 2
        name: "Encoding Detection"
        tools: [xorsearch, bbcrack]
        description: "Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels."
      - order: 3
        name: "Single-Byte XOR Recovery"
        tools: [brxor-py, xortool]
        description: "For single-byte XOR: brxor.py finds English words. xortool guesses key length and probable key. xortool-xor -s -i -o decoded.bin to decode."
      - order: 4
        name: "Multi-Byte / Custom Decoding"
        tools: [translate-py, cyberchef]
        description: "For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe."
      - order: 5
        name: "Stack String Recovery"
        tools: [strdeob-pl, floss]
        description: "For strings built on the stack (MOV byte-by-byte): strdeob.pl or FLOSS stack string detection. Common in evasive malware to avoid string extraction."
      - order: 6
        name: "Validation & IOC Extraction"
        tools: []
        description: "Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare against known malware family patterns."
    related_labs: ["1.5", "5.2"]
    tags: [strings, xor, deobfuscation, floss, cyberchef, encoding]

  # ============================================================
  # 11. MEMORY FORENSICS (NEW)
  # ============================================================
  - id: memory-forensics-workflow
    name: "Memory Forensics"
    description: "Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux."
    steps:
      - order: 1
        name: "Image Identification"
        tools: [volatility3]
        description: "Determine OS and profile: vol3 -f windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture."
      - order: 2
        name: "Process Analysis"
        tools: [volatility3]
        description: "List processes: vol3 -f windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes."
      - order: 3
        name: "Network Connections"
        tools: [volatility3]
        description: "List connections: vol3 -f windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs."
      - order: 4
        name: "Injection Detection"
        tools: [volatility3]
        description: "Detect injected code: vol3 -f windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis."
      - order: 5
        name: "DLL Analysis"
        tools: [volatility3]
        description: "List loaded DLLs: vol3 -f windows.dlllist --pid . Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline."
      - order: 6
        name: "String Search"
        tools: [volatility3, strings]
        description: "Search for known IOCs in memory: vol3 -f windows.strings. Also: strings | grep -i ''. Look for URLs, domains, file paths, commands."
      - order: 7
        name: "Process & Code Dumping"
        tools: [volatility3]
        description: "Extract suspicious processes: vol3 -f windows.dumpfiles --pid . Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow."
      - order: 8
        name: "Timeline Reconstruction"
        tools: [volatility3]
        description: "Build timeline: vol3 -f timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data."
    related_labs: []
    tags: [memory, forensics, volatility, injection, incident-response]

  # ============================================================
  # 12. ANDROID MALWARE ANALYSIS (NEW)
  # ============================================================
  - id: android-analysis-workflow
    name: "Android Malware Analysis"
    description: "Analyze suspicious Android APK files using static and dynamic techniques available in REMnux."
    steps:
      - order: 1
        name: "APK Triage"
        tools: [file, apkid]
        description: "Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques."
      - order: 2
        name: "Manifest Analysis"
        tools: [apktool]
        description: "Decompile APK: apktool d -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters."
      - order: 3
        name: "Source Code Recovery"
        tools: [jadx]
        description: "Decompile DEX to Java: jadx -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks."
      - order: 4
        name: "Static Analysis"
        tools: [androguard, droidlysis]
        description: "androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage."
      - order: 5
        name: "Native Library Analysis"
        tools: [strings, radare2]
        description: "If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto."
      - order: 6
        name: "Dynamic Instrumentation"
        tools: [frida]
        description: "Hook suspicious functions at runtime: frida -U -l hook.js . Intercept: crypto operations, network calls, file access, SMS operations."
      - order: 7
        name: "Document Findings"
        tools: []
        description: "Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location)."
    related_labs: []
    tags: [android, apk, mobile, frida, jadx, apktool]

  # ============================================================
  # 13. JAVA MALWARE ANALYSIS (NEW)
  # ============================================================
  - id: java-analysis-workflow
    name: "Java Malware Analysis"
    description: "Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis."
    steps:
      - order: 1
        name: "Archive Inspection"
        tools: [unzip, file]
        description: "Extract JAR contents: unzip -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files."
      - order: 2
        name: "Decompilation"
        tools: [cfr, jd-gui]
        description: "Decompile with CFR: cfr --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better."
      - order: 3
        name: "Multi-Decompiler Comparison"
        tools: [cfr, procyon]
        description: "If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine."
      - order: 4
        name: "Code Analysis"
        tools: [visual-studio-code]
        description: "Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName)."
      - order: 5
        name: "Resource Extraction"
        tools: [strings]
        description: "Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common."
      - order: 6
        name: "Document Findings"
        tools: []
        description: "Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements."
    related_labs: []
    tags: [java, jar, decompilation, cfr, jd-gui]

  # ============================================================
  # 14. EMAIL & PHISHING ANALYSIS (NEW)
  # ============================================================
  - id: email-analysis-workflow
    name: "Email & Phishing Analysis"
    description: "Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links."
    steps:
      - order: 1
        name: "Header Analysis"
        tools: [emldump-py, mail-parser]
        description: "Parse SMTP headers: emldump.py . Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer."
      - order: 2
        name: "Attachment Extraction"
        tools: [emldump-py, msg-extractor]
        description: "Extract attachments: emldump.py -d. For MSG format: msg-extractor . List all attachments with types and sizes."
      - order: 3
        name: "Attachment Triage"
        tools: [file, trid, yara, sha256sum]
        description: "For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML)."
      - order: 4
        name: "Link Analysis"
        tools: [unfurl]
        description: "Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters)."
      - order: 5
        name: "Payload Analysis"
        tools: []
        description: "Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page."
      - order: 6
        name: "Document IOCs"
        tools: []
        description: "Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names)."
    related_labs: []
    tags: [email, phishing, eml, msg, attachments, headers]

  # ============================================================
  # 15. COBALT STRIKE ANALYSIS (NEW)
  # ============================================================
  - id: cobalt-strike-workflow
    name: "Cobalt Strike Analysis"
    description: "Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux."
    steps:
      - order: 1
        name: "Beacon Detection"
        tools: [yara, capa]
        description: "Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns."
      - order: 2
        name: "Configuration Extraction"
        tools: [1768-py]
        description: "Parse beacon config: 1768.py . Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config."
      - order: 3
        name: "Metadata Decryption"
        tools: [cs-decrypt-metadata-py]
        description: "Decrypt beacon metadata from network captures: cs-decrypt-metadata.py . Reveals: computer name, user, process info sent to team server."
      - order: 4
        name: "Key Extraction"
        tools: [cs-extract-key-py]
        description: "Extract encryption keys: cs-extract-key.py -f . Recovers AES and HMAC keys used for C2 communication encryption."
      - order: 5
        name: "Traffic Decryption"
        tools: [cs-parse-traffic-py]
        description: "Decrypt C2 traffic: cs-parse-traffic.py -f -k . Reveals: tasking commands, downloaded payloads, exfiltrated data."
      - order: 6
        name: "Sleep Mask Analysis"
        tools: [cs-analyze-processdump-py]
        description: "Analyze sleep mask: cs-analyze-processdump.py . Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics."
      - order: 7
        name: "Document Findings"
        tools: []
        description: "Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators."
    related_labs: ["3.4"]
    tags: [cobalt-strike, c2, beacon, didier-stevens, threat-intel]
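The magic-byte identification, hashing and entropy check of the Static Properties Analysis workflow (steps 1 and 3, and step 1 of the Unpacking workflow), as an added example that is not part of this workflow file or of any REMnux tool. It walks the PE section table directly; the sample PE is constructed inline and the section-name heuristic is an assumption of this example.

```python
import hashlib
import math
import struct

HIGH_ENTROPY = 7.0  # the workflow's packing threshold (>7.0 suggests packing)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify(data: bytes) -> str:
    """Identify the true type from magic bytes, never from the extension."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE"
        return "MZ (DOS stub without PE header)"
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "OLE2"
    if data[:2] == b"PK":
        return "ZIP (OOXML, JAR or APK container)"
    return "unknown"


def pe_sections(data: bytes):
    """Yield (name, raw_size, entropy) for every section of a PE file."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4                       # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size              # section table after optional header
    for i in range(num_sections):
        off = first + i * 40                  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, raw_size, shannon_entropy(data[raw_ptr:raw_ptr + raw_size])


def triage(data: bytes) -> dict:
    """Steps 1 and 3 of the workflow: type, hashes and packing indicators."""
    report = {
        "type": identify(data),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "packed_indicators": [],
    }
    if report["type"] == "PE":
        for name, size, ent in pe_sections(data):
            if ent > HIGH_ENTROPY:
                report["packed_indicators"].append(f"high entropy {ent:.2f} in {name}")
            # Heuristic (assumption of this example): compiler sections start with
            # a dot; packer names such as UPX0/UPX1 do not. Delphi's CODE/DATA are
            # a known benign exception, so treat this as a lead, not a verdict.
            if name and not name.startswith("."):
                report["packed_indicators"].append(f"unusual section name {name}")
    return report


def build_sample_pe(sections) -> bytes:
    """Constructed, non-executable PE32 skeleton used only as sample input."""
    out = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", out, 0x3C, 0x40)                        # e_lfanew
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    out += struct.pack("<H", 0x10B) + b"\0" * 222                   # PE32 optional header
    raw_ptr = len(out) + 40 * len(sections)                         # data follows the table
    bodies = b""
    for i, (name, body) in enumerate(sections):
        out += struct.pack("<8sIIIIIIHHI", name.encode(), len(body), 0x1000 * (i + 1),
                           len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        bodies += body
    return bytes(out) + bodies


SAMPLE = build_sample_pe([
    (".text", bytes(range(0x20, 0x7F)) * 20),   # printable bytes, entropy ~6.57
    ("UPX1", bytes(range(256)) * 8),            # uniform bytes, entropy 8.0
])

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```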
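A pdfid.py-style keyword scan for step 2 of the Malicious Document Analysis workflow, added here as an example and not taken from pdfid.py or this workflow file. It normalizes PDF name hex escapes (so /J#61vaScript is counted as /JavaScript) and checks obj/endobj balance; the sample PDF is constructed inline.

```python
import re

# Keywords pdfid.py counts; any RISKY hit warrants pdf-parser.py follow-up.
RISKY = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
         "/EmbeddedFile", "/ObjStm", "/URI", "/RichMedia", "/XFA")
STRUCTURE = ("obj", "endobj", "stream", "endstream")

# A PDF name may spell any byte as #xx, so /J#61vaScript equals /JavaScript.
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
# Name token: a slash followed by anything up to PDF whitespace or a delimiter.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")


def normalize_name(token: bytes) -> bytes:
    """Resolve #xx escapes inside a name token."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data: bytes) -> dict:
    """Count structural words and risky names; report obfuscated spellings.

    Like pdfid.py this sees only what is visible in the raw file: names inside
    FlateDecode'd streams need pdf-parser.py to inflate them first."""
    counts = {k: 0 for k in RISKY + STRUCTURE}
    for word in STRUCTURE:
        # \b keeps "endobj" from also being counted as "obj".
        counts[word] = len(re.findall(rb"\b" + word.encode() + rb"\b", data))
    obfuscated = []
    for m in _NAME.finditer(data):
        raw = m.group(0)
        name = normalize_name(raw).decode("latin-1")
        if name in counts:
            counts[name] += 1
            if raw != name.encode("latin-1"):
                obfuscated.append(raw.decode("latin-1"))
    return {
        "counts": counts,
        "obfuscated_names": obfuscated,
        "suspicious": any(counts[k] for k in RISKY),
        # Unbalanced obj/endobj or stream/endstream often means a truncated
        # or deliberately malformed file.
        "truncated": counts["obj"] != counts["endobj"]
                     or counts["stream"] != counts["endstream"],
    }


# Constructed sample: an /OpenAction pointing at a JavaScript action whose
# /JavaScript name is hex-escaped to dodge naive grep.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /S /J#61vaScript /JS (app.alert(1)) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    result = scan_pdf(SAMPLE_PDF)
    for key, value in result["counts"].items():
        if value:
            print(f"{key:15} {value}")
    print("obfuscated:", result["obfuscated_names"], "suspicious:", result["suspicious"])
```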
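Beacon identification for step 6 of the Network Traffic Interception workflow ("identify beaconing (regular intervals)"), as an added example rather than code from the workflow file or from tshark. It reads the tab-separated rows that tshark -T fields emits and flags destinations contacted at regular intervals; the rows below are constructed, not a real capture.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed rows in the layout of:
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
# One host beacons to 203.0.113.5:443 about every 60 s, browses 198.51.100.7
# irregularly, and touches 192.0.2.9 twice (too few samples to judge).
SAMPLE_ROWS = "\n".join([
    "1700000000.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000005.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700000010.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700000060.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000121.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000130.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700000133.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700000180.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000240.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000302.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000360.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000400.000000000\t10.0.0.5\t192.0.2.9\t8080",
    "1700000420.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000481.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000540.000000000\t10.0.0.5\t203.0.113.5\t443",
    "1700000900.000000000\t10.0.0.5\t192.0.2.9\t8080",
    "1700001033.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700001050.000000000\t10.0.0.5\t198.51.100.7\t80",
    "1700001094.000000000\t10.0.0.5\t198.51.100.7\t80",
])


def parse_tshark_fields(text: str):
    """Turn 'epoch<TAB>src<TAB>dst<TAB>dport' lines into (ts, src, dst, port)."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # blank lines and non-TCP rows (empty dstport)
        rows.append((float(parts[0]), parts[1], parts[2], int(parts[3])))
    return rows


def find_beacons(rows, min_conns=5, max_jitter=0.2):
    """Flag (src, dst, port) triples whose connection gaps are regular.

    Regularity is the coefficient of variation of the gaps (stdev / mean).
    A sleep of 60 s with 20% jitter still scores well under 0.2; interactive
    browsing scores far above it. Tune min_conns/max_jitter to the capture."""
    groups = defaultdict(list)
    for ts, src, dst, port in rows:
        groups[(src, dst, port)].append(ts)
    beacons = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "connections": len(times),
                            "interval_s": round(avg, 1), "jitter": round(jitter, 3)})
    return sorted(beacons, key=lambda b: b["jitter"])


if __name__ == "__main__":
    for beacon in find_beacons(parse_tshark_fields(SAMPLE_ROWS)):
        print(beacon)
```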
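The XOR steps of the String & Data Deobfuscation workflow (known-plaintext detection as XORSearch does it, then key-length guessing and per-column key recovery as xortool and brxor.py do it), as one added example that is not the code of those tools or of this workflow file. The encoded blobs, the 1- and 3-byte keys and the scoring weights are constructed for the example.

```python
# Strings XORSearch looks for: present in nearly any Windows payload or config.
KNOWN_PLAINTEXTS = [b"http", b"MZ", b"This program", b"kernel32"]


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def known_plaintext_search(data: bytes):
    """Step 2: try every single-byte key and report where known plaintexts
    appear, as (key, offset, plaintext). Key 0 means the text is unencoded."""
    hits = []
    for key in range(256):
        dec = bytes(b ^ key for b in data)
        for pt in KNOWN_PLAINTEXTS:
            idx = dec.find(pt)
            while idx != -1:
                hits.append((key, idx, pt.decode()))
                idx = dec.find(pt, idx + 1)
    return hits


def english_score(data: bytes) -> int:
    """Reward lowercase/space, accept other printable ASCII, punish the rest."""
    score = 0
    for b in data:
        if b == 0x20 or 0x61 <= b <= 0x7A:
            score += 3
        elif 0x41 <= b <= 0x5A:
            score += 2
        elif 0x20 < b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += 1
        else:
            score -= 10
    return score


def guess_key_length(data: bytes, max_len: int = 16) -> int:
    """Step 3, xortool-style: blocks encoded with the same key bytes differ only
    as much as the plaintext does; other lengths add the key difference as
    noise. Multiples of the true length score equally well, so the smallest
    length within 10% of the best score is returned."""
    scores = {}
    for length in range(1, max_len + 1):
        blocks = [data[i:i + length] for i in range(0, len(data) - length + 1, length)]
        pairs = list(zip(blocks, blocks[1:]))
        dist = sum(bin(x ^ y).count("1") for a, b in pairs for x, y in zip(a, b))
        scores[length] = dist / (len(pairs) * length)
    best = min(scores.values())
    return min(l for l, s in scores.items() if s <= best * 1.1)


def recover_key(data: bytes, max_len: int = 16) -> bytes:
    """Solve each key position as an independent single-byte XOR by English
    score (the brxor.py idea), after guessing the key length."""
    length = guess_key_length(data, max_len)
    key = bytearray()
    for col in range(length):
        column = data[col::length]
        key.append(max(range(256),
                       key=lambda k: english_score(bytes(b ^ k for b in column))))
    return bytes(key)


# Constructed plaintext resembling a downloader's embedded configuration.
CONFIG = (
    b"This program cannot be run in DOS mode. "
    b"beacon config: host http://c2.example.invalid/gate.php sleep 60 jitter 20 "
    b"user agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    b"persistence registry run key updater service name WindowsUpdateHelper "
    b"exfil path c:\\users\\public\\temp\\out.dat module kernel32.dll loaded "
) * 3
SINGLE = xor(CONFIG, b"\x41")           # single-byte key: XORSearch territory
MULTI = xor(CONFIG, b"\x5a\x13\xa7")    # 3-byte key: xortool territory

if __name__ == "__main__":
    for key, off, pt in known_plaintext_search(SINGLE):
        if key == 0x41:
            print(f"key 0x{key:02x} offset {off:4d}: {pt}")
    k = recover_key(MULTI)
    print("recovered key:", k.hex(), "->", xor(MULTI, k)[:40])
```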
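Header analysis for step 1 of the Email & Phishing Analysis workflow (Return-Path vs From, Reply-To, SPF/DKIM/DMARC results, Received delivery path, X-Mailer), written as an added example on the standard library rather than with emldump.py; the message is constructed with reserved example domains and every indicator in it is invented for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message). The From claims the corporate
# domain, but the envelope sender, first hop, Reply-To and auth results do not.
SAMPLE_EML = b"""Return-Path: <bounce-8812@bulkmailer.example.net>
Received: from mx1.corp.example.com (mx1.corp.example.com [192.0.2.10])
\tby mail.corp.example.com with ESMTP id 7A1B2C; Mon, 3 Jun 2024 09:12:44 +0000
Received: from relay.bulkmailer.example.net (relay.bulkmailer.example.net [198.51.100.25])
\tby mx1.corp.example.com with ESMTPS; Mon, 3 Jun 2024 09:12:43 +0000
Authentication-Results: mx1.corp.example.com; spf=fail smtp.mailfrom=bulkmailer.example.net;
\tdkim=none; dmarc=fail header.from=corp.example.com
From: "IT Helpdesk" <helpdesk@corp.example.com>
Reply-To: <helpdesk@corp-example-support.invalid>
To: <user@corp.example.com>
Subject: Action required: password expires today
X-Mailer: PHPMailer 6.1.5
Message-ID: <20240603091243.1234@relay.bulkmailer.example.net>
Content-Type: text/plain

Please reset your password at http://corp-example-support.invalid/reset
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def delivery_path(received):
    """(from_host, by_host) per hop, oldest hop first. Servers prepend their
    Received header, so the order on the message is newest first."""
    hops = []
    for hdr in reversed(received):
        src = re.search(r"\bfrom\s+(\S+)", hdr)
        dst = re.search(r"\bby\s+(\S+)", hdr)
        hops.append((src.group(1) if src else "?", dst.group(1) if dst else "?"))
    return hops


def analyze_headers(raw: bytes) -> dict:
    """Return the addresses, delivery path and a list of spoofing indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    auth = str(msg.get("Authentication-Results", ""))
    hops = delivery_path([str(h) for h in msg.get_all("Received", [])])
    findings = []
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain {_domain(return_path)} differs from "
                        f"From domain {_domain(from_addr)}")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To domain {_domain(reply_to)} differs from "
                        f"From domain {_domain(from_addr)}")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")
    if hops and _domain(from_addr) and not hops[0][0].endswith(_domain(from_addr)):
        findings.append(f"first hop {hops[0][0]} is outside the From domain")
    return {
        "from": from_addr, "return_path": return_path, "reply_to": reply_to,
        "x_mailer": str(msg.get("X-Mailer", "")),
        "hops": hops, "findings": findings,
    }


if __name__ == "__main__":
    report = analyze_headers(SAMPLE_EML)
    for hop in report["hops"]:
        print("hop:", hop[0], "->", hop[1])
    for finding in report["findings"]:
        print("finding:", finding)
```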