tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
67 lines
2.3 KiB
Plaintext
67 lines
2.3 KiB
Plaintext
============================================================
|
|
Behavioral Analysis
|
|
============================================================
|
|
|
|
Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows.
|
|
|
|
Related FOR610 Labs: 1.2, 1.4, 1.6, 4.5
|
|
|
|
────────────────────────────────────────────────────────────
|
|
|
|
Step 1: Environment Preparation
|
|
Revert to clean snapshot. Disconnect from production
|
|
network. Verify isolation (host-only networking). Set
|
|
max execution time (2-5 minutes).
|
|
|
|
Step 2: Network Interception Setup
|
|
Tools: fakedns, inetsim, fakenet-ng
|
|
Start fake DNS and service emulation so malware gets
|
|
responses. On REMnux: fakedns for DNS, INetSim or
|
|
FakeNet-NG for HTTP/HTTPS/SMTP/FTP.
|
|
|
|
$ fakedns
|
|
$ inetsim
|
|
$ fakenet
|
|
|
|
Step 3: Monitoring Setup
|
|
Tools: wireshark, tcpdump, strace
|
|
Start packet capture (wireshark or tcpdump). On Linux:
|
|
strace/ltrace for syscalls. Start filesystem
|
|
monitoring.
|
|
|
|
$ wireshark
|
|
$ tcpdump -i eth0 -w capture.pcap
|
|
|
|
Step 4: Emulation (Safe Alternative)
|
|
Tools: speakeasy, capa
|
|
Before live execution, try emulation: speakeasy
|
|
emulates Windows API calls on Linux safely. Use capa
|
|
-vv for capability overview.
|
|
|
|
$ speakeasy -t specimen.exe -o report.json 2> report.txt
|
|
$ capa specimen.exe
|
|
|
|
Step 5: Execute & Monitor
|
|
Run the sample with a timeout. Monitor for: new
|
|
processes spawned, files created/modified, network
|
|
connections, DNS queries. Kill after 2-5 minutes.
|
|
|
|
Step 6: Analyze Results
|
|
Tools: wireshark, procdot
|
|
Review network capture: follow TCP streams, extract
|
|
payloads, identify C2 patterns. Analyze process
|
|
activity logs. Map filesystem changes.
|
|
|
|
$ wireshark
|
|
$ procdot
|
|
|
|
Step 7: Extract IOCs
|
|
Document: contacted domains/IPs, created
|
|
files/registry keys, spawned processes, persistence
|
|
mechanisms. Classify behavior: downloader, backdoor,
|
|
ransomware, etc.
|
|
|
|
────────────────────────────────────────────────────────────
|
|
Tip: 'fhelp cheat <tool>' for full examples
|
|
'Ctrl+G' for interactive cheatsheet browser
|