f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
# FOR610 Lab/Workflow Catalog
# All labs from the SANS FOR610 workbook with ordered tool usage
# Tool order reflects the actual step-by-step workflow sequence
labs:
# ============================================================
# SECTION 1: MALWARE ANALYSIS FUNDAMENTALS
# ============================================================
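# Lab 1.1: static triage entry point for the brbbot.exe series; no prerequisite_labs.
# Linux (REMnux) tools run first, then the Windows PE inspector.
- id: "1.1"
  section: 1
  title: "Static Properties Analysis of brbbot.exe"
  sample: "brbbot.exe"
  analysis_type: static-properties
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract malware sample from archive"
  - tool_id: pestr
    platform: linux
    purpose: "Extract ASCII and Unicode strings"
  - tool_id: pestudio
    platform: windows
    purpose: "Examine PE properties, imports, sections, and anomalies"
  - tool_id: peframe
    platform: linux
    purpose: "Examine static properties and detect anomalies"
  key_techniques:
  - string-extraction
  - pe-header-analysis
  - anomaly-detection
  - import-analysis
  tags: [static-analysis, pe, strings, triage]
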
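# Lab 1.2: regshot is intentionally listed twice — first snapshot before infection,
# then the comparison snapshot after it. Keep both entries; tool order is the workflow.
- id: "1.2"
  section: 1
  title: "Initial Behavioral Analysis of brbbot.exe"
  sample: "brbbot.exe"
  analysis_type: behavioral
  tools_used:
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor running processes and network connections"
  - tool_id: process-monitor
    platform: windows
    purpose: "Capture file system, registry, and process activity"
  - tool_id: regshot
    platform: windows
    purpose: "Take registry/filesystem snapshot before infection"
  - tool_id: wireshark
    platform: linux
    purpose: "Capture network traffic from malware"
  - tool_id: regshot
    platform: windows
    purpose: "Compare registry/filesystem snapshot after infection"
  - tool_id: procdot
    platform: windows
    purpose: "Visualize Process Monitor logs for analysis"
  key_techniques:
  - process-monitoring
  - registry-monitoring
  - network-capture
  - behavioral-visualization
  prerequisite_labs: ["1.1"]
  tags: [behavioral, monitoring, registry, network]
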
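# Lab 1.3: DNS is spoofed so the sample's traffic lands on the REMnux analysis host,
# where httpd stands in for the C2 server and wireshark records the exchange.
- id: "1.3"
  section: 1
  title: "Intercepting brbbot.exe's Network Traffic"
  sample: "brbbot.exe"
  analysis_type: network-interception
  tools_used:
  - tool_id: fakedns
    platform: linux
    purpose: "Spoof DNS to redirect malware traffic to REMnux"
  - tool_id: nslookup
    platform: windows
    purpose: "Verify DNS spoofing is working"
  - tool_id: wireshark
    platform: linux
    purpose: "Capture redirected network traffic"
  - tool_id: httpd
    platform: linux
    purpose: "Simulate C2 web server"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "Edit web server response files"
  key_techniques:
  - dns-spoofing
  - traffic-interception
  - c2-analysis
  - http-payload-examination
  prerequisite_labs: ["1.2"]
  tags: [network, dns, c2, interception]
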
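# Lab 1.4: emulation-only path — the sample is not executed natively; speakeasy's
# JSON report is post-processed with jq and capabilities are mapped with capa.
- id: "1.4"
  section: 1
  title: "Emulating the Execution of brbbot.exe"
  sample: "brbbot.exe"
  analysis_type: emulation
  tools_used:
  - tool_id: speakeasy
    platform: linux
    purpose: "Emulate Windows API calls without native execution"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "Examine emulation output"
  - tool_id: jq
    platform: linux
    purpose: "Extract API names from JSON report"
  - tool_id: capa
    platform: linux
    purpose: "Identify malware capabilities with MITRE ATT&CK mapping"
  key_techniques:
  - api-emulation
  - capability-detection
  - json-analysis
  prerequisite_labs: ["1.1"]
  tags: [emulation, api-analysis, capa, speakeasy]
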
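# Lab 1.5: depends on both 1.1 (import analysis) and 1.3 (intercepted traffic);
# the XOR-decoding step operates on the payload captured in 1.3.
- id: "1.5"
  section: 1
  title: "Decrypting brbbot.exe's Configuration File"
  sample: "brbbot.exe"
  analysis_type: debugging
  tools_used:
  - tool_id: x64dbg
    platform: windows
    purpose: "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs"
  - tool_id: pestudio
    platform: windows
    purpose: "Examine imports to identify encryption APIs"
  - tool_id: cyberchef
    platform: linux
    purpose: "Decode XOR-encrypted exfiltrated payload"
  key_techniques:
  - api-breakpoints
  - configuration-decryption
  - xor-decoding
  - handle-inspection
  prerequisite_labs: ["1.1", "1.3"]
  tags: [debugging, decryption, xor, c2-config]
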
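# Lab 1.6: builds on the simulated C2 from 1.3 and the decrypted config from 1.5.
- id: "1.6"
  section: 1
  title: "Experimenting with C2 Functionality in brbbot.exe"
  sample: "brbbot.exe"
  analysis_type: behavioral
  tools_used:
  - tool_id: httpd
    platform: linux
    purpose: "Serve C2 commands via ads.php"
  - tool_id: wireshark
    platform: linux
    purpose: "Observe C2 request/response traffic"
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor process spawning from C2 commands"
  key_techniques:
  - c2-command-testing
  - beaconing-analysis
  - command-execution-monitoring
  prerequisite_labs: ["1.3", "1.5"]
  tags: [c2, behavioral, command-control]
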
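# Lab 1.7: first lab on a different sample (ghyte.exe); inetsim replaces httpd
# because the sample speaks HTTPS rather than plain HTTP.
- id: "1.7"
  section: 1
  title: "Intercepting HTTPS Connections Initiated by ghyte.exe"
  sample: "ghyte.exe"
  analysis_type: network-interception
  tools_used:
  - tool_id: wireshark
    platform: linux
    purpose: "Capture initial network traffic"
  - tool_id: fakedns
    platform: linux
    purpose: "Redirect DNS for HTTPS interception"
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor malware process"
  - tool_id: inetsim
    platform: linux
    purpose: "Emulate HTTPS and other internet services"
  key_techniques:
  - https-interception
  - service-emulation
  - tls-analysis
  prerequisite_labs: ["1.1"]
  tags: [network, https, inetsim, interception]
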
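# Lab 1.8: sample (getdown.exe) connects by IP address, so DNS spoofing (1.3) does
# not apply; iptables NAT rules redirect the traffic instead.
- id: "1.8"
  section: 1
  title: "Intercepting IP Address-Based Traffic Using iptables"
  sample: "getdown.exe"
  analysis_type: network-interception
  tools_used:
  - tool_id: wireshark
    platform: linux
    purpose: "Capture network traffic"
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor malware process"
  - tool_id: httpd
    platform: linux
    purpose: "Serve responses to redirected traffic"
  - tool_id: iptables
    platform: linux
    purpose: "Redirect IP-based traffic via NAT rules"
  key_techniques:
  - iptables-redirection
  - ip-based-interception
  - nat-rules
  prerequisite_labs: ["1.3"]
  tags: [network, iptables, traffic-redirection]
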
# ============================================================
# SECTION 2: REVERSING MALICIOUS CODE
# ============================================================
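# Lab 2.1: Ghidra fundamentals; section entry point (no prerequisite_labs) and the
# prerequisite for every other code-analysis lab in this catalog.
- id: "2.1"
  section: 2
  title: "Intro to Assembly and Ghidra"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Disassemble and decompile — navigate function graphs, symbol trees, imports"
  key_techniques:
  - ghidra-navigation
  - function-graph
  - import-analysis
  - cross-references
  - equate-constants
  - commenting
  tags: [assembly, ghidra, code-analysis, fundamentals]
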
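# Lab 2.2: single-tool Ghidra lab on the same svchost.exe specimen as 2.1.
- id: "2.2"
  section: 2
  title: "HTTP C2 Analysis"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze HTTP C2 code patterns and API usage"
  key_techniques:
  - http-api-identification
  - data-type-archives
  - parameter-analysis
  - function-renaming
  prerequisite_labs: ["2.1"]
  tags: [c2, http, api-patterns, ghidra]
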
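# Lab 2.3: first half of the function-components pair (continued in 2.4).
- id: "2.3"
  section: 2
  title: "Function Components, Part 1"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze function prologue, epilogue, stack frames, and local variables"
  key_techniques:
  - function-prologue
  - function-epilogue
  - stack-frame
  - local-variables
  prerequisite_labs: ["2.1"]
  tags: [assembly, functions, stack, ghidra]
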
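# Lab 2.4: second half of the function-components pair; requires 2.3, not just 2.1.
- id: "2.4"
  section: 2
  title: "Function Components, Part 2"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze function parameters, calling conventions, and return values"
  key_techniques:
  - calling-conventions
  - parameter-passing
  - return-values
  prerequisite_labs: ["2.3"]
  tags: [assembly, functions, calling-conventions, ghidra]
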
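# Lab 2.5: single-tool Ghidra lab on svchost.exe.
- id: "2.5"
  section: 2
  title: "Loop Components"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Identify loops using string references and control flow analysis"
  key_techniques:
  - string-references
  - loop-identification
  - control-flow
  prerequisite_labs: ["2.1"]
  tags: [assembly, loops, control-flow, ghidra]
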
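# Lab 2.6: single-tool Ghidra lab on svchost.exe.
- id: "2.6"
  section: 2
  title: "Compound Expressions"
  sample: "svchost.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze complex conditional logic and nested decisions"
  key_techniques:
  - compound-conditions
  - nested-logic
  - decompiler-interpretation
  prerequisite_labs: ["2.1"]
  tags: [assembly, conditionals, ghidra]
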
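# Lab 2.7: DLL specimen (ishelp.dll); pestudio confirms the file type and exports
# before Ghidra is used on the resource-extraction code.
- id: "2.7"
  section: 2
  title: "Dropper Analysis"
  sample: "ishelp.dll"
  analysis_type: code-analysis
  tools_used:
  - tool_id: pestudio
    platform: windows
    purpose: "Confirm DLL type and examine exports"
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze resource extraction and file dropping code"
  key_techniques:
  - dll-analysis
  - exported-functions
  - resource-extraction
  - file-dropping
  prerequisite_labs: ["2.1"]
  tags: [dropper, dll, resources, ghidra]
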
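# Lab 2.8: the sample field holds a description ("64-bit specimen"), not a filename,
# unlike the other entries — consumers matching on sample names should expect that.
- id: "2.8"
  section: 2
  title: "Intro to 64-bit Code Analysis"
  sample: "64-bit specimen"
  analysis_type: code-analysis
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze 64-bit calling conventions and register usage"
  key_techniques:
  - x64-calling-convention
  - register-usage
  - schtasks-persistence
  prerequisite_labs: ["2.1"]
  tags: [64-bit, assembly, x64, ghidra]
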
# ============================================================
# SECTION 3: BEYOND TRADITIONAL EXECUTABLES
# ============================================================
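# Lab 3.1: section entry point (no prerequisite_labs); all tools are Linux-side.
# Tool ids for Didier Stevens scripts use the "-py" suffix (pdfid-py, pdf-parser-py).
- id: "3.1"
  section: 3
  title: "Examining steel1.pdf with pdf-parser.py"
  sample: "steel1.pdf"
  analysis_type: pdf-analysis
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample from archive"
  - tool_id: pdfid-py
    platform: linux
    purpose: "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)"
  - tool_id: pdf-parser-py
    platform: linux
    purpose: "Parse PDF objects, extract URLs, and dump embedded images"
  - tool_id: feh
    platform: linux
    purpose: "View extracted image from PDF object"
  key_techniques:
  - pdf-keyword-scanning
  - object-extraction
  - url-extraction
  - embedded-image-analysis
  tags: [pdf, phishing, static-analysis]
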
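# Lab 3.2: works from captured traffic, so the sample is a website name rather than a file.
- id: "3.2"
  section: 3
  title: "Investigating the 'crophysi' Website with Fiddler"
  sample: "crophysi website"
  analysis_type: web-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Load and analyze captured HTTP/HTTPS traffic"
  key_techniques:
  - redirection-chain-analysis
  - http-request-inspection
  - payload-extraction
  tags: [web, http, fiddler, traffic-analysis]
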
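# Lab 3.3: Office document analysis, entirely on Linux; no prerequisite_labs.
- id: "3.3"
  section: 3
  title: "Analyzing mydoc.docm with oledump.py"
  sample: "mydoc.docm"
  analysis_type: document-analysis
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample from archive"
  - tool_id: trid
    platform: linux
    purpose: "Identify file format (OOXML)"
  - tool_id: oledump-py
    platform: linux
    purpose: "List OLE streams and extract VBA macros"
  - tool_id: numbers-to-string-py
    platform: linux
    purpose: "Convert decimal sequences to readable strings"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "View extracted macro code"
  key_techniques:
  - file-format-identification
  - ole-stream-analysis
  - vba-macro-extraction
  - string-decoding
  tags: [office, vba, macro, oledump]
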
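# Lab 3.4: longest Linux-only chain in section 3 — the tool order encodes the decoding
# pipeline (base64 -> gunzip -> XOR) followed by emulation and signature matching.
- id: "3.4"
  section: 3
  title: "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc"
  sample: "checkbox.doc"
  analysis_type: document-analysis
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: file
    platform: linux
    purpose: "Identify file type"
  - tool_id: trid
    platform: linux
    purpose: "Confirm OLE2 format"
  - tool_id: oledump-py
    platform: linux
    purpose: "Extract OLE streams and identify macro streams"
  - tool_id: base64dump-py
    platform: linux
    purpose: "Decode Base64-encoded PowerShell from UserForm"
  - tool_id: gunzip
    platform: linux
    purpose: "Decompress gzipped payload"
  - tool_id: translate-py
    platform: linux
    purpose: "XOR decode shellcode (byte ^ 35)"
  - tool_id: strings
    platform: linux
    purpose: "Extract strings from decoded shellcode"
  - tool_id: scdbgc
    platform: linux
    purpose: "Emulate shellcode to identify behavior"
  - tool_id: yara
    platform: linux
    purpose: "Scan for known malware patterns"
  - tool_id: 1768-py
    platform: linux
    purpose: "Parse Cobalt Strike beacon configuration"
  key_techniques:
  - multi-stage-decoding
  - base64-gunzip-xor-chain
  - shellcode-emulation
  - cobalt-strike-identification
  prerequisite_labs: ["3.3"]
  tags: [office, powershell, shellcode, cobalt-strike, multi-stage]
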
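# Lab 3.5: mixes Linux static/emulation steps with Windows dynamic execution
# (runsc32, x32dbg) of the shellcode carved from the RTF.
- id: "3.5"
  section: 3
  title: "Examining qa.doc With rtfdump.py, scdbgc, and runsc"
  sample: "qa.doc"
  analysis_type: document-analysis
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: file
    platform: linux
    purpose: "Identify RTF format"
  - tool_id: rtfdump-py
    platform: linux
    purpose: "Parse RTF structure, locate hex-encoded embedded objects"
  - tool_id: xorsearch
    platform: linux
    purpose: "Detect shellcode patterns in extracted binary"
  - tool_id: scdbgc
    platform: linux
    purpose: "Emulate extracted shellcode"
  - tool_id: runsc32
    platform: windows
    purpose: "Execute shellcode for dynamic analysis"
  - tool_id: x32dbg
    platform: windows
    purpose: "Debug shellcode execution"
  - tool_id: rar
    platform: linux
    purpose: "Extract self-extracting RAR payloads"
  key_techniques:
  - rtf-structure-analysis
  - shellcode-detection
  - shellcode-emulation
  - self-extracting-archive-analysis
  prerequisite_labs: ["3.4"]
  tags: [rtf, shellcode, exploitation, rar]
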
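# Lab 3.6: two deobfuscation routes for the same script — SpiderMonkey on Linux,
# then cscript under an AMSI event trace on Windows; no prerequisite_labs.
- id: "3.6"
  section: 3
  title: "Deobfuscating loveyou.js with SpiderMonkey"
  sample: "loveyou.js"
  analysis_type: javascript-deobfuscation
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: js-beautify
    platform: linux
    purpose: "Format obfuscated JavaScript for readability"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "Review beautified code"
  - tool_id: spidermonkey
    platform: linux
    purpose: "Execute JavaScript with objects.js to deobfuscate"
  - tool_id: cscript
    platform: windows
    purpose: "Execute JavaScript for AMSI monitoring"
  - tool_id: logman
    platform: windows
    purpose: "Start AMSI event trace session"
  - tool_id: amsiscriptcontentretrieval
    platform: windows
    purpose: "Extract monitored script content from AMSI logs"
  - tool_id: notepadpp
    platform: windows
    purpose: "View extracted AMSI output"
  key_techniques:
  - javascript-beautification
  - spidermonkey-execution
  - objects-js-simulation
  - amsi-monitoring
  tags: [javascript, deobfuscation, spidermonkey, amsi]
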
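# Lab 3.7: spidermonkey is intentionally listed twice — a first run that fails on the
# missing location.href, then a re-run after objects.js has been edited.
- id: "3.7"
  section: 3
  title: "Deobfuscating fgg.js Using SpiderMonkey"
  sample: "fgg.js"
  analysis_type: javascript-deobfuscation
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: spidermonkey
    platform: linux
    purpose: "Execute JavaScript (identify missing location.href)"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "Edit objects.js to set location.href"
  - tool_id: spidermonkey
    platform: linux
    purpose: "Re-execute with modified objects.js to deobfuscate"
  key_techniques:
  - environment-simulation
  - objects-js-customization
  - location-href-spoofing
  prerequisite_labs: ["3.6"]
  tags: [javascript, deobfuscation, spidermonkey]
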
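# Lab 3.8: start of the roomsvisitor.saz chain (3.8 -> 3.9 -> 3.10 -> 3.11 -> 3.12);
# cyberchef is tagged platform "both" here, unlike its "linux" entries in section 1.
- id: "3.8"
  section: 3
  title: "Decoding the Initial Script with Fiddler and CyberChef"
  sample: "roomsvisitor.saz"
  analysis_type: web-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Load captured HTTP traffic and follow redirect chain"
  - tool_id: notepadpp
    platform: windows
    purpose: "View Base64-encoded PowerShell command"
  - tool_id: cyberchef
    platform: both
    purpose: "Decode Base64 and UTF-16LE to reveal PowerShell"
  key_techniques:
  - redirect-chain-analysis
  - base64-decoding
  - utf16-decoding
  - powershell-extraction
  prerequisite_labs: ["3.2"]
  tags: [web, base64, powershell, cyberchef]
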
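# Lab 3.9: Windows-only; the script is debugged in PowerShell ISE rather than run blind.
- id: "3.9"
  section: 3
  title: "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE"
  sample: "wrcaf.ps1"
  analysis_type: powershell-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Extract PowerShell script from HTTP traffic"
  - tool_id: notepadpp
    platform: windows
    purpose: "Initial script viewing"
  - tool_id: powershell-ise
    platform: windows
    purpose: "Debug script with breakpoints to extract decoded payload"
  key_techniques:
  - powershell-debugging
  - breakpoint-usage
  - variable-extraction
  - invoke-expression-interception
  prerequisite_labs: ["3.8"]
  tags: [powershell, debugging, deobfuscation]
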
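# Lab 3.10: id "3.10" must stay a quoted string — unquoted it would parse as the
# float 3.1 and collide with lab 3.1. Two samples are listed in one sample field.
- id: "3.10"
  section: 3
  title: "Examining Package.exe and iviewers.dll with PeStudio and x32dbg"
  sample: "Package.exe, iviewers.dll"
  analysis_type: code-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Extract Package.exe from HTTP traffic"
  - tool_id: pestudio
    platform: windows
    purpose: "Examine digital signature and PE properties"
  - tool_id: x32dbg
    platform: windows
    purpose: "Debug DLL loading and CreateProcessW calls"
  - tool_id: notepadpp
    platform: windows
    purpose: "View extracted PowerShell command parameters"
  key_techniques:
  - digital-signature-analysis
  - dll-sideloading
  - createprocess-breakpoints
  - multi-stage-payload
  prerequisite_labs: ["3.9"]
  tags: [dll, debugging, digital-signature, sideloading]
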
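# Lab 3.11: same three-tool Windows workflow as 3.9, applied to the next script in the chain.
- id: "3.11"
  section: 3
  title: "Decoding iubn.ps1 With Fiddler and PowerShell ISE"
  sample: "iubn.ps1"
  analysis_type: powershell-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Extract PowerShell script from HTTP traffic"
  - tool_id: notepadpp
    platform: windows
    purpose: "Initial script examination"
  - tool_id: powershell-ise
    platform: windows
    purpose: "Debug and decode layered PowerShell"
  key_techniques:
  - powershell-debugging
  - invoke-expression-interception
  - out-file-extraction
  - dotnet-assembly-download
  prerequisite_labs: ["3.10"]
  tags: [powershell, debugging, dotnet-loading]
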
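# Lab 3.12: end of the roomsvisitor.saz chain; two samples in one sample field.
- id: "3.12"
  section: 3
  title: "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef"
  sample: "rwvg1.exe, ersyb.exe"
  analysis_type: dotnet-analysis
  tools_used:
  - tool_id: fiddler
    platform: windows
    purpose: "Extract .NET assembly from HTTP traffic"
  - tool_id: pestudio
    platform: windows
    purpose: "Confirm .NET assembly"
  - tool_id: ilspy
    platform: windows
    purpose: "Decompile .NET to view C# source code"
  - tool_id: cyberchef
    platform: both
    purpose: "Decode Base64 + XOR payload"
  - tool_id: exeinfo-pe
    platform: windows
    purpose: "Identify second-stage .NET binary"
  key_techniques:
  - dotnet-decompilation
  - runtime-compilation-analysis
  - base64-xor-decoding
  - csharpcodeprovider-analysis
  prerequisite_labs: ["3.11"]
  tags: [dotnet, decompilation, cyberchef, multi-stage]
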
# ============================================================
# SECTION 4: IN-DEPTH MALWARE ANALYSIS
# ============================================================
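# Lab 4.1: section entry point (no prerequisite_labs); the sample field distinguishes
# the packed build of brbbot.exe from the section-1 sample.
- id: "4.1"
  section: 4
  title: "Assessing the Packed brbbot.exe File"
  sample: "brbbot.exe (packed)"
  analysis_type: unpacking
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract packed sample"
  - tool_id: pestudio
    platform: windows
    purpose: "Examine entropy, sections, and packing indicators"
  - tool_id: diec
    platform: linux
    purpose: "Identify packer (UPX detection)"
  key_techniques:
  - entropy-analysis
  - section-examination
  - packer-identification
  tags: [packing, entropy, detection, triage]
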
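# Lab 4.2: the upx step is expected to fail (modified UPX) — it is recorded to show why
# the manual memory-dump route is needed. ASLR is disabled so addresses stay stable.
- id: "4.2"
  section: 4
  title: "Dumping and Fixing brbbot.exe Using Scylla"
  sample: "brbbot.exe (packed)"
  analysis_type: unpacking
  tools_used:
  - tool_id: upx
    platform: linux
    purpose: "Attempt automated unpacking (fails — modified UPX)"
  - tool_id: setdllcharacteristics
    platform: windows
    purpose: "Disable ASLR for consistent memory addresses"
  - tool_id: system-informer
    platform: windows
    purpose: "Verify process is running after infection"
  - tool_id: scylla
    platform: windows
    purpose: "Dump unpacked process from memory and fix IAT"
  - tool_id: pestudio
    platform: windows
    purpose: "Verify dumped file is valid PE"
  key_techniques:
  - aslr-disabling
  - process-dumping
  - iat-reconstruction
  - scylla-workflow
  prerequisite_labs: ["4.1"]
  tags: [unpacking, scylla, iat, memory-dump]
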
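# Lab 4.3: alternative unpacking route to 4.2 — same sample, same prerequisite,
# but dumping from inside the debugger; scylla is used here as an x64dbg plugin.
- id: "4.3"
  section: 4
  title: "Unpacking brbbot.exe by Using x64dbg and OllyDumpEx"
  sample: "brbbot.exe (packed)"
  analysis_type: unpacking
  tools_used:
  - tool_id: x64dbg
    platform: windows
    purpose: "Debug to locate unpacker JMP to OEP"
  - tool_id: ollydumpex
    platform: windows
    purpose: "Dump unpacked process from within debugger"
  - tool_id: scylla
    platform: windows
    purpose: "Fix IAT in dumped executable (as x64dbg plugin)"
  key_techniques:
  - oep-detection
  - unpacker-breakpoints
  - memory-dumping
  - iat-fixing
  prerequisite_labs: ["4.1"]
  tags: [unpacking, debugger, oep, ollydumpex]
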
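# Lab 4.4: single-tool debugging lab on the packed brbbot.exe.
- id: "4.4"
  section: 4
  title: "Debugging the Packed Version of brbbot.exe"
  sample: "brbbot.exe (packed)"
  analysis_type: debugging
  tools_used:
  - tool_id: x64dbg
    platform: windows
    purpose: "Set hardware breakpoints on CryptDecrypt to analyze packed runtime behavior"
  key_techniques:
  - hardware-breakpoints
  - api-interception
  - packed-runtime-analysis
  prerequisite_labs: ["4.1"]
  tags: [debugging, packed-malware, hardware-breakpoints]
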
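# Lab 4.5: longest workflow in the catalog (12 tools) and the only one that moves
# artifacts between hosts (winscp to REMnux) mid-lab; no prerequisite_labs.
- id: "4.5"
  section: 4
  title: "Analyzing Multi-Technology Specimen PDFXCview.exe"
  sample: "PDFXCview.exe"
  analysis_type: code-analysis
  tools_used:
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor process creation and child processes"
  - tool_id: process-monitor
    platform: windows
    purpose: "Capture file system and registry activity"
  - tool_id: procdot
    platform: windows
    purpose: "Visualize multi-stage execution"
  - tool_id: regedit
    platform: windows
    purpose: "Examine registry keys created by malware"
  - tool_id: reg-export
    platform: windows
    purpose: "Extract JavaScript stored in registry to file"
  - tool_id: winscp
    platform: windows
    purpose: "Transfer artifacts to REMnux for analysis"
  - tool_id: spidermonkey
    platform: linux
    purpose: "Deobfuscate JavaScript component"
  - tool_id: js-beautify
    platform: linux
    purpose: "Format decoded JavaScript for readability"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "View and analyze decoded scripts"
  - tool_id: base64dump-py
    platform: linux
    purpose: "Decode Base64-encoded payloads"
  - tool_id: notepadpp
    platform: windows
    purpose: "View decoded scripts"
  - tool_id: powershell-ise
    platform: windows
    purpose: "Debug PowerShell component"
  key_techniques:
  - multi-technology-analysis
  - registry-based-malware
  - fileless-techniques
  - cross-platform-workflow
  tags: [multi-stage, javascript, powershell, behavioral]
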
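# Lab 4.6: the sample is shellcode carved in 4.5, not a standalone file; scdbgc is
# tagged platform "both" here, whereas sections 3 list it as "linux".
- id: "4.6"
  section: 4
  title: "Examining Capabilities of Shellcode Used by PDFXCview.exe"
  sample: "Shellcode from PDFXCview.exe"
  analysis_type: shellcode-analysis
  tools_used:
  - tool_id: scdbgc
    platform: both
    purpose: "Emulate shellcode to identify API calls"
  - tool_id: runsc32
    platform: windows
    purpose: "Execute shellcode for dynamic analysis"
  - tool_id: x32dbg
    platform: windows
    purpose: "Debug shellcode execution and examine parameters"
  key_techniques:
  - shellcode-emulation
  - shellcode-debugging
  - api-parameter-analysis
  prerequisite_labs: ["4.5"]
  tags: [shellcode, emulation, debugging]
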
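# Lab 4.7: continues 4.6 on the same shellcode; Windows-only.
- id: "4.7"
  section: 4
  title: "Unpacking Shellcode That Was Used by PDFXCview.exe"
  sample: "Shellcode from PDFXCview.exe"
  analysis_type: shellcode-analysis
  tools_used:
  - tool_id: x32dbg
    platform: windows
    purpose: "Set breakpoints on VirtualAlloc to track memory allocation"
  - tool_id: pestudio
    platform: windows
    purpose: "Verify dumped PE from allocated memory"
  key_techniques:
  - virtualalloc-breakpoints
  - multi-stage-shellcode
  - memory-dumping
  prerequisite_labs: ["4.6"]
  tags: [shellcode, unpacking, virtualalloc]
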
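# Lab 4.8: .NET workflow with a Linux decompile pass (ilspycmd) before the Windows
# debugging pass (dnspyex, ilspy, de4dot); no prerequisite_labs.
- id: "4.8"
  section: 4
  title: "Examining .NET Malware chatroom.exe"
  sample: "chatroom.exe"
  analysis_type: dotnet-analysis
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: peframe
    platform: linux
    purpose: "Identify as .NET with high entropy (packed)"
  - tool_id: pestr
    platform: linux
    purpose: "Extract strings"
  - tool_id: ilspycmd
    platform: linux
    purpose: "Decompile .NET assembly on command line"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "Search decompiled code for Assembly.Load"
  - tool_id: dnspyex
    platform: windows
    purpose: "Debug .NET with breakpoints to extract in-memory assembly"
  - tool_id: pestudio
    platform: windows
    purpose: "Examine dumped assembly"
  - tool_id: ilspy
    platform: windows
    purpose: "Decompile dumped assembly"
  - tool_id: de4dot
    platform: windows
    purpose: "Deobfuscate .NET assembly"
  key_techniques:
  - dotnet-decompilation
  - reflective-loading-detection
  - assembly-load-breakpoints
  - in-memory-dumping
  - dotnet-deobfuscation
  tags: [dotnet, debugging, deobfuscation, reflective-loading]
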
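# Lab 4.9: single-tool Ghidra lab; depends on 2.1 rather than on any section-4 lab.
- id: "4.9"
  section: 4
  title: "Examining Code Injection Capabilities of great.exe"
  sample: "great.exe"
  analysis_type: code-injection
  tools_used:
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code"
  key_techniques:
  - createremotethread-analysis
  - virtualallocex-identification
  - process-enumeration
  - createtoolhelp32snapshot
  prerequisite_labs: ["2.1"]
  tags: [code-injection, api-analysis, ghidra]
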
# ============================================================
# SECTION 5: EXAMINING SELF-DEFENDING MALWARE
# ============================================================
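# Lab 5.1: section entry point (no prerequisite_labs); getdown.exe reappears from 1.8.
- id: "5.1"
  section: 5
  title: "Patching getdown.exe to Bypass Debugger Detection"
  sample: "getdown.exe"
  analysis_type: anti-analysis
  tools_used:
  - tool_id: wireshark
    platform: linux
    purpose: "Monitor network traffic"
  - tool_id: system-informer
    platform: windows
    purpose: "Monitor process behavior"
  - tool_id: x64dbg
    platform: windows
    purpose: "Identify and patch IsDebuggerPresent check"
  key_techniques:
  - isdebuggerpresent-bypass
  - instruction-patching
  - conditional-jump-modification
  tags: [anti-debugging, patching, isdebuggerpresent]
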
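# Lab 5.2: three samples in one sample field; the tool list runs from cheap pattern
# searches (xorsearch, strings) to automated extraction (floss).
- id: "5.2"
  section: 5
  title: "Deobfuscating Strings Encoded Using Simple and Common Algorithms"
  sample: "getdown.exe, hubert.dll, 9.exe"
  analysis_type: string-deobfuscation
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract samples"
  - tool_id: xorsearch
    platform: linux
    purpose: "Search for XOR-encoded patterns"
  - tool_id: strings
    platform: linux
    purpose: "Extract readable strings"
  - tool_id: brxor-py
    platform: linux
    purpose: "Brute-force XOR key detection"
  - tool_id: bbcrack
    platform: linux
    purpose: "Detect XOR/ROL/ADD obfuscation algorithms"
  - tool_id: ghidra
    platform: windows
    purpose: "Analyze deobfuscation routines in code"
  - tool_id: strdeob-pl
    platform: linux
    purpose: "Decode stack-built strings"
  - tool_id: floss
    platform: linux
    purpose: "Automatically extract all obfuscated strings"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "View deobfuscation results"
  key_techniques:
  - xor-brute-forcing
  - stack-string-decoding
  - automated-string-extraction
  - obfuscation-algorithm-identification
  prerequisite_labs: ["2.1"]
  tags: [strings, xor, deobfuscation, floss]
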
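# Lab 5.3: scyllahide is listed alongside x32dbg because the sample checks for a debugger.
- id: "5.3"
  section: 5
  title: "Unpacking drtg.exe"
  sample: "drtg.exe"
  analysis_type: unpacking
  tools_used:
  - tool_id: unzip
    platform: linux
    purpose: "Extract sample"
  - tool_id: floss
    platform: linux
    purpose: "Extract strings to assess packing"
  - tool_id: visual-studio-code
    platform: linux
    purpose: "View FLOSS output"
  - tool_id: x32dbg
    platform: windows
    purpose: "Debug with RtlDecompressBuffer breakpoints"
  - tool_id: scyllahide
    platform: windows
    purpose: "Hide debugger from anti-debugging checks"
  - tool_id: pestudio
    platform: windows
    purpose: "Verify unpacked dump"
  key_techniques:
  - rtldecompressbuffer-interception
  - debugger-hiding
  - exception-configuration
  - memory-dumping
  prerequisite_labs: ["5.2"]
  tags: [unpacking, anti-debugging, decompression]
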
# Lab 5.4 — unpacking a sample that uses process hollowing. Tool entries
# are listed in the order the workbook uses them; depends on lab 5.3.
- id: "5.4"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Unpacking WinHost32.exe"
  sample: "WinHost32.exe"
  analysis_type: unpacking
  tools_used:
    # Linux side: extraction and capability triage.
    - tool_id: unzip
      platform: linux
      purpose: "Extract sample"
    - tool_id: capa
      platform: linux
      purpose: "Identify process hollowing capability"
    # Windows side: static review of the injection API sequence, then a
    # debugger breakpoint to recover the injected PE and verify it.
    - tool_id: ghidra
      platform: windows
      purpose: "Analyze CreateProcess(SUSPENDED), VirtualAllocEx, WriteProcessMemory"
    - tool_id: x32dbg
      platform: windows
      purpose: "Set breakpoint on WriteProcessMemory to catch injected PE"
    - tool_id: pestudio
      platform: windows
      purpose: "Verify dumped PE from process hollowing"
  key_techniques:
    - process-hollowing-detection
    - create-suspended-analysis
    - writeprocessmemory-breakpoints
    # NOTE(review): this slug is a bare API name; the other technique slugs
    # describe an action (e.g. writeprocessmemory-breakpoints). Consider
    # aligning it with that convention if the slug is not already referenced
    # elsewhere in the pipeline.
    - ntunmapviewofsection
  # Lab ids are quoted: an unquoted 5.3 would parse as a number.
  prerequisite_labs:
    - "5.3"
  tags:
    - process-hollowing
    - code-injection
    - unpacking
# Lab 5.5 — anti-analysis: how the sample detects a sandbox via a mouse
# hook. Tool entries are in workbook order; depends on lab 2.1.
- id: "5.5"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Examining the Anti-Sandbox Defensive Capability of vbprop.exe"
  sample: "vbprop.exe"
  analysis_type: anti-analysis
  tools_used:
    # Static review of the hook installation first, then dynamic
    # confirmation of the hook and its handler in the debugger.
    - tool_id: ghidra
      platform: windows
      purpose: "Analyze SetWindowsHookExA for mouse event interception"
    - tool_id: x32dbg
      platform: windows
      purpose: "Debug hook installation and handler"
  key_techniques:
    - setwindowshookex-analysis
    - mouse-hook-detection
    - sandbox-evasion
  # Lab ids are quoted: an unquoted 2.1 would parse as a number.
  prerequisite_labs:
    - "2.1"
  tags:
    - anti-sandbox
    - hooks
    - evasion
# Lab 5.6 — anti-analysis: the sample's checks for analysis tooling and
# virtual machines. Tool entries are in workbook order; depends on lab 2.1.
- id: "5.6"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Examining the Toolkit Detection Capabilities of raas.exe"
  sample: "raas.exe"
  analysis_type: anti-analysis
  tools_used:
    # Debugger-driven walk-through, with the debugger itself concealed
    # from the sample's detection checks.
    - tool_id: x32dbg
      platform: windows
      purpose: "Step through toolkit detection routines"
    - tool_id: scyllahide
      platform: windows
      purpose: "Hide debugger from detection checks"
  key_techniques:
    - getmodulehandle-checks
    - findwindow-checks
    - process-enumeration
    - registry-vm-detection
    - blockinput-bypass
  # Lab ids are quoted: an unquoted 2.1 would parse as a number.
  prerequisite_labs:
    - "2.1"
  tags:
    - anti-analysis
    - toolkit-detection
    - vm-detection
# Lab 5.7 — anti-analysis: structured exception handling used as a defense.
# Single-tool lab; depends on lab 2.1. Lab 5.8 continues with this sample.
- id: "5.7"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Understanding the SEH Defense in want.exe"
  sample: "want.exe"
  analysis_type: anti-analysis
  tools_used:
    - tool_id: x32dbg
      platform: windows
      purpose: "Analyze SEH chain setup and exception handler execution"
  key_techniques:
    - seh-manipulation
    - exception-handler-analysis
    - fs-segment-usage
    - seh-breakpoints
  # Lab ids are quoted: an unquoted 2.1 would parse as a number.
  prerequisite_labs:
    - "2.1"
  tags:
    - seh
    - anti-analysis
    - exception-handling
# Lab 5.8 — unpacking the lab 5.7 sample once its SEH defense is
# understood. Tool entries are in workbook order; depends on lab 5.7.
- id: "5.8"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Unpacking want.exe Using a Stack Breakpoint"
  sample: "want.exe"
  analysis_type: unpacking
  tools_used:
    # Locate the end of unpacking, dump the process, repair the import
    # table, then verify the result statically.
    - tool_id: x32dbg
      platform: windows
      purpose: "Set stack breakpoint to detect unpacking completion"
    - tool_id: ollydumpex
      platform: windows
      purpose: "Dump unpacked process from memory"
    - tool_id: scylla
      platform: windows
      purpose: "Reconstruct IAT in dumped executable"
    - tool_id: pestudio
      platform: windows
      purpose: "Verify unpacked PE"
  key_techniques:
    - stack-breakpoints
    - oep-detection-via-stack
    - memory-dumping
    - iat-reconstruction
  # Lab ids are quoted: an unquoted 5.7 would parse as a number.
  prerequisite_labs:
    - "5.7"
  tags:
    - unpacking
    - stack-breakpoint
    - seh
# Lab 5.9 — anti-analysis: a sample layering several self-defensive
# measures. Tool entries are in workbook order; depends on lab 2.1.
- id: "5.9"  # quoted so the id stays a string rather than a float
  section: 5
  title: "Bypassing Self-Defensive Measures in lansrv.exe"
  sample: "lansrv.exe"
  analysis_type: anti-analysis
  tools_used:
    # Static identification of the TLS callback, then debugger work on
    # the callback and the anti-debugging checks it reaches.
    - tool_id: pestudio
      platform: windows
      purpose: "Identify TLS callback in thread-local-storage section"
    - tool_id: x32dbg
      platform: windows
      purpose: "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override"
  key_techniques:
    - tls-callback-analysis
    - isdebuggerpresent-bypass
    - segment-register-patching
    - xor-decoding-loop
    - multi-defense-bypass
  # Lab ids are quoted: an unquoted 2.1 would parse as a number.
  prerequisite_labs:
    - "2.1"
  tags:
    - tls-callback
    - anti-debugging
    - patching
    - multi-defense
# Lab 5.10 — unpacking via API breakpoints and a raw-alignment fix-up.
# Tool entries are in workbook order; depends on lab 5.8.
# The id MUST stay quoted: an unquoted 5.10 parses as the float 5.1 and
# would collide with lab 5.1.
- id: "5.10"
  section: 5
  title: "Unpacking yep.exe with the Help of x32dbg and pe_unmapper"
  sample: "yep.exe"
  analysis_type: unpacking
  tools_used:
    # Static triage, then debugger breakpoints on the loader APIs, then
    # post-processing of the memory dump so it is a valid on-disk PE.
    - tool_id: pestudio
      platform: windows
      purpose: "Initial analysis — note gibberish strings indicating packing"
    - tool_id: x32dbg
      platform: windows
      purpose: "Set breakpoints on LoadLibraryA and VirtualProtect"
    - tool_id: xanalyzer
      platform: windows
      purpose: "Enhanced analysis showing API parameters"
    - tool_id: pe-unmapper  # referred to as pe_unmapper in the lab title
      platform: windows
      purpose: "Convert virtual-aligned dump to raw alignment"
    - tool_id: scylla
      platform: windows
      purpose: "Fix IAT in unmapped executable"
  key_techniques:
    - loadlibrary-breakpoints
    - virtualprotect-breakpoints
    - memory-region-dumping
    - virtual-to-raw-alignment
    - oep-anticipation
  # Lab ids are quoted: an unquoted 5.8 would parse as a number.
  prerequisite_labs:
    - "5.8"
  tags:
    - unpacking
    - pe-unmapper
    - virtualprotect
    - loadlibrary