irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
f3ccc09c3df0c785d7efed5e1464c81966290a7b
docker_file_analysis/data/for610/workflows.yaml
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

589 lines
35 KiB
YAML
Raw Blame History

# REMnux Analysis Workflows
# Generic, reusable workflows for malware and forensic analysis
# All use <sample>, <document>, <file> placeholders — not tied to specific specimens
# Tools marked [W] are Windows-only; all others available in REMnux container
workflows:
# ============================================================
# 1. STATIC ANALYSIS
# ============================================================
- id: static-analysis-workflow
name: "Static Properties Analysis"
description: "Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents."
steps:
- order: 1
name: "File Identification & Hashing"
tools: [file, trid, exiftool, sha256sum]
description: "Determine file type using magic bytes. Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps."
- order: 2
name: "Reputation Check"
tools: [malwoverview, virustotal-search]
description: "Look up hash on VirusTotal/MalwareBazaar. If known malware, note family name and detection rate. If clean or unknown, continue analysis."
- order: 3
name: "Packing & Entropy Check"
tools: [diec, peframe]
description: "Check for packing indicators and high entropy sections. Look for: unusual section names, small import table, high entropy (>7.0). If packed, consider the Unpacking Workflow."
- order: 4
name: "String Extraction"
tools: [strings, floss, pestr]
description: "Extract readable strings. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names."
- order: 5
name: "Capability Detection"
tools: [capa, yara]
description: "Identify capabilities mapped to MITRE ATT&CK. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities."
- order: 6
name: "Import & Export Analysis"
tools: [peframe, capa]
description: "Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32), crypto (advapi32), process manipulation (kernel32). Check exports for DLL functionality."
- order: 7
name: "Disassembly (if needed)"
tools: [ghidra, cutter, radare2]
description: "Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view."
- order: 8
name: "Document Findings"
tools: []
description: "Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?"
related_labs: ["1.1", "2.1", "4.1"]
tags: [static, triage, pe-analysis, elf-analysis]
# ============================================================
# 2. BEHAVIORAL ANALYSIS
# ============================================================
- id: behavioral-analysis-workflow
name: "Behavioral Analysis"
description: "Monitor runtime behavior in an isolated environment. Applicable to any executable or script on Linux (REMnux) or Windows."
steps:
- order: 1
name: "Environment Preparation"
tools: []
description: "Revert to clean snapshot. Disconnect from production network. Verify isolation (host-only networking). Set max execution time (2-5 minutes)."
- order: 2
name: "Network Interception Setup"
tools: [fakedns, inetsim, fakenet-ng]
description: "Start fake DNS and service emulation so malware gets responses. On REMnux: fakedns for DNS, INetSim or FakeNet-NG for HTTP/HTTPS/SMTP/FTP."
- order: 3
name: "Monitoring Setup"
tools: [wireshark, tcpdump, strace]
description: "Start packet capture (wireshark or tcpdump). On Linux: strace/ltrace for syscalls. Start filesystem monitoring."
- order: 4
name: "Emulation (Safe Alternative)"
tools: [speakeasy, capa]
description: "Before live execution, try emulation: speakeasy emulates Windows API calls on Linux safely. Use capa -vv for capability overview."
- order: 5
name: "Execute & Monitor"
tools: []
description: "Run the sample with a timeout. Monitor for: new processes spawned, files created/modified, network connections, DNS queries. Kill after 2-5 minutes."
- order: 6
name: "Analyze Results"
tools: [wireshark, procdot]
description: "Review network capture: follow TCP streams, extract payloads, identify C2 patterns. Analyze process activity logs. Map filesystem changes."
- order: 7
name: "Extract IOCs"
tools: []
description: "Document: contacted domains/IPs, created files/registry keys, spawned processes, persistence mechanisms. Classify behavior: downloader, backdoor, ransomware, etc."
related_labs: ["1.2", "1.4", "1.6", "4.5"]
tags: [behavioral, dynamic, monitoring, emulation]
# ============================================================
# 3. NETWORK INTERCEPTION
# ============================================================
- id: network-interception-workflow
name: "Network Traffic Interception"
description: "Redirect and analyze malware network traffic in an isolated REMnux environment. Covers DNS, HTTP, HTTPS, and raw IP interception."
steps:
- order: 1
name: "DNS Interception"
tools: [fakedns]
description: "Start fakedns to resolve ALL domains to REMnux IP. Verify: nslookup any-domain.com should return your REMnux IP."
- order: 2
name: "Service Emulation"
tools: [inetsim, fakenet-ng, httpd]
description: "Choose emulator based on needed protocols. INetSim: HTTP, HTTPS, DNS, FTP, SMTP (most complete). FakeNet-NG: similar but different engine. httpd: simple HTTP only."
- order: 3
name: "TLS/HTTPS Interception (if needed)"
tools: [mitmproxy, polarproxy]
description: "For HTTPS C2: mitmproxy as transparent proxy, or PolarProxy for TLS decryption. Install proxy CA cert on analysis machine if needed."
- order: 4
name: "Packet Capture"
tools: [wireshark, tcpdump]
description: "Start capture before executing malware. Filter: not arp and not broadcast. Save to PCAP for later analysis."
- order: 5
name: "Execute & Observe"
tools: []
description: "Run malware on analysis VM. Watch for: DNS queries (domain names), HTTP requests (URLs, user-agents), raw TCP connections (IP:port)."
- order: 6
name: "Traffic Analysis"
tools: [wireshark, tshark, ngrep, tcpflow]
description: "Follow TCP streams for full request/response. Use ngrep for pattern search across packets. Use tcpflow to extract individual streams. Identify beaconing (regular intervals)."
- order: 7
name: "File Extraction"
tools: [tcpxtract, networkminer]
description: "Carve files from PCAP: downloaded payloads, exfiltrated data, second-stage malware. NetworkMiner does this automatically."
- order: 8
name: "IP-Based Redirection (if needed)"
tools: [iptables]
description: "If malware uses hardcoded IPs (no DNS): iptables -t nat -A PREROUTING -i eth0 -j REDIRECT. This redirects ALL traffic to local services."
- order: 9
name: "Document Network IOCs"
tools: []
description: "Record: C2 domains/IPs, URI paths, user-agent strings, beacon intervals, downloaded file hashes, TLS certificate details."
related_labs: ["1.3", "1.7", "1.8"]
tags: [network, interception, c2, dns, https, pcap]
# ============================================================
# 4. DOCUMENT ANALYSIS
# ============================================================
- id: document-analysis-workflow
name: "Malicious Document Analysis"
description: "Analyze suspicious documents (PDF, Office, RTF, OneNote) for embedded malware, macros, and exploits. Follows Zeltser's 6-step methodology."
steps:
- order: 1
name: "Format Identification"
tools: [file, trid]
description: "Identify true format: OLE2 (legacy Office), OOXML (modern Office), RTF, PDF, OneNote. Don't trust the file extension — use magic bytes."
- order: 2
name: "Structure Analysis"
tools: [oledump-py, rtfdump-py, pdfid-py, pdf-parser-py, onedump-py]
description: "Parse document internals. For Office: oledump.py to list streams (M = macro). For PDF: pdfid.py for risky keywords (/JavaScript, /OpenAction). For RTF: rtfdump.py for hex-heavy groups."
- order: 3
name: "Password Handling (if encrypted)"
tools: [msoffcrypto-tool]
description: "If document is password-protected: msoffcrypto-tool -p <password> <input> <output>. Common passwords: infected, malware, password, 123456."
- order: 4
name: "Macro/Script Extraction"
tools: [oledump-py, olevba, pcode2code, XLMMacroDeobfuscator]
description: "Extract VBA: oledump.py -s <stream> -v. For p-code: pcode2code. For Excel 4.0 macros: XLMMacroDeobfuscator. Check olevba for auto-execute triggers (AutoOpen, Document_Open)."
- order: 5
name: "Payload Decoding"
tools: [base64dump-py, translate-py, gunzip, numbers-to-string-py, cyberchef]
description: "Decode embedded payloads. Common chains: Base64 → gunzip → XOR. Use CyberChef for visual multi-step decoding. translate.py for byte-level transforms (byte ^ key)."
- order: 6
name: "Embedded Object Analysis"
tools: [scdbgc, xorsearch, yara, 1768-py]
description: "If shellcode found: emulate with scdbgc. Scan for known patterns (YARA). Check for Cobalt Strike beacons (1768.py). Route PE payloads to Static Analysis Workflow."
- order: 7
name: "Document IOCs"
tools: []
description: "Record: embedded URLs, downloaded payload hashes, C2 addresses, macro behavior (what APIs called), exploit type (CVE if applicable)."
related_labs: ["3.1", "3.3", "3.4", "3.5"]
tags: [documents, office, pdf, rtf, macro, onenote]
# ============================================================
# 5. JAVASCRIPT DEOBFUSCATION
# ============================================================
- id: javascript-deobfuscation-workflow
name: "JavaScript Deobfuscation"
description: "Deobfuscate and analyze malicious JavaScript from web pages, email attachments, or document macros."
steps:
- order: 1
name: "Beautification"
tools: [js-beautify]
description: "Format minified/compressed JavaScript for readability. Look for: eval() calls, document.write(), String.fromCharCode(), unescape(), atob()."
- order: 2
name: "Static Review"
tools: [visual-studio-code]
description: "Identify obfuscation layers. Search for: eval/Function constructor (code execution), long encoded strings, variable name patterns (single chars = likely obfuscated)."
- order: 3
name: "Safe Execution (SpiderMonkey)"
tools: [spidermonkey]
description: "Execute outside browser with objects.js to simulate browser/WScript APIs. Command: js -f /usr/share/remnux/objects.js -f <script.js>. Captures eval'd code without running it."
- order: 4
name: "Environment Tuning"
tools: [visual-studio-code]
description: "If script expects specific environment (location.href, navigator.userAgent): edit objects.js to provide expected values. Re-run SpiderMonkey."
- order: 5
name: "Alternative Analysis"
tools: [box-js, jstillery]
description: "box-js: Node.js sandbox with WScript emulation. JStillery: AST-based deobfuscation. Use when SpiderMonkey can't handle the obfuscation."
- order: 6
name: "Payload Identification"
tools: []
description: "What does the deobfuscated JS do? Common patterns: download & execute (dropper), redirect to exploit kit, credential harvesting. Extract all URLs, IPs, file paths."
related_labs: ["3.6", "3.7"]
tags: [javascript, deobfuscation, spidermonkey, box-js, web]
# ============================================================
# 6. UNPACKING
# ============================================================
- id: unpacking-workflow
name: "Unpacking Packed Executables"
description: "Unpack compressed, encrypted, or obfuscated executables to reveal the original code. Covers automated and manual techniques."
steps:
- order: 1
name: "Packing Identification"
tools: [diec, peframe]
description: "Identify packer: DIE detects UPX, ASPack, PECompact, Themida, etc. Check entropy (>7.0 suggests packing). Look for: few imports, unusual section names (.UPX, .packed)."
- order: 2
name: "Automated Unpacking"
tools: [upx, de4dot]
description: "Try known unpackers first. UPX: upx -d <sample>. .NET: de4dot <sample>. If automated unpacking fails (modified packer), proceed to manual."
- order: 3
name: "Emulation-Based Unpacking"
tools: [speakeasy, qiling]
description: "Emulate execution to let the unpacker run. Speakeasy and Qiling can trace API calls during unpacking without a debugger. Look for VirtualAlloc followed by memcpy patterns."
- order: 4
name: "Debugger-Based Unpacking [W]"
tools: [x64dbg, x32dbg]
description: "Set breakpoints on: VirtualAlloc/VirtualProtect (memory allocation), tail JMP to OEP (end of unpacker), or stack breakpoint (ESP trick). Step to OEP."
- order: 5
name: "Anti-Debug Bypass [W]"
tools: [scyllahide]
description: "If malware detects debugger: enable ScyllaHide. Handles IsDebuggerPresent, NtQueryInformationProcess, timing checks."
- order: 6
name: "Memory Dumping [W]"
tools: [ollydumpex, scylla]
description: "At OEP: dump process with OllyDumpEx. Fix IAT with Scylla (IAT Autosearch → Get Imports → Fix Dump)."
- order: 7
name: "PE Fixup [W]"
tools: [pe-unmapper]
description: "If dump has virtual alignment: pe_unmapper /in <dump> /base 400000 /out <fixed>. Only needed if sections have wrong raw sizes."
- order: 8
name: "Verification"
tools: [strings, peframe, capa]
description: "Verify: strings are now visible, imports are reasonable, capa detects capabilities. If good, route to Static Analysis Workflow for full analysis."
related_labs: ["4.1", "4.2", "4.3", "5.3", "5.8", "5.10"]
tags: [unpacking, packing, iat, memory-dump, oep]
# ============================================================
# 7. CODE INJECTION ANALYSIS
# ============================================================
- id: code-injection-workflow
name: "Code Injection Analysis"
description: "Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading."
steps:
- order: 1
name: "Capability Detection"
tools: [capa]
description: "Run capa to identify injection techniques. Look for: 'inject code', 'create suspended process', 'allocate RWX memory'. Note MITRE ATT&CK technique IDs."
- order: 2
name: "Injection Type Classification"
tools: [ghidra, cutter]
description: "Identify which technique: Classic DLL injection (LoadLibrary), Process Hollowing (CreateProcess SUSPENDED + NtUnmapViewOfSection), Reflective DLL (manual PE loading), APC injection (QueueUserAPC)."
- order: 3
name: "Target Process Analysis"
tools: [ghidra]
description: "How does malware choose its target? Look for: CreateToolhelp32Snapshot + Process32First/Next (enumeration), hardcoded process names (svchost.exe, explorer.exe), OpenProcess calls."
- order: 4
name: "Payload Identification"
tools: [ghidra]
description: "What gets injected? Trace data flow to WriteProcessMemory or NtWriteVirtualMemory. Is it: embedded PE, shellcode, encrypted blob? Check size and content."
- order: 5
name: "Memory Allocation Analysis"
tools: [ghidra]
description: "Examine VirtualAllocEx parameters: size (hints at payload type), protection flags (PAGE_EXECUTE_READWRITE = 0x40 = suspicious). Allocation address for base relocation."
- order: 6
name: "Injection Verification [W]"
tools: [x32dbg, x64dbg]
description: "Set breakpoint on WriteProcessMemory. When hit: examine lpBuffer (injected data), nSize (payload size). Dump the buffer to file for separate analysis."
- order: 7
name: "Extracted Payload Analysis"
tools: [peframe, capa, strings]
description: "Analyze the injected payload as standalone file. Route to: Static Analysis Workflow (if PE), Shellcode Workflow (if shellcode), .NET Workflow (if .NET assembly)."
- order: 8
name: "Document Technique"
tools: []
description: "Record: injection technique, target process criteria, payload type and hash, API call sequence, memory protection flags. Map to MITRE ATT&CK (T1055.x)."
related_labs: ["4.9", "5.4"]
tags: [code-injection, process-hollowing, dll-injection, reflective-loading]
# ============================================================
# 8. .NET ANALYSIS
# ============================================================
- id: dotnet-analysis-workflow
name: ".NET Malware Analysis"
description: "Analyze .NET malware using decompilation, debugging, and deobfuscation. Works for .NET Framework, .NET Core, and mixed-mode assemblies."
steps:
- order: 1
name: "Identification & Metadata"
tools: [peframe, diec, dnfile, dotnetfile]
description: "Confirm .NET binary (peframe shows 'CLR'). Check runtime version (.NET 2/4/Core). Use dnfile or dotnetfile for .NET-specific metadata. Note entry point and referenced assemblies."
- order: 2
name: "Obfuscator Detection"
tools: [diec, de4dot]
description: "Detect obfuscator: DIE identifies ConfuserEx, Eziriz .NET Reactor, Babel, etc. de4dot -d <sample> reports detected obfuscator without modifying the file."
- order: 3
name: "Decompilation"
tools: [ilspycmd, monodis]
description: "Decompile to C# source: ilspycmd <sample> > output.cs. On REMnux use ilspycmd (CLI). Examine: Main() entry, suspicious class/method names, embedded resources."
- order: 4
name: "Dynamic Loading Detection"
tools: [visual-studio-code]
description: "Search decompiled code for: Assembly.Load(byte[]), Assembly.LoadFrom(), Activator.CreateInstance(), MethodInfo.Invoke(), CSharpCodeProvider. These indicate runtime code loading."
- order: 5
name: "Deobfuscation"
tools: [de4dot]
description: "Run: de4dot <sample> -o <clean>. If de4dot fails: try with --dont-rename flag, or manually rename obfuscated symbols. For ConfuserEx: de4dot handles most variants."
- order: 6
name: "Dynamic Debugging [W]"
tools: [dnspyex]
description: "If static analysis insufficient: load in dnSpyEx, set breakpoint on Assembly.Load or suspicious method. Run and inspect Locals window for decrypted payloads. Save byte[] arrays to disk."
- order: 7
name: "Extracted Payload Analysis"
tools: [ilspycmd, peframe]
description: "Analyze extracted payload: is it another .NET assembly? (recurse this workflow). Is it a PE file? (route to Static Analysis). Document the unpacking chain."
- order: 8
name: "Document Findings"
tools: []
description: "Record: obfuscator type, .NET version, loading mechanism, payload hashes, C2 endpoints found in decompiled code, encryption keys/algorithms."
related_labs: ["3.12", "4.8"]
tags: [dotnet, decompilation, deobfuscation, ilspy, de4dot]
# ============================================================
# 9. SHELLCODE ANALYSIS (NEW)
# ============================================================
- id: shellcode-analysis-workflow
name: "Shellcode Analysis"
description: "Analyze extracted shellcode from documents, exploits, or injected processes. Covers detection, emulation, and payload identification."
steps:
- order: 1
name: "Shellcode Detection"
tools: [xorsearch, yara, capa]
description: "Scan carrier file for shellcode patterns. XORSearch -W -d 3 <file> detects common shellcode signatures even when XOR-encoded. YARA rules catch known frameworks."
- order: 2
name: "Extraction"
tools: [rtfdump-py, oledump-py, pdf-parser-py]
description: "Extract shellcode from carrier. For RTF: rtfdump.py -s <group> -H -d > sc.bin. For OLE: oledump.py -s <stream> -d > sc.bin. For PDF: pdf-parser.py -o <obj> -d sc.bin."
- order: 3
name: "Emulation"
tools: [scdbgc, speakeasy]
description: "Emulate without execution. scdbgc /f sc.bin /s -1 shows API calls. speakeasy -t sc.bin -r -a x86 for deeper emulation. Look for: URL downloads, file writes, process creation."
- order: 4
name: "Framework Identification"
tools: [yara, 1768-py]
description: "Check for known frameworks. 1768.py identifies Cobalt Strike beacons. YARA rules detect Metasploit, Cobalt Strike, custom frameworks. Document beacon config if found."
- order: 5
name: "Conversion to EXE"
tools: [shcode2exe]
description: "Convert shellcode to executable for static analysis: shcode2exe sc.bin sc.exe. Then analyze with peframe, strings, ghidra."
- order: 6
name: "String & IOC Extraction"
tools: [strings, floss, cyberchef]
description: "Extract strings from shellcode. Look for: C2 URLs, download paths, filename markers, encryption keys. Use CyberChef for encoded content."
- order: 7
name: "Document Findings"
tools: []
description: "Record: shellcode offset in carrier, size, encoding/XOR key, framework (Metasploit/CS/custom), C2 address, downloaded payload URL, technique (staged/stageless)."
related_labs: ["3.4", "3.5", "4.6", "4.7"]
tags: [shellcode, emulation, cobalt-strike, metasploit, scdbg]
# ============================================================
# 10. STRING & DATA DEOBFUSCATION (NEW)
# ============================================================
- id: string-deobfuscation-workflow
name: "String & Data Deobfuscation"
description: "Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding."
steps:
- order: 1
name: "Automated Extraction"
tools: [floss, strings]
description: "Start with FLOSS for automatic deobfuscation (static + stack + decoded strings). Compare against plain strings output. FLOSS --no-static for only decoded strings."
- order: 2
name: "Encoding Detection"
tools: [xorsearch, bbcrack]
description: "Identify encoding algorithm. XORSearch: detect XOR with known plaintext (http:, MZ, This program). bbcrack: brute-force XOR, ROL, ADD at multiple levels."
- order: 3
name: "Single-Byte XOR Recovery"
tools: [brxor-py, xortool]
description: "For single-byte XOR: brxor.py <file> finds English words. xortool <file> guesses key length and probable key. xortool-xor -s <key> -i <file> -o decoded.bin to decode."
- order: 4
name: "Multi-Byte / Custom Decoding"
tools: [translate-py, cyberchef]
description: "For custom algorithms: translate.py 'byte ^ key' or complex expressions. CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe."
- order: 5
name: "Stack String Recovery"
tools: [strdeob-pl, floss]
description: "For strings built on the stack (MOV byte-by-byte): strdeob.pl <file> or FLOSS stack string detection. Common in evasive malware to avoid string extraction."
- order: 6
name: "Validation & IOC Extraction"
tools: []
description: "Review decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare against known malware family patterns."
related_labs: ["1.5", "5.2"]
tags: [strings, xor, deobfuscation, floss, cyberchef, encoding]
# ============================================================
# 11. MEMORY FORENSICS (NEW)
# ============================================================
- id: memory-forensics-workflow
name: "Memory Forensics"
description: "Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux."
steps:
- order: 1
name: "Image Identification"
tools: [volatility3]
description: "Determine OS and profile: vol3 -f <dump> windows.info (or linux.info). Verify image is valid and identify OS version, build, architecture."
- order: 2
name: "Process Analysis"
tools: [volatility3]
description: "List processes: vol3 -f <dump> windows.pslist / windows.pstree. Look for: suspicious names, unusual parent-child relationships, processes with no window title, duplicate system processes."
- order: 3
name: "Network Connections"
tools: [volatility3]
description: "List connections: vol3 -f <dump> windows.netscan. Identify: C2 connections, unusual ports, connections to known-bad IPs. Cross-reference with process PIDs."
- order: 4
name: "Injection Detection"
tools: [volatility3]
description: "Detect injected code: vol3 -f <dump> windows.malfind. Shows: processes with executable memory not backed by a file. Dump suspicious regions for further analysis."
- order: 5
name: "DLL Analysis"
tools: [volatility3]
description: "List loaded DLLs: vol3 -f <dump> windows.dlllist --pid <PID>. Look for: DLLs loaded from unusual paths (temp, appdata), unsigned DLLs, DLLs not in known-good baseline."
- order: 6
name: "String Search"
tools: [volatility3, strings]
description: "Search for known IOCs in memory: vol3 -f <dump> windows.strings. Also: strings <dump> | grep -i '<pattern>'. Look for URLs, domains, file paths, commands."
- order: 7
name: "Process & Code Dumping"
tools: [volatility3]
description: "Extract suspicious processes: vol3 -f <dump> windows.dumpfiles --pid <PID>. Extract injected code regions from malfind results. Analyze dumped files with Static Analysis Workflow."
- order: 8
name: "Timeline Reconstruction"
tools: [volatility3]
description: "Build timeline: vol3 -f <dump> timeliner.Timeliner. Reconstruct: when malware started, what it did, lateral movement. Correlate with process tree and network data."
related_labs: []
tags: [memory, forensics, volatility, injection, incident-response]
# ============================================================
# 12. ANDROID MALWARE ANALYSIS (NEW)
# ============================================================
- id: android-analysis-workflow
name: "Android Malware Analysis"
description: "Analyze suspicious Android APK files using static and dynamic techniques available in REMnux."
steps:
- order: 1
name: "APK Triage"
tools: [file, apkid]
description: "Verify file type and check for packers/obfuscators. APKiD detects: known packers (DexGuard, Bangcle), obfuscators, anti-debug techniques."
- order: 2
name: "Manifest Analysis"
tools: [apktool]
description: "Decompile APK: apktool d <apk> -o output/. Examine AndroidManifest.xml for: excessive permissions, receivers, services, exported components, intent filters."
- order: 3
name: "Source Code Recovery"
tools: [jadx]
description: "Decompile DEX to Java: jadx <apk> -d output/. Review source code for: C2 URLs, crypto operations, SMS interception, data exfiltration, root checks."
- order: 4
name: "Static Analysis"
tools: [androguard, droidlysis]
description: "androguard: analyze APK structure, permissions, activities. droidlysis: automated static analysis with IOC extraction. Check for: hardcoded keys, URLs, suspicious API usage."
- order: 5
name: "Native Library Analysis"
tools: [strings, radare2]
description: "If APK contains .so libraries: extract from lib/ directory. Analyze with strings and radare2. Native code often hides C2 logic and crypto."
- order: 6
name: "Dynamic Instrumentation"
tools: [frida]
description: "Hook suspicious functions at runtime: frida -U -l hook.js <package>. Intercept: crypto operations, network calls, file access, SMS operations."
- order: 7
name: "Document Findings"
tools: []
description: "Record: package name, permissions abused, C2 infrastructure, data exfiltrated, persistence mechanism, targeted user data (SMS, contacts, location)."
related_labs: []
tags: [android, apk, mobile, frida, jadx, apktool]
# ============================================================
# 13. JAVA MALWARE ANALYSIS (NEW)
# ============================================================
- id: java-analysis-workflow
name: "Java Malware Analysis"
description: "Analyze malicious Java archives (JAR), applets, and compiled classes. Covers decompilation and code analysis."
steps:
- order: 1
name: "Archive Inspection"
tools: [unzip, file]
description: "Extract JAR contents: unzip <file.jar> -d output/. Examine META-INF/MANIFEST.MF for Main-Class entry point. List all .class files."
- order: 2
name: "Decompilation"
tools: [cfr, jd-gui]
description: "Decompile with CFR: cfr <file.jar> --outputdir output/. Or use JD-GUI for visual browsing. CFR handles modern Java (lambdas, try-with-resources) better."
- order: 3
name: "Multi-Decompiler Comparison"
tools: [cfr, procyon]
description: "If one decompiler fails on a class: try Procyon. Compare outputs. Some obfuscators break specific decompilers while others handle them fine."
- order: 4
name: "Code Analysis"
tools: [visual-studio-code]
description: "Review decompiled source. Search for: Runtime.exec() (command execution), URLConnection (network), Cipher (crypto), File I/O operations, reflection (Class.forName)."
- order: 5
name: "Resource Extraction"
tools: [strings]
description: "Extract embedded resources and strings. Check for: encoded payloads in resources, config files, embedded binaries. Base64-encoded content is common."
- order: 6
name: "Document Findings"
tools: []
description: "Record: entry point class, malicious methods, URLs/IPs, downloaded payloads, commands executed, Java version requirements."
related_labs: []
tags: [java, jar, decompilation, cfr, jd-gui]
# ============================================================
# 14. EMAIL & PHISHING ANALYSIS (NEW)
# ============================================================
- id: email-analysis-workflow
name: "Email & Phishing Analysis"
description: "Analyze suspicious email messages for phishing indicators, malicious attachments, and weaponized links."
steps:
- order: 1
name: "Header Analysis"
tools: [emldump-py, mail-parser]
description: "Parse SMTP headers: emldump.py <email.eml>. Check: Received headers (delivery path), Return-Path vs From (spoofing), SPF/DKIM results, X-Mailer."
- order: 2
name: "Attachment Extraction"
tools: [emldump-py, msg-extractor]
description: "Extract attachments: emldump.py <email.eml> -d. For MSG format: msg-extractor <email.msg>. List all attachments with types and sizes."
- order: 3
name: "Attachment Triage"
tools: [file, trid, yara, sha256sum]
description: "For each attachment: identify type, compute hash, scan with YARA. Route to appropriate workflow: Document Analysis (Office/PDF), Static Analysis (PE), JavaScript Deobfuscation (JS/HTML)."
- order: 4
name: "Link Analysis"
tools: [unfurl]
description: "Extract all URLs from email body and headers. Use Unfurl to decompose URLs (reveal tracking pixels, redirect chains, encoded parameters)."
- order: 5
name: "Payload Analysis"
tools: []
description: "Analyze extracted attachments using the appropriate workflow. Common patterns: Office doc with macro → downloads PE, PDF with link → credential harvester, HTML attachment → phishing page."
- order: 6
name: "Document IOCs"
tools: []
description: "Record: sender address and IP, subject line, attachment names and hashes, all URLs, C2/phishing domains, email infrastructure (mail server names)."
related_labs: []
tags: [email, phishing, eml, msg, attachments, headers]
# ============================================================
# 15. COBALT STRIKE ANALYSIS (NEW)
# ============================================================
- id: cobalt-strike-workflow
name: "Cobalt Strike Analysis"
description: "Analyze Cobalt Strike beacons, configurations, and network traffic using Didier Stevens' CS toolkit on REMnux."
steps:
- order: 1
name: "Beacon Detection"
tools: [yara, capa]
description: "Scan suspect file with YARA rules for CS signatures. capa detects 'receive data from C2' and beacon-like capabilities. Check for: characteristic 200KB+ size, sleep patterns."
- order: 2
name: "Configuration Extraction"
tools: [1768-py]
description: "Parse beacon config: 1768.py <sample>. Extracts: C2 URLs, user-agent, beacon interval, watermark, spawn-to process, named pipes, proxy config."
- order: 3
name: "Metadata Decryption"
tools: [cs-decrypt-metadata-py]
description: "Decrypt beacon metadata from network captures: cs-decrypt-metadata.py <metadata>. Reveals: computer name, user, process info sent to team server."
- order: 4
name: "Key Extraction"
tools: [cs-extract-key-py]
description: "Extract encryption keys: cs-extract-key.py -f <process_dump>. Recovers AES and HMAC keys used for C2 communication encryption."
- order: 5
name: "Traffic Decryption"
tools: [cs-parse-traffic-py]
description: "Decrypt C2 traffic: cs-parse-traffic.py -f <pcap> -k <keys>. Reveals: tasking commands, downloaded payloads, exfiltrated data."
- order: 6
name: "Sleep Mask Analysis"
tools: [cs-analyze-processdump-py]
description: "Analyze sleep mask: cs-analyze-processdump.py <dump>. Detects if beacon encrypts itself in memory during sleep. Useful for memory forensics."
- order: 7
name: "Document Findings"
tools: []
description: "Record: C2 domains/IPs, beacon interval, watermark (operator ID), user-agent strings, named pipe patterns, spawn-to process, malleable C2 profile indicators."
related_labs: ["3.4"]
tags: [cobalt-strike, c2, beacon, didier-stevens, threat-intel]
Reference in New Issue View Git Blame Copy Permalink