1. What is Malware Analysis?
Malware Analysis is the process of studying malicious software in
order to understand:
- what it does (data theft, spying, encryption, etc.)
- how it works internally
- how to detect it
- how to defend against it
It is a key skill for a SOC Analyst or Cybersecurity Analyst.
2. Lab Objectives
In this lab, you will learn how to:
- Identify a suspicious file
- Perform static analysis (without executing it)
- Perform dynamic analysis (by executing it in a safe environment)
- Monitor malicious network activity
- Extract Indicators of Compromise (IOCs)
3. Tools Used
Secure Environment
- VirtualBox
Used to create isolated virtual machines (sandbox)
- FLARE VM
Pre-configured Windows environment for malware analysis
Static Analysis Tools
- PE Studio
Analyzes malware without executing it
- Strings
Extracts hidden text inside files (URLs, commands, etc.)
Dynamic Analysis Tools
- Process Monitor
Monitors file system, registry, and process activity
- Process Explorer
Displays running processes and their behavior
Network Analysis
- Wireshark
Captures and analyzes network traffic
4. Main Tabs and Their Use
PE Studio
- Indicators → shows suspicious behaviors
- Strings → extracts hidden messages and URLs
- Imports → shows system functions used by the malware
Process Monitor
- File System → file creation/modification
- Registry → registry changes
- Process Activity → real-time malware actions
Wireshark
- Capture → live traffic monitoring
- Follow TCP Stream → read communications
- Filters → refine traffic (e.g. http, dns)
5. Step-by-Step Lab Process
Step 1: Installation
1. Install VirtualBox
- Download from official website
- Click: Next → Next → Install → Finish
2. Install FLARE VM
- Open PowerShell as Administrator
- Run:
```powershell
iwr -useb https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1
| iex
```
Step 2: Prepare the Malware Sample
- Download a sample from a safe source (e.g., MalwareBazaar)
- Move it into the VM
- ⚠️ Ensure the VM is isolated (no real network access)
Step 3: Static Analysis
Using PE Studio
1. Open PE Studio
2. Go to File → Open → select malware file
You will see:
- Red flags (suspicious behavior)
- Imports (system functions used)
- URLs or suspicious strings
Using Strings
1. Open Command Prompt
2. Run:
```bash
strings malware.exe
```
You will find:
- IP addresses
- Hidden URLs
- Embedded commands
Step 4: Dynamic Analysis
Using Process Monitor
1. Open Process Monitor
2. Click File → Capture Events
3. Run the malware sample
You will observe:
- File creation/modification
- Registry changes
- Suspicious system activity
Using Process Explorer
1. Open Process Explorer
2. Run the malware
You will observe:
- New suspicious processes
- CPU/memory usage spikes
- Injected DLLs
Step 5: Network Analysis (Wireshark)
1. Open Wireshark
2. Click Start Capture
3. Execute the malware
You will detect:
- DNS requests
- External IP connections
- Suspicious traffic patterns
Useful filters:
```
dns
http
tcp
```
6. Final Expected Results
At the end of the lab, you should be able to:
- Identify malware type
- Understand its behavior
- Extract IOCs:
- IP addresses
- Domains
- File hashes
- Propose mitigation steps
7. Response Actions
- Delete infected file
- Block malicious IPs/domains
- Update antivirus systems
- Isolate compromised machines
8. Prevention
- Never open unknown files
- Always use a sandbox environment
- Keep systems updated
- Train users against phishing/malware
Final Summary
This lab turns you into someone who can understand malware behavior,
not just detect it.
You go from:
❌ “This is a virus”
to
✅ “I understand how it works and how to stop it”
Copyright © All rights reserved.