Exploit Notes

Malware Analysis

Last modified: 2023-02-21


Build a Sandbox

Before analyzing malware, it’s recommended to build a sandbox for malware analysis.
Below are useful tools for building such an environment.


    It is a collection of software installations scripts for Windows systems to maintain a reverse engineering environment on a virtual machine.

  • REMnux

    A Linux toolkit for malware analysis.


    An interactive online malware sandbox.

  • Hybrid Analysis

    A free online malware analysis service.

Get Information About Malware

First off, we get the hash of the malware.

# Linux
md5sum example
sha256sum example

# PowerShell
Get-FileHash -Algorithm MD5 example.exe
Get-FileHash -Algorithm SHA256 example.exe

We can use the hash to find details about the malware, so copy the output hash.

We can find information about the malware by searching for its hash.

In the search form, input the hash value as below.


Now visit the websites listed in the search results.

VirusTotal

VirusTotal analyses suspicious files, domains, IPs and URLs to detect malware and other breaches, and automatically shares them with the security community.
To look up a suspicious file, first get its hash in our terminal, then search for that hash.

MalwareBazaar in Abuse.ch

MalwareBazaar also analyses suspicious files.

We can input the hash in Browse Database as below.


Resource Hacker

Resource Hacker is a resource extraction utility and resource compiler for Windows.

By opening a malware file, we can retrieve detailed information about the file in “Version Info”.

capa

capa detects capabilities in executable files.

capa example.exe
# -vv: show all feature match details
capa -vv example.exe

Strings

We can find specific text contained in the malware.

# Linux
strings example | grep "text_here"

# PowerShell
strings example.exe | findstr "text_here"
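The hash and string steps above, as an added example that is not part of the original notes: it computes the MD5 and SHA-256 digests that go into the VirusTotal and MalwareBazaar search forms, and extracts printable strings the way `strings` does, additionally picking up UTF-16LE ("wide") strings, which GNU `strings` skips by default but Windows binaries use heavily. `SAMPLE` is a constructed byte string standing in for a file, not a real sample, and `example.invalid` is a placeholder host.

```python
# Added example (not from the original notes): lookup hashes plus ASCII and
# wide string extraction from a file image. SAMPLE is constructed, not real.
import hashlib
import re

# Constructed sample: MZ header, DOS stub message, a wide URL and an API name.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 8
    + "http://example.invalid/beacon".encode("utf-16-le")
    + b"\x00" * 8
    + b"CreateRemoteThread\x00"
)


def file_hashes(data: bytes) -> dict:
    """Return the MD5 and SHA-256 hex digests (same values md5sum / sha256sum
    print), which are what the search forms expect."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, kind, text) for every printable run of at least min_len
    characters, found both as ASCII and as UTF-16LE, sorted by offset."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # Wide strings: a printable ASCII byte followed by a NUL byte, repeated.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "wide", m.group().decode("utf-16-le")))
    return sorted(found)


def grep_strings(data: bytes, pattern: str, min_len: int = 4) -> list:
    """Equivalent of `strings file | grep -i pattern`, over ASCII and wide strings."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [s for s in extract_strings(data, min_len) if rx.search(s[2])]


if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE).items():
        print(f"{algo}: {digest}")
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {kind:5} {text}")
    print("matches for 'http':", grep_strings(SAMPLE, r"http"))
```

Run it against a real file with `extract_strings(open(path, "rb").read())`; the wide-string pass is the part worth keeping, since a URL or registry path stored as UTF-16 shows up in `strings` output only with the `-e l` option.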

Reverse Engineering

Ghidra

Ghidra is a reverse engineering software suite.

PE-bear

PE-bear is a multi-platform reversing tool for PE files.

Analysis Tools

  • Pithus

    An open-source mobile threat intelligence platform.


  • Process Hacker

    It monitors system resources, debugs software and detects malware.

  • ProcDOT

    ProcDOT is a visual malware analysis tool.
    To investigate logs, go to Monitoring Logs, open a Procmon log file (.csv) under Procmon and a dump file under WinDump, then click “Refresh”. The executable files and their PIDs are then listed.


  • Yara

    The pattern matching swiss knife for malware researchers.

    • Automation Tools

      • Loki

        # Update first (this downloads the `signature-base` directory)
        python ~/Loki/loki.py --update
        # Run
        python ~/Loki/loki.py -p ./suspicious_files_dir
        # Run and write a log file
        python ~/Loki/loki.py -p ./suspicious_files_dir -l log.txt
      • yarGen

        # Update first
        python ~/yarGen/yarGen.py --update
        # Generate YARA rules for the files in a directory
        python ~/yarGen/yarGen.py -m ./suspicious_files_dir --excludegood -o ./suspicious_files_dir/rule.yar
        # Check whether the file is flagged
        yara ./suspicious_files_dir/rule.yar ./suspicious_files_dir/somefile.php
        # If flagged, copy these rules to Loki's YARA signature directory
        cp ./suspicious_files_dir/rule.yar ~/Loki/signature-base/yara
        # Then run Loki
        # ...
    • Manual

      • Find Files Matching Rules

        yara rule.yar ./somedir
        # Print only the number of matches
        yara -c rule.yar ./somedir
        # Print only rules that do not match
        yara -n rule.yar ./somedir
        # Print rule metadata
        yara -m rule.yar ./somedir
      • Create Rules

        Create "rule.yar". A rule needs its meta, strings and condition sections and a closing brace:

        rule rule_name {
            meta:
                author = "pentester"
                description = "test rule"
                created = "6/20/2022 00:00"
            strings:
                $hello = "Hello"
                $text_file = ".txt"
            condition:
                $hello and $text_file
        }

Static Analysis

Static analysis is a method of malware analysis that examines a suspicious file without executing it. It can reveal basic information about the file (e.g. packer, linker, architecture) but may not be enough on its own.

  • Detect It Easy

    It determines types of files.

  • CAPA (https://github.com/mandiant/capa)

    It identifies capabilities in executable files.

    capa ./executable

If you find that the executable is packed with a packer such as UPX, unpack it with the same packer and re-analyze the file with CAPA.
For example, if the executable is packed with UPX, unpack it with UPX, delete capa's cached analysis and re-run capa.

upx -d ./executable
# Delete capa's vivisect cache file (use `rm` instead of `del` on Linux)
del ./executable.viv
capa ./executable

Dynamic Analysis

If our environment is Windows, we need to start Process Monitor before running the dynamic analysis.
Process Monitor (ProcMon) is a Windows tool that records the behavior of a running program in real time (registry, file system, network and process/thread activity) while we analyze the malware.

In the Process Monitor Filter dialog, set “Process Name” “is” “executable.exe” then “Include”, and click “Add” → “OK”.

After executing the sample, you should see results appear in ProcMon.
The first step is to unset all activity filters on the right of the toolbar, then enable them again one by one.

  • Show Registry Activity

    This filter allows us to determine if any significant Registry Modifications are executed by the binary. To focus on Registry Key Creations and Modifications, exclude RegOpenKey, RegQueryValue, RegQueryKey, RegCloseKey by right-clicking on the row of results.

  • Show File System Activity

    This filter allows us to determine if the malware creates files. To focus only on File Write events, exclude CreateFile, CreateFileMapping, QuerySecurityFile, QueryNameInformationFile, QueryBasicInformationFile, CloseFile, ReadFile.

  • Show Network Activity

    This filter allows us to confirm if the malware attempts to make a network connection.
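The three filters above, applied offline, as an added example that is not part of the original notes: it reads a CSV exported from Process Monitor (File > Save, CSV format, the same kind of log ProcDOT consumes), keeps one process, and drops exactly the registry and file-system operations the notes say to exclude, so what remains is key modification, file writes, network connections and process creation. `SAMPLE_CSV` is a constructed log in ProcMon's default export columns, not a real capture; the hostnames, paths and the 203.0.113.10 address are placeholders.

```python
# Added example (not from the original notes): apply the ProcMon toolbar
# filters and the notes' exclusion lists to a ProcMon CSV export.
# SAMPLE_CSV is constructed, not a real capture.
import csv
import io

# Registry operations to exclude so only key creation/modification remains.
REGISTRY_NOISE = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegCloseKey"}
# File-system operations to exclude so only file-write events remain.
FILE_NOISE = {"CreateFile", "CreateFileMapping", "QuerySecurityFile",
              "QueryNameInformationFile", "QueryBasicInformationFile",
              "CloseFile", "ReadFile"}
NOISE = {"registry": REGISTRY_NOISE, "file": FILE_NOISE,
         "network": set(), "process": set()}

# Constructed sample export using ProcMon's default CSV columns.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:00:01.0000000","executable.exe","4242","RegOpenKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Desired Access: Set Value"
"10:00:01.0000100","executable.exe","4242","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\updater.exe"
"10:00:01.0000200","executable.exe","4242","RegCloseKey","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS",""
"10:00:01.0000300","executable.exe","4242","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.0000400","executable.exe","4242","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:00:01.0000500","executable.exe","4242","CloseFile","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS",""
"10:00:02.0000000","executable.exe","4242","TCP Connect","LAB-PC:49811 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:00:02.0000100","executable.exe","4242","Process Create","C:\\Users\\lab\\AppData\\Roaming\\updater.exe","SUCCESS","PID: 5150, Command line: updater.exe"
"10:00:02.0000200","explorer.exe","1337","ReadFile","C:\\Windows\\explorer.exe","SUCCESS","Offset: 0, Length: 4,096"
"""


def event_class(operation: str) -> str:
    """Map a ProcMon operation name to the activity class its toolbar buttons use."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP ", "UDP ")):
        return "network"
    if operation.startswith(("Process ", "Thread ", "Load Image")):
        return "process"
    return "file"


def parse_procmon_csv(text: str) -> list:
    """Parse a ProcMon CSV export into dict rows keyed by column name. When
    reading from disk, open the file with encoding="utf-8-sig" so a leading
    BOM cannot corrupt the "Time of Day" header name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_activity(rows: list, process_name: str, klass: str) -> list:
    """Rows for one process in one activity class, minus the excluded operations."""
    return [
        r for r in rows
        if r["Process Name"] == process_name
        and event_class(r["Operation"]) == klass
        and r["Operation"] not in NOISE[klass]
    ]


def summarize(rows: list, process_name: str) -> dict:
    """(operation, path) pairs per class: the view left after the exclusions."""
    return {
        klass: [(r["Operation"], r["Path"])
                for r in filter_activity(rows, process_name, klass)]
        for klass in ("registry", "file", "network", "process")
    }


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    for klass, events in summarize(rows, "executable.exe").items():
        print(f"== {klass} ==")
        for op, path in events:
            print(f"  {op:<14} {path}")
```

On the constructed log the registry view collapses to the single RegSetValue under the Run key, the file view to the WriteFile of the dropped binary, and the network view to the outbound TCP Connect, which is the persistence-write-beacon sequence the three filters are meant to surface; rows from other processes such as explorer.exe never appear because the process-name include filter is applied first.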

Malicious Document (.doc) Analysis

  1. Open CyberChef.
  2. Upload the suspicious doc file on CyberChef.
  3. Use the “Strings” function to extract strings.
  4. If you found obfuscated strings in the results, add the “Find / Replace” function to remove extra strings.
  5. If necessary, add the “Drop bytes” function to remove extra bytes.
