NeoShield Security logo NeoShield Security Quantum X

Academy / Malware Analysis (Static + Dynamic)

MODULE 06 · Advanced

Malware Analysis (Static + Dynamic)

Safely triage and characterize samples to produce detections — analysis, not authoring.

Module overview

This module teaches defensive malware analysis: safely characterizing a sample to extract indicators and behaviors that feed detections. You will do static triage (hashing, strings, PE structure, YARA/capa) and dynamic analysis in an isolated sandbox (behavioral and network monitoring). The goal is detection and understanding — never creation. All work happens in a disposable, network-controlled lab.

Lesson 1

Static Triage: Strings, PE Structure, YARA & capa

Deep explanation

Static analysis characterizes a sample without running it. Start with identity (hashes) and reputation, then strings (URLs, registry keys, mutexes, suspicious APIs), then PE structure: sections, imports (IAT), entropy (high entropy suggests packing), and compile timestamps. capa maps capabilities to ATT&CK from the binary alone. From these observations you author a YARA rule that detects the family or shared tradecraft.

Safety first: handle samples in a disposable VM, never on your host, with no auto-execution and controlled file transfer.

Examples

  • strings reveals a hard-coded C2 URL and a unique mutex name — both become detection indicators.
  • High section entropy + a tiny import table indicates a packer; capa flags "create process" and "HTTP communication" capabilities.

Commands & tools

# Identity & reputation (lab VM, sample handled safely)
sha256sum sample.bin

# Strings + PE structure
strings -n 8 sample.bin | less
pecheck.py sample.bin            # or: python -m pefile  (sections, imports, entropy)
capa sample.bin                  # capabilities -> ATT&CK

# YARA rule authored from observed indicators
rule Suspicious_Family_Example {
  strings: $u = "http://c2.example.lab" ascii  $m = "Global\\unique_mutex" wide
  condition: uint16(0) == 0x5A4D and any of them
}
yara rule.yar sample.bin

Diagram

  sample -> [ hashes ] -> [ strings ] -> [ PE: sections/imports/entropy ] -> [ capa ]
                                                  |
                                    observed indicators -> YARA rule -> deploy to EDR/scan

Hands-on lab

  1. In a disposable, network-isolated VM, compute the hash of a provided benign/known training sample.
  2. Extract strings and review PE sections/imports/entropy; note any URLs, mutexes, or suspicious APIs.
  3. Run capa and record the mapped capabilities/ATT&CK techniques.
  4. Author a YARA rule from at least two stable indicators and test it against the sample and a clean file (no false positive).
Expected output: A characterization sheet (hash, key strings, sections/entropy, capa capabilities) plus a YARA rule that matches the sample and not the clean file.
What to observe: Strong indicators are stable ones (mutex, embedded config) rather than trivially mutable ones; entropy and import anomalies hint at packing.

How attackers exploit · how defenders respond

Exploit: Authors pack/obfuscate, strip metadata, and randomize trivial indicators to defeat naive signatures.

Detect & respond: YARA on robust strings/structure, capa-driven behavioral expectations, and reputation/hash feeds — combined, not alone.

Red teamPack and mutate to break weak signatures.
Blue teamAuthor resilient YARA from stable artifacts; pair with behavioral detection from the dynamic phase.

Real-world scenario

A single well-chosen YARA rule on an embedded config string has historically caught entire malware families across many repacked variants.
Lesson 2

Dynamic Analysis in a Sandbox & Building Detections

Deep explanation

Dynamic analysis runs the sample in an instrumented, isolated sandbox and records behavior: file/registry changes, process creation, injected memory, and network indicators (DNS, C2). Tools like Procmon + Noriben, or an automated sandbox (Cuckoo/CAPE), capture the activity. You convert observed behavior into detections — Sigma rules for the process/registry patterns and network IOCs for the C2 — closing the loop from sample to defense.

Isolation discipline is non-negotiable: host-only/simulated network (INetSim), no shared folders left mounted, disposable snapshots reverted after each run.

Examples

  • The sample creates a Run key for persistence and beacons to a domain every 60s — both become detections.
  • Procmon shows the binary spawning powershell with an encoded command — a Sigma rule generalizes it.

Commands & tools

# Sandbox network simulation so the sample cannot reach the real internet
inetsim            # fake DNS/HTTP so behavior is observed safely

# Behavioral capture (Windows lab VM, reverted after each run)
Noriben.py         # wraps Procmon, summarizes file/reg/proc/net activity

# From behavior -> Sigma detection (persistence via Run key)
title: Suspicious Run Key Persistence
logsource: { product: windows, category: registry_set }
detection:
  sel: { TargetObject|contains: '\CurrentVersion\Run' }
  condition: sel
level: medium

Diagram

  sample -> [ isolated sandbox + INetSim ] -> behavior log
                 |                |               |
             file/reg          process         network (DNS/C2)
                 \______________ convert _______________/
                          Sigma rules + network IOCs -> SIEM/EDR

Hands-on lab

  1. Detonate the provided training sample in an isolated sandbox VM with INetSim providing fake network services.
  2. Capture behavior with Noriben/Procmon; record persistence, process, and network indicators.
  3. Write one Sigma rule (e.g., Run-key persistence) and one network IOC from what you observed.
  4. Revert the VM snapshot and confirm the environment is clean before the next run.
Expected output: A behavior report listing persistence/process/network indicators, plus a Sigma rule and a network IOC derived directly from the run.
What to observe: Dynamic behavior generalizes better than file hashes; the same Run-key or beacon pattern detects many repacked variants.

How attackers exploit · how defenders respond

Exploit: Malware checks for sandboxes/VMs and may delay or alter behavior to evade analysis (defense evasion).

Detect & respond: Robust sandboxing (anti-evasion config), behavior-based Sigma/EDR detections, and network IOCs — plus EDR on real endpoints to catch what sandboxes miss.

Red teamSandbox-evasion checks, delayed execution, environment keying.
Blue teamHarden the sandbox, prefer behavioral detections, validate on live EDR telemetry.

Real-world scenario

Behavioral detections authored from one detonation routinely catch future variants that change every hash but keep the same persistence and beacon pattern.

End-of-module assessment

Tap an answer to check it.

1. High entropy and a tiny import table most likely indicate:

Packers compress/encrypt code, raising entropy and shrinking the visible IAT.

2. The safest place to run a sample for dynamic analysis is:

Isolation + network simulation + snapshot revert is mandatory.

3. Behavioral detections are valuable because they:

Behavior (persistence, beacons) persists across cosmetic changes to the binary.

Key takeaways

  • This is analysis, not authoring: characterize samples to produce detections, always in isolation.
  • Static triage (strings/PE/capa/YARA) plus dynamic behavior gives durable, family-level detection.
  • Behavioral Sigma/EDR detections beat hash IOCs against repacked variants.
← Digital Forensics & Incident Response Cloud Security (AWS, Azure, GCP) →

Sign in to save your progress across devices, track lessons, and ask the AI instructor.

Ask the AI instructor

Stuck on this module? Ask a question and get a practical, defensive explanation.

Daily limit: visitors 1, members 3, donors 20.

Related reading: NeoShield security blog · Practice safely in an isolated lab only.