π¦ Malware Analysis & Reverse Engineering β Playbook: Static, Dynamic, dan Memory Analysis
Panduan komprehensif analisis malware dan reverse engineering β dari triage cepat dan static analysis, sandbox dynamic analysis, memory forensics (Volatility), hingga binary instrumentation (Frida, Unicorn). Mencakup analisis PE (Portable Executable) dan ELF (Executable and Linkable Format), packing/unpacking detection, YARA rule authoring, serta incident-response triage menggunakan FLOSS, CAPA, dan IDA Pro/Ghidra workflow.
Hubungan ke Vault
Nota ini terkait dengan firmware-reverse-engineering-deepdive untuk RE tingkat firmware/hardware, endpoint-detection-playbook untuk triage forensik di host yang mungkin terinfeksi, blueteam-detection-matrix untuk deteksi behavioral malware, comprehensive-threat-directory untuk taksonomi jenis malware, ebpf-kernel-security dan ebpf-beyond-security untuk kernel-level detection of malware behavior, serta incident-response-framework untuk konteks IR yang lebih luas.
Daftar Isi
Foundation
Tingkat Analisis Malware
| Level | Tujuan | Alat | Kecepatan | Kedalaman |
|---|---|---|---|---|
| L0 β Triage | Determine: malicious? family? IoC? | VirusTotal, Hybrid Analysis, YARA, CAPA | β‘ (5-10 menit) | Dangkal |
| L1 β Static Analysis | Extract strings, imports, exports, sections, metadata tanpa eksekusi | PEStudio, Detect It Easy (DiE), strings, FLOSS, Ghidra | β‘β‘ (15-30 menit) | Medium |
| L2 β Dynamic Analysis | Observe behavior in sandbox: network, filesystem, registry, process | Cuckoo Sandbox, CAPE, ANY.RUN, ProcMon, Wireshark | β±οΈ (30-60 menit) | Medium-High |
| L3 β Memory Analysis | Dump dan analisis RAM untuk malware artifacts | Volatility 3, Rekall, LiME, winpmem | β±οΈβ±οΈ (1-2 jam) | High |
| L4 β Full Reverse Engineering | Disassemble β decompile β understand full logic | IDA Pro, Ghidra, Binary Ninja, x64dbg, GDB | π§ (hari-minggu) | Full |
Kapan berhenti? Jika tujuan adalah incident response, L0βL2 sudah cukup untuk containment dan remediation. Full RE (L4) diperlukan jika malware adalah zero-day, APT tool, atau butuh custom signature untuk EDR.
Format File β PE vs ELF vs Mach-O
| Fitur | PE (Windows) | ELF (Linux) | Mach-O (macOS) |
|---|---|---|---|
| Struktur | DOS Header β PE Header β Section Headers β Sections | ELF Header β Program Headers β Section Headers β Sections | Mach-O Header β Load Commands β Segments/Sections |
| Entry point | AddressOfEntryPoint (relatif ke ImageBase) | e_entry (virtual address) | LC_MAIN load command |
| Imports | IMAGE_DIRECTORY_ENTRY_IMPORT (IAT) | .dynsym + .dynstr sections | LC_DYLD_INFO |
| Exports | IMAGE_DIRECTORY_ENTRY_EXPORT (EAT) | .dynsym (STB_GLOBAL) | LC_DYLD_INFO (export trie) |
| Sections umum | .text, .data, .rdata, .rsrc, .reloc | .text, .data, .bss, .rodata, .plt, .got | __TEXT, __DATA, __LINKEDIT |
| ASLR | /DYNAMICBASE linker option | -pie compiler flag | Default (PIE mandatory since 10.7) |
Technical Deep-Dive
L0 β Triage Cepat
VirusTotal Automation (CLI)
# Submit file
curl -X POST "https://www.virustotal.com/api/v3/files" \
-H "x-apikey: $VT_API_KEY" \
-F "file=@sample.exe"
# Check hash
curl -X GET "https://www.virustotal.com/api/v3/files/$HASH" \
-H "x-apikey: $VT_API_KEY" | jq '.data.attributes.last_analysis_stats'YARA First Pass β Rule Authoring
rule APT_Malware_Generic {
meta:
description = "Generic APT malware detection β mutex + API patterns"
author = "SOC Team"
date = "2026-07-15"
hash = "a1b2c3d4..."
strings:
// Mutex names (common APT families)
$m1 = "Global\\{457224D0-1B01-11D3-BC1D-0090271B6B21}" ascii wide
$m2 = "Global\\Mutex_MSWinUpdate" ascii wide
// Suspicious API sequences
$a1 = "VirtualAllocEx" ascii fullword
$a2 = "WriteProcessMemory" ascii fullword
$a3 = "CreateRemoteThread" ascii fullword
// C2 indicators
$c1 = "http://" ascii
$c2 = "Command=" ascii
$c3 = "&id=" ascii
condition:
(1 of ($m*)) and (2 of ($a*)) and (any of ($c*))
}
rule UPX_Packed {
meta:
description = "UPX packed executable"
strings:
$upx = "UPX!" ascii
$upx0 = "UPX0" ascii
$upx1 = "UPX1" ascii
condition:
$upx at 0 and ($upx0 or $upx1)
}CAPA β Automatic Malware Capability Detection
CAPA (FireEye/Mandiant) mendeteksi kemampuan malware dari binary tanpa perlu eksekusi:
# Install
pip install flare-capa
# Run
capa sample.exe -j > capabilities.json
# Output sample
ββββββββββββββββββββββββββββββββ
β CAPA v7.0 β sample.exe β
β MD5: a1b2c3... β
ββββββββββββββββββββββββββββββββ€
β ATT&CK Tactic: Execution β
β - T1059 Command & Scriptingβ
β ATT&CK Tactic: Defense Evasion β
β - T1027 Obfuscated Files β
β - T1140 Deobfuscate/Decode β
β MBC Method: Process::Create β
β - CreateProcess API β
β Networking β
β - HTTP communication β
β - Encode data with Base64 β
β Persistence β
β - Registry Run Key β
ββββββββββββββββββββββββββββββββL1 β Static Analysis
PE File Structure
ββββββββββββββββββββββββ
β DOS Header β β "MZ" magic, e_lfanew offset
ββββββββββββββββββββββββ€
β DOS Stub β β "This program cannot be run in DOS mode"
ββββββββββββββββββββββββ€
β PE Header (NT Header)β
β ββ Signature β β "PE\\0\\0"
β ββ File Header β β machine, sections, timestamp, symbol info
β ββ Optional Header β β entry point, image base, subsystem, DLL characteristics
ββββββββββββββββββββββββ€
β Section Headers β β .text, .data, .rdata, .rsrc, .reloc
ββββββββββββββββββββββββ€
β Sections (raw data) β
ββββββββββββββββββββββββ
Anomali PE yang patut dicurigai:
| Anomali | Deskripsi | Tingkat Kecurigaan |
|---|---|---|
| SizeOfHeaders abnormal | > 0x1000 β kemungkinan overlay data | π‘ Medium |
| Section name aneh | .abc, .zdata, ..text β bukan nama standar | π‘ Medium |
| Section RawSize β VirtualSize | Packer atau custom loader β data terkompresi | π΄ High |
| EntryPoint di section non-.text | Code execution dari .data atau .rdata | π΄ High |
| Subsystem = IMAGE_SUBSYSTEM_NATIVE | Driver atau bootkit | π΄ High |
| DLL Characteristics = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | Normal untuk legitimate β tapi banyak juga malware yang enable | π’ Low |
| Rich Header aneh | Padding anomali β bisa mengandung kompiler fingerprint | π‘ Medium |
| Many sections (>12) | Legit bisa, tetapi umum pada packer | π‘ Medium |
| Import Address Table kosong | Resolved at runtime β dynamic loading | π΄ High |
FLOSS β FireEye Labs Obfuscated String Solver
FLOSS mengekstrak string yang di-decode/de-obfuscate secara statis (tanpa eksekusi):
floss sample.exe --output floss-results.txtMendukung: stack strings, tight strings, decoded strings dari function arguments. Hasil:
-------------------
| FLOSS RESULTS |
-------------------
Decoded Strings:
- "http://malware-c2.example.com/gate.php"
- "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
- "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
- "C:\\Users\\Public\\svchost.exe"
- "x86_64-linux-gnu.so" [suspicious β Windows binary with Linux string]
Stack Strings:
- "WinExec"
- "URLDownloadToFileA"
- "CreateToolhelp32Snapshot" [process enumeration]
- "OpenProcess"
- "VirtualAllocEx"
Ghidra / IDA Workflow β Dasar
1. Load binary β Select loader (PE/ELF)
2. Auto-analysis β Wait for initial decompilation
3. Check entry point function (usually `start` or `entry`)
4. Identify main function (follow reference from entry)
5. Rename key variables and functions
6. Look for:
- URL/domain strings β C2 indicators
- Decryption loops β XOR, RC4, AES
- Process injection APIs β CreateRemoteThread, NtCreateThreadEx
- COM object creation β persistence or lateral movement
7. Create custom structs for configuration data
8. Export pseudo-code + notes β write report
L2 β Dynamic Analysis (Sandbox)
Cuckoo Sandbox / CAPE Setup Minimal
CAPE (Cuckoo Augmented PE) β fork aktif dari Cuckoo:
# Install (Ubuntu 22.04)
sudo apt-get install python3-pip postgresql tcpdump genisoimage
git clone https://github.com/kevoreilly/CAPE/
cd CAPE
pip3 install -r requirements.txt
python3 cuckoo.py initdb
# Start
python3 cuckoo.py --debugUntuk IR cepat β menggunakan ANY.RUN atau Joe Sandbox online:
# Submit ke ANY.RUN via API
curl -X POST "https://api.any.run/v1/analysis" \
-H "Authorization: Bearer $ANY_RUN_KEY" \
-F "file=@sample.exe" \
-F "env_os=windows-10" \
-F "env_bitness=64"Analisis Sandbox β Yang Harus Diperhatikan
| Aspek | Indikator Malware | Tool/Catatan |
|---|---|---|
| Process tree | rundll32.exe spawns powershell.exe β cmd.exe β svchost.exe | Process Hacker, ProcMon |
| Network | DNS query to DGA domain, HTTP POST to /gate.php, C2 beacon interval | Wireshark, FakeNet, INetSim |
| Registry | Run key write, AppInit_DLLs modification, service creation | ProcMon, RegShot |
| Filesystem | Drop file to %TEMP%, create hidden file, modify hosts file | FileSystem Scanner, ProcMon |
| Named pipes | Create named pipe for IPC (keylogger, backconnect) | PipeList, Sysmon Event 17/18 |
| Mutex | Create unique mutex β bisa jadi [1] single-instance guard, [2] family fingerprint | Handle, Process Explorer |
| Injection | WriteProcessMemory + CreateRemoteThread ke explorer.exe atau svchost.exe | API Monitor, Sysmon Event 8/10 |
| Anti-VM | Query SELECT * FROM Win32_ComputerSystem β check Model = βVirtualBoxβ | Wireshark + ProcMon |
InetSim β Fake Network Services untuk Dynamic Analysis
# Install
sudo apt install inetsim
# Config: /etc/inetsim/inetsim.conf
start_service dns,http,https,smtp,pop3,imap,ftp,tftp,irc,nntp
# Run
sudo inetsimAdvanced
Memory Forensics dengan Volatility 3
Volatility 3 adalah framework memory analysis open-source. Tidak lagi memerlukan profile β auto-detect OS.
# Install
pip3 install volatility3
# Dapatkan memory dump (dari host yang dicurigai terinfeksi)
# Windows: winpmem (https://github.com/Velocidex/WinPmem)
winpmem_mini_x64_rc2.exe mem.dmp
# Linux: LiME (https://github.com/504ensicsLabs/LiME)
insmod lime.ko "path=mem.dmp format=lime"
# Dasar Volatility 3
vol -f mem.dmp windows.pslist.PsList
vol -f mem.dmp windows.psscan.PsScan # hidden/unlinked processes
vol -f mem.dmp windows.netscan.NetScan # network connections
vol -f mem.dmp windows.dlllist.DllList # loaded DLLs per process
vol -f mem.dmp windows.cmdline.CmdLine # command line arguments
vol -f mem.dmp windows.filescan.FileScan # file handlesProses Mencurigakan β Checklist Memory Analysis
| Indikator | Volatility Plugin | Apa yang Dicari |
|---|---|---|
| Hidden process | psscan vs pslist | Proses ada di psscan tapi tidak di pslist = rootkit process hiding |
| No parent | pstree | PPID 0 atau PPID tidak ada = process didirectly injected |
| Suspicious offset | psscan | _EPROCESS offset tidak biasa antara pool tags |
| False binary path | cmdline, envars | C:\Windows\System32\rundll32.exe tapi DLL dari C:\Users\Public\ |
| Injected code | malfind, vadinfo | RWX memory region yang bukan image mapping β inject detection |
| API hooking | apihooks | Inline hooks di ntdll.dll, kernel32.dll β userland rootkit |
| Suspicious handles | handles | Handle ke proses lain dengan PROCESS_ALL_ACCESS |
| Malfind output | malfind | Memory page dengan karakteristik VAD mismatch + execute permission |
| Driver signature | modscan, driverirp | Driver unsigned, IRP hooking |
| Registry hive | hivelist, hivedump | Abnormal registry keys, persistence |
MalFind β Deteksi Process Injection
vol -f mem.dmp windows.malfind.Malfind --pid 1234
# Output example:
# Process: lsass.exe PID: 672
# Address 0x7f3d0000 tag: VAD
# File: ???
# Protect: PAGE_EXECUTE_READWRITE
# --- Hex dump (16 bytes) ---
# 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 ...
# --- Disassembly ---
# 0x7f3d0000 jmp 0x7f3d0010
# 0x7f3d0002 nop
#
# β MALICIOUS: PE header (MZ) mapped in lsass with RWX β classic process hollowingBinary Instrumentation β Frida
Frida untuk dynamic instrumentation tanpa perlu reverse engineering penuh:
# hook.js
Interceptor.attach(Module.findExportByName("kernel32.dll", "CreateRemoteThread"), {
onEnter: function(args) {
console.log("[+] CreateRemoteThread called");
console.log(" hProcess:", args[0]);
console.log(" lpStartAddress:", args[2]);
console.log(" lpParameter:", args[3]);
this.startAddress = args[2];
},
onLeave: function(retval) {
console.log(" Thread handle:", retval);
}
});
# Run
frida "notepad.exe" -l hook.js --no-pauseAdvanced Frida β Dekripsi Runtime
# intercept_decrypt.js
// Asumsikan malware punya fungsi decrypt di offset 0x401000
var decryptFunc = new NativePointer(ptr(Module.findBaseAddress("sample.exe")).add(0x1000));
Interceptor.attach(decryptFunc, {
onEnter: function(args) {
this.buffer = args[0];
this.length = args[1].toInt32();
},
onLeave: function(retval) {
// read decrypted data
var decrypted = this.buffer.readByteArray(this.length);
console.log("[+] Decrypted data:", hexdump(decrypted, { length: this.length }));
}
});YARA β Rule Authoring Advanced
YARA Module β PE-specific
import "pe"
rule APT_Malware_DLL {
meta:
description = "Detects APT malware DLL with specific PE characteristics"
condition:
pe.is_dll and
pe.number_of_sections == 4 and
pe.section_names[0] == ".text" and
pe.section_names[1] == ".rdata" and
pe.section_names[2] == ".data" and
pe.section_names[3] == ".rsrc" and
pe.entry_point >= 0x1000 and
for any i in (0..pe.number_of_sections - 1):
(
pe.sections[i].raw_data_size >
pe.sections[i].virtual_size and
pe.sections[i].raw_data_size > 0
)
}
rule C2_Domain_Regex {
meta:
description = "Mendeteksi C2 domain pattern dalam string"
strings:
// DGA-like domain patterns
$dga1 = /http:\/\/[a-z]{8,12}\.(com|net|tk|cf|ga|ml)/
// Base64-encoded C2
$b64c2 = /[A-Za-z0-9+\/]{40,}={0,2}/
condition:
any of ($dga1) and #b64c2 > 3
}YARA Module β Math (Entropy)
import "math"
rule High_Entropy_Section {
meta:
description = "Mendeteksi section dengan entropi tinggi β kemungkinan packed/encrypted"
condition:
for any i in (0..pe.number_of_sections - 1):
(
math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.0 and
pe.sections[i].raw_data_size > 4096
)
}Packers vs Crypters β Detection
| Type | Karakteristik | Detection |
|---|---|---|
| UPX | Compressed sections (UPX0, UPX1, UPX!), entry point OEP restore | YARA string βUPX!β + section names |
| Themida | Anti-debug, anti-VM, imported code obfuscation | Section .themida, high entropy, EP obfuscated |
| VMProtect | Code virtualization, anti-debug | Large .text section with virtualized bytecode |
| Crypters | Encrypt original PE β decrypt at runtime in memory | Emulation detection, anti-sandbox, delayed execution |
| ConfuserEx | .NET obfuscator β rename, constant encryption, control flow | Detect via metadata + string patterns |
| Obfuscator-LLVM | LLVM pass β control flow flattening, bogus control flow | No specific section pattern; anomaly in instruction distribution |
Unpacking β generic approach:
- Determine packer (Detect It Easy / DiE)
- Set hardware breakpoint on OEP (use x64dbg or OllyDbg)
- Dump process memory after OEP reached
- Rebuild IAT (Import Address Table) β use Scylla plugin
- Re-analyze with Ghidra/IDA
Sigma Rules untuk Malware Behavior Detection
Process Injection via CreateRemoteThread
title: CreateRemoteThread Detected
id: 4a1b2c3d-9e8f-7a6b-5c4d-3e2f1a0b9c8d
status: experimental
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8 # CreateRemoteThread
SourceImage|endswith:
- '\rundll32.exe'
- '\regsvr32.exe'
- '\mshta.exe'
- '\powershell.exe'
- '\wmic.exe'
TargetImage|endswith:
- '\explorer.exe'
- '\svchost.exe'
- '\winlogon.exe'
- '\lsass.exe'
StartAddress|endswith:
- '\ntdll.dll'
- '\kernel32.dll'
condition: selection
level: highMalicious Service Installation
title: Suspicious Service Installed in User Temp
id: 7b8c9d0e-1f2a-3b4c-5d6e-7f8a9b0c1d2e
status: experimental
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11 # FileCreate
TargetFilename|contains:
- '\AppData\Local\Temp\'
- '\Users\Public\'
TargetFilename|endswith: ".exe"
filter:
TargetFilename|contains:
- '\Temp\Rar$'
- '\Temp\7z'
condition: selection and not filter
level: mediumMalware Analysis Virtual Lab Setup
Host (Linux/Kali)
βββ VirtualBox / VMware
β βββ REMnux v3 (malware analysis tools)
β βββ Windows 10 VM (isolated β FLARE VM + tools)
β β βββ FLARE VM (FireEye's Windows analysis distro)
β β βββ ProcMon, Process Explorer, RegShot
β β βββ x64dbg, IDA Pro, Ghidra
β β βββ Wireshark, FakeNet, TCPView
β β βββ Frida, Python 3
β βββ CAPE Sandbox (analysis engine)
βββ Host-only network (isolated β no internet to real world)
β βββ InetSim (fake DNS, HTTP, SMTP)
βββ Snapshot management (revert after each analysis)
Case Studies
| Studi Kasus | Konteks | Temuan Kunci | Mitigasi Diimplementasi |
|---|---|---|---|
| NotPetya (2017) | Destructive wiper disguised sebagai ransomware β serangan supply chain via M.E.Doc | 1. EternalBlue exploit + credential theft untuk lateral movement. 2. MBR overwrite + file encryption via SMB. 3. Static analysis: section name aneh, EP di section data. 4. Memory: lsass.exe credential dumping, volume shadow copy deletion. | 1. MS17-010 patch. 2. SMB v1 disable. 3. Endpoint detection untuk lateral movement via PsExec/WMI. 4. Air-gapped backup. |
| Emotet Banking Trojan (2018-2021) | Modular loader β spread via spam, menjadi dropper untuk ransomware | 1. PE: packed dengan custom crypter β high entropy. 2. Static: DGA domain pattern (8 char + .com/.net). 3. Dynamic: process hollowing ke svchost.exe. 4. Memory: injected code di svchost.exe β network beaconing. | 1. YARA rule untuk DGA domain. 2. Behavior block: Office macro + OLE embedding. 3. URL reputation + DNS sinkhole. 4. EDR alert: process hollowing pattern. |
| Cobalt Strike Beacon (2024 variant) | Post-exploitation beacon β legitimate tool abused by ransomware gangs | 1. Artifact: pipe names contain βMSSE-β, named pipe impersonation. 2. Network: HTTPS beaconing with JA3 fingerprint 51c64c77f60cβ¦ 3. Memory: reflective DLL loading β tidak ada file di disk. 4. Process: inject into explorer.exe via CreateRemoteThread + queue user APC. | 1. JA3/JA3S fingerprint block. 2. Process creation monitoring β rundll32.exe β explorer.exe (abnormal). 3. Memory scanning untuk reflective loader pattern. |
| PlugX RAT (2023) | China-nexus RAT β USB propagation + encrypted C2 | 1. DLL side-loading via legitimate signed binary + malicious DLL. 2. RC4-encrypted C2 configuration embedded in .rsrc section. 3. USB autorun.inf + hidden directory for propagation. 4. Anti-analysis: checking for debugger via NtQueryInformationProcess. | 1. Autorun disable via GPO. 2. DLL load monitoring (Sysmon Event 7) + signature validation. 3. Encrypted traffic analysis. 4. Application whitelisting (WDAC/AppLocker). |
| Simulated Malware IR (Tabletop, 2024) | Red team deploy custom backdoor β triage full cycle | 1. Triage (L0): VirusTotal 7/70 detection β YARA match to βDCRatβ family. 2. Static (L1): PEStudio β 2 suspicious sections, FLOSS decode base64 C2 URL. 3. Dynamic (L2): connects to C2 after 5-second sleep, downloads second-stage PowerShell payload. 4. Memory (L3): malfind mendeteksi hollowed svchost.exe. 5. Full RE (L4): Ghidra menemukan XOR key 0xAB untuk decrypt config. | 1. C2 domain block via DNS sinkhole. 2. Host isolation. 3. Custom YARA for IOC. 4. Memory scan for all endpoints in same subnet. |
Koneksi ke Vault
- firmware-reverse-engineering-deepdive β RE tingkat firmware/hardware yang melengkapi RE software malware
- endpoint-detection-playbook β triage forensik untuk host terkena malware (RAM dump, Volatility, persistence analysis)
- blueteam-detection-matrix β detection matrix yang mencakup malware behavioral detection
- comprehensive-threat-directory β taksonomi lengkap jenis malware dan threat actor
- ebpf-kernel-security β kernel-level detection (eBPF, Tetragon) untuk malware yang melakukan system call anomaly
- ebpf-beyond-security β eBPF untuk observability performa yang bisa mendeteksi crypto miner atau C2 beacon
- incident-response-framework β konteks IR yang lebih luas (containment, eradication, recovery)
- cobalt-strike dan sliver β C2 framework yang post-exploitation artifact bisa dianalisis dengan teknik di sini
- browser-security-exploitation-deepdive β browser-based malware dan drive-by download analysis
- web-hacking-exploitation β web-based malware injection dan webshell analysis
Referensi
- Mandiant (FLARE). FLARE VM. https://github.com/mandiant/flare-vm
- Mandiant. FLOSS β Obfuscated String Solver. https://github.com/mandiant/floss
- Mandiant. CAPA β Malware Capability Detection. https://github.com/mandiant/capa
- VirusTotal. VirusTotal API Documentation. https://developers.virustotal.com/reference/overview
- YARA. YARA Documentation. https://yara.readthedocs.io/en/stable/
- Volatility Foundation. Volatility 3. https://volatility3.dev/
- Frida. Frida Dynamic Instrumentation. https://frida.re/docs/home/
- Ghidra (NSA). Ghidra RE Framework. https://ghidra-sre.org/
- IDA Pro (Hex-Rays). IDA Disassembler. https://hex-rays.com/ida-pro/
- CAPE Sandbox. CAPE β Malware Sandbox. https://github.com/kevoreilly/CAPE/
- ANY.RUN. Malware Analysis Platform. https://any.run/
- Cuckoo Foundation. Cuckoo Sandbox. https://cuckoosandbox.org/ (archived)
- InetSim. InetSim Documentation. https://www.inetsim.org/
- Monnappa, K A. Learning Malware Analysis. Packt Publishing, 2018.
- Sikorski, Michael & Andrew Honig. Practical Malware Analysis. No Starch Press, 2012.
- Ligh, Michael Hale et al. The Art of Memory Forensics. Wiley, 2014.
- Eagle, Chris. The IDA Pro Book, 2nd Ed. No Starch Press, 2011.
- MITRE ATT&CK. Malware Techniques. https://attack.mitre.org/techniques/enterprise/
- Sigma HQ. Sigma Malware Detection Rules. https://github.com/SigmaHQ/sigma/tree/master/rules/malware/
- OWASP. Malware Analysis Guide. https://owasp.org/www-community/Malware_Analysis
- SANS. FOR610: Reverse Engineering Malware. https://www.sans.org/cyber-security-courses/reverse-engineering-malware/
- Any.Run. Interactive Malware Analysis. https://app.any.run/
- Hybrid Analysis. Malware Analysis Platform. https://www.hybrid-analysis.com/
- Joe Security. Joe Sandbox. https://www.joesecurity.org/
- VirusShare. Malware Samples Collection. https://virusshare.com/
Bottom Line
Malware analysis adalah skill yang dibangun bertahap β mulai dari triage cepat (VirusTotal + YARA + CAPA), lanjut ke static analysis (PEStudio + FLOSS + strings), lalu dynamic di sandbox terisolasi, dan akhirnya memory forensics dengan Volatility. 80% incident response hanya butuh L0βL2; sisanya (L3-L4) untuk APT dan zero-day. Kuncinya: otomatisasi triage dengan YARA + CAPA, sandbox terisolasi untuk dynamic analysis, Volatility untuk post-infection memory artifacts. Investasi paling besar bukan di tool β tapi di lab yang reproducible (REMnux + FLARE VM + snapshots) dan playbook yang terdokumentasi sehingga setiap analyst (junior sekalipun) bisa melakukan triage konsisten dalam <30 menit.