🦠 Malware Analysis & Reverse Engineering β€” Playbook: Static, Dynamic, dan Memory Analysis

Panduan komprehensif analisis malware dan reverse engineering β€” dari triage cepat dan static analysis, sandbox dynamic analysis, memory forensics (Volatility), hingga binary instrumentation (Frida, Unicorn). Mencakup analisis PE (Portable Executable) dan ELF (Executable and Linkable Format), packing/unpacking detection, YARA rule authoring, serta incident-response triage menggunakan FLOSS, CAPA, dan IDA Pro/Ghidra workflow.

Hubungan ke Vault

Nota ini terkait dengan firmware-reverse-engineering-deepdive untuk RE tingkat firmware/hardware, endpoint-detection-playbook untuk triage forensik di host yang mungkin terinfeksi, blueteam-detection-matrix untuk deteksi behavioral malware, comprehensive-threat-directory untuk taksonomi jenis malware, ebpf-kernel-security dan ebpf-beyond-security untuk kernel-level detection of malware behavior, serta incident-response-framework untuk konteks IR yang lebih luas.


Daftar Isi


Foundation

Tingkat Analisis Malware

LevelTujuanAlatKecepatanKedalaman
L0 β€” TriageDetermine: malicious? family? IoC?VirusTotal, Hybrid Analysis, YARA, CAPA⚑ (5-10 menit)Dangkal
L1 β€” Static AnalysisExtract strings, imports, exports, sections, metadata tanpa eksekusiPEStudio, Detect It Easy (DiE), strings, FLOSS, Ghidra⚑⚑ (15-30 menit)Medium
L2 β€” Dynamic AnalysisObserve behavior in sandbox: network, filesystem, registry, processCuckoo Sandbox, CAPE, ANY.RUN, ProcMon, Wireshark⏱️ (30-60 menit)Medium-High
L3 β€” Memory AnalysisDump dan analisis RAM untuk malware artifactsVolatility 3, Rekall, LiME, winpmem⏱️⏱️ (1-2 jam)High
L4 β€” Full Reverse EngineeringDisassemble β†’ decompile β†’ understand full logicIDA Pro, Ghidra, Binary Ninja, x64dbg, GDB🧠 (hari-minggu)Full

Kapan berhenti? Jika tujuan adalah incident response, L0–L2 sudah cukup untuk containment dan remediation. Full RE (L4) diperlukan jika malware adalah zero-day, APT tool, atau butuh custom signature untuk EDR.

Format File β€” PE vs ELF vs Mach-O

FiturPE (Windows)ELF (Linux)Mach-O (macOS)
StrukturDOS Header β†’ PE Header β†’ Section Headers β†’ SectionsELF Header β†’ Program Headers β†’ Section Headers β†’ SectionsMach-O Header β†’ Load Commands β†’ Segments/Sections
Entry pointAddressOfEntryPoint (relatif ke ImageBase)e_entry (virtual address)LC_MAIN load command
ImportsIMAGE_DIRECTORY_ENTRY_IMPORT (IAT).dynsym + .dynstr sectionsLC_DYLD_INFO
ExportsIMAGE_DIRECTORY_ENTRY_EXPORT (EAT).dynsym (STB_GLOBAL)LC_DYLD_INFO (export trie)
Sections umum.text, .data, .rdata, .rsrc, .reloc.text, .data, .bss, .rodata, .plt, .got__TEXT, __DATA, __LINKEDIT
ASLR/DYNAMICBASE linker option-pie compiler flagDefault (PIE mandatory since 10.7)

Technical Deep-Dive

L0 β€” Triage Cepat

VirusTotal Automation (CLI)

# Submit file
curl -X POST "https://www.virustotal.com/api/v3/files" \
  -H "x-apikey: $VT_API_KEY" \
  -F "file=@sample.exe"
 
# Check hash
curl -X GET "https://www.virustotal.com/api/v3/files/$HASH" \
  -H "x-apikey: $VT_API_KEY" | jq '.data.attributes.last_analysis_stats'

YARA First Pass β€” Rule Authoring

rule APT_Malware_Generic {
    meta:
        description = "Generic APT malware detection β€” mutex + API patterns"
        author = "SOC Team"
        date = "2026-07-15"
        hash = "a1b2c3d4..."
    strings:
        // Mutex names (common APT families)
        $m1 = "Global\\{457224D0-1B01-11D3-BC1D-0090271B6B21}" ascii wide
        $m2 = "Global\\Mutex_MSWinUpdate" ascii wide
 
        // Suspicious API sequences
        $a1 = "VirtualAllocEx" ascii fullword
        $a2 = "WriteProcessMemory" ascii fullword
        $a3 = "CreateRemoteThread" ascii fullword
 
        // C2 indicators
        $c1 = "http://" ascii
        $c2 = "Command=" ascii
        $c3 = "&id=" ascii
    condition:
        (1 of ($m*)) and (2 of ($a*)) and (any of ($c*))
}
 
rule UPX_Packed {
    meta:
        description = "UPX packed executable"
    strings:
        $upx = "UPX!" ascii
        $upx0 = "UPX0" ascii
        $upx1 = "UPX1" ascii
    condition:
        $upx at 0 and ($upx0 or $upx1)
}

CAPA β€” Automatic Malware Capability Detection

CAPA (FireEye/Mandiant) mendeteksi kemampuan malware dari binary tanpa perlu eksekusi:

# Install
pip install flare-capa
 
# Run
capa sample.exe -j > capabilities.json
 
# Output sample
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ CAPA v7.0 β€” sample.exe       β”‚
β”‚ MD5: a1b2c3...               β”‚
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ ATT&CK Tactic: Execution     β”‚
β”‚   - T1059 Command & Scriptingβ”‚
β”‚ ATT&CK Tactic: Defense Evasion β”‚
β”‚   - T1027 Obfuscated Files   β”‚
β”‚   - T1140 Deobfuscate/Decode β”‚
β”‚ MBC Method: Process::Create  β”‚
β”‚   - CreateProcess API        β”‚
β”‚ Networking                   β”‚
β”‚   - HTTP communication       β”‚
β”‚   - Encode data with Base64  β”‚
β”‚ Persistence                  β”‚
β”‚   - Registry Run Key         β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

L1 β€” Static Analysis

PE File Structure

β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚ DOS Header           β”‚ ← "MZ" magic, e_lfanew offset
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ DOS Stub             β”‚ ← "This program cannot be run in DOS mode"
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ PE Header (NT Header)β”‚
β”‚  β”œβ”€ Signature        β”‚ ← "PE\\0\\0"
β”‚  β”œβ”€ File Header      β”‚ ← machine, sections, timestamp, symbol info
β”‚  └─ Optional Header  β”‚ ← entry point, image base, subsystem, DLL characteristics
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Section Headers      β”‚ ← .text, .data, .rdata, .rsrc, .reloc
β”œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€
β”‚ Sections (raw data)  β”‚
β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

Anomali PE yang patut dicurigai:

AnomaliDeskripsiTingkat Kecurigaan
SizeOfHeaders abnormal> 0x1000 β€” kemungkinan overlay data🟑 Medium
Section name aneh.abc, .zdata, ..text β€” bukan nama standar🟑 Medium
Section RawSize β‰  VirtualSizePacker atau custom loader β€” data terkompresiπŸ”΄ High
EntryPoint di section non-.textCode execution dari .data atau .rdataπŸ”΄ High
Subsystem = IMAGE_SUBSYSTEM_NATIVEDriver atau bootkitπŸ”΄ High
DLL Characteristics = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASENormal untuk legitimate β€” tapi banyak juga malware yang enable🟒 Low
Rich Header anehPadding anomali β€” bisa mengandung kompiler fingerprint🟑 Medium
Many sections (>12)Legit bisa, tetapi umum pada packer🟑 Medium
Import Address Table kosongResolved at runtime β€” dynamic loadingπŸ”΄ High

FLOSS β€” FireEye Labs Obfuscated String Solver

FLOSS mengekstrak string yang di-decode/de-obfuscate secara statis (tanpa eksekusi):

floss sample.exe --output floss-results.txt

Mendukung: stack strings, tight strings, decoded strings dari function arguments. Hasil:

-------------------
| FLOSS RESULTS    |
-------------------
Decoded Strings:
  - "http://malware-c2.example.com/gate.php"
  - "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
  - "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
  - "C:\\Users\\Public\\svchost.exe"
  - "x86_64-linux-gnu.so"   [suspicious β€” Windows binary with Linux string]
Stack Strings:
  - "WinExec"
  - "URLDownloadToFileA"
  - "CreateToolhelp32Snapshot" [process enumeration]
  - "OpenProcess"
  - "VirtualAllocEx"

Ghidra / IDA Workflow β€” Dasar

1. Load binary β†’ Select loader (PE/ELF)
2. Auto-analysis β†’ Wait for initial decompilation
3. Check entry point function (usually `start` or `entry`)
4. Identify main function (follow reference from entry)
5. Rename key variables and functions
6. Look for:
   - URL/domain strings β†’ C2 indicators
   - Decryption loops β†’ XOR, RC4, AES
   - Process injection APIs β†’ CreateRemoteThread, NtCreateThreadEx
   - COM object creation β†’ persistence or lateral movement
7. Create custom structs for configuration data
8. Export pseudo-code + notes β†’ write report

L2 β€” Dynamic Analysis (Sandbox)

Cuckoo Sandbox / CAPE Setup Minimal

CAPE (Cuckoo Augmented PE) β€” fork aktif dari Cuckoo:

# Install (Ubuntu 22.04)
sudo apt-get install python3-pip postgresql tcpdump genisoimage
git clone https://github.com/kevoreilly/CAPE/
cd CAPE
pip3 install -r requirements.txt
python3 cuckoo.py initdb
# Start
python3 cuckoo.py --debug

Untuk IR cepat β€” menggunakan ANY.RUN atau Joe Sandbox online:

# Submit ke ANY.RUN via API
curl -X POST "https://api.any.run/v1/analysis" \
  -H "Authorization: Bearer $ANY_RUN_KEY" \
  -F "file=@sample.exe" \
  -F "env_os=windows-10" \
  -F "env_bitness=64"

Analisis Sandbox β€” Yang Harus Diperhatikan

AspekIndikator MalwareTool/Catatan
Process treerundll32.exe spawns powershell.exe β†’ cmd.exe β†’ svchost.exeProcess Hacker, ProcMon
NetworkDNS query to DGA domain, HTTP POST to /gate.php, C2 beacon intervalWireshark, FakeNet, INetSim
RegistryRun key write, AppInit_DLLs modification, service creationProcMon, RegShot
FilesystemDrop file to %TEMP%, create hidden file, modify hosts fileFileSystem Scanner, ProcMon
Named pipesCreate named pipe for IPC (keylogger, backconnect)PipeList, Sysmon Event 17/18
MutexCreate unique mutex β€” bisa jadi [1] single-instance guard, [2] family fingerprintHandle, Process Explorer
InjectionWriteProcessMemory + CreateRemoteThread ke explorer.exe atau svchost.exeAPI Monitor, Sysmon Event 8/10
Anti-VMQuery SELECT * FROM Win32_ComputerSystem β†’ check Model = β€œVirtualBox”Wireshark + ProcMon

InetSim β€” Fake Network Services untuk Dynamic Analysis

# Install
sudo apt install inetsim
# Config: /etc/inetsim/inetsim.conf
start_service dns,http,https,smtp,pop3,imap,ftp,tftp,irc,nntp
# Run
sudo inetsim

Advanced

Memory Forensics dengan Volatility 3

Volatility 3 adalah framework memory analysis open-source. Tidak lagi memerlukan profile β€” auto-detect OS.

# Install
pip3 install volatility3
 
# Dapatkan memory dump (dari host yang dicurigai terinfeksi)
# Windows: winpmem (https://github.com/Velocidex/WinPmem)
winpmem_mini_x64_rc2.exe mem.dmp
 
# Linux: LiME (https://github.com/504ensicsLabs/LiME)
insmod lime.ko "path=mem.dmp format=lime"
 
# Dasar Volatility 3
vol -f mem.dmp windows.pslist.PsList
vol -f mem.dmp windows.psscan.PsScan     # hidden/unlinked processes
vol -f mem.dmp windows.netscan.NetScan   # network connections
vol -f mem.dmp windows.dlllist.DllList   # loaded DLLs per process
vol -f mem.dmp windows.cmdline.CmdLine   # command line arguments
vol -f mem.dmp windows.filescan.FileScan # file handles

Proses Mencurigakan β€” Checklist Memory Analysis

IndikatorVolatility PluginApa yang Dicari
Hidden processpsscan vs pslistProses ada di psscan tapi tidak di pslist = rootkit process hiding
No parentpstreePPID 0 atau PPID tidak ada = process didirectly injected
Suspicious offsetpsscan_EPROCESS offset tidak biasa antara pool tags
False binary pathcmdline, envarsC:\Windows\System32\rundll32.exe tapi DLL dari C:\Users\Public\
Injected codemalfind, vadinfoRWX memory region yang bukan image mapping β€” inject detection
API hookingapihooksInline hooks di ntdll.dll, kernel32.dll β€” userland rootkit
Suspicious handleshandlesHandle ke proses lain dengan PROCESS_ALL_ACCESS
Malfind outputmalfindMemory page dengan karakteristik VAD mismatch + execute permission
Driver signaturemodscan, driverirpDriver unsigned, IRP hooking
Registry hivehivelist, hivedumpAbnormal registry keys, persistence

MalFind β€” Deteksi Process Injection

vol -f mem.dmp windows.malfind.Malfind --pid 1234
 
# Output example:
# Process: lsass.exe PID: 672
# Address 0x7f3d0000 tag: VAD
# File: ???
# Protect: PAGE_EXECUTE_READWRITE
# --- Hex dump (16 bytes) ---
# 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 ...
# --- Disassembly ---
# 0x7f3d0000    jmp     0x7f3d0010
# 0x7f3d0002    nop
#
# β†’ MALICIOUS: PE header (MZ) mapped in lsass with RWX β€” classic process hollowing

Binary Instrumentation β€” Frida

Frida untuk dynamic instrumentation tanpa perlu reverse engineering penuh:

# hook.js
Interceptor.attach(Module.findExportByName("kernel32.dll", "CreateRemoteThread"), {
    onEnter: function(args) {
        console.log("[+] CreateRemoteThread called");
        console.log("    hProcess:", args[0]);
        console.log("    lpStartAddress:", args[2]);
        console.log("    lpParameter:", args[3]);
        this.startAddress = args[2];
    },
    onLeave: function(retval) {
        console.log("    Thread handle:", retval);
    }
});
 
# Run
frida "notepad.exe" -l hook.js --no-pause

Advanced Frida β€” Dekripsi Runtime

# intercept_decrypt.js
// Asumsikan malware punya fungsi decrypt di offset 0x401000
var decryptFunc = new NativePointer(ptr(Module.findBaseAddress("sample.exe")).add(0x1000));
Interceptor.attach(decryptFunc, {
    onEnter: function(args) {
        this.buffer = args[0];
        this.length = args[1].toInt32();
    },
    onLeave: function(retval) {
        // read decrypted data
        var decrypted = this.buffer.readByteArray(this.length);
        console.log("[+] Decrypted data:", hexdump(decrypted, { length: this.length }));
    }
});

YARA β€” Rule Authoring Advanced

YARA Module β€” PE-specific

import "pe"
 
rule APT_Malware_DLL {
    meta:
        description = "Detects APT malware DLL with specific PE characteristics"
    condition:
        pe.is_dll and
        pe.number_of_sections == 4 and
        pe.section_names[0] == ".text" and
        pe.section_names[1] == ".rdata" and
        pe.section_names[2] == ".data" and
        pe.section_names[3] == ".rsrc" and
        pe.entry_point >= 0x1000 and
        for any i in (0..pe.number_of_sections - 1):
            (
                pe.sections[i].raw_data_size >
                pe.sections[i].virtual_size and
                pe.sections[i].raw_data_size > 0
            )
}
 
rule C2_Domain_Regex {
    meta:
        description = "Mendeteksi C2 domain pattern dalam string"
    strings:
        // DGA-like domain patterns
        $dga1 = /http:\/\/[a-z]{8,12}\.(com|net|tk|cf|ga|ml)/
        // Base64-encoded C2
        $b64c2 = /[A-Za-z0-9+\/]{40,}={0,2}/
    condition:
        any of ($dga1) and #b64c2 > 3
}

YARA Module β€” Math (Entropy)

import "math"
 
rule High_Entropy_Section {
    meta:
        description = "Mendeteksi section dengan entropi tinggi β€” kemungkinan packed/encrypted"
    condition:
        for any i in (0..pe.number_of_sections - 1):
            (
                math.entropy(pe.sections[i].raw_data_offset, pe.sections[i].raw_data_size) > 7.0 and
                pe.sections[i].raw_data_size > 4096
            )
}

Packers vs Crypters β€” Detection

TypeKarakteristikDetection
UPXCompressed sections (UPX0, UPX1, UPX!), entry point OEP restoreYARA string β€œUPX!” + section names
ThemidaAnti-debug, anti-VM, imported code obfuscationSection .themida, high entropy, EP obfuscated
VMProtectCode virtualization, anti-debugLarge .text section with virtualized bytecode
CryptersEncrypt original PE β†’ decrypt at runtime in memoryEmulation detection, anti-sandbox, delayed execution
ConfuserEx.NET obfuscator β€” rename, constant encryption, control flowDetect via metadata + string patterns
Obfuscator-LLVMLLVM pass β†’ control flow flattening, bogus control flowNo specific section pattern; anomaly in instruction distribution

Unpacking β€” generic approach:

  1. Determine packer (Detect It Easy / DiE)
  2. Set hardware breakpoint on OEP (use x64dbg or OllyDbg)
  3. Dump process memory after OEP reached
  4. Rebuild IAT (Import Address Table) β€” use Scylla plugin
  5. Re-analyze with Ghidra/IDA

Sigma Rules untuk Malware Behavior Detection

Process Injection via CreateRemoteThread

title: CreateRemoteThread Detected
id: 4a1b2c3d-9e8f-7a6b-5c4d-3e2f1a0b9c8d
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 8 # CreateRemoteThread
    SourceImage|endswith:
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\mshta.exe'
      - '\powershell.exe'
      - '\wmic.exe'
    TargetImage|endswith:
      - '\explorer.exe'
      - '\svchost.exe'
      - '\winlogon.exe'
      - '\lsass.exe'
    StartAddress|endswith:
      - '\ntdll.dll'
      - '\kernel32.dll'
  condition: selection
level: high

Malicious Service Installation

title: Suspicious Service Installed in User Temp
id: 7b8c9d0e-1f2a-3b4c-5d6e-7f8a9b0c1d2e
status: experimental
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 11 # FileCreate
    TargetFilename|contains:
      - '\AppData\Local\Temp\'
      - '\Users\Public\'
    TargetFilename|endswith: ".exe"
  filter:
    TargetFilename|contains:
      - '\Temp\Rar$'
      - '\Temp\7z'
  condition: selection and not filter
level: medium

Malware Analysis Virtual Lab Setup

Host (Linux/Kali)
β”œβ”€β”€ VirtualBox / VMware
β”‚   β”œβ”€β”€ REMnux v3 (malware analysis tools)
β”‚   β”œβ”€β”€ Windows 10 VM (isolated β€” FLARE VM + tools)
β”‚   β”‚   β”œβ”€β”€ FLARE VM (FireEye's Windows analysis distro)
β”‚   β”‚   β”œβ”€β”€ ProcMon, Process Explorer, RegShot
β”‚   β”‚   β”œβ”€β”€ x64dbg, IDA Pro, Ghidra
β”‚   β”‚   β”œβ”€β”€ Wireshark, FakeNet, TCPView
β”‚   β”‚   └── Frida, Python 3
β”‚   └── CAPE Sandbox (analysis engine)
β”œβ”€β”€ Host-only network (isolated β€” no internet to real world)
β”‚   └── InetSim (fake DNS, HTTP, SMTP)
└── Snapshot management (revert after each analysis)

Case Studies

Studi KasusKonteksTemuan KunciMitigasi Diimplementasi
NotPetya (2017)Destructive wiper disguised sebagai ransomware β€” serangan supply chain via M.E.Doc1. EternalBlue exploit + credential theft untuk lateral movement. 2. MBR overwrite + file encryption via SMB. 3. Static analysis: section name aneh, EP di section data. 4. Memory: lsass.exe credential dumping, volume shadow copy deletion.1. MS17-010 patch. 2. SMB v1 disable. 3. Endpoint detection untuk lateral movement via PsExec/WMI. 4. Air-gapped backup.
Emotet Banking Trojan (2018-2021)Modular loader β†’ spread via spam, menjadi dropper untuk ransomware1. PE: packed dengan custom crypter β†’ high entropy. 2. Static: DGA domain pattern (8 char + .com/.net). 3. Dynamic: process hollowing ke svchost.exe. 4. Memory: injected code di svchost.exe β†’ network beaconing.1. YARA rule untuk DGA domain. 2. Behavior block: Office macro + OLE embedding. 3. URL reputation + DNS sinkhole. 4. EDR alert: process hollowing pattern.
Cobalt Strike Beacon (2024 variant)Post-exploitation beacon β€” legitimate tool abused by ransomware gangs1. Artifact: pipe names contain β€œMSSE-”, named pipe impersonation. 2. Network: HTTPS beaconing with JA3 fingerprint 51c64c77f60c… 3. Memory: reflective DLL loading β€” tidak ada file di disk. 4. Process: inject into explorer.exe via CreateRemoteThread + queue user APC.1. JA3/JA3S fingerprint block. 2. Process creation monitoring β€” rundll32.exe β†’ explorer.exe (abnormal). 3. Memory scanning untuk reflective loader pattern.
PlugX RAT (2023)China-nexus RAT β€” USB propagation + encrypted C21. DLL side-loading via legitimate signed binary + malicious DLL. 2. RC4-encrypted C2 configuration embedded in .rsrc section. 3. USB autorun.inf + hidden directory for propagation. 4. Anti-analysis: checking for debugger via NtQueryInformationProcess.1. Autorun disable via GPO. 2. DLL load monitoring (Sysmon Event 7) + signature validation. 3. Encrypted traffic analysis. 4. Application whitelisting (WDAC/AppLocker).
Simulated Malware IR (Tabletop, 2024)Red team deploy custom backdoor β€” triage full cycle1. Triage (L0): VirusTotal 7/70 detection β†’ YARA match to β€œDCRat” family. 2. Static (L1): PEStudio β€” 2 suspicious sections, FLOSS decode base64 C2 URL. 3. Dynamic (L2): connects to C2 after 5-second sleep, downloads second-stage PowerShell payload. 4. Memory (L3): malfind mendeteksi hollowed svchost.exe. 5. Full RE (L4): Ghidra menemukan XOR key 0xAB untuk decrypt config.1. C2 domain block via DNS sinkhole. 2. Host isolation. 3. Custom YARA for IOC. 4. Memory scan for all endpoints in same subnet.

Koneksi ke Vault


Referensi

  1. Mandiant (FLARE). FLARE VM. https://github.com/mandiant/flare-vm
  2. Mandiant. FLOSS β€” Obfuscated String Solver. https://github.com/mandiant/floss
  3. Mandiant. CAPA β€” Malware Capability Detection. https://github.com/mandiant/capa
  4. VirusTotal. VirusTotal API Documentation. https://developers.virustotal.com/reference/overview
  5. YARA. YARA Documentation. https://yara.readthedocs.io/en/stable/
  6. Volatility Foundation. Volatility 3. https://volatility3.dev/
  7. Frida. Frida Dynamic Instrumentation. https://frida.re/docs/home/
  8. Ghidra (NSA). Ghidra RE Framework. https://ghidra-sre.org/
  9. IDA Pro (Hex-Rays). IDA Disassembler. https://hex-rays.com/ida-pro/
  10. CAPE Sandbox. CAPE β€” Malware Sandbox. https://github.com/kevoreilly/CAPE/
  11. ANY.RUN. Malware Analysis Platform. https://any.run/
  12. Cuckoo Foundation. Cuckoo Sandbox. https://cuckoosandbox.org/ (archived)
  13. InetSim. InetSim Documentation. https://www.inetsim.org/
  14. Monnappa, K A. Learning Malware Analysis. Packt Publishing, 2018.
  15. Sikorski, Michael & Andrew Honig. Practical Malware Analysis. No Starch Press, 2012.
  16. Ligh, Michael Hale et al. The Art of Memory Forensics. Wiley, 2014.
  17. Eagle, Chris. The IDA Pro Book, 2nd Ed. No Starch Press, 2011.
  18. MITRE ATT&CK. Malware Techniques. https://attack.mitre.org/techniques/enterprise/
  19. Sigma HQ. Sigma Malware Detection Rules. https://github.com/SigmaHQ/sigma/tree/master/rules/malware/
  20. OWASP. Malware Analysis Guide. https://owasp.org/www-community/Malware_Analysis
  21. SANS. FOR610: Reverse Engineering Malware. https://www.sans.org/cyber-security-courses/reverse-engineering-malware/
  22. Any.Run. Interactive Malware Analysis. https://app.any.run/
  23. Hybrid Analysis. Malware Analysis Platform. https://www.hybrid-analysis.com/
  24. Joe Security. Joe Sandbox. https://www.joesecurity.org/
  25. VirusShare. Malware Samples Collection. https://virusshare.com/

Bottom Line

Malware analysis adalah skill yang dibangun bertahap β€” mulai dari triage cepat (VirusTotal + YARA + CAPA), lanjut ke static analysis (PEStudio + FLOSS + strings), lalu dynamic di sandbox terisolasi, dan akhirnya memory forensics dengan Volatility. 80% incident response hanya butuh L0–L2; sisanya (L3-L4) untuk APT dan zero-day. Kuncinya: otomatisasi triage dengan YARA + CAPA, sandbox terisolasi untuk dynamic analysis, Volatility untuk post-infection memory artifacts. Investasi paling besar bukan di tool β€” tapi di lab yang reproducible (REMnux + FLARE VM + snapshots) dan playbook yang terdokumentasi sehingga setiap analyst (junior sekalipun) bisa melakukan triage konsisten dalam <30 menit.