Chapter 32 — Key Takeaways
The big idea
Malware forensics is a defensive, deliverable-driven discipline: you analyze a weapon that has already been used in order to scope the breach, evict the attacker, and produce detections — going only as deep as the case requires, and never one step into weaponization. A breach without malware analysis is a breach you cannot scope. The point is not to admire the code or to reverse-engineer every instruction (that is a different specialty, on a different budget); it is to extract six concrete deliverables — capabilities, persistence, communications, IOCs, attribution, scope — as fast and as defensibly as possible, and to stop when eviction and the report have what they need. You take the weapon the forensic process recovered and turn one infected host into a signature for the whole intrusion.
Safety is the foundation, not an afterthought
A live sample is a loaded weapon: assume it will go off and never point it at anything you are unwilling to destroy.
- Isolated by default. REMnux + FLARE-VM on a host-only network, no route to host/LAN/internet, no shared folders/clipboard/drag-and-drop.
- Snapshot, detonate, revert. The VM is disposable; never reuse a "dirty" one.
- Fake the internet (INetSim / FakeNet-NG) so C2 behavior is observable while no packet escapes.
- The original is sacred. Hash at acquisition, keep the evidentiary copy sealed with its chain of custody, work only on copies; defang filenames and store samples in a password-protected (
infected) zip. - Stay on the right side of the line. Possessing and analyzing malware under authorization is lawful; logging into the C2 to "hack back" can violate 18 U.S.C. § 1030 — foreign infrastructure runs through MLAT, not your keyboard.
Static then dynamic: the two passes
| Pass | Answers | Key moves |
|---|---|---|
| Static (safe, fast) | What can it do? | true file type (file), SHA-256 (identity) + imphash & ssdeep (clustering), hash-only reputation, strings (ASCII and UTF-16LE), PE/ELF header, import table = capability spec, section entropy (>7.0 ≈ packed/encrypted) |
| Dynamic (behavior) | What does it do? | snapshot → instrument the four domains (process, file, registry, network) → detonate → revert; Procmon, Regshot diff, Process Hacker, Wireshark; Cuckoo/CAPE self-hosted, ANY.RUN for commodity only |
OPSEC rule to carry: in a targeted incident, look up the hash, do not upload the sample — uploads are visible to actors who monitor for their own hashes. Self-host (CAPE/FLARE-VM); public services are for commodity malware.
Detection beats description: IOCs and the Pyramid of Pain
A finding that lives only in your notebook protects no one. Externalize it: YARA (files and memory), Sigma (logs), IOC lists (SIEM/firewall), shared via STIX/TAXII, MISP, OpenIOC — defanged (185[.]220[.]101[.]47, hxxps://).
| Pyramid tier | Example | Cost to attacker |
|---|---|---|
| TTPs (behavior) | "spawns cmd.exe→schtasks, then beacons" |
tough — relearn how to operate |
| Tools / Host & Network artifacts | mutex Global\MSCTF_x7f3a2b, WH/1.2 UA, /gate, task name |
challenging / annoying |
| Domains / IPs | api.cloudmetric-sync.net, 185.220.101.47 |
simple / easy — rotate |
| Hash values | b41c0e9a… |
trivial — recompile = new hash |
Collect the easy indicators, but invest your best detections (YARA on durable strings, Sigma on behaviors) high on the pyramid. Map capabilities to MITRE ATT&CK so your findings speak the common language: persistence (T1547.001 / T1543.003 / T1053.005 / T1546.003 WMI), injection (T1055), keylogging (T1056.001), C2 (T1071.001 / T1573), exfil (T1041), lateral movement (T1021 / T1570).
Say what the method supports
Static proves capability, not behavior ("the binary imports the injection API set," not "it injected"). Attribution is an intelligence assessment with a confidence level, not a forensic certainty. And sometimes the honest finding is "insufficient to fully characterize" — anti-VM, packing you cannot unpack, or environment-gated behavior bounds what you can establish. State the limits; that is theme five made concrete.
You can now…
- ☐ Build and operate a safe, isolated malware lab and handle a live sample without endangering your host, network, or the evidence.
- ☐ Run a static triage — true file type, identity and similarity hashing, OPSEC-aware reputation, strings, import-table reading, entropy detection of packing.
- ☐ Write YARA rules that target durable indicators and match both files and memory images.
- ☐ Detonate safely across the four monitoring domains — including faking the internet to reveal C2 — and tell capability from behavior in your wording.
- ☐ Produce a defanged, ATT&CK-mapped IOC package weighted by the Pyramid of Pain, and feed it back to triage to scope the whole breach.
Looking ahead
Chapter 33 — Cryptocurrency Investigation. When the WEB-07 operators or the ransomware crew of Chapter 12 demand payment in Bitcoin, you follow the money: trace the wallets, cluster the addresses, and turn the C2's profit motive into another evidentiary trail.
One sentence to carry forward: Analyze the weapon, distill it into durable detections, hunt with them, evict comprehensively — an analysis that does not end in shareable indicators has not finished its job.