Malware Analysis Workflow
Analyzing suspicious files and binaries to understand their capabilities, behavior, and indicators of compromise. Covers safe environment setup, static analysis, dynamic execution in sandboxes, behavioral monitoring, and IOC extraction for threat intelligence sharing.
Safe Environment Setup
Before touching the sample, prepare an isolated analysis environment: a dedicated VM used for nothing else, with snapshots, no route to production systems, and shared folders, clipboard sharing and drag-and-drop disabled (each of those is a channel out of the guest). Install your analysis tools on the VM ahead of time, then take a clean snapshot so you can revert after every detonation. The goal is that nothing the sample does can reach anything outside the lab.
Tip: Use a VM with host-only networking or an isolated virtual network, and keep the host's own firewall between the guest and everything else. REMnux (Linux) and FLARE VM (Windows) are purpose-built analysis VMs with tools pre-installed. Always work from a snapshot so you can revert to a clean state. If analyzing ransomware or wipers, make sure none of your analysis files or samples live on a drive the VM can reach; a mapped share is exactly what such payloads go looking for.
Initial Triage and File Identification
Identify what you're working with before diving deep. Check the file type from its magic bytes rather than its extension, hash it (MD5, SHA1, SHA256; add ssdeep or imphash for similarity matching), look the hash up in malware databases such as VirusTotal, and form a first impression: is it packed, obfuscated, or a known family? This initial triage tells you which analysis approach to take and whether someone has already analyzed this sample.
Tip: Detect It Easy (DIE) identifies file types, packers, compilers, and cryptographic signatures. Run YARA rules against the sample to check for matches against known malware families. Look the hash up on VirusTotal for existing analysis, but do not upload the sample itself to public services if the source is confidential or the incident is still active: the attacker may be watching for their sample to appear, and the file may contain victim data.
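The triage steps above (hashing, magic-byte identification, and a packer check) as one script. This is an added example, not code from the page or from any of the tools it names; the magic table and packer section list are small constructed subsets, and `build_sample_pe()` fabricates a non-runnable PE image with UPX-style sections so the script has something to chew on offline. It walks the PE section table with the standard library only and flags the two classic packing signs: a section that is empty on disk but large in memory, and a section whose entropy is near 8 bits per byte.

```python
import hashlib
import math
import struct

# Magic-byte table (constructed for this example; extend as needed).
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (OOXML, JAR, APK ...)"),
    (b"%PDF", "PDF document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "gzip stream"),
]
# Section names left behind by common packers and protectors.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida",
                   ".vmp0", ".vmp1", ".petite", "MPRESS1", "MPRESS2"}


def hashes(data):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def identify(data):
    """File type from magic bytes, never from the extension."""
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return "unknown"


def entropy(data):
    """Shannon entropy in bits per byte (0..8). Packed or encrypted data sits near 7.5+."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Walk the PE section table with the standard library only. Returns [] if not a PE."""
    if not data.startswith(b"MZ") or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return []
    coff = e_lfanew + 4                          # COFF header follows the signature
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(n_sections):
        hdr = data[table + 40 * i:table + 40 * (i + 1)]
        if len(hdr) < 40:
            break                                # truncated sample
        name = hdr[:8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", hdr, 8)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(entropy(raw), 2)})
    return sections


def packer_hints(sections):
    hints = []
    for s in sections:
        if s["name"] in PACKER_SECTIONS:
            hints.append(f"section name {s['name']} belongs to a known packer")
        if s["raw_size"] and s["entropy"] > 7.0:
            hints.append(f"section {s['name']} has high entropy ({s['entropy']})")
        if s["raw_size"] == 0 and s["virtual_size"]:
            hints.append(f"section {s['name']} is empty on disk but {s['virtual_size']:#x} "
                         "bytes in memory (unpacking target)")
    return hints


def triage(data):
    sections = pe_sections(data)
    return {**hashes(data), "size": len(data), "type": identify(data),
            "entropy": round(entropy(data), 2), "sections": sections,
            "packer_hints": packer_hints(sections)}


def build_sample_pe():
    """Constructed, non-runnable PE image with UPX-style sections, for demonstration only."""
    e_lfanew, opt_size, n_sections = 0x40, 0xE0, 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n_sections, 0, 0, 0, opt_size, 0x102)
    payload = bytes(range(256)) * 4              # every byte value equally often: entropy 8.0
    data_off = e_lfanew + 4 + 20 + opt_size + 40 * n_sections

    def section(name, vsize, vaddr, rawsize, rawptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize,
                                                   rawptr, 0, 0, 0, 0, 0xE0000040)

    table = (section(b"UPX0", 0x1000, 0x1000, 0, 0)
             + section(b"UPX1", len(payload), 0x2000, len(payload), data_off))
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + payload
```

`triage(open(path, "rb").read())` on a real file gives you the hashes to look up, the type to pick tools by, and the packer hints that decide whether static analysis can start or unpacking comes first. Entropy alone is a heuristic: compressed resources and embedded certificates are also high-entropy, so treat it as a prompt to look, not a verdict.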
Static Analysis
Analyze the binary without executing it. Extract strings, examine imports and exports, identify embedded resources, and look for suspicious API calls. Imports reveal intent even when strings are obfuscated, and an import table consisting of little more than LoadLibrary and GetProcAddress is itself a sign that the sample is packed or resolves its APIs at runtime. Use automated capability detection to understand what the malware can do (file operations, network communication, persistence mechanisms, encryption). If the sample is packed, unpack it first; static results on a packed stub describe the packer, not the payload.
Tip: capa automatically identifies malware capabilities by matching the binary against a rule set - it reports things like 'creates a service for persistence' or 'communicates via HTTP', mapped to ATT&CK techniques. Ghidra provides full disassembly and decompilation for deep analysis. ImHex is excellent for hex-level inspection of file structures. PE-sieve works on running processes rather than files: run it on the live VM after detonation to detect code injection and hollowing and to dump the unpacked payload for static analysis.
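A minimal version of the strings-and-imports pass described above, as an added example (not code from the page, and not how capa works internally). It extracts ASCII and UTF-16LE strings the way `strings -a` and `strings -el` would, buckets API names into capability categories using a constructed lookup table that only loosely mirrors capa's categories, pulls out URL, IP, Run-key and user-agent indicators, and raises the "only loader APIs imported" packing warning from the paragraph. `SAMPLE` and `PACKED_SAMPLE` are constructed byte blobs standing in for a sample's import table and data section.

```python
import re
from collections import defaultdict

# Printable ASCII and UTF-16LE runs of at least six characters.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Rough capability map from imported API names (constructed; far smaller than capa's rules).
CAPABILITIES = {
    "process injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                          "NtUnmapViewOfSection", "QueueUserAPC", "SetThreadContext"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA", "CreateServiceW"},
    "network": {"InternetOpenA", "InternetOpenW", "InternetOpenUrlA", "HttpOpenRequestA",
                "WinHttpOpen", "WSAStartup", "URLDownloadToFileA"},
    "anti-analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "OutputDebugStringA"},
    "crypto": {"CryptAcquireContextA", "CryptEncrypt", "CryptDecrypt", "BCryptEncrypt"},
    "execution": {"CreateProcessA", "CreateProcessW", "ShellExecuteA", "ShellExecuteW", "WinExec"},
    "dynamic import resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
}

INDICATORS = {
    "url": re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "run_key": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?", re.I),
    "user_agent": re.compile(r"Mozilla/\d\.\d\S*"),
}


def extract_strings(data):
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(data)]
    return found


def analyze_strings(data):
    strings = extract_strings(data)
    caps, iocs = defaultdict(set), defaultdict(set)
    for s in strings:
        for cap, apis in CAPABILITIES.items():
            if s in apis:                    # import names are NUL-terminated, so exact match
                caps[cap].add(s)
        for kind, pattern in INDICATORS.items():
            for m in pattern.finditer(s):
                iocs[kind].add(m.group())
    notes = []
    imported = set().union(*caps.values())
    if imported and imported <= CAPABILITIES["dynamic import resolution"]:
        notes.append("only LoadLibrary/GetProcAddress seen: APIs are probably resolved "
                     "at runtime, so this is a packed stub or a loader")
    return {"strings": strings,
            "capabilities": {k: sorted(v) for k, v in caps.items()},
            "indicators": {k: sorted(v) for k, v in iocs.items()},
            "notes": notes}


# Constructed blob standing in for a sample's import table and data section.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"VirtualAllocEx\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"RegSetValueExW\x00InternetOpenA\x00IsDebuggerPresent\x00\x01\x02"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"http://update-check.example/gate.php\x00\x00"
    + "Mozilla/5.0 (compatible; MSIE 9.0)".encode("utf-16le") + b"\x00\x00"
)
# A blob that imports only the loader APIs, as a packed sample typically does.
PACKED_SAMPLE = b"\x00LoadLibraryA\x00GetProcAddress\x00\xff\xfe"
```

The exact-match rule on import names is why this works on an unpacked binary and says almost nothing about a packed one: malware that resolves APIs by hash never has `WriteProcessMemory` as a string at all, which is the case the `notes` field is there to catch.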
Dynamic Analysis and Sandbox Execution
Execute the malware in your isolated environment and observe its behavior. Monitor process creation (including the whole process tree the sample spawns), file system changes, registry modifications, network connections, and DNS queries. Use network simulation tools to answer the malware's C2 communication attempts so it proceeds through its execution flow rather than exiting immediately when it can't reach its server; you will see the protocol and the requests even though no real server is there.
Tip: Use Process Monitor and Process Explorer (Sysinternals) on Windows VMs to capture all system activity; start Procmon before launching the sample and save the capture so it can be filtered offline. FakeNet-NG simulates DNS, HTTP, HTTPS and other services so malware thinks it's connected. Take memory snapshots during execution for later analysis, ideally once the sample has unpacked itself and before it exits. Run the sample multiple times under different conditions - some malware checks the date, hostname, uptime, installed software, or VM artifacts (hypervisor drivers, BIOS strings, MAC address prefixes) before activating.
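An added example, not from the page or from Sysinternals, of turning a saved Procmon capture into the behavioral summary the steps above ask for. `PROCMON_CSV` is a constructed excerpt in the layout of Procmon's CSV export (default columns only; a real export has thousands of rows). The script follows the sample's process tree through the PIDs that `Process Create` events report, then classifies what that tree did: child command lines, persistence (Run keys and scheduler/service commands), files dropped into user-writable locations, outbound endpoints, and the registry reads typical of VM fingerprinting. The regexes and the categories are my own heuristics.

```python
import csv
import io
import re

# Constructed Procmon CSV excerpt (File > Save, CSV format, default columns).
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c schtasks /create /tn Updater /tr C:\Users\analyst\AppData\Roaming\svchost.exe /sc minute"
"10:01:02.2000000","sample.exe","4120","CreateFile","C:\Users\analyst\AppData\Roaming\svchost.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert"
"10:01:02.3000000","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 88, Data: C:\Users\analyst\AppData\Roaming\svchost.exe"
"10:01:02.4000000","sample.exe","4120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ, Length: 24, Data: VBOX   - 1"
"10:01:02.5000000","sample.exe","4120","TCP Connect","analysis-vm:49712 -> 203.0.113.10:443","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 64240, rcvwinscale: 8, sndwinscale: 7, seqnum: 0, connid: 0"
"10:01:02.6000000","cmd.exe","4188","Process Create","C:\Windows\System32\schtasks.exe","SUCCESS","PID: 4200, Command line: schtasks /create /tn Updater /tr C:\Users\analyst\AppData\Roaming\svchost.exe /sc minute"
"10:01:02.7000000","explorer.exe","1200","CreateFile","C:\Users\analyst\AppData\Roaming\notes.txt","SUCCESS","Desired Access: Generic Write, Disposition: Open"
'''

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData\\(?:Roaming|Local)|ProgramData|Temp)\\", re.I)
PERSIST_CMD = re.compile(r"\b(?:schtasks|sc(?:\.exe)?\s+create|reg(?:\.exe)?\s+add)\b", re.I)
FINGERPRINT = re.compile(r"SystemBiosVersion|VideoBiosVersion|ProductName|ProcessorNameString", re.I)
ENDPOINT = re.compile(r"->\s*(\S+):(\d+)\s*$")


def parse_procmon(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def behavior_summary(rows, root="sample.exe"):
    """Follow the sample's process tree via 'Process Create' PIDs and classify what it did."""
    tracked = {r["PID"] for r in rows if r["Process Name"].lower() == root.lower()}
    out = {"child_processes": [], "persistence": [], "dropped_files": [],
           "network": [], "fingerprinting": []}
    for r in rows:                               # rows are in capture order, so parents precede children
        if r["PID"] not in tracked or r["Result"] != "SUCCESS":
            continue
        op, path, detail = r["Operation"], r["Path"], r["Detail"]
        if op == "Process Create":
            pid = re.search(r"PID:\s*(\d+)", detail)
            cmd = re.search(r"Command line:\s*(.*)", detail)
            if pid:
                tracked.add(pid.group(1))
            cmdline = cmd.group(1) if cmd else path
            out["child_processes"].append(cmdline)
            if PERSIST_CMD.search(cmdline):
                out["persistence"].append(f"command: {cmdline}")
        elif op == "RegSetValue" and RUN_KEY.search(path):
            data = re.search(r"Data:\s*(.*)", detail)
            out["persistence"].append(f"registry: {path} = {data.group(1) if data else '?'}")
        elif op == "CreateFile" and "Generic Write" in detail and USER_WRITABLE.search(path):
            out["dropped_files"].append(path)
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            m = ENDPOINT.search(path)
            if m:
                out["network"].append((m.group(1), int(m.group(2))))
        elif op == "RegQueryValue" and FINGERPRINT.search(path):
            out["fingerprinting"].append(path)
    out["network"] = sorted(set(out["network"]))
    return out
```

Filtering on the process tree rather than on `sample.exe` alone is the point: in the constructed capture the scheduled task is created by `schtasks.exe`, two hops down from the sample, and a per-process filter would miss it. The `fingerprinting` bucket is what tells you which checks to defeat (here, a VirtualBox BIOS string) before the next run.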
Behavioral Analysis and C2 Decoding
Analyze the captured behavior to reconstruct the malware's full execution chain. Decode any encrypted or encoded C2 communications, map the network infrastructure it contacts, and identify every persistence mechanism it installs. If the malware downloads additional stages, capture and analyze those too. The result should be the complete kill chain from initial execution to final payload.
Tip: oletools is essential if the initial vector is a malicious Office document - olevba extracts and deobfuscates macros, oleobj pulls embedded objects, and msodde finds DDE links. Use Ghidra to reverse engineer the encryption or encoding used for C2 communication: locate the routine that runs just before the send call and recover the key or the key schedule from it. Network captures from dynamic analysis reveal the C2 protocol structure once combined with the decrypted communication flow.
IOC Extraction and YARA Rule Creation
Extract all indicators of compromise: file hashes, mutexes, registry keys, file paths, C2 domains and IPs, user agents, and unique strings. Write YARA rules that detect this malware family and its variants, not just this one sample. Package the IOCs in a standard format (STIX 2.1, OpenIOC) for sharing with your threat intelligence platform and the broader community.
Tip: Write YARA rules that match on code-level characteristics (distinctive string combinations, byte sequences from the decryption or C2 routine, import combinations) rather than on hashes, so they catch variants too. Volatility3 can extract IOCs from memory dumps, including injected code, hidden processes, and strings that only exist decrypted in memory. Test your YARA rules against a clean system image and a corpus of legitimate software to catch false positives before deploying them.
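The packaging step, as an added example that is not code from the page or from the YARA or STIX projects. `SAMPLE_IOCS` is a constructed indicator set for a hypothetical family called `ExampleLoader` (the hash is the SHA-256 of empty input, used as a placeholder). `yara_rule()` renders a rule keyed on distinctive strings rather than the hash, which is what lets it fire on variants; `stix_bundle()` emits a STIX 2.1 bundle with one `malware` object, one `indicator` per IOC using the standard pattern syntax, and `indicates` relationships tying them together. The `PATTERNS` table covers the IOC kinds the paragraph lists and nothing more.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed IOC set for a hypothetical family; nothing here is a real indicator.
SAMPLE_IOCS = {
    "sha256": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "domains": ["update-check.example"],
    "ips": ["203.0.113.10"],
    "registry_keys": [r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Updater"],
    "mutexes": [r"Global\Updater_v2"],
    "user_agents": ["Mozilla/5.0 (compatible; MSIE 9.0)"],
    "strings": ["/gate.php", "Updater_v2", r"\AppData\Roaming\svchost.exe", "cmd=idle"],
}

# (IOC key, indicator label, STIX 2.1 pattern template)
PATTERNS = [
    ("sha256", "file hash", "[file:hashes.'SHA-256' = '{}']"),
    ("domains", "C2 domain", "[domain-name:value = '{}']"),
    ("ips", "C2 address", "[ipv4-addr:value = '{}']"),
    ("registry_keys", "persistence key", "[windows-registry-key:key = '{}']"),
    ("mutexes", "mutex", "[mutex:name = '{}']"),
    ("user_agents", "user agent",
     "[network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' = '{}']"),
]


def yara_rule(name, family, iocs, min_matches=3):
    """Rule keyed on distinctive strings, so variants still hit; the hash is metadata only.
    The PE-header check and size cap keep the rule cheap to run across a whole fleet."""
    strings = iocs["strings"]
    need = min(min_matches, len(strings))
    lines = [f"rule {name}", "{", "    meta:",
             f'        family = "{family}"',
             f'        reference_sha256 = "{iocs["sha256"][0]}"',
             "    strings:"]
    for i, s in enumerate(strings):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}" ascii wide')
    lines += ["    condition:",
              f"        uint16(0) == 0x5A4D and filesize < 5MB and {need} of ($s*)",
              "}"]
    return "\n".join(lines)


def _esc(value):
    """STIX pattern string literal: backslash and single quote must be escaped."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _sdo(type_, **props):
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": type_, "spec_version": "2.1", "id": f"{type_}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}


def stix_bundle(family, iocs):
    """STIX 2.1 bundle: one malware SDO, one indicator per IOC, 'indicates' relationships."""
    malware = _sdo("malware", name=family, is_family=True, malware_types=["unknown"])
    objects = [malware]
    for key, label, template in PATTERNS:
        for value in iocs.get(key, []):
            indicator = _sdo("indicator", name=f"{family}: {label}",
                             indicator_types=["malicious-activity"],
                             pattern=template.format(_esc(value)), pattern_type="stix",
                             valid_from=malware["created"])
            objects.append(indicator)
            objects.append(_sdo("relationship", relationship_type="indicates",
                                source_ref=indicator["id"], target_ref=malware["id"]))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def bundle_json(family, iocs):
    return json.dumps(stix_bundle(family, iocs), indent=2)
```

Before the rule ships, run it with `yara -r` over a clean image and a goodware corpus; a string like `/gate.php` is distinctive in combination with the others but common enough on its own, which is why the condition requires several of them rather than any one.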
Report and Threat Intelligence Sharing
Write a comprehensive analysis report covering the malware's delivery mechanism, execution chain, capabilities, persistence methods, C2 infrastructure, and all extracted IOCs. Include detection guidance for defenders - what to look for in logs, what YARA rules to deploy, and what network signatures to monitor. Share actionable intelligence with relevant parties.
Tip: Structure the report around the MITRE ATT&CK framework so defenders can map the malware's techniques to their detection coverage. Include both human-readable analysis and machine-readable IOCs. If this is part of an incident response, release the IOCs that enable immediate detection across the environment first and the full report afterwards.