Malware Triage

Level: intermediate | Duration: 40 min | Type: Writeup

Quick analysis of suspicious files

Learning Objectives

  • Safely handle malware
  • Perform static analysis
  • Use online sandboxes
  • Extract indicators

Malware triage is the quick analysis of suspicious files to determine what they are and what they do. You're not writing a full reverse-engineering report; you're answering three questions: Is this malicious? What does it do? What are the IOCs?

Think of it like a doctor doing a quick exam. You check vital signs, look for obvious symptoms, and decide: Is this a cold or something serious? Malware triage checks hashes, strings, imports, and behavior to quickly categorize a threat.

Safety First

NEVER analyze malware on your regular work machine! Always use an isolated virtual machine or sandbox. Assume every sample is dangerous until proven otherwise.

Safe Handling

Malware Analysis Safety:

ANALYSIS ENVIRONMENTS
─────────────────────────────────────────────────────────────────
Dedicated VM:
├── Isolated network (host-only or disconnected)
├── Snapshot before analysis
├── Revert after each sample
├── Limited resources (1-2 cores, 4GB RAM)
└── No shared folders with host

Online Sandboxes:
├── VirusTotal (hash/upload)
├── Any.Run (interactive sandbox)
├── Hybrid Analysis (automated)
├── Joe Sandbox (automated)
├── Tria.ge (automated)
└── Intezer (code analysis)

SAFE HANDLING PRACTICES
─────────────────────────────────────────────────────────────────
├── Rename executable extensions (.exe → .exe_)
├── Store in password-protected ZIP (password: "infected")
├── Never double-click accidentally
├── Disable autorun
├── Use a text editor, not the native application, to open documents
├── Document everything you do
└── Work in isolated environment only

BEFORE YOU START
─────────────────────────────────────────────────────────────────
□ VM snapshot taken
□ Network isolated
□ Analysis tools ready
□ Documentation template open
□ Time limit set (don't rabbit-hole)

Static Analysis

bash
# Static Analysis - Without Executing

# 1. CALCULATE HASHES
md5sum malware.exe
sha1sum malware.exe
sha256sum malware.exe
# Use SHA256 for lookups

# 2. CHECK VIRUSTOTAL
# Via the (legacy v2) API: file/report is a GET with the key and hash as query parameters
curl --request GET \
  --url 'https://www.virustotal.com/vtapi/v2/file/report?apikey=YOUR_API_KEY&resource=<sha256>'

# Or use web interface: virustotal.com
# Results show:
# - Detection ratio (50/70 engines)
# - Malware family names
# - Community comments
# - Behavior analysis

# 3. FILE TYPE IDENTIFICATION
file malware.exe
# Check if extension matches actual type!

# 4. STRINGS EXTRACTION
strings -n 8 malware.exe | less
# Look for:
# - URLs, IPs, domains (C2)
# - File paths
# - Registry keys
# - Error messages
# - Encoded strings (base64)
# - Cryptocurrency addresses

# Filter for interesting strings
strings malware.exe | grep -iE "http|ftp|\.\/|password|admin|cmd"

# 5. PE HEADER ANALYSIS (Windows executables)
# Using pestudio, pefile, or PE-bear (pip install pefile)
python -c "import pefile; pe=pefile.PE('malware.exe'); print(pe.dump_info())"

# Check:
# - Compile timestamp
# - Import table (suspicious APIs)
# - Section entropy (packed?)
# - Digital signatures
Suspicious Imports to Look For:

EXECUTION
├── CreateProcess, WinExec, ShellExecute
├── CreateThread, CreateRemoteThread
└── LoadLibrary, GetProcAddress

PERSISTENCE
├── RegSetValue, RegCreateKey
├── CreateService
└── SetWindowsHookEx

NETWORK
├── WSAStartup, socket, connect
├── InternetOpen, HttpSendRequest
└── URLDownloadToFile

ANTI-ANALYSIS
├── IsDebuggerPresent
├── CheckRemoteDebuggerPresent
├── GetTickCount, QueryPerformanceCounter
└── VirtualProtect (code modification)

FILE OPERATIONS
├── CreateFile, WriteFile, DeleteFile
├── CopyFile, MoveFile
└── FindFirstFile, FindNextFile

CREDENTIAL THEFT
├── CredEnumerate
├── LsaRetrievePrivateData
└── CryptUnprotectData
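The hash, file-type and strings checks from the static steps above, together with the import categories just listed, combined into one script. This is an added example, not code from the original page: SAMPLE is constructed bytes standing in for a file, and the MAGIC/EXT_TYPE tables and function names are assumptions made for illustration; in real use the bytes come from the file under analysis inside the isolated VM.

```python
import hashlib
import re
# Constructed stand-in for a suspicious file (not a real sample): MZ magic bytes
# followed by the kind of strings that `strings -n 8` would surface.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode.\x00"
    + b"KERNEL32.dll\x00CreateRemoteThread\x00VirtualProtect\x00WININET.dll\x00"
    + b"InternetOpenA\x00HttpSendRequestA\x00ADVAPI32.dll\x00RegSetValueExA\x00"
    + b"http://update.example.invalid/gate.php\x00"
)
# Import categories from the list above; prefix matching also catches A/W/Ex variants
SUSPICIOUS_IMPORTS = {
    "execution": ("CreateProcess", "WinExec", "ShellExecute", "CreateThread",
                  "CreateRemoteThread", "LoadLibrary", "GetProcAddress"),
    "persistence": ("RegSetValue", "RegCreateKey", "CreateService", "SetWindowsHookEx"),
    "network": ("WSAStartup", "InternetOpen", "HttpSendRequest", "URLDownloadToFile"),
    "anti_analysis": ("IsDebuggerPresent", "CheckRemoteDebuggerPresent", "GetTickCount",
                      "QueryPerformanceCounter", "VirtualProtect"),
    "credential_theft": ("CredEnumerate", "LsaRetrievePrivateData", "CryptUnprotectData"),
}
# Magic bytes for the file types covered on this page (what `file` would report)
MAGIC = {b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole", b"PK\x03\x04": "zip"}
EXT_TYPE = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "doc": "ole",
            "xls": "ole", "docx": "zip", "xlsx": "zip"}

def hashes(data):
    # SHA256 is the lookup key; MD5 and SHA1 are kept because older feeds still use them
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def detect_type(data):
    return next((t for magic, t in MAGIC.items() if data.startswith(magic)), "unknown")

def extension_mismatch(filename, data):
    # True when the extension claims one type and the magic bytes say another
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in EXT_TYPE and EXT_TYPE[ext] != detect_type(data)

def extract_strings(data, min_len=8):
    # Same idea as `strings -n 8`: runs of printable ASCII at least min_len long
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_imports(strs):
    # Bucket API names found in the strings by the categories above
    found = {}
    for s in strs:
        for category, apis in SUSPICIOUS_IMPORTS.items():
            if s.startswith(apis):
                found.setdefault(category, []).append(s)
    return found
```

Prefix matching is deliberately noisy (CreateThread also matches CreateThreadpoolWork); triage wants recall, and the import table from pefile confirms what matters.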

Sandbox Analysis

Online Sandbox Analysis:

VIRUSTOTAL
─────────────────────────────────────────────────────────────────
URL: virustotal.com
Features:
├── Multi-engine scanning (70+ AV)
├── Behavior analysis
├── Network activity
├── File relationships
├── Community comments
└── Detection history

Note: Uploaded files may be shared with vendors!

ANY.RUN
─────────────────────────────────────────────────────────────────
URL: any.run
Features:
├── Interactive sandbox
├── Watch execution live
├── Click buttons, provide input
├── Process tree visualization
├── Network capture
└── MITRE ATT&CK mapping

Best for: Samples needing interaction

HYBRID ANALYSIS
─────────────────────────────────────────────────────────────────
URL: hybrid-analysis.com
Features:
├── Detailed behavior reports
├── Multiple environments (Win7/10)
├── Memory analysis
├── YARA rule matching
└── API available

Best for: Comprehensive automated analysis

TRIA.GE
─────────────────────────────────────────────────────────────────
URL: tria.ge
Features:
├── Fast turnaround
├── Good for volume
├── Config extraction
├── Family identification
└── IOC extraction

Best for: Quick triage of many samples

Privacy Considerations

When uploading to public sandboxes, remember: the file becomes public! If you're analyzing a targeted attack on your organization, the attacker might monitor VirusTotal to know they've been caught. Consider this in your decision.

Behavioral Analysis

bash
# Behavioral Analysis in Local VM

# PROCESS MONITORING
─────────────────────────────────────────────────────────────────
# Process Monitor (Windows)
procmon.exe
# Filter to your malware process
# Watch: File, Registry, Process, Network activity

# Process Explorer
procexp.exe
# Tree view of processes
# Properties show: DLLs, handles, strings

# NETWORK MONITORING
─────────────────────────────────────────────────────────────────
# Wireshark
# Start capture BEFORE executing malware
# Look for: DNS, HTTP/HTTPS, unusual ports

# Fiddler (for HTTP/HTTPS)
# Can decrypt TLS if cert installed

# FakeNet-NG
# Simulates network services
# Captures requests even without internet

# FILE SYSTEM MONITORING
─────────────────────────────────────────────────────────────────
# Watch for:
├── Files created in %TEMP%
├── Files dropped in System32
├── Files in startup locations
└── Changes to existing files

# REGISTRY MONITORING
─────────────────────────────────────────────────────────────────
# Regshot
# Snapshot before → Execute → Snapshot after → Compare

# Watch for changes in:
├── Run/RunOnce keys
├── Services
├── Browser settings
└── Security settings

# QUICK ANALYSIS WORKFLOW
─────────────────────────────────────────────────────────────────
1. Start Process Monitor (filter to new processes)
2. Start Wireshark
3. Take Regshot snapshot
4. Execute malware
5. Wait 2-5 minutes
6. Take second Regshot snapshot
7. Stop captures
8. Analyze results
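The Regshot-style snapshot comparison from the workflow above (snapshot, execute, snapshot, compare), written out as an added example that is not part of the original page: two constructed snapshots of a hypothetical VM are diffed, and the changes are checked against the Run/RunOnce, service, %TEMP%, System32 and startup watchlists listed in the monitoring notes. BEFORE, AFTER and every key, path, hash and service name in them are made up.

```python
# Constructed before/after snapshots of a hypothetical analysis VM (keys, paths,
# hashes and service names are made up): registry values, file hashes, services.
BASE_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
BEFORE = {
    "registry": {BASE_RUN: r"C:\Program Files\OneDrive\OneDrive.exe"},
    "files": {r"C:\Windows\System32\drivers\etc\hosts": "aaaa", r"C:\Windows\notepad.exe": "bbbb"},
    "services": {"Spooler"},
}
AFTER = {
    "registry": {BASE_RUN: r"C:\Program Files\OneDrive\OneDrive.exe",
                 r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater":
                 r"C:\Users\analyst\AppData\Local\Temp\upd.exe"},
    "files": {r"C:\Windows\System32\drivers\etc\hosts": "cccc",        # modified
              r"C:\Windows\notepad.exe": "bbbb",
              r"C:\Users\analyst\AppData\Local\Temp\upd.exe": "dddd",  # dropped
              r"C:\Windows\System32\wupd.dll": "eeee"},               # dropped
    "services": {"Spooler", "WinUpdSvc"},
}
# Watchlists from the monitoring notes above (compared case-insensitively)
PERSIST_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
DROP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\system32\\", "\\start menu\\programs\\startup\\")

def diff_snapshots(before, after):
    """Regshot-style compare: what appeared or changed between the two snapshots."""
    d = {"registry_added": [], "registry_changed": [], "files_added": [], "files_changed": [],
         "services_added": sorted(after["services"] - before["services"])}
    for key, val in after["registry"].items():
        if key not in before["registry"]:
            d["registry_added"].append((key, val))
        elif before["registry"][key] != val:
            d["registry_changed"].append((key, val))
    for path, digest in after["files"].items():
        if path not in before["files"]:
            d["files_added"].append(path)
        elif before["files"][path] != digest:
            d["files_changed"].append(path)
    return d

def flag_findings(diff):
    """Map raw changes onto the triage categories: persistence, dropped and modified files."""
    findings = []
    for key, val in diff["registry_added"] + diff["registry_changed"]:
        if any(w in key.lower() for w in PERSIST_KEYS):
            findings.append(("persistence", f"{key} = {val}"))
    findings += [("persistence", f"new service {svc}") for svc in diff["services_added"]]
    findings += [("dropped_file", p) for p in diff["files_added"] if any(w in p.lower() for w in DROP_DIRS)]
    findings += [("modified_file", p) for p in diff["files_changed"]]
    return findings
```

Real snapshots would be taken with Regshot or a hashing walk of the watched directories before and after execution; the compare logic is the same.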

Extracting IOCs

Indicators of Compromise (IOCs) to Extract:

HASH VALUES
─────────────────────────────────────────────────────────────────
SHA256: Primary hash for lookups
SHA1: Secondary
MD5: Legacy, but still used

FILE INDICATORS
─────────────────────────────────────────────────────────────────
├── File names (original and dropped)
├── File paths
├── File sizes
├── Compilation timestamps
└── PE characteristics

NETWORK INDICATORS
─────────────────────────────────────────────────────────────────
├── C2 IP addresses
├── C2 domains
├── URLs (full paths)
├── User-Agent strings
├── Ports used
└── Protocol patterns

HOST INDICATORS
─────────────────────────────────────────────────────────────────
├── Registry keys created/modified
├── Services installed
├── Scheduled tasks
├── Mutexes (anti-duplication)
├── Process names
└── Command line arguments

DOCUMENTING IOCS
─────────────────────────────────────────────────────────────────
Example IOC Report (backslashes are doubled because this is JSON):
{
  "name": "Trickbot Sample Analysis",
  "date": "2024-07-15",
  "hash": {
    "sha256": "abc123...",
    "md5": "def456..."
  },
  "network": {
    "c2_ips": ["1.2.3.4", "5.6.7.8"],
    "c2_domains": ["evil.com", "bad.net"]
  },
  "host": {
    "files": ["C:\\Users\\*\\AppData\\..."],
    "registry": ["HKLM\\Software\\..."],
    "mutex": "Global\\TrickBotMutex"
  }
}

Document Malware

bash
# Analyzing Malicious Documents

# OFFICE DOCUMENTS
─────────────────────────────────────────────────────────────────
# OLE Tools (python-oletools)
pip install oletools

# Extract VBA macros
olevba malicious.doc
# Shows: Macro code, suspicious keywords

# Analyze OLE structure
oleid malicious.doc
# Shows: VBA presence, encryption, etc.

# Extract embedded objects
oleobj malicious.doc

# LOOK FOR
├── AutoOpen, Document_Open (auto-execute)
├── Shell, WScript.Shell (execution)
├── PowerShell, cmd.exe (spawn shell)
├── URLDownloadToFile (download payload)
├── Encoded strings (Base64)
└── Environment variables (%TEMP%, etc.)

# PDF ANALYSIS
─────────────────────────────────────────────────────────────────
# pdf-parser
pdf-parser.py malicious.pdf

# peepdf (interactive)
peepdf malicious.pdf

# Check for:
├── JavaScript
├── /OpenAction (auto-execute)
├── /Launch (run programs)
├── /URI (fetch remote content)
└── Embedded files/streams

# HTML/JS MALWARE
─────────────────────────────────────────────────────────────────
# De-obfuscate JavaScript
# Use browser dev tools in safe environment
# Or: box-js (JavaScript sandbox)

box-js malicious.js

# Look for:
├── eval(), Function() (execution)
├── document.write() (DOM manipulation)
├── unescape(), atob() (decoding)
├── ActiveXObject (IE exploitation)
└── iframe injection
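The PDF checklist above as a small scanner, added here and not part of the original page. PDF allows #xx hex escapes inside name tokens, so /Ja#76aScript is the same name as /JavaScript to a PDF reader but not to a plain grep; the scanner normalises names before matching, which is the check pdf-parser and peepdf perform for you. SAMPLE_PDF and the SUSPICIOUS_NAMES table are constructed.

```python
import re

# Constructed minimal PDF fragment (not a real sample). /Ja#76aScript uses the
# #xx hex escape allowed in PDF names, which a plain grep for /JavaScript misses.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /Pages 3 0 R >> endobj\n"
    b"2 0 obj << /S /Ja#76aScript /JS (app.alert(1)) >> endobj\n"
    b"4 0 obj << /Type /Action /S /Launch /F (notepad.exe) >> endobj\n"
    b"5 0 obj << /Type /EmbeddedFile /Length 0 >> stream\nendstream endobj\n"
    b"%%EOF\n"
)
# Keys from the PDF checklist above, matched only after escape normalisation
SUSPICIOUS_NAMES = {
    b"/JavaScript": "javascript", b"/JS": "javascript",
    b"/OpenAction": "auto-execute", b"/AA": "auto-execute",
    b"/Launch": "run programs", b"/URI": "fetch remote content",
    b"/EmbeddedFile": "embedded file", b"/RichMedia": "embedded file",
}
NAME_RE = re.compile(rb"/[^\s/<>\[\]()]+")  # a PDF name token: slash up to the next delimiter

def normalise_name(raw):
    """Decode #xx escapes in a name token, e.g. b'/Ja#76aScript' -> b'/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def scan_pdf(data):
    """Return ({suspicious name: count}, number of escaped names seen)."""
    hits, escaped = {}, 0
    for raw in NAME_RE.findall(data):
        name = normalise_name(raw)
        if name != raw:
            escaped += 1  # escaped names are themselves a signal: readers never need them
        if name in SUSPICIOUS_NAMES:
            hits[name.decode()] = hits.get(name.decode(), 0) + 1
    return hits, escaped

def verdict(hits):
    """Auto-execute plus script/launch/URI is the combination worth escalating."""
    cats = {SUSPICIOUS_NAMES[h.encode()] for h in hits}
    if "auto-execute" in cats and cats & {"javascript", "run programs", "fetch remote content"}:
        return "high"
    return "medium" if cats else "low"
```

Names inside compressed (FlateDecode) streams are not visible to this scan; pdf-parser's filter option or peepdf are needed to look inside those.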

Triage Process

5-Minute Malware Triage Checklist:

□ MINUTE 1: HASH CHECK
  ├── Calculate SHA256
  ├── Check VirusTotal
  └── Known? → Document and done
      Unknown? → Continue

□ MINUTE 2: FILE BASICS
  ├── File type (matches extension?)
  ├── File size
  └── Compile timestamp

□ MINUTE 3: STRINGS
  ├── Extract strings
  ├── Search for URLs/IPs
  ├── Look for paths
  └── Note suspicious keywords

□ MINUTE 4: QUICK SANDBOX
  ├── Upload to Any.Run or Hybrid Analysis
  ├── OR: Execute in local VM with monitoring
  └── Note C2, dropped files, persistence

□ MINUTE 5: DOCUMENT
  ├── Record all IOCs
  ├── Classify malware type
  ├── Note confidence level
  └── Determine next steps

NEXT STEPS DECISION:
─────────────────────────────────────────────────────────────────
If known malware family:
└── Document, block IOCs, standard cleanup

If sophisticated/targeted:
└── Full analysis needed, engage experts

If uncertain:
└── Submit for professional analysis

Malware Triage Methodology

Malware Triage Workflow

1. Safe Setup: Isolated VM, tools ready, network controlled
2. Hash Check: Calculate SHA256, check VirusTotal
3. Static Analysis: Strings, imports, PE info
4. Sandbox: Upload to online sandbox OR local VM
5. Behavior: Process, network, file, registry activity
6. Extract IOCs: Hashes, IPs, domains, paths
7. Document: Report findings, recommend actions

Knowledge Check


Why should you check VirusTotal before doing manual analysis?

Challenges

Analyze a Sample

Challenge (intermediate)

Find a safe malware sample (e.g., EICAR test file or sample from MalwareBazaar) and perform triage: calculate hash, check VirusTotal, extract strings. Document your findings.


Key Takeaways

  • Always analyze malware in isolated environments - VMs or sandboxes
  • Check hashes against VirusTotal first - no need to reinvent the wheel
  • Static analysis (strings, imports) reveals intent without execution
  • Suspicious imports: CreateRemoteThread, URLDownloadToFile, RegSetValue
  • Extract and document IOCs: hashes, C2 IPs/domains, file paths, registry
  • 5-minute triage: hash → basics → strings → sandbox → document