PriyamvadaNule/Malware-Analysis-Using-Virtual-Machine-for-Static-and-Dynamic-Analysis-

GitHub: PriyamvadaNule/Malware-Analysis-Using-Virtual-Machine-for-Static-and-Dynamic-Analysis-

This project shows how to use virtual machines to build an isolated lab for static and dynamic analysis of malicious files, in order to discover IOCs and improve detection and response capabilities.

Stars: 0 | Forks: 0

# Malware Analysis Using Virtual Machine for Static and Dynamic Analysis

## Overview

This project demonstrates how to build a secure malware analysis lab using virtual machines and perform malware investigation using both static and dynamic analysis techniques. The environment is isolated to ensure safe experimentation while studying suspicious files and their behavior.

The project uses a Windows Virtual Machine for malware execution and monitoring, and a Kali Linux Virtual Machine for supporting analysis, reconnaissance, and network observation.

## Objectives

- Understand malware behavior in a safe environment
- Learn static and dynamic malware analysis techniques
- Use industry-relevant cybersecurity tools
- Identify Indicators of Compromise (IOCs)
- Practice incident detection and response
- Build hands-on cybersecurity lab skills

## Project Architecture

- **Host Machine** – Main physical system
- **VMware Workstation / Player** – Virtualization platform
- **Windows VM** – Malware execution and monitoring
- **Kali Linux VM** – Analysis and network tools
- **Isolated Network** – Safe testing environment

## Tools and Technologies

### Virtualization

- VMware Workstation / VMware Player

### Operating Systems

- Windows 10 / 11
- Kali Linux

### Static Analysis Tools

- PE Studio
- Hex Editor
- PEiD
- Ghidra
- Radare2

### Dynamic Analysis Tools

- Process Monitor (ProcMon)
- Process Explorer
- Wireshark
- Regshot
- Process Hacker

### Network / Security Tools

- Nmap
- Netstat
- tcpdump
- Splunk
- FakeNet-NG
- ApateDNS

### Advanced / Optional Tools

- Volatility
- Cuckoo Sandbox
- x64dbg
- YARA
- Binwalk

## Methodology

### 1. Virtual Lab Setup

- Install VMware
- Create Windows VM
- Create Kali Linux VM
- Configure Host-Only / NAT networking
- Disable shared folders
- Take clean snapshots

### 2. Static Analysis

Malware is examined **without execution**.
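The static-analysis steps (check the file header, confirm the `MZ (4D5A)` signature, walk the section table, pull strings and look for suspicious patterns) can be scripted so the same triage runs on every sample before anything is executed. The following is an added example for this README, not code from the repository or from PE Studio/PEiD; it uses only the Python standard library, and the sample bytes it builds are a constructed header-only stub with a valid MZ/PE layout, not a real executable. The keyword list used for the "suspicious patterns" step is an illustrative assumption, not a vetted rule set.

```python
"""Minimal static triage of a PE file: signature check, header walk, strings.

Added example (not part of the original repository). Standard library only,
so it runs offline. The sample produced by build_sample() is a constructed,
non-executable stub that only mimics the header layout of a PE file.
"""
import json
import re
import struct
import sys

MZ_MAGIC = b"MZ"          # 4D 5A: DOS header signature
PE_MAGIC = b"PE\x00\x00"  # PE signature found at the e_lfanew offset

# Illustrative patterns for the "detect suspicious patterns" step (assumption:
# a demonstration list, not a curated detection rule set).
SUSPICIOUS_PATTERNS = [
    re.compile(rb"https?://[\x21-\x7e]+"),                       # embedded URLs
    re.compile(rb"(?i)\b(cmd\.exe|powershell|whoami|ipconfig)\b"),  # recon/exec helpers
    re.compile(rb"(?i)(CurrentVersion\\Run)"),                   # autorun persistence key
]


def extract_strings(data: bytes, min_len: int = 5):
    """Return printable ASCII runs of at least min_len bytes (like `strings`)."""
    return [m.group() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage_pe(data: bytes) -> dict:
    """Parse the DOS and COFF headers plus the section table; return triage facts."""
    result = {"is_mz": data[:2] == MZ_MAGIC, "is_pe": False,
              "sections": [], "strings": [], "suspicious": []}
    if not result["is_mz"] or len(data) < 0x40:
        return result
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return result
    result["is_pe"] = True
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    result["machine"] = hex(machine)
    result["is_dll"] = bool(chars & 0x2000)                     # IMAGE_FILE_DLL
    sec_table = coff + 20 + opt_size
    for i in range(nsections):
        off = sec_table + i * 40                                # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        _vsize, _vaddr, rawsize, _rawptr = struct.unpack_from("<IIII", data, off + 8)
        sec_chars = struct.unpack_from("<I", data, off + 36)[0]
        result["sections"].append({
            "name": name, "raw_size": rawsize,
            # a section that is both writable and executable is a classic packer hint
            "wx": bool(sec_chars & 0x80000000) and bool(sec_chars & 0x20000000),
        })
    result["strings"] = [s.decode("ascii") for s in extract_strings(data)]
    for pat in SUSPICIOUS_PATTERNS:
        result["suspicious"] += [m.decode("ascii") for m in pat.findall(data)]
    return result


def build_sample() -> bytes:
    """Constructed stub with a valid MZ/PE header layout (contains no machine code)."""
    dos = bytearray(0x40)
    dos[0:2] = MZ_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    # Machine=0x14c (i386), 2 sections, SizeOfOptionalHeader=0, Characteristics=EXE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)

    def section(name: bytes, raw_size: int, raw_ptr: int, characteristics: int) -> bytes:
        return name.ljust(8, b"\x00") + struct.pack(
            "<IIIIIIHHI", raw_size, 0x1000, raw_size, raw_ptr, 0, 0, 0, 0, characteristics)

    hdr_len = 0x40 + 4 + 20 + 2 * 40
    text = b"whoami\x00ipconfig\x00http://example.invalid/c2\x00"   # constructed strings
    blob = b"A" * 16
    sections = (section(b".text", len(text), hdr_len, 0x60000020)            # R+X code
                + section(b".upx0", len(blob), hdr_len + len(text), 0xE0000020))  # R+W+X
    return bytes(dos) + PE_MAGIC + coff + sections + text + blob


if __name__ == "__main__":
    # Usage: python triage.py <file>   (falls back to the constructed stub)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(json.dumps(triage_pe(data), indent=2))
```

Run against a real sample from the isolated VM's shared results folder (never from the host), the output gives the same facts PE Studio shows first: signature, machine type, section names and permissions, strings, and any hits on the pattern list.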
#### Activities

- Check file headers
- Inspect binary structure
- View strings and imports
- Detect suspicious patterns
- Identify file signatures like `MZ (4D5A)`

#### Tools Used

- PE Studio
- Hex Editor
- PEiD

### 3. Dynamic Analysis

Malware is executed inside an isolated VM and monitored in real time.

#### Activities

- Observe running processes
- Detect registry/file changes
- Monitor network traffic
- Analyze persistence attempts

#### Tools Used

- ProcMon
- Process Explorer
- Wireshark
- Regshot

### 4. Simulated Attack Scenario

A disguised malicious executable named `resume.pdf.exe` was used to simulate an attack lifecycle.

#### Steps Covered

- Reconnaissance using Nmap
- Payload creation using msfvenom
- File delivery via Python HTTP server
- Reverse shell connection
- Detection using netstat
- Log analysis using Splunk

## Results

### Indicators of Compromise (IOCs)

- Suspicious file: `resume.pdf.exe`
- Reverse shell connection on port `8081`
- Unauthorized external connection
- Suspicious command execution:
  - `ipconfig`
  - `whoami`
  - `dir`

### Key Findings

- Malware can disguise itself using double extensions
- Network monitoring helps detect suspicious traffic
- VM snapshots allow safe rollback
- Dynamic analysis reveals hidden behavior

## Security Recommendations

1. Block double-extension files (`.pdf.exe`)
2. Enable continuous network monitoring
3. Keep antivirus and tools updated
4. Train users against phishing and unsafe downloads
5. Enable command and event logging
6. Use isolated environments for malware research

## Repository Structure

```text
Malware-Analysis-Lab/
│── README.md
│── Report/
│   ├── Cybersecurity internship report.pdf
│   └── Cybersecurity internship report.docx
│── Screenshots/
│── Tools/
│── Results/
│── Resources/
```

---

## Future Improvements

- Automated IOC extraction using Python
- Malware classification using Machine Learning
- Web dashboard for findings
- Cloud sandbox integration
- Real-time threat intelligence feeds

## Author

**Priyamvada Nule**
Electronics & Telecommunication Engineering
Cybersecurity Project

## Disclaimer

This project is created strictly for **educational and research purposes** inside a controlled virtual lab environment. Do not run suspicious files on a real system or misuse any techniques described here.
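The IOCs listed under Results (a double-extension file name, an established reverse-shell session on port `8081` to a host outside the lab, and recon commands such as `ipconfig`, `whoami` and `dir`) translate directly into the kind of automated IOC extraction the Future Improvements section mentions. The block below is an added example for this README, not code from the repository. It assumes the host-only lab network is `192.168.56.0/24` and runs over a constructed `netstat -ano` listing and a constructed command log (the kind of data ProcMon or Sysmon exports provide); `203.0.113.5` is a documentation address used as a stand-in for the attacker host, not a real indicator.

```python
"""Encode the report's IOCs as detection checks over netstat output and a command log.

Added example, not part of the original repository. The lab network range is an
assumption (VMware host-only default), and all sample data below is constructed.
"""
import ipaddress
import re

# Indicators from the report's Results section.
SUSPICIOUS_PORTS = {8081}
SUSPICIOUS_COMMANDS = {"ipconfig", "whoami", "dir"}
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g|png|txt)\.(exe|scr|bat|cmd|ps1|vbs|js)$", re.I)

# Assumption: the isolated lab lives on the VMware host-only network.
LAB_NETWORKS = [ipaddress.ip_network("192.168.56.0/24")]

# Constructed `netstat -ano` output from the Windows VM (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.56.10:49712    203.0.113.5:8081       ESTABLISHED     4120
  TCP    192.168.56.10:49713    192.168.56.1:445       ESTABLISHED     4
  TCP    192.168.56.10:49720    203.0.113.5:443        ESTABLISHED     2288
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
"""

# Constructed command log as (process image, command line) pairs.
COMMAND_LOG_SAMPLE = [
    ("resume.pdf.exe", "cmd.exe /c whoami"),
    ("resume.pdf.exe", "cmd.exe /c ipconfig /all"),
    ("explorer.exe", "notepad.exe report.txt"),
    ("resume.pdf.exe", "cmd.exe /c dir C:\\Users"),
]


def is_double_extension(filename: str) -> bool:
    """True for names like resume.pdf.exe: a document extension hiding an executable."""
    return DOUBLE_EXT.search(filename) is not None


def parse_netstat(text: str):
    """Parse the data rows of `netstat -ano`; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("TCP", "UDP"):
            proto, local, foreign, state, pid = parts
            rhost, rport = foreign.rsplit(":", 1)
            rows.append({"proto": proto, "local": local, "remote_ip": rhost,
                         "remote_port": int(rport), "state": state, "pid": int(pid)})
    return rows


def flag_connections(rows):
    """Established sessions leaving the lab network; the reverse-shell port is marked."""
    hits = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        ip = ipaddress.ip_address(r["remote_ip"])
        if any(ip in net for net in LAB_NETWORKS):
            continue                                   # inside the isolated lab
        hit = dict(r)
        hit["suspicious_port"] = r["remote_port"] in SUSPICIOUS_PORTS
        hits.append(hit)
    return hits


def flag_commands(log):
    """Command lines that run the recon commands from the IOC list."""
    hits = []
    for image, cmdline in log:
        ran = SUSPICIOUS_COMMANDS & set(cmdline.lower().split())
        if ran:
            hits.append({"image": image, "command": sorted(ran)[0], "cmdline": cmdline,
                         "double_ext": is_double_extension(image)})
    return hits


def build_ioc_report(netstat_text: str, command_log) -> dict:
    """Combine the checks into one IOC summary for the Results section."""
    cmds = flag_commands(command_log)
    return {
        "connections": flag_connections(parse_netstat(netstat_text)),
        "commands": cmds,
        "double_extension_files": sorted({c["image"] for c in cmds if c["double_ext"]}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_ioc_report(NETSTAT_SAMPLE, COMMAND_LOG_SAMPLE), indent=2))
```

On the sample data the report flags the `8081` session (PID 4120) as the reverse shell, the `443` session as an unauthorized external connection, the three recon commands, and `resume.pdf.exe` as the double-extension file; swapping in the VM's real `netstat -ano` output and an exported ProcMon/Sysmon command log is the only change needed.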
Tags: ApateDNS, APT detection, Binwalk, BurpSuite integration, Conpot, Cuckoo Sandbox, DAST, FakeNet-NG, Ghidra, Hex Editor, IOC detection, Netstat, Nmap, PEiD, PE Studio, Process Explorer, Process Hacker, Process Monitor, Radare2, Regshot, TLS fingerprinting, VMware, Windows security, Wireshark, YARA, cloud security monitoring, cloud asset visibility, cloud asset inventory, handle viewer, compliance checking, threat intelligence, security lab, developer tools, malware analysis, endpoint security, virtual machine analysis, virtual drive, patch management, reverse engineering tools, reverse engineering, static analysis