GitHub: henokkaraya/malware-analysis-lab1
# Malware Analysis Lab 1
This repository documents a malware analysis lab focused on static and dynamic analysis of suspicious Windows executables.
## Purpose
The goal of this lab was to analyze potentially malicious files in an isolated environment and identify suspicious behavior such as:
- Network activity
- Registry persistence
- Payload download behavior
- PowerShell execution
- File creation and execution
- Anti-debugging indicators
## Lab Environment
The analysis was performed in an isolated VMware lab environment using:
- REMnux for static analysis
- Windows VM for dynamic analysis
- Ghidra for reverse engineering
- peframe, exiftool and strings for PE analysis
- Procmon, Wireshark and FakeNet-NG for dynamic analysis
No malware binaries are included in this repository.
## Key Findings
Static analysis of `evltool.exe` showed downloader and persistence behavior.
Important indicators included:
- `http://192.168.1.1/test.exe` (hard-coded download URL)
- `C:\temp\payload.exe` (local path the downloaded payload is written to)
- `Software\Microsoft\Windows\CurrentVersion\Run` (Run key used for persistence)
- `SimulatedMalware`
- `powershell.exe -NoProfile -EncodedCommand` (PowerShell launched with a base64-encoded command)
- `URLDownloadToFileA` (urlmon.dll import that fetches a URL straight to a file on disk)
Ghidra analysis identified the functions:
- `download_payload`
- `modify_registry`
## Disclaimer
This repository is for educational purposes only. No executable malware samples are included.
## Analysis Workflow
### Static Analysis Workflow
Sample Collection
↓
Hash Analysis (SHA256/MD5)
↓
PE Analysis (peframe, exiftool)
↓
Strings Analysis
↓
Import/API Analysis
↓
Reverse Engineering in Ghidra
↓
IoC Extraction
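The workflow above, from hashing through string extraction to IoC extraction, as one script. This is an added example written for this README, not code from the lab repository: `SAMPLE` is a constructed byte buffer that imitates the strings listed under Key Findings (it is not `evltool.exe`), and the `SUSPICIOUS_APIS` mapping and `IOC_PATTERNS` regexes are my own choices. It reproduces what `strings -a` and `strings -el` show on REMnux, flags the API names worth checking against the import table, and additionally decodes the `-EncodedCommand` blob (base64 of a UTF-16LE script), which `strings` alone does not reveal.

```python
"""Static triage: hashes, ASCII/UTF-16LE strings, IoC classification, EncodedCommand decoding.

Added example for this README, not code from the lab repository. SAMPLE is a
constructed stand-in for a sample; on a real file call triage(open(path, "rb").read()).
"""
import base64
import hashlib
import re

# Imports worth flagging when seen as strings or in the IAT (assumed mapping, not exhaustive).
SUSPICIOUS_APIS = {
    "URLDownloadToFileA": "downloader",      # urlmon.dll: fetch a URL straight to disk
    "WinExec": "execution",
    "CreateProcessA": "execution",
    "ShellExecuteA": "execution",
    "RegSetValueExA": "persistence",
    "IsDebuggerPresent": "anti-debugging",
    "CheckRemoteDebuggerPresent": "anti-debugging",
}

IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-]+(?::\d+)?(?:/[\w.\-/]*)?"),
    "file_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s]+\\)*[^\\\s]+"),
    "run_key": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?", re.I),
    # capture the base64 blob that follows -enc / -EncodedCommand
    "powershell_encoded": re.compile(
        r"powershell(?:\.exe)?\s.*-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I),
}

# Constructed stand-in for a sample: ASCII and UTF-16LE strings separated by NUL padding.
_ENCODED = base64.b64encode("Start-Process C:\\temp\\payload.exe".encode("utf-16-le")).decode()
SAMPLE = b"\x00\x00".join([
    b"MZ\x90\x00\x03\x00",
    b"URLDownloadToFileA", b"urlmon.dll",
    b"http://192.168.1.1/test.exe",
    b"C:\\temp\\payload.exe",
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run", b"SimulatedMalware",
    ("powershell.exe -NoProfile -EncodedCommand " + _ENCODED).encode("utf-16-le"),  # wide string
    b"IsDebuggerPresent", b"RegSetValueExA",
    b"\xff\xfe\x01\x02ab",  # "ab" is too short to count as a string
])


def hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs (like `strings -a`) plus UTF-16LE runs (like `strings -el`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; re-pad in case the string was cut."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def classify(strings: list) -> dict:
    iocs = {k: [] for k in (*IOC_PATTERNS, "api", "decoded_command")}
    for s in strings:
        for kind, pat in IOC_PATTERNS.items():
            m = pat.search(s)
            if not m:
                continue
            iocs[kind].append(m.group(0))
            if kind == "powershell_encoded":
                iocs["decoded_command"].append(decode_encoded_command(m.group(1)))
        if s in SUSPICIOUS_APIS:
            iocs["api"].append((s, SUSPICIOUS_APIS[s]))
    return iocs


def triage(data: bytes) -> dict:
    """Hashes, classified IoCs and a sorted list of behaviour tags inferred from them."""
    iocs = classify(extract_strings(data))
    behaviours = {tag for _, tag in iocs["api"]}
    if iocs["url"]:
        behaviours.add("network")
    if iocs["run_key"]:
        behaviours.add("persistence")
    if iocs["powershell_encoded"]:
        behaviours.add("execution")
    return {"hashes": hashes(data), "iocs": iocs, "behaviours": sorted(behaviours)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

The import table itself is not parsed here (peframe does that on REMnux), so an API name found only as a string still needs confirming in the IAT or in Ghidra before it is treated as evidence of behaviour.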
## Example Findings
### Suspicious URL
`http://192.168.1.1/test.exe`
### Registry Persistence
`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
### Payload Path
`C:\temp\payload.exe`
### Suspicious PowerShell Execution
`powershell.exe -NoProfile -EncodedCommand`
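How the same four indicators look at runtime in the Windows VM, using Procmon's CSV export as input. This is an added example written for this README, not code from the lab repository: `PROCMON_CSV` is constructed to resemble a Procmon export of the download, file drop, Run-key write and PowerShell launch (the hostname, PIDs, timestamps and the use of `SimulatedMalware` as the Run value name are assumptions), and `DROP_DIRS` is an assumed watch list. What it adds over reading the trace by eye is the correlation: the Run value's data is checked against the executables the same process wrote, so a Run key pointing at a file the process itself just dropped is reported separately from any other Run-key write.

```python
"""Procmon CSV triage: group successful operations per process and look for the downloader chain.

Added example for this README, not code from the lab repository. PROCMON_CSV is a
constructed log in the shape of a Procmon CSV export; all values in it are made up.
"""
import base64
import csv
import io
import re
from collections import defaultdict

# Run / RunOnce value written under any hive; group(1) is the value name.
RUN_VALUE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_PS_RE = re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|nc\w*)?\b", re.I)
DROP_DIRS = ("c:\\temp\\", "c:\\windows\\temp\\", "c:\\users\\public\\")  # assumed watch list

_ENC = base64.b64encode("Start-Process C:\\temp\\payload.exe".encode("utf-16-le")).decode()
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001234","evltool.exe","4120","TCP Connect","WIN10-LAB:49712 -> 192.168.1.1:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:11.2150001","evltool.exe","4120","CreateFile","C:\temp\payload.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:02:11.2201002","evltool.exe","4120","WriteFile","C:\temp\payload.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.3010003","evltool.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SimulatedMalware","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\temp\payload.exe"
"10:02:11.4100004","evltool.exe","4120","Process Create","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","SUCCESS","PID: 5532, Command line: powershell.exe -NoProfile -EncodedCommand {ENC}"
"10:02:12.0000005","explorer.exe","3388","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SimulatedMalware","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\temp\payload.exe"
"10:02:12.1000006","evltool.exe","4120","WriteFile","C:\temp\notes.txt","SUCCESS","Offset: 0, Length: 12"
'''.replace("{ENC}", _ENC)


def parse_procmon_csv(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def triage_procmon(text: str) -> dict:
    evidence = defaultdict(lambda: defaultdict(list))  # (process, pid) -> category -> items
    dropped = defaultdict(set)                          # (process, pid) -> lowercased .exe paths written
    for row in parse_procmon_csv(text):
        if row["Result"] != "SUCCESS":
            continue
        key = (row["Process Name"], row["PID"])
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op in ("TCP Connect", "UDP Send"):
            # Procmon renders "local -> remote"; the port may appear as a service name
            evidence[key]["network"].append(path.split("->")[-1].strip())
        elif op == "WriteFile" and path.lower().startswith(DROP_DIRS) and path.lower().endswith(".exe"):
            dropped[key].add(path.lower())
            evidence[key]["dropped_executable"].append(path)
        elif op == "RegSetValue" and (m := RUN_VALUE_RE.search(path)):
            data = detail.split("Data: ", 1)[-1]
            evidence[key]["run_key"].append((m.group(1), data))
        elif op == "Process Create":
            cmdline = detail.split("Command line: ", 1)[-1]
            if ENCODED_PS_RE.search(cmdline):
                evidence[key]["encoded_powershell"].append(cmdline)

    verdicts = {}
    for key, ev in evidence.items():
        tags = []
        if ev.get("network") and ev.get("dropped_executable"):
            tags.append("downloader")
        if any(data.lower() in dropped[key] for _, data in ev.get("run_key", [])):
            tags.append("persists dropped payload via Run key")
        elif ev.get("run_key"):
            tags.append("run-key persistence")
        if ev.get("encoded_powershell"):
            tags.append("encoded powershell")
        verdicts[key] = tags
    return {"evidence": {k: dict(v) for k, v in evidence.items()}, "verdicts": verdicts}


if __name__ == "__main__":
    for key, tags in triage_procmon(PROCMON_CSV)["verdicts"].items():
        print(key, "->", ", ".join(tags))
```

Export the trace from Procmon with File > Save in CSV format, preferably after filtering on the sample's process so the file stays small; with FakeNet-NG answering in the lab the TCP connect succeeds and the download completes without leaving the VM. Failed operations are skipped here on purpose, which is a simplification: a failed RegSetValue against the Run key is still an attempt worth noting in the report.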
## Lessons Learned
During this lab I improved my understanding of:
- PE file analysis
- Windows persistence mechanisms
- Malware downloader behavior
- Registry-based persistence
- Reverse engineering with Ghidra
- Static malware analysis methodology
- Safe malware handling in isolated environments