LAB L03 · MALWARE REVERSE ENGINEERING · INTERMEDIATE

Static Malware Analysis with AI Investigation

Analyze a suspicious Windows executable using REMnux and Flare-VM. Perform static analysis, extract indicators, and use the AI Analyst to interpret findings, map to MITRE ATT&CK, and generate detection rules.

60–90 min
🖥️ REMnux + Flare-VM
🔧 FLOSS · Capa · pefile · Ghidra
🤖 AI-Assisted Analysis
🚨 Incident Scenario

Your SOC received an alert: a file named invoice_Q4.exe was downloaded from an email attachment on a finance workstation. The endpoint agent blocked execution, but the file is on disk. Your job is to determine whether it's malicious, what it does, and generate IOCs and detection rules before it spreads.

The sample has been placed in your REMnux VM at /home/remnux/labs/L03/invoice_Q4.exe. (For this lab, download the practice sample from MalwareBazaar using the hash below.)

Phase 0 — Environment Setup
Prepare your isolated analysis environment before touching the sample
Boot REMnux and verify isolation
Confirm REMnux has no internet access before handling samples
Start your REMnux VM. Set the network adapter to Host-Only or Internal Network (malware-net) — no NAT. Verify no internet access:
curl -s --max-time 5 https://google.com # Should timeout/fail
ping -c 2 8.8.8.8 # Should fail
# If these succeed, disconnect the internet adapter first
🚫
Never analyze malware with internet access. Many samples phone home to C2 servers when executed, and even static analysis can trigger network requests from some tools.
Take a VM snapshot
Create a clean restore point before any analysis
In VirtualBox: Machine → Take Snapshot → "Pre-Lab L03 Analysis". If anything goes wrong or the sample modifies your system during dynamic analysis later, you can revert instantly.
# Or via CLI on your host:
vboxmanage snapshot "REMnux" take "Pre-Lab-L03" --live
Download the practice sample
Fetch a known malware sample from MalwareBazaar for analysis
We'll use a real (but old and well-documented) malware sample from MalwareBazaar. This is a standard CTF/training sample — studying it is legal and educational.
mkdir -p ~/labs/L03 && cd ~/labs/L03

# Download sample from MalwareBazaar (password: infected)
# sha256_hash must be the full 64-hex-character SHA-256 shown on the sample's MalwareBazaar page
curl "https://mb-api.abuse.ch/api/v1/" \
     --data 'query=get_file&sha256_hash=4f5401cb5e64806c21175632eda4382a55551961f4986439fc9e48fa76dd452' \
     --output sample.zip

# Unzip (password is always "infected" on MalwareBazaar)
unzip -P infected sample.zip
mv *.exe invoice_Q4.exe 2>/dev/null || true
ls -la
⚠️
Alternatively, use any PE file from your host machine (notepad.exe is fine for practicing commands). The technique is the same regardless of the sample.
Phase 1 — Quick Triage
First 5 minutes: identify the file and check threat intel before deep analysis
Get file hashes
Hashes are your primary identifier — check them against threat intel
Generate MD5, SHA1, and SHA256 hashes. You'll use these to search VirusTotal, MalwareBazaar, and Hybrid-Analysis. Record the hashes in the Findings table below.
md5sum invoice_Q4.exe
sha1sum invoice_Q4.exe
sha256sum invoice_Q4.exe

# Or all at once:
python3 -c "import hashlib; data=open('invoice_Q4.exe','rb').read(); print('MD5: ',hashlib.md5(data).hexdigest()); print('SHA1: ',hashlib.sha1(data).hexdigest()); print('SHA256:',hashlib.sha256(data).hexdigest())"
🤖 AI Analyst — Step Guidance

Paste your hash output here. The AI will search for context, explain if these hashes are known malware families, and tell you what threat intelligence says about this sample.

Identify the file type
Malware often masquerades as another file type — verify what it actually is
Use file and Detect-It-Easy (die) to identify the true file type, architecture, and whether it's packed or obfuscated.
file invoice_Q4.exe
die invoice_Q4.exe # Detect-It-Easy: packer/compiler detection
exiftool invoice_Q4.exe # Metadata: compile time, author, version info

# Check if it's actually a PE file (pefile raises PEFormatError if the header is not a valid PE):
python3 -c "import pefile; pe=pefile.PE('invoice_Q4.exe'); print('Valid PE, Machine:', hex(pe.FILE_HEADER.Machine))"  # 0x14c = x86, 0x8664 = x64
Phase 2 — Static Analysis
Deep examination without executing the file — strings, PE headers, imports, entropy
Extract human-readable strings
Strings reveal URLs, registry keys, file paths, and error messages
The strings command extracts printable characters. FLOSS (FLARE Obfuscated String Solver) also decodes obfuscated and dynamically constructed strings that strings misses.
# Basic strings: ASCII, minimum length 6
strings -a -n 6 invoice_Q4.exe | head -80
strings -a -n 6 -el invoice_Q4.exe | head -40 # UTF-16LE ("wide") strings, common in Windows binaries

# FLOSS: extracts obfuscated/decoded strings too
floss invoice_Q4.exe | tee floss_output.txt

# Filter for interesting indicators
grep -iE "(http|ftp|cmd|powershell|reg|HKEY|\\\\Users|%APPDATA%|CreateRemoteThread|VirtualAlloc)" floss_output.txt
🤖 AI Analyst — String Analysis

Copy the most interesting strings you found (URLs, paths, suspicious function names, encoded data) and paste them in the AI chat. The AI will explain what each string suggests about the malware's behavior.

Analyze PE headers and sections
PE structure reveals compilation info, sections, and packing indicators
Use pefile to examine the Portable Executable structure: sections, their entropy (high entropy = packed/encrypted), timestamps, and version information.
python3 << 'EOF'
import math
from collections import Counter
from datetime import datetime, timezone

import pefile

pe = pefile.PE('invoice_Q4.exe')
print(f"Machine:   {hex(pe.FILE_HEADER.Machine)}")   # 0x14c = x86, 0x8664 = x64
# TimeDateStamp is seconds since the Unix epoch (easily forged or zeroed by the author)
compiled = datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp, tz=timezone.utc)
print(f"Compiled:  {compiled:%Y-%m-%d %H:%M:%S} UTC")
print(f"Subsystem: {pe.OPTIONAL_HEADER.Subsystem}")  # 2 = GUI, 3 = console

def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:          # sections with no raw data (e.g. .bss) would otherwise divide by zero
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

print("\n=== SECTIONS ===")
for s in pe.sections:
    data = s.get_data()   # raw bytes of the section as stored on disk
    entropy = shannon_entropy(data)
    name = s.Name.rstrip(b'\x00').decode(errors='replace')
    print(f" {name:10} Size:{s.SizeOfRawData:8} Entropy:{entropy:.2f} {'⚠ PACKED' if entropy > 6.5 else ''}")
EOF
📊
Entropy > 6.5 on a section strongly suggests packing or encryption. Entropy close to 8.0 means the section is almost certainly encrypted or compressed — classic ransomware and RAT behavior.
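The following is an added example, not code from the lab: it isolates the Shannon entropy calculation the pefile script computes per section and adds a sliding-window variant, because whole-section entropy averages away a small encrypted blob padded inside an otherwise plain section. One caveat the thresholds do not capture: legitimately compressed content (embedded images, certificates, .NET resources) also scores near 8.0, so entropy is one signal to confirm against die's packer detection and the import table. All buffers are constructed in the script; the 7.5 cutoff for "near 8.0" is this example's own choice.

```python
import math
import os
from collections import Counter

# Added example, not code from the lab: Shannon entropy per buffer plus a
# windowed scan that finds a blob hidden inside low-entropy padding.
# All buffers are constructed here; nothing is read from disk.

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return max(0.0, h)          # avoids printing -0.00 for an all-zero buffer

def classify(entropy: float) -> str:
    """Labels using the lab's 6.5 threshold; 7.5 for 'near 8.0' is this example's choice."""
    if entropy >= 7.5:
        return "encrypted/compressed"
    if entropy > 6.5:
        return "likely packed"
    return "plain code/data"

def high_entropy_windows(data: bytes, window: int = 256, threshold: float = 6.5):
    """Offsets of fixed-size windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]

# Constructed stand-ins for section contents (not from invoice_Q4.exe)
ZEROS = bytes(4096)                                          # zero-filled data
TEXT = b"This program cannot be run in DOS mode.\r\n" * 100   # ordinary text-like bytes
RANDOM = os.urandom(4096)                                    # behaves like an encrypted payload
MIXED = ZEROS + RANDOM + ZEROS                               # 4 KiB blob inside 8 KiB of padding

if __name__ == "__main__":
    for label, buf in (("zeros", ZEROS), ("text", TEXT), ("random", RANDOM), ("mixed", MIXED)):
        e = shannon_entropy(buf)
        print(f"{label:7} entropy={e:.2f}  {classify(e)}")
    blobs = high_entropy_windows(MIXED)
    print(f"mixed: whole-buffer entropy looks benign, but windows flag offsets "
          f"{hex(blobs[0])}..{hex(blobs[-1] + 256)}")
```

The "mixed" buffer is the instructive case: its overall entropy sits well under 6.5 and would not be flagged by the per-section script, while the windowed scan pinpoints exactly where the high-entropy blob starts and ends.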
Examine imports and exports
API imports tell you what the malware is capable of doing
Windows API imports are the fingerprint of malware capability. Look for: process injection APIs (VirtualAlloc, WriteProcessMemory), network APIs (WSAStartup, InternetOpen), anti-analysis APIs (IsDebuggerPresent).
python3 << 'EOF'
import pefile

pe = pefile.PE('invoice_Q4.exe')

# Substring matches, so 'VirtualAlloc' also catches VirtualAllocEx and the A/W variants
suspicious = ['VirtualAlloc', 'WriteProcessMemory', 'CreateRemoteThread',    # process injection
              'ShellExecute', 'WinExec', 'CreateService', 'RegSetValue',     # execution / persistence
              'InternetOpen', 'WSAStartup', 'HttpSendRequest',               # network
              'IsDebuggerPresent', 'CheckRemoteDebuggerPresent',             # anti-analysis
              'CryptEncrypt', 'GetAsyncKeyState', 'SetWindowsHookEx']        # crypto / keylogging

if not hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    # A missing (or tiny LoadLibrary/GetProcAddress-only) import table is itself a packing indicator
    print("No import table found: packed, or imports are resolved at runtime")
else:
    for lib in pe.DIRECTORY_ENTRY_IMPORT:
        print(f"\n[{lib.dll.decode(errors='replace')}]")
        for fn in lib.imports:
            # Imports by ordinal carry no name; the DLL's export table resolves them
            name = fn.name.decode(errors='replace') if fn.name else f"ord_{fn.ordinal}"
            flag = " ⚠️ SUSPICIOUS" if any(s in name for s in suspicious) else ""
            print(f"  {name}{flag}")
EOF
🤖 AI Analyst — Import Analysis

Paste your flagged imports into the AI chat. The AI will explain what each suspicious API enables, what malware families commonly use these combinations, and what this tells us about the sample's capabilities.
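The script above flags single APIs; the reasoning the AI is asked for (which combinations imply which capability) can be made explicit in code. The following is an added example, not code from the lab: it normalises A/W suffixes, flags a capability only when enough of its APIs co-occur (three injection APIs, not just VirtualAlloc), maps each to a MITRE ATT&CK technique ID, and checks for the stripped-down import table typical of packers. The capability table, the co-occurrence minimums and the SAMPLE_IMPORTS list are this example's own constructions; imports_from_pe() shows how to feed a real file through pefile.

```python
import re

# Added example, not code from the lab. SAMPLE_IMPORTS and PACKED_IMPORTS are
# constructed import tables, not from invoice_Q4.exe.

# capability -> (APIs without A/W suffix, how many must co-occur, ATT&CK technique ID)
CAPABILITIES = {
    "process injection":     ({"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                               "NtCreateThreadEx", "QueueUserAPC"}, 3, "T1055"),
    "anti-debugging":        ({"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                               "NtQueryInformationProcess"}, 1, "T1622"),
    # T1547.001 (Run keys) only once strings confirm the key path; imports alone show T1112
    "registry modification": ({"RegOpenKeyEx", "RegCreateKeyEx", "RegSetValueEx"}, 2, "T1112"),
    "HTTP C2":               ({"InternetOpen", "InternetConnect", "HttpOpenRequest",
                               "HttpSendRequest", "InternetReadFile"}, 2, "T1071.001"),
    "raw socket C2":         ({"WSAStartup", "socket", "connect", "send", "recv"}, 3, "T1095"),
    "keylogging":            ({"GetAsyncKeyState", "SetWindowsHookEx", "GetKeyState"}, 1, "T1056.001"),
    "file encryption":       ({"CryptAcquireContext", "CryptGenKey", "CryptEncrypt",
                               "CryptImportKey"}, 2, "T1486"),
}

def normalize(api: str) -> str:
    """Drop the ANSI/Unicode suffix so CreateFileA and CreateFileW match one rule."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", api)

def assess(imports):
    """imports: (dll, api) pairs. Returns {capability: (matched APIs, technique ID)}."""
    present = {normalize(api) for _, api in imports}
    found = {}
    for capability, (apis, minimum, technique) in CAPABILITIES.items():
        hits = sorted(apis & present)
        if len(hits) >= minimum:
            found[capability] = (hits, technique)
    return found

def attack_techniques(found):
    """Sorted, de-duplicated technique IDs for the ATT&CK mapping step."""
    return sorted({technique for _, technique in found.values()})

def looks_packed(imports) -> bool:
    """Packers usually leave only LoadLibrary/GetProcAddress plus a handful of others."""
    names = {normalize(api) for _, api in imports}
    return len(names) <= 10 and {"LoadLibrary", "GetProcAddress"} <= names

def imports_from_pe(path):
    """Real-file adapter: (dll, api) pairs from a PE's import table (needs pefile)."""
    import pefile   # imported here so the rest of the example runs without it
    pe = pefile.PE(path)
    return [(lib.dll.decode(errors="replace"), fn.name.decode(errors="replace"))
            for lib in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
            for fn in lib.imports if fn.name]

SAMPLE_IMPORTS = [   # constructed
    ("KERNEL32.dll", "VirtualAllocEx"), ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"), ("KERNEL32.dll", "IsDebuggerPresent"),
    ("KERNEL32.dll", "CreateFileW"), ("ADVAPI32.dll", "RegOpenKeyExW"),
    ("ADVAPI32.dll", "RegSetValueExW"), ("WININET.dll", "InternetOpenA"),
    ("WININET.dll", "HttpSendRequestA"), ("USER32.dll", "MessageBoxW"),
    ("ADVAPI32.dll", "CryptEncrypt"),
]
PACKED_IMPORTS = [   # constructed: the skeleton import table a packer stub leaves behind
    ("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualProtect"), ("KERNEL32.dll", "ExitProcess"),
]

if __name__ == "__main__":
    found = assess(SAMPLE_IMPORTS)
    for capability, (hits, technique) in found.items():
        print(f"{technique:10} {capability:22} via {', '.join(hits)}")
    print("techniques:", attack_techniques(found))
    print("packed-looking import table:", looks_packed(PACKED_IMPORTS))
```

Note that CryptEncrypt on its own does not reach the "file encryption" minimum: a single crypto import is common in benign software, so the example waits for the key-handling APIs to appear alongside it before claiming T1486.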

Run Capa for capability detection
Capa automatically maps binary behaviors to MITRE ATT&CK techniques
Capa is a tool from Mandiant that identifies capabilities in executables by matching against thousands of rules. It provides automatic MITRE ATT&CK mapping.
capa invoice_Q4.exe

# For verbose output with evidence:
capa -v invoice_Q4.exe 2>&1 | tee capa_results.txt

# JSON output for programmatic processing:
capa -j invoice_Q4.exe > capa_results.json
🤖 AI Analyst — Capa Results

Paste your Capa output into the AI chat. The AI will explain each ATT&CK technique identified, what the malware is capable of doing, and how it compares to known malware families.

Phase 3 — AI Investigation Synthesis
Let the AI Analyst synthesize all findings into IOCs, ATT&CK mapping, and detection rules
Compile IOC findings
Record all indicators in structured format for threat intel sharing
Fill in the IOC table below with what you've found. Then paste all IOCs into the AI Analyst to get STIX/TAXII-ready threat intel.
IOC Type        Value                        Confidence
SHA256 Hash     __________________________   HIGH
MD5 Hash        __________________________   HIGH
C2 Domain/IP    __________________________   MED
Registry Key    __________________________   MED
File Path       __________________________   MED
Mutex Name      __________________________   LOW
YARA String     __________________________   HIGH
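Most of the rows in this table come straight out of the strings/FLOSS output from Phase 2. The following is an added example, not code from the lab: it scans string output for URLs, IPv4 addresses, registry keys, file paths and mutex names, drops addresses in internal ranges that cannot be an internet-facing C2, defangs the network indicators for safe sharing, and renders the rows in the table's format with the confidence level the table assigns to each type. SAMPLE_STRINGS is constructed and is not output from invoice_Q4.exe; bare domain names are deliberately not extracted, because a naive domain regex would also match DLL names such as kernel32.dll.

```python
import ipaddress
import re

# Added example, not code from the lab. SAMPLE_STRINGS is constructed.

# (name, pattern, IOC type as named in the table, default confidence)
PATTERNS = [
    ("url",   re.compile(r"https?://[^\s\"'<>]+", re.I), "C2 Domain/IP", "MED"),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "C2 Domain/IP", "MED"),
    ("reg",   re.compile(r"(?:HK(?:EY_[A-Z_]+|LM|CU|CR|U|CC)\\)?(?:SOFTWARE|SYSTEM)\\[^\s\"']+", re.I),
              "Registry Key", "MED"),
    ("path",  re.compile(r"(?:[A-Za-z]:\\|%[A-Za-z]+%\\)[^\s\"'<>|]+"), "File Path", "MED"),
    ("mutex", re.compile(r"\b(?:Global|Local)\\[^\s\"']+"), "Mutex Name", "LOW"),
]

# Ranges that cannot be an internet-facing C2 (RFC 1918, loopback, link-local, "this" network).
# Documentation ranges such as 198.51.100.0/24 are kept on purpose so the sample below survives.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def is_internal_ip(value: str) -> bool:
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:        # e.g. 999.1.1.1 matches the regex but is not an address
        return True
    return any(ip in net for net in INTERNAL_NETS)

def defang(value: str) -> str:
    """Make a network IOC safe to paste into a ticket or report (hxxp, [.])."""
    return value.replace("http", "hxxp").replace(".", "[.]")

def extract_iocs(lines):
    """Ordered, de-duplicated IOC dicts: type, value, defanged, confidence."""
    seen, iocs = set(), []
    for line in lines:
        for name, pattern, ioc_type, confidence in PATTERNS:
            for value in pattern.findall(line):
                if name == "ipv4" and is_internal_ip(value):
                    continue
                if (ioc_type, value) in seen:
                    continue
                seen.add((ioc_type, value))
                iocs.append({"type": ioc_type, "value": value,
                             "defanged": defang(value) if name in ("url", "ipv4") else value,
                             "confidence": confidence})
    return iocs

def render_table(iocs) -> str:
    """Plain-text rows in the layout of the lab's IOC table."""
    rows = [f"{'IOC Type':14} {'Value (defanged)':52} Confidence"]
    rows += [f"{i['type']:14} {i['defanged']:52} {i['confidence']}" for i in iocs]
    return "\n".join(rows)

SAMPLE_STRINGS = r"""
!This program cannot be run in DOS mode.
kernel32.dll
http://update-checker.example.com/gate.php
198.51.100.23
10.0.0.5
Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%APPDATA%\svchost32.exe
C:\Users\Public\inv.tmp
Global\MutexInvoiceQ4
1.2.3
""".strip().splitlines()

if __name__ == "__main__":
    print(render_table(extract_iocs(SAMPLE_STRINGS)))
```

Pipe real output through it with something like `floss invoice_Q4.exe | python3 extract_iocs.py` after replacing SAMPLE_STRINGS with `sys.stdin`; the hash rows of the table still come from Phase 1.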
AI generates YARA detection rule
Auto-generate a detection rule based on your analysis findings
Use the AI Analyst to generate a YARA rule based on the unique strings, byte patterns, and PE characteristics you've identified. Then test it:
# After AI generates a YARA rule, save it and test:
nano ~/labs/L03/detect_invoice.yar # Paste AI-generated rule
yara ~/labs/L03/detect_invoice.yar invoice_Q4.exe

# Test against benign files (should NOT match):
yara ~/labs/L03/detect_invoice.yar /usr/bin/ls
🤖 AI Analyst — Generate YARA Rule

Paste your unique strings, suspicious imports, and Capa results. The AI will write a YARA rule with proper meta, strings, and condition sections ready to deploy.
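Whether the rule comes from the AI or is written by hand, it should have the shape shown here. The following is an added example, not code from the lab and not what the AI Analyst emits: it assembles a rule from the findings gathered earlier (unique strings, suspicious imports, the SHA-256), escapes text strings the way YARA requires (backslashes in paths are the usual mistake), and uses a condition that needs several indicators at once so the rule stays quiet on benign PE files such as the /usr/bin/ls check above. Every value in the demo call is a constructed placeholder.

```python
import datetime
import re

# Added example, not code from the lab. All findings below are constructed placeholders.

def yara_escape(text: str) -> str:
    """YARA text strings escape backslash and double quote; Windows paths need this."""
    return text.replace("\\", "\\\\").replace('"', '\\"')

def yara_identifier(name: str) -> str:
    """Rule identifiers: [A-Za-z0-9_] only and must not start with a digit."""
    ident = re.sub(r"[^A-Za-z0-9_]", "_", name)
    return ident if ident and not ident[0].isdigit() else "_" + ident

def build_rule(name, sha256, strings, imports=(), min_strings=2, max_size="2MB", date=None):
    """Return YARA rule text. imports: (dll, function) pairs checked through the pe module."""
    if not strings:
        raise ValueError("a rule with no strings cannot use 'N of ($s*)'")
    needed = min(min_strings, len(strings))       # never demand more strings than exist
    date = date or datetime.date.today().isoformat()
    lines = ['import "pe"', "", f"rule {yara_identifier(name)}", "{", "    meta:",
             '        description = "Static indicators from Lab L03 analysis"',
             f'        sha256 = "{sha256}"',
             f'        date = "{date}"',
             "    strings:"]
    lines += [f'        $s{i} = "{yara_escape(s)}" ascii wide' for i, s in enumerate(strings)]
    conditions = ["uint16(0) == 0x5A4D",          # 'MZ': only evaluate PE files
                  f"filesize < {max_size}"]       # keeps the rule cheap on large files
    conditions += [f'pe.imports("{dll.lower()}", "{fn}")' for dll, fn in imports]
    conditions.append(f"{needed} of ($s*)")       # several indicators, not one generic string
    lines += ["    condition:", "        " + " and\n        ".join(conditions), "}"]
    return "\n".join(lines)

# Constructed findings standing in for what Phases 1 and 2 produced
DEMO_RULE = build_rule(
    name="invoice_Q4_exe",
    sha256="<sha256-from-phase-1>",
    strings=[r"%APPDATA%\svchost32.exe", r"Global\MutexInvoiceQ4", "/gate.php"],
    imports=[("KERNEL32.dll", "CreateRemoteThread"), ("WININET.dll", "HttpSendRequestA")],
    date="2000-01-01",
)

if __name__ == "__main__":
    print(DEMO_RULE)   # save as detect_invoice.yar and run the yara commands above
```

The generated condition is conjunctive on purpose: a PE header check, a size bound, the imports the sample actually uses and at least two of the sample-specific strings. A rule that fires on any single string (or only on `pe.imports(...)`) will match far too much of the benign software on the test machine.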

AI generates Sigma detection rule
Create a SIEM rule that detects execution of this malware in Windows event logs
Based on the API imports and behaviors identified, the AI will generate a Sigma rule for detecting this malware if it executes — detectable via Windows Event Logs and Sysmon.
🤖 AI Analyst — Generate Sigma Rule

Tell the AI what process behaviors, registry modifications, and network indicators you found. It will generate a Sigma rule compatible with Splunk, Elastic, and other SIEMs.

AI maps all findings to MITRE ATT&CK
Generate the complete ATT&CK Navigator layer for this malware
🤖 AI Analyst — MITRE ATT&CK Mapping

Share all your findings: Capa results, suspicious APIs, strings, and observed behaviors. The AI will map each behavior to ATT&CK techniques and generate a complete adversary profile.

Phase 4 — Incident Report
Document your analysis in a professional analyst report

📄 Malware Analysis Report

Lab complete — review and submit
Mark this step when you have a completed analysis report
Lab completion checklist:
✅ All file hashes recorded
✅ PE structure analyzed (sections, entropy, imports)
✅ Strings extracted with FLOSS
✅ Capa run and results interpreted
✅ YARA detection rule written and tested
✅ Sigma rule generated
✅ MITRE ATT&CK mapping completed
✅ Professional analysis report drafted

Revert your REMnux VM to the "Pre-Lab L03" snapshot to restore a clean state.
💡
Next: Lab L04 — Dynamic Malware Analysis — execute the sample in Flare-VM, monitor process/network behavior in real time, and use the AI to synthesize behavioral IOCs.