LAB L04 · MALWARE RE · ADVANCED

Dynamic Malware Analysis + Behavioral Sandbox

Execute malware in an isolated Flare-VM environment. Monitor process creation, registry changes, file drops, and network behavior in real time. Use AI to synthesize behavioral IOCs and map to ATT&CK.

120 min
🖥️ Flare-VM + REMnux
🔧 ProcMon · Wireshark · FakeNet-NG · Regshot
🤖 AI Behavioral Analysis
🔥 Lab Scenario

Static analysis of invoice_Q4.exe (Lab L03) revealed suspicious API imports but the sample is packed. Dynamic analysis is needed to observe actual runtime behavior. Execute in a monitored sandbox and capture everything the malware does.

Phase 0 — Sandbox Preparation
Configure monitoring tools BEFORE executing any malware
Revert Flare-VM to clean snapshot
Never analyze on a dirty machine — always start from clean state
In VirtualBox: Machine → Snapshots → select "Flare-VM Clean" → Restore. Verify you're at a clean baseline before proceeding.
Flare-VM should be on an isolated network only — Internal Network "malware-net" with REMnux providing simulated DNS/HTTP responses. No internet access.
Start FakeNet-NG on REMnux for network simulation
FakeNet responds to all DNS/HTTP/HTTPS requests so malware thinks it has internet
# On REMnux (run before executing sample on Flare-VM)
sudo fakenet &
# FakeNet listens on all ports and logs all connections
# Logs saved to: /tmp/fakenet.log
tail -f /tmp/fakenet.log
Configure monitoring tools on Flare-VM
Set up ProcMon, Regshot baseline, and Wireshark BEFORE detonation
# 1. Start Wireshark: capture on the malware-net interface
# 2. Launch Process Monitor (ProcMon) — start capture, apply filters:
# Filter: Process Name is [sample.exe] — add AFTER detonation
# 3. Take Regshot "1st shot" BEFORE execution:
# Open Regshot → 1st shot → Scan (captures full registry state)
# 4. Start API Monitor if you want API-level logging
Phase 1 — Detonation & Live Monitoring
Execute the sample and capture all behavior in real time
Execute the sample and begin monitoring
Run the malware and watch all tools simultaneously
# In PowerShell on Flare-VM (Defender already disabled):
cd C:\Users\flare\Desktop\samples
# Run and monitor for 5 minutes
.\invoice_Q4.exe
# Immediately: filter ProcMon by process name
# Watch: Wireshark for outbound connections
# Watch: Process Hacker for child processes spawned
Let it run for at least 2-3 minutes. Some malware has time delays or checks before executing payload. Then take Regshot "2nd shot" and stop all captures.
Capture Regshot diff — registry changes
See every registry key created, modified, or deleted
# After malware runs 2-3 min: Regshot → 2nd shot → Compare
# Export comparison as text file
# Key sections to look at:
# Keys added: new persistence mechanisms
# Values modified: configuration changes
# Keys deleted: anti-forensics cleanup
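As an added example (not from the lab or its author), a small Python parser for the Regshot comparison text that flags added or modified entries under persistence locations and tags each with the ATT&CK technique the AI step asks you to map. It assumes Regshot's text export layout (section headers like "Keys added: 2" followed by one entry per line) and runs on a constructed diff, not on real output from invoice_Q4.exe.

```python
import re
# Registry locations commonly abused for persistence, keyed to the ATT&CK technique a hit maps to.
PERSISTENCE_PATTERNS = {
    r"\\CurrentVersion\\Run(Once)?\\": "T1547.001 Registry Run Keys",
    r"\\CurrentControlSet\\Services\\": "T1543.003 Windows Service",
    r"\\Winlogon\\(Shell|Userinit|Notify)": "T1547.004 Winlogon Helper DLL",
}
# Section headers in Regshot's text export look like "Keys added: 2" (assumed layout).
SECTION_RE = re.compile(r"^(Keys|Values) (added|modified|deleted): \d+$")

# Constructed sample diff in that layout, not output captured from invoice_Q4.exe.
SAMPLE_DIFF = r"""
----------------------------------
Keys added: 2
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\WinSvcHost
HKU\S-1-5-21-1000\Software\Classes\Local Settings\MuiCache
----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate: "C:\Users\flare\AppData\Roaming\svchost.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinSvcHost\ImagePath: "C:\Users\flare\AppData\Roaming\svchost.exe"
----------------------------------
Total changes: 4
"""

def parse_regshot(text):
    """Group every entry of a Regshot comparison under its section name."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            current = f"{header.group(1)} {header.group(2)}"
        elif line and current and not line.startswith(("-", "Total changes")):
            sections.setdefault(current, []).append(line)
    return sections

def flag_persistence(sections):
    """Return (section, entry, technique) for added/modified entries under persistence locations."""
    hits = []
    for section, entries in sections.items():
        if section.endswith("deleted"):       # removals are cleanup, not persistence
            continue
        for entry in entries:
            for pattern, technique in PERSISTENCE_PATTERNS.items():
                if re.search(pattern, entry, re.IGNORECASE):
                    hits.append((section, entry, technique))
                    break                     # one technique per entry is enough
    return hits
```

Feed it the exported comparison file with `flag_persistence(parse_regshot(open(path).read()))`; entries that match nothing (like the MuiCache key in the sample) are ordinary runtime noise and can be reviewed separately.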
🤖 AI Analyst

Paste your Regshot diff (especially newly created keys). The AI will identify persistence mechanisms, configuration storage, and map each registry change to ATT&CK techniques.

Analyze ProcMon output — process and file activity
Every file created, process spawned, and network connection attempted
# In ProcMon — apply these filters after stopping capture:
# Operation is WriteFile → files created/modified
# Operation is CreateFile AND Path contains .exe → dropped executables
# Operation is Process Create → child processes spawned
# Export as CSV: File → Save → CSV format
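As an added example (not part of the lab), a Python triage over the ProcMon CSV export in its default column layout. Where the process-name filter above would both miss children and catch the real system process of the same name, this follows the PID of every child the sample spawns; the CSV rows are constructed, including a decoy connection from the legitimate svchost.exe (PID 1032) that must not be attributed to the sample.

```python
import csv
import io
import re

# Constructed ProcMon CSV export (default column set), not a capture of invoice_Q4.exe.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:01.1234567 AM","invoice_Q4.exe","4120","CreateFile","C:\\Users\\flare\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:02:01.2234567 AM","invoice_Q4.exe","4120","WriteFile","C:\\Users\\flare\\AppData\\Roaming\\svchost.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:02:02.0000000 AM","invoice_Q4.exe","4120","Process Create","C:\\Users\\flare\\AppData\\Roaming\\svchost.exe","SUCCESS","PID: 5588, Command line: ""C:\\Users\\flare\\AppData\\Roaming\\svchost.exe"" -install"
"10:02:02.5000000 AM","svchost.exe","5588","TCP Connect","FLARE:49812 -> 203.0.113.10:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:02.6000000 AM","svchost.exe","1032","TCP Connect","FLARE:49813 -> 203.0.113.20:80","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:02:03.0000000 AM","invoice_Q4.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WinUpdate","SUCCESS","Type: REG_SZ, Length: 92, Data: C:\\Users\\flare\\AppData\\Roaming\\svchost.exe"
"""

def load_procmon(csv_text):
    """Read a ProcMon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def triage(events, sample_pid):
    """Attribute events to the sample by PID, following the PIDs of any children it
    creates, and bucket them into the indicator classes the lab asks for."""
    tracked = {str(sample_pid)}
    report = {"dropped": [], "children": [], "network": [], "run_keys": []}
    for ev in events:
        if ev["PID"] not in tracked:
            continue
        op, path = ev["Operation"], ev["Path"]
        if op == "WriteFile" and path.lower().endswith((".exe", ".dll")) and path not in report["dropped"]:
            report["dropped"].append(path)
        elif op == "Process Create":
            child = re.search(r"PID: (\d+)", ev["Detail"])
            if child:
                tracked.add(child.group(1))   # the child inherits attribution to the sample
            report["children"].append(path)
        elif op in ("TCP Connect", "UDP Send"):
            report["network"].append(path)
        elif op == "RegSetValue" and re.search(r"\\CurrentVersion\\Run(Once)?\\", path, re.I):
            report["run_keys"].append(path)
    return report
```

Run it on a real export with `triage(load_procmon(open("Logfile.CSV", encoding="utf-8-sig").read()), <sample PID from Process Hacker>)`; the UTF-8 BOM ProcMon writes is why `utf-8-sig` matters.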
Analyze Wireshark/FakeNet network traffic
What domains and IPs did the malware try to contact?
# On REMnux — review FakeNet logs
grep -iE "(dns|http|connect)" /tmp/fakenet.log | head -50
# In Wireshark on Flare-VM:
# Filter: dns → see all domain lookups
# Filter: http.request → see all HTTP requests and User-Agents
# Filter: tcp.flags.syn==1 && tcp.flags.ack==0 → see all outbound connection attempts (initial SYN only, not FakeNet's SYN-ACK replies)
🤖 AI Analyst

Paste the DNS queries, HTTP requests, and connection attempts from FakeNet. The AI will identify C2 domains, explain the communication protocol, and classify the malware's network behavior.

Phase 2 — Advanced Analysis
Debug the sample to understand evasion and payload delivery
Attach x64dbg and step through packer stub
Watch the malware unpack itself in memory
# Open x64dbg and load sample: File → Open
# The packer stub runs first — watch for the OEP (Original Entry Point)
# Set breakpoints on these APIs to catch key moments:
# VirtualAlloc — memory allocation for unpacked code
# WriteProcessMemory — process injection
# CreateProcessW / CreateProcessA — spawning child processes (break on the exported name, not the bare "CreateProcess")
# When VirtualAlloc fires: note the new memory region
# Run until OEP is reached, then dump the unpacked binary
🤖 AI Analyst

Paste the disassembly near the OEP or the API calls you've observed in x64dbg. The AI will explain what the code is doing, identify the packer type, and guide your next debugging steps.

Identify dropped files and secondary payloads
Many malware samples are loaders that drop the real payload
# In PowerShell: check common drop locations, newest files first
Get-ChildItem $env:TEMP, $env:APPDATA, $env:USERPROFILE -File |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, FullName -First 20
# Hash any suspicious files found (recurse: droppers often create their own subfolder)
Get-ChildItem "$env:USERPROFILE\AppData" -Recurse -Filter *.exe -File -ErrorAction SilentlyContinue |
    Get-FileHash -Algorithm SHA256
Phase 3 — AI IOC Synthesis & Detection
Compile behavioral IOCs and generate detection rules
AI compiles complete behavioral IOC report
All registry, file, network, and process indicators in structured format
🤖 AI Analyst — IOC Synthesis

Share all your findings: registry keys created, files dropped, DNS queries, HTTP requests, child processes spawned, and API calls observed. The AI will compile a complete IOC table and generate both a YARA rule and Sigma detection rule.

Generate EDR/SIEM detection rules
Rules based on behavioral patterns that survive malware updates
🤖 AI Analyst

Behavioral detections based on WHAT the malware does are more durable than hash-based detections. Ask the AI to write Sigma rules based on process behavior, registry changes, and network patterns.

Lab complete — document and restore snapshot
Revert Flare-VM to clean state
✅ Sandbox environment properly isolated
✅ FakeNet-NG captured all network attempts
✅ Regshot diff captured registry changes
✅ ProcMon captured file and process activity
✅ x64dbg used to observe unpacking
✅ Dropped files identified and hashed
✅ Behavioral IOCs compiled
✅ Detection rules generated

Revert Flare-VM to clean snapshot before next lab.

Next: Lab L05 — Phishing Detection with NLP

Build a machine learning model to detect phishing emails with 95%+ accuracy.