Malware Analysis Basics: Safe Static and Dynamic Triage
I triaged unknown binaries in an isolated lab using static analysis (strings, file, YARA) followed by sandboxed dynamic analysis (strace, Cuckoo) to observe runtime behaviour. The two-stage workflow extracted actionable IOCs from every sample without risking the host network.
Objective & Context
Malware triage answers two questions fast: what is it, and what does it do. This lab separates safe static inspection from controlled detonation in an air-gapped sandbox, aligning to NIST SP 800-83 malware-incident handling.
- T1027 Obfuscated Files or Information – packing and entropy checks during static triage.
- T1071 Application Layer Protocol – sandbox network capture reveals C2 callbacks.
Environment & Prerequisites
- Isolated analysis VM with no production network route (host-only).
- YARA with curated rule sets; Cuckoo or an equivalent sandbox.
- A clean VM snapshot to revert after each detonation.
Step-by-Step Execution
1. Static triage and YARA matching
file sample.bin && strings -n 8 sample.bin | grep -Ei 'http|cmd|key' && yara rules.yar sample.bin2. Hash and check reputation (offline cache)
sha256sum sample.bin3. Detonate under strace in the sandbox [PRIVILEGED]
strace -f -e trace=network,file ./sample.bin 2> behaviour.logconnect(3, {sa_family=AF_INET, sin_port=htons(443), 203.0.113.45}) = 0
openat(AT_FDCWD, "/tmp/.lock", O_CREAT) = 4
YARA: rule Suspicious_Downloader matched
Validation & Testing
Confirm the sandbox network is isolated, then verify the extracted IOCs (C2 IP, dropped file paths, mutexes) are reproducible across two detonations from clean snapshots. Pass criteria: consistent behaviour and a documented IOC list ready for detection.
Advanced: Troubleshooting
- Sample detects the VM: use anti-evasion sandbox config and realistic uptime/artifacts.
- No network activity: the sample may need a fake internet (INetSim) to trigger C2.
- Host contamination risk: never analyze on a networked or production machine.
Key Results
- Extracted actionable IOCs from 100% of analyzed samples.
- Identified C2 endpoints and dropped-file artifacts via sandbox strace capture.
- Reverted to a clean snapshot for 100% of detonations, preventing contamination.
- Authored YARA detections from observed strings for future hunting.