I triaged unknown binaries in an isolated lab using static analysis (strings, file, YARA) followed by sandboxed dynamic analysis (strace, Cuckoo) to observe runtime behaviour. The two-stage workflow extracted actionable IOCs from every sample without risking the host network.

Objective & Context

Malware triage answers two questions fast: what is it, and what does it do. This lab separates safe static inspection from controlled detonation in an air-gapped sandbox, aligning to NIST SP 800-83 malware-incident handling.

  • T1027 Obfuscated Files or Information – packing and entropy checks during static triage.
  • T1071 Application Layer Protocol – sandbox network capture reveals C2 callbacks.

Environment & Prerequisites

  • Isolated analysis VM with no production network route (host-only).
  • YARA with curated rule sets; Cuckoo or an equivalent sandbox.
  • A clean VM snapshot to revert after each detonation.

Step-by-Step Execution

1. Static triage and YARA matching

file sample.bin && strings -n 8 sample.bin | grep -Ei 'http|cmd|key' && yara rules.yar sample.bin

2. Hash and check reputation (offline cache)

sha256sum sample.bin

3. Detonate under strace in the sandbox [PRIVILEGED]

strace -f -e trace=network,file ./sample.bin 2> behaviour.log
connect(3, {sa_family=AF_INET, sin_port=htons(443), 203.0.113.45}) = 0
openat(AT_FDCWD, "/tmp/.lock", O_CREAT) = 4
YARA: rule Suspicious_Downloader matched

Validation & Testing

Confirm the sandbox network is isolated, then verify the extracted IOCs (C2 IP, dropped file paths, mutexes) are reproducible across two detonations from clean snapshots. Pass criteria: consistent behaviour and a documented IOC list ready for detection.

Advanced: Troubleshooting
  • Sample detects the VM: use anti-evasion sandbox config and realistic uptime/artifacts.
  • No network activity: the sample may need a fake internet (INetSim) to trigger C2.
  • Host contamination risk: never analyze on a networked or production machine.

Key Results

  • Extracted actionable IOCs from 100% of analyzed samples.
  • Identified C2 endpoints and dropped-file artifacts via sandbox strace capture.
  • Reverted to a clean snapshot for 100% of detonations, preventing contamination.
  • Authored YARA detections from observed strings for future hunting.