MALWARE TRIAGE & STATIC ANALYSIS
NETWORK SECURITY — EXPERT REVERSE ENGINEERING LAB
PE HEADER · IMPORTS · STRINGS · ENTROPY · YARA · IOC EXTRACTION
Loading sample: svch0st.exe (SHA256: 4a8a08f0...)

OBJECTIVES

Inspect file metadata and AV results
Identify PE header anomalies
Analyse high-entropy sections (packing)
Find process injection APIs in imports
Extract C2 IOCs from strings
Identify the persistence mechanism
Write a YARA detection rule
Submit the malware report
PHASE 1 — FILE TRIAGE
MISSION BRIEF
EXPERT — STATIC MALWARE ANALYSIS

MALWARE TRIAGE

SAMPLE: svch0st.exe — Submitted by EDR (WKSTN-016)

SCENARIO

The EDR on WKSTN-016 flagged a suspicious binary: svch0st.exe running from AppData\Local\Temp\. The binary is suspected malware. Perform static analysis — do NOT execute the sample. Extract all possible indicators and write a YARA detection rule.

STATIC ANALYSIS WORKFLOW

  • File Info — hash, PE header, AV results, entropy
  • Import Table — what APIs does it call? Injection? Crypto? Network?
  • Strings — URLs, IPs, domains, registry keys, mutex names
  • Hex Viewer — inspect raw bytes, look for embedded artifacts
  • YARA Editor — write detection rule from IOCs

STATIC vs DYNAMIC

Static analysis examines a binary without running it, so the sample never executes. Dynamic analysis (sandboxing, debugging) runs the sample in a controlled environment. This lab covers static analysis only.

FILE INFO — svch0st.exe
IMPORT TABLE — svch0st.exe
STRINGS — svch0st.exe (847 strings)
HEX VIEWER — svch0st.exe
Key offsets: 0x00 (MZ header), 0x3C (PE header offset), 0x1000 (.text), 0x5000 (.packed)
YARA RULE EDITOR
REFERENCE — STATIC ANALYSIS
PE HEADER ANOMALIES
Compile timestamp in the future or very old (1970, 1992)
Subsystem mismatch — GUI binary acting as console app
Section names not matching content (e.g. .text with no code)
Very few imports — packed/obfuscated binary
Overlay data after last section — embedded payload
Entry point not in .text section
ENTROPY
Shannon entropy measures how random a byte sequence is. Range 0-8 (bits per byte).

0-4: Plaintext / code (low entropy)
5-6: Compressed / mixed
6.5-7: Likely compressed
7+: Encrypted or packed — strong indicator of obfuscation

Legitimate .text sections: 5.0-6.5
Encrypted payloads: 7.5-8.0
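The entropy bands above, applied per PE section, as an added example that is not part of the lab's own tooling. The section names and bytes are constructed here (deterministic pseudo-random data), not read from svch0st.exe; the 7.0 packed threshold and the band boundaries are the ones the reference lists.

```python
import math
from collections import Counter
from random import Random

# Threshold from the reference: 7+ bits/byte = encrypted or packed.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_entropy(h: float) -> str:
    """Map an entropy value onto the bands listed in the reference."""
    if h >= 7.0:
        return "encrypted/packed"
    if h >= 6.5:
        return "likely compressed"
    if h >= 5.0:
        return "compressed/mixed"
    return "plaintext/code"


def triage_sections(sections):
    """sections: list of (name, raw_bytes). Returns one finding per section;
    a section is flagged when its entropy reaches PACKED_THRESHOLD."""
    findings = []
    for name, data in sections:
        h = shannon_entropy(data)
        findings.append({"name": name, "entropy": round(h, 2),
                         "band": classify_entropy(h),
                         "flag": h >= PACKED_THRESHOLD})
    return findings


# Constructed sample sections (hypothetical, not bytes from the lab sample):
#  .rdata  - a repeated DOS-stub string, low entropy
#  .text   - 64 distinct byte values drawn uniformly, code-like mid entropy
#  .packed - all 256 byte values drawn uniformly, looks encrypted/packed
_rng = Random(2024)
SAMPLE_SECTIONS = [
    (".rdata", b"This program cannot be run in DOS mode.\r\n" * 100),
    (".text", bytes(_rng.choices(range(64), k=4096))),
    (".packed", bytes(_rng.choices(range(256), k=4096))),
]

if __name__ == "__main__":
    for f in triage_sections(SAMPLE_SECTIONS):
        mark = "PACKED?" if f["flag"] else ""
        print(f"{f['name']:8} {f['entropy']:5.2f}  {f['band']:18} {mark}")
```

On a real PE, feed each section's raw bytes (RawSize from the section header) to triage_sections; a section that lands in the 7+ band alongside a tiny import table is the packing signature the reference describes.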
SUSPICIOUS IMPORTS
// Process Injection
VirtualAlloc / VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
OpenProcess / NtOpenProcess

// Anti-analysis
IsDebuggerPresent
CheckRemoteDebuggerPresent
GetTickCount (timing)

// Network
WSAStartup / connect / send
InternetOpenA / HttpSendRequest

// Crypto
CryptAcquireContext
BCryptEncrypt
YARA TIPS
Use strings unique to this malware family
Add filesize condition to reduce FPs
Check the PE magic (MZ header): uint16(0) == 0x5A4D
Combine 2-3 strings with AND for precision
Use hex patterns for binary sequences
Use the nocase modifier for case-insensitive string matches
MALWARE ANALYSIS REPORT
STATIC ANALYSIS FINDINGS