Malware Analysis: [Malware Name]

Summary / Introduction

[Provide a high-level introduction to the malware and your analysis.]

Malware Overview

• Name: [Malware name or variant]
• Type: [Infostealer, RAT, Crypto Miner, etc.]
• Platform: [Target OS]
• File Type: [PE32 EXE/DLL, script, etc.]
• File Size: [Size in bytes or KB]
• SHA-256: [Hash]
• MD5: [Hash]
• Initial Infection Vector: [e.g., Phishing Email, Exploit Kit]
• Packer/Obfuscation: [e.g., UPX, Custom, None]
• Campaign: [If known]

Static Analysis

• Examine file structure and sections
• Extract strings (e.g., with strings or FLOSS)
• Analyze imported functions/APIs
• Disassemble/decompile with IDA/Ghidra
• Identify obfuscation/encryption/config

Dynamic Analysis

• Execution Behavior: What happens when executed?
• File System Changes: Files created/modified
• Registry Changes: Persistence or config storage
• Network Activity: Domains/IPs, protocols, payloads
• Anti-analysis Behavior: VM checks, debugger evasion

C2 Communication

• Protocol: [HTTP, HTTPS, etc.]
• Domains/IPs: [List of C2 addresses]
• Ports: [e.g., 443]
• Traffic Characteristics: User-Agent, URL path
• Commands Supported: [If applicable]

Persistence Mechanisms

• Registry Run Keys
• Scheduled Tasks
• Services
• Startup Folder
• DLL Hijacking/WMI/Other

Capabilities / Behavior

• Info Stealing
• Keylogging / Clipboard Monitoring
• Remote Access / RAT Features
• Crypto Mining
• File Encryption / Ransomware
• Evasion Techniques

Indicators of Compromise (IoCs)

• File Hashes: SHA-256, MD5
• File Names / Paths
• Registry Keys
• Domains / IPs
• Mutexes / Artifacts

YARA Rules

rule ExampleMalware {
    meta:
        author = "YourName"
        description = "Detects [Malware Name]"
        date = "2025-03-28"
    strings:
        $a = "suspicious_string" ascii
        $b = { E8 ?? ?? ?? ?? 83 C4 04 }
    condition:
        all of them
}