Malware Analysis¶
This guide provides comprehensive examples for analyzing malware with friTap, covering C&C communications, data exfiltration, and advanced persistent threats (APTs).
Safety Notice
Always analyze malware in isolated environments (VMs, sandboxes) with no network access to production systems. Use test networks and proper containment procedures.
Malware Analysis Setup¶
Isolated Environment¶
Virtual Machine Setup:
# Create isolated VM network
# Disable internet access or use honeypot network
# Install friTap in VM
pip install fritap
# Verify isolation
ping 8.8.8.8 # Should fail or route to honeypot
Container Analysis:
# Docker isolation
docker run -it --network none --name malware-analysis ubuntu:latest
docker exec -it malware-analysis bash
# Install friTap and analyze malware
Network Monitoring Setup¶
Capture All Network Traffic:
# Start network capture before malware execution
tcpdump -i any -w network_baseline.pcap &
TCPDUMP_PID=$!
# Run friTap analysis
fritap -k malware_keys.log --pcap malware_traffic.pcap ./malware_sample
# Stop network capture
kill $TCPDUMP_PID
C&C Communication Analysis¶
Basic C&C Analysis¶
Capture C&C Communications:
# Comprehensive malware analysis with JSON metadata
fritap -k cc_keys.log --pcap cc_traffic.pcap --json cc_metadata.json ./malware_sample
# Monitor for typical C&C patterns
tcpdump -r cc_traffic.pcap -A | grep -E "(POST|GET|PUT)" | head -20
# Analyze JSON metadata for connection patterns
cat cc_metadata.json | jq '.connections[] | select(.dst_port == 443) | .dst_addr' | sort | uniq
C&C Traffic Patterns:
# Look for beaconing behavior
tcpdump -r cc_traffic.pcap -t | awk '{print $1, $3, $5}' | sort | uniq -c
# Check for encrypted C&C
tcpdump -r cc_traffic.pcap 'port 443' -A | grep -E "(Host:|User-Agent:)"
Advanced C&C Analysis¶
Multi-Stage Malware:
# Capture initial dropper
fritap -k dropper_keys.log --pcap dropper_traffic.pcap ./dropper.exe
# Enable spawn gating for downloaded payloads
fritap --enable_spawn_gating -k all_keys.log --pcap all_traffic.pcap ./dropper.exe
Domain Generation Algorithm (DGA) Detection:
# Extract DNS queries from traffic
tcpdump -r malware_traffic.pcap 'port 53' -A | grep -E "\.com|\.net|\.org"
# Look for algorithmically generated domains
tcpdump -r malware_traffic.pcap 'port 53' -A | grep -E "[a-z]{20,}\.com"
Data Exfiltration Analysis¶
Credential Harvesting¶
Banking Trojan Analysis:
# Analyze banking trojan with comprehensive logging
fritap -k banking_keys.log --pcap banking_traffic.pcap --json banking_analysis.json ./banking_trojan.exe
# Search for financial data patterns
tcpdump -r banking_traffic.pcap -A | grep -iE "(password|login|account|balance)"
# Analyze connection metadata
cat banking_analysis.json | jq '.connections[] | select(.data_length > 100) | {dst_addr, dst_port, timestamp}'
Browser Credential Theft:
# Monitor browser data access with metadata collection
fritap --enable_spawn_gating -k browser_keys.log --pcap browser_traffic.pcap --json browser_theft.json ./browser_stealer.exe
# Look for stolen credentials in traffic
tcpdump -r browser_traffic.pcap -A | grep -E "(username|password|cookie)"
# Analyze exfiltration patterns from JSON
cat browser_theft.json | jq '.statistics.total_bytes_captured, .connections | length'
Data Exfiltration Patterns¶
File Upload Detection:
# Monitor for file uploads
tcpdump -r malware_traffic.pcap 'port 80 or port 443' -A | grep -E "(Content-Type: multipart|boundary=)"
# Extract uploaded filenames
tcpdump -r malware_traffic.pcap -A | grep -E "(filename=|Content-Disposition:)"
Database Exfiltration:
# Look for database connection strings
tcpdump -r malware_traffic.pcap -A | grep -iE "(SELECT|INSERT|UPDATE|DELETE)"
# Monitor for SQL injection attempts
tcpdump -r malware_traffic.pcap -A | grep -E "(UNION|SELECT|DROP|INSERT)"
Ransomware Analysis¶
Ransomware Communication¶
Ransomware C&C Analysis:
# Analyze ransomware communications with session tracking
fritap -k ransomware_keys.log --pcap ransomware_traffic.pcap --json ransomware_analysis.json ./ransomware.exe
# Look for key exchange communications
tcpdump -r ransomware_traffic.pcap -A | grep -E "(key|encrypt|ransom)"
# Extract C&C server information
cat ransomware_analysis.json | jq '.connections[] | .dst_addr' | sort | uniq
Payment Infrastructure:
# Monitor cryptocurrency communications
tcpdump -r ransomware_traffic.pcap -A | grep -iE "(bitcoin|btc|cryptocurrency|wallet)"
# Look for payment gateway communications
tcpdump -r ransomware_traffic.pcap 'port 443' -A | grep -iE "(payment|gateway|transaction)"
File Encryption Monitoring¶
Encryption Activity:
# Monitor file system access during encryption
fritap --enable_spawn_gating -k encryption_keys.log --pcap encryption_traffic.pcap ./ransomware.exe
# Check for network-based key storage
tcpdump -r encryption_traffic.pcap -A | grep -E "(encrypt|decrypt|key|cipher)"
APT Analysis¶
Advanced Persistent Threat Tactics¶
Initial Access Analysis:
# Analyze spear-phishing payload with timeline tracking
fritap -k apt_keys.log --pcap apt_traffic.pcap --json apt_timeline.json ./phishing_payload.exe
# Look for initial C&C beaconing
tcpdump -r apt_traffic.pcap -t | head -50
# Analyze initial contact timeline
cat apt_timeline.json | jq '.connections[] | {timestamp, dst_addr, dst_port}' | head -10
Lateral Movement Detection:
# Monitor for lateral movement attempts
fritap --enable_spawn_gating -k lateral_keys.log --pcap lateral_traffic.pcap ./apt_tool.exe
# Check for internal network scanning
tcpdump -r lateral_traffic.pcap 'icmp or port 22 or port 3389'
Living-off-the-Land Analysis¶
PowerShell-based Attacks:
# Analyze PowerShell-based malware with detailed logging
fritap -k powershell_keys.log --pcap powershell_traffic.pcap --json powershell_analysis.json powershell.exe -File malicious_script.ps1
# Look for encoded commands
tcpdump -r powershell_traffic.pcap -A | grep -E "(FromBase64String|EncodedCommand)"
# Check for command execution patterns
cat powershell_analysis.json | jq '.connections[] | select(.data_length > 500)'
WMI-based Attacks:
# Monitor WMI-based persistence
fritap --enable_spawn_gating -k wmi_keys.log --pcap wmi_traffic.pcap ./wmi_backdoor.exe
# Check for WMI network communications
tcpdump -r wmi_traffic.pcap 'port 135 or port 445'
Mobile Malware Analysis¶
Android Malware¶
Mobile Banking Trojan:
# Analyze Android banking malware with comprehensive tracking
fritap -m -k android_malware_keys.log --pcap android_malware_traffic.pcap --json android_banking.json com.malware.banking
# Look for SMS interception
tcpdump -r android_malware_traffic.pcap -A | grep -iE "(sms|message|text)"
# Analyze mobile communication patterns
cat android_banking.json | jq '.connections[] | select(.dst_port != 443) | {dst_addr, dst_port}'
Android Spyware:
# Monitor spyware communications
fritap -m --enable_spawn_gating -k spyware_keys.log --pcap spyware_traffic.pcap com.malware.spy
# Check for data exfiltration
tcpdump -r spyware_traffic.pcap -A | grep -iE "(location|contact|call|photo)"
iOS Malware¶
iOS Malware Analysis:
# Analyze iOS malware (requires jailbreak)
fritap -m -k ios_malware_keys.log --pcap ios_malware_traffic.pcap com.malware.ios
# Monitor for certificate abuse
tcpdump -r ios_malware_traffic.pcap 'port 443' -A | grep -E "(certificate|cert|ssl)"
Cryptocurrency Mining Malware¶
Cryptojacking Analysis¶
Mining Pool Communication:
# Analyze cryptocurrency miner with pool tracking
fritap -k mining_keys.log --pcap mining_traffic.pcap --json mining_analysis.json ./cryptominer.exe
# Look for mining pool connections
tcpdump -r mining_traffic.pcap | grep -E "(stratum|pool|mining)"
# Extract mining pool IPs and statistics
cat mining_analysis.json | jq '.connections[] | select(.dst_port == 4444 or .dst_port == 14444) | .dst_addr'
Resource Consumption:
# Monitor system resource usage
fritap -k miner_keys.log --pcap miner_traffic.pcap ./miner.exe &
FRITAP_PID=$!
# Monitor CPU/memory usage
watch -n 1 "ps -p $FRITAP_PID -o pid,ppid,cmd,%mem,%cpu"
Advanced Analysis Techniques¶
Behavioral Analysis¶
Dynamic Analysis Integration:
# Combine with behavioral analysis
fritap -k behavior_keys.log --pcap behavior_traffic.pcap ./malware.exe &
FRITAP_PID=$!
# Monitor file system changes
inotifywait -m -r --format '%w%f %e' /tmp /var/tmp &
INOTIFY_PID=$!
# Stop monitoring
kill $FRITAP_PID $INOTIFY_PID
Anti-Analysis Evasion¶
Packed Malware:
# Analyze packed malware
fritap --enable_spawn_gating -k packed_keys.log --pcap packed_traffic.pcap ./packed_malware.exe
# Monitor for unpacking behavior
tcpdump -r packed_traffic.pcap -A | grep -E "(unpack|decode|decrypt)"
Anti-VM Detection:
# Bypass VM detection
fritap --enable-anti-detection -k vm_keys.log --pcap vm_traffic.pcap ./vm_aware_malware.exe
# Check for VM detection attempts
tcpdump -r vm_traffic.pcap -A | grep -iE "(vmware|virtualbox|qemu|hyperv)"
Malware Family Analysis¶
Family-Specific Analysis¶
Emotet Analysis:
# Emotet-specific patterns
fritap -k emotet_keys.log --pcap emotet_traffic.pcap ./emotet_sample.exe
# Look for Emotet C&C patterns
tcpdump -r emotet_traffic.pcap -A | grep -E "(POST.*HTTP/1\.[01])" | head -10
TrickBot Analysis:
# TrickBot banking module
fritap --enable_spawn_gating -k trickbot_keys.log --pcap trickbot_traffic.pcap ./trickbot.exe
# Monitor for web injection attempts
tcpdump -r trickbot_traffic.pcap -A | grep -iE "(inject|webinject|banking)"
RAT Analysis¶
Remote Access Trojan:
# Analyze RAT communications
fritap -k rat_keys.log --pcap rat_traffic.pcap ./rat_client.exe
# Look for remote control commands
tcpdump -r rat_traffic.pcap -A | grep -E "(cmd|command|execute|shell)"
Automated Malware Analysis¶
Analysis Pipeline¶
#!/bin/bash
# Automated malware analysis pipeline
MALWARE_SAMPLE="$1"
OUTPUT_DIR="malware_analysis_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"
cd "$OUTPUT_DIR"
echo "Starting malware analysis of $MALWARE_SAMPLE"
# System baseline
ps aux > baseline_processes.txt
netstat -an > baseline_network.txt
# Start network capture
tcpdump -i any -w network_capture.pcap &
TCPDUMP_PID=$!
# friTap analysis with comprehensive logging
fritap -k malware_keys.log \
--pcap malware_traffic.pcap \
--json malware_metadata.json \
-v "$MALWARE_SAMPLE" 2>&1 | tee malware_analysis.log
# Stop network capture
kill $TCPDUMP_PID
# Post-analysis comparison
ps aux > post_processes.txt
netstat -an > post_network.txt
# Generate analysis report
echo "Malware Analysis Report" > analysis_report.txt
echo "Sample: $MALWARE_SAMPLE" >> analysis_report.txt
echo "Date: $(date)" >> analysis_report.txt
echo "TLS Keys: $(grep -c CLIENT_RANDOM malware_keys.log)" >> analysis_report.txt
echo "Network Connections: $(tcpdump -r malware_traffic.pcap | wc -l)" >> analysis_report.txt
echo "SSL Sessions: $(cat malware_metadata.json | jq '.statistics.total_connections')" >> analysis_report.txt
echo "Total Bytes: $(cat malware_metadata.json | jq '.statistics.total_bytes_captured')" >> analysis_report.txt
echo "Analysis complete. Results in $OUTPUT_DIR"
IOC Extraction¶
#!/bin/bash
# Extract Indicators of Compromise
PCAP_FILE="$1"
OUTPUT_FILE="iocs.txt"
echo "Extracting IOCs from $PCAP_FILE"
# Extract IP addresses
tcpdump -r "$PCAP_FILE" -n | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" | sort -u > ips.txt
# Extract domains
tcpdump -r "$PCAP_FILE" -A | grep -oE "\b[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b" | sort -u > domains.txt
# Extract URLs
tcpdump -r "$PCAP_FILE" -A | grep -oE "https?://[^\s]+" | sort -u > urls.txt
# Extract file hashes (if present in traffic)
tcpdump -r "$PCAP_FILE" -A | grep -oE "\b[a-f0-9]{32}\b" | sort -u > md5_hashes.txt
tcpdump -r "$PCAP_FILE" -A | grep -oE "\b[a-f0-9]{40}\b" | sort -u > sha1_hashes.txt
# Combine all IOCs
{
echo "# IP Addresses"
cat ips.txt
echo -e "\n# Domains"
cat domains.txt
echo -e "\n# URLs"
cat urls.txt
echo -e "\n# MD5 Hashes"
cat md5_hashes.txt
echo -e "\n# SHA1 Hashes"
cat sha1_hashes.txt
} > "$OUTPUT_FILE"
echo "IOCs extracted to $OUTPUT_FILE"
Threat Intelligence Integration¶
IOC Matching¶
# Check extracted IOCs against threat intelligence
#!/bin/bash
IOC_FILE="$1"
TI_FEED="$2"
echo "Matching IOCs against threat intelligence"
# Match IP addresses
grep -f <(grep -E "^[0-9]+\." "$IOC_FILE") "$TI_FEED" > matched_ips.txt
# Match domains
grep -f <(grep -E "\.[a-zA-Z]{2,}$" "$IOC_FILE") "$TI_FEED" > matched_domains.txt
echo "Matches found:"
echo "IPs: $(wc -l < matched_ips.txt)"
echo "Domains: $(wc -l < matched_domains.txt)"
Best Practices¶
1. Isolation and Containment¶
# Always use isolated environments
# Disable network access to production systems
# Use honeypots for network analysis
# Document all analysis activities
2. Comprehensive Data Collection¶
# Collect multiple data sources with JSON metadata
fritap -k keys.log --pcap traffic.pcap --json metadata.json malware.exe
tcpdump -i any -w full_network.pcap &
strace -f -o syscalls.txt malware.exe
# Analyze collected JSON data
cat metadata.json | jq '.session_info, .statistics'
3. Timeline Analysis¶
# Correlate events across time
grep -E "^\[.*\]" malware_analysis.log | sort
tcpdump -r malware_traffic.pcap -t | sort
4. Evidence Preservation¶
# Create forensic images
md5sum malware.exe > evidence.md5
sha256sum malware.exe > evidence.sha256
tar -czf evidence.tar.gz malware_analysis_*
Safety Considerations¶
Environment Security¶
- Use air-gapped networks
- Implement proper containment
- Regular VM snapshots
- Network traffic monitoring
Legal and Ethical¶
- Obtain proper authorization
- Follow responsible disclosure
- Document analysis procedures
- Maintain chain of custody
Next Steps¶
- Advanced Features: Learn about Pattern-based Hooking
- Automation: Explore Python API for automated analysis
- Incident Response: Use
-lflag for live analysis and real-time monitoring - Platform-Specific: Review Platform Guides for OS-specific analysis