Malware Analysis & Reverse Engineering Cheat Sheet
Cheat sheet for building a local, isolated sandbox for malware analysis and reverse engineering. This concise guide walks you through setting up a Windows 10 VM, installing and configuring FLARE-VM, and applying network isolation best practices. With step-by-step instructions and screenshots, you'll have a secure lab in which to practise malware analysis and improve your reverse-engineering skills.
1. Malware Analysis Process
Behavioural Analysis
Use virtualisation tools for system snapshots:
- Clonezilla
- PXE
- FOG
Monitor local interactions:
- Process Hacker
- Process Monitor
- ProcDOT
- Noriben
Detect system changes:
- RegShot
- Autoruns
Monitor network traffic:
- Wireshark
- Fiddler
Redirect traffic:
- fakedns
- accept-all-ips
Simulate services:
- INetSim
- actual service setup
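fakedns and INetSim work by answering the sample's name lookups themselves, so that every connection attempt lands on a lab host you control instead of leaving the isolated network. The following is an added example, not code from the page or from either tool: a minimal UDP responder that parses a DNS question and answers every A query with a sink-hole address. `SINKHOLE_IP`, the `build_query` helper and the `update.example` name are assumptions made for illustration.

```python
import socket
import struct

SINKHOLE_IP = "10.0.0.1"  # assumption: address of the lab host running INetSim or similar


def parse_question(packet: bytes):
    """Return (transaction_id, qname, qtype, offset just past the question).
    Works on both queries and responses, since both carry the question at offset 12."""
    tid = struct.unpack_from("!H", packet, 0)[0]
    qdcount = struct.unpack_from("!H", packet, 4)[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")  # not expected from a resolver
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack_from("!H", packet, pos)[0]
    return tid, ".".join(labels), qtype, pos + 4


def build_response(query: bytes, ip: str = SINKHOLE_IP, ttl: int = 60) -> bytes:
    """Answer every A query with the sink-hole address; other types get an empty answer."""
    tid, _qname, qtype, qend = parse_question(query)
    is_a = qtype == 1
    flags = 0x8180  # QR=1 (response), RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", tid, flags, 1, 1 if is_a else 0, 0, 0)
    answer = b""
    if is_a:
        # NAME is a pointer (0xC00C) back to the qname at offset 12; TYPE A, CLASS IN, RDLENGTH 4
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:qend] + answer


def build_query(qname: str, tid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed query packet, shaped like one a stub resolver would send."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(part)]) + part.encode("ascii") for part in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def serve(bind_addr: str = "0.0.0.0", port: int = 53):
    """Listen on the isolated adapter and answer everything with the sink-hole."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply = build_response(data)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed packet: drop it, the sample can retry
        print(f"{peer[0]} asked for {parse_question(data)[1]} -> {SINKHOLE_IP}")
        sock.sendto(reply, peer)


if __name__ == "__main__":
    serve()
```

Point the VM's DNS server at the host running `serve()` on the host-only network; the printed lines double as a log of every domain the sample tried to resolve, which is often the first useful IoC out of a run.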
Ghidra for Static Code Analysis
| Action | Shortcut |
|---|---|
| Go to location | g |
| Show references | Ctrl+Shift+F |
| Insert comment | ; |
| Follow jump or call | Enter |
| Previous/Next location | Alt+Left / Alt+Right |
| Undo | Ctrl+Z |
| Define data type | t |
| Add bookmark | Ctrl+D |
| Text search | Ctrl+Shift+E |
| Add/edit label | l |
| Disassemble | d |
x64dbg/x32dbg for Dynamic Code Analysis
| Action | Shortcut |
|---|---|
| Run code | F9 |
| Step into / over | F7 / F8 |
| Execute until instruction | F4 |
| Execute until return | Ctrl+F9 |
| Previous/Next location | - / + |
| Return to previous view | * |
| Go to expression | Ctrl+G |
| Comment / Label | ; / : |
| Show current function graph | g |
| Set breakpoint (instruction/API) | F2 / SetBPX APIName |
| Highlight occurrences | h |
| Assemble instruction | Spacebar |
| Edit data in memory | Ctrl+E |
| Extract API call references | Right-click → Search for → Current module → Intermodular calls |
Unpacking Malicious Code
Detect packing:
- Detect It Easy (DIE)
- Exeinfo PE
- Bytehist
- peframe
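The packer detectors above mostly lean on two signals from the PE section table: an executable section whose bytes have near-maximal entropy (compressed or encrypted code), and a section that is empty on disk but large in memory (where the stub will write the unpacked code). The following is an added example using only the standard library, not code from the page or from any of those tools; the minimal PE it builds, the section names and the 7.0 entropy threshold are constructed assumptions.

```python
import hashlib
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
ENTROPY_THRESHOLD = 7.0  # assumption: usual cut-off above which data looks compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk the PE section table and return name, sizes, execute flag and entropy per section."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, off + 8)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        data = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "entropy": round(shannon_entropy(data), 2)})
    return sections


def packing_indicators(image: bytes):
    """Reasons to suspect a packer; an empty list means neither heuristic fired."""
    reasons = []
    for s in pe_sections(image):
        if s["executable"] and s["entropy"] >= ENTROPY_THRESHOLD:
            reasons.append(f"{s['name']}: executable section with entropy {s['entropy']}")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: empty on disk but {s['virtual_size']:#x} bytes in memory "
                           "(room for the unpacked code)")
    return reasons


def build_sample_pe(sections):
    """Constructed minimal PE (DOS header, COFF header with no optional header, section table,
    raw data). `sections` is a list of (name, raw_bytes, virtual_size, characteristics)."""
    table_off = 0x40 + 4 + 20
    data_ptr = table_off + 40 * len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table, blobs = b"", b""
    for name, raw, vsize, chars in sections:
        table += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, len(raw), data_ptr if raw else 0, 0, 0, 0, 0, chars)
        blobs += raw
        data_ptr += len(raw)
    return dos + b"PE\0\0" + coff + table + blobs


# constructed samples: 4 KiB of hash output stands in for a compressed/encrypted payload,
# a short repeating instruction pattern stands in for ordinary code
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PLAIN_CODE = b"\x55\x8b\xec\x83\xec\x10\x33\xc0\xc9\xc3" * 400
PACKED_SAMPLE = build_sample_pe([("UPX0", b"", 0x20000, IMAGE_SCN_MEM_EXECUTE),
                                 ("UPX1", PSEUDO_RANDOM, 0x1000, IMAGE_SCN_MEM_EXECUTE)])
CLEAN_SAMPLE = build_sample_pe([(".text", PLAIN_CODE, 0x1000, IMAGE_SCN_MEM_EXECUTE),
                                (".data", b"\0" * 512, 0x200, 0)])

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_SAMPLE
    for s in pe_sections(image):
        print(f"{s['name']:<8} raw={s['raw_size']:#x} virt={s['virtual_size']:#x} "
              f"exec={s['executable']} entropy={s['entropy']}")
    print("\n".join(packing_indicators(image)) or "no packing indicators")
```

Run it against a real file with `python pe_entropy.py sample.exe` (name assumed). High entropy alone is not proof of packing, since resource sections holding images or certificates score high too, which is why the check is restricted to executable sections and paired with the raw-versus-virtual size mismatch.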
Precise unpack:
- Find the OEP (Original Entry Point) via the debugger
- Use OllyDumpEx
- Set breakpoints on APIs: LoadLibrary, VirtualAlloc
- Use memory breakpoints at stack entry
Rebuild the dumped file:
- Scylla
- pe_unmapper
Bypassing Other Analysis Defences
Decode obfuscated strings:
- FLOSS
- xorsearch
- Balbuzard
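xorsearch recovers strings hidden behind a single-byte XOR by trying all 256 keys and reporting the ones under which a known plaintext (a URL scheme, a well-known PE string) becomes visible. The following is an added example of that idea, not code from the page or from xorsearch itself; the needle list, the key 0x5A and the encoded blob are constructed for the demonstration.

```python
KNOWN_PLAINTEXTS = [b"http://", b"https://", b"This program", b"kernel32"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def xorsearch(blob: bytes, needles=KNOWN_PLAINTEXTS, skip_zero: bool = True):
    """Try every key and return {key: [(offset, needle), ...]} for keys that expose a needle.
    Key 0 just means 'already plaintext', so it is skipped unless asked for."""
    hits = {}
    for key in range(1 if skip_zero else 0, 256):
        decoded = xor_bytes(blob, key)
        found = []
        for needle in needles:
            start = 0
            while (idx := decoded.find(needle, start)) != -1:
                found.append((idx, needle))
                start = idx + 1
        if found:
            hits[key] = found
    return hits


def extract_string(blob: bytes, key: int, offset: int, max_len: int = 256) -> str:
    """Decode the printable ASCII run that starts at offset under the given key."""
    out = bytearray()
    for b in blob[offset:offset + max_len]:
        c = b ^ key
        if 0x20 <= c < 0x7F:
            out.append(c)
        else:
            break
    return out.decode("ascii")


# constructed blob: 16 bytes of filler, a URL encoded with key 0x5A, then padding
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = (b"\x00\x11\x22\x33" * 4
               + xor_bytes(b"http://config.example/update.bin\x00", SAMPLE_KEY)
               + b"\xff" * 8)

if __name__ == "__main__":
    for key, found in sorted(xorsearch(SAMPLE_BLOB).items()):
        for offset, needle in found:
            print(f"key {key:#04x} offset {offset:#06x}: {extract_string(SAMPLE_BLOB, key, offset)}")
```

The brute force is cheap (256 passes over the file), so on a real sample feed it the whole binary and extend `KNOWN_PLAINTEXTS` with strings you expect the author to have hidden, such as the names of the APIs resolved at runtime.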
Hide analysis tools:
- ScyllaHide plugin for x64dbg
Watch for tricky control flows:
- TLS
- SEH
- RET
- CALL
Analyse shellcode:
- scdbg
- runsc
Disable ASLR:
- setdllcharacteristics
- CFF Explorer
2. Analyzing Malicious Documents
Microsoft Office Format Notes
- OLE2 format (.doc, .xls, etc.)
- OOXML format (.docx, .xlsm, etc.)
- XLM macros: Excel formula-based macros, possible even without a binary OLE2 stream.
- RTF: no macros, but supports embedded malicious objects.
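Because the extension on disk proves nothing, the first step with a suspicious document is to classify the container by its leading bytes and then list the parts that can carry code: a VBA project, an XLM macro sheet, or an embedded object inside an OOXML zip. The following is an added example of that triage, not code from the page; the three in-memory documents it builds, their content types and the OLE2/RTF hints are constructed for the demonstration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound file header
ZIP_MAGIC = b"PK\x03\x04"


def container_type(data: bytes) -> str:
    """Classify by leading bytes; the extension on disk is not trusted."""
    if data.startswith(OLE2_MAGIC):
        return "OLE2"
    if data.startswith(ZIP_MAGIC):
        return "OOXML"
    if data.lstrip().startswith(b"{\\rtf"):
        return "RTF"
    return "unknown"


def ooxml_indicators(data: bytes):
    """Parts inside an OOXML package that can carry code or objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        for n in names:
            low = n.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(f"VBA project: {n}")
            elif "/macrosheets/" in low:
                findings.append(f"XLM macro sheet: {n}")
            elif "/embeddings/" in low:
                findings.append(f"embedded object: {n}")
        if "[Content_Types].xml" in names:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
            if "macroEnabled" in types:
                findings.append("content types declare a macro-enabled document")
    return findings


def triage(data: bytes):
    """Return (container type, findings) for one document blob."""
    kind = container_type(data)
    if kind == "OOXML":
        return kind, ooxml_indicators(data)
    if kind == "OLE2":
        return kind, ["binary container: inspect its streams for VBA or XLM (e.g. with olevba)"]
    if kind == "RTF":
        return kind, ["no macros possible; look for \\object and \\objdata embedded objects"]
    return kind, []


def build_ooxml(parts: dict) -> bytes:
    """Constructed package: a zip with the given part names and contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


def content_types(part: str, ctype: str) -> str:
    return f'<Types><Override PartName="{part}" ContentType="{ctype}"/></Types>'


# constructed samples (not real documents): a plain .docx, a .docm with a VBA project,
# and a .xlsm carrying an XLM macro sheet
WORD_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO = "application/vnd.ms-word.document.macroEnabled.main+xml"
EXCEL_MACRO = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"

BENIGN_DOCX = build_ooxml({"[Content_Types].xml": content_types("/word/document.xml", WORD_MAIN),
                           "word/document.xml": "<w:document/>"})
MACRO_DOCM = build_ooxml({"[Content_Types].xml": content_types("/word/document.xml", WORD_MACRO),
                          "word/document.xml": "<w:document/>",
                          "word/vbaProject.bin": OLE2_MAGIC + b"\0" * 24})
XLM_XLSM = build_ooxml({"[Content_Types].xml": content_types("/xl/workbook.xml", EXCEL_MACRO),
                        "xl/workbook.xml": "<workbook/>",
                        "xl/macrosheets/sheet1.xml": "<xm:macrosheet/>"})

if __name__ == "__main__":
    for label, blob in [("benign.docx", BENIGN_DOCX), ("macro.docm", MACRO_DOCM), ("xlm.xlsm", XLM_XLSM)]:
        kind, findings = triage(blob)
        print(label, kind, findings or "no indicators")
```

A file that classifies as OLE2 but was delivered as `.docx`, or as OOXML with a `vbaProject.bin` despite a `.docx` extension, is exactly the mismatch this check is meant to surface before the document is opened anywhere.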
Risky Windows API Calls
| Behaviour | APIs |
|---|---|
| Code injection | CreateRemoteThread, WriteProcessMemory |
| DLL loading | LoadLibrary, GetProcAddress |
| Data theft | GetClipboardData, GetWindowText |
| Keylogging | GetAsyncKeyState, SetWindowsHookEx |
| Self-injection | VirtualAlloc, VirtualProtect |
| Execution | CreateProcess, WinExec |
| Web traffic | InternetOpen, HttpSendRequest |
3. Get Started with Sandbox
Windows Malware Sandbox with FLARE
- Use your own virtual machine platform, such as VirtualBox or VMware
- Use Windows 10 from the official website: Windows ISO Download Link
- Disable Windows Update: go to services.msc and disable the Windows Update service
- Disable Windows Defender: go to gpedit.msc, then Administrative Templates -> Windows Components -> Windows Defender Antivirus (named Microsoft Defender Antivirus on newer builds) -> Real-time Protection, and enable "Turn off real-time protection". Apply the same setting under the Microsoft Defender Antivirus node. Don't forget to reboot!
- Show hidden files and folders
- Create a snapshot
FLARE-VM is a purpose-built virtual machine created & maintained by FireEye, a cybersecurity company. It comes pre-configured with a variety of tools, software, and scripts commonly used for malware analysis and reverse engineering tasks. These tools include disassemblers, debuggers, memory analysis tools, and various utilities for analyzing and dissecting malware samples.
- Download the Chrome browser for a smoother experience
- Download and install FLARE-VM from the GitHub repo, or use the repo's install.ps1 script for the fastest setup
- Before you run install.ps1, read the documentation carefully, in particular the steps that unblock the script and relax the execution policy:
  `Unblock-File .\install.ps1`
  `Set-ExecutionPolicy Unrestricted -Force`
  Then execute the installer: `.\install.ps1`
- Change the network adapter to Host-Only 🖥️
Linux Malware Sandbox with REMnux
- Install REMnux in a VM, on a dedicated system, or on an existing distro
- Documentation
- Keep it updated with `remnux upgrade` and `remnux update`
- Use Docker-based tools
- Default login: remnux/malware
- Use Docker containers for analysis:
  1. remnux/thug
  2. remnux/jsdetox
  3. remnux/retdec
  4. remnux/viper
  5. remnux/radare2