Practice with national-level exam (FACT, FACT Plus, NET, CUET, etc.) mocks, learn from structured notes, and get your doubts solved in one place.
PE headers, ImpHash, YARA, Cuckoo and Any.Run, Volatility 3 and MemProcFS, IoCs and persistence, walked through the AIIMS Delhi ransomware incident and CERT-In's malware advisory workflow.
The AIIMS Delhi ransomware incident of November 2022 took five of the hospital's main servers offline for nearly two weeks, disrupted patient registration and laboratory reporting for a flagship public hospital, and pulled in CERT-In, NIA, Delhi Police and the Indian Cyber Crime Coordination Centre at once. The publicly attributed family was a BlackCat/ALPHV variant, and a recurring observation in the after-action notes was that the affected systems had not been imaged in a way that preserved volatile state, so the malware-forensic team rebuilt the timeline from disk artefacts and backup metadata rather than from a clean memory image of the running infection. That gap is the practical reason this topic exists: the malware-forensic playbook has to be rehearsed before the incident, not assembled during it.
Malware forensics is four disciplines stitched together. Static analysis reads the binary without running it: PE headers, imports, strings, hashes, YARA matches. Dynamic analysis runs the binary in an instrumented host and watches behaviour: process tree, registry writes, network beacons, dropped files. Sandbox analysis runs the same exercise inside an isolated VM with telemetry baked in (Cuckoo, Any.Run, Joe Sandbox, Triage). Memory analysis reconstructs the state of an already-infected machine from a RAM image with Volatility 3 or MemProcFS, often catching what disk and sandbox both miss (injected code, hollowed processes, fileless payloads). This topic walks each discipline with Indian context, the tool versions in current use at CFSL Hyderabad and NFSU, and the CERT-In advisory and reporting workflow that the analysis feeds into.
Naming a sample correctly halves the rest of the work.
A malware sample is rarely a single category. A modern banker is also a dropper, a downloader, a credential-stealer and often a coin-miner in a fallback branch. The taxonomy below is still useful because it pins the primary behaviour the analyst should look for first.
| Family | Primary behaviour | Persistence tendency | Indian-case examples |
|---|---|---|---|
| Virus | Infects host files; spreads by file copy. | Patches existing binaries. | Largely historical; some classic Indian college-network outbreaks (2000s). |
| Worm | Self-propagating across networks. | Service or scheduled task on each new host. | WannaCry impact on Indian state agencies in 2017; Conficker in the late 2000s. |
| Trojan | Pretends to be benign; delivers payload. | Run key or service after first execution. | Bundle of cracked software from Indian forums; banking-app lookalikes on third-party Android stores. |
| Ransomware | Encrypts files, demands payment. | Service or scheduled task; sometimes none (single-shot detonators). |
Everything you can learn without pressing Run.
Static analysis costs nothing in execution risk. The trade-off is that obfuscated, packed or encrypted samples reveal less; the analyst still gets enough to plan dynamic analysis and to start clustering against known families.
The PE header is the first stop on Windows samples. PEview, PEStudio, CFF Explorer and Detect It Easy (DIE) all parse it. The analyst reads:
Strings extraction is the second stop. The default strings utility prints printable ASCII; strings -e l prints UTF-16LE which Windows malware uses for most user-visible strings. Florian Roth's floss (FireEye Labs Obfuscated String Solver) goes further, deobfuscating stack strings and simple XOR-encoded strings by running the binary symbolically. A high-value strings hit is a C2 domain, a ransom-note template, a debug PDB path that contains an attacker username, or an unusual user-agent.
Hashes are next, in three flavours.
Run it, watch what it touches, write down everything.
Dynamic analysis observes behaviour as the sample executes. The instrumentation stack on a Windows analyst workstation is well-established:
The sandbox sits a tier above the analyst workstation: a fully-isolated VM with snapshot revert, full telemetry, and a controlled network. The current open-source standard is Cuckoo Sandbox (the maintained fork CAPE Sandbox in modern deployments), which orchestrates VM snapshots, drops the sample, runs it for a configured time, collects Procmon-equivalent telemetry, captures a memory image at the end, and writes a single JSON report with file, registry, network and process events.
| Sandbox |
|---|
When the sandbox stops giving you new behaviour, open the binary.
Static and dynamic together answer the surface questions. The deeper questions (what algorithm is the ransomware using to encrypt, what is the format of the C2 protocol, what is the configuration block decoded by stage 2) need disassembly and debugging.
The disassembler choices in Indian labs:
The debugger choices:
Unpacking is the most common reverse-engineering subtask. The simple case is UPX, which has a public unpacker (upx -d). The harder case is custom packers, where the analyst sets a breakpoint at the original entry point of the unpacked code (the standard trick is to break on VirtualAlloc with EXECUTE_READWRITE protection and watch the unpacker write into the allocated region), then dumps the unpacked image and reconstructs the import address table with Scylla. Commercial packers like Themida and VMProtect virtualise the original code into a custom bytecode and present the analyst with a much harder problem; these are normally handled by family-specific scripts and by tracing rather than by unpacking.
The artefact the sandbox writes at the end is also the artefact the live host can give you.
Memory analysis is the only discipline that catches code which never lands on disk. Fileless malware writes its payload directly into another process's address space, and a disk forensic image shows nothing. A RAM image of the running infection shows everything.
Acquisition first. Windows tools: winpmem (Rekall), DumpIt (Comae), Magnet RAM Capture. Each produces a raw memory dump (.raw or .mem) or a Microsoft crash dump (.dmp). The acquisition should be performed from a verified clean tool on removable media; the output should be written to that same removable media to avoid touching the suspect disk. Linux: AVML (Microsoft, AppArmor-aware); LiME (LKM-based, traditional). macOS: OSXPmem (legacy), with modern macOS being harder due to SIP and lacking maintained tools for the latest releases.
Volatility 3 is the current analysis framework. The Python 3 rewrite of the original Volatility, symbol-driven rather than profile-driven. The relevant plugin set:
| Plugin | Question answered | Notable on Indian incidents |
|---|---|---|
| windows.info | Which Windows build, kernel base, DTB. | Confirms the symbol package matches the dump; mismatched symbols silently produce wrong results. |
| windows.pslist | Live processes from EPROCESS active links. | Standard process list; missing the hidden ones by design. |
| windows.pstree |
Findings only matter if they ship in a form other defenders can use.
Indicators of Compromise are the deliverables that travel beyond the original investigation. The accepted IoC types and their canonical formats:
STIX (Structured Threat Information eXpression) is the data model that wraps these into objects (Indicator, Malware, ThreatActor, AttackPattern, Relationship). TAXII (Trusted Automated eXchange of Intelligence Information) is the transport that carries STIX between organisations. CERT-In publishes advisories that include STIX bundles for the larger campaigns; an Indian SOC consumes these and contributes back when the lab produces new IoCs.
Persistence mechanisms are the host-indicator subset that an investigation almost always documents.
| Mechanism | Where it lives | Detection artefact |
|---|---|---|
| Run / RunOnce keys | HKCU\Software\Microsoft\Windows\CurrentVersion\Run (per user); HKLM\Software\Microsoft\Windows\CurrentVersion\Run (machine). | Registry hive parse (RegRipper, Volatility printkey); often the first place malware drops. |
Which static-analysis signal most reliably indicates a packed or encrypted PE section?
| AIIMS Delhi (Nov 2022); Oil India (2022); Tata Power (2022). |
| Spyware / Info-stealer | Exfiltrates credentials, browser data, crypto wallets. | Run key, scheduled task, or fileless (PowerShell in registry). | RedLine, Vidar, Raccoon distributed via Indian-language phishing kits. |
| RAT (Remote Access Trojan) | Interactive remote control. | Service, scheduled task, WMI subscription. | AsyncRAT, njRAT, Remcos used in Indian SOHO targeting; Cobalt Strike beacons in APT cases. |
| Rootkit / Bootkit | Hides at OS or boot level. | Boot record (bootkit), kernel driver (rootkit), UEFI firmware. | Less common in Indian incidents but documented in advanced APT cases targeting defence sector. |
| Crypto-miner | Mines cryptocurrency on the victim's CPU/GPU. | Service or scheduled task; sometimes injected into long-running process. | WMI-based XMRig deployments on Indian college servers (2019-2022). |
| Fileless malware | Payload lives only in memory or in registry blobs; no executable on disk. | PowerShell in Run key, WMI event consumer, scheduled task with -EncodedCommand. | Astaroth-style PowerShell loaders seen in Indian banking-malware reports. |
| Banker | Targets banking sessions; web injects, overlays. | Service or scheduled task. | Drinik (Android, Indian tax-themed) is a notable Indian-targeted banker. |
The taxonomy guides the first triage. A ransomware sample is run in a network-isolated sandbox with a writable file tree to observe the encryption routine and look for the configuration data that drives the ransom note. An info-stealer is run with realistic browser profiles and credential stores so the data-exfil path lights up. A RAT is run with an outbound C2 that the analyst controls (INetSim or a real handler in a controlled environment). The mismatch between expected family and observed behaviour is the first hint that an automated AV label is wrong.
Entropy is the fourth stop. Shannon entropy per section of the PE measures information density. A code section sits around 5.5 bits per byte; packed or encrypted sections sit above 7.0. DIE plots entropy by section; a single high-entropy section in an otherwise normal PE is a packer signature. The standard packers (UPX, MPRESS, Themida, VMProtect, ASPack) leave additional fingerprints in the entry point and the section names that DIE matches.
YARA is the fifth stop and the one the analyst writes themselves. A YARA rule is a small declarative file: meta block, strings block (literal, hex with wildcards, or regex), and a condition. A small example rule for a Cobalt Strike default beacon configuration reads:
rule CobaltStrike_DefaultBeacon_Config {
meta:
author = "ForensicSpot"
family = "Cobalt Strike"
reference = "Sentinel One default profile"
strings:
$sleep = { 69 68 69 68 69 68 69 68 }
$sig1 = "%s as %s\\%s: %d" wide
$sig2 = "ReflectiveLoader" ascii
condition:
uint16(0) == 0x5A4D and 2 of them
}
VirusTotal Retrohunt, Hybrid Analysis and any local malware archive (CFSL Hyderabad maintains one, and most state cyber-forensic labs collect samples through CERT-In feeds) run YARA at scale and surface clusters. The professional rule is: never tender a YARA hit alone as conclusive identification; tender it as one corroborating signal among several.
| Hosted |
|---|
| Strengths |
|---|
| Indian-lab use |
|---|
| Cuckoo / CAPE | Self-hosted, open source | Free, customisable, integrates with INetSim, supports Windows/Linux/macOS/Android VMs. | Standard at NFSU, IIIT Hyderabad, several state cyber-forensic units. |
| Any.Run | Cloud, interactive | Real-time UI, analyst clicks through prompts as the malware runs; excellent for documents with macros. | Used by NPCI's FRM and several Indian private SOCs for fast triage. |
| Hybrid Analysis (Falcon Sandbox) | Cloud, CrowdStrike | Strong YARA + ML scoring, large historical corpus. | Cross-referenced by CERT-In advisories; not a primary detonation lab. |
| Joe Sandbox | Cloud or on-premises commercial | Detailed behavioural graphs, strong anti-evasion. | Procured by some Indian central agencies. |
| Triage (Recorded Future / Hatching) | Cloud | Massive throughput, family detection, IoC extraction. | Used by Indian financial-sector CSIRT-Fin for batch detonation. |
| MalwareBazaar / VirusTotal Sandbox | Cloud | Free, broad family coverage; less depth. | Public, used for first-look triage. |
Sandbox setup has three connectivity tiers. The strictest is no internet: the VM is completely air-gapped, and only the sample's behaviour against the local filesystem and process tree is observed. The next tier is simulated internet via INetSim: the malware sees a "working" internet that records every request without forwarding it; this exposes the C2 domains and URLs the sample tries without giving the attacker any feedback. The loosest tier is live internet through an anonymising VPN: the malware reaches the real C2 server, which is necessary when the sample's later stages will not download unless the C2 sees a real callback. Live-internet detonation is the right call only when the operational gain outweighs the risk of revealing the analyst's interest to the attacker, and is normally done from infrastructure that cannot be attributed back to the analyst's organisation.
Anti-sandbox detection is the cat-and-mouse layer. Modern malware checks for VirtualBox or VMware MAC OUI prefixes, the absence of mouse movement, an unreasonably high CPU clock, a recently-booted machine with no installed applications, debugger-present flags (IsDebuggerPresent, CheckRemoteDebuggerPresent), and timing-side-channel anomalies (RDTSC delta over a sleep). Anti-sandbox bypass is the corresponding sandbox-engineering response: realistic MAC randomisation, simulated user activity, aged VM snapshots with documents and browsing history, debugger hiding.
| Process tree with parent-child relationships. |
| Powershell.exe launched by winword.exe is the macro-loader signature. |
| windows.psxview | Multiple process-listing sources cross-referenced. | Discrepancies between pslist, psscan and thrdproc reveal DKOM rootkits hiding processes. |
| windows.malfind | Pages with PAGE_EXECUTE_READWRITE and no backing file. | Catches injected shellcode and unpacker stubs. |
| windows.hollowfind (community plugin) | Process hollowing detection. | RegSvr32 with anomalous memory layout is the classic process-hollowing target. |
| windows.netscan | Open and recently-closed network connections. | C2 endpoints not visible in firewall logs because the connection was already torn down. |
| windows.dlllist | Loaded DLLs per process. | Side-by-side compare with reference image catches DLL search-order hijack. |
| windows.cmdline / windows.cmdscan | Command-line arguments of processes / console history. | Catches -EncodedCommand PowerShell payloads from fileless malware. |
| windows.registry.hivelist / printkey | Registry hives in memory. | Persistence under Run keys, RunOnce, scheduled-task ATs, WMI event subscriptions. |
| windows.filescan / dumpfiles | Files referenced from memory; dump them. | Recover the on-disk malware sample even if the malware deleted itself. |
MemProcFS is the modern alternative, presenting the memory image as a virtual filesystem. The analyst mounts the dump as a drive letter and walks /proc/, /sys/, /forensic/ paths to read process address spaces, kernel structures, file contents and YARA hits as files. The mental model is friendlier for analysts coming from a system-administration background, and many of the heavy plugins (PE reconstruction, browser-history parsing from process memory) are built in.
| Windows services | HKLM\SYSTEM\CurrentControlSet\Services; service binary path under ImagePath. | Service binary path pointing to an unusual location (%TEMP%, %APPDATA%) is a red flag. |
| Scheduled tasks | C:\Windows\System32\Tasks (XML); registry mirror under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks. | Task XML with -EncodedCommand PowerShell is the classic fileless signature. |
| WMI permanent event subscription | ROOT\subscription namespace; EventFilter, EventConsumer, FilterToConsumerBinding classes. | Tools: KANSA, wmi-persistence detection; advanced operators use these for stealth. |
| COM hijacking | HKCU\Software\Classes\CLSID; per-user CLSID overrides the per-machine entry. | User-writable CLSID pointing to a malicious DLL; loads inside legitimate Microsoft processes. |
| AppInit_DLLs | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. | Old technique; blocked by default on Windows 8+ with secure boot, but still seen on older Indian government endpoints. |
| Browser extensions | Chromium: User Data\Default\Extensions; Firefox: extensions.json; Edge: same as Chromium. | Extension manifest with broad permissions (web request rewrite) is a credential-stealer pattern. |
For deeper coverage of registry-side artefacts see our Windows Forensic Artifacts topic.
Network behaviour analysis closes the IoC loop. Modern malware uses a C2 channel that almost always has one or more of: a DGA (Domain Generation Algorithm) producing daily fallback domains, beacon timing with a small jitter, a JA3 fingerprint, and a recognisable URI shape. DGA analysis takes a list of resolved domains from the host, regresses against the family's known generation seed, and confirms or rules out the family. Beacon timing analysis (look for a periodic inter-flow gap with low variance) is the strongest behavioural signal when payload inspection is impossible. JA3/JA3S fingerprints survive C2 infrastructure rotation. Together these give the analyst a network signature for the family even when the per-incident IPs and domains have already been rotated.
The report that ships to CERT-In has a defined shape: organisation, point of contact, incident type, time first noticed, time of compromise (where determinable), affected systems, malware family if identified, IoCs (hashes, IPs, domains, mutexes), mitigations applied, and supporting artefacts (PCAP, memory image hashes, YARA rules). CFSL Hyderabad maintains a sandbox lab that produces these reports; the cross-link to Cloud Forensics becomes relevant when the infected systems were cloud-hosted and jurisdictional questions on log retrieval enter the picture.
Evidence preservation rules for malware samples specifically: handle the sample only on an analysis VM with no path back to the corporate network or to the analyst's primary workstation; transfer via password-protected ZIP with the password "infected"; never plug a malware-bearing USB into a production machine; never run a sample on a host that has access to the lab's authentication infrastructure; never enable live internet unless the operational case is documented and approved. Anti-forensic techniques that malware uses (timestomping, log clearing, anti-debug, packed payloads) are previewed here and developed in our Anti-Forensic Techniques topic.