1. Introduction to Malware Analysis
Malware Analysis is the process of studying how malware (malicious software) works: its purpose, how it spreads, its impact on a system, and how to remove or block it. It is one of the most valuable skills in cybersecurity, particularly in incident response, threat intelligence, and forensic investigation.
A malware analyst's job is to identify new malware samples, understand the attack mechanism, develop detection signatures (signatures/IOCs), and provide mitigation recommendations. There are three main approaches to analyzing malware:
Three Approaches to Malware Analysis
| Approach | Description | Difficulty | Time |
|---|---|---|---|
| Static Analysis | Analyzing the file without running it: examining the binary, strings, headers, metadata | Easy | Fast |
| Dynamic Analysis | Running the malware in an isolated environment and monitoring its behavior | Medium | Moderate |
| Reverse Engineering | Analyzing assembly/machine code to understand the malware's internal logic | Hard | Long |
MALWARE ANALYSIS WORKFLOW
  Sample Malware (suspicious file from email/endpoint)
    -> Triage (initial) -> Hash & Reputation (VirusTotal)
    -> Static Analysis  and  Dynamic Analysis (Sandbox), in parallel
    -> Reverse Engineering (Assembly / Decompiler)
    -> Report & IOCs: Hash, IP, Domain, URL; MITRE ATT&CK mapping; Detection signatures
- NEVER run malware on your main (host) machine!
- Always use an isolated Virtual Machine (VM) or sandbox
- Make sure the VM is not connected to the network (disable the network adapter)
- Store malware samples in a password-protected ZIP (the conventional password is "infected" or "malware")
- Do not upload malware to cloud services without thinking it through: the sample could leak
- Use offline analysis where possible for static analysis
2. Types of Malware
Main Malware Categories
| Type | Description | Well-Known Examples |
|---|---|---|
| Virus | Attaches itself to other files and spreads when the file is executed | ILOVEYOU, Mydoom |
| Worm | Spreads on its own over the network without human interaction | WannaCry, Conficker |
| Trojan | Poses as legitimate software but is malicious | Emotet, Zeus |
| Ransomware | Encrypts the victim's data and demands a ransom | LockBit, Conti, REvil |
| Spyware | Covertly collects information about the victim | Pegasus, FinSpy |
| Rootkit | Hides deep at the OS level; hard to detect | ZeroAccess, Alureon |
| Backdoor | Gives the attacker remote access | PlugX, Gh0st RAT |
| Keylogger | Records every keystroke | Ardamax, Actual Keylogger |
| Botnet | Infects many machines and controls them centrally | Mirai, Necurs |
| Fileless Malware | Operates in memory without touching disk; hard to detect | PowerShell Empire, Cobalt Strike |
| Wiper | Destroys data without asking for a ransom | NotPetya, Shamoon |
| Cryptominer | Uses the victim's resources to mine cryptocurrency | XMRig, Coinhive |
MITRE ATT&CK Framework
MITRE ATT&CK is a framework that documents the tactics, techniques, and procedures (TTPs) used by attackers. Malware analysts use it to categorize malware behavior.
# =============================================
# Example: Mapping Malware to MITRE ATT&CK
# =============================================
# Malware: example ransomware "CryptoLock"
# Tactic: Initial Access (TA0001)
#   - T1566.001: Phishing: Spearphishing Attachment
#     -> Sends a Word document containing a macro
# Tactic: Execution (TA0002)
#   - T1204.002: User Execution: Malicious File
#     -> The user opens the .docm file and enables the macro
#   - T1059.001: Command and Scripting Interpreter: PowerShell
#     -> Runs a PowerShell payload from the macro
# Tactic: Persistence (TA0003)
#   - T1547.001: Boot or Logon Autostart Execution: Registry Run Keys
#     -> Adds a registry startup entry
# Tactic: Privilege Escalation (TA0004)
#   - T1068: Exploitation for Privilege Escalation
#     -> Exploits CVE-2023-XXXXX for admin access
# Tactic: Defense Evasion (TA0005)
#   - T1027: Obfuscated Files or Information
#     -> Base64 + XOR encoded payload
#   - T1070.004: Indicator Removal: File Deletion
#     -> Deletes logs and artifacts
# Tactic: Discovery (TA0007)
#   - T1083: File and Directory Discovery
#     -> Enumerates files to be compressed
#   - T1135: Network Share Discovery
#     -> Looks for network shares to spread to
# Tactic: Impact (TA0040)
#   - T1486: Data Encrypted for Impact
#     -> Encrypts files with AES-256 + RSA
#   - T1490: Inhibit System Recovery
#     -> Deletes shadow copies: vssadmin delete shadows
3. Setting Up a Safe Analysis Lab
Before analyzing malware you MUST prepare a safe, isolated environment. Analyzing malware on your main machine is extremely dangerous: it can infect your system and your network.
Recommended Lab Setup
| Component | Recommendation | Purpose |
|---|---|---|
| Virtualization | VirtualBox / VMware Workstation Pro | Run isolated VMs |
| Windows VM | FlareVM (Windows + security tools) | Windows malware analysis |
| Linux VM | REMnux (Linux + malware analysis tools) | Linux malware analysis & memory forensics |
| Snapshot | Take a clean snapshot before analysis | Revert to a clean state after analysis |
| Network | Host-only / NAT + INetSim / FakeNet | Simulate the internet without a real connection |
| Shared Folder | Encrypted shared folder | Transfer samples into the VM safely |
# =============================================
# FlareVM Setup (Windows VM)
# =============================================
# 1. Install Windows 10/11 in VirtualBox/VMware
# 2. Turn off Windows Defender and Windows Update
# 3. Download the FlareVM installer from GitHub:
#    https://github.com/mandiant/flare-vm
# 4. Open PowerShell as Administrator and run:
#    Set-ExecutionPolicy Unrestricted
#    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
#    iex (iwr -Uri https://raw.githubusercontent.com/mandiant/flare-vm/master/install.ps1)
# FlareVM installs automatically:
#   - PE analysis tools (PEStudio, PEiD, Detect It Easy)
#   - Disassemblers (IDA Free, Ghidra, x64dbg)
#   - Debuggers (WinDbg, x64dbg)
#   - Network tools (Wireshark, FakeNet-NG)
#   - Hex editors (HxD, 010 Editor)
#   - Utilities (7-Zip, Python, Sysinternals)
#   - Detection tools (YARA, ClamAV)
# =============================================
# REMnux Setup (Linux VM)
# =============================================
# Option 1: Download the pre-built OVA
#   https://remnux.org -> Download OVA -> Import into VirtualBox
# Option 2: Install on Ubuntu
wget https://REMnux.org/remnux-cli
mv remnux-cli remnux
chmod +x remnux
sudo ./remnux install
# REMnux installs:
#   - Static analysis tools (ssdeep, yara, pefile)
#   - Network analysis (Wireshark, INetSim)
#   - Document analysis (oletools, pdf-parser)
#   - JavaScript analysis (JSBeautifier, JSDetox)
#   - Memory forensics (Volatility)
#   - Sandbox tools (Docker, CAPE)
# =============================================
# Network Simulation
# =============================================
# INetSim (on REMnux): simulates internet services
# Simulates: HTTP, HTTPS, DNS, SMTP, FTP, etc.
# The malware sample "thinks" it is connected to the internet,
# while all traffic is actually absorbed inside the lab
# Run INetSim:
sudo inetsim
# FakeNet-NG (on FlareVM): the Windows alternative
# Network simulation for dynamic analysis
FakeNet-NG.exe
# =============================================
# Lab Security Tips
# =============================================
# 1. Never share the clipboard between host and VM
# 2. Disable drag-and-drop to/from the VM
# 3. Turn off the VM network adapter or set it to Host-only
# 4. Always take a snapshot BEFORE running a sample
# 5. Revert to the snapshot AFTER the analysis is done
# 6. Do not store malware samples on the host
# 7. Encrypt the shared folder used to transfer samples
# 8. Do not connect the VM to the internet (unless necessary)
4. Static Analysis
Static Analysis is the process of analyzing malware without running it. It is the safe first step in malware triage. Static analysis covers examining file properties, hashes, strings, imports, headers, and metadata.
Step 1: Hashing & Reputation Check
# =============================================
# Generate Hashes of the Malware Sample
# =============================================
# MD5 hash (legacy, but still widely used in databases)
md5sum suspicious_file.exe
# Output: d41d8cd98f00b204e9800998ecf8427e  suspicious_file.exe
# SHA-1 hash
sha1sum suspicious_file.exe
# SHA-256 hash (RECOMMENDED: the industry standard)
sha256sum suspicious_file.exe
# Output: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
# ssdeep: fuzzy hashing (to find similar malware)
ssdeep suspicious_file.exe
# Output: 384:abc123def456...:xyz789...
# Useful for finding variants of the same malware
# On Windows (PowerShell):
Get-FileHash .\suspicious_file.exe -Algorithm SHA256
# =============================================
# Check the Hash on VirusTotal
# =============================================
# Method 1: Browser
# Open: https://www.virustotal.com
# Upload the file or paste the hash
# Method 2: API (Python)
import requests

API_KEY = "YOUR_VIRUSTOTAL_API_KEY"
file_hash = "e3b0c44298fc1c149afbf4c8996fb924..."
url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
headers = {"x-apikey": API_KEY}
response = requests.get(url, headers=headers)
if response.status_code == 404:
    # The hash is unknown to VirusTotal: nobody has submitted this file yet
    print("Hash not found on VirusTotal")
else:
    response.raise_for_status()
    data = response.json()
    stats = data['data']['attributes']['last_analysis_stats']
    print(f"Malicious: {stats['malicious']}")
    print(f"Suspicious: {stats['suspicious']}")
    print(f"Harmless: {stats['harmless']}")      # the v3 API reports 'harmless', not 'clean'
    print(f"Undetected: {stats['undetected']}")
# Example output: Malicious: 58, Harmless: 3, Undetected: 10
# =============================================
# Alternative Online Scanners
# =============================================
# VirusTotal: https://www.virustotal.com (70+ AV engines)
# Hybrid Analysis: https://www.hybrid-analysis.com (sandbox + static)
# Any.Run: https://any.run (interactive sandbox)
# Joe Sandbox: https://www.joesandbox.com
# MalwareBazaar: https://bazaar.abuse.ch (sample repository)
# Malpedia: https://malpedia.caad.fkie.fraunhofer.de
Step 2: File Type & Magic Bytes
# =============================================
# Identify the Real File Type
# =============================================
# file command: identification based on magic bytes
file suspicious_file.exe
# Output: PE32+ executable (GUI) x86-64, for MS Windows
file suspicious_document.docm
# Output: Microsoft Word 2007+ (macro-enabled)
file disguised_as_image.jpg.exe
# Output: PE32 executable -> NOT an image!
# =============================================
# Magic Bytes (File Signatures)
# =============================================
# Common magic bytes:
#   4D 5A (MZ)          -> PE executable (Windows .exe/.dll)
#   50 4B 03 04         -> ZIP / DOCX / XLSX / APK
#   25 50 44 46 2D      -> PDF
#   89 50 4E 47 0D 0A   -> PNG image
#   FF D8 FF            -> JPEG image
#   D0 CF 11 E0 A1 B1   -> OLE2 (old .doc, .xls)
#   7F 45 4C 46 (.ELF)  -> ELF executable (Linux)
# Hexdump to check the magic bytes
xxd suspicious_file.exe | head -5
# 00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000  MZ..............
# -> The "MZ" magic bytes show this is a PE executable
# Detect It Easy (DIE), included in FlareVM
# GUI tool that identifies compiler, packer, protector
die suspicious_file.exe
# PEiD: packer/compiler identification (legacy)
# ExeinfoPE: alternative to PEiD
Step 3: Strings Extraction
# =============================================
# Extract Strings from the Binary
# =============================================
# Basic strings extraction
strings suspicious_file.exe
# Minimum string length
strings -n 8 suspicious_file.exe   # at least 8 characters
# Export to a file
strings -n 6 suspicious_file.exe > strings_output.txt
# =============================================
# What to Look For in the Strings:
# =============================================
# 1. URLs and domains (C2 server)
grep -iE 'https?://' strings_output.txt
# Example: http://malicious-c2.com/beacon
# Example: https://pastebin.com/raw/abc123
# 2. IP addresses
grep -oE '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' strings_output.txt
# Example: 185.220.101.45
# 3. Email addresses
grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}' strings_output.txt
# 4. File paths
grep -iE 'C:\\|/tmp/|/etc/|AppData|Temp|System32' strings_output.txt
# Example: C:\Users\victim\AppData\Local\Temp\malware.exe
# Example: C:\Windows\System32\cmd.exe
# 5. Registry keys (a single backslash in the file is written as \\ in the ERE)
grep -iE 'HKEY_|\\Registry\\' strings_output.txt
# Example: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
# 6. Commands
grep -iE 'cmd\.exe|powershell|wscript|cscript|mshta|certutil|bitsadmin' strings_output.txt
# Example: powershell -enc BASE64_ENCODED_COMMAND
# 7. Crypto-related
grep -iE 'AES|RSA|encrypt|decrypt|ransom|bitcoin|wallet|\.onion' strings_output.txt
# 8. API calls
grep -iE 'CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|WinExec|ShellExecute' strings_output.txt
# 9. Mutex names (unique per malware family)
grep -iE 'mutex|Global\\|Local\\' strings_output.txt
# 10. Base64-encoded strings
grep -oE '[A-Za-z0-9+/]{20,}={0,2}' strings_output.txt | while read -r line; do
    echo "$line" | base64 -d 2>/dev/null && echo "  <- decoded from: $line"
done
# =============================================
# FLOSS: Advanced String Extraction
# =============================================
# FlareVM already includes FLOSS
# Can decode obfuscated strings that plain strings cannot
floss suspicious_file.exe > floss_output.txt
# FLOSS detects:
#   - Stack strings (strings built character by character)
#   - Decoded strings (strings decoded at runtime)
#   - Tight strings (short strings that plain strings misses)
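The base64 loop above pipes every long alphanumeric run through base64 -d, which also "decodes" ordinary words into binary garbage, and it prints PowerShell -enc payloads with embedded NUL bytes because those are UTF-16LE before encoding. The following Python script is an added example, not code from the original page: it applies the same candidate pattern, tries UTF-16LE before UTF-8, and keeps only results that decode to printable text. The sample strings are constructed, not taken from a real binary.

```python
import base64
import binascii
import re
import string

# Constructed command and strings output; not taken from a real sample.
PS_COMMAND = "Write-Host 'constructed sample command'"
PS_ENCODED = base64.b64encode(PS_COMMAND.encode("utf-16-le")).decode("ascii")
URL_ENCODED = base64.b64encode(b"http://example.invalid/beacon").decode("ascii")

SAMPLE_STRINGS = [
    "kernel32.dll",
    "powershell -nop -w hidden -enc " + PS_ENCODED,  # PowerShell -enc: UTF-16LE, then base64
    URL_ENCODED,                                      # plain UTF-8 text, base64 encoded
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef",               # long alnum run that is not encoded text
    "This program cannot be run in DOS mode",
]

B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")  # same candidate pattern as the grep above
PRINTABLE = set(string.printable)


def printable_ratio(text):
    """Fraction of characters that are printable ASCII (used to reject binary 'decodes')."""
    if not text:
        return 0.0
    return sum(c in PRINTABLE for c in text) / len(text)


def try_decode(candidate, min_ratio=0.95):
    """Return (encoding, text) if the candidate base64-decodes to readable text, else None."""
    padded = candidate + "=" * (-len(candidate) % 4)  # restore padding the regex may have cut
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    # UTF-16LE first: ASCII text encoded this way has a NUL after every byte,
    # so a UTF-8 decode would "succeed" but fail the printable check.
    if len(raw) % 2 == 0:
        try:
            text = raw.decode("utf-16-le")
            if printable_ratio(text) >= min_ratio:
                return ("utf-16-le", text)
        except UnicodeDecodeError:
            pass
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return ("utf-8", text) if printable_ratio(text) >= min_ratio else None


def find_encoded_strings(lines):
    """Scan strings output; return (candidate, encoding, decoded) for every readable decode."""
    hits = []
    for line in lines:
        for cand in B64_RE.findall(line):
            result = try_decode(cand)
            if result is not None:
                hits.append((cand, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for cand, enc, text in find_encoded_strings(SAMPLE_STRINGS):
        print(f"[{enc}] {text}  <- decoded from: {cand[:30]}...")
```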
Step 4: PE Header Analysis
# =============================================
# PE (Portable Executable) Header Analysis
# =============================================
# Install pefile: pip install pefile
import pefile

def analyze_pe(filepath):
    pe = pefile.PE(filepath)
    print("=== PE Header Analysis ===")
    print(f"Entry Point: 0x{pe.OPTIONAL_HEADER.AddressOfEntryPoint:08X}")
    print(f"Image Base: 0x{pe.OPTIONAL_HEADER.ImageBase:016X}")
    print(f"Subsystem: {pe.OPTIONAL_HEADER.Subsystem}")
    print(f"Machine: {pe.FILE_HEADER.Machine}")
    print(f"Number of Sections: {pe.FILE_HEADER.NumberOfSections}")
    print(f"Timestamp: {pe.FILE_HEADER.TimeDateStamp}")

    # Sections: anomalies here can indicate packing
    print("\n=== Sections ===")
    for section in pe.sections:
        name = section.Name.decode(errors='ignore').rstrip('\x00')
        virtual_size = section.Misc_VirtualSize
        raw_size = section.SizeOfRawData
        entropy = section.get_entropy()
        # High entropy (>7.0): probably encrypted/packed
        status = "[!] HIGH ENTROPY - possibly packed!" if entropy > 7.0 else "[OK] Normal"
        print(f"  {name:10} | Virtual: {virtual_size:10} | "
              f"Raw: {raw_size:10} | Entropy: {entropy:.2f} | {status}")

    # Imported DLLs and functions
    print("\n=== Imports (DLLs) ===")
    if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            dll_name = entry.dll.decode()
            funcs = [imp.name.decode() if imp.name else 'ordinal'
                     for imp in entry.imports]
            print(f"  {dll_name}:")
            for func in funcs[:10]:  # show the first 10
                print(f"    - {func}")
            if len(funcs) > 10:
                print(f"    ... and {len(funcs) - 10} more functions")

    # Suspicious imports
    suspicious_apis = {
        'CreateRemoteThread': 'Process injection',
        'VirtualAllocEx': 'Memory allocation in another process',
        'WriteProcessMemory': 'Writing to another process\'s memory',
        'WinExec': 'Running a program',
        'ShellExecute': 'Running a program',
        'URLDownloadToFile': 'Downloading a file from the internet',
        'InternetOpenUrl': 'Accessing a URL',
        'RegSetValueEx': 'Modifying the registry',
        'CreateService': 'Creating a Windows service',
        'GetAsyncKeyState': 'Keyboard hook (keylogger)',
        'CryptEncrypt': 'Data encryption (ransomware)',
        'SetWindowsHookEx': 'Windows hook (keylogger/spyware)',
    }
    print("\n=== Suspicious API Calls ===")
    if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
        for entry in pe.DIRECTORY_ENTRY_IMPORT:
            for imp in entry.imports:
                if imp.name:
                    func_name = imp.name.decode()
                    for api, purpose in suspicious_apis.items():
                        # prefix match so the A/W variants are caught too
                        # (e.g. ShellExecuteA, RegSetValueExW, CreateServiceW)
                        if func_name.startswith(api):
                            print(f"  [!] {func_name}: {purpose}")

# Run the analysis
analyze_pe('suspicious_file.exe')
# =============================================
# PEStudio: GUI Tool (in FlareVM)
# =============================================
# PEStudio provides:
#   - Indicators (suspicious flags)
#   - Imports analysis
#   - Section analysis (entropy, anomalies)
#   - VirusTotal integration
#   - Blacklisted strings/IPs/URLs
#   - Manifest analysis
#   - Version info
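The section-table heuristics used in the pefile script (entropy above 7.0, a virtual size far larger than the raw size, non-standard section names) can be checked without pefile by walking the PE headers directly. The following is an added example, not code from the page: it parses the DOS header, COFF header and section table with struct, and builds a constructed minimal PE in memory so that it runs offline. The section names, sizes and contents are invented for the demonstration.

```python
import math
import struct
from collections import Counter

# Section names normally emitted by common compilers; anything else is worth a look.
STANDARD_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                  ".rsrc", ".reloc", ".pdata", ".tls", ".CRT"}


def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe_bytes):
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("missing MZ magic: not a PE file")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", pe_bytes, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe_bytes, off)
        raw = pe_bytes[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", errors="replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": entropy(raw),
        })
    return sections


def packing_indicators(sections):
    """Return (section name, reason) pairs for the packing heuristics from the pefile script."""
    findings = []
    for s in sections:
        if s["entropy"] > 7.0:
            findings.append((s["name"], f"entropy {s['entropy']:.2f} > 7.0: compressed/encrypted data"))
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append((s["name"], "raw size 0 but non-zero virtual size: filled at runtime"))
        elif s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            findings.append((s["name"], f"virtual size {s['virtual_size']} >> raw size {s['raw_size']}"))
        if s["name"] not in STANDARD_NAMES:
            findings.append((s["name"], "non-standard section name"))
    return findings


def build_sample_pe(spec):
    """Build a minimal, non-executable PE image (headers + section data) for testing."""
    n = len(spec)
    header_len = 0x40 + 4 + 20 + 40 * n  # DOS header, signature, COFF header, section table
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, n, 0, 0, 0, 0, 0x0022)  # no optional header
    table, body, ptr = b"", b"", header_len
    for name, vsize, data in spec:
        table += struct.pack("<8sIIII", name.encode("ascii"), vsize, 0x1000, len(data), ptr)
        table += b"\x00" * 16  # relocation/line-number fields and Characteristics
        body += data
        ptr += len(data)
    return bytes(dos) + b"PE\x00\x00" + coff + table + body


# Constructed sample: one ordinary code section and one UPX-style high-entropy section.
SAMPLE_PE = build_sample_pe([
    (".text", 0x400, b"MOV EAX, EAX; " * 64),    # low-entropy placeholder bytes
    ("UPX1", 0x20000, bytes(range(256)) * 8),    # uniform bytes: entropy 8.0, vsize >> raw
])

if __name__ == "__main__":
    for sec in parse_sections(SAMPLE_PE):
        print(f"{sec['name']:8} virt={sec['virtual_size']:#x} raw={sec['raw_size']:#x} H={sec['entropy']:.2f}")
    for name, reason in packing_indicators(parse_sections(SAMPLE_PE)):
        print(f"[!] {name}: {reason}")
```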
5. Dynamic Analysis
Dynamic Analysis is the process of analyzing malware by running it in an isolated environment (VM/sandbox) and monitoring all of its activity. Dynamic analysis gives insight that static analysis cannot: actual network traffic, file system changes, registry modifications, and process behavior.
What to Monitor During Dynamic Analysis
| Aspect | Monitoring Tools | What to Look For |
|---|---|---|
| File System | Process Monitor (ProcMon) | New, modified, deleted files |
| Registry | Process Monitor, RegShot | New/changed registry keys (persistence) |
| Network | Wireshark, FakeNet-NG | C2 communication, DNS queries, data exfiltration |
| Process | Process Explorer, Process Hacker | Process creation, injection, termination |
| Memory | Volatility, Process Hacker | Memory artifacts, injected code |
| API Calls | API Monitor, x64dbg | Suspicious Win32 API calls |
Dynamic Analysis Tools
# =============================================
# Dynamic Analysis Workflow
# =============================================
# STEP 1: Take a clean VM snapshot
# STEP 2: Disable the network / set it to Host-only + INetSim
# STEP 3: Prepare the monitoring tools
# --- Process Monitor (ProcMon) ---
# Filter:
#   - Process Name -> contains -> "suspicious_file.exe"
#   - Operation -> is -> "CreateFile", "WriteFile", "RegSetValue"
#   - Result -> is -> "SUCCESS"
#   -> Records all of the malware's file/registry activity
# --- Process Explorer ---
#   - Show the process tree
#   - Check parent-child relationships
#   - View handles and loaded DLLs
#   - Check strings in process memory
#   - VirusTotal check (Properties -> VirusTotal tab)
# --- RegShot (Registry Comparison) ---
#   1. "Take 1st shot": registry snapshot BEFORE the malware
#   2. Run the malware
#   3. Wait a few minutes
#   4. "Take 2nd shot": registry snapshot AFTER the malware
#   5. "Compare": show all registry changes
#   -> Finds persistence mechanisms, config changes
# --- Wireshark (Network Capture) ---
# Start the capture before running the malware
# Useful filters:
#   dns                    -> DNS queries (C2 domains)
#   http.request           -> HTTP requests
#   tcp.stream eq 5        -> Follow a TCP stream
#   ip.addr == 10.0.0.100  -> Traffic from/to the malware
#   -> Identify the C2 server, data exfiltration, downloads
# =============================================
# Behavioral Indicators (What to Look For)
# =============================================
# 1. Persistence Mechanisms:
#   - Registry Run keys
#   - Scheduled tasks (schtasks)
#   - Windows services
#   - Startup folder
#   - WMI event subscriptions
#   - DLL hijacking
# 2. Network Activity:
#   - C2 beacon (regular callback intervals)
#   - DNS queries to suspicious domains
#   - Data exfiltration (large uploads)
#   - Download of additional payloads
# 3. Defense Evasion:
#   - Process injection (killing AV processes)
#   - Timestomping (changing file timestamps)
#   - Log deletion
#   - Disabling security tools
# 4. Impact:
#   - File encryption (ransomware)
#   - Data theft
#   - Lateral movement
#   - Privilege escalation
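The ProcMon filter and the behavioral-indicator list above can be turned into a check that runs over an exported capture instead of being read by eye. The script below is an added example, not part of the original page: it reads a constructed ProcMon-style CSV (the column names follow ProcMon's CSV export), keeps SUCCESS events from the sample process as the ProcMon filter does, and flags Run-key and Startup-folder persistence, shadow-copy deletion and executables written into Temp. The rows, paths and PIDs are invented.

```python
import csv
import io
import re

# Constructed ProcMon-style CSV export; the rows are invented, not a real capture.
PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.100,suspicious_file.exe,4120,CreateFile,C:\Users\victim\AppData\Local\Temp\svch0st.exe,SUCCESS,Desired Access: Generic Write
10:01:02.250,suspicious_file.exe,4120,WriteFile,C:\Users\victim\AppData\Local\Temp\svch0st.exe,SUCCESS,"Offset: 0, Length: 245760"
10:01:03.010,suspicious_file.exe,4120,RegSetValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater,SUCCESS,"Type: REG_SZ, Data: C:\Users\victim\AppData\Local\Temp\svch0st.exe"
10:01:03.500,suspicious_file.exe,4120,Process Create,C:\Windows\System32\vssadmin.exe,SUCCESS,"PID: 4380, Command line: vssadmin delete shadows /all"
10:01:04.000,suspicious_file.exe,4120,CreateFile,C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk,SUCCESS,Desired Access: Generic Write
10:01:05.000,explorer.exe,1234,RegQueryValue,HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced,SUCCESS,Type: REG_DWORD
10:01:06.000,suspicious_file.exe,4120,CreateFile,C:\Users\victim\Documents\report.docx,NAME NOT FOUND,Desired Access: Generic Read
"""

# Each rule: (tactic, label, predicate over (operation, path, detail)).
RULES = [
    ("Persistence", "registry Run key",
     lambda op, path, detail: op == "RegSetValue"
     and re.search(r"\\CurrentVersion\\Run(Once)?\\", path, re.I) is not None),
    ("Persistence", "Startup folder",
     lambda op, path, detail: op in ("CreateFile", "WriteFile")
     and re.search(r"\\Start Menu\\Programs\\Startup\\", path, re.I) is not None),
    ("Impact", "shadow copy deletion",
     lambda op, path, detail: op == "Process Create"
     and path.lower().endswith("vssadmin.exe") and "delete shadows" in detail.lower()),
    ("Staging", "executable written to Temp",
     lambda op, path, detail: op == "WriteFile"
     and re.search(r"\\Temp\\[^\\]+\.(exe|dll|scr)$", path, re.I) is not None),
]


def analyze_procmon(csv_text, process_name):
    """Apply RULES to SUCCESS events of process_name; return (tactic, label, operation, path)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same filter as in ProcMon: Process Name is the sample, Result is SUCCESS
        if row["Process Name"].lower() != process_name.lower() or row["Result"] != "SUCCESS":
            continue
        for tactic, label, match in RULES:
            if match(row["Operation"], row["Path"], row["Detail"]):
                findings.append((tactic, label, row["Operation"], row["Path"]))
    return findings


if __name__ == "__main__":
    for tactic, label, op, path in analyze_procmon(PROCMON_CSV, "suspicious_file.exe"):
        print(f"[{tactic}] {label}: {op} {path}")
```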
6. Sandboxing & Automated Analysis
Sandboxing is the technique of running malware in a safe, controlled, isolated environment. Modern sandboxes perform static + dynamic analysis automatically and produce a full report on the malware's behavior. This saves a great deal of time when triaging malware in bulk.
Online Sandboxes
| Sandbox | Free? | Key Features |
|---|---|---|
| Any.Run | Yes (limited) | Interactive sandbox: you can interact with the malware |
| Hybrid Analysis | Yes | Static + dynamic analysis, MITRE mapping |
| Joe Sandbox | Limited | Multi-OS support, deep analysis |
| VirusTotal | Yes (limited) | 70+ AV engines + behavioral analysis |
| Cuckoo Sandbox | Yes (self-hosted) | Open-source, customizable |
| CAPE Sandbox | Yes (self-hosted) | Cuckoo fork, focused on malware config extraction |
| Triage | Yes | Modern UI, family detection, signatures |
Cuckoo Sandbox Setup
# =============================================
# Cuckoo Sandbox: Automated Malware Analysis
# =============================================
# Cuckoo is an open-source sandbox that you can host yourself
# Supports: Windows, Linux, macOS, Android samples
# Installation (on Ubuntu/Debian):
sudo apt update
sudo apt install python3 python3-pip python3-venv \
    mongodb libffi-dev libssl-dev
# Create a virtual environment
python3 -m venv cuckoo-env
source cuckoo-env/bin/activate
# Install Cuckoo
# (check the Cuckoo documentation for the Python version your release supports;
#  the Cuckoo 2.x line was written for Python 2.7)
pip3 install cuckoo
# Set up the dependencies
cuckoo
# Configuration:
#   ~/.cuckoo/conf/cuckoo.conf
#   ~/.cuckoo/conf/virtualbox.conf (if using VirtualBox)
#   ~/.cuckoo/conf/processing.conf
#   ~/.cuckoo/conf/reporting.conf
# Create the analysis VM (guest):
#   1. Install Windows in VirtualBox
#   2. Install the Cuckoo agent (agent.py) inside the VM
#   3. Take a VM snapshot
#   4. Configure it in ~/.cuckoo/conf/virtualbox.conf
# Run Cuckoo:
cuckoo                               # Start the daemon
cuckoo web runserver 0.0.0.0:8080    # Web interface
# Submit a sample:
cuckoo submit suspicious_file.exe
# Or via the web interface: http://localhost:8080
# The analysis results include:
#   - Behavioral analysis (file, registry, network, process)
#   - Network capture (PCAP)
#   - Screenshots
#   - Memory dumps
#   - Static analysis
#   - YARA matches
#   - MITRE ATT&CK mapping
#   - PDF/HTML report
# =============================================
# YARA Rules: Detection Signatures
# =============================================
# YARA is a tool for writing pattern-matching rules
# that detect malware based on its characteristics
# Example YARA rule:
# rule Emotet_Dropper {
#     meta:
#         description = "Detects Emotet dropper"
#         author = "BeebaneLabs"
#         date = "2026-06-26"
#
#     strings:
#         $s1 = "powershell" nocase
#         $s2 = "Invoke-WebRequest" nocase
#         $s3 = "New-Object Net.WebClient" nocase
#         $m1 = { 4D 5A 90 00 03 00 00 00 }
#         $api1 = "VirtualAlloc" ascii
#         $api2 = "CreateRemoteThread" ascii
#
#     condition:
#         uint16(0) == 0x5A4D and
#         ($m1 at 0) and
#         (2 of ($s*) or 2 of ($api*))
# }
# Save it as emotet.yar
# Run: yara emotet.yar suspicious_file.exe
# Or scan a directory:
yara -r emotet.yar /path/to/samples/
7. Complete Malware Analysis Toolset
Tool List by Category
| Category | Tool | Function | Platform |
|---|---|---|---|
| Static Analysis | PEStudio | PE header & import analysis | Windows |
| | Detect It Easy (DIE) | Identifies compiler, packer, protector | Cross-platform |
| | pestudio / PE-bear | Lightweight PE analyzer | Windows |
| Disassemblers | IDA Pro / IDA Free | Disassembly & decompilation; the industry standard | Cross-platform |
| | Ghidra (NSA) | Open-source reverse engineering with a built-in decompiler | Cross-platform |
| Debuggers | x64dbg / x32dbg | Windows user-mode debugger | Windows |
| | WinDbg | Kernel-mode debugging | Windows |
| Network | Wireshark | Network traffic analysis & PCAP | Cross-platform |
| | FakeNet-NG / INetSim | Network simulation for the sandbox | Windows / Linux |
| Monitoring | Process Monitor (ProcMon) | Real-time file/registry/process monitoring | Windows |
| | Process Explorer | Advanced process viewer | Windows |
| | RegShot | Registry comparison (before/after) | Windows |
| Detection | YARA | Malware pattern-matching rules | Cross-platform |
| | ClamAV | Open-source antivirus engine | Cross-platform |
| | ssdeep | Fuzzy hashing (similarity detection) | Cross-platform |
| Automated | Cuckoo / CAPE | Automated sandbox analysis | Linux host |
| | Volatility | Memory forensics | Cross-platform |
| | Rizin / Cutter | Open-source RE framework + GUI | Cross-platform |
# =============================================
# Quick Malware Triage: Python Script
# =============================================
import hashlib
import math
import re
from collections import Counter

def calculate_hashes(filepath):
    """Compute the MD5, SHA1 and SHA256 of a file"""
    with open(filepath, 'rb') as f:
        data = f.read()
    return {
        'MD5': hashlib.md5(data).hexdigest(),
        'SHA1': hashlib.sha1(data).hexdigest(),
        'SHA256': hashlib.sha256(data).hexdigest(),
        'Size': len(data)
    }

def calculate_entropy(filepath):
    """Compute the file entropy; high = probably encrypted/packed"""
    with open(filepath, 'rb') as f:
        data = f.read()
    if not data:
        return 0
    byte_counts = Counter(data)
    length = len(data)
    entropy = -sum(
        (count / length) * math.log2(count / length)
        for count in byte_counts.values()
    )
    return entropy

def extract_interesting_strings(filepath, min_length=6):
    """Extract and filter interesting strings"""
    with open(filepath, 'rb') as f:
        data = f.read()
    # ASCII strings
    ascii_strings = re.findall(rb'[\x20-\x7e]{%d,}' % min_length, data)
    # Unicode (UTF-16LE) strings
    unicode_strings = re.findall(rb'(?:[\x20-\x7e]\x00){%d,}' % min_length, data)
    all_strings = [s.decode('ascii', errors='ignore') for s in ascii_strings]
    all_strings += [s.decode('utf-16-le', errors='ignore') for s in unicode_strings]
    results = {'urls': [], 'ips': [], 'emails': [], 'paths': [], 'commands': []}
    for s in all_strings:
        if re.search(r'https?://', s, re.I):
            results['urls'].append(s)
        if re.search(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', s):
            results['ips'].append(s)
        if re.search(r'@\w+\.\w+', s):
            results['emails'].append(s)
        if re.search(r'C:\\|/tmp/|/etc/', s, re.I):
            results['paths'].append(s)
        if re.search(r'cmd|powershell|bash|wget|curl', s, re.I):
            results['commands'].append(s)
    return results

def triage(filepath):
    """Quick triage analysis"""
    print('=' * 60)
    print("MALWARE TRIAGE REPORT")
    print(f"File: {filepath}")
    print('=' * 60)
    # Hashes
    hashes = calculate_hashes(filepath)
    print("\n[+] Hashes:")
    for k, v in hashes.items():
        print(f"    {k}: {v}")
    # Entropy
    entropy = calculate_entropy(filepath)
    status = "[!] HIGH: possibly packed/encrypted!" if entropy > 7.0 else "[OK] Normal"
    print(f"\n[+] Entropy: {entropy:.4f} {status}")
    # Magic bytes
    with open(filepath, 'rb') as f:
        magic = f.read(16)
    print(f"\n[+] Magic Bytes: {magic.hex()}")
    if magic[:2] == b'MZ':
        print("    -> PE Executable (Windows)")
    elif magic[:4] == b'\x7fELF':
        print("    -> ELF Executable (Linux)")
    elif magic[:2] == b'PK':
        print("    -> ZIP-based (DOCX/XLSX/APK)")
    # Strings
    strings = extract_interesting_strings(filepath)
    print("\n[+] Interesting Strings:")
    for category, items in strings.items():
        if items:
            print(f"    {category}: {len(items)} found")
            for item in items[:5]:
                print(f"      - {item[:80]}")
    print(f"\n{'=' * 60}")

# Run the triage
triage('suspicious_file.exe')
8. Quiz: Test Your Understanding!
After reading the tutorial above, answer the following 5 questions to test your understanding of Malware Analysis: