🦠

Malware Analysis & Reverse Engineering

Complete Guide to Malware Analysis & Reverse Engineering

From Static and Dynamic Analysis to Disassembly, Debugging, Unpacking, and YARA Rules — everything about Malware Analysis in one place.

analyst@remnux:~# file suspicious.exe
suspicious.exe: PE32 executable, UPX packed
analyst@remnux:~# strings suspicious.exe | grep -i "http"
http://c2server.evil/beacon
analyst@remnux:~#
🔬 Static Analysis 🏃 Dynamic Analysis ⚙️ Reverse Engineering 🐛 Debugging 📦 Unpacking 🔎 YARA Rules 🌐 Network Forensics 🛡️ Sandbox Analysis 🗺️ Roadmap
📋 Table of Contents
01 Introduction to Malware & Types
Virus, Worm, Trojan, Ransomware, RAT, Rootkit, Spyware
02 Safe Lab Setup
Isolated VM, REMnux, FlareVM, Snapshot
03 Static Analysis
file, strings, hexdump, PE headers, imports, exports
PEiD, Detect-It-Easy, CFF Explorer, pestudio
04 Dynamic Analysis
Process Monitor, Wireshark, Regshot, FakeNet-NG
API call monitoring, Network traffic analysis
05 Sandbox Analysis
Any.run, Cuckoo Sandbox, Hybrid Analysis, VirusTotal
06 Reverse Engineering — Disassembly
Ghidra, IDA Pro, x64dbg, Binary Ninja
Assembly basics, Function analysis, Control flow
07 Packing & Obfuscation
UPX, Custom packers, Anti-analysis techniques
String obfuscation, API hashing, Anti-debugging
08 YARA Rules
Writing YARA rules, Testing, Threat hunting
09 Malware Family Analysis
Emotet, WannaCry, Cobalt Strike, Mimikatz
10 Cheat Sheet & Roadmap
All important commands and learning path
CHAPTER 01
🦠 Introduction to Malware & Types
All types of malicious software and how they work

What is Malware?

Malware (Malicious Software) is any software that damages a system, steals data without permission, or takes control of a system. Malware Analysts analyze this software to understand what it does, how it spreads, and how it can be stopped.

Types of Malware

🦠
Virus

Spreads by injecting itself into other files. Requires a host file.

Self-replicating File infector
🐛
Worm

Spreads across networks on its own; no host file needed. WannaCry is one.

Self-propagating Network
🐴
Trojan

Disguises itself as legitimate software with malicious code inside. Opens a backdoor.

Disguised Backdoor
💰
Ransomware

Encrypts files and demands a ransom. WannaCry, LockBit, and REvil are well-known examples.

Encryption Ransom
🖥️
RAT

Remote Access Trojan — gives the attacker full control. Keylogging, screenshots.

Remote Control C2
🕵️
Rootkit

Hides deep in the OS and conceals itself. Detection is difficult.

Stealth Kernel level
🔑
Keylogger

Records all keystrokes and sends them out. Steals passwords.

Keystroke Credential theft
🤖
Botnet/Bot

Infected machines follow commands from a C2 server. DDoS, spam.

C2 server DDoS
📊
Spyware/Infostealer

Steals browser passwords, cookies, and credit cards. Redline, Raccoon.

Data theft Stealer

Goals of Malware Analysis

🎯 What Does an Analyst Want to Know?

  • What does the malware do? (Capability)
  • Where is the C2 server? (IOC)
  • How did it spread? (Infection vector)
  • Which files/registry keys were changed?
  • How does it maintain persistence?
  • Which malware family is it?

⚠️ IOC — Indicator of Compromise

  • IP address / Domain (C2 server)
  • File hash (MD5, SHA-256)
  • File path, Registry key
  • Mutex name
  • Network signature
  • Dropped files
  • User-Agent string
  • YARA rule match

🦠 Remember

  • ✅ Ransomware → encrypts files | RAT → remote control | Rootkit → hides itself
  • ✅ IOC → IP, Domain, Hash, File path — look for these
  • Analyze malware, don't create it — for educational purposes only
CHAPTER 02
🔬 Safe Lab Setup
Creating a safe, isolated environment for malware analysis
⚠️ Warning — Read First!
Never run real malware on your main machine! Always run it in an isolated VM — with the network off and a Snapshot taken. One mistake can infect your entire system.

Ideal Lab Architecture

⚠️  ISOLATED NETWORK — cut off from the Internet!

┌─────────────────────────────────────────────────┐
│              Host Machine (your PC)              │
│                                                  │
│  ┌────────────────┐    ┌────────────────────┐   │
│  │  REMnux / Kali │    │   Windows 10 VM    │   │
│  │  (Analyst)     │◄──►│   (Victim/Run)     │   │
│  │                │    │   FlareVM tools    │   │
│  │  Wireshark     │    │   Fakenet-NG       │   │
│  │  INetSim       │    │   Process Monitor  │   │
│  │  FakeNet-NG    │    │   Regshot          │   │
│  └────────────────┘    └────────────────────┘   │
│                                                  │
│  🔴 Host-only / Internal Network (No Internet!) │
└─────────────────────────────────────────────────┘

Take a Snapshot → Run the malware → Analyze → Revert!

REMnux — Linux Analysis VM

# REMnux: https://remnux.org — free, VMware/VirtualBox
# Pre-installed tools:
# Static:  strings, file, hexdump, binwalk, upx, pefile
# Dynamic: strace, ltrace, inetsim, fakedns
# Network: Wireshark, tcpdump, NetworkMiner
# RE:      Ghidra, Cutter, radare2
# Memory:  Volatility, rekall
# Setup:
# 1. Import into VirtualBox/VMware
# 2. Network → Host-only Adapter
# 3. Take a Snapshot
remnux upgrade        # update all tools

FlareVM — Windows Analysis VM

# FlareVM (Mandiant): install on Windows 10
# https://github.com/mandiant/flare-vm
# In PowerShell (Admin):
Set-ExecutionPolicy Unrestricted
iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1'))
# Pre-installs:
# x64dbg, OllyDbg               — Debugger
# Ghidra, IDA Free              — Disassembler
# pestudio, CFF Explorer        — PE analysis
# Process Hacker, Process Monitor — Process
# Wireshark, FakeNet-NG         — Network
# HxD                           — Hex editor
# Python, pefile                — Scripting

INetSim — Fake Internet Simulator

# Run INetSim on REMnux to intercept the malware's network calls
# It runs fake HTTP, DNS, and SMTP servers
# /etc/inetsim/inetsim.conf:
service_bind_address 0.0.0.0
# REMnux's own IP is returned for every DNS lookup
dns_default_ip 192.168.56.101
start_service dns
start_service http
start_service https
start_service smtp
# Start it:
inetsim
# In the Windows VM, set the DNS server → REMnux IP
# Now whatever the malware connects to ends up on REMnux
# Watch it with Wireshark:
sudo wireshark -i eth0 &

🔬 Lab Setup — Remember

  • Always take a Snapshot before running malware
  • ✅ Network → Host-only — no Internet!
  • ✅ REMnux = Linux analysis | FlareVM = Windows analysis
  • ✅ INetSim → fake internet, see the network calls
CHAPTER 03
🔬 Static Analysis
Analyzing malware without running it — the safe first step

What is Static Analysis?

Analyzing malware without executing it. The file structure, strings, and imports reveal a lot of information. Always do this first — it is safe and fast.

Basic File Analysis — First Steps

══════════ File Type Identification ══════════
file suspicious.exe            # file type (from magic bytes)
file -b suspicious.exe         # brief output
# → PE32 executable (GUI) Intel 80386, UPX compressed

══════════ Hash — the real identity ══════════
md5sum suspicious.exe          # MD5
sha256sum suspicious.exe       # SHA-256 (the most important)
sha1sum suspicious.exe         # SHA-1
# Search VirusTotal by hash:
curl "https://www.virustotal.com/api/v3/files/HASH" \
     -H "x-apikey: YOUR_API_KEY"

══════════ Strings — Hidden Information ══════════
strings suspicious.exe                    # all ASCII strings
strings -n 8 suspicious.exe               # min 8 chars
strings suspicious.exe | grep -i "http\|ftp\|cmd\|power"
strings suspicious.exe | grep -i "pass\|login\|key\|secret"
strings suspicious.exe | grep -E "[0-9]{1,3}\.[0-9]{1,3}"   # IP address
strings suspicious.exe | grep -i "HKEY\|SOFTWARE\|Run"     # Registry

══════════ Hex Dump ══════════
xxd suspicious.exe | head -30             # hex + ASCII
hexdump -C suspicious.exe | head -20
# PE file  → starts with MZ (4D 5A)
# ELF file → starts with 7F 45 4C 46

══════════ Entropy — Packing/Encryption ══════════
# High entropy (7.0+) → packed or encrypted!
python3 -c "
import math, collections
data = open('suspicious.exe','rb').read()
cnt = collections.Counter(data)
entropy = -sum(v/len(data)*math.log2(v/len(data)) for v in cnt.values() if v)
print(f'Entropy: {entropy:.2f}')
"

PE File Analysis — Windows Executable

# PE (Portable Executable) structure:
# MZ Header → PE Header → Section Headers → Sections
# With Python pefile:
import datetime
import pefile

pe = pefile.PE('suspicious.exe')

# Compile time:
print(datetime.datetime.fromtimestamp(pe.FILE_HEADER.TimeDateStamp))

# Sections (check the entropy):
for section in pe.sections:
    print(section.Name, hex(section.VirtualAddress),
          section.SizeOfRawData, section.get_entropy())

# Imports — which Windows APIs does it call?
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll.decode())
    for imp in entry.imports:
        print(' ', imp.name or imp.ordinal)   # name is None for ordinal imports

# Suspicious imports:
# CreateRemoteThread      → code injection!
# VirtualAllocEx          → allocate memory before injecting
# WriteProcessMemory      → write into another process
# WinExec / ShellExecute  → run a program
# URLDownloadToFile       → download from the Internet
# RegSetValueEx           → change the Registry (persistence!)
# CryptEncrypt            → ransomware!
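To make the MZ → PE → section-table walk concrete without needing pefile or a real binary, here is an added example (not from the original page) that parses those headers with the standard library and computes per-section entropy; the sample PE it builds is constructed and non-executable, and the 7.0 threshold is the one the page uses.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; 7.0+ is the page's packed/encrypted threshold."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> PE signature -> COFF header -> section table -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (machine, nsections, timestamp, _, _,
     opt_size, _) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_table = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsections):
        # first 24 bytes of a 40-byte IMAGE_SECTION_HEADER
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, sec_table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"machine": machine, "timestamp": timestamp, "sections": sections}

def is_pe(data: bytes) -> bool:
    """True when the MZ/PE signatures are present and the headers can be read."""
    try:
        parse_pe(data)
        return True
    except (ValueError, struct.error):
        return False

def packed_sections(report: dict, threshold: float = 7.0) -> list[str]:
    """Section names whose entropy crosses the packed/encrypted threshold."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold]

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE: a low-entropy .text section and a
    high-entropy UPX1 section of LCG pseudo-random bytes standing in for packed code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine=i386, 2 sections, constructed timestamp, no optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5A1F2B3C, 0, 0, 0, 0x102)
    data_start = e_lfanew + 4 + 20 + 40 * 2
    text = b"\x90" * 200 + b"Hello from .text\0" + b"\x00" * 39
    x, packed = 12345, bytearray()
    for _ in range(1024):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        packed.append((x >> 16) & 0xFF)
    hdr = "<8sIIIIIIHHI"      # full 40-byte section header
    sec_text = struct.pack(hdr, b".text", len(text), 0x1000, len(text), data_start,
                           0, 0, 0, 0, 0x60000020)
    sec_upx = struct.pack(hdr, b"UPX1", len(packed), 0x2000, len(packed),
                          data_start + len(text), 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + sec_text + sec_upx + text + bytes(packed)

if __name__ == "__main__":
    for s in parse_pe(build_sample_pe())["sections"]:
        print(f"{s['name']:8} va={s['virtual_address']:#x} "
              f"size={s['raw_size']} entropy={s['entropy']}")
```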

pestudio — GUI Static Analysis

# pestudio (Windows) — the easiest PE analysis tool
# Drag & drop the file → it shows everything
# You will see:
# ✓ VirusTotal score
# ✓ Imports (suspicious ones highlighted)
# ✓ Strings (URLs, IPs, Registry keys)
# ✓ Sections and entropy
# ✓ Certificates
# ✓ Resources (hidden files?)
# Detect-It-Easy (DIE) — packer detection:
die suspicious.exe
# → UPX(3.95) [Packer]
# → .NET(v4.0.30319) [Linker]

Suspicious Strings — What Should Alert You?

String                           | Possible Meaning           | Type
http://, https://                | C2 server or download URL  | HIGH
cmd.exe, powershell              | Shell execution            | HIGH
HKEY_, \Run\                     | Registry persistence       | CRITICAL
encrypt, ransom                  | Ransomware                 | CRITICAL
bitcoin, .onion                  | Ransom payment             | CRITICAL
keylog, screenshot               | Spyware/RAT                | HIGH
VirtualAlloc, CreateRemoteThread | Code injection             | CRITICAL
IP address pattern               | Hardcoded C2               | HIGH
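The table above is easy to turn into an automated triage step. This added example (not part of the original page) reimplements `strings -n` in Python and scores the extracted strings with the table's patterns and severities; the byte blob it scans is constructed, not a real sample.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Pure-Python stand-in for `strings -n <min_len>`: runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

# (regex, meaning, severity) straight from the Suspicious Strings table
SUSPICIOUS = [
    (re.compile(r"https?://", re.I),                  "C2 server or download URL", "HIGH"),
    (re.compile(r"cmd\.exe|powershell", re.I),        "Shell execution",           "HIGH"),
    (re.compile(r"HKEY_|\\Run\b", re.I),              "Registry persistence",      "CRITICAL"),
    (re.compile(r"encrypt|ransom", re.I),             "Ransomware",                "CRITICAL"),
    (re.compile(r"bitcoin|\.onion", re.I),            "Ransom payment",            "CRITICAL"),
    (re.compile(r"keylog|screenshot", re.I),          "Spyware/RAT",               "HIGH"),
    (re.compile(r"VirtualAlloc|CreateRemoteThread"),  "Code injection",            "CRITICAL"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),      "Hardcoded C2",              "HIGH"),
]

def triage_strings(strings: list[str]) -> list[dict]:
    """Tag each string with the first table row it matches."""
    hits = []
    for s in strings:
        for pat, meaning, severity in SUSPICIOUS:
            if pat.search(s):
                hits.append({"string": s, "meaning": meaning, "severity": severity})
                break
    return hits

def verdict(hits: list[dict]) -> str:
    if any(h["severity"] == "CRITICAL" for h in hits):
        return "CRITICAL"
    return "HIGH" if hits else "CLEAN"

def analyze(data: bytes, min_len: int = 4) -> dict:
    strings = extract_strings(data, min_len)
    hits = triage_strings(strings)
    return {"strings": strings, "hits": hits, "verdict": verdict(hits)}

# Constructed sample bytes imitating what a packed dropper's strings look like
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
          + b"kernel32.dll\0VirtualAllocEx\0CreateRemoteThread\0"
          + b"\x01\x02\x03" + b"http://c2server.evil/beacon\0"
          + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
          + b"192.168.1.100\0" + b"evil\0" + b"ab\0" + b"user32.dll\0")

if __name__ == "__main__":
    report = analyze(SAMPLE)
    for h in report["hits"]:
        print(f"[{h['severity']:8}] {h['meaning']:26} {h['string']}")
    print("verdict:", report["verdict"])
```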

🔬 Static Analysis — Remember

  • file → file type | strings → hidden text | sha256sum → hash
  • High entropy (7+) → packed or encrypted
  • ✅ Imports: CreateRemoteThread, URLDownloadToFile → dangerous
  • ✅ pestudio + DIE = the easiest tools on Windows
CHAPTER 04
🏃 Dynamic Analysis
Observing malware behavior while it runs — in a VM, with a Snapshot taken!

What is Dynamic Analysis?

Actually running the malware and monitoring its behavior. What Static Analysis cannot reveal — packed or obfuscated malware — can be caught with Dynamic Analysis.

Process Monitor (Procmon) — See Everything

# Process Monitor (Sysinternals) — the best dynamic tool on Windows
# Shows all File, Registry, Network, and Process activity
# Filter (only the malware process):
# Filter → Process Name → is → malware.exe → Include
# You will see:
# File Created: C:\Users\Public\backdoor.exe                           ← dropped file!
# Registry SetValue: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ← persistence!
# TCP Connect: 192.168.1.100:4444                                      ← C2 connection!
# Process Created: cmd.exe                                             ← shell!

# On Linux: strace and ltrace
strace -f ./malware 2>&1 | tee strace_output.txt
strace -f -e trace=network ./malware      # network calls only
strace -f -e trace=file ./malware         # file operations only
ltrace ./malware                          # library calls
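The `strace -f -e trace=network` output above is verbose; a small parser pulls the IOCs out of it. This added example (not from the original page) extracts connect() targets and HTTP Host headers from a constructed strace log and drops the lab's own INetSim/fake-DNS address so only the malware's real targets remain.

```python
import re

# Constructed strace -f -e trace=network output (not a real capture)
STRACE_LOG = """\
[pid  4242] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
[pid  4242] connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.1.100")}, 16) = 0
[pid  4242] sendto(3, "GET /beacon HTTP/1.1\\r\\nHost: c2server.evil\\r\\n\\r\\n", 45, MSG_NOSIGNAL, NULL, 0) = 45
[pid  4243] socket(AF_INET, SOCK_DGRAM, IPPROTO_IP) = 4
[pid  4243] connect(4, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.56.101")}, 16) = 0
[pid  4243] sendto(4, "\\x12\\x34\\x01\\x00\\x00\\x01", 6, 0, NULL, 0) = 6
[pid  4242] connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("10.0.0.7")}, 16) = -1 ECONNREFUSED (Connection refused)
"""

# connect(fd, {sa_family=AF_INET, sin_port=htons(PORT), sin_addr=inet_addr("IP")}, len) = RET
CONNECT_RE = re.compile(
    r"\[pid\s+(?P<pid>\d+)\]\s+connect\((?P<fd>\d+),.*?sin_port=htons\((?P<port>\d+)\)"
    r".*?inet_addr\(\"(?P<ip>[\d.]+)\"\).*?=\s*(?P<ret>-?\d+)")
HOST_RE = re.compile(r"Host: ([A-Za-z0-9.-]+)")

def parse_connections(log: str) -> list[dict]:
    """One record per connect() call, with success taken from the return value."""
    conns = []
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            conns.append({"pid": int(m["pid"]), "fd": int(m["fd"]),
                          "ip": m["ip"], "port": int(m["port"]),
                          "ok": m["ret"] == "0"})
    return conns

def extract_iocs(log: str, lab_ip: str) -> dict:
    """Network IOCs, ignoring traffic to the lab's own INetSim/fake-DNS host.
    Failed connects are kept: a refused C2 is still an indicator."""
    conns = [c for c in parse_connections(log) if c["ip"] != lab_ip]
    return {"ips": sorted({c["ip"] for c in conns}),
            "ports": sorted({c["port"] for c in conns}),
            "domains": sorted(set(HOST_RE.findall(log)))}

if __name__ == "__main__":
    print(extract_iocs(STRACE_LOG, lab_ip="192.168.56.101"))
```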

Regshot — Monitor Registry Changes

# Regshot — Registry snapshot before/after the malware
# 1st Shot → run the malware → 2nd Shot → Compare!
# You will see which Registry keys were:
# Added:    HKCU\Software\Evil\C2Server = "http://evil.com"
# Modified: HKLM\...\Run\malware = "C:\Windows\backdoor.exe"
# Deleted:  ...
# Common persistence Registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\CurrentControlSet\Services\          # service install
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Wireshark — Network Traffic Analysis

# Capture the malware's network activity with Wireshark
# Capture filter (malware VM only):
host 192.168.56.102              # the VM's IP
# Display filters:
http                             # HTTP traffic
dns                              # DNS queries (C2 domain name!)
tcp.port == 4444                 # Metasploit default port
ip.addr == 192.168.56.1
# Malware network IOCs:
# DNS query: evilc2server.ru          → C2 domain!
# HTTP POST /beacon                   → C2 beacon!
# User-Agent: Mozilla/5.0 (unusual)   → hardcoded!
# Large upload                        → data exfiltration!
# FakeNet-NG — on REMnux:
fakenet
# Fake internet; logs every request
# → see the log: /var/log/fakenet/
# tcpdump — capture from the CLI:
sudo tcpdump -i eth0 -w malware_traffic.pcap
sudo tcpdump -i eth0 'host 192.168.56.102' -w capture.pcap

Process Hacker / API Monitor

# Process Hacker — inspect processes and memory
# Is the malware's process in the expected location?
# svchost.exe but under C:\Users\ → suspicious!
# Parent process: Word.exe → cmd.exe → malware.exe (macro!)
# Memory strings (catch runtime decryption):
# Process Hacker → Process → Memory → Strings
# After packed malware unpacks, the real strings show up here!
# API Monitor — which API calls are being made?
# Hooks and shows every Windows API call
# Linux: ltrace, strace
strace -p PID                 # syscalls of a running process
cat /proc/PID/maps            # memory map
cat /proc/PID/net/tcp         # network connections
ls -la /proc/PID/fd/          # open files

🏃 Dynamic Analysis — Remember

  • ✅ Procmon → see all File/Registry/Network activity
  • ✅ Regshot → before/after Registry compare
  • ✅ Wireshark → catch the C2 domain, IP, and beacon pattern
  • Run with a Snapshot, then Revert — never forget!
CHAPTER 05
🛡️ Sandbox Analysis
Online automated analysis — the fastest way to get initial information

Online Sandbox — When to Use It?

⚠️ Warning
Uploading a sample to an online sandbox makes it public! Don't upload sensitive/confidential malware. Use it only for public malware or CTF challenges.

Best Sandbox Platforms

🌐 VirusTotal

  • URL: virustotal.com
  • Scans with 70+ AV engines
  • Search by hash (without uploading)
  • Shows Imports, Strings, Behavior
  • Similar files, community comments
  • Free

🔴 Any.run

  • URL: any.run
  • Interactive sandbox — watch in real time
  • Process tree, Network, Registry
  • MITRE ATT&CK mapping
  • Extracts IOCs
  • Free (public) Paid (private)

🔬 Hybrid Analysis

  • URL: hybrid-analysis.com
  • Falcon Sandbox (CrowdStrike)
  • YARA match, Suricata alerts
  • Detailed report, IOC export
  • Free

🦅 Cuckoo Sandbox

  • Self-hosted — Private!
  • Run it on your own server
  • Windows/Linux/Android support
  • Network PCAP, Memory dump
  • Free, Open Source

VirusTotal API — Automated Analysis

# Check VT by hash (command line):
curl --request GET \
     --url "https://www.virustotal.com/api/v3/files/HASH_HERE" \
     --header "x-apikey: YOUR_API_KEY"

# With Python:
import requests

API_KEY = "your_api_key"
file_hash = "d41d8cd98f00b204e9800998ecf8427e"
url = f"https://www.virustotal.com/api/v3/files/{file_hash}"
r = requests.get(url, headers={"x-apikey": API_KEY})
r.raise_for_status()          # 404 = hash unknown to VT, 401 = bad API key
data = r.json()
stats = data["data"]["attributes"]["last_analysis_stats"]
print(f"Malicious: {stats['malicious']}/{sum(stats.values())}")

# Threat Intelligence tools:
# MalwareBazaar: bazaar.abuse.ch     — free malware samples
# ThreatFox:     threatfox.abuse.ch  — IOC database
# URLhaus:       urlhaus.abuse.ch    — malicious URLs
# OTX AlienVault: otx.alienvault.com — threat intel

🛡️ Sandbox — Remember

  • First search VT by hash — don't upload
  • ✅ Any.run → interactive, watch in real time
  • ✅ Cuckoo → self-hosted for private/sensitive samples
  • ✅ MalwareBazaar → real malware samples for practice
CHAPTER 06
⚙️ Reverse Engineering — Disassembly
Techniques for recovering source-level logic from binaries — Ghidra & x64dbg

Assembly Core Concepts — What You Need to Know for RE

# x86 registers (32-bit):
EAX       # Accumulator — return value, math
EBX       # Base — general purpose
ECX       # Counter — loop counter
EDX       # Data — general purpose
ESP       # Stack Pointer — top of the stack
EBP       # Base Pointer — function frame
ESI/EDI   # Source/Destination — string ops
EIP       # Instruction Pointer — next instruction
# x64: RAX, RBX, RCX... (64-bit)

# Common instructions:
MOV EAX, 1          # EAX = 1
PUSH EAX            # push onto the stack
POP EBX             # pop from the stack
CALL func           # function call
RET                 # return
JMP addr            # unconditional jump
JE / JZ             # jump if equal/zero
JNE / JNZ           # jump if not equal
CMP EAX, EBX        # compare (sets flags)
XOR EAX, EAX        # EAX = 0 (zero out)
LEA EAX, [EBP-4]    # load effective address
NOP                 # no operation (0x90)

Ghidra — Free Disassembler (NSA)

# Ghidra: https://ghidra-sre.org — free, developed by the NSA
# Java required
# Workflow:
# 1. New Project → Import File (drag & drop)
# 2. Run the analysis (Auto Analysis)
# 3. Symbol Tree → Functions → find main
# 4. Look at the Decompiler window (C-like code!)
# What you see in Ghidra:
# Left panel: Symbol Tree (functions, imports)
# Middle:     Disassembly (assembly code)
# Right:      Decompiler (C-like pseudocode) ← the most important
# Automate with scripts:
# Ghidra → Window → Script Manager → Python
# Command line (headless):
./analyzeHeadless /project proj_name -import malware.exe \
    -postScript PrintStrings.py

x64dbg — Windows Debugger

# x64dbg: https://x64dbg.com — free Windows debugger
# Important shortcuts:
F2        # set/remove breakpoint
F7        # Step Into (enter the function)
F8        # Step Over (skip the function)
F9        # Run (until the next breakpoint)
F4        # Run to cursor
Ctrl+G    # Go to address
# Common breakpoints:
# bp CreateFileA          → stop before a file is created
# bp URLDownloadToFileA   → before a download
# bp RegSetValueExA       → before a Registry write
# bp VirtualAlloc         → memory allocation
# bp WSASend/send         → network send
# Breakpoint on an API call:
# Plugins → APIBreak → Add API name
# Memory dump (extract the unpacked malware):
# Find the OEP (Original Entry Point) → Dump → Rebuild PE
# Scylla plugin → Dump → Fix Imports → Save

radare2 / Cutter — Linux RE

# radare2 — CLI disassembler
r2 suspicious.elf         # open
aaa                       # analyze all
afl                       # list functions
pdf @ main                # disassemble main
VV                        # visual/graph mode
s main; pdf               # seek to main, print
iz                        # strings
ii                        # imports
q                         # quit

# Cutter = radare2 GUI version
cutter suspicious.elf

# objdump (basic, pre-installed):
objdump -d suspicious.elf | head -50
objdump -t suspicious.elf         # symbol table
objdump -x suspicious.elf         # headers

# GDB — Linux debugger:
gdb ./suspicious
break main
run
disas main
info registers
x/10x $esp                        # look at the stack

⚙️ RE — Remember

  • ✅ Ghidra → Decompiler = C-like code, easier to understand
  • ✅ x64dbg → F2 Breakpoint, F7 Step, F9 Run
  • EAX = return value | ESP = stack top | EIP = next instruction
  • JE/JNE → condition check — this is where a license check gets bypassed
CHAPTER 07
📦 Packing & Obfuscation
How malware hides itself — and how to uncover it

What is Packing?

A packer is a tool that compresses or encrypts an executable to make AV detection harder. At runtime it unpacks itself into memory and runs. The most common packer is UPX.

UPX Unpacking

# Detect UPX:
die suspicious.exe
# → UPX(3.96) [Packer]
strings suspicious.exe | grep UPX        # the "UPX!" string is present
# UPX unpack (easy):
upx -d suspicious.exe -o unpacked.exe
upx -d suspicious.exe                    # in place
# Verify:
file unpacked.exe
strings unpacked.exe | head -50          # the real strings are visible now
# Custom packer (not UPX) → manual unpacking needed:
# 1. Open it in x64dbg
# 2. ESP trick: at the entry point PUSHAD → VirtualAlloc → copy → POPAD → JMP OEP
# 3. Find the OEP (Original Entry Point)
# 4. Dump with Scylla
# Memory dump (x64dbg):
# breakpoint at the OEP → run → Memory Map → right-click → Dump

Anti-Analysis Techniques — How Malware Resists Analysis

Technique          | How It Works                               | How to Bypass
Anti-Debugging     | Checks IsDebuggerPresent()                 | x64dbg ScyllaHide plugin
VM Detection       | Checks VM artifacts (VMware registry)      | Remove VM artifacts, patch
Timing Check       | Detects slow execution with GetTickCount() | Patch the check, NOP it
String Obfuscation | Encodes strings with XOR/Base64            | Dynamic analysis, deobfuscate
API Hashing        | Calls APIs by name hash, no strings        | HashDB plugin (IDA/Ghidra)
Process Injection  | Injects code into another process          | Process Hacker, breakpoint

String Obfuscation — Decode It

# XOR obfuscation — the most common
# The malware stores its strings XOR-encoded with a key
# and decodes them at runtime before use
# XOR decode with Python:
encoded = [0x4d, 0x60, 0x69, 0x69, 0x6a]   # "Hello" XORed with 0x05 (example)
key = 0x05
decoded = bytes([b ^ key for b in encoded])
print(decoded.decode())                    # Hello
# xortool:
xortool suspicious.bin                     # guesses the XOR key
xortool -x -k 05 file.bin                  # XOR with key 0x05
# CyberChef (web UI):
# XOR → Base64 → ROT13 → chain the operations to decode
# Base64-encoded strings:
echo "SGVsbG8=" | base64 -d
python3 -c "import base64; print(base64.b64decode('SGVsbG8='))"
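When the key is unknown, the usual move is what xortool does for a one-byte key: try all 256 and score each candidate plaintext. This added example (not from the original page) does that with an English letter-frequency score; the encoded blob is constructed from made-up config strings, not taken from a real sample.

```python
# Relative letter frequencies in English plus the space character; space is the
# most common byte in ASCII text, which makes it a strong signal for the right key.
ENGLISH_FREQ = {
    'a': .082, 'b': .015, 'c': .028, 'd': .043, 'e': .127, 'f': .022, 'g': .020,
    'h': .061, 'i': .070, 'j': .002, 'k': .008, 'l': .040, 'm': .024, 'n': .067,
    'o': .075, 'p': .019, 'q': .001, 'r': .060, 's': .063, 't': .091, 'u': .028,
    'v': .010, 'w': .024, 'x': .002, 'y': .020, 'z': .001, ' ': .130,
}

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encodes and decodes."""
    return bytes(b ^ key for b in data)

def english_score(candidate: bytes) -> float:
    """Higher is more English-like. Non-printable bytes are penalised hard,
    because a wrong key almost always produces control characters."""
    score = 0.0
    for b in candidate:
        if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D):
            score += ENGLISH_FREQ.get(chr(b).lower(), 0.0)
        else:
            score -= 1.0
    return score

def recover_xor_key(blob: bytes, top: int = 3) -> list[tuple[int, float]]:
    """Brute-force all 256 single-byte keys and return (key, score), best first."""
    ranked = sorted(((english_score(xor_bytes(blob, k)), k) for k in range(256)),
                    reverse=True)
    return [(k, round(s, 2)) for s, k in ranked[:top]]

def decode_best(blob: bytes) -> tuple[int, bytes]:
    """Key and plaintext for the best-scoring candidate."""
    key = recover_xor_key(blob, top=1)[0][0]
    return key, xor_bytes(blob, key)

# Constructed sample: config-like strings as malware might embed them,
# XOR-encoded with key 0x5A (invented for this example)
PLAINTEXT = (b"http://c2server.evil/beacon user agent mozilla windows "
             b"currentversion run powershell encrypt all the files")
SAMPLE_KEY = 0x5A
ENCODED_BLOB = xor_bytes(PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, score in recover_xor_key(ENCODED_BLOB):
        print(f"key=0x{key:02x} score={score:6.2f} {xor_bytes(ENCODED_BLOB, key)[:32]!r}")
```

The printability penalty is what separates the true key from its case-flipped twin (key XOR 0x20), which keeps letters readable but turns every space into a NUL byte.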

📦 Packing — Remember

  • ✅ UPX → unpack with upx -d file.exe
  • High entropy → packed | no strings → obfuscated
  • ✅ Anti-debug → use the ScyllaHide plugin
  • ✅ XOR decode → xortool or CyberChef
CHAPTER 08
🔎 YARA Rules
Pattern matching for identifying malware — the core weapon of Threat Hunting

What is YARA?

YARA is a pattern matching tool for malware researchers. It identifies malware using specific strings, hex patterns, or conditions. It is widely used in AV, SIEM, and Threat Intel platforms.

How to Write YARA Rules

// Basic YARA rule structure:
rule RuleName
{
    meta:
        description = "what it detects"
        author = "your name"
        date = "2025-01-01"
        severity = "high"
    strings:
        $s1 = "http://c2server.evil"            // ASCII string
        $s2 = "password.exe" nocase             // case insensitive
        $s3 = "ransom" wide                     // Unicode (wide char)
        $h1 = { 4D 5A 90 00 03 00 00 00 }       // hex pattern (PE header)
        $h2 = { 60 ?? ?? ?? 61 }                // ?? = wildcard byte
        $r1 = /https?:\/\/[a-z0-9]+\.ru\//      // regex
    condition:
        // match when every string is present:
        all of them
        // alternatives for the condition:
        //   any of ($s*)                     -- any one of the $s strings
        //   filesize < 1MB and $s1 and $h1   -- with a file size check
        //   uint16(0) == 0x5A4D and $s1      -- must be a PE file (MZ header)
}

Real YARA Rule Examples

// Ransomware detection rule:
rule Ransomware_Generic
{
    meta:
        description = "Generic Ransomware Detection"
        severity = "critical"
    strings:
        $ransom1 = "Your files have been encrypted" nocase
        $ransom2 = "bitcoin" nocase
        $ransom3 = "decrypt" nocase
        $ransom4 = ".onion"
        $ransom5 = "pay" nocase
        $crypto1 = "CryptEncrypt"
        $crypto2 = "CryptoAPI"
    condition:
        3 of ($ransom*) or (1 of ($ransom*) and 1 of ($crypto*))
}

// Suspicious PE with download capability:
rule Suspicious_Downloader
{
    meta:
        description = "PE file that downloads content"
    strings:
        $url = /https?:\/\/[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/
        $api1 = "URLDownloadToFile"
        $api2 = "WinINet"
        $api3 = "HttpSendRequest"
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and $url and any of ($api*)
}

Running YARA

# Install:
sudo apt install yara            # Linux
pip install yara-python          # Python
# Scan one file:
yara my_rule.yar suspicious.exe
# Directory scan:
yara -r my_rule.yar /path/to/files/
# Multiple rules:
yara rules/*.yar suspicious.exe
# With Python:
import yara
rules = yara.compile('my_rule.yar')
matches = rules.match('suspicious.exe')
for match in matches:
    print(match.rule, match.strings)
# Online YARA resources:
# Yara Rules GitHub: https://github.com/Yara-Rules/rules
# Awesome YARA:      https://github.com/InQuest/awesome-yara
# yarahub.io — community YARA rules
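To see what the conditions in the two rules above actually evaluate, this added example (not from the original page and not a substitute for yara-python) reimplements the pieces they use in plain Python: hex patterns with `??` wildcards, `uint16(0)`, `filesize`, `nocase`, and the "N of ($prefix*)" counting; the sample blobs are constructed, not real files.

```python
import re

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a YARA hex string such as '{ 60 ?? ?? ?? 61 }' into a bytes regex.
    '??' is a one-byte wildcard; every other token is an exact byte."""
    tokens = pattern.strip().strip("{}").split()
    body = b"".join(b"." if t == "??" else re.escape(bytes([int(t, 16)]))
                    for t in tokens)
    return re.compile(body, re.DOTALL)

def find_hex(data: bytes, pattern: str) -> list[int]:
    """Offsets where the hex pattern matches (what YARA reports as @h)."""
    return [m.start() for m in hex_pattern_to_regex(pattern).finditer(data)]

def uint16(data: bytes, offset: int) -> int:
    """YARA's uint16(): little-endian 16-bit read at offset."""
    return int.from_bytes(data[offset:offset + 2], "little")

def contains(data: bytes, s: bytes, nocase: bool = False) -> bool:
    """A plain-string match, with YARA's `nocase` modifier when requested."""
    return s.lower() in data.lower() if nocase else s in data

# $url from Suspicious_Downloader: http(s):// followed by a dotted-quad IP
URL_IP = re.compile(rb"https?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
DOWNLOADER_APIS = [b"URLDownloadToFile", b"WinINet", b"HttpSendRequest"]

def suspicious_downloader(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and filesize < 5MB and $url and any of ($api*)"""
    return (uint16(data, 0) == 0x5A4D
            and len(data) < 5 * 1024 * 1024          # YARA's MB is 1024*1024
            and URL_IP.search(data) is not None
            and any(api in data for api in DOWNLOADER_APIS))

RANSOM_NOCASE = [b"Your files have been encrypted", b"bitcoin", b"decrypt", b"pay"]
CRYPTO_STRINGS = [b"CryptEncrypt", b"CryptoAPI"]

def ransomware_generic(data: bytes) -> bool:
    """3 of ($ransom*) or (1 of ($ransom*) and 1 of ($crypto*))
    $ransom4 = ".onion" carries no nocase modifier, so it is matched exactly."""
    ransom_hits = sum(contains(data, s, nocase=True) for s in RANSOM_NOCASE)
    ransom_hits += contains(data, b".onion")
    crypto_hits = sum(contains(data, s) for s in CRYPTO_STRINGS)
    return ransom_hits >= 3 or (ransom_hits >= 1 and crypto_hits >= 1)

# Constructed samples (not real binaries): a PE-like blob with a hardcoded
# download URL (203.0.113.5 is a documentation address) and a PUSHAD..POPAD
# byte sequence, the same bytes behind an ELF magic, and a ransom-note blob.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 4 + b"\x60\x01\x02\x03\x61" + b"\x00" * 3
             + b"http://203.0.113.5/payload.bin\x00" + b"URLDownloadToFileA\x00")
SAMPLE_ELF = b"\x7fELF" + SAMPLE_PE[4:]
SAMPLE_RANSOM = (b"MZ\x90\x00" + b"Your Files Have Been Encrypted! "
                 b"Pay 0.5 bitcoin via tor (.onion) to get the key.")

if __name__ == "__main__":
    print("pushad..popad at", find_hex(SAMPLE_PE, "{ 60 ?? ?? ?? 61 }"))
    print("Suspicious_Downloader:", suspicious_downloader(SAMPLE_PE),
          suspicious_downloader(SAMPLE_ELF))
    print("Ransomware_Generic:", ransomware_generic(SAMPLE_RANSOM),
          ransomware_generic(SAMPLE_PE))   # "pay" nocase also hits "payload"
```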

🔎 YARA — Remember

  • ✅ String + Hex + Regex → three types of patterns
  • uint16(0) == 0x5A4D → how to identify PE files
  • nocase, wide → handle case and Unicode
  • Real rules: get them from the Yara-Rules GitHub
CHAPTER 09
🌍 Famous Malware Families
Analysis of real-world malware — learning from history

WannaCry — The World's Most Famous Ransomware

💀 WannaCry (2017)

  • Type: Ransomware Worm
  • Exploit: EternalBlue (NSA, CVE-2017-0144)
  • Protocol: SMB v1 (Port 445)
  • Extension: .WNCRY
  • Ransom: $300-600 in Bitcoin
  • Kill switch: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • 230,000+ systems in 150+ countries affected

🔬 IOC

  • MD5: db349b97c37d22f5ea1d1841e3c89eb4
  • Dropped: tasksche.exe
  • Registry: HKCU\SOFTWARE\WanaCrypt0r
  • Mutex: Global\MsWinZonesCacheCounterMutexA
  • Bitcoin wallets (3)
  • AES + RSA encryption
  • Ransom note: @Please_Read_Me@.txt

Emotet — The Most Dangerous Botnet

# Emotet — modular banking trojan / loader (2014-2021, 2022-)
# ★ Infection vector: malicious Word/Excel macro
# ★ Payload: download and execute (TrickBot, Ryuk)
# Infection chain:
# Phishing email → Word doc → Enable Macros → PowerShell → download Emotet
# Emotet → spreads via email (steals contacts) → downloads TrickBot
# TrickBot → credential theft → domain admin → Ryuk ransomware
# Emotet IOCs:
# Network:     HTTPS beacon to C2 (encrypted)
# Process:     regsvr32.exe, wscript.exe, powershell.exe
# Registry:    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
# Persistence: Scheduled Task or Registry Run key
# Detection:
strings emotet_sample.exe | grep -i "powershell\|wscript\|regsvr"

Cobalt Strike — Red Team Tool → Used as Malware

# Cobalt Strike — legitimate pentest tool, used by APT groups
# Beacon → C2 communication
# Detect a Cobalt Strike Beacon:
strings beacon.exe | grep -i "sleep\|checkin\|pipe"
# Network pattern:
# HTTP/HTTPS C2 polling (configurable interval)
# User-Agent: hardcoded Mozilla string
# 1768.py — CS config extraction:
python3 1768.py -r beacon.exe
# Shodan dork (exposed CS servers):
# product:"Cobalt Strike Beacon"
# YARA rule for CS:
# strings: "MZ" PE header + specific CS strings
# https://github.com/Neo23x0/signature-base

Mimikatz — Credential Theft Tool

# Mimikatz — Windows credential extraction (post-exploitation)
# Pulls plaintext passwords out of LSASS memory
# Common commands (to understand the attacker's perspective):
privilege::debug              # obtain the debug privilege
sekurlsa::logonpasswords      # dump plaintext passwords and hashes
sekurlsa::pth                 # Pass-the-Hash attack
lsadump::sam                  # SAM database dump
lsadump::dcsync               # Domain Controller sync (AD attack)
kerberos::golden              # Golden ticket attack
# Detect Mimikatz:
strings mimikatz.exe | grep -i "sekurlsa\|lsass\|wdigest"
# Defense:
# Enable Windows Defender Credential Guard
# Use the Protected Users group
# Disable WDigest: HKLM\SYSTEM\...\WDigest\UseLogonCredential = 0

🌍 Famous Malware — Remember

  • ✅ WannaCry → EternalBlue SMB exploit → AES+RSA encryption
  • ✅ Emotet → macro → PowerShell → loader for other malware
  • ✅ Cobalt Strike → legitimate tool, used by APT groups
  • ✅ Mimikatz → LSASS → extracts plaintext passwords
CHAPTER 10
📋 Cheat Sheet & Roadmap
All important commands and the path to becoming a Malware Analyst

🔬 Static Analysis Cheat Sheet

📁 File Info
file suspicious.exe              → File type
sha256sum file.exe               → Hash (VT search)
strings -n 8 file.exe            → Hidden strings
xxd file.exe | head              → Hex dump
die file.exe                     → Packer detect
upx -d file.exe                  → UPX unpack
🐍 PE Analysis
python3 -c "import pefile; pe=pefile.PE('f.exe'); [print(e.dll) for e in pe.DIRECTORY_ENTRY_IMPORT]"  → Imports
pestudio → open file             → GUI PE analysis
objdump -d file.exe              → Disassemble
readelf -a file.elf              → ELF headers

🏃 Dynamic Analysis Cheat Sheet

🐧 Linux (strace)
strace -f ./malware 2>&1 | tee log.txt   → All syscalls
strace -e trace=network ./m              → Network only
ltrace ./malware                         → Library calls
tcpdump -i eth0 -w cap.pcap              → Network capture
cat /proc/PID/maps                       → Memory map
🪟 Windows Tools
procmon.exe → Filter: process            → File/Reg/Net monitor
Regshot → 1st shot → run → 2nd → compare → Registry diff
wireshark -i eth0                        → Network traffic
fakenet                                  → Fake internet
processhacker.exe                        → Process & memory

⚙️ RE & YARA Cheat Sheet

⚙️ Reverse Engineering
ghidra → open → analyze → decompile      → Free disassembler
r2 file; aaa; afl; pdf @ main            → radare2
gdb -q ./elf                             → Linux debug
x64dbg → F2 BP, F7 step, F9 run          → Windows debug
upx -d packed.exe                        → UPX unpack
🔎 YARA
yara rule.yar suspect.exe                → Single scan
yara -r rules/*.yar /path/               → Directory scan
uint16(0) == 0x5A4D                      → PE file check
$s = "evil" nocase wide                  → String match
any.run → upload → IOC download          → Sandbox

🗺️ Malware Analyst Roadmap

1. 📚 Phase 1 — Foundation (1-2 months)
Without OS internals, networking, and basic programming, malware is hard to understand.
Windows Internals, Linux basics, Python scripting, C/C++ basics, x86 Assembly
2. 🔬 Phase 2 — Static Analysis (1-2 months)
File analysis, PE structure, strings — learn to analyze without running the malware.
REMnux setup, file/strings/hexdump, pefile (Python), pestudio, DIE, VirusTotal
3. 🏃 Phase 3 — Dynamic Analysis (1-2 months)
Set up a VM, learn to use sandboxes, monitor behavior.
FlareVM setup, Procmon, Regshot, Wireshark, Any.run, Cuckoo Sandbox
4. ⚙️ Phase 4 — Reverse Engineering (2-3 months)
Assembly, Ghidra, Debugger — this is where real expertise is built.
x86 Assembly, Ghidra/IDA, x64dbg, YARA rules, CTF reversing
5. 🏆 Phase 5 — Real Malware & Career (ongoing)
Analyze real malware, write reports, contribute to the community.
MalwareBazaar samples, write reports, GREM cert, Threat Intel, SOC Analyst

📚 Best Resources

Resource                          | Type     | Topic
Practical Malware Analysis (book) | Book     | The best book — Sikorski & Honig
MalwareBazaar                     | Samples  | Free real malware samples
Any.run                           | Sandbox  | Interactive analysis
OpenSecurityTraining2             | Course   | Free RE/malware courses
Ghidra Course (NSA)               | Course   | Official Ghidra training
CTF RE challenges                 | Practice | picoCTF, crackmes.one
REMnux                            | VM       | Free analysis distro
Yara-Rules GitHub                 | Rules    | Community YARA rules

🦠 "Know your enemy — analyze the malware before it spreads."

This document is entirely for educational purposes. Analyze malware; don't create or spread it.

v1.0 — Malware Analysis & Reverse Engineering