A personal research lab built to practice and document malware analysis from start to finish. It covers static triage, behavioral detonation, memory forensics, and writing detection content based on what I find.
I built this lab to sharpen the skills that matter most in detection engineering and malware analysis roles. Every sample I work through follows the same structured process: triage it statically, detonate it in an isolated environment, pull the memory, and turn those findings into actual detection rules. The point is not just to document what the malware does but to understand the behavior well enough to catch it in a real environment.
| Component | Details |
|---|---|
| Host OS | Windows 11 Pro |
| Hypervisor | VirtualBox 7.1 |
| Analysis VM (Windows) | FLARE-VM, Windows 11 Pro 24H2, Host-Only isolated |
| Analysis VM (Linux) | REMnux, Ubuntu 24.04, Host-Only isolated |
| Network Simulation | INetSim on REMnux |
| Network Monitor | Wireshark, tcpdump |
| SIEM | Wazuh |
| Memory Forensics | Volatility 3 |
| Log Analysis | Elastic Stack / Kibana |
Both VMs run on an isolated Host-Only adapter (192.168.56.0/24) with no external internet access during detonation. FLARE-VM sits at 192.168.56.100 and REMnux sits at 192.168.56.101. Both are reverted to clean baseline snapshots before every session and again immediately after.
```
malware-analysis-lab/
├── docs/                  # Lab architecture, tool rationale, safety practices
├── setup/                 # VM configuration and environment setup guides
├── static-analysis/       # Pre-execution findings and YARA rules
├── dynamic-analysis/      # Behavioral analysis, IOC extraction, network findings
├── memory-forensics/      # Volatility 3 workflows and memory artifact reports
├── detection-engineering/ # Sigma rules, Wazuh alerts, MITRE ATT&CK mapping
├── tools-reference/       # Personal notes and cheat sheets for core tools
└── samples-index.md       # Index of all analyzed samples with report links
```
Every sample goes through four phases in the same order.
**Phase 1 — Static Analysis**

Pre-execution inspection before anything runs. File header review, section entropy, import table examination, string extraction, and YARA and CAPA against the binary to surface capabilities and known signatures. For ELF binaries, readelf, objdump, and FLOSS on REMnux replace the Windows-focused tooling.

**Phase 2 — Dynamic Analysis**

Detonation in an isolated VM with full monitoring running before the sample executes. File system changes, process creation, and network activity are captured via ProcMon and Wireshark on FLARE-VM, or tcpdump and inotifywait on REMnux for Linux samples. INetSim intercepts all outbound traffic and logs every connection attempt. IOCs get pulled at the end of each session and documented in a structured format.

**Phase 3 — Memory Forensics**

After detonation a memory image is acquired and run through Volatility 3. The focus is injected code, hidden processes, suspicious network connections, and anything the malware tried to hide from on-disk inspection.

**Phase 4 — Detection Engineering**

Findings from all three phases get turned into detection content: Sigma rules deployable across any SIEM, custom Wazuh alert rules tied to specific behaviors, and MITRE ATT&CK technique mappings for every relevant finding.
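As an added example of the Phase 1 section-entropy step (my own stdlib-only script, not code from this lab's repository), the block below walks a PE file's section table by hand, scores each section's Shannon entropy, and flags any section at or above a 7.0 threshold as likely packed or encrypted. The function names and the 7.0 cut-off are my assumptions, and the binary it parses is a constructed toy PE built in `build_sample_pe()`, not a real sample.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: near 0 for repetitive data, 8.0 for a flat byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes) -> list:
    """Walk the COFF section table by hand (no pefile) and score each section's raw bytes."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    size_opt = struct.unpack_from("<H", blob, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, table + i * 40)
        raw = blob[rawptr:rawptr + rawsize]                   # slicing stays bounds-safe on truncated files
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections

def triage(blob: bytes, threshold: float = 7.0) -> dict:
    """Section table plus the names of sections whose entropy suggests packing or encryption."""
    secs = pe_sections(blob)
    return {"sections": secs,
            "likely_packed": [s["name"] for s in secs if s["entropy"] >= threshold]}

def build_sample_pe() -> bytes:
    """Constructed toy PE for this demo (not a real sample): a plain .text plus a flat-histogram UPX1."""
    text = b"\x90" * 500 + b"\xc3" * 12    # NOP sled and a few RETs: very low entropy
    packed = bytes(range(256)) * 4        # every byte value equally often: entropy exactly 8.0
    hdr_len = 0x40 + 4 + 20 + 2 * 40      # DOS header, PE signature, COFF header, two section headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)        # e_lfanew points at 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 0, 0x22)   # x64, 2 sections, no optional header
    def sect(name, data, ptr):            # one 40-byte IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + sect(b".text", text, hdr_len)
            + sect(b"UPX1", packed, hdr_len + len(text)) + text + packed)
```

Run `triage(open(path, "rb").read())` against a real file to get the same per-section report; a high-entropy section is a prompt to unpack before the import-table and string steps, not proof of malice on its own.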
| Category | Tools |
|---|---|
| Static Analysis | PEStudio, CAPA, Detect-It-Easy, FLOSS, strings, readelf, objdump |
| Dynamic Analysis | ProcMon, Noriben, Wireshark, FakeNet-NG, x64dbg, tcpdump, INetSim |
| Memory Forensics | Volatility 3, WinPmem, avml |
| Detection Engineering | Sigma, Wazuh, Elastic SIEM |
| Threat Intelligence | MalwareBazaar, VirusTotal, ANY.RUN, Malpedia, MITRE ATT&CK |
See samples-index.md for a full table of every sample analyzed, including malware family, type, architecture, source, and links to individual reports.
No malware binaries, memory dumps, or packet captures are stored in this repository. All findings are documented in report format only.
MalwareBazaar is the primary sample source; ANY.RUN is used for sandbox comparison, Malpedia for family-level context, and MITRE ATT&CK for technique mapping. Analysis environments are FLARE-VM and REMnux. Memory analysis runs on Volatility 3.
All samples come from public threat intelligence repositories and are handled exclusively inside an isolated lab environment. No malicious code is stored or distributed through this repository.