Static Malware Analysis in a Controlled FlareVM Lab (Beginner SOC Perspective)


Hi, I’m Ridesh — a Computer Engineering student on the path to becoming a SOC Analyst. I’m here to share my journey of learning cybersecurity, building projects, and improving my mindset while growing publicly. I’m passionate about cyber defense, psychology, philosophy, ancient wisdom, anime mindset lessons, and everything that builds mental strength. My goal is simple: Build a strong cybersecurity foundation, grow consistently, and connect with people who think like me. If you’re on a similar journey, you’re in the right place — let’s learn and grow together.

As part of my hands-on learning journey toward becoming a SOC Analyst, I recently performed a static malware analysis on a real malware sample using a dedicated Malware Analysis Virtual Machine (FlareVM).

This blog documents how I safely analyzed the malware without executing it, the tools I used, and the key findings I extracted — following a workflow similar to what is expected in real SOC environments.

⚠️ Disclaimer:

No malware is shared in this blog.

All analysis was performed inside an isolated virtual machine with no internet exposure.


🧪 Lab Environment Overview

Before beginning analysis, I ensured the environment was properly isolated and prepared.

  • Host OS: Windows

  • Hypervisor: Oracle VirtualBox

  • Guest OS: Windows 10

  • Analysis Framework: FlareVM

  • Network Mode: Host-Only Adapter (Isolated)

📸 Screenshot:

VM running with malware sample stored in a dedicated analysis folder

Host-only networking gives the guest no route to the internet, so even if the sample were executed it could not reach a command-and-control server or fetch a second stage. It does not isolate the guest from the host itself: the host is reachable on the host-only interface, so shared folders, clipboard sharing and drag-and-drop should stay disabled, and a clean snapshot taken before the sample is copied in lets the VM be reverted afterwards.


📦 Malware Sample Acquisition

The malware sample was provided in a compressed archive.

Before any inspection, I carefully extracted the sample into a separate analysis directory inside the VM.

📸 Screenshot:

Malware sample extracted from archive and stored safely

At this stage, the malware was not executed.


🔑 File Hash Analysis

To uniquely identify the sample and check its reputation, I calculated cryptographic hashes using HashMyFiles. SHA-256 is the identifier to record and share; MD5 is kept only because older reports and some tools still index on it, since MD5 collisions have been practical for years.

  • MD5

  • SHA-256

📸 Screenshot:

HashMyFiles showing MD5 and SHA-256 hashes

These hashes were later used to:

  • Search threat intelligence platforms

  • Identify known detections

  • Correlate indicators of compromise (IOCs)


🧬 File Type Identification

Next, I confirmed the true file type using HxD to inspect the file signature.

📸 Screenshot:

HxD showing file header / magic bytes

To validate the signature, I cross-referenced it with known file signatures.

📸 Screenshot:

Wikipedia file signature reference

📌 Result:

The file signature was that of a Windows executable: the 'MZ' DOS header (bytes 0x4D 0x5A) that every PE image begins with. The signature alone does not tell an .exe from a .dll; that is decided by the Characteristics field of the PE header, which PEStudio displays, so the extension is only trusted once the header agrees with it.
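As an added example (not part of the original post, and not code from HxD or HashMyFiles), the following Python script reproduces both checks that the hash and file-type sections did by hand: it hashes the bytes and names the type from content rather than extension, walking the DOS header to the PE signature and reading the COFF Machine and Characteristics fields so it can tell an EXE from a DLL. The PE skeleton it builds for itself is constructed for the demonstration and is not a real sample; the non-PE signatures in the table are the common ones from public file-signature lists.

```python
import hashlib
import struct

# Non-PE signatures an analyst meets most often (subset of the public
# file-signature lists; extend as needed).
MAGIC = [
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also DOCX/XLSX/JAR/APK)"),
    (b"\x7fELF", "ELF executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office)"),
    (b"Rar!\x1a\x07", "RAR archive"),
]


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the raw bytes, as HashMyFiles reports them."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def identify(data: bytes) -> str:
    """Name the file type from its content; the extension is never consulted."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at 0x3C points at the 'PE\0\0' signature.  A lone 'MZ' is
        # not enough: old DOS programs and truncated files carry it too.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00" and len(data) >= e_lfanew + 24:
            # COFF header: Machine at +4, Characteristics at +22 from the signature.
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            characteristics = struct.unpack_from("<H", data, e_lfanew + 22)[0]
            arch = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}.get(machine, hex(machine))
            kind = "DLL" if characteristics & 0x2000 else "EXE"   # IMAGE_FILE_DLL
            return f"Windows PE {kind} ({arch})"
        return "MZ header without PE signature (DOS program or damaged PE)"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def constructed_pe(dll: bool = False) -> bytes:
    """Stand-in for a sample: valid DOS and COFF headers, no code (constructed)."""
    e_lfanew = 0x80
    header = bytearray(e_lfanew)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    characteristics = 0x0102 | (0x2000 if dll else 0)   # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(header) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    sample = constructed_pe()
    print(hashes(sample))
    print(identify(sample))                  # Windows PE EXE (x86)
    print(identify(constructed_pe(dll=True)))  # Windows PE DLL (x86)
    print(identify(b"%PDF-1.7\n"))            # PDF document
```

Run it against a real file with `identify(open(path, "rb").read())`; a sample that ends up as "unknown" or as a ZIP container when its name says .exe is exactly the case this check exists for.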


🔍 Strings Analysis

Using PEStudio, I analyzed the strings embedded in the executable.

📸 Screenshot:

PEStudio strings section

Strings analysis can reveal:

  • Hardcoded URLs

  • Suspicious commands

  • File paths

  • Debug artifacts

Several suspicious strings suggested potential malicious behavior.
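An added example, not from the post or from PEStudio, of what a strings pass actually does under the hood. It runs two scans over the bytes: plain ASCII runs, and UTF-16LE runs (each character followed by a 0x00 byte), which is how Windows binaries store most wide-character strings and what a naive ASCII-only scan misses. The byte blob it scans is constructed for the demonstration; the URL, path and command line in it are invented.

```python
import re


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    Two passes: plain ASCII, and UTF-16LE (each character followed by a 0x00 byte).
    Offsets are kept so a string can be located again in the hex editor.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def triage_strings(data: bytes) -> dict:
    """Group extracted strings by encoding, de-duplicated, for the analyst's notes."""
    result = {"ascii": [], "utf-16le": []}
    for _offset, enc, text in extract_strings(data):
        if text not in result[enc]:
            result[enc].append(text)
    return result


# Constructed byte blob standing in for a binary: one ASCII URL, one wide-char path,
# one ASCII command line, plus header-like and random bytes that must not show up.
CONSTRUCTED_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"http://example.test/update.bin\x00"
    + b"\xff\xfe\xfd\xfc"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16le") + b"\x00\x00"
    + b"cmd.exe /c whoami\x00"
    + b"\x01\x02\x03"
)


if __name__ == "__main__":
    for offset, enc, text in extract_strings(CONSTRUCTED_BLOB):
        print(f"{offset:#06x} {enc:<9} {text}")
```

On a packed sample this pass returns little beyond the packer's own stub text; a near-empty strings list is itself a finding that points back to the entropy check.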


🧩 PE Imports Analysis

I then inspected the imported Windows API functions.

📸 Screenshot:

PEStudio import flags

📸 Screenshot:

Detailed Sections table in PEStudio

Imports related to:

  • Process manipulation (for example OpenProcess, WriteProcessMemory, CreateRemoteThread)

  • File system access

  • Networking

can indicate malicious intent even without execution. Two caveats apply when reading the table. Every one of these APIs also appears in legitimate software, so it is the combination that is suspicious rather than any single entry. And a packed sample often shows only a handful of imports such as LoadLibraryA and GetProcAddress, because the real import table is rebuilt in memory at runtime; a near-empty import list is itself a finding, not a sign that the file is harmless.
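An added example (not from the post or PEStudio) of turning an import list into behaviour hints. It takes the function names as PEStudio lists them and reports a capability only when several of its APIs occur together, and it flags the tiny LoadLibrary/GetProcAddress import table a packer stub leaves behind. The API groupings, the two-hit threshold and the three import lists are assumptions constructed for this example, not PEStudio's rules or any real sample.

```python
# Illustrative API groupings; these are assumptions of this example, not a PEStudio
# rule set, and every API here also appears in legitimate software.
CAPABILITIES = {
    "process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "CreateRemoteThread", "NtCreateThreadEx", "QueueUserAPC"},
    "dynamic API resolution": {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"},
    "network download": {"InternetOpenA", "InternetOpenUrlA", "InternetReadFile",
                         "URLDownloadToFileA", "WinHttpOpen", "WSAStartup", "connect", "recv"},
    "registry persistence": {"RegOpenKeyExA", "RegOpenKeyExW", "RegSetValueExA",
                             "RegSetValueExW", "RegCreateKeyExA", "RegCreateKeyExW"},
    "file drop": {"GetTempPathA", "GetTempPathW", "CreateFileA", "CreateFileW", "WriteFile"},
    "anti-analysis": {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess", "OutputDebugStringA"},
}

# A capability counts only when this many of its APIs appear together; a lone
# CreateFileW or GetProcAddress is in almost every program on the system.
MIN_HITS = 2


def assess_imports(imports) -> dict:
    """Map a list of imported API names to behaviour hints and a packing flag."""
    names = set(imports)
    hits = {}
    for capability, apis in CAPABILITIES.items():
        matched = sorted(names & apis)
        if len(matched) >= MIN_HITS:
            hits[capability] = matched
    # Packers leave a stub that imports almost nothing and resolves the real
    # table at runtime, so a tiny import list is itself a finding.
    packed_stub = len(names) <= 6 and "GetProcAddress" in names and (
        "LoadLibraryA" in names or "LoadLibraryW" in names)
    return {"capabilities": hits, "likely_packed_stub": packed_stub,
            "import_count": len(names)}


# Constructed import lists for three typical situations (not from any real sample).
INJECTOR = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
            "GetTempPathW", "CreateFileW", "WriteFile", "InternetOpenA", "InternetOpenUrlA"]
PACKED_STUB = ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc", "ExitProcess"]
BENIGN_LOOKING = ["CreateFileW", "ReadFile", "CloseHandle", "MessageBoxW", "GetProcAddress"]


if __name__ == "__main__":
    for label, imports in (("injector", INJECTOR), ("packed stub", PACKED_STUB),
                           ("benign-looking", BENIGN_LOOKING)):
        print(label, assess_imports(imports))
```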


📊 Entropy Analysis

Entropy was analyzed to detect potential obfuscation or packing.

📸 Screenshot:

PEStudio entropy results

📌 Observation:

Entropy is measured in bits per byte on a scale from 0 to 8. Ordinary compiled code and text stay well below 7, while compressed or encrypted data approaches 8. High entropy in certain sections suggested the file may be packed or obfuscated, which is common in malware. The reading is a hint rather than proof: a .rsrc section holding compressed images or an embedded certificate also scores high, whereas a high-entropy code section together with a nearly empty import table or packer-style section names such as UPX0/UPX1 is a much stronger signal.
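To make the entropy figures concrete, here is an added example (not from the post or from PEStudio) that walks the PE section table, computes Shannon entropy over each section's raw bytes, and applies three common packing heuristics: an entropy threshold, sections with no raw data but a large virtual size, and packer-style section names. The PE it analyses is constructed inside the script, with a plain `.text` section, a random-filled `UPX1` and a data-less `UPX0`; the 7.0 threshold and the name list are this example's assumptions.

```python
import math
import random
import struct


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data: bytes) -> list:
    """Return one dict per section header: name, sizes and entropy of its raw bytes."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": virt_size, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return sections


def packing_indicators(sections: list) -> list:
    """Heuristics, not proof; each returned string is one reason to suspect a packer."""
    reasons = []
    for s in sections:
        if s["raw_size"] >= 512 and s["entropy"] > 7.0:
            reasons.append(f"{s['name']}: entropy {s['entropy']} looks compressed or encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes virtual "
                           "(filled at runtime)")
        if s["name"].upper().startswith(("UPX", ".ASPACK", ".VMP", ".THEMIDA", ".PETITE")):
            reasons.append(f"{s['name']}: packer-style section name")
    return reasons


def constructed_sample() -> bytes:
    """Not a real sample: a PE32 skeleton with .text (plain), UPX1 (random) and UPX0 (empty)."""
    rng = random.Random(7)
    text = b"\x90\xcc" * 256                                # two symbols -> entropy exactly 1.0
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))  # pseudo-random -> entropy near 8.0
    e_lfanew, opt_size = 0x40, 0xE0                        # PE32 optional header is 0xE0 bytes
    table = e_lfanew + 4 + 20 + opt_size
    raw0 = table + 40 * 3                                  # raw data starts after 3 headers
    hdr = bytearray(raw0)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 3, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", hdr, e_lfanew + 24, 0x10B)     # optional header Magic = PE32
    layout = [(b".text", len(text), len(text), raw0),
              (b"UPX1", len(upx1), len(upx1), raw0 + len(text)),
              (b"UPX0", 0x8000, 0, 0)]
    for i, (name, vsize, rsize, rptr) in enumerate(layout):
        off = table + 40 * i
        hdr[off:off + 8] = name.ljust(8, b"\x00")
        struct.pack_into("<IIII", hdr, off + 8, vsize, 0x1000 * (i + 1), rsize, rptr)
    return bytes(hdr) + text + upx1


if __name__ == "__main__":
    secs = pe_sections(constructed_sample())
    for s in secs:
        print(f"{s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']}")
    for reason in packing_indicators(secs):
        print("!", reason)
```

Point `pe_sections` at a real file's bytes and compare its per-section figures with PEStudio's; the two should agree, and the indicator list is the wording to carry into the analysis notes.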


🌐 VirusTotal Reputation (Hash-Based)

Using the previously generated hash, I checked the file reputation on VirusTotal.

📸 Screenshot:

VirusTotal detection results

This provided:

  • Detection ratios

  • Malware classification hints (family labels assigned by the engines)

  • Strong corroboration that the file is malicious

Two points of SOC practice apply here. Search by hash only: uploading the file shares it with the whole VirusTotal community and can tip off an attacker who watches the platform for their own sample. And a low or zero detection count on a fresh sample is not evidence that it is benign; it only means the engines have not caught up yet.
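An added example, not from the post, of the hash-only lookup in code: it builds the VirusTotal v3 `GET /api/v3/files/{hash}` request with the `x-apikey` header (so only the digest leaves the lab), and reduces the returned file object to the figures an analyst writes down. Nothing is sent when the script runs; the report it summarises is constructed in the shape of a v3 response, with invented numbers and engine names. The ratio definition and the five-engine verdict threshold are this example's assumptions, not VirusTotal's.

```python
import json
import urllib.request

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def build_hash_lookup(sha256: str, api_key: str) -> urllib.request.Request:
    """A GET by hash sends only the digest; the sample itself never leaves the lab."""
    return urllib.request.Request(
        VT_FILES_ENDPOINT + sha256.lower(),
        headers={"x-apikey": api_key, "Accept": "application/json"},
    )


def fetch_report(sha256: str, api_key: str, timeout: float = 15) -> dict:
    """Send the lookup from a connected machine, never from the isolated analysis VM."""
    with urllib.request.urlopen(build_hash_lookup(sha256, api_key), timeout=timeout) as resp:
        return json.load(resp)


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file object to what goes in the analyst's notes.

    Ratio definition is this example's: engines that returned a verdict
    (malicious, suspicious, harmless, undetected), excluding timeouts and
    unsupported file types.
    """
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    malicious = stats.get("malicious", 0)
    verdicts = malicious + sum(stats.get(k, 0) for k in ("suspicious", "harmless", "undetected"))
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    names = sorted({r["result"] for r in attrs.get("last_analysis_results", {}).values()
                    if r.get("result")})
    if malicious >= 5:                      # threshold is an assumption of this example
        verdict = "malicious (corroborated by multiple engines)"
    elif malicious:
        verdict = "inconclusive: few detections, inspect further"
    else:
        verdict = "no detections: unknown, not proven benign"
    return {"detections": f"{malicious}/{verdicts}", "suggested_label": label,
            "engine_names": names, "verdict": verdict}


# Constructed response in the shape of a v3 /files/{hash} object; the numbers and
# engine names are invented for this example.
CONSTRUCTED_REPORT = {"data": {"type": "file", "attributes": {
    "last_analysis_stats": {"malicious": 58, "suspicious": 1, "undetected": 12,
                            "harmless": 0, "timeout": 1, "type-unsupported": 4},
    "popular_threat_classification": {"suggested_threat_label": "trojan.generic/agent"},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "Trojan.Agent"},
        "EngineB": {"category": "malicious", "result": "Gen:Variant.Agent"},
        "EngineC": {"category": "undetected", "result": None},
    },
}}}


if __name__ == "__main__":
    print(build_hash_lookup("0" * 64, "<api-key>").full_url)
    print(summarize_report(CONSTRUCTED_REPORT))
```

To query a real hash, call `fetch_report(sha256, api_key)` from a machine that is allowed to reach the internet and feed the result to `summarize_report`.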


🚨 Extracted Indicators of Compromise (IOCs)

Based on static analysis, I extracted key IOCs and documented them.

📸 Screenshot:

Notepad showing extracted IOCs and summary

Extracted IOCs Included:

  • File hashes (MD5 / SHA-256)

  • Suspicious strings

  • Potential network indicators (from strings)

These IOCs can later be:

  • Fed into SIEM systems

  • Used for detection rules

  • Correlated during incident response
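An added example (not from the post) that turns strings copied out of a strings view into the typed, defanged IOC records the list above describes, in a shape a SIEM or detection rule can ingest. It classifies URLs, IPv4 addresses, domains, Windows paths and registry keys, drops addresses that live in binaries for reasons other than C2 (0.0.0.0, loopback, RFC 1918, link-local), and defangs anything network-related so the notes cannot be clicked. The regexes, the TLD list and the input strings are constructed for this example; the hosts and addresses in them are invented or from documentation ranges.

```python
import ipaddress
import json
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|biz|ru|cn|top|xyz|io)\b", re.I)
WINPATH_RE = re.compile(r"(?:[A-Za-z]:|%[A-Za-z]+%)\\[^\s\"'<>|*?]+")
REGKEY_RE = re.compile(r"(?:HKLM|HKCU|HKEY_[A-Z_]+|Software)\\[^\s\"'<>]+", re.I)

# Addresses that appear in binaries for reasons other than C2 (bind-any, loopback,
# RFC 1918, link-local); they are not indicators worth shipping to a SIEM.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "169.254.0.0/16")]


def defang(value: str) -> str:
    """Make an indicator unclickable: http -> hxxp, dots in the host -> [.]"""
    if "://" in value:
        scheme, rest = value.split("://", 1)
        host, sep, path = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path
    return value.replace(".", "[.]")


def routable(ip_text: str) -> bool:
    """True for a syntactically valid address outside the local ranges above."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:              # e.g. 300.1.1.1: matched the regex, not an address
        return False
    return not any(ip in net for net in LOCAL_NETS)


def extract_iocs(strings, source="strings") -> list:
    """Classify analyst-supplied strings into typed, defanged IOC records."""
    records, seen = [], set()

    def add(kind, value):
        if (kind, value) not in seen:
            seen.add((kind, value))
            records.append({"type": kind, "value": value,
                            "defanged": defang(value) if kind in ("url", "ipv4", "domain") else value,
                            "source": source})

    for s in strings:
        for m in URL_RE.finditer(s):
            add("url", m.group())
        for m in IPV4_RE.finditer(s):
            if routable(m.group()):
                add("ipv4", m.group())
        if not URL_RE.search(s):            # hosts inside URLs are already covered
            for m in DOMAIN_RE.finditer(s):
                add("domain", m.group())
        for m in WINPATH_RE.finditer(s):
            add("path", m.group())
        for m in REGKEY_RE.finditer(s):
            add("registry", m.group())
    return records


def to_json(records) -> str:
    return json.dumps(records, indent=2)


# Constructed strings, as an analyst might copy them out of a strings view.
CONSTRUCTED_STRINGS = [
    "!This program cannot be run in DOS mode.",
    "http://example.test/update.bin",
    "203.0.113.5",                      # documentation range, treated as external here
    "127.0.0.1",                        # loopback: dropped
    "0.0.0.0",                          # bind-any: dropped
    "6.2.9200.16384",                   # a version string, not an address
    "updates.badcdn-example.xyz",
    "C:\\Users\\Public\\svc.exe",
    "%APPDATA%\\Microsoft\\svc.exe",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "GetProcAddress",
]


if __name__ == "__main__":
    print(to_json(extract_iocs(CONSTRUCTED_STRINGS)))
```

The `source` field is there so that, when the same indicator later turns up in a sandbox run or a proxy log, the record shows which stage of the analysis first produced it.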


📝 Key Takeaways

  • Static analysis provides valuable insight without executing malware

  • Many indicators can be extracted safely

  • Proper lab isolation is non-negotiable

  • Documentation is just as important as analysis itself

This exercise helped me better understand how SOC analysts approach malware investigation in a safe and structured manner.


🔗 What’s Next?

I am currently working on:

  • Dynamic malware analysis of the same sample

  • Observing runtime behavior in an isolated environment

  • Expanding this into a full SOC-style case study

I will be sharing those findings soon.


👋 About Me

I’m a cybersecurity student and aspiring SOC Analyst, focused on building strong fundamentals through hands-on labs, documentation, and continuous learning.

If you’re also learning SOC or malware analysis, I’d love to connect and exchange insights.


🔖 Tags

#CyberSecurity #SOC #MalwareAnalysis #BlueTeam #FlareVM #InfoSec #LearningInPublic #CyberSecurityStudent