Reverse Engineering Malware Lab
This is a little reverse-engineering lab for a penetration testing class I did to practice pulling apart a malicious file without actually running anything dangerous. The executable is just a Python script I wrote and packaged with PyInstaller, but I think it behaves enough like real malware to make the analysis a good simulation.
Essentially, I created the script to work like actual malware and then analyzed what it was doing.
Features of the sample
- XOR-encoded “C2” string
- Base64-encoded payload
- Fake persistence (drops a text file)
- A tiny beacon loop
- Packed with PyInstaller so it looks like malware in a PE viewer
- Benign file
I treated the compiled EXE like it was actually malware and investigated it with these tools:
Static Analysis
- Ran strings to see what popped out
- Looked at the PE structure in PE-bear
- Used pyinstxtractor to rip apart the PyInstaller bundle
- Loaded the unpacked blob into Ghidra and walked through the flow
- Reversed the XOR routine to recover the hidden C2 URL
- Decoded the Base64 payload with cyberchef
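To show the two decoding steps above (recovering the XOR'd C2 string and decoding the Base64 payload) as a repeatable script rather than a CyberChef session, here is an added example that is not part of the lab's own code. The key, URL and payload are constructed stand-ins; the key recovery uses the known-plaintext trick that a C2 string almost always begins with "http".

```python
"""Decoder for the lab sample's obfuscated strings (added example, not the lab's code)."""
import base64
import string
from typing import Optional

PRINTABLE = set(string.printable.encode())

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed stand-ins for what pyinstxtractor + Ghidra expose in the
# unpacked script: an XOR-encoded C2 string and a Base64 payload.
# Key, URL and payload are assumed values, not the original lab's.
SAMPLE_KEY = b"k3y"
ENCODED_C2 = xor_bytes(b"http://c2.example.invalid/beacon", SAMPLE_KEY)
PAYLOAD_B64 = base64.b64encode(b"echo persist > dropped.txt").decode()

def recover_xor_key(blob: bytes, crib: bytes = b"http") -> Optional[bytes]:
    """Known-plaintext recovery: blob XOR crib reveals the first len(crib)
    key bytes. A candidate key length must repeat consistently across the
    crib and decode the whole blob to printable text; shortest wins.
    Keys longer than the crib cannot be recovered this way."""
    stream = xor_bytes(blob[:len(crib)], crib)
    for n in range(1, len(crib) + 1):
        key = stream[:n]
        if all(stream[i] == key[i % n] for i in range(len(crib))):
            plain = xor_bytes(blob, key)
            if set(plain) <= PRINTABLE:
                return key
    return None

def decode_payload(b64: str) -> bytes:
    """Strict Base64 decode; validate=True rejects stray characters that
    a string-extraction tool may have glued onto the blob."""
    return base64.b64decode(b64, validate=True)

def analyze(encoded_c2: bytes, payload_b64: str) -> dict:
    key = recover_xor_key(encoded_c2)
    if key is None:
        raise ValueError("no consistent XOR key for the crib")
    return {
        "xor_key": key,
        "c2": xor_bytes(encoded_c2, key).decode(),
        "payload": decode_payload(payload_b64).decode(),
    }

if __name__ == "__main__":
    for name, value in analyze(ENCODED_C2, PAYLOAD_B64).items():
        print(f"{name}: {value!r}")
```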
Dynamic Analysis
- Ran the program in a "safe" environment (my laptop)
- Used ProcMon to watch file writes and check for any persistence
- Watched the beacon loop do its thing
- Confirmed no real network traffic (it doesn’t actually reach out since it's benign)