After this lesson, you will be able to: Recognize malware categories and their indicators, read automated sandbox reports (Any.run, VirusTotal, Joe Sandbox), and write YARA rules to detect malware patterns.
This lesson covers the main malware categories and what each leaves behind, using public sandboxes to triage samples quickly, and writing YARA rules to detect families and patterns, the bridge from analysis to detection.
RATs (remote access trojans) give attackers control and beacon to a C2 server. Keyloggers capture input and exfiltrate it. Ransomware encrypts files and demands payment, leaving ransom notes and mass file modification. Rootkits hide deep in the system to evade detection. Botnets enlist machines into a controlled network. Each leaves indicators: C2 domains/IPs, dropped files, registry/persistence entries, characteristic API calls. Recognizing the category guides your analysis and response.
Automated sandboxes run a sample in an instrumented environment and report behavior fast. Any.run is interactive (you watch it execute in real time), VirusTotal aggregates dozens of AV engines plus behavioral and relationship data, and Joe Sandbox produces deep automated reports. Reading these reports (dropped files, network connections, processes, flagged techniques mapped to MITRE ATT&CK) is a fast triage step before or alongside manual analysis. Caveat: submitting a sample makes it public, so never submit sensitive or confidential files.
YARA is the standard language for writing detection signatures. A YARA rule describes strings or byte patterns and a condition; scanners and EDR tools use rules to flag files matching a malware family or technique. Once you have analyzed a sample, you distill its distinctive strings or code patterns into a rule so the same family is detected automatically across an environment. This is how analysis scales into protection.
A rule matches when its condition over the defined strings holds.
rule Example_Suspicious_Downloader
{
    meta:
        description = "Detects a sample with these distinctive strings"
        author = "analyst"

    strings:
        $url = "http://evil-c2.example/gate.php"   // C2 URL observed in the sample
        $mz  = { 4D 5A }                           // PE magic bytes ("MZ")
        $api = "URLDownloadToFileA"                // download API name seen in the sample

    condition:
        $mz at 0 and ($url or $api)                // must be a PE, plus at least one indicator
}
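As an added illustration (not part of the lesson, and not how YARA itself is run; real scanning uses the yara CLI or yara-python), this Python mirrors the rule's condition in plain code so you can see what it matches and what it misses, including the over-broad case where a benign PE that merely imports URLDownloadToFileA trips the rule. The sample bytes are constructed stand-ins, not real files.

```python
# Added example: a minimal stand-in for the rule's condition
# `$mz at 0 and ($url or $api)`, so the matching logic can be run offline
# with no dependencies. This is NOT a YARA engine; it only mirrors one rule.

STRINGS = {
    "$url": b"http://evil-c2.example/gate.php",  # from the rule on this page
    "$mz": bytes.fromhex("4D5A"),                # { 4D 5A }
    "$api": b"URLDownloadToFileA",
}


def find_strings(data: bytes) -> dict:
    """Return, for each string identifier, every offset at which it occurs."""
    hits = {}
    for ident, pattern in STRINGS.items():
        offsets, start = [], 0
        while (pos := data.find(pattern, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        hits[ident] = offsets
    return hits


def example_suspicious_downloader(data: bytes) -> bool:
    """Mirror of the page's condition: $mz at 0 and ($url or $api)."""
    h = find_strings(data)
    return (0 in h["$mz"]) and (bool(h["$url"]) or bool(h["$api"]))


def tightened_condition(data: bytes) -> bool:
    """Narrower variant (an assumption, not from the lesson): require the
    C2 URL itself, because the API name alone also appears in benign
    software that downloads updates."""
    h = find_strings(data)
    return (0 in h["$mz"]) and bool(h["$url"])


# Constructed samples: a fake "MZ" header plus padding, then some strings.
PE_STUB = b"MZ" + b"\x00" * 62
SAMPLE_MALICIOUS = PE_STUB + b"..URLDownloadToFileA..http://evil-c2.example/gate.php.."
SAMPLE_BENIGN_UPDATER = PE_STUB + b"..URLDownloadToFileA..https://updates.example.com/.."
SAMPLE_TEXT_NOTE = b"analyst note: see http://evil-c2.example/gate.php in the report"

if __name__ == "__main__":
    for name, blob in [("malicious", SAMPLE_MALICIOUS),
                       ("benign updater", SAMPLE_BENIGN_UPDATER),
                       ("text note", SAMPLE_TEXT_NOTE)]:
        print(f"{name:15} page rule={example_suspicious_downloader(blob)!s:5} "
              f"tightened={tightened_condition(blob)}")
```

The text note contains the C2 URL but is not a PE, so `$mz at 0` fails and neither variant fires; the benign updater shows why `$api` on its own is too broad.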
Common mistakes: submitting confidential samples to public sandboxes (they become public); writing YARA rules so broad they false-positive on benign files, or so narrow they miss variants; trusting a single AV verdict on VirusTotal over observed behavior; confusing categories (a dropper is not the final payload); forgetting to map behavior to MITRE ATT&CK for a shared vocabulary; and treating sandbox output as complete, since evasive samples detect sandboxes and hide their behavior.