Malware Lab Guide

The unJaena AI Malware Lab automatically analyzes suspicious files and evaluates their threat level. It integrates YARA rule scanning, CAPA behavioral analysis, and Ghidra static analysis to provide comprehensive malware analysis.

Sample Upload

Upload Methods

  1. Navigate to the Malware Lab page.
  2. Click the Upload Sample button.
  3. Select the file to analyze or drag and drop it.
  4. Once the upload completes, the analysis pipeline starts automatically.

Supported File Types

  • Executables: PE (.exe, .dll), ELF, Mach-O
  • .NET assemblies: .dll, .exe (.NET)
  • Scripts: PowerShell (.ps1), Python (.py), JavaScript (.js)
  • Documents: Office documents with macros
  • Archives: ZIP, RAR, 7z (automatically extracted before analysis)

Safety Notes

  • All samples are processed in an isolated environment.
  • Samples are automatically deleted after the configured retention period.
  • For sensitive files, verify the hash value before uploading.

YARA Scan Results

YARA scanning checks uploaded files against 160+ detection rules to identify malware patterns.

Interpreting Results

Scan results include the following information:

Matched Rule List:

  • Rule name: Name of the YARA rule used for detection
  • Severity: Critical / High / Medium / Low
  • Category: RAT, Stealer, Ransomware, Trojan, Backdoor, etc.
  • Matching patterns: Specific patterns found in the file

Severity Classification:

  Severity | Description                           | Examples
  ---------|---------------------------------------|------------------------------
  Critical | Malware requiring immediate response  | Ransomware, APT-related tools
  High     | Clear malicious behavior patterns     | RAT, info stealers
  Medium   | Contains suspicious characteristics   | Packer usage, obfuscated code
  Low      | Potential risk factors                | Suspicious strings, API calls

Community Rule Sets

Verified community rule sets, including YARA-Rules, Signature-Base, and Malpedia, are bundled with the scanner to detect the latest threats.

CAPA Analysis Results

CAPA performs behavior-based analysis of binary files. It identifies what capabilities a file has from a behavioral perspective.

Analysis Result Components

Detected Capabilities: CAPA automatically identifies the following capabilities in binaries:

  • File manipulation: File read/write/delete/encrypt
  • Network communication: HTTP requests, socket connections, DNS lookups
  • Process manipulation: Process creation, code injection, privilege escalation
  • Registry manipulation: Registry key creation/modification/deletion
  • Information gathering: System information, browser data, credential access
  • Defense evasion: Anti-debugging, anti-VM, code obfuscation
  • Persistence: Autorun registration, service creation, scheduled tasks

MITRE ATT&CK Mapping: Each detected capability is automatically mapped to the corresponding technique in the MITRE ATT&CK framework. This enables systematic understanding of the malware's tactics and techniques.

Supported File Types

  • PE (32-bit, 64-bit)
  • ELF
  • Mach-O
  • .NET assemblies
  • Shellcode

Static Analysis (Ghidra)

Ghidra is an open-source software reverse engineering framework developed by the NSA. The unJaena platform uses Ghidra's headless mode to perform automated static analysis.

Analysis Content

Binary Structure Analysis:

  • Section information: Size and entropy of code, data, and resource sections
  • Import table: List of libraries and API functions used
  • Export table: Functions exposed externally
  • String analysis: Extraction of meaningful strings contained in the binary

Code Flow Analysis:

  • Key function identification: Detection of functions containing core logic
  • Suspicious API calls: VirtualAlloc, WriteProcessMemory, CreateRemoteThread, etc.
  • Control flow graph: Logical execution flow of the program

Entropy Analysis

Entropy (Shannon entropy, 0 to 8 bits per byte) is reported per section. High values may indicate that data is compressed or encrypted:

  • 0-3: Structured data (code, text)
  • 3-6: General binary data
  • 6-7.5: Compressed or packed data
  • 7.5+: High randomness (possibly encrypted data)
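The bands above can be applied to each section of a binary to spot packed or encrypted regions. The following is an added example, not code from the unJaena platform; it assumes each band's lower bound is inclusive and treats sections under a constructed 256-byte minimum as too small to judge, because Shannon entropy is capped at log2(length) for short buffers and would make them look structured regardless of content.

```python
import math
from collections import Counter

# Entropy bands as listed in the guide (Shannon entropy, bits per byte, max 8.0).
# Each entry is (upper bound, label); a value below the bound falls in that band.
# Treating lower bounds as inclusive is an assumption of this example.
ENTROPY_BANDS = [
    (3.0, "structured data (code, text)"),
    (6.0, "general binary data"),
    (7.5, "compressed or packed data"),
    (float("inf"), "high randomness (possibly encrypted)"),
]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_entropy(value: float) -> str:
    """Map an entropy value to the guide's band label."""
    for upper, label in ENTROPY_BANDS:
        if value < upper:
            return label
    return ENTROPY_BANDS[-1][1]

def section_entropy_report(sections: dict, min_size: int = 256) -> list:
    """Return (name, size, entropy, label) per section. Sections shorter than
    min_size (an assumed threshold) are not judged: entropy cannot exceed
    log2(size), so tiny sections always look 'structured'."""
    report = []
    for name, data in sections.items():
        h = round(shannon_entropy(data), 2)
        label = classify_entropy(h) if len(data) >= min_size else "too small to judge"
        report.append((name, len(data), h, label))
    return report

# Constructed sample "sections" (not taken from any real binary): a repeated
# x86 prologue pattern, a 16-value byte pattern, a full byte spread that mimics
# packed/encrypted data, and a tiny section that must not be judged.
SAMPLE_SECTIONS = {
    ".text": b"\x55\x8b\xec\x90" * 64,   # push ebp; mov ebp, esp; nop
    ".data": bytes(range(16)) * 32,
    ".rsrc": bytes(range(256)) * 4,
    ".tiny": b"\x00\x01\x02\x03",
}

if __name__ == "__main__":
    for name, size, h, label in section_entropy_report(SAMPLE_SECTIONS):
        print(f"{name:6} {size:6d} bytes  entropy={h:.2f}  {label}")
```

A high-entropy .rsrc or .data section is a common packer or embedded-payload indicator, which is why the report pairs entropy with the section sizes from the binary structure analysis.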

Analysis Report

Once all analyses are complete, a comprehensive analysis report is generated.

Report Structure

  1. Summary

    • Final verdict: Malicious / Suspicious / Clean
    • Overall risk score (0-100)
    • Primary threat type classification
  2. YARA Scan Results

    • Matched rule list and details
    • Detected malware family
  3. CAPA Behavioral Analysis

    • Detected capability list
    • MITRE ATT&CK mapping results
  4. Static Analysis Results

    • Binary structure summary
    • Suspicious API call list
    • String analysis results
  5. AI Comprehensive Assessment

    • Context-based risk evaluation
    • Related threat intelligence
    • Recommended response actions

Using Reports

  • PDF export: Download the report as a professionally formatted PDF
  • Share: Share analysis results with team members
  • IOC extraction: Extract list of detected IOCs (Indicators of Compromise)