Skip to content
All Docs

Malware Lab Guide

Malware Lab Guide#

The unJaena AI Malware Lab automatically analyzes suspicious files and evaluates their threat level. It runs 19 analysis tracks through 8 engines (YARA, CAPA, Ghidra, Speakeasy, Qiling, MobSF, olevba, dnfile) with automatic mapping to all 14 MITRE ATT&CK tactics, delivering a comprehensive report in ~90 seconds on average.

Sample Upload#

Upload Methods#

  1. Navigate to the Malware Lab page.
  2. Click the Upload Sample button.
  3. Select the file to analyze or drag and drop it.
  4. Once the upload completes, the analysis pipeline starts automatically.

Supported File Types (19 analysis tracks)#

CategoryFormats
Windows executablesPE (.exe, .dll), .NET assemblies
Linux/macOS executablesELF, Mach-O
Android / iOSAPK, IPA
Office documentsDOCX, XLSX
Korean documentsHWP, HWPX
Other documentsPDF, OneNote
ScriptsJavaScript, PowerShell, VBS / HTA
EmailEML, MSG
InstallersMSI, MSIX, APPX
Shortcuts / PackagesLNK, JAR
OtherWebAssembly, Browser extensions (CRX / XPI), shellcode

Archive files (ZIP/RAR/7z) are automatically extracted before analysis. HWP/HWPX coverage is a Korean-market differentiator that most global vendors do not support in depth.

Safety Notes#

  • All samples are processed in an isolated environment.
  • Samples are processed for deletion after the configured retention period.
  • For sensitive files, verify the hash value before uploading.

YARA Scan Results#

YARA scanning checks uploaded files against 150+ detection rules to identify malware patterns.

Interpreting Results#

Scan results include the following information:

Matched Rule List:

  • Rule name: Name of the YARA rule used for detection
  • Severity: Critical / High / Medium / Low
  • Category: RAT, Stealer, Ransomware, Trojan, Backdoor, etc.
  • Matching patterns: Specific patterns found in the file

Severity Classification:

SeverityDescriptionExamples
CriticalMalware requiring immediate responseRansomware, APT-related tools
HighClear malicious behavior patternsRAT, info stealers
MediumContains suspicious characteristicsPacker usage, obfuscated code
LowPotential risk factorsSuspicious strings, API calls

Community Rule Sets#

Verified community rule sets including YARA-Rules, Signature-Base, and Malpedia are included to detect the latest threats.

CAPA Analysis Results#

CAPA performs behavior-based analysis of binary files. It identifies what capabilities a file has from a behavioral perspective.

Analysis Result Components#

Detected Capabilities: CAPA automatically identifies the following capabilities in binaries:

  • File manipulation: File read/write/delete/encrypt
  • Network communication: HTTP requests, socket connections, DNS lookups
  • Process manipulation: Process creation, code injection, privilege escalation
  • Registry manipulation: Registry key creation/modification/deletion
  • Information gathering: System information, browser data, credential access
  • Defense evasion: Anti-debugging, anti-VM, code obfuscation
  • Persistence: Autorun registration, service creation, scheduled tasks

MITRE ATT&CK 14-Tactic Mapping: Each detected capability is automatically mapped to all 14 tactics of the MITRE ATT&CK framework (Reconnaissance → Resource Development → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Command and Control → Exfiltration → Impact).

Supported File Types#

  • PE (32-bit, 64-bit)
  • ELF
  • Mach-O
  • .NET assemblies
  • Shellcode

Static Analysis (Ghidra)#

Ghidra is an open-source software reverse engineering framework developed by the NSA. The unJaena platform uses Ghidra's headless mode to perform automated static analysis.

Analysis Content#

Binary Structure Analysis:

  • Section information: Size and entropy of code, data, and resource sections
  • Import table: List of libraries and API functions used
  • Export table: Functions exposed externally
  • String analysis: Extraction of meaningful strings contained in the binary

Code Flow Analysis:

  • Key function identification: Detection of functions containing core logic
  • Suspicious API calls: VirtualAlloc, WriteProcessMemory, CreateRemoteThread, etc.
  • Control flow graph: Logical execution flow of the program

Entropy Analysis#

High entropy values may indicate that data is compressed or encrypted:

  • 0-3: Structured data (code, text)
  • 3-6: General binary data
  • 6-7.5: Compressed or packed data
  • 7.5+: High randomness (possibly encrypted data)

Analysis Report#

Once all analyses are complete, a comprehensive analysis report is generated.

Report Structure#

  1. Summary

    • Final verdict: Malicious / Suspicious / Clean
    • Overall risk score (0-100)
    • Primary threat type classification

  2. YARA Scan Results

    • Matched rule list and details
    • Detected malware family

  3. CAPA Behavioral Analysis

    • Detected capability list
    • MITRE ATT&CK mapping results

  4. Static Analysis Results

    • Binary structure summary
    • Suspicious API call list
    • String analysis results

  5. AI Comprehensive Assessment

    • Context-based risk evaluation
    • Related threat intelligence
    • Recommended response actions

Using Reports#

  • PDF export: Download in professional report format as PDF
  • Share: Share analysis results with team members
  • IOC extraction: Extract list of detected IOCs (Indicators of Compromise)