Malware Lab 19-Track Reference
Malware Lab dispatches each upload to an analysis track selected from the file's format, not from its name alone. Most samples finish within about 90 seconds, and every track writes into a common report shell with MITRE ATT&CK mapping, YARA matches, and an AI-generated natural-language summary.
Track Catalogue#
| # | Track | Input Format | Primary Engines | Report Highlights |
|---|---|---|---|---|
| 1 | PE | .exe, .dll, .sys | Ghidra (decompile) + CAPA + Speakeasy (emulation) + YARA | Function graph, CAPA capabilities, IOCs, MITRE mapping |
| 2 | APK | Android .apk | MobSF + YARA + manifest static analysis | Permission risk, suspicious API calls, certificate info |
| 3 | IPA | iOS .ipa | MobSF + YARA + code-signature checks | Entitlement audit, URL schemes, asset-theft patterns |
| 4 | Office (DOCX/XLSX/PPTX) | OOXML packages | olevba + YARA + macro extractor | VBA source, AutoOpen/AutoExec triggers, embedded IOCs |
| 5 | HWP / HWPX | Korean HWP and HWPX | olevba + Korean-specific extractors | Embedded OLE objects, macros, outbound calls |
| 6 | PDF | .pdf | PDF.js emulation + YARA + JavaScript tracer | OpenAction handlers, hidden objects, JS-based IOCs |
| 7 | ELF | Linux executables | Qiling (user-mode emulation) + CAPA + YARA | System-call trace, capabilities, packer detection |
| 8 | Mach-O | macOS executables | Qiling + YARA + signature verification | Entitlements, dynamic libraries, injection traces |
| 9 | .NET | CLR assemblies | dnfile + Ghidra + YARA | IL decompilation, obfuscation detection, call graph |
| 10 | JAR | Java archives | CFR/Procyon decompilation + YARA | Class tree, manifest, third-party library calls |
| 11 | JavaScript | .js, .mjs | Sandbox emulation + AST analysis | DOM access, eval/Function usage, external calls |
| 12 | PowerShell | .ps1 | Sandbox + AMSI tracer + deobfuscator | Command tree, download URLs, encoded payloads |
| 13 | VBS·HTA | .vbs, .hta | Sandbox emulation + script static analysis | Downloader patterns, command execution, registry edits |
| 14 | OneNote | .one, .onepkg | OneNote parser + attachment extractor | Embedded payloads, external links, macros |
| 15 | EML·MSG | Email messages | EML/MSG parser + attachment splitter | Header analysis, sender authentication, recursive attachment scan |
| 16 | MSI·MSIX·APPX | Windows installers | MSI table parser + payload extractor + YARA | CustomAction list, post-install commands, signature info |
| 17 | LNK | Windows shortcuts | LNK parser + command-line decoder | Target command, encoded args, icon source |
| 18 | WebAssembly | .wasm | Wasm decompilation + YARA | Import/export functions, suspicious calls, static strings |
| 19 | Browser Extension | .crx, .xpi | Manifest analysis + content-script extractor + YARA | Permission scope, outbound calls, code-injection patterns |
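The routing rule stated in the introduction (each upload goes to a track chosen from its file format) is the part worth getting right, because the file name is attacker-controlled: a PE uploaded as invoice.pdf must still land in track 1, and most of the tracks above are ZIP or OLE containers that share one outer signature and only differ in their members. The following Python is an added example, not Malware Lab's own code. The track numbers are taken from the table; the helper names (`sniff`, `dispatch`, `build_fake_pe`, `build_fake_zip`), the ZIP and CFB member heuristics, and the text-script fallback are this example's assumptions, and the inputs it is exercised with are constructed in memory.

```python
"""Content-first track dispatch for the catalogue above. Added example, not Malware
Lab's own code: track numbers come from the table; helper names, the ZIP/CFB
member heuristics and the fallback rules are this example's assumptions."""
import io, re, struct, zipfile

TRACK = {"PE": 1, "APK": 2, "IPA": 3, "OFFICE": 4, "HWP": 5, "PDF": 6, "ELF": 7, "MACHO": 8,
         "DOTNET": 9, "JAR": 10, "JAVASCRIPT": 11, "POWERSHELL": 12, "VBS_HTA": 13,
         "ONENOTE": 14, "EML_MSG": 15, "MSI": 16, "LNK": 17, "WASM": 18, "EXTENSION": 19}
# Extension -> track: used only for text scripts (no magic number) and to flag mismatches.
BY_EXT = {e: t for t, exts in {
    "PE": ".exe .dll .sys", "APK": ".apk", "IPA": ".ipa", "OFFICE": ".docx .xlsx .pptx",
    "HWP": ".hwp .hwpx", "PDF": ".pdf", "JAR": ".jar", "JAVASCRIPT": ".js .mjs",
    "POWERSHELL": ".ps1", "VBS_HTA": ".vbs .hta", "ONENOTE": ".one", "EML_MSG": ".eml .msg",
    "MSI": ".msi .msix .appx", "LNK": ".lnk", "WASM": ".wasm", "EXTENSION": ".crx .xpi"}.items()
    for e in exts.split()}
TEXT_TRACKS = {"JAVASCRIPT", "POWERSHELL", "VBS_HTA"}

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"                          # Compound File Binary (OLE)
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")  # HeaderSize + ShellLink CLSID
ONE_MAGIC = bytes.fromhex("e4525c7b8cd8a74daeb153784d2996d3")             # .one guidFileType, little-endian
MAGIC = [(b"%PDF-", "PDF"), (b"\x7fELF", "ELF"), (b"\x00asm", "WASM"), (LNK_MAGIC, "LNK"),
         (ONE_MAGIC, "ONENOTE"), (b"Cr24", "EXTENSION")]                 # CRX = Chrome header + ZIP
MACHO = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}
# ZIP member -> track, most specific first (an APK also carries META-INF/MANIFEST.MF).
ZIP_RULES = [("AndroidManifest.xml", "APK"), ("AppxManifest.xml", "MSI"),
             ("Contents/content.hpf", "HWP"), ("[Content_Types].xml", "OFFICE"),
             ("META-INF/MANIFEST.MF", "JAR"), ("manifest.json", "EXTENSION")]  # XPI is a plain ZIP
# CFB directory names are stored UTF-16LE, so a raw scan separates HWP 5.x, Outlook .msg and MSI.
CFB_RULES = [("FileHeader", "HWP"), ("__properties_version1.0", "EML_MSG"),
             ("\x05SummaryInformation", "MSI")]                          # MSI rule is a heuristic
EMAIL = re.compile(rb"^(Return-Path|Received|From|To|Subject|Date|MIME-Version):", re.I)


def sniff_pe(data):
    """'PE' or 'DOTNET' (CLR data directory present) for an MZ/PE image, else None."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        return None
    opt = pe_off + 24                      # optional header after 4-byte signature + 20-byte COFF
    try:
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)               # PE32 vs PE32+ data directories
        n_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
        clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0] if n_dirs > 14 else 0
    except struct.error:                   # truncated header: still PE, just not verifiably .NET
        return "PE"
    return "DOTNET" if clr_rva else "PE"


def sniff(data):
    """Content-based track name, or None when nothing identifiable is found."""
    name = sniff_pe(data)
    if name:
        return name
    for prefix, track in MAGIC:
        if data.startswith(prefix):
            return track
    if data[:4] in MACHO or (data[:4] == b"\xca\xfe\xba\xbe" and len(data) >= 8
                             and struct.unpack_from(">I", data, 4)[0] < 32):
        return "MACHO"                     # 0xCAFEBABE is also Java .class; a fat Mach-O has few archs
    if data.startswith(b"PK\x03\x04"):
        try:
            names = set(zipfile.ZipFile(io.BytesIO(data)).namelist())
        except zipfile.BadZipFile:
            return None
        if any(n.startswith("Payload/") and n.endswith(".app/Info.plist") for n in names):
            return "IPA"
        return next((t for member, t in ZIP_RULES if member in names), None)
    if data.startswith(CFB_MAGIC):
        return next((t for stream, t in CFB_RULES if stream.encode("utf-16-le") in data), None)
    if EMAIL.match(data):
        return "EML_MSG"
    return None


def dispatch(data, filename=""):
    """Return (track_number, track_name, extension_mismatch). Content wins over the file name."""
    by_ext = BY_EXT.get(filename[filename.rfind("."):].lower()) if "." in filename else None
    name = sniff(data)
    if name is None and by_ext in TEXT_TRACKS:
        name = by_ext                      # scripts have no magic number; fall back to extension
    if name is None:
        return None, None, by_ext is not None
    mismatch = by_ext not in (None, name) and not (by_ext == "PE" and name == "DOTNET")
    return TRACK[name], name, mismatch


def build_fake_pe(dotnet=False, pe32plus=False):
    """Constructed sample: a minimal, non-loadable PE header, optionally with a CLR directory."""
    dirs = 112 if pe32plus else 96
    opt = bytearray(dirs + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dirs - 4, 16)                      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dirs + 14 * 8, 0x2008, 0x48)  # CLR header RVA, size
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80) + b"\0" * 0x40   # e_lfanew = 0x80
    return dos + b"PE\0\0" + coff + bytes(opt)


def build_fake_zip(*names):
    """Constructed sample: an in-memory ZIP holding the given empty members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"")
    return buf.getvalue()
```

`dispatch(build_fake_pe(), "invoice.pdf")` returns `(1, "PE", True)`: the bytes decide the track and the third value records that the name lied, which is itself a triage signal. Two caveats a practitioner should keep in mind: ZIP member names and CFB stream names are attacker-controlled too, so the container rules only decide which track runs, never the verdict; and the `.onepkg` form of track 14 is a cabinet archive rather than a `.one` file, so it is not recognised by this sniffer and would need its own rule.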
Common Report Sections#
Regardless of track, every report includes:
- Threat verdict: clean / suspicious / malicious.
- MITRE ATT&CK mapping across all 14 Enterprise tactics (Reconnaissance through Impact).
- IOCs: domains, IPs, hashes, mutexes, file paths.
- YARA matches from public rule sets plus unJaena-authored rules.
- AI summary in Korean, English, and Japanese.
Average Analysis Time#
Most samples complete within 90 seconds. Heavy stages — PE unpacking, full Ghidra decompilation, sandbox traces — can extend the run to about five minutes; the UI progress bar shows current stage and remaining work.
Next Steps#
- Malware Lab Guide — step-by-step UI walkthrough.
- Integration Access Guide — access process for approved customer integrations.