Macksofy Technologies
Static · Dynamic · Behavioural

Decode what hit you. Detect the next variant.

Static, dynamic and behavioural analysis of malware samples — from commodity ransomware to targeted APT toolchains. We extract IOCs, document TTPs, map to MITRE ATT&CK and produce YARA / Sigma rules to detect future variants.

cuckoo · isolated detonation · t+47s · contained
sample.exe (29.4 KB)
MD5 5e1f9c… · packed (UPX 3.x stripped) · Cobalt-Strike beacon variant
Process behaviour
spawns wmic.exe · injects into spoolsv.exe (PID 1428)
Disables Defender via reg
DisableAntiSpyware = 1
Reads LSASS handles
T1003.001 · OS credential dumping
Network behaviour
HTTPS beacon · 60s interval · jitter 12%
C2 update[.]secure-cdn[.]xyz
domain age 4d · TLS 1.3 · self-signed
DNS beacon fallback
TXT records to attacker NS
Persistence
Registry Run key · scheduled task · WMI subscription
14 MITRE techniques observed · 8 IOCs extracted · YARA · Sigma · Suricata ready
Three layers, one report

Static. Dynamic. Behavioural.

Every Macksofy malware analysis runs all three lenses. Static gets the structure, dynamic gets the runtime, behavioural gets the intent.

Layer 01
Static
IDA Pro · Ghidra · Binary Ninja · PE-bear · Detect It Easy

Disassembly, decompilation, unpacking, algorithm reverse-engineering

Layer 02
Dynamic
Cuckoo · ANY.RUN · x64dbg · OllyDbg · REMnux

API tracing, network capture, live process behaviour, debugger walks

Layer 03
Behavioural
MITRE ATT&CK · VirusTotal · MISP · Custom Macksofy lab

Adversary intent, persistence map, C2 protocol decoding

Detection output

Every report ships three rule formats.

YARA for endpoint AV/EDR, Sigma for SIEM detections, Suricata for network IDS. Drop them straight into your stack — your blue team detects the next variant of the same family without re-engaging us.

  • Convert unknown samples into actionable IOCs and detections
  • Satisfy IR + insurance reporting on what hit you
  • Build organization-specific threat intelligence
  • Map attacker capabilities to MITRE ATT&CK
YARA (generated · macksofy-ir)
rule MacksofyCustom_CSBeacon_Variant_2025
{
  meta:
    author      = "Macksofy IR"
    description = "Custom Cobalt Strike beacon variant w/ DGA"
    family      = "CobaltStrike"
    severity    = "critical"
    sha256      = "5e1f9c…"

  strings:
    // The MZ header is checked with uint16(0) in the condition; a separate
    // hex string that the condition never references would not compile.
    $cs_pattern_a = "%%COMSPEC%% /c " ascii wide
    $cs_pattern_b = { 48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 74 24 ?? 57 }   // MSVC x64 prologue: mov [rsp+x], rbx/rbp/rsi; push rdi
    $jitter       = "jitter\x00" ascii
    $dga_seed     = /[a-f0-9]{8}-update-cdn\.xyz/ ascii

  condition:
    uint16(0) == 0x5A4D and
    filesize < 100KB and
    2 of ($cs_pattern_*) and
    1 of ($jitter, $dga_seed)
}
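To make the rule's condition traceable by hand, here is an added example (not Macksofy's code and not YARA itself): a small Python evaluator that reproduces the rule's string definitions, including the `??` wildcard bytes of the hex string and the `wide` (UTF-16LE) form of the COMSPEC string, and then applies the `uint16(0)`, `filesize`, `2 of` and `1 of` clauses. The two input blobs are constructed for the example and are not real malware or valid PE files; in production the rule is compiled and run with YARA, not with this code.

```python
import re

# Added example (not Macksofy's code): evaluator for the strings and condition of
# MacksofyCustom_CSBeacon_Variant_2025. This is not YARA; it only mirrors how the
# rule's clauses combine so their effect on a sample can be followed.

def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '48 89 5C 24 ?? 57' into a bytes regex.
    '??' is one wildcard byte; every other token is a literal byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(rb".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def text_patterns(text: str, ascii_: bool = True, wide: bool = False) -> list:
    """Mirror YARA's 'ascii' and 'wide' modifiers; 'wide' means UTF-16LE."""
    pats = []
    if ascii_:
        pats.append(re.compile(re.escape(text.encode("latin-1"))))
    if wide:
        pats.append(re.compile(re.escape(text.encode("utf-16-le"))))
    return pats


# The rule's strings section, one entry per $identifier.
STRINGS = {
    "$cs_pattern_a": text_patterns("%%COMSPEC%% /c ", ascii_=True, wide=True),
    "$cs_pattern_b": [hex_pattern_to_regex("48 89 5C 24 ?? 48 89 6C 24 ?? 48 89 74 24 ?? 57")],
    "$jitter":       [re.compile(rb"jitter\x00")],
    "$dga_seed":     [re.compile(rb"[a-f0-9]{8}-update-cdn\.xyz")],
}


def matched_strings(data: bytes) -> set:
    """Names of the rule's strings that occur anywhere in data."""
    return {name for name, pats in STRINGS.items() if any(p.search(data) for p in pats)}


def rule_matches(data: bytes) -> bool:
    """The rule's condition, clause by clause."""
    hits = matched_strings(data)
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D  # uint16(0) == 0x5A4D
    small = len(data) < 100 * 1024                                             # filesize < 100KB
    two_cs = sum(1 for n in hits if n.startswith("$cs_pattern_")) >= 2         # 2 of ($cs_pattern_*)
    one_cfg = len(hits & {"$jitter", "$dga_seed"}) >= 1                        # 1 of ($jitter, $dga_seed)
    return is_mz and small and two_cs and one_cfg


# Constructed inputs (not real malware, not valid PE files): a blob carrying the
# rule's indicators, with the COMSPEC string present only in UTF-16LE ("wide")
# form, and a benign blob that has the MZ header but none of the strings.
SUSPECT = (
    b"MZ" + b"\x00" * 62
    + b"\x48\x89\x5c\x24\x08\x48\x89\x6c\x24\x10\x48\x89\x74\x24\x18\x57"  # x64 prologue
    + "%%COMSPEC%% /c ".encode("utf-16-le")
    + b"jitter\x00" + b"\x00" * 16
)
BENIGN = b"MZ" + b"\x00" * 200 + b"hello world\x00"

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, sorted(matched_strings(blob)), rule_matches(blob))
```

The point worth noticing is that the SUSPECT blob matches without containing the ASCII form of `%%COMSPEC%% /c ` at all: the `wide` modifier is what catches payloads that keep their command strings as UTF-16, which is how Windows APIs usually receive them.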
Sigma (generated · macksofy-ir)
title: Macksofy CS Beacon — LSASS Access from Suspicious Binary
id: 8f4c1f-…
status: stable
description: Detects LSASS handle access from a spoolsv.exe process that the payload has injected into
references:
  - https://attack.mitre.org/techniques/T1003/001/
author: Macksofy IR
date: 2026/05/01
logsource:
  category: process_access
  product: windows
detection:
  selection:
    TargetImage|endswith: '\lsass.exe'
    SourceImage|endswith: '\spoolsv.exe'
    GrantedAccess: '0x1410'
  # No exclusion on the spooler's own path: an injected spoolsv.exe still runs from
  # C:\Windows\System32\spoolsv.exe, so a path-based "legitimate" filter would
  # suppress exactly the event this rule exists to catch.
  condition: selection
falsepositives:
  - none expected
level: high
tags:
  - attack.credential_access
  - attack.t1003.001
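As an added example (not Macksofy's code), the following Python applies the Sigma selection above to a handful of constructed Sysmon Event ID 10 (process_access) records, implementing the `endswith` and `contains` modifiers the way the Sigma spec defines them (case-insensitive, all fields of one map ANDed). It also shows why an exclusion on the spooler's legitimate command-line path would cancel the detection: a spoolsv.exe that has been injected into runs from that same path, so the exclusion removes the one event that matters. The access mask 0x1410 is PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, the combination credential-dumping tools typically request on LSASS; the event records are made up for the example and are not real telemetry.

```python
# Added example (not Macksofy's code): a minimal evaluator for the Sigma selection
# above, run over constructed Sysmon Event ID 10 records.

def field_matches(value, modifier: str, expected: str) -> bool:
    """Sigma string comparison: case-insensitive; '' means exact equality."""
    v, e = str(value).lower(), expected.lower()
    if modifier == "endswith":
        return v.endswith(e)
    if modifier == "contains":
        return e in v
    if modifier == "":
        return v == e
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_map(event: dict, selection: dict) -> bool:
    """Every 'Field|modifier: value' pair in a Sigma map must hold (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not field_matches(event[field], modifier, expected):
            return False
    return True


# The rule's selection, transcribed from the Sigma above.
SELECTION = {
    "TargetImage|endswith": r"\lsass.exe",
    "SourceImage|endswith": r"\spoolsv.exe",
    "GrantedAccess": "0x1410",
}

# A path-based "legitimate spooler" exclusion, kept only to demonstrate its effect.
LEGIT_PATH_FILTER = {"SourceCommandLine|contains": r"C:\Windows\System32\spoolsv.exe"}


def detect(events: list, exclusion: dict = None) -> list:
    """Return the events that match SELECTION and are not removed by exclusion."""
    return [
        ev for ev in events
        if matches_map(ev, SELECTION) and not (exclusion and matches_map(ev, exclusion))
    ]


# Constructed Sysmon Event ID 10 records (not real telemetry).
EVENTS = [
    {   # the injected spooler: legitimate binary and path, yet reading LSASS with 0x1410
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\spoolsv.exe",
        "SourceCommandLine": r"C:\Windows\System32\spoolsv.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1410",
    },
    {   # a hypothetical EDR sensor querying LSASS with a different access mask
        "EventID": 10,
        "SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
        "SourceCommandLine": r"C:\Program Files\ExampleEDR\sensor.exe -svc",
        "TargetImage": r"C:\Windows\System32\lsass.exe",
        "GrantedAccess": "0x1010",
    },
    {   # the spooler opening a handle to a process other than LSASS
        "EventID": 10,
        "SourceImage": r"C:\Windows\System32\spoolsv.exe",
        "SourceCommandLine": r"C:\Windows\System32\spoolsv.exe",
        "TargetImage": r"C:\Windows\System32\winlogon.exe",
        "GrantedAccess": "0x1410",
    },
]

if __name__ == "__main__":
    print("selection only      :", len(detect(EVENTS)), "hit(s)")
    print("with path exclusion :", len(detect(EVENTS, LEGIT_PATH_FILTER)), "hit(s)")
```

Running it gives one hit for the selection alone and zero once the path exclusion is applied, which is the practical argument for not whitelisting a system binary by its path when the threat model is injection into that binary.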
Suricata (generated · macksofy-ir)
# Macksofy IR — DGA C2 fallback over DNS TXT
alert dns $HOME_NET any -> any 53 (
    msg: "MACKSOFY · CSBeacon DGA TXT lookup";
    flow: stateless;
    dns.query;
    pcre: "/^[a-f0-9]{8}-update-cdn\.xyz$/i";
    classtype: trojan-activity;
    metadata: family CobaltStrike, mitre T1071.004;
    sid: 99008142; rev: 1;
)

# Macksofy IR — beacon TLS: self-signed certificate for the fresh C2 domain
alert tls $HOME_NET any -> $EXTERNAL_NET any (
    msg: "MACKSOFY · CSBeacon self-signed TLS to fresh domain";
    tls.cert_subject; content: "CN=update.secure-cdn";
    tls.cert_issuer;  content: "CN=update.secure-cdn";
    threshold: type both, track by_src, count 1, seconds 60;
    classtype: trojan-activity;
    sid: 99008143; rev: 1;
)
Engagement snapshot

From unknown sample to fleet-wide detection.

BFSI (post-IR analysis)

Custom Cobalt Strike beacon variant

Finding · Modified C2 protocol with domain fronting + PE injection chain

YARA rules deployed across estate; new variant detected within 30 days

Risk severity · Critical
RE toolchain

IDA. Ghidra. x64dbg.

Tools we operate
IDA Pro · Ghidra · Binary Ninja · x64dbg · OllyDbg · Cuckoo Sandbox · ANY.RUN · REMnux · PE-bear · Detect It Easy · YARA · Sigma
What clients say · Trusted India + UAE

Rated 4.9 ★ from 612 client reviews.

CERT-In Empanelled
Govt of India · MeitY
EC-Council ATC
Authorized Training
ISO 27001 Certified
Info Security Mgmt
We've worked with three Big 4 firms before Macksofy. None found what their team did in our payments stack. The most actionable report we've received in a decade.
Aisha Khan
Information Security Manager · Listed Fintech · BKC, Mumbai
The CHFI training Macksofy delivered for our cyber cell raised investigation quality measurably. Practical, India-context-aware, and respectful of our operational realities.
Inspector K. Joshi
Cyber Cell · Maharashtra Police · Mumbai
Came in with zero security background. 5 weeks later I was running Burp Suite and Metasploit confidently. Cleared CEH on the first attempt.
Vivek Iyer
DevSecOps Lead · Healthcare SaaS · Hyderabad
FAQ

Submitting a sample.

Yes — including nation-state-grade samples on a need-to-know basis. We hold tight chain-of-custody and reporting protocols.
Talk to us

Get a fixed-price proposal in 48 hours.

Tell us about your security need — pentest, audit, training or a wider engagement. A senior consultant will reply within a few business hours.

CERT-In Empanelled
Information Security Auditor · India
  • CERT-In Empanelled
  • EC-Council ATC · CompTIA Authorized
  • 20,000+ professionals trained
  • India + UAE engagements

By submitting this form you agree to be contacted by Macksofy. We typically respond within a few business hours and never share your details. Protected by Cloudflare Turnstile and rate limiting.