Safety Warning
Always analyze malware in isolated environments (VMs with no network access). Never analyze on production systems!
Table of Contents
- Introduction to Malware Analysis
- Static Analysis Techniques
- Dynamic Analysis (Behavioral)
- Reverse Engineering
- Common Malware Families
- Extracting IOCs

Introduction to Malware Analysis
Malware analysis is the process of studying malicious software to understand how it works, what it does, and how to defend against it. Analysts extract Indicators of Compromise (IOCs) and develop detection signatures.
Analysis Types
- Static Analysis: Examining code without execution
- Dynamic Analysis: Running malware in sandbox
- Hybrid Analysis: Combining both approaches
- Deep Reverse Engineering: Assembly-level analysis
Static Analysis Techniques
File Identification
```bash
# Identify file type
file suspicious.exe

# Calculate hashes
md5sum suspicious.exe
sha256sum suspicious.exe

# Check VirusTotal (API v3 upload; the multipart field is named "file").
# Uploading shares the sample with other VirusTotal users, so look the hash up first if the sample is sensitive.
curl --request POST \
  --url 'https://www.virustotal.com/api/v3/files' \
  --header 'x-apikey: YOUR_API_KEY' \
  --form 'file=@suspicious.exe'
```
String Analysis
```bash
# Extract strings (minimum length 8)
strings -n 8 suspicious.exe | less

# Look for interesting patterns
strings suspicious.exe | grep -i "http://"
strings suspicious.exe | grep -i "password"
strings suspicious.exe | grep -i "registry"

# FLOSS for obfuscated strings
floss suspicious.exe
```
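The `strings | grep` pipeline above is easy to reproduce in code and to extend to UTF-16LE ("wide") strings, which plain `strings` misses unless run with `-el`. The following is an added example, not code from the original page: a minimal extractor that pulls printable ASCII and UTF-16LE runs out of a byte buffer and tags the ones matching the page's three patterns (URLs, credential keywords, registry run keys). The `SAMPLE` buffer, the category names and the `extract_strings`/`tag_interesting` helpers are all constructed for this demo.

```python
import re

MIN_LEN = 8  # same default the page uses with `strings -n 8`

# Strings worth a second look, keyed by the category we report (constructed list)
INTERESTING = {
    "url": re.compile(r"https?://", re.I),
    "credential": re.compile(r"passw(?:or)?d|credential", re.I),
    "registry": re.compile(r"HKEY_|CurrentVersion\\Run", re.I),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, covering plain ASCII and UTF-16LE strings the way
    `strings` and `strings -el` would."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # wide text shows up as printable byte, NUL, printable byte, NUL, ...
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_run.finditer(data)]
    return sorted(found)  # by offset


def tag_interesting(found):
    """Pair each string that matches an INTERESTING pattern with its category."""
    tagged = []
    for offset, enc, text in found:
        for category, pattern in INTERESTING.items():
            if pattern.search(text):
                tagged.append((category, offset, enc, text))
                break
    return tagged


# Constructed stand-in for a binary: DOS magic, junk, an ASCII URL, a wide
# registry path, a too-short string, an API name and an ASCII registry hive.
SAMPLE = (
    b"MZ\x90\x00" + bytes(range(32))
    + b"http://update.example.invalid/gate.php\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"short\x00"
    + b"GetPasswordW\x00"
    + b"HKEY_CURRENT_USER\\Environment\x00"
)

if __name__ == "__main__":
    for category, offset, enc, text in tag_interesting(extract_strings(SAMPLE)):
        print(f"{offset:#08x} {enc:8} {category:10} {text}")
```

Wide strings are the ones most often missed in a first pass: Windows malware stores registry paths, mutex names and file paths as UTF-16 far more often than as ASCII, so a grep over plain `strings` output can come back empty while the indicators are right there in the file.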
PE Header Analysis
```python
# Python with pefile (pip install pefile)
import pefile

pe = pefile.PE('suspicious.exe')

# Check sections: high entropy (>7) suggests packed/encrypted content
for section in pe.sections:
    name = section.Name.decode(errors='replace').rstrip('\x00')
    print(f"{name} - Entropy: {section.get_entropy():.2f}")

# Import table: APIs commonly used for process injection
suspicious_imports = {'VirtualAlloc', 'WriteProcessMemory',
                      'CreateRemoteThread', 'NtUnmapViewOfSection'}

# The import directory is absent on some samples (e.g. packed ones), so guard the attribute
for entry in getattr(pe, 'DIRECTORY_ENTRY_IMPORT', []):
    for imp in entry.imports:
        if imp.name and imp.name.decode() in suspicious_imports:
            print(f"SUSPICIOUS: {imp.name.decode()} (from {entry.dll.decode()})")
```
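The entropy threshold in the comment above comes from Shannon entropy measured in bits per byte: 8.0 for uniformly random data, 0.0 for a constant buffer, and typically 4.5 to 6.5 for native code. The following is an added example, not code from the original page or from pefile: the calculation implemented on raw bytes, so it can be applied to any slice (a section, an overlay, a resource blob), with a verdict mapping and a check for section names that well-known packers leave behind. The `SECTIONS` buffers and the helper names are constructed for this demo.

```python
import math
from collections import Counter

# Section names commonly left by packers/protectors (a hint, not proof)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".themida", ".vmp0", ".vmp1", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    entropy = 0.0
    length = len(data)
    for count in Counter(data).values():
        p = count / length
        entropy -= p * math.log2(p)
    return entropy


def classify_entropy(entropy: float) -> str:
    """Map the value onto the rule of thumb used in the pefile snippet above."""
    if entropy > 7.0:
        return "packed/encrypted"
    if entropy > 6.0:
        return "compressed or mixed"
    return "plain code/data"


def assess_section(name: str, data: bytes) -> dict:
    """Combine the entropy verdict with the packer section-name hint."""
    e = shannon_entropy(data)
    return {
        "name": name,
        "entropy": round(e, 2),
        "verdict": classify_entropy(e),
        "packer_name_hint": name in PACKER_SECTION_NAMES,
    }


# Constructed stand-ins for section contents
SECTIONS = {
    ".text": b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 500,  # repeated x86 prologue/epilogue bytes
    ".rdata": b"\x00" * 4096,                           # zero padding
    "UPX1": bytes(range(256)) * 16,                     # every byte value equally often
}

if __name__ == "__main__":
    for name, data in SECTIONS.items():
        r = assess_section(name, data)
        flag = " (packer section name)" if r["packer_name_hint"] else ""
        print(f"{r['name']:8} entropy={r['entropy']:.2f} {r['verdict']}{flag}")
```

Two caveats when reading the numbers: compressed resources (PNG, ZIP, certificates) score above 7 without being malicious, and a packer that keeps its stub unpacked will show one low-entropy section next to a high-entropy one, so the per-section view is more telling than a single whole-file value.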
Dynamic Analysis (Behavioral)
Setting Up a Safe Environment
- Use isolated VM (VirtualBox, VMware)
- Disable network or use INetSim for fake services
- Take snapshots before execution
- Monitor with Process Monitor, Wireshark
Monitoring Tools
Process Monitor (Windows)
Monitor file system, registry, and process activity in real-time.
- Filter: Process Name contains "suspicious"
- Capture: File, Registry, Network operations
Network Capture
```bash
# Capture C2 communication
tcpdump -i eth0 -w malware_traffic.pcap

# Analyze with Wireshark
# Look for:
# - DNS queries to suspicious domains
# - HTTP/HTTPS to unknown IPs
# - Beaconing patterns
```
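"Beaconing" means the implant contacts its C2 at a near-fixed interval, so the signal to look for is a destination whose inter-connection times have a low spread relative to their mean. The following is an added example, not code from the original page or from Wireshark: a detector that takes per-connection records as an analyst would export them from a capture (timestamp, destination), groups them by destination, and flags destinations whose interval coefficient of variation is below a jitter threshold. The `FLOWS` records use documentation address ranges and are constructed for this demo; `find_beacons` and its parameters are assumptions of the example.

```python
import statistics
from collections import defaultdict


def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """flows: iterable of (epoch_seconds, destination).
    Returns one dict per destination that was contacted at least
    min_connections times with a coefficient of variation (stdev / mean of
    the gaps between connections) at or below max_jitter."""
    by_dst = defaultdict(list)
    for ts, dst in flows:
        by_dst[dst].append(ts)

    results = []
    for dst, stamps in by_dst.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call a rhythm
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue  # duplicate timestamps, nothing to measure
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_jitter:
            results.append({"dst": dst, "connections": len(stamps),
                            "interval_s": round(mean, 1), "jitter": round(cv, 3)})
    return sorted(results, key=lambda r: r["jitter"])


# Constructed flow records: one 60-second beacon with a few seconds of jitter,
# one bursty "browsing-like" destination, and one destination seen only 3 times.
BASE = 1_700_000_000
FLOWS = (
    [(BASE + off, "192.0.2.10:443") for off in (0, 62, 119, 183, 238, 301, 360, 422)]
    + [(BASE + off, "198.51.100.7:80") for off in (5, 9, 130, 131, 400, 405, 900)]
    + [(BASE + off, "203.0.113.5:53") for off in (10, 20, 30)]
)

if __name__ == "__main__":
    for r in find_beacons(FLOWS):
        print(f"{r['dst']:18} n={r['connections']} every ~{r['interval_s']}s jitter={r['jitter']}")
```

Raise `max_jitter` when hunting implants that randomize their sleep (the page's Cobalt Strike entry is the classic case, since its profiles set a jitter percentage), and lower `min_connections` only if the capture window is short; otherwise update checkers and NTP will dominate the output and the real check is whether the flagged destination is one the host has a business reason to talk to.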
Reverse Engineering
Disassembly with Ghidra
Ghidra workflow:
1. Import binary
2. Auto-analyze
3. Find entry point (main/WinMain)
4. Identify key functions:
   - Anti-analysis checks
   - Encryption/decryption routines
   - C2 communication
   - Persistence mechanisms
Common Anti-Analysis Techniques
- VM Detection: Check for VMware/VBox artifacts
- Debugger Detection: IsDebuggerPresent, timing checks
- Sandbox Evasion: Check mouse movement, delay execution
- Packing/Obfuscation: UPX, custom packers
Common Malware Families
| Family | Type | Key Characteristics |
|---|---|---|
| LockBit 3.0 | Ransomware | RaaS, fast encryption, double extortion |
| Emotet | Loader/Banker | Modular, email spreading, C2 rotation |
| Cobalt Strike | RAT/C2 | Beacon, DNS/HTTP C2, malleable profiles |
| QakBot | Banking Trojan | Thread hijacking, webinjects |
| AgentTesla | Infostealer | Keylogger, credential theft |
Extracting IOCs
Key indicators to extract during analysis:
- File Hashes: MD5, SHA1, SHA256
- C2 Domains/IPs: Command and control servers
- Mutex Names: Used for single-instance check
- Registry Keys: Persistence locations
- File Paths: Dropped files, staging directories
- YARA Rules: Detection signatures
```yara
// YARA rule example
rule SuspiciousExe {
    meta:
        description = "Detects suspicious executable"
        author = "WhoisNexus"
    strings:
        $mz = "MZ"
        $s1 = "VirtualAlloc" ascii
        $s2 = "WriteProcessMemory" ascii
        $c2 = /https?:\/\/[a-z0-9\-\.]+\.[a-z]{2,}/
    condition:
        $mz at 0 and 2 of ($s*) and $c2
}
```
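Most of the indicator types in the list above end up scattered through strings output, sandbox reports and analyst notes, and the last step before sharing is to defang the network ones so nobody clicks them. The following is an added example, not code from the original page: an extractor that pulls hashes (classified by length), IPv4 addresses (with octet validation), URLs, domains, registry keys, mutex names and Windows paths out of free text, and a `defang` helper for the report. The `SAMPLE_TEXT`, the hash values in it and the helper names are constructed for this demo and are not real indicators.

```python
import re

HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
HASH_NAMES = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
REGKEY_RE = re.compile(r"\bHK(?:LM|CU|EY_[A-Z_]+)\\[^\s\"]+")
MUTEX_RE = re.compile(r"(?:Global|Local)\\[^\s\"]+")
WINPATH_RE = re.compile(r"\b[A-Za-z]:\\[^\s\"]+|%[A-Za-z]+%\\[^\s\"]+")

# Dotted names ending in these are file names, not domains (heuristic)
FILE_EXTENSIONS = {"exe", "dll", "php", "txt", "dat", "tmp", "bat", "sys", "bin", "zip", "doc", "js", "vbs"}


def valid_ipv4(candidate: str) -> bool:
    """Reject dotted quads with an octet above 255 (e.g. 999.1.1.1)."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def defang(indicator: str) -> str:
    """Make a URL, domain or IP non-clickable for reports: http -> hxxp, '.' -> '[.]'.
    Every dot is bracketed, path included, so nothing in the line auto-links."""
    return re.sub(r"^http", "hxxp", indicator, flags=re.I).replace(".", "[.]")


def extract_iocs(text: str) -> dict:
    """Return {indicator_type: sorted list of unique values} for the text."""
    iocs = {k: set() for k in ("md5", "sha1", "sha256", "ipv4", "url",
                               "domain", "registry", "mutex", "path")}
    for h in HASH_RE.findall(text):
        iocs[HASH_NAMES[len(h)]].add(h.lower())
    for ip in IPV4_RE.findall(text):
        if valid_ipv4(ip):
            iocs["ipv4"].add(ip)
    iocs["url"].update(URL_RE.findall(text))
    for d in DOMAIN_RE.findall(text):
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS:
            iocs["domain"].add(d.lower())
    iocs["registry"].update(REGKEY_RE.findall(text))
    iocs["mutex"].update(MUTEX_RE.findall(text))
    iocs["path"].update(WINPATH_RE.findall(text))
    return {k: sorted(v) for k, v in iocs.items()}


def defanged_report(iocs: dict) -> dict:
    """Copy of the IOC dict with network indicators defanged for sharing."""
    report = dict(iocs)
    for key in ("url", "domain", "ipv4"):
        report[key] = [defang(v) for v in iocs[key]]
    return report


# Constructed analyst notes; hashes are patterns, addresses are documentation ranges
SAMPLE_TEXT = r"""
sha256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef (sample.exe)
sha1: 0123456789abcdef0123456789abcdef01234567
md5=00112233445566778899aabbccddeeff
Beacon to http://update.example.invalid/gate.php every 60s, fallback 192.0.2.10:443
DNS: cdn.example.invalid; bogus IP 999.1.1.1 must be rejected
Mutex: Global\Svc_Demo_Mutex
Persist: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Dropped: C:\Users\Public\updater.exe and %APPDATA%\svc\loader.dll
"""

if __name__ == "__main__":
    for kind, values in defanged_report(extract_iocs(SAMPLE_TEXT)).items():
        for v in values:
            print(f"{kind:9} {v}")
```

The domain filter is deliberately a heuristic: anything dotted that ends in a file extension is dropped, which is right for `updater.exe` and wrong for a host under a TLD that happens to look like one, so review the `domain` list by hand before it goes into a blocklist. Hashes are lower-cased so the same sample reported in two cases deduplicates.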
Last updated: December 2024