Key Takeaways
- Static analysis examines code without execution
- Dynamic analysis observes runtime behavior
- Sandboxing is essential for safe analysis
- IOCs help defenders detect and block threats
Safety Warning
NEVER analyze malware on your main system! Always use isolated virtual machines with snapshots. Disable network access or use INetSim to simulate internet. One wrong click can infect your entire network.
1. Malware Analysis Fundamentals
Malware analysis is the process of understanding malicious software's behavior, capabilities, and purpose. Analysts examine samples to extract indicators of compromise (IOCs), develop detection signatures, and understand attacker tactics.
Analysis Types
- Static Analysis: Examining code without execution (strings, imports, structure)
- Dynamic Analysis: Observing behavior during execution (network, file, registry)
- Hybrid Analysis: Combining both approaches
- Memory Analysis: Examining RAM for artifacts
2. Setting Up a Safe Lab
# Recommended Lab Setup:
# 1. Isolated VM (VirtualBox/VMware) - Windows 10/11
# 2. Snapshot before each analysis
# 3. Host-only networking (or INetSim)
# 4. Disable shared folders
# 5. Flare-VM for pre-installed tools
# Install Flare-VM (automated tool installation)
# In admin PowerShell on Windows VM:
# Follow the current README at https://github.com/mandiant/flare-vm first (fresh VM,
# Windows Defender and Windows Update disabled, snapshot taken). Download the
# installer and read it before running it; do not pipe a remote script into iex.
Set-ExecutionPolicy Unrestricted -Force
(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1', "$PWD\install.ps1")
Unblock-File .\install.ps1
.\install.ps1
# REMnux for Linux malware analysis
# Download from https://remnux.org/
3. Static Analysis
File Identification
# Get file hash (unique identifier)
md5sum malware.exe
sha256sum malware.exe
# Check VirusTotal by hash (v3 API; the v2 /vtapi/v2 endpoints are deprecated).
# Look the hash up rather than uploading the file: anything you upload is shared
# with other VT users, which leaks a targeted sample and can tip off the attacker.
curl --request GET \
  --url "https://www.virustotal.com/api/v3/files/$(sha256sum malware.exe | cut -d' ' -f1)" \
  --header "x-apikey: $VT_API_KEY"
# File type identification
file malware.exe
# PE32 executable (GUI) Intel 80386, for MS Windows
# Check for packing/obfuscation
peframe malware.exe
# Or use DIE (Detect It Easy)
String Analysis
# Extract strings
strings malware.exe > strings.txt
strings -el malware.exe >> strings.txt # Unicode
# Look for:
# - URLs, IPs, domains
# - Registry keys
# - File paths
# - API names (CreateRemoteThread, VirtualAlloc)
# - Error messages
# - Crypto artifacts
# FLOSS (FLARE Obfuscated String Solver)
floss malware.exe # Extracts obfuscated strings
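The categories listed above are what an analyst scans strings.txt for by eye; the following added example (not code from the original page) does the same pass programmatically. It reproduces what `strings` and `strings -el` extract (ASCII runs and UTF-16LE runs of at least four characters), then buckets each string as URL, IPv4, registry key, file path, or suspicious API name. The SAMPLE bytes, the hostname update.example-c2.test and the API list are constructed for the demo.

```python
import re

# Constructed stand-in for the bytes of malware.exe (not a real sample): ASCII and
# UTF-16LE strings separated by NULs and mixed with non-printable noise.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"http://update.example-c2.test/gate.php\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16le") + b"\x00\x00"
    + b"CreateRemoteThread\x00VirtualAlloc\x00\x7f\x12\x03"
    + b"10.0.0.5\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
# UTF-16LE text is a printable ASCII byte followed by a NUL, repeated.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

SUSPICIOUS_APIS = (
    "CreateRemoteThread", "WriteProcessMemory", "VirtualAlloc", "VirtualProtect",
    "WinExec", "CreateProcess", "RegSetValue", "InternetOpen", "URLDownloadToFile",
)
# First matching category wins, so order matters.
CATEGORIES = (
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("registry", re.compile(r"^(?:HKEY_|HKLM\\|HKCU\\|SOFTWARE\\|SYSTEM\\)", re.I)),
    ("path", re.compile(r"^[A-Za-z]:\\")),
)


def extract_strings(data: bytes) -> list[str]:
    """Same output as `strings` followed by `strings -el`: ASCII runs, then UTF-16LE runs."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    utf16_hits = [m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data)]
    return ascii_hits + utf16_hits


def classify(s: str) -> str:
    for name, pattern in CATEGORIES:
        if pattern.search(s):
            return name
    if any(api in s for api in SUSPICIOUS_APIS):
        return "api"
    return "other"


def triage(data: bytes) -> dict[str, list[str]]:
    """Bucket extracted strings into the IOC-like categories listed above."""
    report: dict[str, list[str]] = {}
    for s in extract_strings(data):
        report.setdefault(classify(s), []).append(s)
    return report


if __name__ == "__main__":
    for category, items in triage(SAMPLE).items():
        print(category, items)
```

Run it against a real file with `triage(open("malware.exe", "rb").read())`. Expect a lot of "other" output from any real binary; the value is in the four IOC buckets and the API bucket, and in what is absent: a packed sample yields almost nothing here, which is itself a finding (and the cue to run FLOSS or unpack first).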
PE Header Analysis
# Python with pefile (pip install pefile)
import pefile

pe = pefile.PE('malware.exe')

# Imports - what APIs does it use? A packed sample often imports almost nothing
# (just LoadLibrary/GetProcAddress) and resolves the rest at runtime.
if hasattr(pe, 'DIRECTORY_ENTRY_IMPORT'):
    for entry in pe.DIRECTORY_ENTRY_IMPORT:
        print(entry.dll.decode())
        for imp in entry.imports:
            # imp.name is None for imports by ordinal
            print(f"  {imp.name.decode() if imp.name else f'ordinal {imp.ordinal}'}")

# Suspicious imports:
# CreateRemoteThread, WriteProcessMemory - Process injection
# VirtualAlloc, VirtualProtect - Shellcode execution
# WinExec, CreateProcess - Command execution
# RegSetValue - Persistence
# InternetOpen, URLDownloadToFile - C2 communication

# Sections - look for high entropy (packed/encrypted). Entropy is 0-8 bits per byte;
# above roughly 7.0 usually means compressed or encrypted data.
for section in pe.sections:
    name = section.Name.rstrip(b'\x00').decode(errors='replace')
    print(name, round(section.get_entropy(), 2))
4. Dynamic Analysis
Process Monitoring
# Process Monitor (Procmon)
# Filter: Process Name contains malware.exe
# Capture: File, Registry, Network, Process activity
# Process Hacker / Process Explorer
# - View process tree
# - Check loaded DLLs
# - View network connections
# - Analyze memory strings
# API Monitor
# Hook and log API calls in real-time
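A Procmon session on a live sample easily produces hundreds of thousands of events, so the practical step after capturing is reducing the export to the handful an analyst writes up as IOCs. The following added example (not from the original page) does that over a Procmon CSV export: it keeps only the target process and flags Run-key writes as persistence, executable writes into user-writable directories as dropped files, Process Create events as child processes, and TCP/UDP events as network contacts. The PROCMON_CSV text is constructed for the demo; the column names match Procmon's "File > Save" CSV layout, and the paths, PIDs and the address 203.0.113.7 are invented.

```python
import csv
import io

# Constructed Procmon CSV export (not a real capture).
PROCMON_CSV = '''\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","malware.exe","4120","CreateFile","C:\\Users\\victim\\AppData\\Roaming\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.3","malware.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"
"10:01:02.5","malware.exe","4120","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 4188, Command line: cmd.exe /c ping 127.0.0.1 -n 3"
"10:01:03.0","malware.exe","4120","TCP Connect","victim-pc:49710 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:01:03.2","explorer.exe","1440","RegQueryValue","HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Type: REG_SZ"
'''

# Registry paths that give a binary a foothold across reboots (lower-cased substrings).
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\services\\")
# Directories a non-admin process can write to; executables appearing here are "drops".
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")


def triage_procmon(csv_text: str, target: str = "malware.exe") -> list[tuple[str, str]]:
    """Reduce a Procmon export to (kind, detail) findings for the target process."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != target.lower():
            continue  # equivalent to Procmon's "Process Name is malware.exe" filter
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        low = path.lower()
        if op == "RegSetValue" and any(k in low for k in PERSISTENCE_KEYS):
            findings.append(("persistence", f"{path} <- {detail}"))
        elif (op == "CreateFile" and "Generic Write" in detail
              and any(d in low for d in USER_WRITABLE_DIRS)
              and low.endswith((".exe", ".dll", ".ps1", ".bat"))):
            findings.append(("dropped_file", path))
        elif op == "Process Create":
            findings.append(("child_process", detail))
        elif op in ("TCP Connect", "UDP Send") and "->" in path:
            findings.append(("network", path.split("->", 1)[1].strip()))
    return findings


if __name__ == "__main__":
    for kind, detail in triage_procmon(PROCMON_CSV):
        print(f"{kind:14} {detail}")
```

Filtering on one process name is the weak point: injected code runs under another process's name, so after the first pass re-run the triage with `target` set to each child process and to any process the sample opened with write access.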
Network Analysis
# Wireshark capture on the host-only interface (or on the REMnux/INetSim VM)
# Filter: ip.addr == <analysis VM IP>   (or: dns || http, to see only the C2 attempts)
# FakeNet-NG / INetSim
# Simulate internet services (HTTP, DNS, SMTP)
# Capture C2 communication attempts
# Start INetSim (the option is --conf; the default config is /etc/inetsim/inetsim.conf).
# Point the analysis VM's DNS server and default gateway at the INetSim host so every
# lookup and connection lands in its fake services.
sudo inetsim --conf /etc/inetsim/inetsim.conf
# DNS queries reveal C2 domains
# HTTP requests show C2 protocol
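Reading the queried names out of the DNS traffic is the first network IOC step, and Windows itself generates plenty of lookups that are noise. The following added example (not code from the original page) decodes the question section of raw DNS query packets (RFC 1035 label encoding) and counts the names that are not on an allowlist of expected background domains. The packets in CAPTURE are built by the script itself rather than read from a pcap; the domains under example-c2.test are invented, and the NOISE_DOMAINS list is a small illustrative allowlist, not a complete one.

```python
import struct


def build_dns_query(tid: int, name: str, qtype: int = 1) -> bytes:
    """Encode a standard recursive query with one question (constructed traffic for the demo)."""
    header = struct.pack("!HHHHHH", tid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return header + qname + b"\0" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_dns_question(packet: bytes) -> tuple[int, str, int]:
    """Return (transaction id, queried name, qtype) from the first question of a query."""
    tid, _flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", packet, 0)
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # 11xxxxxx = compression pointer; not valid in a query's first question
            raise ValueError("unexpected compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack_from("!HH", packet, pos)
    return tid, ".".join(labels), qtype


# Illustrative allowlist of domains a Windows VM talks to on its own.
NOISE_DOMAINS = ("microsoft.com", "windowsupdate.com", "msftconnecttest.com")


def is_noise(name: str) -> bool:
    # Match the domain or a subdomain of it, never a look-alike such as evilwindowsupdate.com.
    return any(name == d or name.endswith("." + d) for d in NOISE_DOMAINS)


def candidate_c2(packets: list[bytes]) -> dict[str, int]:
    """Count queries per name after dropping expected background traffic."""
    counts: dict[str, int] = {}
    for pkt in packets:
        _, name, _ = parse_dns_question(pkt)
        if not is_noise(name):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed capture: what the VM might query in the first seconds after detonation.
CAPTURE = [
    build_dns_query(0x1A2B, "www.msftconnecttest.com"),
    build_dns_query(0x1A2C, "update.example-c2.test"),
    build_dns_query(0x1A2D, "update.example-c2.test"),
    build_dns_query(0x1A2E, "ctldl.windowsupdate.com"),
    build_dns_query(0x1A2F, "a1b2c3d4e5.example-c2.test", qtype=16),  # TXT: a common C2 channel
]

if __name__ == "__main__":
    for name, n in candidate_c2(CAPTURE).items():
        print(f"{n:3}  {name}")
```

To feed it real traffic, extract the UDP payloads of port 53 packets from the Wireshark capture (for example with scapy or `tshark -T fields`); DNS over TCP carries a two-byte length prefix before the same message, which this parser does not strip. Repeated lookups of a name with no matching answer, or TXT/NULL queries, are the patterns worth chasing.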
Sandbox Analysis
# Online sandboxes
# - Any.run (interactive)
# - Hybrid Analysis (free)
# - Joe Sandbox (detailed)
# - VirusTotal Behavior
# Local sandbox with Cuckoo 2.x (unmaintained, Python 2) or its maintained fork CAPEv2
cuckoo                       # start the scheduler in one terminal (it drives the analysis VMs)
cuckoo web                   # optional web UI on http://localhost:8000
cuckoo submit malware.exe    # queue the sample; the report lands under $CWD/storage/analyses/<task_id>/
5. Reverse Engineering
Ghidra (Free)
# Ghidra workflow:
# 1. Create project, import binary
# 2. Auto-analyze
# 3. Navigate to entry point
# 4. Identify main() or WinMain()
# 5. Rename functions as you understand them
# 6. Add comments
# 7. Use decompiler for C-like code
# Key shortcuts:
# G - Go to address
# X - Cross-references
# L - Rename label
# ; - Add comment
x64dbg (Debugger)
# Dynamic reversing:
# 1. Load malware in x64dbg
# 2. Set breakpoints on suspicious APIs
# 3. Step through code
# 4. Examine registers and memory
# 5. Bypass anti-analysis checks
# Common breakpoints (x64dbg resolves exported names once the DLL is loaded, so set
# them at the entry point, not before the process has mapped its imports):
bp VirtualAlloc
bp CreateProcessW
bp InternetConnectA
bp RegSetValueExW
# Many kernel32 exports are thin forwarders to kernelbase/ntdll. If a breakpoint never
# hits although the behaviour clearly happens, break on the underlying ntdll call instead
# (NtAllocateVirtualMemory, NtCreateUserProcess, NtSetValueKey).
6. Common Malware Types
- RAT (Remote Access Trojan): Full remote control, keylogging, screenshots
- Ransomware: Encrypts files, demands payment
- Botnet: Part of zombie network for DDoS, spam
- Stealer: Extracts credentials, cookies, crypto wallets
- Dropper/Loader: Downloads and executes additional payloads
- Rootkit: Hides presence, persists at kernel level
- Worm: Self-propagating across networks
7. Essential Tools
Malware Analyst Toolkit
- Ghidra/IDA Pro: Disassemblers and decompilers
- x64dbg/OllyDbg: Windows debuggers
- Process Monitor: System activity monitoring
- Wireshark: Network capture
- YARA: Pattern matching for detection rules
- PE-bear/pestudio: PE analysis
- Cuckoo: Automated sandbox
8. Extracting IOCs
# Key IOC types:
# - File hashes (MD5, SHA1, SHA256)
# - C2 domains and IPs
# - Mutex names
# - Registry keys for persistence
# - Dropped file names and paths
# - YARA signatures
# YARA rule example (a template: the strings are placeholders, not verified IOCs;
# replace them with values from your own static and dynamic analysis)
rule Example_Loader {
    meta:
        description = "Illustrative loader rule; strings are placeholders"
    strings:
        $s1 = "POST"                       // weak on its own: every HTTP client contains it
        $s2 = { 8B 45 ?? 83 C0 ?? 50 }     // code pattern; ?? matches any byte
        $mutex = "Global\\I98B68E3C"       // mutex name seen during dynamic analysis (placeholder)
    condition:
        uint16(0) == 0x5A4D and all of them   // "MZ" header (little-endian) and every string present
}
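To make the rule above concrete, here is an added example (not from the original page, and not a substitute for the real `yara` CLI or yara-python) that re-implements the subset of YARA semantics the rule relies on: text strings are exact, case-sensitive byte matches, a hex string with `??` wildcards becomes a byte-level pattern, and `uint16(0) == 0x5A4D` reads the first two bytes little-endian and compares them to "MZ". It then evaluates the condition over three constructed buffers, including one that shows why `$s1 = "POST"` contributes nothing on its own. The mutex value is the page's placeholder, not a verified indicator.

```python
import re


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string such as '{ 8B 45 ?? 83 C0 ?? 50 }' into a bytes regex.
    Only full bytes and '??' wildcards are handled (no jumps like [2-4], no nibble wildcards)."""
    tokens = pattern.strip().lstrip("{").rstrip("}").split()
    parts = []
    for tok in tokens:
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"unsupported hex-string token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so ?? also matches 0x0A


# The three strings from the rule above (placeholders, not verified IOCs).
RULE_STRINGS = {
    "$s1": b"POST",
    "$s2": hex_pattern_to_regex("{ 8B 45 ?? 83 C0 ?? 50 }"),
    "$mutex": b"Global\\I98B68E3C",
}


def string_hits(data: bytes) -> dict[str, bool]:
    """Which of the rule's strings occur anywhere in the buffer."""
    hits = {}
    for name, needle in RULE_STRINGS.items():
        if isinstance(needle, bytes):
            hits[name] = needle in data              # text string: exact, case-sensitive
        else:
            hits[name] = needle.search(data) is not None
    return hits


def rule_matches(data: bytes) -> bool:
    """condition: uint16(0) == 0x5A4D and all of them"""
    is_mz = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    return is_mz and all(string_hits(data).values())


# Constructed buffers, not real samples.
SAMPLE_HIT = (b"MZ" + b"\0" * 14 + b"POST /gate.php HTTP/1.1\0"
              + bytes([0x8B, 0x45, 0xFC, 0x83, 0xC0, 0x04, 0x50])   # the ?? bytes are FC and 04
              + b"\0Global\\I98B68E3C\0")
SAMPLE_NEAR_MISS = b"MZ" + b"POST" + bytes([0x8B, 0x45, 0xFC, 0x83, 0xC1, 0x04, 0x50])  # C1 != C0, no mutex
SAMPLE_NOT_PE = (b"%PDF-1.4\n" + b"POST"
                 + bytes([0x8B, 0x45, 0x00, 0x83, 0xC0, 0x10, 0x50]) + b"Global\\I98B68E3C")

if __name__ == "__main__":
    for label, buf in (("hit", SAMPLE_HIT), ("near miss", SAMPLE_NEAR_MISS), ("not PE", SAMPLE_NOT_PE)):
        print(f"{label:10} {rule_matches(buf)}  {string_hits(buf)}")
```

The near-miss buffer is the one to study: a single byte difference in the code pattern defeats the rule, which is why a hex string should be taken from a stable part of the code (the decryption loop, a config parser) rather than from a compiler-generated prologue that recompilation will shuffle. The "not PE" buffer passes every string but fails the header check, so the `uint16(0)` guard keeps the rule from firing on memory dumps and documents where those strings merely appear in data.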
FAQ
Can malware detect it's being analyzed?
Yes! Malware uses anti-analysis techniques: VM detection, debugger detection, timing checks, and environment checks. You must bypass these during analysis.
How do I get started in malware analysis?
Set up a FLARE-VM lab, practice with samples from MalwareBazaar or theZoo (handle them only inside the isolated VM, never on the host), and work through the book Practical Malware Analysis.