Key Takeaways

  • Always analyze malware in isolated environments (VMs, sandboxes).
  • Static analysis examines code without execution.
  • Dynamic analysis observes behavior during execution.
  • Combine approaches for comprehensive understanding.
  • Document IoCs for threat intelligence sharing.
  • Malware often detects analysis environments.

1. Introduction to Malware Analysis

Malware analysis is the process of understanding how malicious software works, what it does, and how to detect and defend against it. Analysts reverse engineer malware to extract indicators of compromise (IoCs), understand attack tactics, and develop protections.

There are three main approaches: static analysis (examining code without running it), dynamic analysis (observing behavior during execution), and reverse engineering (deeply analyzing code logic with disassemblers and debuggers).

Safety First

Never analyze malware on production systems or on the machine you use for email and browsing. Use an isolated virtual machine and take a clean snapshot before each run so the VM can be reverted afterwards. Put the VM on a host-only or internal network, never bridged to a network that reaches production, and answer its outbound traffic with a simulator such as FakeNet-NG. VM-escape vulnerabilities exist but are rare; for high-risk samples, use a dedicated physical analysis machine or a hardware-isolated sandbox.

2. Setting Up a Safe Lab

2.1 Virtual Environment

2.2 Flare VM Tools

# Flare VM includes:
- Debuggers: x64dbg, OllyDbg, WinDbg
- Disassemblers: IDA Free, Ghidra
- PE Analysis: PEStudio, PE-bear, CFF Explorer
- Process Analysis: Process Hacker (now System Informer), Process Monitor
- Network: Wireshark, FakeNet-NG
- Utilities: HxD, CyberChef, YARA

3. Static Analysis

Static analysis examines malware without executing it. This is safer and reveals code structure, strings, imports, and potential capabilities.

3.1 File Identification

# File type identification
file suspicious.exe
# suspicious.exe: PE32 executable (GUI) Intel 80386, for MS Windows

# Calculate hashes (SHA-256 is the value to share; MD5 is kept only for matching older reports)
sha256sum suspicious.exe
md5sum suspicious.exe

# Check VirusTotal
# Search by hash first. Uploading the file makes it visible to other users,
# including the attacker, and can burn a targeted sample.

3.2 String Analysis

# Extract strings
strings suspicious.exe | less

# Look for:
- URLs and domains (C2 servers)
- IP addresses
- File paths
- Registry keys
- Error messages
- Encryption constants
- API names

3.3 PE Header Analysis

# PEStudio analysis reveals:
- Imports: Which Windows APIs are used
- Sections: Code, data, resources
- Compiler info: When and how it was built
- Entropy: High entropy suggests packing/encryption
- Suspicious indicators: Known bad patterns
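The items above, plus the hashes from section 3.1, can be produced without PEStudio by walking the PE headers directly. The following Python script is an added example, not code from the page, and it parses a PE built in memory for the demo (a constructed stand-in for a UPX-packed sample, not a real binary): it reads the machine type, the PE32/PE32+ magic, the COFF timestamp and each section's raw bytes, computes Shannon entropy per section, and flags sections that are both writable and executable. The section names, the timestamp and the entropy threshold of 7.0 are assumptions chosen for the example.

```python
import hashlib
import json
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
PACKED_ENTROPY = 7.0  # assumed threshold (bits/byte) above which a section looks compressed/encrypted


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, close to 8.0 for random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table by hand."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # first field of the optional header
    table = e_lfanew + 24 + opt_size                            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, vaddr, raw_size, raw_ptr, *_, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "vaddr": vaddr,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
            # writable + executable is the classic self-modifying / unpacking stub signature
            "rwx": bool(flags & IMAGE_SCN_MEM_EXECUTE and flags & IMAGE_SCN_MEM_WRITE),
        })
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compiled": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "sections": sections,
        "packed_hint": any(s["entropy"] > PACKED_ENTROPY for s in sections),
    }


def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed sample: a low-entropy .text section and a
    high-entropy, writable+executable UPX1 section. It parses but does not run."""
    rng = random.Random(1337)
    text = b"\x90" * 2048 + b"\xCC" * 2048                      # two symbols -> entropy exactly 1.0
    packed = bytes(rng.getrandbits(8) for _ in range(4096))     # pseudo-random -> about 7.95
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * 222          # PE32 magic, remainder zeroed
    sec = struct.Struct("<8sIIIIIIHHI")
    table = sec.pack(b".text", 4096, 0x1000, 4096, 512, 0, 0, 0, 0, 0x60000020)
    table += sec.pack(b"UPX1", 4096, 0x2000, 4096, 4608, 0, 0, 0, 0, 0xE0000040)
    headers = dos + b"PE\x00\x00" + coff + optional + table
    return headers + b"\x00" * (512 - len(headers)) + text + packed


if __name__ == "__main__":
    print(json.dumps(parse_pe(build_sample_pe()), indent=2))
```

Entropy alone is a hint, not a verdict: resource sections holding compressed images or certificates also score high, so read the flag together with the section name, the RWX bit and the import count.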

4. Dynamic Analysis

Dynamic analysis executes the malware in a controlled environment to observe its behavior.

4.1 Process Monitoring

# Process Monitor (Procmon) filters:
- Scope: Process Name is suspicious.exe (add child processes as they appear)
- File writes: Operation is WriteFile (or CreateFile with Generic Write in Detail)
- Registry changes: Operation begins with Reg; narrow to RegSetValue/RegCreateKey
  for persistence, and watch Reg lookups that return NAME NOT FOUND for VM checks
- Network: Operation begins with TCP or UDP (TCP Connect, TCP Send, UDP Send)

# Process Hacker shows:
- Running processes and their tree (parent/child relationships)
- Injected DLLs and threads in other processes
- Memory regions (private RWX regions are a red flag) and their strings
- Network connections per process
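The filters above can also be applied offline to a Procmon CSV export, which is useful for diffing two runs or feeding a report. The following Python script is an added example, not part of the page; the CSV rows are constructed to mimic Procmon's export layout (same column names), and the process name, paths and addresses are invented. It separates registry writes from registry reads so that a persistence entry under Run is not buried among hundreds of RegQueryValue calls, and it keeps the NAME NOT FOUND lookup of a VMware key visible because that is what a VM check looks like in Procmon.

```python
import csv
import io

# Constructed rows in the column layout of a Procmon CSV export (File > Save > CSV).
# Not a real capture; the values are made up so that each filter catches something.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.0012","suspicious.exe","4120","Process Start","","SUCCESS","Parent PID: 3380"
"10:15:02.1103","suspicious.exe","4120","CreateFile","C:\Users\Public\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:15:02.1110","suspicious.exe","4120","WriteFile","C:\Users\Public\svchost.exe","SUCCESS","Offset: 0, Length: 212,992"
"10:15:02.2201","suspicious.exe","4120","RegOpenKey","HKLM\SOFTWARE\VMware, Inc.\VMware Tools","NAME NOT FOUND","Desired Access: Read"
"10:15:02.2305","suspicious.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 58, Data: C:\Users\Public\svchost.exe"
"10:15:03.0451","suspicious.exe","4120","TCP Connect","win10-lab:49812 -> 192.0.2.44:443","SUCCESS","Length: 0"
"10:15:03.0500","explorer.exe","1844","WriteFile","C:\Users\analyst\AppData\Local\IconCache.db","SUCCESS","Offset: 0, Length: 4,096"
"10:15:03.1002","suspicious.exe","4120","UDP Send","win10-lab:61020 -> 192.0.2.53:53","SUCCESS","Length: 42"
'''

# Procmon operations that modify the registry; everything else starting with "Reg" is a read.
REGISTRY_WRITES = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey", "RegRenameKey"}


def triage_procmon(csv_text: str, process_name: str) -> dict:
    """Apply the page's three Procmon filters, scoped to one process name."""
    out = {"file_writes": [], "registry_changes": [], "registry_reads": [], "network": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue                      # other processes are noise unless you suspect injection
        op, path = row["Operation"], row["Path"]
        if op == "WriteFile":
            if path not in out["file_writes"]:   # one entry per file, not per write call
                out["file_writes"].append(path)
        elif op.startswith("Reg"):
            bucket = "registry_changes" if op in REGISTRY_WRITES else "registry_reads"
            out[bucket].append((op, path, row["Result"]))
        elif op.startswith(("TCP", "UDP")):
            out["network"].append((op, path))
    return out


if __name__ == "__main__":
    for bucket, items in triage_procmon(PROCMON_CSV, "suspicious.exe").items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On a real export, run the script once per process in the tree (the dropper, then whatever it spawned), since a sample that injects into explorer.exe will do its file and network activity under that name.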

4.2 Network Analysis

# Wireshark capture
# Filter for: dns || http || tcp.port == 443

# FakeNet-NG:
- Answers DNS so every queried domain (including C2) resolves to the analysis host
- Serves HTTP/HTTPS listeners that accept whatever the sample sends
- Writes the traffic to a pcap file
- Logs every connection attempt
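To make the fake-DNS behaviour concrete, the following Python script (an added example, not FakeNet-NG's own code) shows both sides of the exchange: it builds the query a sample would send for a C2 domain, builds the answer a fake resolver returns so that the domain resolves to the analysis host, and parses that answer back into the (name, ip, ttl) tuple you would record as an IoC. The domain, the transaction ID and the lab address 192.0.2.1 are assumptions for the demo.

```python
import ipaddress
import struct

LAB_IP = "192.0.2.1"   # assumed address of the analysis box running the fake resolver and listeners


def encode_name(name: str) -> bytes:
    """DNS wire format: length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data: bytes, off: int):
    """Return (name, offset after the name); follows RFC 1035 compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # pointer: top two bits set
            if not jumped:
                end = off + 2                           # the name occupies 2 bytes in this record
            off = struct.unpack_from(">H", data, off)[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """What the sample sends: standard query, recursion desired, one A question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def parse_query(packet: bytes) -> dict:
    txid = struct.unpack_from(">H", packet, 0)[0]
    name, off = decode_name(packet, 12)
    qtype, _qclass = struct.unpack_from(">HH", packet, off)
    return {"id": txid, "qname": name, "qtype": qtype}


def build_fake_answer(query: bytes, answer_ip: str = LAB_IP, ttl: int = 60) -> bytes:
    """What a FakeNet-style resolver replies: same ID and question, plus one A record
    pointing at the lab host so the sample's C2 traffic lands on the analyst's listener."""
    txid = struct.unpack_from(">H", query, 0)[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                                # name + qtype + qclass
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)    # response, RD+RA, one answer
    rr = struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + ipaddress.IPv4Address(answer_ip).packed
    return header + question + rr


def parse_answers(packet: bytes):
    """A records from a response as (name, ip, ttl), i.e. what goes into the IoC list."""
    _, _, qd, an, _, _ = struct.unpack_from(">HHHHHH", packet, 0)
    off = 12
    for _ in range(qd):                                          # skip the echoed question(s)
        _, off = decode_name(packet, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from(">HHIH", packet, off)
        off += 10
        rdata = packet[off:off + rdlen]
        off += rdlen
        if rtype == 1:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return answers


if __name__ == "__main__":
    q = build_query(0x1A2B, "update-check.example.net")
    print("sample asked for  :", parse_query(q)["qname"])
    print("fake resolver said:", parse_answers(build_fake_answer(q)))
```

The queried name is the IoC even when the sample never gets a real answer; log it from the query, not from the response, because a resolver that answers everything says nothing about what the attacker's infrastructure actually is.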

4.3 Automated Sandboxes

Sandbox         | Type            | Features
Cuckoo Sandbox  | Open source     | Full automation, API calls, network
Any.Run         | Commercial/free | Interactive, fast, good reporting
Hybrid Analysis | Free            | CrowdStrike powered, detailed
Joe Sandbox     | Commercial      | Deep analysis, anti-evasion

Treat a sandbox report that shows little or no activity as inconclusive rather than benign: the sample may have detected the environment or slept past the run timeout. Public sandboxes also share submissions, so the same caution as with VirusTotal uploads applies.

5. Reverse Engineering

5.1 Disassembly with Ghidra

# Ghidra workflow:
1. Create new project
2. Import malware binary
3. Analyze (auto-analysis)
4. Navigate to entry point
5. Identify key functions
6. Rename functions as you understand them
7. Add comments for documentation

5.2 Debugging with x64dbg

# x64dbg techniques:
- Set breakpoints on suspicious APIs
- Step through code execution
- Examine registers and memory
- Bypass anti-debugging tricks
- Dump decrypted payloads from memory

Common Anti-Analysis Techniques

Packing: Code is compressed/encrypted and unpacked at runtime; strings and imports stay hidden until you dump the unpacked image from memory
VM Detection: Checks for VMware/VirtualBox artifacts (registry keys, device and driver names, MAC address prefixes, CPUID hypervisor bit)
Debugger Detection: IsDebuggerPresent and the PEB BeingDebugged flag it reads, timing checks around code that runs slowly under single-stepping
Sandbox Detection: Checks for analysis tools, little user interaction, few recent files and short uptime, often combined with long sleeps to outlast the sandbox timeout

6. Malware Types & Behaviors

Type       | Primary Goal     | Key Behaviors
Ransomware | Extortion        | File encryption, shadow copy deletion
Trojan/RAT | Remote access    | C2 communication, persistence, data exfil
Stealer    | Data theft       | Browser data, credentials, screenshots
Dropper    | Payload delivery | Downloads and executes additional malware
Rootkit    | Stealth          | Kernel-level hiding, hooking

7. Analysis Tools

8. Frequently Asked Questions

How do I start learning malware analysis?
Start with basic static analysis (strings, hashes, PE headers). Practice on samples from MalwareBazaar or theZoo, handling them only inside the isolated lab described above. Work through the book Practical Malware Analysis, or a course such as SANS FOR610 if you have the budget. Build skills gradually: static first, then dynamic, then reverse engineering.
Can malware escape virtual machines?
Yes, though it's rare. VM escape vulnerabilities exist. More commonly, malware simply refuses to run in VMs. For high-risk samples, use dedicated physical machines or hardware-isolated sandboxes. For most analysis, properly configured VMs are sufficient.

Conclusion

Malware analysis is a critical skill for understanding threats and developing defenses. Start with static analysis for safety, use dynamic analysis for behavioral insights, and advance to reverse engineering for deep understanding. Always prioritize safety and document your findings for threat intelligence sharing.

Continue Learning:
  • Incident Response
  • Threat Intelligence