Cylabs
  • 😊Welcome to CyLabs
  • 101 Series
    • Cyber Security 101
      • Introduction to Cyber Security and core concepts
      • Getting Started into Cyber Security Career
      • Online Cybersecurity Practice Labs to Sharpen Your Skills
      • Cyber Security Interview Q&A
        • Careers in Cybersecurity
      • Stay Tuned : Cyber Resources
        • Blogs for Cyber Security
          • Blogs
            • Penetration Testing Automation
            • Security
              • Metasploit Framework
              • Jenkins Servers: Identifying Vulnerabilities and Exploiting Unauthenticated Access with Groovy Scrip
              • Securing Your Network: Printer Vulnerabilities, LDAP Exploits, and Defense Strategies
              • SSH for Red Teaming and Security Analysis
              • Operating Systems for Penetration Testing: Enhancing Your Cybersecurity Arsenal
              • Hacking Notes
                • Phineas Fisher
        • Cyber News
        • Leading Cybersecurity Companies to follow
        • Cybersecurity Courses and Certifications: Trends in 2024
        • ISACs: Enhancing Cybersecurity through Collaboration and Information Sharing
        • Global and National Cybersecurity Agencies: Guardians of the Digital Realm
        • Cyber Security News Feed Resources
    • Kubernetes 101
    • Web 101
    • Operating Systems
      • Linux 101
        • Linux Kernel
        • Basic Commands and Usage
          • Shell Commands
        • Linux File System
        • apt
        • su and sudo
        • File Search
        • Linux Services
        • Networking
          • Netcat
        • Corn Jobs
        • Shell Scripting
        • Linux OS API's
      • Windows 101
        • Windows system calls
        • Windows Event Logs and IDs
        • Windows UAC
        • Windows Registry
        • Windows Bit Locker
        • Volume Shadow Copy Service
        • Windows OS API's
    • Building the Security Lab
      • Virtualization with Virtual Box
        • Installing and setting Virtual Box
        • Vritual Box Networking
      • Home Lab Setup
        • PF Sense Installation
        • Ubuntu Installation
        • Metasploit Installation
        • Kali Linux Installation
    • Fundamentals of Programming
      • Python 101
      • Powershell 101
      • SQL 101
    • AI/ML and Data Science for Cyber Security and Analytics
    • IT Infrastructure and Hardware
    • Governance, Risk and Compliance
    • Networking 101
      • Network Packets and Frames
      • Network Switches and Routers: The Backbone of Connectivity
      • Network Security Devices and Strategies
      • Network Design and Architecture: A Foundation for Robust Connectivity
      • Specialized Network Equipment and Functions
      • Network Traffic Management and Analysis
      • Advanced Networking Concepts
      • ARP and RARP
      • How DNS, HTTP and HTTPS works
      • Understanding the Basics of Networking
  • Introduction to Cyber Security Operations
    • Security Architecture and Engineering
      • Security Controls
        • Preventive
        • Deterrent
        • Detective
        • Corrective
        • Compensating
        • Directive
    • GRC
      • Information Security and Risk Management
        • Risk Management
        • Supply Chain Risk Management
        • Governance
        • Asset Management
        • Cyber Security Road Map
        • Cyber Security Controls
        • Cyber Security Strategy and Architecture
        • Cyber Security Architecture
        • Risk Assessment and Security Questionnaire
        • Ransomware Prevention
        • Gap Assessment
        • Principle of Least Privilege
      • Governance
      • Asset Security
      • Communication and Network Security
      • Identity and Access Management
      • Security Assessment and Testing
      • Security Operations
      • Software Development Security
      • Security Baselines
      • Security Reporting
      • Data Loss Prevention
      • Zero Trust
      • MFA
      • Compliance
    • Security Policies and Procedures
    • Offensive Security
      • Stages of Penetration Testing
    • Cyber Defense
      • Security Operations Center (SOC)
        • SOC Architecture Development with ELK Stack:
      • Different Classes of Threat Actor
    • Security Principles, Controls and Strategies
      • Defense in Depth
      • Least Privilege
      • Zero Trust
  • Cyber Security Assessment
    • Planning and Scoping
      • Security Engagement
      • Security Assessment Questionaire
      • Who Targeting you
    • Reconnaissance
      • Active Recon
        • Tools
          • NMAP
          • Maascan
          • Recon-NG
          • Maltego
          • Spider Foot
          • Whois
          • TraceRoute
          • Amass
          • The Harvester
          • Nslookup
          • DNS Dumpster
          • BloodHound
          • Relay Attacks
          • Packet Crafting
          • NMAP+Proxychains+TOR
      • Passive Reconnaissance
        • Network Sniffing
          • Wireshark
          • TCPDump
        • Whois (online services)
        • EMail Account Enumeration
          • Hunter.io
        • Search Engine Analysis
          • Google Hacking Database
          • Shodan
          • Censys.io
        • Information Disclousre
        • Banner Grabbing
        • HTML Scrapping
        • Certificate Transparency Logs
        • Open Source Intelligence (OSINT)
          • Ship OSINT
          • Social Media
          • Code Repositories
          • Darkweb Analysis
          • DNS
          • Cached Pages
          • Password Dumps
          • Anonymity
    • Enumeration
      • OS Finger Printing
      • Service Discovery
      • Protocol Enumeration
      • DNS Enumeration
      • FTP Service
      • HTTP/HTTPS
      • WMI
      • DCOM
      • RPC Remote Procedure Call
      • Directory Enumeration
      • Host Discovery
      • Share Enumeration
        • SMB
      • Local User Enumeration
      • Email Account Enumeration
      • SSH Service
      • Wireless Enumeration
        • Wigle.net
        • InSSIDer
        • Aircrack-ng
      • Permission Enumeration
      • Secrets Enumeration
        • Passwords
        • Session Tokens
        • Cloud Access Keys
      • Attack Path Mapping
      • VNC
      • Web Application Firewall
      • Wordpress Scan
      • Remote Desktop Protocol
      • SNMP
      • SMTP
      • Web Crawling
        • Platform Plugins
        • Sitemap
        • Robots.txt
      • Active Directory Enumeration
    • Vulnerability Assessment and Management
      • Terminology
      • Vulnerability Database
      • Vulnerability Scoring
        • CWE
        • CVSS
        • CVE
        • EPSS
      • Vulnerability Scan
        • Authenticated vs Unauthenticated Scans
        • OS Security Assessment
        • Tenable
        • Nikto
        • Open VAS
      • Exploit Databases
      • Tools
        • Tenable.IO
        • Open VAS
    • Exploitation
      • Attack Surface and Target Prioritization
        • High Valued Assets and Identification
        • Vulnerability Metrics
        • End of Life Softwares
        • Default Configuration
        • Running Services
        • Vulnerable Encryption Methods
        • Defensive Capabilities
        • Attack Path
      • Attack Types
        • Network Attacks
          • Virtual LAN Hopping
          • Packet Crafting
            • Attacks Scenario
          • Default Credentials
          • On-Path / Man in the Middle Attacks
          • Certificate Services Attacks
      • Host Based Attacks
        • Privilege Escalation
        • Credential Dumping
        • Shell Escape
        • UAC Bypass
        • Payload Obfuscation
        • Endpoint Security Bypass
        • Process Hallowing
        • Log Tampering
        • DLL Injection
        • Service Path Injection
      • Authentication Attacks
        • LDAP Injection
        • SAML Attacks
        • Open ID Connect Attacks
        • Dictionary Attacks
        • Credential Stuffing
        • MFA Fatigue
        • Pass the Hash attacks
        • Kerberos Attacks
        • Pass the Ticket Attacks
      • Vulnerable Encryption Methods
      • Tools
        • Metsploit
        • Netcat
        • LOLbins
        • Mimikatz
        • Rubeus
        • Certify
        • AD Search
        • Powerview
        • SeaBelt
        • Evil winRM
        • PSEXEC
        • Powersploit
        • Metasploit
        • Impacket
        • Responder
        • CrackMapExec
        • Msfvenom
        • Responder
        • Searhsploit
        • Powersploit
      • Password Attacks
        • Password Cracking
        • Password Spraying
        • Tools
          • Medusa
          • Burpsuite
          • John the Ripper
          • Hydra
          • Hashcat
        • Password Attacks
    • Lateral Movement
      • Relay Creation
      • String Searches
      • Service Discovery
      • Tunneling
        • SSH Tunneling
      • Pivoting
      • Exfiltration
        • DNS
        • HTTPS
        • EMail
        • Cloud Storage
      • Tools
        • sshuttle
        • Page 1
    • Post Exploitation
      • Persistance
        • Scheduled Taks
        • Bind Shell
        • Registry Keys
        • C2 Frameworks
        • Tampering Security Controls
        • Back Door
          • Trojan
          • Root Kit
          • Web Shell
        • Searching Valid Account Credetials
        • New Account Creation
        • Reverse Shell
        • Service Creation
        • Cron Jobs
      • Command and Control
    • Reporting
  • Cybersecurity Frameworks and Standards
    • CREST
    • CIS
    • NIST Publications
      • NIST SP 800-171
      • NIST CSF
      • NIST SP 800-115
    • MITRE
      • MITRE D3FEND
      • MITRE ATT&CK
    • Penetration Testing Execution Standard (PTES)
    • OWASP Top 10
    • Purdue Model
    • Open Source Security Testing Methodology Manual (OSSTMM)
    • Council of Registered Ethical Security Testers (CREST)
    • Zero Trust
    • CMMC
    • Threat Modeling Frameworks
      • STRIDE
      • OCTAVE
      • DREAD
    • Mitigation Strategies
      • Network Segmentaion
      • Access Control
      • Application Control
      • Isolation Techniques
      • Default Password Changes
      • Host based firewall
      • Protocol blocking
      • Port blocking
      • Host based intrusion prevention
      • Endpoint Management
      • Decommissioning
      • Configuration Management
      • Least Privilege
      • Logging
      • Monitoring
      • Encryption
      • Patching
    • Security Governance
      • Data and System: Roles and Responsiblities
      • Security Policies
        • Access Use Policy
      • Security Standards
        • Access Control
        • Encryption
        • Password
      • Security Procedures
        • Change Management
  • Security Domains
    • Security Designing
    • Application Security
      • Cryptographic Attacks
      • Password Attacks
      • Web Application Security
        • Enumeration
          • Cookie and Header Security Review
        • Bruteforce Attack
        • Directory Traversal
        • Insecure Direct Object Reference (IDOR)
        • Session Hijacking
        • File Inclusion Attacks
          • LFI
          • Webshell
          • RFI
        • Server-Side Request Forgery (SSRF)
        • Deserialization Attacks
        • Command Injection
        • Server Side Template Injection
        • Cross Site Scripting (XSS)
        • SQL Injection
          • Union Based SQL Injection
          • Blind SQL Injection
        • Cross-Site Request Forgery (CSRF)
        • XML External Entity (XXE)
        • File Upload Vulnerabilites
        • Remote Code Execution (RCE)
        • Tools
          • Hetty
      • OWASP TOP 10 API
        • API Abuse
        • JWT Token manipulation
        • Graph QL security
        • API security
      • OWASP Top 10 Mobile
      • OWASP Top 10 IOT
      • Web Application Security
        • Getting Started in BugBounty Hutning
        • Subdomain Enumeration
        • Subdomain Takeover: Understanding the Risks and Prevention
        • Tools and Technologies
      • Microservices
      • WPscan
        • Burpsuite
        • Ffuf
        • Gobuster
        • Postman
        • Dirbuster
        • Wfuzz
        • ZAP
      • Tools
        • BurpSuite
        • SQLmap
    • Cloud Security
      • Metadata Service Attacks
      • IAM misconfigurations
      • Tools
        • Pacu
        • Prowler
        • Scoutsuite
        • Docker Bench
      • Container Escape
      • Workload Runtime Attacks
      • Supply Chain Attacks
      • Misconfigurations
        • Network Segmentation
        • Network Controls
        • IAM Credentials
        • Public Access to Services
        • Exposed Storage Buckets
        • Logging Information Exposure
      • Azure Security : Components and Assessment Guide
        • Azure Security Assessment Tools : Installation and usuage
    • Identity and Access Management
    • Cloud Security
      • Cloud Engineering and Architecture concepts
      • Cloud Data Security
      • Cloud Platform and Infrastructure Security
      • Cloud Application Security
      • Cloud Security Operations
      • Cloud Legal, Risk and Compliance
      • Azure Security
      • Azure Pentest
    • DevSecOps
      • Static Application Security Testing (SAST)
        • Code Quality
        • CheckMarx
        • Sonarqube
          • Sonarqube Installation using Helm Chart on AKS
      • Interactive Application Security Testing (IAST)
      • Dynamic Application Security Testing (DAST)
      • SCA
      • Wazuh SIEM and XDR
        • Wazuh on Azure AKS
        • Azure + Argo
      • DevSecOps
    • Social Engineering
      • Vishing
      • Spearphishing
      • Smishing
      • Eavesdropping
      • Impersonation
      • Watering Hole
      • Shoulder Surfing
      • Whaling
      • Phishing
      • Tools
        • GoPhish
        • Beef
        • Evilginx
        • SET social engineering toolkit
    • DevOps
      • Kubernetes
        • Kubernetes Architecture and Components
        • Mastering kubectl: The Command Line Interface for Kubernetes
        • Overview of Kubernetes Tools and Utilities
        • Container vs Pod vs Deployment
        • Kubernetes and Docker Swarm
        • Deploying a Kubernetes Cluster Using Minikube
        • Deploying a Kubernetes Cluster Using Kind
        • Integrating Kubernetes with Azure Key Vault
        • Containers vs Virtual Machines
        • Comprehensive Guide to Kubernetes Security and Analysis Tools
        • Monitoring Kubernetes with Prometheus and Grafana
        • Introduction to Azure Kubernetes Service (AKS) and Deploying Your First Cluster
        • Kubernetes Persistence with Backend Databases
        • Kubernetes StatefulSet vs. Deployment
        • DevSecOps Architecture for Kubernetes
      • Docker
      • Helm
        • Scenario : Configuring Azure Key Vault and Using Secrets in Helm Deployments
      • Git Ops
        • Argo CD
      • Git and Versioning
      • Terraform
      • Virtualization
    • Mobile Security
      • Android Mobile App Security Assessment
      • Suspicious Malware App Analysis
      • Android App Penetration Testing
      • Permission Abuse
      • Jailbreak/Rooting
      • Tools
        • MobSF
        • Drozer
        • Frida
    • IOT/OT/SCADA
      • Power Supply
        • Juice Jacking
      • RFID
      • Bluetooth
        • BlueJacking
        • Bluetooth Spamming
      • Ports and Services
      • Port Mirroring
      • Modbus Attack
      • CAN Bus Attack
      • Replay Attack
      • Memory Registry Attacks
      • Tools
        • BlueCrack
        • Scapy
        • TCP Replay
    • Network Security
      • Network Attacks
        • DNS Attacks
        • DDOS
      • Network Assessment
      • Wireshark
      • Zeek
      • Snort
      • TCPDump
      • Defensive Network
        • Firewalls
        • Intrusion Detection System
    • Wireless Attacks
      • Service Set Identifier (SSID)
      • Wardriving
      • Evil Twin Attack
      • Deauthentication Attacks
      • Signal Jamming
      • Channel Scanning
      • Signal Strength Scanning
      • Tools
        • WiFi Pumpkin
        • AirCrack Ng
        • Kismet
    • Purple Teaming
      • Tools
        • Infection Monkey
        • Atomic RedTeam
        • Caldera
    • Kubernetes Security
      • AKS Security
      • Kube-Hunter
      • KubeEscape
    • Hardware Security
    • Container Security
      • Grype
      • Trivy
      • Clair
    • AI
      • LLM (Large Language Models)
      • Prompt Engineering
      • AI Cyber Security Risk Management
        • AI Policies
      • AI Security
      • AI Attacks
        • Prompt Injection
        • Model Manipulation
      • Security Frameworks
        • MITRE ATLAS
        • OWASP Top 10 LLMs
        • NIST AI Risk Management Framework
    • Reverse Engineering
      • Scenarios
        • Browser Plugin
        • PDF document
        • Word Doc
        • Windows Binary File
        • Mobile App
      • Buffer Overflow
  • Operational Security
    • Identity and Access Management
      • Identity
      • Authentication
      • Accountability
      • Access Management
      • Authorization
      • Access Controls
    • Deception Technology
      • Honeypot
      • Honeynet
      • Honeyfile
      • Honey Token
    • Cryptography
      • Data at Rest
      • Data at Transit
      • Hashing
      • BlockChain
      • Digital Signatures
      • Certificates
      • Encryption
        • Public Key Infrastructure (PKI)
          • Public Key
          • Private Key
        • Tools
      • Certification Preparation
        • Penetration Testing
        • GRC and Audit
    • File Integrity Monitoring
    • Data Security
      • DLP
    • Change Management
      • Impact Analysis
    • Malware Analysis
      • Malware Analysis Tool
      • Malware Analysis Books
      • university courses and resources related to malware analysis
      • Binary Analysis
    • Data Loss Prevention
    • Threat Modeling
      • Attack Surface Management
        • Introduction
      • Threats, Technologies, Procedures
        • Threat Actors
      • Threat Hunting
        • Indicators of Compromise
      • Threat Assessment
        • Threat Modeling
          • OCTAVE
          • DREAD
          • STRIDE
        • Threat Hunting
          • Threat Hunting Blogs
          • Ransomware: An Overview
          • Threat Hunting and Incident Response Q&A
          • Network Traffic Analysis: Wireshark
          • Threat Hunting Questionnaire
          • KQL
          • Email Header Analysis
          • TH
          • Windows Process Exploration
        • Threat Intelligence
          • Threat Intelligence Tools and Techniques
            • Yara
      • Malware Attacks
    • Digital Forensics
      • Network Forensics
      • Forensic Tool Analysis
      • Data Recovery
    • Endpoint Management
    • SOC/SOAR
      • Threat hunting scenarios
      • Log Management
        • AWS VPC flow log analysis
        • Linux Logs
        • Windows Logs
    • Ransomware Prevention
      • APT Groups
    • Security Automation
      • C
      • Powershell
      • Python
      • C++
      • GO
      • Rust
    • Incident Response
      • Scenarios
        • Windows : No Event Logs
      • Tools
        • Chainsaw
    • Defensive Security Controls
    • Physical Security
      • Physical Attacks
        • USB (Universal Serial Bus)
        • Tailgating
        • Lock Picking
        • RFID Cloning
          • Badge Cloning
    • Personal Security
    • Security Awareness and Training
    • Firewall
    • Network Access Control
    • Intrusion Detection System
    • Intrusion Prevention System
    • Operating System Security
    • Secure Protocol Usuage
    • Business Continuity
    • Email Security
    • DNS Filtering
    • user behaviour analytics
    • Host Security
    • Mobile Device Security
    • Change Management
    • Vulnerability Management
      • Vulnerability Assessment
        • Vulnerability Analysis
      • Types of Vulnerabilites
    • Penetration Testing/Red Teaming
    • Disaster Recovery
    • Logging and Monitoring
      • Monitoring
        • Systems
        • Infrastructure
        • Applications
      • Logging
        • Log Data
          • Application Logs
          • Network Logs
          • WAF Logs
          • IDS/IPS logs
          • OS logs
          • Endpoint Logs
          • Firewall Logs
        • Alerting
        • Log Aggregation
      • Tools
    • Endpoint
    • Security Metrics
  • Industry Specific Security:Case Studies
    • Aviation Security
      • The Integral Role of Airports in National Security : Operations Perspective
      • Cyber Attacks on Airports
      • Navigating the Complex Web of Airport Operations: Key Components and Leading Industry Providers
    • Aviation Security
  • Computational Science
    • Quantum Computing
      • Quantum Computing: Unleashing the Power of Qubits
    • Probability
  • Data Engineering
  • AI/ML and Data Science
    • Installation
      • Ollama
    • Machine Learning
    • Large Language Models (LLM)
    • Security Analytics
    • Untitled
      • Roles and Responsibilites
      • Azure AI Services
        • AI Services Security
        • Monitoring Azure AI Services
        • AI services on containers
  • Application Development
    • Django
  • Radom Topics :)
    • CSA WAI
  • CISSP
Powered by GitBook
On this page

Was this helpful?

  1. Operational Security

Malware Analysis

Introduction

Malware, short for malicious software, is a term used to describe any software specifically designed to harm, exploit, or compromise computer systems, networks, and data. As the digital landscape continues to evolve, the sophistication and diversity of malware threats have also increased. To effectively combat these threats, cybersecurity experts employ a process known as malware analysis. In this blog post, we'll explore the concept of malware analysis and delve into the different categories that make up this essential field of cybersecurity.

What is Malware Analysis?

Malware analysis is the process of examining and dissecting malicious software to understand its behavior, functionality, and impact on a system or network. The primary goal of malware analysis is to gain insight into how a piece of malware operates, its purpose, and any potential vulnerabilities it may exploit. This information is critical for developing effective countermeasures, such as antivirus signatures, intrusion detection rules, and network filters.

Different Categories of Malware Analysis

  1. Static Analysis

Static analysis involves examining the malware without executing it. Analysts use various tools and techniques to inspect the code and structure of the malicious software. Key elements of static analysis include:

a. File Signature Analysis: This method involves comparing the binary file's hash value to known malware signatures in antivirus databases.

b. Code and File Structure Analysis: Analysts study the malware's code and file structure, looking for anomalies, obfuscation techniques, or hidden functions.

c. API Calls and Dependencies: Analyzing the malware's API calls and dependencies can reveal its intended functions and communication channels.

d. String Analysis: This involves searching for specific strings within the malware code that may reveal its purpose or origin.

  1. Dynamic Analysis

Dynamic analysis, in contrast to static analysis, involves executing the malware in a controlled environment (sandbox) to observe its behavior. This method allows analysts to uncover runtime behaviors, such as:

a. Network Activity: Observing network connections and data exchanges between the malware and external servers or systems.

b. File System Activity: Monitoring file operations to identify any file modifications or attempts to spread to other files or directories.

c. Registry Activity: Tracking changes made to the Windows Registry, which may indicate persistence mechanisms or system manipulation.

d. Memory Analysis: Examining the malware's interaction with system memory, including code injection and anti-analysis techniques.

  1. Behavioral Analysis

Behavioral analysis focuses on understanding the malware's actions and effects on a system. Analysts collect information on how the malware behaves when executed. Key aspects of behavioral analysis include:

a. System Calls and Events: Recording system calls and events triggered by the malware, such as process creation, file access, and registry modifications.

b. Payload Delivery and Exploitation: Identifying how the malware delivers payloads, exploits vulnerabilities, and escalates privileges.

c. Persistence Mechanisms: Determining how the malware maintains persistence on the compromised system, such as through startup processes or scheduled tasks.

d. Communication and Data Exfiltration: Studying the methods used by the malware to communicate with command and control servers and exfiltrate sensitive data.

  1. Hybrid Analysis

Hybrid analysis combines elements of both static and dynamic analysis. Analysts employ this approach to gain a comprehensive understanding of malware by examining its code, structure, and behavior in a controlled environment. Hybrid analysis is particularly effective for sophisticated malware that employs evasion techniques to thwart analysis.

  1. Code Reversing

Code reversing, or reverse engineering, involves disassembling the malware's binary code to understand its underlying logic and functionality. This technique can reveal hidden features, encryption methods, and vulnerabilities that may be exploited to develop countermeasures or patches.

Conclusion

Malware analysis is a vital aspect of modern cybersecurity, as it allows experts to understand, detect, and mitigate the ever-evolving threat of malicious software. By employing a combination of static, dynamic, behavioral, hybrid analysis, and code reversing, cybersecurity professionals can effectively combat malware and protect systems and networks from potential harm.

As malware continues to evolve in complexity and sophistication, the field of malware analysis remains a dynamic and essential component of cybersecurity, helping organizations stay one step ahead of cyber threats.

What is Malware Analysis ?

What is Malware ?

Types of Malwares

  • Virus

  • Worms

  • Botnets

  • Polymorphic malware

  • APT (Advanced Persistent Threat)

  • Infostealer

  • Exploit kits for drive-by attacks

  • Trojan horses

  • Wipers

  • Ransomware

  • Mobile malware

  • Drive-by download

  • Maldocs

  • Rootkits

  • IoT malware

  • File less malwares

Malware Analysis helps to find charecterization and categorization of threat and helps at the time of impact analysis

Programming Languages

  • Assembly Language

  • C

  • C++

  • Java

  • Python

  • Go

  • Rust

  • Java Script

  • PowerShell

  • Perl

  • Shell Script

  • Apple Script

Operating System Internals

  • Windows

  • Unix

  • Mac OS

Networking and TCP/IP Protocol Suite

  • Most common protocols, Ports and Services

Operating System Security concepts

  • Password management

What is organization Incident Response Plan

  • For IT

  • For OT/IOT

  • For Mobile Devices

Tools

Debuggers

X64 dbg , X32 dbg, Radare , cutter, windbg, ollydbg

Disassembly

Ghidra, ida pro

PE Analysis

PE Studio, PEID, Detect it easy, CFF explorer, PE Bear, Hiew

Check entropy 0-8, 8 more likely packed

Process Monitoring

ProcMon, Process explorer, Proc dot, Process Monitor

Process creation and registry changes

API Monitoring

API Monito

Autoruns

Autoruns

Web Proxy

Fiddler

Network Traffic capture and analysis/monitoring

Wireshark, Tshark, TCP view

Sand Box Environment and services

Cuckoo, Limon for linux, sandboxie, drakvuf-sandbox

Dedicated distributions for Malware analysis/RE

Flare vm, Remnux

Additional

Hex editor

ASM

FASM

Dynamic Analysis

    • Triage

    • Any.run

    • Hybrid analysis

    • Jose sandbox

    • VirusTotal

Registry Monitoring

Reg Shot

Network Deception

FakeNet-NG

ApateDNS

Python's SimpleHTTPServer

INetsim

System Monitoring

sysmon

Emulation

Atomic red team

De obfuscation tools

Js detox, floss

Framework

MITRE

Memory Forensics

Volalility

Document Analysis

OLE tools

PDFStreamDumper

VB Script Analysis

VB DE compiler

Android App Analysis

APKtool, ADB

Java file analysis

JADX

Packer/Cryptor analysis

Upx, aspack

Urls/domain

    • Urlvoid

    • Urlhaus

    • urlscan

Malware Samples

    • Honeypot

    • Zoo

    • Vx underground

Analysis Notes/writeups

Lab/Malware Sandboxing :

Host only Network :

  • Linux (security onion/ELK/fake dns)

    • Windows Flare

    • SIFT

    • Remnux

Build lab

  • Remnux

  • Sans SIFT

  • Flare VM

  • Collecting Malware samples

  • Monitoring

  • Installing end-user software's

  • Opening multiple files

  • Keeping the same file name

  • Don’t install VM guest tools

  • Collecting/Analyzing

    • PCAP Files

    • API calls

    • Logging file system and registry activity

    • Web hooks

    • API hooks

    • Process hallowing

    • Change in process handle table

    • Suspicious command logging

  • Memory acquisition

    • RAM

Static Analysis

  • Fast flux domains

  • Get-fileHash -algorithm SHA256

  • Python package hashlib

  • SSdeep

  • File

  • Strings

  • PE header analysis

  • Python package "magic"

  • Python code for PE analysis

  • Is executable packed

  • File hashing

  • Fuzzing hashing

    • SSDEEP

  • Virus total integration

    • Python program

IP Lookup

  • www.ipchicken.com

  • www.whatsmyip.com

  • File hashes

  • Compute hash

  • Totalhash.cymru.com -> mutex search

  • Is it packed ? Packer identification

  • Imports and exports

  • Strings

  • Sections -> hashvalue -> search on vt

  • Resources -> hashvalue

  • File metadata

  • Exeinfo pe

  • HxD hex editor (https://mh-nexus.de/en/hxd/):

  • File

  • strings

  • xxd -g 1 log.exe | more

  • CFF explorer

  • Bintext

  • Virustotal

  • https://www.winitor.com/

  • https://www.mzrst.com/

  • Virus scanner

  • https://www.virscan.org/

  • https://virusscan.jotti.org/en-US/scan-file

  • Pe studio

    • Optional-header -> subsystem

    • Libraries

      • Imports and exports

    • Strings

    • Virtual allocation

  • Detect it easy

  • Process Hacker

    • Mutants

    • Mutex

  • Process Monitor

  • Fakenet

  • Regshot

    • Plain TXT

    • Scan dir c:\

  • Procmon

    • Save in native format and csv format

    • Filter

      • Process name/malicious file name

      • Process write, create, delete, registry changes

Dynamic Analysis:

  • Submit to sandbox

    • Observe

      • Process

      • Network

      • File

      • Registry

  • Use debuggers to analyze the flow

Source Code Analysis:

Memory Analysis :

To Do Analysis:

  • Analyze and create documentation

  • JavaScript

  • PDF

  • Doc

  • Office macros

  • RTF

  • One note

  • Lnk file

  • Xlsx

  • Iso

  • Executables

  • VBS/VBA

  • JS

  • Powershell script analysis

  • Phishing email headers

    • SPF/DKIM/DMARC

  • Behavioral analysis

  • Anti-analysis techniques (anti-debug, anti-vm)

    • Anti analysis strings

  • Malware unpacking (encrypted/packed executables)

  • Malware debugging

  • Email header analysis

  • Malicious RTF analysis

  • Malicious PDF analysis

  • Malicious docx analysis , macros

  • Malicious iso analysis

  • Malicious DLL analysis

  • APT attack scenarios

    • Qakbot analysis

    • Emotet analysis

    • Dridex analysis

    • Trick bot

    • RunDll32.exe is then run with the TrickBot DLL, utilizing the DLLRegisterServer entrypoint. Shortly thereafter, WerMgr.exe is suspiciously spawned as a child process of RunDLL32

Malware Debugging

Malware de obfuscation

  • Decode

  • Decrypt

  • Unpacking malware

Analysis

  • Volatility

  • Code injection and extraction

  • API hooking

  • File less

  • Sandbox escaping

  • Anti malware analysis

Learn

  • Disassembling

  • Decompiling

  • Binary instructions

  • Assembly Language

  • Disassembler - produce assembly code

  • Debuggers - manipulate execution of code

  • PE structure portable executable

  • Suspicious windows API patterns

  • Packers

    • Compress and encrypt the executables

    • Obfuscates

    • Anti-analysis features

Techniques to learn

  • Detecting fake trails

  • Malware using encryption

  • PE Header data Analysis

  • Meta data analysis

  • Detect the kill switch to stop spread

  • Obfuscated code analysis

  • Understanding new encoding and encryption schemes

  • Detection evasion techniques

    • Delay of execution

    • Detection of VM env

    • Verifying user activity

    • Hiding malicious code

    • Sandbox evasion

    • Debugger detection

    • Flow misdirection

    • Anti-analysis

  • Code injection

  • API hooking

  • File less techniques/malwares

  • Registry persistence

Further Reading:

  • Concepts/Tutorial https://exploitreversing.com/

  • Review course content : https://courses.zero2auto.com/beginner-bundle

  • Concepts https://www.malwaretech.com/challenges/windows-reversing

  • Concepts/Tutorial https://zeltser.com/reverse-engineering-malware-methodology/

  • https://gist.github.com/kimusan/475bf632009fc8eef9f22a6489b74a03

  • Preparation https://www.secjuice.com/the-road-to-reverse-engineering-malware/

  • Course https://ritcsec.wordpress.com/2022/04/30/beginners-guide-to-reverse-engineering-malware/

  • Review tools https://awesomedfir.com/malware-reverse-engineering

  • Course review : https://www.offensivecon.org/trainings/2023/modern-malware-opsec-and-anti-reverse-techniques-implementation-and-reversing.html

  • Course https://opensecuritytraining.info/ReverseEngineeringMalware.html

  • Tutorial https://intezer.com/blog/malware-analysis/malware-reverse-engineering-beginners/

  • Tutorial https://www.varonis.com/blog/malware-analysis-tools

  • Tutorial : https://www.hackers-arise.com/post/2017/01/18/Reverse-Engineering-Malware-Why-YOU-Should-Study-Reverse-Engineering-Malware

  • Tutorial https://malwareunicorn.org/workshops/re101.html#11

University:

  • https://alperovitch.sais.jhu.edu/

Books

  • Michael Sikorski, Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 2012. ISBN: 978-1593272906

  • Chris Eagle. The IDA Pro Book. No Starch Press (2nd Edition), 2011. ISBN: 978-1593272890

  • Randal E. Bryant, David R. O'Hallaron. Computer Systems: A Programmer's Perspective. Pearson (3rd Edition), 2015. Online: http://csapp.cs.cmu.edu/. ISBN: 978-0134092669

  • Intel Developer’s manuals. http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html

References:

https://blog.malwarebytes.com/glossary/

PreviousImpact AnalysisNextMalware Analysis Tool

Last updated 11 months ago

Was this helpful?

Free Malware Sample Sources for Researchers:

theZoo - A Live Malware Repository | theZoo aka Malware DB:

VirusShare.com:

VirusBay:

https://zeltser.com/malware-sample-sources/
https://thezoo.morirt.com/
https://virusshare.com/
https://beta.virusbay.io/
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla