# How Malware Analysis Helps SOC Analysts

# Malware Definition and Malware Types

Malware is a word derived from the words **MAL**icious soft**WARE**: software that endangers the security and integrity of systems for a malicious purpose.

Cyber threat actors keep improving their skills and develop increasingly complex malware. Attackers now use various methods to make analysis of their malicious software even more difficult.

## **Malware Types**

- Backdoor
- Adware
- Ransomware
- Virus
- Worm
- Rootkit
- RAT
- Banking Malware
- Keylogger

# What a Malware Analyst Should Know

## **Operating System Fundamentals and Architecture**

![[Pasted image 20250318184241.png]]

Malware often takes advantage of features provided by operating systems, for example to escalate privileges or to ensure persistence.

## **Assembly Language & Programming**

Since processors only understand 0s and 1s, the compiler's job is to translate source code into binary. In assembly, each instruction has a direct 0-and-1 counterpart.

C > Assembly > Binary

Reason: compiled malware can easily be converted back to assembly, so analyses are usually made via assembly. Software that translates a binary back into assembly is called a disassembler.

## **Network Protocols and Fundamentals**

Since malware often connects to a C&C server or downloads secondary payloads, understanding network traffic is important in order to recognize outliers.

## **Cryptography**

Malware can obfuscate its code via cryptography to make it hard to decipher; cryptography is also used to encrypt files in ransomware. It can also be used defensively to protect information.

# Which Approach to Take

Either static analysis or dynamic analysis.

## Static Analysis

Reverse engineering malware without running it. Examine the following information:

1. P.E. (Portable Executable) headers
2. Imported DLLs
3. Exported DLL functions
4. Strings in the binary
5. CPU instructions

## Dynamic Analysis

Run the malware in a virtual machine to analyze its behavior. Observe:

1. Network connections
2. File events
3. Process events
4. Registry events

## Comparison

| Static Analysis | Dynamic Analysis |
| --- | --- |
| Takes a long time | Generally seconds to minutes |
| Full capacity of malware is learned | Can only learn the activities performed on the system on which it is run, for the duration of the analysis |
| Detailed result | Limited analysis result |

# Dynamic Analysis Using Any.Run

Upload the malware (+ New Task), then run the machine. The task view provides:

1. Interactive desktop
2. Process logger
3. Network and file logger
4. Process details

# 29 Addresses to Analyze Malware Faster

- [Anlyz](https://sandbox.anlyz.io)
- [Any.run](https://app.any.run)
- [Comodo Valkyrie](https://valkyrie.comodo.com)
- [Cuckoo](https://sandbox.pikker.ee/)
- [Hybrid Analysis](http://www.hybrid-analysis.com/)
- [Intezer Analyze](https://www.intezer.com)
- [SecondWrite Malware Deepview](https://www.secondwrite.com)
- [Jevereg](http://jevereg.amnpardaz.com/)
- [IObit Cloud](http://cloud.iobit.com)
- [BinaryGuard](http://www.binaryguard.com)
- [BitBlaze](http://bitblaze.cs.berkeley.edu/)
- [SandDroid](http://sanddroid.xjtu.edu.cn)
- [Joe Sandbox](https://www.joesandbox.com/#windows)
- [AMAaaS](https://amaaas.com/)
- [IRIS-H](https://iris-h.services/pages/dashboard#/pages/dashboard)
- [Gatewatcher Intelligence](https://intelligence.gatewatcher.com/)
- [Hatching Triage](https://tria.ge/)
- [InQuest Labs](https://labs.inquest.net/dfi)
- [Manalyzer](https://manalyzer.org/)
- [SandBlast Analysis](https://threatpoint.checkpoint.com/ThreatPortal/emulation)
- [SNDBOX](https://app.sndbox.com/)
- [firmware](http://firmware.re/)
- [opswat](https://metadefender.opswat.com/?lang=en)
- [virusade](http://virusade.com/)
- [virustotal](https://www.virustotal.com/gui/)
- [malware config](https://malwareconfig.com/)
- [malware hunter team](https://id-ransomware.malwarehunterteam.com/)
- [virscan](http://www.virscan.org)
- [jotti](https://virusscan.jotti.org/it)
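As an added example (not part of the original notes), the Python below performs the PE-header and strings items of the static analysis checklist above on a constructed, non-runnable PE32+ image: it parses the DOS, COFF and section headers, flags sections that are both writable and executable (a common packer/self-modifying-code hint), and extracts printable strings to pick out URLs and names from a small watchlist of injection-related Windows APIs. The sample bytes, the URL and the watchlist are constructed for the demonstration; import and export tables are left to a full parser such as pefile.

```python
import re
import struct
MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}          # IMAGE_FILE_MACHINE_* values
INJECTION_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}  # constructed watchlist
RAW_PTR = 64 + 4 + 20 + 0xF0 + 40                                   # DOS + "PE\0\0" + COFF + PE32+ opt + 1 section

def build_sample_pe():
    """Constructed, non-runnable PE32+ image used only as sample input (not a real sample)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew: PE signature at offset 64
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x5F5E1000, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ optional-header magic
    body = (b"\0" * 8 + b"http://c2.example.invalid/beacon\0"       # constructed strings, not real indicators
            + b"CreateRemoteThread\0" + b"ab\0" + b"\0" * 5)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 4 unused, Characteristics
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body), RAW_PTR,
                                                  0, 0, 0, 0, 0xE0000020)   # CODE | EXECUTE | READ | WRITE
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec + body

def parse_pe(data):
    """Read the headers without executing anything: machine, compile timestamp, sections and W+X flags."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if pe_off < 0 or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image (MZ/PE signature missing)")
    machine, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sections, off = [], pe_off + 24 + opt_size                      # section table follows the optional header
    for _ in range(n_sections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name, "vaddr": vaddr, "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "writable_and_executable": (flags & 0xA0000000) == 0xA0000000})  # W+X hint
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": timestamp, "sections": sections}

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, the same output the `strings` tool gives."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Static triage report: header facts plus URL-like strings and watchlisted API names."""
    report = parse_pe(data)
    strings = extract_strings(data)
    report["urls"] = [s for s in strings if s.startswith(("http://", "https://"))]
    report["suspicious_apis"] = sorted(s for s in strings if s in INJECTION_APIS)
    return report
```

Run `triage(build_sample_pe())` to see the report; pointing `triage` at the bytes of a real file gives the same fields for the PE-header and strings steps of the checklist.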