Malware analysis involves examining malicious software to understand its behavior and impact. This guide explores the different types of malware analysis, including static and dynamic methods.
Learn about the importance of malware analysis in threat detection and incident response. Understanding malware analysis is crucial for organizations to enhance their cybersecurity capabilities.
What is Malware Analysis?
Malware analysis is the process of examining malware to understand its behavior, capabilities, and potential impact. It can be done manually, using tools and techniques to reverse engineer and analyze the code, or with automated tools and analysis platforms that identify and classify samples at scale. Malware analysis is an essential part of cybersecurity and incident response: it helps an organization identify and understand the threats it faces and develop effective strategies to defend against them.
Malware analysis lets a security team triage incidents by severity and uncover indicators of compromise (IOCs). It also gives threat hunters a fuller picture of an intrusion and improves the quality of IOC-based alerts and notifications.
Types of Malware Analysis
Malware analysis can be static, dynamic, or a hybrid of both. Static analysis examines the file without running it, looking for signs of malicious intent; dynamic analysis executes the suspected code in a sandbox and observes what it does. The sandbox isolates the sample from your live systems, so that it cannot infect the production environment or spread into your network. That isolation is only as strong as the sandbox configuration: keep the guest's network segmented from production, snapshot the guest before every detonation, and keep the hypervisor patched, because guest-to-host escape bugs do occur.
Malware Analysis Use Cases
Computer Security Incident Management
In this case, an organization has determined that malware may have infiltrated its network, and a response team is tasked with dealing with the threat.
They analyze the malicious files to determine the type of malware and the severity of the threat, and assess what impact it is likely to have on the organization's systems.
Malware Research
Academics and industry specialists perform in-depth malware research, aiming to understand as fully as possible how a given malware family works.
SentinelLabs have, for example, closely examined the anatomy of TrickBot Cobalt Strike Attacks and gained insights into FIN7 malware chains.
This level of research and understanding is vital for reverse-engineering malware and requires malware analysis, as well as the testing of malware in a sandbox environment.
Indicator of Compromise (IOC) Extraction
Software product and solution providers often perform bulk testing and analysis of samples to extract potential IOCs. Those IOCs feed back into their security products and network defenses, so weak points can be covered before the same threat reaches a customer.
The Stages of Malware Analysis
There are four common stages of malware analysis. Each stage is slower, more complex and more specific than the one before it:
1. Scanning – Automated Analysis
Fully automated tools rely on detection models formed by analyzing already discovered malware samples in the wild. By doing so, these tools can scan suspicious files and programs to determine if they are malware.
Automated analysis can also produce a detailed report covering network traffic, file activity and registry changes. It is the fastest method and doesn't require an analyst to be involved.
It is suited to sifting through large quantities of samples and to testing a large network. The trade-off is that it yields less information than the hands-on stages that follow, and a sample that recognizes the sandbox or waits for a trigger can pass through it unnoticed.
2. Static Properties Analysis
Once the scan is complete, static properties analysis takes a closer look at the sample. At this stage, analysts examine the static properties of the file without executing it, usually inside an isolated environment or sandbox. Static properties include file hashes, embedded strings, embedded resources, imports and header information. Hashes identify the sample and let you look it up in threat-intelligence sources; strings and resources often reveal hard-coded URLs, IP addresses, file paths, mutex names and command-line options before a single instruction has run.
Tools like PE parsers, string extractors and disassemblers gather this information. Packed or obfuscated samples reveal little at this stage: a tiny import table, high-entropy sections or a section that is both writable and executable usually means the real payload is only unpacked at runtime, which is where the dynamic stages come in.
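As an added example (not SentinelOne's code, and not a tool from the page), the script below performs the static-properties pass on a sample in memory: it hashes the file, extracts printable strings, parses the DOS/COFF/section headers of a PE file directly with struct, flags writable-and-executable sections, and pulls URL and IPv4 IOCs out of the strings. The "sample" is a constructed, non-executable PE header with a few fake strings appended; the hostname and IP in it are placeholders, and the regexes are deliberately simple.

```python
"""Static-properties triage: hashes, strings, PE header fields and IOCs.

Added example, not SentinelOne's code. The sample PE image is constructed
inline (headers plus a few bytes of fake body); it is not executable.
"""
import hashlib
import re
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%-]*)?")
# Also matches version strings such as 1.2.3.4; review hits by hand.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_sample_pe() -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, one section header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: file offset of "PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x5F000000, 0, 0, 0, 0x0022)
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics (code | readable | executable)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x100, 0x200,
                       0, 0, 0, 0, 0x60000020)
    body = (b"\x90" * 16
            + b"http://evil.example.com/beacon\x00"  # constructed IOC strings
            + b"C2 fallback 10.0.0.5\x00" + b"ab\x00" * 4)
    return bytes(dos) + b"PE\x00\x00" + coff + sect + body


def hash_sample(data: bytes) -> dict:
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes (what `strings` prints)."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def parse_pe_headers(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff_off)
    sect_off = coff_off + 20 + opt_size
    if sect_off + 40 * nsect > len(data):
        raise ValueError("section table runs past end of file (truncated or malformed)")
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr, _r, _l, _nr, _nl, schars = struct.unpack_from(
            "<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rawsize, "raw_offset": rawptr,
            # W+X sections are a common packer tell: code is written at runtime, then run.
            "writable_and_executable": bool(schars & IMAGE_SCN_MEM_WRITE
                                            and schars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "machine": machine,
        "machine_name": MACHINE_NAMES.get(machine, hex(machine)),
        "compile_time_utc": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "characteristics": chars,
        "sections": sections,
    }


def extract_iocs(strings: list) -> dict:
    urls, ips = [], []
    for s in strings:
        urls += URL_RE.findall(s)
        ips += IPV4_RE.findall(s)
    return {"urls": sorted(set(urls)), "ipv4": sorted(set(ips))}


def analyze(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"hashes": hash_sample(data), "pe": parse_pe_headers(data),
            "strings": strings, "iocs": extract_iocs(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample_pe()), indent=2))
```

On a real sample you would read the file with `open(path, "rb").read()` and hand it to `analyze`; the compile timestamp and the W+X flag are the two header fields most worth a second look, since both are routinely faked or produced by packers.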
3. Interactive Behavior Analysis
To gain further insight, analysts might want to run a malicious file in an isolated laboratory system to see its effects in action.
Interactive behavioral analysis lets the analyst observe how the malware affects the system: its registry, file system, process and network activity, and how the observed behavior could be reproduced and detected elsewhere.
A safe testing environment can be set up with virtualization software running a guest operating system. Testing malware in a sandbox like this is also called dynamic analysis.
The great challenge is that malware can often detect when it is being run in a virtual machine or sandbox and alter its behavior accordingly. It may remain dormant until certain conditions are met, such as a minimum uptime, user interaction, a realistic hostname or user name, or the absence of virtualization drivers and analysis tools. The analyst then has to hide those artifacts, let the sample run longer, or fall back on static analysis and code reversing.
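To make the evasion concrete, here is an added example (not SentinelOne's code) that models the environment checks a sample typically runs before deciding whether to detonate, evaluated against a host profile. The OUI prefixes and guest-tool process names are the well-known public ones; the thresholds (CPU, RAM, disk, uptime), the suspicious user-name list, and both profiles are assumptions chosen for the demo, and real samples use many more checks (CPUID hypervisor bit, timing, registry keys, BIOS strings) than are modeled here.

```python
"""Sandbox/VM artifact checks as malware performs them, run against a host profile.

Added example, not SentinelOne's code. OUIs and guest-tool process names are the
public ones; thresholds, user-name list and both profiles are demo assumptions.
"""

VM_OUIS = {"00:0c:29": "VMware", "00:50:56": "VMware", "00:05:69": "VMware",
           "08:00:27": "VirtualBox", "00:1c:42": "Parallels", "00:15:5d": "Hyper-V"}
VM_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                "vboxservice.exe", "vboxtray.exe", "prl_tools.exe", "vmsrvc.exe"}
ANALYSIS_TOOLS = {"procmon.exe", "procmon64.exe", "wireshark.exe", "x64dbg.exe",
                  "x32dbg.exe", "ida64.exe", "ollydbg.exe", "pestudio.exe"}
SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "test", "user"}  # assumption


def vm_checks(profile: dict) -> list:
    """Return the list of artifacts a sample would treat as evidence of a lab."""
    hits = []
    for mac in profile.get("mac_addresses", []):
        vendor = VM_OUIS.get(mac.lower()[:8])
        if vendor:
            hits.append(f"mac_oui:{vendor}")
    # Thin resources are a classic tell: real user machines are rarely this small.
    if profile.get("cpu_count", 0) < 2:
        hits.append("cpu_count<2")
    if profile.get("ram_gb", 0) < 4:
        hits.append("ram<4GB")
    if profile.get("disk_gb", 0) < 60:
        hits.append("disk<60GB")
    # Sandboxes boot, detonate and revert; a short uptime gives that away.
    if profile.get("uptime_seconds", 0) < 600:
        hits.append("uptime<10min")
    procs = {p.lower() for p in profile.get("processes", [])}
    hits += sorted(f"guest_tool:{p}" for p in procs & VM_PROCESSES)
    hits += sorted(f"analysis_tool:{p}" for p in procs & ANALYSIS_TOOLS)
    if profile.get("username", "").lower() in SUSPICIOUS_USERS:
        hits.append("suspicious_username")
    return hits


def looks_like_sandbox(profile: dict, threshold: int = 2) -> bool:
    """Samples usually bail out after a couple of hits rather than on a single one."""
    return len(vm_checks(profile)) >= threshold


# Constructed profile of a default VMware guest with the analyst's tools running.
DEFAULT_SANDBOX = {
    "mac_addresses": ["00:0C:29:3A:1F:52"],
    "cpu_count": 1, "ram_gb": 2, "disk_gb": 40, "uptime_seconds": 240,
    "processes": ["vmtoolsd.exe", "explorer.exe", "procmon64.exe"],
    "username": "sandbox",
}

# Constructed profile after hardening: non-VM OUI, realistic resources and uptime,
# guest tools and monitoring stopped (or run from the host side), ordinary user name.
HARDENED_SANDBOX = {
    "mac_addresses": ["b4:2e:99:10:20:30"],
    "cpu_count": 4, "ram_gb": 8, "disk_gb": 120, "uptime_seconds": 7200,
    "processes": ["explorer.exe", "chrome.exe", "outlook.exe"],
    "username": "jsmith",
}

if __name__ == "__main__":
    for name, prof in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(name, looks_like_sandbox(prof), vm_checks(prof))
```

Run it against a profile gathered from your own guest and treat every hit as a configuration task for the lab, not as something to argue with: change the MAC, give the guest several cores and a plausible amount of RAM and disk, let it idle before detonation, and keep analysis tooling off the guest's process list where you can.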
It’s possible to take a hybrid analysis approach by combining static and dynamic analysis methods.
4. Manual Code Reversing
Finally, analysts can manually reverse engineer the file's code and decode any obfuscated or encrypted data stored in the sample. This reveals capabilities that did not show up during behavioral analysis, such as code paths that were never triggered in the lab, and adds valuable insight to the findings.
Additional tools, like debuggers and disassemblers, are required at this stage.
Building a Malware Analysis Environment
For a malware researcher, building the right malware analysis environment is a crucial step in analyzing and investigating malware properly. This consists of downloading, installing and configuring a Windows 10 and REMnux Linux virtual machine, setting up a private network for communication between virtual machines, building a custom Windows environment with SentinelLabs RevCore Tools, and capturing traffic from a Windows 10 virtual machine.
Top Malware Analysis Tools
There are several types of essential tools for performing malware analysis so that you can understand and defend against cyber-attacks. While many of the tools listed here are free, the paid versions are highly recommended in a professional setting.
Disassemblers: A disassembler, like IDA Pro or Ghidra (the latter developed by the National Security Agency), translates a binary's machine code back into assembly instructions without executing it, so that the code can be analyzed statically. Most are paired with decompilers, which go a step further and reconstruct C-like pseudocode from the binary, which is far quicker to read than raw assembly.
Debuggers: A debugger, like x64dbg or WinDbg, controls the execution of a program: you can set breakpoints, single-step instructions and pause the sample at the point of interest. This shows what actually happens when the malware runs and helps you reverse engineer a sample to see how it operates.
It also lets analysts inspect and modify registers and regions of the program's memory, for example to dump an unpacked payload or to step past an anti-analysis check.
Hex editors: A hex editor, like HxD, is a specialized editor that can open any type of file and show its contents byte by byte. It is used to inspect and patch raw bytes in a sample, check file headers and magic values, and carve out embedded payloads.
Monitors: When you need to see real-time file system, Registry and process/thread activity, use a monitoring tool like Process Monitor (Procmon). It displays a process tree showing the relationships between all processes referenced in a trace and records the details of every operation: the path, the result and the calling process.
PE analysis: Tools like PeStudio, PE-bear and the pefile Python library are good choices when looking for free tools to inspect PE files. They visualize the PE section layout and help you spot file signatures, imports, and hard-coded URLs and IP addresses.
Network analyzers: This type of software shows analysts how the malware interacts with other machines: which hosts it connects to, which protocols it uses and what data it tries to send. In the lab, point the guest's DNS and default gateway at the REMnux VM so that connections are captured and answered without ever reaching the internet.
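Reading a Procmon trace by hand is slow, so the usual move is to export it to CSV and filter for the handful of operations that matter. The script below is an added example (not SentinelOne's code) that does that triage: it follows the sample and every child it spawns, and flags Run-key persistence, executables written to drop locations, suspicious child processes, and outbound connections. The trace, paths, process names and the 203.0.113.7 address are all constructed; the column names are Procmon's default CSV export columns, and the drop-directory and LOLBin lists are starting points, not a complete rule set.

```python
"""Triage a Process Monitor CSV export for persistence, dropped files,
suspicious child processes and outbound connections.

Added example, not SentinelOne's code. The trace below is constructed; only the
column names follow Procmon's default CSV export.
"""
import csv
import io
import re

PROCMON_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4120","WriteFile","C:\Users\lab\AppData\Local\Temp\upd.exe","SUCCESS","Offset: 0, Length: 38912"
"10:01:02.5","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Local\Temp\upd.exe"
"10:01:03.0","sample.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5008, Command line: cmd.exe /c vssadmin delete shadows /all /quiet"
"10:01:03.2","cmd.exe","5008","Process Create","C:\Windows\System32\vssadmin.exe","SUCCESS","PID: 5044, Command line: vssadmin delete shadows /all /quiet"
"10:01:03.4","sample.exe","4120","TCP Connect","lab-win10:49812 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:01:03.6","explorer.exe","1284","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
DROP_PATH_RE = re.compile(
    r"\\(Temp|Startup|ProgramData|Public|Roaming)\\.*\.(exe|dll|ps1|vbs|js|bat)$", re.I)
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")
REMOTE_RE = re.compile(r"->\s*([^:\s]+):(\d+)$")
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "vssadmin.exe"}


def triage_procmon(csv_text: str, sample: str = "sample.exe") -> list:
    """Return de-duplicated findings for the sample and every process it spawns."""
    findings, seen, watched = [], set(), set()
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Process Name"].lower() == sample.lower():
            watched.add(row["PID"])
        if row["PID"] not in watched:
            continue  # activity of unrelated processes is noise
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        tag = evidence = None
        if op == "RegSetValue" and RUN_KEY_RE.search(path):
            tag, evidence = "persistence.run_key", f"{path} = {detail}"
        elif op == "WriteFile" and DROP_PATH_RE.search(path):
            tag, evidence = "file.dropped_executable", path
        elif op == "Process Create":
            m = CHILD_PID_RE.search(detail)
            if m:
                watched.add(m.group(1))  # follow the child from here on
            if path.rsplit("\\", 1)[-1].lower() in LOLBINS:
                tag, evidence = "process.suspicious_child", detail
        elif op in ("TCP Connect", "TCP Send", "UDP Send"):
            m = REMOTE_RE.search(path)
            if m:
                tag, evidence = "network.outbound", f"{m.group(1)}:{m.group(2)}"
        if tag and (tag, evidence) not in seen:
            seen.add((tag, evidence))
            findings.append({"tag": tag, "time": row["Time of Day"],
                             "process": row["Process Name"], "pid": row["PID"],
                             "evidence": evidence})
    return findings


if __name__ == "__main__":
    for f in triage_procmon(PROCMON_CSV):
        print(f"{f['time']} {f['process']}({f['pid']}) {f['tag']}: {f['evidence']}")
```

The findings map directly onto IOCs and detection content: the Run-key value and dropped path become host indicators, the remote address becomes a network indicator, and the parent/child pair (sample.exe spawning cmd.exe that runs vssadmin) is the kind of process-tree relationship an EDR rule keys on.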
Protect Your System with Leading Edge-to-Edge Enterprise Security
SentinelOne gives you a centralized platform to prevent, detect, respond, and hunt in the context of all enterprise assets.
SentinelOne offers endpoint protection, detection and response, and IoT discovery and control. For more information on malware analysis, get in touch today.