- Online Malware Analysis Platforms
- VirusTotal
- Any.run
- Hybrid Analysis
- String Analysis in Malware
- Understanding Strings
- Decoding versus Deobfuscating
- Binary Analysis Components
- Imports
- Headers
- Embedded Resources
- Disassembly
- Decompilation
- Virtual Machine Network Modes
- Bridged Mode
- Host-Only Mode
- NAT Mode
- System Monitoring Tools
- Procmon
- Process Hacker
- System Architecture
- Cmder
- 32-bit Systems
- 64-bit Systems
- Windows System Components
- DLLs and Windows API
- MalAPI Resource
- Virtual Machine Management
- VM Snapshots
- Synchronization Mechanisms
- Mutex
- Mutex in Malware Context
- Detection Rules
- Sigma Rules
- Sigma Rule Example
- Sigma Translator Resource
- YARA Rules
- YARA Rule Example
- Malware Analysis Methodologies
- Analysis Types Overview
- Advanced Dynamic Analysis Example
- Network Simulation in Analysis
Online Malware Analysis Platforms
VirusTotal
VirusTotal is an online malware-scanning platform that aggregates results from dozens of antivirus engines. It helps analysts quickly see detection rates, file metadata, and related network or file indicators. This platform provides a comprehensive view of how different antivirus solutions detect a particular sample, allowing security professionals to assess the threat level and gather initial intelligence about suspicious files.
Any.run
Any.run is an interactive malware analysis sandbox that lets you manually observe malware behavior in real time. It shows network traffic, file changes, processes, and dynamic actions as they happen. The interactive nature of this platform gives analysts the ability to interact with the malware during execution, providing deeper insights into its behavior and capabilities.
Hybrid Analysis
Hybrid Analysis is a malware sandbox by CrowdStrike that provides automated behavior reports. It offers threat scores, system modifications, and IOCs extracted from dynamic and static analysis. This platform combines multiple analysis techniques to provide comprehensive reports that help analysts understand both the surface-level and deeper behaviors of malicious samples.
String Analysis in Malware
Understanding Strings
Strings are simply arrays of characters, like google.com or Hello world, but computers don't interpret them the way humans do—they read them one character at a time until they reach a null byte, which marks the end of the string. In malware analysis, an executable can be viewed as a box filled with bytes, some of which may form meaningful strings such as http:// that point to attacker-controlled domains. The analyst's job is to extract and inspect these strings to uncover indicators like domains or other clues about the malware's behavior. Tools like FLOSS enhance this process by not only pulling out visible strings but also deobfuscating or decoding hidden ones to provide a clearer picture of the binary's content.
Decoding versus Deobfuscating
Decoding is like translating something from one understandable format to another. For example, turning aGVsbG8= (Base64) back into hello. The original data is just hidden in a readable code.
Deobfuscating is like untangling something messy or confusing. For example, if malware scrambles code or uses tricks to hide what it really does, deobfuscating cleans it up so you can see the real instructions.
So, decoding equals revealing hidden data, deobfuscating equals making messy code understandable.
Binary Analysis Components
Imports
Imports show the external functions a binary relies on, revealing the capabilities it intends to use. They help analysts understand behavior such as networking, file operations, or process manipulation. By examining the imports, analysts can build a preliminary picture of what the malware is capable of doing even before running it.
Headers
Headers contain structured metadata like file type, architecture, entry point, and section layout. Analyzing them helps determine if a file is packed, malformed, or suspicious. Headers provide critical information about the executable's structure and can reveal attempts to hide malicious code or evade analysis.
Embedded Resources
Embedded resources include icons, images, configuration files, or payloads stored inside the executable. They often hide malicious scripts, encrypted data, or dropped components. Attackers frequently use resources to conceal additional payloads or configuration data that will be extracted and used during execution.
Disassembly
Disassembly converts machine code into assembly instructions, enabling a low-level view of program logic. Analysts use it to understand behavior, detect obfuscation, or find malicious routines. This process is fundamental to understanding exactly what instructions the processor will execute.
Decompilation
Decompilation translates binary code into a high-level language like C, making the logic easier to understand. It helps analysts read program flow without dealing directly with assembly. While not always perfect, decompilation can significantly speed up the analysis process by presenting code in a more human-readable format.
Virtual Machine Network Modes
Bridged Mode
Bridged mode connects the VM directly to the physical network as if it were another device on the LAN. It gets an IP from the network's DHCP and can communicate freely with other devices. This mode is useful when the VM needs to act as a full network participant but carries risks when analyzing malware.
Host-Only Mode
Host-only mode creates an isolated network between the host and the VM only. The VM cannot access the internet unless additional routing or NAT is configured manually. This mode provides maximum isolation for malware analysis, preventing any accidental network communication with external systems.
NAT Mode
NAT mode shares the host's IP address to give the VM internet access through network address translation. The VM can reach the internet but cannot be reached directly from the external network. This provides a balance between connectivity and isolation, allowing malware to attempt network connections while protecting the internal network.
System Monitoring Tools
Procmon
Procmon is a Windows monitoring tool that captures real-time events like file, registry, and process activity. It helps analysts trace malware behavior, system changes, and suspicious actions. This tool is essential for understanding what modifications malware makes to the system during execution.
Process Hacker
Process Hacker is an advanced task manager that shows detailed process, service, and network information. It is useful for detecting hidden processes, inspecting memory, and terminating malicious tasks. This tool provides deeper visibility into running processes than the standard Windows Task Manager.
System Architecture
Cmder
Cmder is a popular, portable, open-source console emulator for Windows that enhances the default command-line experience by bundling the ConEmu terminal with Git for Windows, Clink for bash-like features, and custom configurations, offering a much-loved, user-friendly terminal with features like tab support, aliases, and theming for developers.
32-bit Systems
32-bit systems handle data in 32-bit chunks and can address up to 4 GB of RAM. They run older software well but have limited performance and compatibility with modern applications. These systems are becoming increasingly rare as software demands more resources.
64-bit Systems
64-bit systems process data in larger 64-bit chunks and can address massive amounts of memory. They offer better performance, stronger security features, and support for modern software and operating systems. The transition to 64-bit architecture has become standard in modern computing environments.
Windows System Components
DLLs and Windows API
A DLL is a Dynamic Link Library that contains reusable functions and code that programs can load when needed instead of storing everything inside a single executable. Windows APIs are collections of functions provided by the operating system that allow programs to perform tasks like creating windows, managing files, or interacting with hardware. These API functions are stored inside DLL files such as kernel32.dll, user32.dll, and advapi32.dll, which applications call to execute system-level operations. When a program runs, it imports these DLLs so it can use their functions without implementing them itself. This creates a modular system where Windows handles complex tasks while applications focus on their own logic. The relationship between DLLs and the Windows API is that the DLLs are the physical files containing the API functions. Without these DLLs, applications would not be able to interact with the operating system.
MalAPI Resource
Virtual Machine Management
VM Snapshots
A VM snapshot is a point-in-time capture of a virtual machine's state, including its disk, memory, and power status, acting as a restore point for quick rollbacks after bad updates, config changes, or errors. Snapshots are essential in malware analysis to quickly return to a clean state after each analysis session.
Synchronization Mechanisms
Mutex
A mutex (mutual exclusion object) is a synchronization mechanism used to ensure that only one process or thread can access a shared resource at a time. Malware often creates a mutex to prevent multiple copies of itself from running simultaneously on the same system.
Mutex in Malware Context
A malware sample creates a mutex named "Global\MyMalwareMutex123" so that if another copy tries to run, it checks for this mutex first. If the mutex already exists, the second copy exits preventing duplicate infections. This technique helps malware avoid detection through unusual system behavior caused by multiple instances.
Detection Rules
Sigma Rules
Sigma Rule Example
title: Suspicious PowerShell Execution
id: e7d1c6b4-1234-4f56-8c9a-abcdef123456
description: Detects PowerShell commands executing encoded scripts
status: experimental
logsource:
product: windows
service: powershell
detection:
selection:
CommandLine|contains: "EncodedCommand"
condition: selection
level: high
This Sigma rule detects PowerShell processes running encoded commands, which is often used by malware. Sigma rules provide a vendor-agnostic way to describe detection patterns that can be translated into various SIEM and security tool formats.
Sigma Translator Resource
https://translatormind.com/translator-tool/sigma-translator/
YARA Rules
YARA Rule Example
rule SuspiciousMalware
{
meta:
author = "Analyst"
description = "Detects simple malware pattern"
strings:
$a = "malicious_string" nocase
$b = { 6A 40 68 00 30 00 00 }
condition:
any of them
}
This YARA rule looks for either a specific string or a sequence of bytes in a file to identify potential malware. YARA rules are powerful tools for pattern matching and malware identification based on specific characteristics or signatures.
Malware Analysis Methodologies
Analysis Types Overview
Basic Static Analysis involves examining the malware without running the executable. The analyst will analyze the strings of this exe to gather initial intelligence about its capabilities and indicators.
Basic Dynamic Analysis involves running the exe and observing processes and network connections to see what the malware does in a live environment.
Advanced Static Analysis involves examining the malware without running the executable but uses disassembler tools to understand the code structure and logic at a deeper level.
Advanced Dynamic Analysis involves running the malware while using tools as a debugger to observe and manipulate changes within the same ASM (assembly code) in real-time.
Advanced Dynamic Analysis Example
When analyzing malware through advanced dynamic techniques, you might encounter a scenario where the malware runs but nothing happened during Basic Dynamic analysis. However, when using a debugger and changing values such as isdebuggerpresent from true to false, then continuing to run the malware, you can see how the malware actually functions. This demonstrates the power of Advanced Dynamic analysis in bypassing anti-debugging techniques.
Network Simulation in Analysis
Consider an executable that needs to connect to semoskidz.xyz to function. If the connection succeeds, the malware runs based on the server response. If there is no connection, the malware doesn't make anything happen. In an isolated network with a VM that has no network access, you can use inetsim to simulate the response. By tricking the exe with simulated responses like 404 or 200OK, you can analyze the behavior as if you were connected when you are not. This technique allows you to see the behavior of network-dependent malware without actually exposing your analysis environment to malicious infrastructure.