Malware Analysis

Objectives: By the end of this topic, you will be able to…

Differentiate between static and dynamic analysis

Observe and document suspicious behaviors of a binary

Recognize indicators of compromise

Perform basic analysis in a safe and controlled manner

What is malware?

Malware (malicious software) is any program designed to damage, disrupt, steal, or exploit computer systems, networks, or data.

Common types

Type	Description
Trojan	Disguises as legitimate software to execute malicious actions
Worm	Replicates automatically through networks without user intervention
Ransomware	Encrypts files and demands payment for their release
Spyware	Monitors user activity without consent (e.g., keyloggers)
Rootkit	Gains privileged access while hiding its presence
Botnet	Network of infected computers remotely controlled for distributed attacks

Malware life cycle

Understanding the life cycle helps detect and mitigate attacks at different stages:

Delivery: How malware reaches the system (email attachments, malicious links, USB, exploits)
Execution: The malicious code runs on the victim system
Persistence: Attempts to maintain presence after reboots or cleanup
Command and Control (C2): Communication with the attacker for instructions
Action: Data theft, file encryption, espionage
Evasion: Techniques to avoid detection (obfuscation, encryption, sandbox detection)

Static analysis (without executing the binary)

Focuses on examining the malicious file without running it, making it safer in initial stages.

Common techniques:

Review metadata (creation date, author, hashes)
Identify file type with file, strings, binwalk, readelf
Basic disassembly using Ghidra, IDA Free, or Radare2
Extract readable strings with strings to identify URLs, commands, filenames
Analyze headers: check imports/exports, sections, architecture
Compare hashes with known malware databases (VirusTotal, Hybrid Analysis)

Advantages: low risk of infection, useful for gathering initial indicators. Limitations: does not reveal dynamic behavior, can be bypassed by obfuscated or packed malware.

Dynamic analysis (controlled execution)

Involves executing the malware in a safe environment to observe its behavior.

Typical environment: isolated virtual machines with snapshots and no direct internet connection.

Aspects observed:

File, registry, or process modifications
Outbound communications (IP, domain, port, protocol)
Persistence mechanisms (scheduled tasks, startup modifications)
Process behavior and resource usage

Precautions:

Never run real samples on production or daily-use systems
Ensure network isolation
Use snapshots to easily revert the environment

Indicators of Compromise (IoC)

IoCs are traces or signals that indicate a system has been compromised:

Hashes of malicious files (MD5, SHA256)
Suspicious filenames or paths
IP addresses or domains the malware connects to
Modified registry keys
Characteristic strings inside binaries or processes

These indicators are shared among security professionals to facilitate detection and incident response (via STIX, MISP, threat intelligence feeds).

Recommendations for safe analysis

Always use controlled environments (virtual machines, sandboxes)
Disable unnecessary features such as shared folders or open ports
Take snapshots before any execution
Avoid direct internet connection
Have forensic and monitoring tools ready
Maintain a logbook of all actions taken
Store samples with neutral names and safe extensions (.txt, .bin) to avoid accidental execution

Hands-on lab

Requirements: Kali Linux (isolated VM), provided sim_malware binary, Wireshark

Part 1: Static analysis

Run initial analysis:

file sim_malware
md5sum sim_malware
sha256sum sim_malware

Extract readable strings:

strings sim_malware | less

Look for commands like bash, curl, nc, /bin/sh, wget.

Inspect assembly:

objdump -d sim_malware | less

Look for call, syscall, functions such as connect, open, write.

Part 2: Dynamic analysis

Observe system calls:

strace -o output_strace.txt ./sim_malware
ltrace -o output_ltrace.txt ./sim_malware

Monitor connections and processes:

netstat -anp
lsof -p $(pgrep sim_malware)
ps aux | grep sim_malware

Open Wireshark and capture traffic during execution: DNS lookups? Outbound TCP/IP? HTTP?
Check for file creation or modification:

find /tmp -newerct "10 minutes ago"

Part 3: IOC — Indicators of Compromise

Document observed elements in a table:

Type	Indicator	Observation
Hash	`d41d8cd98f00b204...`	SHA256 of the sample
File	`/tmp/payload.sh`	Created by the binary
Process	`nc -e /bin/sh ...`	Simulated reverse shell
Network	`192.168.1.10:4444`	Outbound connection detected
String	`"pwned!"`	Message found in `strings` output

Submission

Compressed folder with:

output_strace.txt, output_ltrace.txt, captures from strings, objdump
Screenshots of netstat, ps, and Wireshark traffic
IOC table in .md, .csv, or .pdf
Brief written reflection (less than 1 page)

Key concepts

Term	Definition
Malware	Malicious software designed to damage or compromise systems
Ransomware	Malware that encrypts files and demands payment to release them
Trojan	Malware disguised as legitimate software
IoC	Observable evidence that a system has been compromised
Static analysis	Examination of binaries without executing them
Dynamic analysis	Observation of behavior during execution

Test yourself

Classification: You receive a suspicious file. Describe your analysis process step by step, starting with static techniques before moving to dynamic ones. Why this order?
IoC: What indicators of compromise would you look for in a system you suspect was infected with ransomware?
Safety: Why is it critical to use an isolated virtual machine for dynamic analysis? What could happen if you analyze malware on your main system?

Navigation: ← Previous | Home | Next →

Quartz 4

Explorer

07 - Malware Analysis