In the recent years, attacks such as WannaCry and NotPetya blew up in the news making headlines and becoming a global phenomenon. They were both what we call Ransomware.

A type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through -phishing emails or by unknowingly visiting an infected website. — US Cert

Unfortunately, these types of attacks happens daily around the world, not always making headlines but always causing damage. Which makes Malware analysis a necessary skill to possess.

However, analyzing malware could be a difficult task as malware writers apply multiple techniques to make sure they are not easily discovered and their code could not be easily analyzed. Techniques like obfuscation, Anti-Debug, Anti-VM…etc. Makes it harder to understand what is going on.

That is why, one should be ready and well equipped with the knowledge and tools to answer the questions that arises when analyzing malware and for that, an approach is required.

Malware Analysis Techniques

Multiple approaches and techniques exists to analyze malware, each revealing some information. Generally, we have two major approaches on how to analyze malware.

First we have Static analysis that goes from simply obtaining the “strings” and the hash of a malicious file to decompiling it and making sense of the assembly code.

Second, we have Dynamic analysis that goes from running the malicious file in a controlled environment and making sense of its behavior to hooking its API and function calls and debugging it.

Let’s take a quick look at each approach that we will be covering in this series.

Static Analysis

Image for post
Image for post
Image : HashMyFiles
  • Basic Static Analysis
    Basic static analysis consists of extracting as much static information as we could from a file such as “Strings”, Hashes , Functions, Libraries…etc. Without ever executing the file.
  • Advanced Static Analysis
    Advanced static analysis or reverse engineering consists of grabbing the malware and putting it through a disassembler and analyzing its assembly code to determine exactly what the malware does and what functionality it contains.
Image for post
Image for post
Image : IDA Pro disassembler

Dynamic Analysis

Image for post
Image for post
Image : Process Hacker
  • Basic Dynamic Analysis
    Basic dynamic analysis is all about behavior where we run the malware and look for interesting actions such as writing files to disk, writing registry keys and opening network socket.
  • Advanced Dynamic Analysis
    Advanced dynamic analysis or debugging consists of running the malware and through a debugger and analyzing its behavior (Function calls, API calls…etc.) in details to determine exactly what the malware is doing.
Image for post
Image for post
Image : x64dbg

Now that we have a basic understanding of these techniques, in the next article of this series i’ll be covering the first and simplest technique of the four that is Basic Static Analysis. [See Below]

Note : This article was inspired by the book “Practical Malware Analysis : The Hands-On Guide to Dissecting Malicious Software”.

Thanks for reading.

Questions? Comments? Contact me via twitter @nas_bench

Written by

#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store