Day 4 – My Conversation About Malware Analysis

So yeah, it’s been a bit since I’ve posted, which was not the goal when starting, but nevertheless I’m back. New job and family have occupied much of my time. I was recently speaking with an individual who is breaking into #infosec and he asked what I currently do in my role. I briefly explained #IR and spoke a bit about malware analysis. As we spoke I thought of it as an introduction to malware analysis for him and figured I should put my random thoughts down. This is by no means an exhaustive list but merely what I think and have run into. There are some way more experienced guys/girls out there that may assist with questions you may have.

0x1: What is malware

  • Basically malicious code
  • Categories include worms, viruses, key loggers, backdoors

0x2: Malware behavior – What does this object (c what I did there) do?

  • Monitor user activity
  • Steal sensitive information
  • Disrupt system operations
  • Disrupt network operations
  • Function as a launching point for other malware

0x3: Types of malware analysis

YAY-1 Static analysis: analysis without executing the malware, so you aren’t blowing up your machine. All about safety right? Right?

You don’t need special tools for the first items listed. I didn’t number them, as obtaining these should be basic knowledge you have from the start, i.e.

Determine file type - a must for analysis

Determine file size - a must for analysis

Hash - a must for analysis

3.1) SSDEEP: comparison of fuzzy hash with previously submitted samples to determine similar variants

3.2) MD5

3.3) SHA1

4) Strings

4.1) Unicode

4.2) ASCII

5) Identify packers such as UPX with packer-detection tools. Get fancy and try it with YARA rules

6) File obfuscation (packers, cryptors) - sneaky stuff

7) Submission to AV scanning engines

7.1) VirusTotal via API calls - public (free) & private (not so free)

8) ELF characteristics

8.1) Display program header structures
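Here is what the un-numbered items and 3 through 8 look like as one script. This is an added example of mine, not code from the original post: it builds a tiny fake ELF in memory (constructed, not a real sample), then pulls the file type from magic bytes, the size, MD5/SHA1/SHA256, ASCII and Unicode (UTF-16LE) strings, a crude UPX marker check, and the ELF program headers. ssdeep is left out because it needs the ssdeep library, and `looks_packed` is a simple marker check I made up for the example, not a replacement for a proper packer identifier or a YARA rule.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal ELF64 header, one program header and some
# padding with planted strings. Not a real program and not from any sample;
# built inline so the script runs offline.
def build_sample():
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS64, little-endian
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        2,          # e_type = ET_EXEC
        0x3E,       # e_machine = x86-64
        1,          # e_version
        0x401000,   # e_entry
        64,         # e_phoff: program headers start right after the ELF header
        0, 0,       # e_shoff, e_flags
        64, 56, 1,  # e_ehsize, e_phentsize, e_phnum
        64, 0, 0,   # e_shentsize, e_shnum, e_shstrndx
    )
    # PT_LOAD, flags R+X, offset 0, vaddr/paddr 0x400000, filesz/memsz 0x200, align 0x1000
    phdr = struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x200, 0x200, 0x1000)
    payload = b"\x00" * 16 + b"http://example.invalid/update\x00" + b"UPX!" + b"\x00" * 8
    payload += "C:\\temp\\run.exe".encode("utf-16-le") + b"\x00" * 16
    return ehdr + phdr + payload

MAGICS = {
    b"\x7fELF": "ELF",
    b"MZ": "PE/DOS executable",
    b"PK\x03\x04": "ZIP container (JAR/APK/Office live here too)",
    b"%PDF": "PDF",
}

def file_type(data):
    """File type from magic bytes, never from the extension."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return "unknown"

def hashes(data):
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def strings(data, min_len=4):
    """ASCII runs and UTF-16LE ('Unicode') runs of at least min_len printable chars."""
    ascii_strs = [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    uni_strs = [m.group().decode("utf-16-le")
                for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_strs, uni_strs

def looks_packed(data):
    """Cheap heuristic (my own for this example): UPX leaves recognisable markers behind."""
    return any(marker in data for marker in (b"UPX!", b"UPX0", b"UPX1"))

PT_NAMES = {0: "NULL", 1: "LOAD", 2: "DYNAMIC", 3: "INTERP", 4: "NOTE", 6: "PHDR", 7: "TLS"}

def elf_program_headers(data):
    """Walk the ELF64 program header table (little-endian only, enough for the demo)."""
    if not data.startswith(b"\x7fELF") or data[4] != 2:
        return []
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    headers = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, _off, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", data, off)
        flags = "".join(f if p_flags & bit else "-" for f, bit in (("r", 4), ("w", 2), ("x", 1)))
        headers.append({"type": PT_NAMES.get(p_type, hex(p_type)), "flags": flags,
                        "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})
    return headers

def triage(data):
    ascii_strs, uni_strs = strings(data)
    return {
        "type": file_type(data),
        "size": len(data),
        **hashes(data),
        "ascii_strings": ascii_strs,
        "unicode_strings": uni_strs,
        "packed_hint": looks_packed(data),
        "program_headers": elf_program_headers(data),
    }

if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

A segment whose memsz is much larger than its filesz, or a LOAD segment marked writable and executable, is the kind of thing the program header dump is there to show you; on a real sample you would run this over the bytes read from disk instead of `build_sample()`.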


YAY-2 Dynamic analysis: analysis performed by executing the malware. WARNING: Do not perform this on your host machine. Create a virtual environment. Maybe I should post on building a virtual environment.

1) File system activity

2) Process activity

3) Network activity

3.1) DNS summary

3.2) TCP conversations

3.3) Packet captures

3.4) Event trace dump

4) System call tracing
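Items 1 through 4 all fall out of a system call trace if you sort the calls into buckets. This is an added example of mine, not from the original post: the trace lines are constructed in an strace-like format (pid, call, args, return value) and are not output from any real sample, and the IP 203.0.113.5 is a documentation address. The script splits the calls into file, process and network activity and raises a few alerts a defender would care about: reads of credential files, writes under cron, and a binary that unlinks itself after executing.

```python
import re

# Constructed strace-style trace (not real output from any sample). Format
# mimics `strace -f`: "<pid> <syscall>(<args>) = <ret>".
SAMPLE_TRACE = """\
4242 execve("/tmp/.x/update", ["update"], 0x7ffd1000) = 0
4242 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
4242 openat(AT_FDCWD, "/home/user/.ssh/id_rsa", O_RDONLY) = 4
4242 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
4242 connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
4242 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f0000001000) = 4243
4243 openat(AT_FDCWD, "/etc/cron.d/update", O_WRONLY|O_CREAT, 0644) = 3
4243 execve("/bin/sh", ["sh", "-c", "echo ok"], 0x55550000) = 0
4242 unlink("/tmp/.x/update") = 0
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)")
FILE_CALLS = {"open", "openat", "creat", "unlink", "unlinkat", "rename", "renameat", "chmod", "fchmod"}
PROC_CALLS = {"execve", "fork", "vfork", "clone", "clone3"}
NET_CALLS = {"socket", "connect", "bind", "sendto", "recvfrom", "listen", "accept"}
# Paths worth an alert when a sample touches them (my own short list for the example).
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", "/.ssh/", "/etc/cron", "/etc/ld.so.preload")

def parse_trace(text):
    """One dict per parsable trace line; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"pid": int(m["pid"]), "call": m["call"], "args": m["args"], "ret": m["ret"]})
    return events

def first_quoted(args):
    m = re.search(r'"([^"]*)"', args)
    return m.group(1) if m else None

def summarize(events):
    """Bucket events into file / process / network activity and collect alerts."""
    summary = {"files": [], "processes": [], "network": [], "alerts": []}
    executed = set()  # paths passed to execve, used to spot self-deletion
    for ev in events:
        pid, call, args = ev["pid"], ev["call"], ev["args"]
        if call in FILE_CALLS:
            path = first_quoted(args)
            if path is None:
                continue
            summary["files"].append((pid, call, path))
            if any(s in path for s in SENSITIVE_PATHS):
                summary["alerts"].append(f"pid {pid}: {call} on sensitive path {path}")
            if call.startswith("unlink") and path in executed:
                summary["alerts"].append(f"pid {pid}: unlinked its own executable {path}")
        elif call in PROC_CALLS:
            target = first_quoted(args)
            if call == "execve" and target:
                executed.add(target)
            summary["processes"].append((pid, call, target, ev["ret"]))
        elif call in NET_CALLS:
            ip = re.search(r'inet_addr\("([^"]+)"\)', args)
            port = re.search(r"htons\((\d+)\)", args)
            summary["network"].append((pid, call, ip.group(1) if ip else None,
                                       int(port.group(1)) if port else None))
    return summary

if __name__ == "__main__":
    result = summarize(parse_trace(SAMPLE_TRACE))
    for bucket, items in result.items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The DNS summary and TCP conversations from the list come from the packet capture rather than the syscall trace, but the connect() entries here give you the endpoints to look for in it.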


YAY-3 Memory analysis: analysis of RAM (main memory) after executing the malware

1) List running processes

1.1) Process listing with process arguments

1.2) Threads associated with each process

2) List network connections

2.1) Display processes running with RAW sockets

3) List shared libraries

4) Kernel modules

4.1) Module list

4.2) SYSFS

5) Detect hooking (user and kernel mode)

5.1) Check netfilter hooks

5.2) Check for PLT/GOT hooks

5.3) Keyboard hooks

5.4) TTY Hooks

5.5) Check for userland API hooks

6) Code or binary injection

7) Rootkit detection

7.1) System call table modification

7.2) Check for modified file operation structures

7.3) Check hooked network operation function structures

8) Detect hidden artifacts
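Items 1, 4, 7.1 and 8 share one idea: get the same information two different ways and look at what doesn’t line up. This is an added example of mine, not from the original post. In real life the views come out of a memory image via a framework like Volatility (walking the kernel task list vs. scanning for process structures, the kernel module list vs. sysfs, the syscall table vs. the kernel text range); here the snapshots are constructed dicts standing in for that output, the addresses and the module name `rk_mod` are made up, and the kernel text range is just a placeholder interval for the check.

```python
# Constructed snapshots standing in for what a memory-analysis framework would
# give you. None of the PIDs, addresses or module names come from a real image.

# View 1: processes found by walking the kernel's task list.
TASK_LIST = {1: "init", 412: "sshd", 900: "cron", 4242: "update"}
# View 2: processes found by scanning memory for process-structure signatures.
PID_SCAN = {1: "init", 412: "sshd", 900: "cron", 4242: "update", 4243: "sh"}

# View 1: kernel modules from the module list (what lsmod would show).
MODULE_LIST = ["ext4", "e1000", "xfs"]
# View 2: kernel modules that still have a directory under /sys/module.
SYSFS_MODULES = ["ext4", "e1000", "xfs", "rk_mod"]

# Placeholder kernel text range (constructed) and a constructed syscall table.
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)
SYSCALL_TABLE = {
    "read": 0xFFFFFFFF812A1000,
    "write": 0xFFFFFFFF812A1200,
    "getdents64": 0xFFFFFFFFC0A01000,  # outside the text range: handler lives in module space
    "openat": 0xFFFFFFFF812B0000,
}

def cross_view(view_a, view_b):
    """Return what each view has that the other lacks. Anything hidden from the
    'official' list but visible to the scan is the interesting part."""
    a, b = set(view_a), set(view_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}

def hidden_processes(task_list, pid_scan):
    """PIDs the scanner found that the task-list walk did not (unlinked from the list)."""
    diff = cross_view(task_list, pid_scan)
    return {pid: pid_scan[pid] for pid in diff["only_in_b"]}

def hidden_modules(module_list, sysfs_modules):
    """Modules present in sysfs but removed from the module list."""
    return cross_view(module_list, sysfs_modules)["only_in_b"]

def check_syscall_table(table, text_range):
    """Syscall handlers whose address falls outside the kernel's own text."""
    lo, hi = text_range
    return [name for name, addr in table.items() if not lo <= addr < hi]

def memory_report():
    return {
        "hidden_processes": hidden_processes(TASK_LIST, PID_SCAN),
        "hidden_modules": hidden_modules(MODULE_LIST, SYSFS_MODULES),
        "modified_syscalls": check_syscall_table(SYSCALL_TABLE, KERNEL_TEXT),
    }

if __name__ == "__main__":
    for key, value in memory_report().items():
        print(f"{key}: {value}")
```

The same diff works for the other pairs in the list: network connections from the socket structures vs. what the process claims to own, or file operation function pointers vs. where those functions should live.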