Introduction to Malware Analysis

To get you started, read https://digital-forensics.sans.org/media/malware-analysis-cheat-sheet.pdf


Malware Analysis Series

You’ll see multiple articles numbered “MA-X”, for example “MA-01 — Emerging Malware Analysis News/Intel”. If you’re new, I recommend reading them sequentially; you can treat the series as a handbook.

Malware analysis methodology

These are the questions you want to answer when analysing malware; in effect they define what you are trying to achieve by performing malware analysis.

Does the file pose a threat to the org specifically? I.e. does it check for particular infrastructure, services, hostnames or files that only the org’s users would hold?

What defences against this threat can we carve out from the analysis/reverse engineering of this malware?

What are the file’s capabilities?

What are the key functions of the file?

What can we extract that will support lessons learnt, threat hunting and future detection? I.e. IOCs (hashes, IPs, domains, URLs, mutexes, registry keys), specific behaviour not seen before etc.

What does the file reveal about the adversary? You want to attribute the attack to a group/actor, so look for anything specific to an actor, i.e. certain coding methods, certain IPs/infrastructure used, certain TTPs used etc.
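The questions above translate directly into a first-pass static triage: hash the file so it can be looked up and shared, pull printable strings, carve network IOCs and named objects out of them, flag persistence hints to confirm dynamically, and grep for anything that names your own infrastructure. The script below is an added example written for this article, not the author’s or any tool’s own code. The byte blob it analyses is constructed here (a fake MZ header plus planted strings, not real malware), the addresses use the RFC 5737 documentation ranges, and the org terms passed to org_targeting are placeholder assumptions you would replace with your own hostnames, domains or share names.

```python
"""Static triage of a suspicious file: hashes, strings, IOCs, persistence
hints and org-specific targeting. Added example; the sample is constructed."""
import hashlib
import re
from urllib.parse import urlsplit

# Constructed stand-in for a sample (not real malware): fake MZ header, junk
# bytes, and the kinds of strings a dropper tends to carry. Addresses come
# from the RFC 5737 documentation ranges; names use the reserved .example TLD.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n\x01\x02\x03"
    + b"http://203.0.113.10/gate.php\x00\x04\x05"
    + b"cdn-update.example\x00"
    + b"\\\\fileserver.corp.example\\finance\\payroll.xlsx\x00"
    + b"Global\\MutexDropper42\x00\xff\xfe"
    + b"198.51.100.7\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\\]+", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Filenames look like domains to a naive regex ("gate.php", "payroll.xlsx");
# drop candidates whose last label is a common file extension.
FILE_EXTS = {"php", "exe", "dll", "sys", "txt", "dat", "xlsx", "docx", "pdf", "bat", "ps1"}
# Substrings (lower-cased) that usually mean a persistence mechanism is in play.
PERSISTENCE_MARKERS = ("currentversion\\run", "schtasks", "\\startup\\")


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 so the sample can be looked up and shared as an IOC."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, the same thing `strings -n 5` would print."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def extract_iocs(strings: list) -> dict:
    """Network indicators and named objects that can feed hunting and detection."""
    ipv4, urls, domains, mutexes = set(), set(), set(), set()
    for s in strings:
        urls.update(URL_RE.findall(s))
        ipv4.update(IPV4_RE.findall(s))
        for cand in DOMAIN_RE.findall(s):
            if cand.rsplit(".", 1)[-1].lower() not in FILE_EXTS:
                domains.add(cand)
        if s.startswith(("Global\\", "Local\\")):  # Windows named-object prefixes
            mutexes.add(s)
    # Hostnames inside URLs count as domains too, unless they are bare IPs.
    for u in urls:
        host = urlsplit(u).hostname or ""
        if host and not IPV4_RE.fullmatch(host):
            domains.add(host)
    return {k: sorted(v) for k, v in
            (("ipv4", ipv4), ("urls", urls), ("domains", domains), ("mutexes", mutexes))}


def persistence_hints(strings: list) -> list:
    """Strings pointing at persistence; confirm them dynamically before reporting."""
    return sorted(s for s in strings if any(m in s.lower() for m in PERSISTENCE_MARKERS))


def org_targeting(strings: list, org_terms: list) -> dict:
    """Does the sample name our infrastructure, shares or paths? Terms are
    assumptions for the example: supply your own hostnames, domains, share
    names or product names. Returns {term: [matching strings]} for hits only."""
    hits = {}
    for term in org_terms:
        matched = sorted(s for s in strings if term.lower() in s.lower())
        if matched:
            hits[term] = matched
    return hits


def triage(data: bytes, org_terms: list) -> dict:
    """One report answering the methodology questions from the static side."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "string_count": len(strings),
        "iocs": extract_iocs(strings),
        "persistence": persistence_hints(strings),
        "org_targeting": org_targeting(strings, org_terms),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE, ["corp.example", "fileserver"]), indent=2))
```

Run it against a real file by replacing SAMPLE with the file’s bytes. Treat the output as leads, not conclusions: packed or encoded samples will yield few useful strings (which is itself a finding), and a URL or IP in the binary tells you what the sample can reach, not what it did reach, which is what the dynamic and network analysis steps later in the series are for.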

Malware Analysis — 3 tips

  1. Don’t overthink the sample

  • Aim for a general understanding of what the malware does rather than digging into why the attacker may have set up a particular function in a certain way.

  2. Keep an open mind

  • Your samples will react differently in different environments, either because of configuration/compatibility issues or because the sample detects the analysis environment and evades it.
  • If static analysis isn’t working, try dynamic.

  3. Malware will constantly evolve, so should your analysis techniques/tools.

  • The techniques you employ will likely come from here as well as from well-known books and resources, so malware authors will be aware of them and aim to avoid/evade them. Try to apply what you learn to develop your own techniques.

People to watch, follow and listen to…

Watch: HackerSploit Malware Analysis Bootcamp

YouTube

Colin Hardy

MalwareAnalysisForHedgehogs

Kindred Security

CheerioLive

Danooct1 (His viewer made malware playlist is also quite funny to watch)

HackerSploit

SANS Digital Forensics and Incident Response

MalwareTech

Twitter

Malwaretech

Podcasts

Darknet Diaries

Cyber by Motherboard

Books

Introduction to Malware Analysis (Packt)

Practical Malware Analysis (No Starch Press)

Malware Data Science (No Starch Press)

Hands on learning with Workshops

Malware Unicorn Workshops RE101 and RE102: from 0 to reverse engineering crypto algorithms used by common malware samples. The first workshop presents a good workflow that is helpful during any malware analysis task. RE102 is a good hands-on tutorial and step-by-step guide to dissecting a piece of malware, and walks through some of the most common “anti-” techniques (anti-debugging, anti-VM and similar) used by malware writers.

https://github.com/RPISEC/Malware: materials developed by RPISEC, including lectures, labs and projects. It uses ‘Practical Malware Analysis’ as its textbook and also contains a list of further places to pick up more samples or challenges.

Challenges

Some antivirus companies put out “crackmes” as recruitment challenges; you can download these openly and try them even if you don’t want to apply: https://join.eset.com/en

FireEye Flare-On challenges: https://www.flare-on.com

Twitter: @mikecybersec
