A Complete Malware Analysis Tutorial, Cheatsheet & Tools List – 2023


Analyzing malware to understand its function and infection routine can be a challenging task. This article provides a comprehensive tutorial on malware analysis, including a detailed cheatsheet and a list of essential tools.

What is Malware Analysis?

Malware analysis is the process of examining malware samples such as Trojans, viruses, rootkits, ransomware, and spyware in an isolated environment. The goal is to understand the infection type, purpose, and functionality of a sample by applying various methods based on its behavior. This understanding is then used to write detection rules and signatures that prevent further user infections.

Types of Malware Analysis

Malware analysis can be divided into several types, each focusing on different aspects of malware behavior:

  1. Static Malware Analysis: This involves extracting and examining the components of a binary (headers, strings, imports, packer signatures) and inferring its behavior without executing the sample. Tools for static malware analysis include Hybrid Analysis, VirusTotal, BinText, Dependency Walker, IDA, md5deep, PEiD, Exeinfo PE, RDG Packer Detector, de4dot, and PEview.
  2. Dynamic Malware Analysis: Dynamic analysis involves executing the malware in a controlled environment and observing its behavior. Tools for dynamic analysis include Procmon (Process Monitor), Process Explorer, Anubis, Comodo Instant Malware Analysis, Regshot, ApateDNS, OllyDbg, Netcat, and Wireshark.
  3. Memory Forensics: This involves analyzing volatile artifacts found in physical memory. Tools for memory forensics include WinDbg, Muninn, DAMM, FindAES, and Volatility.
  4. Malware Detection: This involves identifying malware based on signatures, heuristic analysis, rule-based analysis, behavioral blocking, and sandboxing. Tools for malware detection include YARA, YARA rule generators, File Scanning Framework, hashdeep, Loki, Malfunction, and MASTIFF.
  5. Web Domain Analysis: This involves inspecting domains and IP addresses. Tools for web domain analysis include SpamCop, Spamhaus, Sucuri SiteCheck, TekDefense Automater, URLQuery, IPinfo, Whois, and mail checkers.
  6. Network Interaction Analysis: This involves monitoring network traffic to detect malware activity. Tools for network interaction analysis include tcpdump, tcpick, tcpxtract, Wireshark, CapTipper, ChopShop, and CloudShark.
  7. Debugging: Debuggers allow analysis of code at a low level, instruction by instruction. Tools for debugging include objdump, OllyDbg, FPort, GDB, IDA Pro, and Immunity Debugger.
  8. Analyzing Malicious URLs: This involves analyzing web pages and their scripts for malicious activity. Tools for this include Firebug, Java Decompiler, jsunpack-n, Krakatau, and Malzilla.
  9. Sandboxing: A sandbox is a security mechanism that isolates programs, keeping malicious or failing programs from harming or snooping on the rest of the computer. Tools for sandboxing include firmware.re, Hybrid Analysis, IRMA, Cuckoo Sandbox, cuckoo-modified, PDF Examiner, ProcDOT, Recomposer, and SandDroid.
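As an added example of the static analysis step above (not code from the article or from any of the listed tools), the following reader walks a PE file's section table the way PEview displays it and applies the per-section entropy heuristic that packer detectors such as PEiD and RDG Packer Detector rely on. It uses only the standard library; the function names and the embedded toy image are this example's own constructions.

```python
import math
import struct

COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe_sections(pe: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> section table (what PEview lists)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsect):
        name, _, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        body = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 2),
            # Writable and executable at once is typical of an unpacking stub.
            "rwx": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": hex(machine), "timestamp": stamp, "sections": sections}

def packer_suspects(report: dict, threshold: float = 7.0) -> list:
    """Sections worth a closer look: high entropy (PEiD-style heuristic) or RWX."""
    return [s["name"] for s in report["sections"] if s["entropy"] >= threshold or s["rwx"]]

def build_sample_pe() -> bytes:
    """Constructed toy image (not real malware): plain .text plus a high-entropy RWX section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack(COFF_FMT, 0x14C, 2, 0x5F000000, 0, 0, 0, 0x0102)  # i386, 2 sections, no optional header
    text = struct.pack(SECTION_FMT, b".text", 64, 0x1000, 64, 168, 0, 0, 0, 0, 0x60000020)  # code|exec|read
    upx1 = struct.pack(SECTION_FMT, b"UPX1", 256, 0x2000, 256, 232, 0, 0, 0, 0, 0xE0000040)  # data|exec|read|write
    return dos + b"PE\0\0" + coff + text + upx1 + b"\x90" * 64 + bytes(range(256))
```

Running `packer_suspects(parse_pe_sections(build_sample_pe()))` flags only the UPX1 section; on a real sample, replace `build_sample_pe()` with the file's bytes and treat the result as a triage hint, not a verdict.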

In conclusion, malware analysis combines several methods and a wide range of tools. The list in this article is a starting point rather than an exhaustive inventory, and analysts should assemble a complete toolkit that fits their own workflow.