So lately I have been spending a lot of my time learning about malware analysis. I have found that it is really addicting to tear software apart with the goal of determining its functionality. I am naturally a person who asks “why” all the time, so I have found that reverse engineering is an area that naturally interests me. I am still new to the field so the goal of these upcoming posts is to create a medium where I can practice reversing malware and share my experiences doing so. While I planned for this first post to be about reversing a live sample of malware, it has proven to be more time consuming than I thought and I really wanted to get my first post up on the blog! So instead I will be writing about my current methodology when performing any sort of analysis. I feel this is a good first simple topic to write about.

During my time in cyber security thus far, I have found that having a methodology for solving problems is invaluable. It is what allows you to create a strong framework for tackling problems and ensures that you are solving issues in the most efficient manner. This is especially true for malware analysis! Threat actors obviously don’t want you analyzing their malware and it is extremely common for analysts to face unusual and challenging problems that need to be solved. This is where falling back on a methodology can help you to hit the ground running when performing analysis. So without a due, this is the base methodology I use when performing malware analysis!

So I break my methodology into two sections, basic static analysis and basic dynamic analysis. Each section contains a basic set of questions I strive to answer. It is assumed that you already have the malware sample in an environment where you can analyze them. I do not include the retrieval of malware or deep analysis requiring a debugger / disassembler part of this framework. These can be in depth and complicated and worth their own writeup.

Basic Static Analysis:

What type of files are you dealing with? Is it executable?

• Check for the MZ file header in hex editor (for PE executables)
• Check if the file is packed / obfuscated
• Tools: PEiD, 010 Editor

When was the sample compiled?

• Older malware is most likely registered in AV databases
• IMAGE_FILE_HEADER holds this value (can be spoofed)

What subsystem does this operate in?

• Is this command line based or are there GUI components?
• IMAGE_OPTIONAL_HEADER holds this value

Are there any other embedded executables?

• Sometimes malware authors will embed executables in the header of the executable (namly the .rsrc section)
• Tools: Resource Hacker

What functions are imported / exported

• Looking at the function imports / exports can give you some insight into what the malware might do (network activity, file changes, ect)
• Tools: PEStudio
• If functions are listed by ordinal number, Dependency Walker can be used

Any noteworthy clear text strings?

• Clear text strings are good for finding basic IOCs (domain names, IP addresses, mutexes, ect)
• Malware authors will sometimes use junk strings to make analysis harder
• Tools: PEStudio or IDA Pro SubString View

Basic Dynamic Analysis:

What changes are introduced to the Windows Registry?

• Malware typically uses the Registry for persistence or configuration data
• Tools: RegShot and Procmon

What processes are running?

• Looking not only at the malware base process, but other processes the malware spawns
• Malware can also modify existing processes
• Tools: ProcMon and Process Explorer

Any changes to the file system?

• Malware might modify existing files or create new files on the machine
• Tools: Procmon / CaptureBAT

Any network activity?

• DNS Resolutions, IP callouts, network traffic over non-standard or suspicious ports
• Tools: Wireshark, Inetsim, ApateDNS

And that’s it! As I have been learning about malware analysis this is the framework I use as a basic guide. While it may be simple, in action it proves to be very effective. Once I answer these basic questions I can then get a pretty good idea of what the malware does and if any further analysis is needed. If you enjoyed this content I recommend stopping back again as I plan to continue writing about malware analysis in the near future. Till then, happy hunting!