Malware analysis is defined as “the process of breaking down malware into its core components and source code, investigating its characteristics, functionality, origin, and impact to mitigate the threat and prevent future occurrences.” Malware analysis is an important part of preventing and detecting future cyber attacks. Using malware analysis tools, cyber security experts can analyse the attack lifecycle and glean important forensic details to enhance their threat intelligence.
Why Is Malware Analysis Important?
Malware analysis is often the first step in triaging an incident, or suspected incident, to determine the criticality of the situation. Malware analysis helps network defenders determine what they are dealing with and how to remediate the issue. Indicators captured in analysis are useful for determining the range and extent of an infection, identifying other infected machines, and removing malware from the network.
Malware analysis is an essential process for any network defender as it answers many critical questions:
- Is this file malicious?
- If so, how critical are the implications?
- What does it do?
- Is my information at risk?
Malware analysis can also prevent an incident from occurring in the first place by providing users a way to evaluate suspicious files without opening them.
What Is Malware Analysis?
Malware is defined as “software designed to infiltrate or damage a computer system without the owner’s informed consent. Any software performing malicious actions, including information stealing, spying, etc., can be referred to as malware.” As our reliance on technology and the number of connected endpoints increase, traditional malware variants such as viruses, Trojans, and worms also mutate. This gives rise to new forms of malware, which attack your systems in unfamiliar ways and cause damage without any explicit signal.
Malware analysis is defined as “The process of dissecting malware to understand its core components and source code, investigating its characteristics, functionality, origin, and impact to mitigate the threat and prevent future occurrences.”
- Breaks down the malware: A big part of malware analysis is demystifying malware and cyberthreats to increase awareness. Malware is only a software program written with the express purpose of causing harm. Understanding the code and how it works is integral to blocking malware entry or, at least, its spread across your ecosystem.
- Investigates its characteristics: Every software will leave a unique digital footprint, and malware is no different. How does a specific malware variant or family approach data? How does it spread? What is its pace of replication and tactic for camouflage? Knowing the exact characteristics of malware makes it easier to detect it.
- Unravels its functionality: This is a critical element of malware analysis, and it is difficult to get right. Malware will typically wait in hiding until the right time to attack. This means its functionality will not become clear to the user before it is too late. Malware analysis tries to determine the intended functionality of the software by reviewing its code.
- Traces the malware’s origin: Malware can be notoriously hard to trace, and hackers take advantage of this by holding data ransom for large amounts. Malware analysis tries to see beyond the anonymisation of the coder and trace it back to its origin; a person, an IP, a geographic location, or even an organisation, among others. This helps in the swift intervention of legal authorities during an attack.
- Tries to predict the impact: By putting the above threads of investigation together, it is possible to arrive at a probable impact profile. Its functionality, nature of target systems, the pace of growth, and preferred distribution channels indicate the worst-case scenario impact of malware. This enables organisations to plan and deploy mitigation procedures.
Malware analysis is an arduous process, requiring a wealth of knowledge, a lot of patience, and, occasionally, disruptive thinking. If an organisation discovers or suspects that some malware may have gotten into its systems, a response team may wish to perform malware analysis on any potential samples that are discovered during the investigation process to determine if they are malware and, if so, what impact that malware might have on the systems within the target organisations’ environment.
Academic or industry malware researchers may perform malware analysis simply to understand how malware behaves and the latest techniques used in its construction. Vendors of software products and solutions may perform bulk malware analysis in order to determine potential new indicators of compromise; this information may then feed the security product or solution to help organisations better defend themselves against attack by malware.
Types of Malware Analysis
Broadly, there are two types of malware analysis: static and dynamic. You can also classify malware analysis based on the effort it requires, opting for either manual or automated analysis. A complete analysis exercise will combine all of these types to study the malware in detail and test how it reacts to different approaches. The methods by which malware analysis is performed typically fall into the following types:
Static malware analysis
This type of analysis gathers information about a malicious program without running it, by inspecting the file itself. With this approach, you can investigate content data, patterns, attributes, and artifacts. However, it is very hard to work with any advanced malware using only static analysis.
This type of analysis examines static properties like metadata, headers, embedded assets, etc. A quick static analysis often reveals enough information to create an indicator of compromise (IOC), a document recording the software’s malicious nature. If the results of static analysis are optimistic, the code is usually dismissed as merely poor programming rather than malware, not meriting further investigation.
Static or code analysis is usually performed by dissecting the different resources of the binary file without executing it and studying each component. The binary file can also be disassembled (or reverse engineered) using a disassembler such as IDA or Ghidra. The machine code can sometimes be translated into assembly code which can be read and understood by humans. The malware analyst can then read the assembly, correlate it with specific functions and actions inside the program, make sense of the instructions, and build a clearer picture of what the program is doing and how it was originally designed.
Viewing the assembly allows the malware analyst/reverse engineer to get a better understanding of what is supposed to happen versus what is really happening and start to map out hidden actions or unintended functionality. Some modern malware is authored using evasive techniques to defeat this type of analysis, for example by embedding syntactic code errors that will confuse disassemblers but that will still function during actual execution.
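As an added example of the static-properties step described above (not code from the original page), the script below walks a PE file’s headers by hand, computes the per-section entropy that hints at packing, pulls printable strings, and assembles a minimal IOC-style record. The sample input is a constructed, non-executable PE-shaped blob built inline, so it runs offline with only the standard library.

```python
import hashlib
import math
import re
import struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted sections approach 8.0."""
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs: the cheapest static artifact (URLs, paths, API names)."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_sections(data: bytes) -> list[dict]:
    """Walk the PE section table by hand and report name and entropy per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + i * 40)
        body = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "entropy": round(entropy(body), 2)})
    return sections

def static_report(data: bytes) -> dict:
    """Minimal IOC-style record: hash, per-section stats, packed-section flags, strings."""
    sections = pe_sections(data)
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "sections": sections,
            "packed_sections": [s["name"] for s in sections if s["entropy"] > 7.0],
            "strings": strings(data)}

def build_sample() -> bytes:
    """Constructed, non-executable PE-shaped blob used as sample input (not real malware)."""
    text = b"\x90" * 64 + b"http://example.invalid/beacon\0" + b"\x90" * 30
    packed = bytes(range(256)) * 2              # uniform byte spread: entropy 8.0, like a packer
    e_lfanew = 0x40
    data_start = e_lfanew + 4 + 20 + 2 * 40     # optional header size is 0 in this toy image
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    s1 = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), data_start) + b"\0" * 16
    s2 = struct.pack("<8sIIII", b".packed", len(packed), 0x2000, len(packed), data_start + len(text)) + b"\0" * 16
    return dos + coff + s1 + s2 + text + packed
```

A high-entropy section is exactly the case where the text warns that static analysis alone runs out of road: the strings and logic are hidden until the sample unpacks itself at run time.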
Dynamic malware analysis
Dynamic analysis examines malware while executing it on hardware or, more frequently, in a sandbox, and then tries to work out its functionality. The great advantage is that a virtual machine allows you to study malicious files without risk to your own system.
The main part of dynamic analysis is the use of a sandbox: a tool for executing suspicious programs from untrusted sources in an environment that is safe for the host machine. There are different approaches to analysis in sandboxes; they can be automated or interactive. Cybersecurity professionals need to evaluate threats fast and respond efficiently, before damage occurs.
Dynamic analysis allows the malware to play itself out in a controlled environment while observing its behaviour. VMs are critical when conducting dynamic analysis, as it is likely that the malware will cause irreparable damage to its host environment.
Several behavioural signals require your attention during dynamic malware analysis, including its interactions with network traffic, its targeting patterns towards the file system, and any changes to the registry.
The malware may also be debugged while running using a debugger to watch the behaviour and effects on the host system of the malware step by step while its instructions are being processed. Modern malware can exhibit a wide variety of evasive techniques designed to defeat dynamic analysis including testing for virtual environments or active debuggers, delaying execution of malicious payloads, or requiring some form of interactive user input.
By baselining the host environment before and after dynamic analysis, you can learn more about the malware’s behavioural tendencies. That’s why this type of analysis is also known as behaviour analysis.
Manual malware analysis
In a manual analysis, an analyst may choose to break down the code manually, using tools like debuggers, decompilers, and decrypters. Manual analysis often reveals the strategic intent behind malicious software, because the analyst examines the core logic of the algorithm and tries to predict the logic behind elements that seem unnecessary at first appearance.
Manual analysis is also known as code reversing since you are essentially beginning with the final software, moving backward into code, and then arriving at the original logic, instead of the other way around.
Automated malware analysis
Automated analysis passes the malware through an automated workflow where its different behavioural and static properties are tested. This may not provide insights into the software’s logic, but it is extremely useful for understanding its broader classification and which malware family it might belong to.
Automation can generate detailed reports and feed data into an incident response system, bringing only the most necessary signals to a human analyst.
Each type of malware analysis has its own purpose. It is advisable to execute all of them in conjunction to create a holistic picture of what the malicious app is capable of and how to prevent its entry into user systems. In particular, the manual code reversal approach aids in getting to the very root of the problem: why the malware was created in the first place.
Malware Analysis Process
The malware analysis process:
Before the actual analysis, you need access to a malicious piece of code in an uncompressed format. You can use a tool to capture it in an investigation-friendly environment.
Prepare malware lab
A malware analysis lab is a safe environment where you can test different malware functionalities without any risk to nearby files. Typically, malware labs rely on virtual machines (VMs) to sandbox the entire exercise.
Install analysis tools
These tools must be installed in the VMs.
Before running the malware, we assess the operating environment and document it as our baseline. The tools installed in the VMs help here: running the same tools later (after the malware is activated) shows the malware’s behaviour and impact.
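The before/after baselining described here and under dynamic analysis above, as an added example that is not part of the original page: it snapshots every file under a directory (path and SHA-256), simulates a detonation with a constructed stand-in that drops, alters and removes files, snapshots again, and reports the difference. The root directory, file names and contents are all constructed in a temporary folder; a real lab would run the same snapshot against the VM’s disk.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root: Path) -> dict[str, str]:
    """Baseline: relative path -> SHA-256 of content for every regular file under root."""
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            snap[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return snap

def diff_snapshots(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Compare two baselines; the result is what the detonation changed on disk."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }

def simulate_detonation(root: Path) -> None:
    """Constructed stand-in for running a sample: drops, alters and removes files."""
    dropped = root / "Users/victim/AppData/Roaming/updater.exe"
    dropped.parent.mkdir(parents=True, exist_ok=True)
    dropped.write_bytes(b"constructed dropper payload")                 # new persistence-style file
    (root / "Windows/hosts").write_text("127.0.0.1 av-update.example.invalid\n")  # tampered file
    (root / "Users/victim/Documents/notes.txt").unlink()                 # removed user data

def run_demo() -> dict[str, list[str]]:
    """Build a toy 'VM disk', baseline it, detonate the stand-in, baseline again, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows/hosts").write_text("127.0.0.1 localhost\n")
        (root / "Users/victim/Documents").mkdir(parents=True)
        (root / "Users/victim/Documents/notes.txt").write_text("quarterly numbers\n")
        before = snapshot(root)
        simulate_detonation(root)
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    print(run_demo())
```

The same pattern applies to the other signals the text lists: a process list, open sockets or a registry export taken before and after can be diffed the same way.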
There are several phases involved in the investigation step. Some require intense manual involvement, while others can gain from automation tools. We take the malware apart before initiating these phases to reveal its properties at every layer.
Depending on the tools used, we supply detailed information on malware behaviour, tendencies, and interaction patterns with its surrounding digital environment. These results are consolidated into an exhaustive document that forms the deliverable for the malware analysis exercise.
Malware analysis is at the heart of cybersecurity innovation today. Analysts can work with governments, non-profit organisations, research institutions, and corporates to develop the body of knowledge around malware.
Key Stages of Malware Analysis
Examining malicious software involves several stages, including, but not limited to, the following:
- Manual Code Reversing
- Interactive Behavior Analysis
- Static Properties Analysis
- Fully-Automated Analysis
You can break down malware analysis into three key stages. These coincide with the types of malware analysis listed above, giving you a closer look at the various facets of the malware’s identity and traits.
Observing malware behaviour
At the initial stages, our malware analysts run tools or execute short, manual exercises to force the malware to react. Once the malware reacts to its surrounding environment (on a VM), it becomes easier to understand whether it is harmless or a potential threat.
A popular tool used to observe malware behaviour is Wireshark, a tool that simulates multiple network conditions and inspects malware behaviour in the face of different protocols. Behavioural studies could be as simple as running antivirus in the virtual environment to check how the malware responds.
Combining the benefits of automation and manual strategy, we use behavioural analysis frameworks to create a reusable analysis script that puts the malware through its paces in a live virtual environment.
Disassembling the code
Disassembling the code involves static analysis, where we look at the unchangeable elements of the malware code, as well as its inner logic. Code disassembly relies on manual effort to a large extent, which is why it is recommended that malware analysts have some knowledge of binary and assembly language. We may also leverage a ready-to-use disassembler to tear down the malware program, converting the logic from its original binary form into assembly language. Typically, three types of tools can help at this stage:
- A disassembler deconstructs the malware into its primitive binary form and reconstructs it into assembly language that is comprehensible for a human analyst.
- A debugger conducts a code walkthrough and highlights unusual or suspicious-looking code elements where the malware analyst must investigate further.
- A decompiler recreates the original source code of a program and can help identify a coder’s digital fingerprint to trace its origin.
The first two stages focus on the malware’s surface identity and ambient behaviour, while the next stage combs through its potential impact.
Analysing memory artifacts
At this stage, we dive into the forensic artifacts left behind by the malware in your system’s memory. The average malware is often 1 MB or less in size, so it is difficult to observe its memory imprint in everyday computing environments. A malware analysis lab provides the conditions necessary to benchmark the pre-malware memory state, run the sample, and then extract artifacts resulting from its functionality.
Memory analysis can be extremely difficult, as we are looking for the most minute digital imprints left behind by an extremely light application designed for stealth. Fortunately, there are several tools out there to help at this stage, such as Memoryze, a free tool that analyses memory images to list all running processes (including hidden ones), identify loaded drivers, verify driver signatures, and display any open network sockets. In other words, this stage reveals further information on behaviour, even after the malware has stopped running.
Across these stages, our goal is to learn more about the malware, how it works, and how it would respond in different scenarios. To simplify the process, our malware analysts follow a set of key best practices.
Contact Makarov Intelligence Cyber & Risk Management