The Malware Analysis Project 101
A complete beginner project for malware analysis.
Full Disclosure: * denotes affiliate link.
👩💻 Project Overview
Malware analysis is the process of understanding the behavior and purpose of files, applications, or suspicious executables. Effective analysis allows for uncovering hidden indicators of compromise (IOCs), triaging incidents, improving threat alerts and detection, and providing additional context on the latest exploits and defense evasion techniques.
This project assumes a complete beginner's mindset toward the world of malware investigation and analysis. Its goal is to enhance overall comprehension and provide exposure to malware infection techniques and the popular tools practitioners use to aid in malware analysis.
🏆 Goals
- Learn the basics of malware infection tactics and common indicators of compromise (IOCs).
- Learn the foundations of static and dynamic malware analysis techniques.
- Triage and investigate malware samples with the help of written guides.
👍 The Project
#1 Practical Malware Analysis by Matt Kiely *
Used as the foundational training program to learn the basics of malware, analysis techniques, deploying an isolated malware lab, and the tools used in malware investigation. Taught on TCM Academy by Matt Kiely (HuskyHacks), a security practitioner with 10 years of experience in IT and cybersecurity.
#2 Create an Isolated Malware Lab Environment
Deploy an isolated malware lab environment through self-hosted virtual machines using VirtualBox and cloud-provisioned EC2 instances in AWS. An isolated lab environment provides a means of safely investigating malicious executables and programs.
#3 Malware Analysis CTFs
Practice malware analysis by playing CTFs. Using MalwareUnicorn, play the PE Injection Study and MacOS DyLib Injection CTFs.
#4 Investigate Live Malware Sample
Investigate live malware samples and create write-ups on findings. Using the theZoo live malware repository or vx-underground.org, run malicious programs in the isolated lab and use malware analysis tools to collect artifacts. Write the findings in a report. Use other write-ups if necessary.
🔍 Analysis Techniques
There are two primary types of techniques used by security researchers to examine malware contents and investigate behavior.
Static Analysis
Does not require the code, program, or executable to run. Instead, static analysis examines files for signs of malicious content, including strings, file names, hashes, domains, IP addresses, and file header data. Static analysis provides a first step into dissecting and examining malware.
Dynamic Analysis
The code, program, or executable in question is run in real-time. A safe environment, called a sandbox, is used by security practitioners to examine what happens when malware is executed. Dynamic analysis provides more detail into how the malware operates.
Hybrid Analysis
A combination of static and dynamic analysis is often used by malware researchers and security teams to extract the most amount of information and provide a “complete picture” for a malware sample. An example of hybrid analysis is when a piece of malicious code runs and changes some contents. Malware researchers can view the real-time behavior with a tool, while saving the data via a memory dump for further investigation with a static analysis tool.
🔨 Tools
There are many different free and commercial tools offered for static and dynamic malware analysis. Below is a list of a few popular tools used for analysis.
PeStudio
Best used for Windows executables. This tool provides the user with hashes of the sample and any detections found in VirusTotal. PeStudio can also report the level of entropy within a file; high entropy is a sign of malware "packing". Packing is used by malware to obfuscate its true functionality, and a packed sample is harder for defensive tools to detect. Useful strings, such as malicious domains and IP addresses, can also be pulled and reviewed.
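As an added example (not code from the course or from any tool listed here), a small Python static-triage script covering the basics named in the Static Analysis and PeStudio sections: file hashes, printable strings, and Shannon entropy as a packing indicator. The sample bytes are constructed inline so it runs offline; the 7.0 bits-per-byte threshold is a rule-of-thumb assumption, not a value from the page.

```python
import hashlib
import math
import re

# Constructed sample "file": low-entropy header text and a few strings,
# followed by a byte pattern with a flat distribution that mimics a
# packed/encrypted section. No real malware is involved.
SAMPLE = (b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 4
          + b"http://example.invalid/update " + b"C:\\Users\\Public\\a.exe\x00"
          + bytes((i * 73 + 11) % 256 for i in range(4096)))

def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests, the usual identifiers for lookup and sharing."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for repetitive data, near 8.0 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def printable_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII runs at least min_len long, like the `strings` utility."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes, chunk: int = 1024) -> dict:
    """Whole-file entropy plus per-chunk entropy so a packed region stands out."""
    chunks = [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    return {
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 2),
        "max_chunk_entropy": round(max(chunks), 2),
        "likely_packed": max(chunks) > 7.0,  # assumed threshold
        "strings": printable_strings(data),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```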
ProcMon
Tool produced by Microsoft that records live system activity such as file system operations, process creation, and registry changes. ProcMon is very useful for seeing new process creation and is particularly useful when analyzing malicious documents. One of ProcMon's best features is revealing hidden processes being launched in the background behind seemingly "innocent" processes in the foreground.
ProcDot
Ingests ProcMon CSV export files and network packet captures, such as PCAP files, to generate a graphical representation of the captured events and processes.
Autoruns
Tool produced by Microsoft to display any installed software on a device that is set to launch when the machine is powered on. Malware will often create a scheduled task or specific run keys in the Windows Registry to maintain persistence within the system. Autoruns will detect and highlight any new persistent software installed on the system.
Wireshark
Used to capture and analyze network traffic. Wireshark provides network packet inspection. While traffic is being captured, malware can and often will reach out to C2 domains or malicious IP addresses to download more payloads or await instructions from the server.
x64dbg
Used for manually debugging and reverse engineering malware samples. You will need to have an understanding of assembly code to use this tool. x64dbg has a steep learning curve, but can provide further detail into how malware samples work, including the imported API calls and specific operations used by a sample.
Ghidra
Free and open-source reverse engineering tool developed by the National Security Agency (NSA). Ghidra performs static analysis of code, meaning it does not execute the code. Ghidra will attempt to decompile code into human-readable output, which makes it easier for a malware analyst to reverse engineer the malware.
Capa
Open-source tool for analyzing malicious programs. This tool provides a framework for the community to encode, recognize, and share behaviors that have been seen in malware. When Capa is run against a malware sample, strings, capabilities, and other important information are extracted and mapped to known behaviors (such as communication or host interaction).
Cuckoo Sandbox
A sandbox for automated malware analysis. A Cuckoo Sandbox runs on a host machine running Cuckoo, with a Windows 7 VM nested within VirtualBox. The VM has a Cuckoo agent installed which feeds data back to the host operating system running Cuckoo. Once the analysis is completed, a detailed report on the malware is generated. This is a great tool for running malware in an isolated environment while collecting information in the background. Support for the Cuckoo Sandbox project has been discontinued as of April 2021.
CAPEv2 Sandbox
An open-source automated malware analysis system derived from the Cuckoo Sandbox repository, but maintained as a stand-alone project launched in September 2016. CAPEv2 automatically analyzes files and provides a comprehensive analysis of what the malware does while running in an isolated Windows operating system. The CAPE Sandbox consists of central management software which handles sample execution and analysis. Each analysis is launched in an isolated virtual machine. The host machine (Ubuntu is recommended) runs the management software, and a number of guest virtual machines (Windows 7 is recommended) are used as isolated guests for malware execution.
VirusTotal
A free online service that analyzes files and URLs for viruses and other types of malicious content. Used to flag malicious files and programs.
YARA Rules
A way to identify malware (or other files) by creating rules that look for certain characteristics. Mainly used for malware research and detection. YARA describes patterns that identify particular strings or entire families of malware. YARA rules are deployed to defensive tools such as Anti-Virus (AV), Endpoint Detection and Response (EDR), and inspection tools.
REMnux
A Linux distribution for malware analysis. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. One of REMnux's many use cases is simulating a C2 server to understand which URLs and malicious domains are probed when malware is detonated.
NOTE: This list will continue to be updated.
📚 Resources
- Best Malware Analysis Tools (Article)
- Practical Malware Analysis & Triage by Matt Kiely (Course)*
- Comprehensive List of Malware Analysis Training Resources (Website)
- A Chart of Most Commonly Used Windows API Functions (Website)
- Comprehensive List of Live Malware Samples (Website)
- theZoo – A Live Malware Repository (GitHub)
- vx-underground.org – A Malware Repository and Forum Site (Website)
- MalwareBazaar – Malware Database With Searchable Malware Types (Website / Database)
- Malware Unicorn CTFs (Website)
- Advanced Course by 0verfl0w_ and Offset (Course)
📄 Notes
Download a free copy of notes for the following:
- Build a Self-hosted Lab (VirtualBox)
- Build a Cloud-hosted Lab (AWS)
- #1 The Project Slides
- #2 Build a Malware Analysis Lab Slides