Introduction To Malware & Malware Analysis

This module gives a foundational overview of malware analysis so that SOC analysts can perform essential analysis tasks, with a focus on Windows-based malware.

Types of Malware

  1. Viruses: Infect host files and spread by attaching to legitimate programs.

  2. Worms: Self-replicating, spread autonomously over networks.

  3. Trojans: Disguised as legitimate software, create backdoors for unauthorized access.

  4. Ransomware: Encrypts data and demands ransom for decryption keys.

  5. Spyware: Collects user data without consent, tracking activities or capturing credentials.

  6. Adware: Displays intrusive ads and may collect browsing data.

  7. Botnets: Networks of compromised devices used for attacks or malware distribution.

  8. Rootkits: Gain control over OS components, concealing malicious activity.

  9. Backdoors/RATs: Enable remote access and prolonged control of a compromised system.

  10. Droppers: Carry additional malware payloads, ensuring stealthy installation.

  11. Information Stealers: Focused on stealing sensitive data like passwords and PII.

Malware Samples Resources

For malware research, handling samples should be done in secure, controlled environments. Notable sources include:

  • VirusShare

  • Hybrid Analysis

  • TheZoo (GitHub)

  • Malware-Traffic-Analysis.net

  • VirusTotal

  • ANY.RUN

  • Contagio Malware Dump

  • VX Underground

Malware/Evidence Acquisition

During investigations, disk imaging and memory acquisition tools are vital. Recommended tools include:

Disk Imaging Tools

  • FTK Imager: Widely used for creating disk images.

  • OSFClone: Open-source, supports multiple file systems.

  • dd/dcfldd: Command-line imaging tools on Unix-like systems; dcfldd adds forensic-focused features.

Memory Acquisition Tools

  • DumpIt: Simple tool for memory dumps on Windows and Linux.

  • MemDump: Command-line utility for RAM capture.

  • Belkasoft RAM Capturer: Effective on Windows systems, even when running software protected by anti-debugging measures.

  • Magnet RAM Capture: User-friendly tool by Magnet Forensics.

  • LiME: Linux Memory Extractor, effective for volatile memory acquisition.

Additional Evidence Acquisition

  • KAPE: Targeted artifact collection, quick analysis.

  • Velociraptor: Host-based incident response tool using Velocidex Query Language (VQL).

Malware Analysis: Definition, Purpose, & Techniques

Malware Analysis is the study of malware to understand its behavior, origin, and impact. This helps in detection, reverse engineering, behavioral analysis, and threat intelligence gathering.

Goals of Malware Analysis

  • Detection and Classification: Identifying and categorizing malware to develop detection rules.

  • Reverse Engineering: Disassembling code to understand functionality, encryption, and control infrastructure.

  • Behavioral Analysis: Observing malware’s interactions with systems (e.g., file changes, network connections).

  • Threat Intelligence: Gathering attacker tactics, techniques, and malware origins.

Common Malware Analysis Techniques

  1. Static Analysis: Analyzing malware code without execution to gain initial insights.

  2. Dynamic Analysis: Executing malware in a controlled environment to observe behavior.

  3. Code Analysis: Reverse engineering code to understand structure and functionality.

  4. Memory Analysis: Examining system memory to detect runtime modifications.

  5. Malware Unpacking: Extracting hidden code from packed malware to reveal actual functions.
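A first-pass static triage of a Windows sample, as an added example that is not part of this module: it hashes the file (for lookups on the sample resources listed above), checks for a valid PE header, uses byte entropy as a packing heuristic, and pulls indicator-like strings, all without executing anything. The sample bytes and the 7.0 entropy threshold are constructed assumptions for the example.

```python
import hashlib
import math
import re
import struct


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; packed or encrypted content sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs; URLs, paths and DLL names often surface here."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def is_pe(data: bytes) -> bool:
    """Check the MZ header and the PE signature at e_lfanew (offset 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\0\0"


def triage(data: bytes, packed_threshold: float = 7.0) -> dict:
    """Summarise hashes, format, packing heuristic and indicator strings."""
    ent = shannon_entropy(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "is_pe": is_pe(data),
        "entropy": round(ent, 2),
        "likely_packed": ent > packed_threshold,  # assumed threshold, tune per corpus
        "indicators": [s for s in extract_strings(data)
                       if re.search(r"https?://|\.dll$|\.exe$", s, re.I)],
    }


# Constructed sample: minimal DOS header, PE signature and a few embedded strings.
SAMPLE = (
    b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 64
    + b"kernel32.dll\0LoadLibraryA\0"
    + b"http://updates.example.invalid/stage2.bin\0"
    + b"C:\\Users\\Public\\svchost32.exe\0" + b"\0" * 256
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Low entropy on a real sample does not rule out packing (the packer stub itself may be plain), so treat the flag as a prompt for the unpacking step, not a verdict.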
