Malware analysis involves two key techniques: static analysis and dynamic analysis.
Static analysis examines malware without actually running it. Dynamic analysis (also known as behavior analysis) executes malware in a controlled and monitored environment to observe its behavior. Each technique includes elements further categorized as basic or advanced. Although there are benefits for conducting static and dynamic analysis as separate tasks, an analyst can realize the value provided by conducting both techniques when reverse engineering complex malware.
Performing static and dynamic analysis together helps identify the true intent and capabilities of malware and can provide a series of technical indicators which may not be achievable by basic static analysis alone. Since the focus of this blog is on basic malware analysis, I will define what the key techniques of basic analysis are.
Basic Static Analysis
Basic static analysis examines malware without viewing the actual code or instructions. It employs different tools and techniques to quickly determine whether a file is malicious or not, provide information about its functionality and collect technical indicators to produce simple signatures. Technical indicators gathered with basic static analysis can include file name, MD5 checksums or hashes, file type, file size and recognition by antivirus detection tools.
Basic Dynamic Analysis
Basic dynamic analysis actually runs malware to observe its behavior, understand its functionality and identify technical indicators which can be used in detection signatures. Technical indicators revealed with basic dynamic analysis can include domain names, IP addresses, file path locations, registry keys, additional files located on the system or network.
Additionally, it will identify communication with an attacker-controlled external server for command and control purposes or in an attempt to download additional malware files.
Basic analysis can be thought of as what most automated sandboxes or dynamic malware analysis engines do today.
What many malware analysts used to do manually with various tools for basic analysis has, for reasons of time and resources, largely been replaced with automated analysis through commercial sandboxes, open-source projects or custom homegrown solutions.
When performing basic static analysis, different tools and techniques are used to gather as much information as possible about the malware. Typically, the first step is to scan the malware to determine whether or not an anti-virus engine will detect it as being malicious. This can be done with a custom setup of multiple scanning engines or submission to an online scanner like VirusTotal.
Keep in mind that using online tools can tip off the malicious actor that someone is analyzing their malware.
Because of this, I typically start by hashing the file. The hash serves as a fingerprint of the malware, and I use that to perform searches to see what information is available. The most popular hashing algorithm used is MD5. However, using the various SHA algorithms and even ssdeep may yield additional information.
Next, you should get as much information as possible from the file’s headers, functions, strings, etc. These details will provide you with some simple indicators you can use to begin searching your environment for additional signs of infection. This can be done with the indicators themselves or by using this information to create a custom scanning signature such as a YARA rule.
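The static triage steps above (hash the file, read its headers, pull strings, turn the indicators into a signature) carried through in one script; this is an added example, not code from the original post. The sample bytes are constructed inline (a minimal MZ/PE header with two planted strings, not real malware), and the function names are my own.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

def build_sample():
    """Constructed stand-in for a sample: MZ/PE headers plus a few embedded strings."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)          # e_lfanew at offset 0x3C
    dos += b"\x00" * (0x80 - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x5F000000, 0, 0, 0xE0, 0x102)
    body = (b"\x00" * 16 + b"http://example.invalid/update.bin\x00" + b"\x00" * 8
            + "CreateRemoteThread".encode("utf-16le") + b"\x00" * 16)
    return dos + coff + body

def hashes(data):
    """Fingerprints used to pivot into threat-intel and internal searches."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def pe_header(data):
    """Return machine type, section count and compile timestamp, or None if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        return None
    machine, nsec, ts = struct.unpack_from("<HHI", data, off + 4)
    compiled = datetime.fromtimestamp(ts, timezone.utc).isoformat()
    return {"machine": hex(machine), "sections": nsec, "compiled": compiled}

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

def strings(data):
    """Printable ASCII and UTF-16LE runs of 6+ characters, tagged for YARA modifiers."""
    found = [(m.group().decode("ascii"), "ascii") for m in ASCII_RE.finditer(data)]
    found += [(m.group().decode("utf-16le"), "wide") for m in WIDE_RE.finditer(data)]
    return found

def yara_rule(name, digests, strs):
    """Turn the gathered indicators into a simple YARA rule for scanning the environment."""
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = [f"rule {name} {{", "  meta:", f'    sha256 = "{digests["sha256"]}"', "  strings:"]
    lines += [f'    $s{i} = "{esc(s)}" {kind}' for i, (s, kind) in enumerate(strs)]
    lines += ["  condition:", "    uint16(0) == 0x5A4D and 2 of ($s*)", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    sample = build_sample()
    print(hashes(sample), pe_header(sample), sep="\n")
    print(yara_rule("triage_sample", hashes(sample), strings(sample)))
```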
Dynamic analysis is the portion of basic malware analysis which is able to provide the most useful indicators for filesystem and network detection. At this stage, it is important to have a safe environment in which the analyst can run the malware and observe its behavior.
The analyst will need various tools to monitor system processes, filesystem and registry changes and network activity. For brevity’s sake, I’m not going through all the descriptions and tools which can possibly be used. What matters is that the analyst is able to monitor the malware regardless of the tools or personal preference. It is also important to understand any shortcomings of tool choice and how malware might detect its use and evade monitoring.
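One concrete way to capture the filesystem side of the monitoring described above is a before/after snapshot comparison, which yields the dropped, modified and deleted files as indicators. This is an added example, not code from the original post; the "sample" is a constructed stand-in function that only touches a throwaway temporary directory, and all names are my own.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    snap = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap

def diff_snapshots(before, after):
    """Classify filesystem changes between two snapshots."""
    return {
        "created": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }

def run_observed(root, action):
    """Snapshot, run the (hypothetical) sample, snapshot again, and report what changed."""
    before = snapshot(root)
    action(root)
    after = snapshot(root)
    return diff_snapshots(before, after)

def simulated_sample(root):
    """Constructed stand-in for running malware: drops a binary, edits a config, removes a log."""
    Path(root, "svchost_update.exe").write_bytes(b"MZ\x90\x00 constructed dropper body")
    Path(root, "config.ini").write_text("mode=safe\nupdate_url=http://example.invalid/c2\n")
    Path(root, "logs", "old.log").unlink()

def demo():
    """Seed a throwaway tree, observe the simulated run, and return the change report."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "config.ini").write_text("mode=safe\n")
        Path(root, "logs").mkdir()
        Path(root, "logs", "old.log").write_text("boot ok\n")
        return run_observed(root, simulated_sample)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The same snapshot-and-diff pattern applies to registry hives and process lists; the hashes in the "created" entries are exactly the file indicators the text says basic dynamic analysis should produce.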
Because malware authors understand the reliance on automated analysis, malware today has started to look for signs of such an environment and behave differently when it detects one. This doesn’t affect basic static analysis as much, but it can drastically change the results of basic dynamic analysis.
This brings up the importance of returning to the manual process of basic dynamic analysis and using advanced techniques to provide additional details about malware which are not generally revealed through basic analysis.
Understanding how the malware operates and the technical indicators associated with it is vital to the detection of malware and the protection of the network environment. Even the indicators gleaned from basic analysis can be a game changer when it comes to identifying additional malware distributed throughout the network.