Malware Analysis Notes CST98374

# Notes on Malware Analysis

Malware analysis is the process of studying and understanding malicious software
(malware) to determine its behavior, functionality, and impact on systems. The
primary goal of malware analysis is to identify the type of malware, its attack
vector, and the damage it may cause, in order to develop defenses, remove the
threat, and prevent future infections.

## 1. **Introduction to Malware**

**Malware** (short for malicious software) is any software intentionally designed
to cause harm to a computer, network, or device. The various types of malware
include:

- **Viruses**: Programs that replicate themselves by infecting other files and
programs.
- **Worms**: Self-replicating programs that spread across networks without user
interaction.
- **Trojans**: Malware disguised as legitimate software or files to trick users
into executing it.
- **Ransomware**: Malware that encrypts files or locks systems and demands payment
for the decryption key.
- **Spyware**: Malware designed to secretly monitor a user’s activities and collect
sensitive information.
- **Adware**: Software that displays unwanted ads, often collecting browsing data
without the user’s consent.
- **Rootkits**: Software designed to gain unauthorized access to a system and hide
its existence.

---

## 2. **Objectives of Malware Analysis**

- **Behavioral Understanding**: Identifying how malware behaves in a system (e.g.,
what files it modifies, what processes it starts, which servers it communicates
with).
- **Signature Development**: Creating detection mechanisms or signatures for future
detection of the same or similar malware.
- **Malware Removal**: Understanding how to remove malware from infected systems.
- **Forensic Evidence**: Providing evidence for legal or investigative purposes.
- **Preventive Measures**: Developing strategies to protect systems against future
attacks.

---

## 3. **Types of Malware Analysis**

### a. **Static Analysis**

Static analysis is the process of examining the malware code without executing it.
This method involves analyzing the malware’s binary code, structure, and components
in a controlled environment (without running it on an actual system).

**Techniques**:
- **Disassembly**: Breaking down the binary code into assembly language using tools
like **IDA Pro** or **Ghidra**.
- **String Analysis**: Extracting readable strings (e.g., file paths, IP addresses,
URLs) from the binary to gather information about its behavior.
- **File Structure**: Analyzing file headers, such as **PE (Portable Executable)**
format or **ELF (Executable and Linkable Format)**, to understand its structure.
- **Hashing**: Using hash functions (e.g., MD5, SHA-256) to identify known malware
by comparing file hashes with malware databases.
- **Anti-Analysis Techniques**: Some malware includes measures that hinder analysis
or detect that it is being analyzed, such as packing or obfuscation.

**Advantages**:
- No risk of system infection.
- Provides insights into the malware’s capabilities and functions.

**Disadvantages**:
- May be difficult to fully understand complex malware without running it.
- Malware may be obfuscated or encrypted, making it harder to analyze.
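As an added example (not part of the original notes), the string extraction, hashing and PE file-structure checks described above, implemented in Python over a constructed byte buffer; the buffer, the IOC buckets and the function names are assumptions for illustration, not a real sample:

```python
import hashlib
import re
import struct

# Constructed sample bytes (not a real executable): a DOS header whose
# e_lfanew field points at a PE signature and COFF file header, followed
# by a few embedded strings of the kinds the notes say to look for.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)   # DOS header, e_lfanew = 0x80
    + b"\x00" * 64                                    # pad up to offset 0x80
    + b"PE\x00\x00"                                   # PE signature
    + struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, 240, 0x22)  # COFF header: x64, 2 sections
    + b"\x00http://203.0.113.10/update.bin\x00"
    + b"C:\\Users\\Public\\svc.exe\x00198.51.100.7\x00\x01ab\x00"
)

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests, for lookup against malware hash databases."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII at least min_len bytes long (the 'strings' technique)."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_strings(strings) -> dict:
    """Bucket strings into the IOC classes the notes list: URLs, IP addresses, file paths."""
    buckets = {"url": [], "ip": [], "path": [], "other": []}
    for s in strings:
        if re.match(r"https?://", s):
            buckets["url"].append(s)
        elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s):
            buckets["ip"].append(s)
        elif re.match(r"[A-Za-z]:\\", s):
            buckets["path"].append(s)
        else:
            buckets["other"].append(s)
    return buckets

def parse_pe_header(data: bytes):
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header; None if not a PE file."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsec, "timestamp": ts,
            "optional_header_size": opt_size, "characteristics": chars}
```

The bounds check on `e_lfanew` matters on real samples: a truncated or deliberately malformed header is itself a finding, not a reason for the parser to crash.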

### b. **Dynamic Analysis**

Dynamic analysis involves running the malware in a controlled environment (sandbox)
to observe its behavior in real-time. The purpose is to see what actions the
malware performs once executed, such as system changes, network activity, or file
modifications.

**Techniques**:
- **Sandboxing**: Running the malware in a virtual machine or isolated environment
to observe its actions safely (e.g., using **Cuckoo Sandbox**).
- **System Monitoring**: Monitoring system changes, such as files modified,
processes created, or registry keys altered.
- **Network Analysis**: Observing network traffic to detect attempts to contact
external servers, download additional payloads, or exfiltrate data. Tools like
**Wireshark** or **tcpdump** are useful.
- **Behavioral Monitoring**: Using tools such as **Procmon** from the **Sysinternals**
suite to track real-time activities (file, registry, and process modifications).

**Advantages**:
- Provides real-world insights into malware behavior.
- Identifies dynamic activities such as network communication or self-replication.

**Disadvantages**:
- Risk of infecting the analysis environment if not properly isolated.
- Requires time and resources to execute and monitor the malware.

---

## 4. **Malware Analysis Tools**

**Static Analysis Tools**:

- **IDA Pro**: A disassembler and debugger for reverse engineering.
- **Ghidra**: A free and open-source reverse engineering tool developed by the NSA.
- **PEiD**: A tool for detecting the packers and protectors used to obfuscate
malware.
- **Binwalk**: A tool for analyzing binary files, particularly used for embedded
firmware.

**Dynamic Analysis Tools**:

- **Cuckoo Sandbox**: An open-source automated malware analysis system that runs
and analyzes malware in an isolated environment.
- **Wireshark**: A network protocol analyzer to monitor network traffic.
- **Procmon**: A system monitoring tool from Sysinternals that captures and logs
real-time system activity.
- **OllyDbg**: A debugger for analyzing executable code.
- **Fakenet-NG**: A tool used to simulate network services (such as HTTP, DNS) to
monitor network traffic generated by malware.

---

## 5. **Malware Behavior Indicators**

During analysis, various indicators of compromise (IOCs) help analysts understand
the malware’s behavior and impact:

- **File IOCs**: File names, hashes, and locations created by the malware.
- **Registry IOCs**: Keys or values modified or created by malware in the Windows
registry.
- **Network IOCs**: IP addresses, domain names, URLs, or network protocols used by
the malware for communication.
- **Process IOCs**: Processes that are created or injected by the malware.
- **Persistence Mechanisms**: Methods used by the malware to maintain access or
ensure it starts on system reboot (e.g., adding itself to startup, scheduled
tasks).
- **Exfiltration**: Malware that attempts to send stolen data to a remote server,
often using protocols like HTTP, FTP, or custom protocols.
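An added example, not from the original notes, that ties the Procmon-style system monitoring of section 3b to the registry, persistence and network IOCs listed above. The log lines are constructed, the column layout is assumed to follow Procmon's CSV export, and the rule set and function names are illustrative assumptions:

```python
import csv
import io
import re

# Constructed Procmon-style log (assumption: the column layout of Procmon's
# default CSV export). Rows mimic a dropped executable registering itself
# for persistence and then calling out to a remote address.
PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","svc.exe","4120","CreateFile","C:\\Users\\Public\\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.250","svc.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\Public\\svc.exe"
"10:01:02.300","svc.exe","4120","CreateFile","C:\\Windows\\System32\\Tasks\\Updater","SUCCESS","Desired Access: Generic Write"
"10:01:03.000","svc.exe","4120","TCP Connect","host.local:49710 -> 203.0.113.10:443","SUCCESS","Length: 0"
"10:01:03.500","notepad.exe","5012","RegQueryValue","HKCU\\Software\\Microsoft\\Notepad\\iWindowPosX","SUCCESS","Type: REG_DWORD"
"""

# (IOC class from the notes, Procmon operation, path regex, required detail text or None)
RULES = [
    ("file:dropped-executable", "CreateFile", r"^C:\\Users\\.*\.(exe|dll|scr)$", "Generic Write"),
    ("persistence:run-key", "RegSetValue",
     r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", None),
    ("persistence:scheduled-task", "CreateFile", r"^C:\\Windows\\System32\\Tasks\\", "Generic Write"),
    ("persistence:startup-folder", "CreateFile", r"\\Start Menu\\Programs\\Startup\\", "Generic Write"),
    ("network:outbound", "TCP Connect", r"-> (\d{1,3}\.){3}\d{1,3}:\d+$", None),
]

def find_indicators(csv_text: str) -> list:
    """Match each successful event against RULES; one finding per (event, rule) hit."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS":
            continue
        for ioc_class, op, path_re, detail_needle in RULES:
            if row["Operation"] != op or not re.search(path_re, row["Path"], re.IGNORECASE):
                continue
            if detail_needle and detail_needle not in row["Detail"]:
                continue
            findings.append({"class": ioc_class, "process": row["Process Name"],
                             "pid": int(row["PID"]), "path": row["Path"]})
    return findings

def summarize_by_process(findings) -> dict:
    """Group IOC classes per (process name, PID) so persistence plus network chains stand out."""
    summary = {}
    for f in findings:
        summary.setdefault((f["process"], f["pid"]), set()).add(f["class"])
    return summary
```

Grouping by process is what turns isolated events into the stage sequence of section 6: a single PID that drops a file, writes a Run key and then connects outbound is a much stronger signal than any one of those events alone.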

---

## 6. **Malware Infection Stages**

Malware typically goes through several stages during an attack. Understanding these
stages helps analysts track and stop infections:

1. **Infection**: The malware gains access to the system, often through phishing,
vulnerabilities, or malicious downloads.
2. **Execution**: The malware executes its payload, which may involve installing
additional components or performing actions on the system.
3. **Persistence**: The malware ensures it will continue to run after system
reboots or user logins.
4. **Exfiltration/Exploitation**: The malware may send stolen data back to the
attacker or exploit the system for further attacks.
5. **Covering Tracks**: Some malware may attempt to hide its presence by deleting
logs or disabling security measures.

---

## 7. **Advanced Malware Analysis Techniques**

### a. **Memory Analysis**

Some malware exists entirely in memory (e.g., fileless malware), making it
difficult to detect with traditional file-based analysis. Memory analysis involves
dumping the contents of system memory (RAM) and analyzing it for signs of malicious
activity.

**Tools**:
- **Volatility**: A framework for memory forensics and analysis.
- **Redline**: A memory analysis tool that can extract artifacts from volatile
memory.

### b. **Reverse Engineering**

Reverse engineering involves deconstructing malware to understand how it works,
often at the assembly or code level. This allows analysts to understand the
malware’s functionality and develop ways to defend against it.

**Tools**:
- **OllyDbg**: A debugger used for reverse engineering Windows executables.
- **x64dbg**: An open-source debugger for Windows systems, used for analyzing 64-bit
executables.

---

## 8. **Reporting and Documentation**

Once the analysis is complete, documenting the findings is critical. A good malware
analysis report should include:

- **Malware Overview**: A brief description of the malware type, infection vector,
and potential impact.
- **Indicators of Compromise (IOCs)**: List of relevant IOCs like file hashes, IP
addresses, domains, and registry keys.
- **Behavioral Analysis**: Details of the malware's actions, including changes to
the system and network activity.
- **Mitigation and Remediation**: Suggested steps to remove the malware and prevent
future infections.
- **Recommendations**: Additional security measures or tools that could prevent
similar attacks in the future.

---

## 9. **Conclusion**

Malware analysis is an essential skill for cybersecurity professionals tasked with
identifying, understanding, and mitigating the risks posed by malicious software.
By utilizing static and dynamic analysis techniques, leveraging appropriate tools,
and understanding the behavior of malware, analysts can provide valuable insights
that aid in the development of effective defenses and response strategies.
