Understanding Malware
Analysis Fundamentals
Aytaj Kazimli
Balagiz Orujova
Elmira Ibrahimli
Fidan Babayeva
Zarifa Shahbazzade
Ilaha Gardashaliyeva
Table of Contents
01 Introduction to Malware Analysis
02 Identifying malware
03 Objectives of Malware Analysis
04 Static analysis
05 Dynamic analysis
06 Role of Threat Intelligence in Malware Analysis
01 Introduction to Malware Analysis
Malware, or “malicious software,” is an
umbrella term that describes any malicious
program or code that is harmful to
systems.
Hostile, intrusive, and intentionally nasty,
malware seeks to invade, damage, or
disable computers, computer systems,
networks, tablets, and mobile devices,
often by taking partial control over a
device’s operations.
Malware Analysis and its Benefits
Threat Intelligence
Malware analysis provides a very accurate and comprehensive list of IoCs compared to other methods such as log analysis or digital forensics.
Incident Response
By dissecting and examining the malicious software involved in the attack, incident responders can identify its characteristics, behavior, and capabilities. This deep understanding allows them to determine the attack vectors used by the malware to infiltrate systems, exploit vulnerabilities, and evade detection mechanisms.
Threat Hunting
Malware analysis knowledge helps cybersecurity engineers to be more professional threat hunters who understand the attackers' techniques and tactics on a deeper level and who are fully aware of the context.
Malware Analysis Process
01 Acquisition
The first step is to obtain a sample of the malware for analysis. This can be done through various sources such as malware repositories, email attachments, network captures, or incident response activities.
02 Static Analysis
Includes File Identification, Metadata Analysis, Code Disassembly and Signature Matching.
03 Dynamic Analysis
Includes Environment Setup, Behaviour Setup, Network Traffic Analysis and System Call Tracing.
04 Reporting and Remediation
Document findings and analysis results in a comprehensive report, including details such as malware indicators, behavior patterns, and mitigation recommendations.
Types of Malware
01 Adware
Adware displays unwanted and sometimes malicious advertising on a computer screen, and captures user data that can be sold to advertisers.
02 Spyware
Spyware is a form of malware that hides on your device, monitors activity, and steals sensitive information.
03 Ransomware
Ransomware is malware designed to lock users out of their system or deny access to data until a ransom is paid.
04 Trojans
A Trojan disguises itself as legitimate software to trick you into executing malicious software on your computer.
05 Worms
Worms spread over computer networks by exploiting operating system vulnerabilities.
06 Viruses
A virus is a piece of code that inserts itself into an application and executes when the app is run.
07 Keyloggers
A keylogger is a type of spyware that monitors user activity.
08 Fileless malware
Fileless malware is a type of malicious software that uses legitimate programs to infect a computer.
What can malware do?
• Malware attacks can crack weak passwords, bore deep into systems, spread through networks, and disrupt the daily operations of an organization or business. Other types of malware can lock up important files, spam you with ads, slow down your computer, or redirect you to malicious websites.
• Malicious software is at the root of most cyberattacks, including the large-scale data breaches that lead to widespread identity theft and fraud. Malware is also behind the ransomware attacks that result in millions of dollars in damages. Hackers aim malware attacks against individuals, companies, and even governments.
How To Know if You Have Malware
• suddenly slows down, crashes
• won’t shut down or restart
• serves up lots of pop-ups, inappropriate ads, or ads that interfere with page content
• shows ads in places you typically wouldn’t see them, like government websites
• shows new and unexpected icons on your desktop
• runs out of battery life more quickly than it should
Why do hackers and cybercriminals use malware?
• Data theft
• Cyberwarfare and international espionage
• Sabotage
• Extortion
• Entrepreneurship
• DDoS attacks
• Mining cryptocurrency
Malware's Propagation
Malware propagation is performed by an attacking message being sent to the victim's computer, with the intent of exploiting a vulnerability in that system to compromise it.
1. Vectors of Propagation
2. Social Engineering Tactics
3. Exploiting Vulnerabilities
4. Network Propagation Techniques
03 Objectives of Malware Analysis
Damage caused by malware
So how does malware impact your computer’s
performance? Here are a few ways:
• Installing additional software.
• Creating unwanted popup ads.
• Redirecting web browser searches.
• Slowing connection speeds.
• Switching computer settings.
• Changing the homepage.
• Disrupting network connection.
Hardware failures
Because the hardware that’s used within modern computers is relatively well protected against damage that can result from software faults, it is unusual for computer viruses to cause the failure of hardware components. However, hardware failure is still a possibility. A Trojan virus may perform a repetitive action – for example, repeatedly opening and closing the CD tray. Even though these electromechanical components are generally very reliable, this repeated opening and closing could eventually cause the CD drive to fail.
Data Theft
Malware designed for data theft aims to extract sensitive information from compromised systems. This could be financial data, intellectual property, or any other valuable data. Examples of data theft malware include keyloggers, as well as data-stealing Trojans, which extract files and data from infected systems.
System Disruption
System disruption malware aims to interfere with the normal operation of computers, networks, or infrastructure. This can occur through denial-of-service attacks, which flood systems with traffic to render them inaccessible. Additionally, ransomware encrypts files and demands payment for decryption, while destructive malware causes permanent loss of data and systems.
IOCs act as flags that cybersecurity professionals use to detect unusual activity that is evidence of or can lead to a future attack.
Three conditions an indicator must satisfy:
Observable: it must display signs that a malicious event happened.
Context: an artifact must fit the specific context in which the attack transpired. For example, if a phishing attack occurs, the IoCs should be things like suspicious URLs or suspicious email
Metadata: there must be additional information that helps security teams make sense of the IoC. This can include the
Common types of IOCs
Strange outbound network traffic
A high or unusual amount of traffic from your server could be a sign of command and control (C2) communication. This could be traffic from an internally compromised system to an external C2 communication center.
Large number of unsuccessful login
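The two IoC types above (unusual outbound volume and clusters of failed logins) can be checked mechanically. The script below is an added example, not part of the presentation; the log format (`timestamp,kind,src,dst,key=value`), the thresholds and the sample lines are all constructed assumptions chosen to illustrate the logic.

```python
"""Flag two IoC patterns from constructed log lines:
unusually large outbound transfers per (src, dst) pair and bursts of failed logins
from one source inside a sliding time window. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (assumed format: ts,kind,src,dst,key=value)
SAMPLE_LOGS = """\
2024-05-01T10:00:01,net,10.0.0.5,203.0.113.9,bytes_out=1200
2024-05-01T10:00:05,net,10.0.0.5,203.0.113.9,bytes_out=5000000
2024-05-01T10:00:09,net,10.0.0.5,203.0.113.9,bytes_out=4800000
2024-05-01T10:00:12,net,10.0.0.7,198.51.100.4,bytes_out=800
2024-05-01T10:01:00,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:01:02,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:01:03,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:01:05,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:01:06,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:01:08,auth,192.0.2.20,10.0.0.5,result=fail
2024-05-01T10:05:00,auth,192.0.2.30,10.0.0.7,result=fail
2024-05-01T10:05:30,auth,192.0.2.30,10.0.0.7,result=ok
"""


def parse(lines):
    """Yield (timestamp, kind, src, dst, key, value) for each log line."""
    for line in lines.splitlines():
        ts, kind, src, dst, field = line.split(",")
        key, val = field.split("=")
        yield datetime.fromisoformat(ts), kind, src, dst, key, val


def outbound_volume_alerts(lines, byte_threshold=1_000_000):
    """Total bytes_out per (src, dst) and report pairs above the threshold (possible C2 exfil)."""
    totals = defaultdict(int)
    for _ts, kind, src, dst, key, val in parse(lines):
        if kind == "net" and key == "bytes_out":
            totals[(src, dst)] += int(val)
    return {pair: total for pair, total in totals.items() if total > byte_threshold}


def failed_login_alerts(lines, max_failures=5, window_seconds=60):
    """Report sources with more than max_failures failed logins within any window_seconds span."""
    failures = defaultdict(list)
    for ts, kind, src, _dst, key, val in parse(lines):
        if kind == "auth" and key == "result" and val == "fail":
            failures[src].append(ts)
    alerts = {}
    for src, stamps in failures.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # shrink the window from the left until it spans at most window_seconds
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > max_failures:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    print("outbound volume:", outbound_volume_alerts(SAMPLE_LOGS))
    print("failed logins:", failed_login_alerts(SAMPLE_LOGS))
```

Both checks are per-host aggregations rather than single-line matches, which is what distinguishes a volume or burst IoC from a simple signature; in a real deployment the thresholds would be tuned against the baseline of the environment.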
04 Static Analysis
What is Static Analysis?
Static malware analysis involves the examination of a suspicious file without executing it. It involves inspecting the file header, metadata, strings, resources, and code of a suspicious file. It can use tools like hex editors, disassemblers, debuggers, and decompilers to extract information from the file.
Benefits and Limitations
Benefits:
• Faster and more efficient
• Safer
• More comprehensive
• More reliable
Limitations:
• More difficult and time-consuming
• More prone to errors and false positives
• More susceptible to evasion and anti-analysis techniques
Static Analysis Techniques
01 File Fingerprinting
02 Code Reversing
03 Code Analysis
04 Strings Analysis
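File fingerprinting, header inspection and strings analysis are the first static steps and need no execution of the sample. The script below is an added example, not from the presentation: it hashes a buffer, checks the DOS/PE header layout, extracts printable strings and matches them against a small, assumed watch-list of API names. The buffer it analyses is constructed inline and is not a real binary.

```python
"""Static triage of a byte buffer: hashes, PE header check, strings extraction and
signature matching. The sample buffer and the API watch-list are constructed assumptions."""
import hashlib
import re
import struct


def build_sample():
    """Constructed stand-in for a file: 64-byte DOS header stub with e_lfanew -> PE signature,
    followed by a few printable strings of the kind a strings pass would surface."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3E)            # 64 bytes, 'MZ' magic at offset 0
    struct.pack_into("<I", buf, 0x3C, 0x40)            # e_lfanew at 0x3C points to offset 0x40
    buf += b"PE\x00\x00"                               # PE signature
    buf += b"\x00" * 4
    buf += b"kernel32.dll\x00CreateRemoteThread\x00http://example.invalid/beacon\x00"
    buf += b"\x01\x02ab\x03"                           # run shorter than min_len, ignored
    return bytes(buf)


def fingerprint(data):
    """File identification values that go into the report and into IoC lists."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def is_pe(data):
    """True if the buffer has an 'MZ' DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def strings(data, min_len=4):
    """ASCII strings of at least min_len printable characters, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Assumed watch-list: APIs commonly associated with process injection (illustrative only)
SUSPICIOUS_APIS = {"CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory"}
URL_RE = re.compile(r"https?://[\w.\-/]+")


def triage(data):
    """Combine header check, string extraction and signature matching into one summary."""
    found = strings(data)
    return {
        "pe": is_pe(data),
        "suspicious_apis": sorted(s for s in found if s in SUSPICIOUS_APIS),
        "urls": [s for s in found if URL_RE.fullmatch(s)],
    }


if __name__ == "__main__":
    sample = build_sample()
    print(fingerprint(sample))
    print(triage(sample))
```

The URL surfaced by the strings pass is itself a candidate IoC for the report; the API names only say that the code references them, which is exactly the kind of clue that later code analysis or dynamic analysis has to confirm.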
05 Dynamic Analysis
Dynamic analysis
• Dynamic analysis: launches and studies malware.
• Does not require a deep understanding of the malware’s packing.
• Allows real-time malware observation.
Isolation techniques:
• Running malware on a physical machine.
• Disabling outside communication.
• Virtualizing the environment and mimicking network services.
Sandbox examples:
• Norman Sandbox, Cuckoo sandbox, GFI, etc.
Executing malware:
• EXE: launch executable files directly.
• DLLs: use rundll32.exe with the DLL name and exports as arguments.
Process Monitor:
• Observes system resources.
• Records changes in resources.
• Detailed explanation.
• Event types: file creation, registry changes.
• Filtering: certain events like run key events.
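Process Monitor captures far more events than an analyst can read, so the usual workflow is to export the trace and filter it for the events that matter, such as writes to Run keys. The script below is an added example, not from the presentation: it filters a Procmon CSV export for persistence indicators. The rows are constructed, and the column layout is assumed to be Procmon's default export (Time of Day, Process Name, PID, Operation, Path, Result, Detail).

```python
"""Filter a Process Monitor CSV export for persistence-related events:
Run/RunOnce registry writes and file creation in the user's Startup folder.
Rows are constructed; column names follow Procmon's default CSV export (assumed)."""
import csv
import io

# Constructed Procmon-style export: one persistence pair from sample.exe plus benign noise
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:00.1","sample.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Roaming\\upd.exe"
"10:01:00.2","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\upd.exe","SUCCESS","Desired Access: Generic Write"
"10:01:00.3","explorer.exe","1532","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\Desktop","SUCCESS","Type: REG_SZ"
"10:01:00.4","sample.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.lnk","SUCCESS","Desired Access: Generic Write"
"10:01:00.5","sample.exe","4120","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Control\\Nls\\CodePage","SUCCESS","Type: REG_SZ"
'''

# Case-insensitive path fragments that mark autostart locations
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"


def is_run_key_write(row):
    """Registry write (not a read) under a Run/RunOnce key."""
    path = row["Path"].lower()
    return row["Operation"] in ("RegSetValue", "RegCreateKey") and any(m in path for m in RUN_KEY_MARKERS)


def is_startup_file_write(row):
    """File opened for writing inside a Startup folder."""
    return (row["Operation"] == "CreateFile"
            and "generic write" in row["Detail"].lower()
            and STARTUP_FOLDER_MARKER in row["Path"].lower())


def persistence_events(csv_text):
    """Return (process, category, path) for every row that matches a persistence pattern."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if is_run_key_write(row):
            hits.append((row["Process Name"], "run_key", row["Path"]))
        elif is_startup_file_write(row):
            hits.append((row["Process Name"], "startup_folder", row["Path"]))
    return hits


def processes_with_persistence(csv_text):
    """Distinct process names that produced at least one persistence event."""
    return sorted({proc for proc, _cat, _path in persistence_events(csv_text)})


if __name__ == "__main__":
    for hit in persistence_events(SAMPLE_CSV):
        print(hit)
```

Filtering on the operation as well as the path matters: explorer.exe and many legitimate programs read autostart keys constantly, and only writes by the sample are evidence of persistence.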
Network Simulation
• Simulated DNS: Redirects malware traffic
on Linux VM.
• Tricks malware into thinking it reached
the internet.
• Network Traffic Fingerprinting identifies
malicious payloads.
• Command and Control Analysis: Analyzes
packets sent by malware.
• Fingerprinting: Uses beacon information
to identify infected machines.
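A simulated DNS service is what lets the sample "reach the internet" inside the isolated lab: every name it asks for resolves to an analysis host, so its next connection lands where the analyst is listening. The resolver below is an added example, not from the presentation and not any of the sandboxes named above; it implements just enough of the RFC 1035 wire format to answer A queries, and the transaction ID, name and analysis-host address used in the usage code are constructed assumptions.

```python
"""Minimal fake DNS resolver for an isolated analysis network: every A query is answered
with the analysis host's address. Uses only the standard library; the addresses and the
query in __main__ are constructed assumptions."""
import socket
import struct


def parse_name(data, offset):
    """Decode a DNS name starting at offset; returns (dotted name, offset after the name)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:                         # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:               # compression pointer: follow it, then stop
            pointer = struct.unpack_from("!H", data, offset)[0] & 0x3FFF
            labels.append(parse_name(data, pointer)[0])
            offset += 2
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset


def build_query(txid, name):
    """Standard A/IN query for name; used here to construct input for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_response(query, answer_ip, ttl=60):
    """Answer an A/IN query with answer_ip; other types get an empty (no-answer) reply.
    Returns (response bytes, queried name)."""
    txid, _flags, qdcount = struct.unpack_from("!HHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, end)
    question = query[12:end + 4]                # echo the question section verbatim
    if qtype != 1 or qclass != 1:
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question, name
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    # NAME = pointer to offset 12 (the question name), TYPE A, CLASS IN, TTL, RDLENGTH 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer, name


def decode_answer(resp):
    """Read (txid, answer count, queried name, answered IP or None) back out of a reply."""
    txid, _flags, _qd, ancount = struct.unpack_from("!HHHH", resp, 0)
    name, end = parse_name(resp, 12)
    if ancount == 0:
        return txid, 0, name, None
    rdata_off = end + 4 + 12                    # skip qtype/qclass and the 12-byte answer header
    return txid, ancount, name, socket.inet_ntoa(resp[rdata_off:rdata_off + 4])


def serve(answer_ip, bind_addr="0.0.0.0", port=53):
    """Run on the lab DNS VM (port 53 needs privileges); every name maps to answer_ip."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            reply, name = build_response(data, answer_ip)
        except (ValueError, IndexError, UnicodeDecodeError, struct.error):
            continue                            # malformed query: ignore it
        print(f"{peer[0]} asked for {name}")    # the queried names are IoCs worth logging
        sock.sendto(reply, peer)


if __name__ == "__main__":
    q = build_query(0x1234, "update.example.invalid")        # constructed query
    reply, asked = build_response(q, "10.0.0.2")               # assumed analysis-host address
    print(asked, decode_answer(reply))
```

The queried names are the most valuable output: logging them gives the C2 domains for the report, and pointing every answer at a host where the analyst runs a listener lets the beacon traffic be captured and fingerprinted as the slide describes.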
06 Role of Threat Intelligence in Malware Analysis
What is threat intelligence?
Threat intelligence refers to the
collection, analysis, and
dissemination of information about
potential and current cyber threats. It
involves understanding the tactics,
techniques, and procedures (TTPs)
employed by malicious actors, as
well as their motivations and
capabilities.
Importance of Threat Intelligence in Malware Analysis
1 Early Detection
2 Attribution and Context
3 Incident Response Improvement
4 Enhanced Situational Awareness
5 Customized Defenses
Application of Threat Intelligence in Malware Analysis
Stuxnet (2010)
Threat intelligence played a significant role in the analysis of Stuxnet, a highly sophisticated malware that targeted SCADA systems.
WannaCry Ransomware (2017)
The global WannaCry ransomware attack was analyzed using threat intelligence to understand its propagation methods and the vulnerabilities it exploited, namely the EternalBlue exploit.
APT29 (Cozy Bear)
Threat intelligence has been crucial in tracking the activities of advanced persistent threat (APT) groups like APT29.
Thanks!