Malware is any software intentionally designed to cause disruption to a computer, erver, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. The main role of a malware analyst is to understand how malware works, what it is designed to do, and how to prevent it from causing harm to computer systems and networks. There are mainly two ways to analyze a malware.
- Static Analysis
- Dynamic Analysis
- View malware without looking at instructions.
- Tools: VirusTotal, strings.
- Quick and easy but fails for advanced malware and can miss important behavior.
- Examines malware without running it.
- Tools: VirusTotal, strings, a disassembler like IDA Pro (A disassembler is a computer program that translates machine language into assembly language).
- Reverse-engineering with a disassembler.
- Complex, requires understanding of assembly code.
- Run the malware and monitor its effect
- Use a virtual machine and take snapshots
- Tools: RegShot, Process Monitor, Process Hacker, CaptureBAT
- RAM Analysis: Mandant Redline and Volatility
- Easy but requires a safe test environment
- Not effective on all malware
- Run code in a debugger.
- Examines internal state of a running malicious executable.
| Resources | Link |
|---|---|
| Architecture 1001: x86-64 Assembly on OpenSecurityTraining2 by Xeno Kovah | Link |
| Architecture 1001: x86-64 Assembly on OpenSecurityTraining2 by Xeno Kovah | Link |
| Learn C | Link |
| Malware Analysis Fundamentals by MalwareAficionado | Link |
| Resources | Link |
|---|---|
| How can you start learning Malware Analysis by Lenny Zeltser | Link |
| Malware Analysis and Reverse Engineering Study Plan for Beginners by Alex Perotti | Link |
| Malware Noob2Ninja Course by Neil Fox | Link |
| Malware Analysis in 5+ Hours - Full Course - Learn Practical Malware Analysis by HuskyHacks | Link |
| Malware Analysis Bootcamp by HackerSploit | Link |
| Name | Description | Link |
|---|---|---|
| Virustotal | Overall scan the files and gives initial context about the malware | Link |
| HashCalc | GUI tool to calculate hash of a malware | Link |
| PEiD | PEiD detects most common packers, cryptors and compilers for PE files | Link |
| PE Studio | Explore PE Header of a malware | Link |
| TrID | Commandline utility to verify binary signature with malicious files | Link |
| Microsoft Sysinternals | A suite of program use in various analysis | Link |
| Process Explorer | Hierarchical view of processes | Link |
| PE Explorer | Inspect PE header of the malware and overall inside of the malware | Link |
| Procmon | Monitor every process in the system | Link |
| TCP View | Track TCP traffic for the host machine | Link |
| Apate DNS | GUI tool to capture DNS request | Link |
| REGShot | Take registry shots before and after malware execution to detect registry changes in the system | Link |
| HxD | A easy to use GUI to searching and replacing, exporting, checksums/digests, insertion of byte patterns, a file shredder, concatenation or splitting of files, statistics of the malware | Link |
| Resource Hacker | It used to add, modify or replace most resources within Windows binaries including strings, images, dialogs, menus, VersionInfo and Manifest resources | Link |
| IDA Pro | A de-compiler form high level to low. Great for static analysis | Link |
| Ollydbg | OllyDbg is a popular debugger for Windows that is commonly used for software reverse engineering, debugging, and malware analysis. It allows users to analyze and modify the behavior of binary code running on Windows systems. Best for Dynamic Analysis | Link |
| Flare VM | A script that turns a windows VM into a malware analysis VM installing all the necessary tools and utility | Link |
| Resources | Link |
|---|---|
| Malware Traffic Analysis by the community | Link |
| Reverse Engineering for Beginners by Ophir Harpaz | Link |
| BlueYard - BlueTeam Challenges | Link |
| MAL: Malware Introductory | Link |
| Basic Malware RE | Link |
| MAL: Researching | Link |
| Dissecting PE Headers | Link |
| The Basic Static Analysis | Link |
| The Basic Dynamic Analysis | Link |
| Resource | Link |
|---|---|
| Cheat Sheet for Analyzing malicious software by Lenny Zeltser | Link |
| Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser | Link |
| Resources | Link |
|---|---|
| Awesome Malware Development by rootkit-io | Link |
| Malware Development par 1 of 9 by 0xPat | Link |