Types of Malware Analysis

1. Static Analysis

    Static analysis is a type of analysis that does not require the sample to be executed. It is done by inspecting the PE header, resource section, hash values and similar artifacts to extract as much information as possible from the sample being analyzed.

    Static analysis is typically performed to check whether the sample is packed, to determine the sample's file type and to check the timestamps in order to correlate it with other analyzed samples. Static analysis can also help the analyst prepare the environment if the sample needs further analysis. Sometimes, however, this alone is not enough to understand the inner workings of the sample.

Even if this type of analysis does not require the sample to be executed, it is still required to perform these steps inside an isolated environment. (You would not like to explain the scenario where you accidentally execute the sample inside your own environment.)
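As an added example (not code from the original post), the following Python script performs the static triage steps just described on a small PE image constructed inline for the demo: it reads the hash, compile timestamp and section table straight from the PE header and flags high-entropy sections as a packing heuristic. The section names, timestamp and section bytes are constructed values, not taken from any real sample, and the optional header is omitted for brevity.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted sections approach 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_triage(sample: bytes) -> dict:
    """Static triage of a PE image: file type, hash, compile timestamp, per-section entropy."""
    if sample[:2] != b"MZ":
        return {"file_type": "not PE"}
    e_lfanew = struct.unpack_from("<I", sample, 0x3C)[0]
    if sample[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"file_type": "MZ without PE signature"}
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER follows the "PE\0\0" signature
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", sample, coff)
    sect_table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", sample, sect_table + 40 * i)
        ent = entropy(sample[raw_ptr:raw_ptr + raw_size])
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "entropy": round(ent, 2)})
    return {
        "file_type": "PE", "machine": hex(machine),
        "sha256": hashlib.sha256(sample).hexdigest(),
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "sections": sections,
        "likely_packed": any(s["entropy"] > 7.0 for s in sections),  # heuristic, not proof
    }

def build_sample() -> bytes:
    """Constructed minimal PE for this demo (not a real binary; optional header omitted)."""
    text = b"\x55\x8b\xec" * 200 + b"\xc3"  # repetitive bytes: low entropy, like plain code
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # stand-in for packed data
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1262304000, 0, 0, 0, 0x102)  # i386, 2 sections, 2010-01-01
    data_start = e_lfanew + 4 + 20 + 40 * 2
    def sect(name, data, ptr):
        return struct.pack("<8sIIII", name, len(data), 0x1000, len(data), ptr) + b"\0" * 16
    headers = sect(b".text", text, data_start) + sect(b"UPX1", packed, data_start + len(text))
    return dos + b"PE\0\0" + coff + headers + text + packed
```

Run `pe_triage(build_sample())` to see the triage dictionary; on the constructed image the `UPX1` section scores near 8.0 while `.text` stays well below 2.0, so `likely_packed` is set.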

Tools used for Static Analysis: Click Me!

2. Dynamic Analysis or Behavioral Analysis

    This type of analysis is performed by executing the sample inside an isolated environment or a malware sandbox. With the help of tools, an analyst can extract data that cannot be viewed during static analysis (e.g. strings, IP addresses, API keys).

    Behavioral analysis together with the correct tools helps the analyst understand the sample, and this alone can generate data that can be used for detecting host-based and network-based indicators of compromise (IOCs).

    As malware evolves, malware authors also use evasion techniques to bypass this type of analysis, whether by detecting the environment where the sample is being executed or by terminating the sample if it detects something odd during execution. If an analyst performs this analysis and finds no valuable information, extra steps are then needed to overcome this problem.

Tools used for Dynamic Behavioral Analysis: Click Me! 

3. Reverse Engineering Static Code Analysis

    Static code analysis is performed not by executing the sample but by loading it into a disassembler and understanding the inner workings of the sample from the disassembled code. This analysis requires expertise and knowledge of assembly language (the instructions used by the CPU for execution) to understand the jumps and the calls to the API functions the sample is using.

    In performing this type of analysis, there are also some drawbacks: first, the analyst's knowledge of assembly code; second, if the sample is packed by a known or unknown packer, it needs to be unpacked in order to see the full disassembled code; and third, if the sample has an anti-static-code-analysis function.

    Running a packed sample inside the disassembler can only show you a few instructions; the rest is junk code used by the packer to obfuscate the data inside. Whether the sample is packed or not, static code analysis gives the analyst a huge advantage in analyzing a sample.

Tools used for Static Code Analysis: Click Me!

4. Reverse Engineering Dynamic Code Analysis 

    This type of analysis is performed with a disassembler together with a tool called a debugger, and this too requires further expertise in understanding the assembly language, the debugger and basic code structures. Developers use this technique when they encounter problems with the programs they are working on. From a malware analyst's perspective, you are presented with a sample without knowing the code and functions within, and in order to analyze and understand it you must reverse-engineer the sample to extract the data and fully understand the inner workings behind it.

    In performing this type of analysis, there are also some drawbacks: first, the analyst's knowledge of assembly code; second, if the sample is packed by a known or unknown packer, it needs to be unpacked in order to see the full disassembled code; and third, if the sample has an anti-dynamic-code-analysis function.

    There are lots of anti-reverse-engineering techniques used by malware authors, and knowing each of those techniques helps the analyst stay a step ahead of the game.

Tools used for Reverse Engineering: Click Me!

Summary:

    Malware analysts must develop the skills needed to perform these steps; malware authors are constantly innovating and we, too, as future malware analysts, must keep up with this. Performing procedural and staged analysis can help simplify the life of an analyst, since, depending on the situation, an analyst may encounter a situation inside their organization that requires them to respond with a fast-paced procedure when it comes to an incident.