What is Malware Analysis?


Due to Covid-19, many teams have started working from home. This has left employees more vulnerable than ever to cyberattacks and breaches. In the first six months of 2020 alone, data breaches exposed over 36 billion records.

One theme is evident. Malware continues to be a considerable threat to high-profile organizations. As such, combatting attacks remains a high priority.

Malware analysis is a crucial step in understanding, fighting, preventing, and mitigating various malware. This article will explain what goes into malware analysis, what tools can assist you with it, and where you can turn for help.


What is Malware Analysis?

Malware analysis is the process of taking a close look at a suspicious file or URL to detect potential threats. It is one of the first steps to identifying malware before it can infect a system and cause harm to critical assets.

Malware analysis enables your security team to triage incidents by severity and uncover indicators of compromise (IOCs). It also gives a more complete picture for threat hunting and improves the quality of IOC-based alerts and notifications.

Types of Malware Analysis

Malware analysis can be static, dynamic, or a hybrid of both. With static analysis, you examine the file for signs of malicious intent without running it; with dynamic analysis, you execute the suspected code in a sandbox environment. The sandbox isolates the malware from your live systems, so it cannot infect your production environment or escape into your network.

Malware Analysis Use Cases

Computer Security Incident Management

In this case, an organization has determined that malware may have infiltrated their network. A response team is sent to deal with the threat.

They perform malware analysis on the malicious files to determine how dangerous they are and what type of malware is involved. They also analyze what impact it is likely to have on the organization’s systems.

Malware Research

Academics or industry specialists can perform in-depth malware research. These professionals try to get the best possible understanding of how certain malware performs.

SentinelLabs have, for example, closely examined the anatomy of TrickBot Cobalt Strike Attacks and gained insights into FIN7 malware chains.

This level of research and understanding is vital for reverse-engineering malware and requires malware analysis, as well as the testing of malware in a sandbox environment.

Indicator of Compromise (IOC) Extraction

Software product and solution providers often perform bulk testing and analysis to determine potential IOCs. In turn, they use these findings to strengthen their own security tooling and preemptively shore up weak points in their systems.


The Stages of Malware Analysis

There are four common stages of malware analysis, each more complex and specific than the one before it:

1. Scanning – Automated Analysis

Fully automated tools rely on detection models built by analyzing malware samples already discovered in the wild. Using these models, the tools scan suspicious files and programs to determine whether they are actually malware.

Automated analysis can also produce a detailed report, including the network traffic, file activity, and registry keys. A tool like this is the fastest method and doesn’t require an analyst.

It is suited to sifting through large quantities of samples and to testing a vast network. The trade-off is that it yields less information than the later, more hands-on stages.

2. Static Properties Analysis

Once the scan is complete, static properties analysis takes a closer look at the sample. At this stage, analysts examine the static properties of a threat without executing it, usually within an isolated environment or sandbox. Static properties include hashes, embedded strings, embedded resources, and header information.

Tools like disassemblers and network analyzers can get information on how the malware works at this stage.

3. Interactive Behavior Analysis

To gain further insight, analysts might want to run a malicious file in an isolated laboratory system to see its effects in action.

Interactive behavioral analysis lets the tester observe and understand how the malware affects the system, including its registry, file system, and process and network activity, and how those effects could be reproduced.

A safe testing environment can be set up with virtualization software that runs a guest operating system. Testing malware in a sandbox like this is also referred to as dynamic analysis.

The one great challenge with this is that malware can often detect when it is being run on a virtual machine and alter its behavior accordingly. Malware may remain dormant until certain conditions are met.

It’s possible to take a hybrid analysis approach by combining static and dynamic analysis methods.

4. Manual Code Reversing

Finally, analysts can manually reverse the file’s code and decode any encrypted data stored in the sample. This reveals capabilities that did not show up during behavioral analysis and adds valuable insight to the findings.

At this stage, additional tools, like debuggers and disassemblers, are required.

Building a Malware Analysis Environment

For a malware researcher, building the right analysis environment is a crucial step in analyzing and investigating malware properly. This consists of downloading, installing and configuring Windows 10 and REMnux Linux virtual machines, setting up a private network for communication between the virtual machines, building a custom Windows environment with SentinelLabs RevCore Tools, and capturing traffic from the Windows 10 virtual machine.


Top Malware Analysis Tools

Several types of tools are essential for performing malware analysis, which in turn helps you understand and avoid cyber attacks. While many of the tools listed here are free, the paid versions are highly recommended in a professional setting.

Disassemblers: A disassembler, like IDA Pro or Ghidra (developed by the National Security Agency, NSA), translates a binary’s machine code into assembly instructions without executing it, so that it can be analyzed statically. Disassemblers are often paired with decompilers, which reconstruct binary code into a higher-level, source-like representation.

Debuggers: A debugger, like x64dbg or WinDbg, is used to control the execution of a program step by step. This provides insight into what happens when the malware runs, and helps you reverse engineer a sample to see how it operates.

It also lets analysts inspect and modify regions of the program’s memory to understand what it does to the host and the network.

Hex editors: A hex editor, like HxD, is a specialized editor that can open any type of file and show its contents byte by byte. This lets you examine malware at its lowest level and begin to interpret its raw code and embedded data.

Monitors: When you need to see real-time file system, Registry, and process/thread activity, use an advanced monitoring tool like Process Monitor. It displays a process tree showing the relationships between all processes referenced in a trace, and it reliably captures process details.
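To show what the process tree in a monitor trace actually encodes, here is an added example (not Process Monitor’s or SentinelOne’s code) that rebuilds the parent/child tree from process-start events. The trace is constructed, not a real capture, in a hypothetical `time,pid,ppid,image,cmdline` line format, and the helper names (`parse_trace`, `build_tree`, `render_tree`, `lineage`) are this example’s own. A process whose parent never appears in the trace (it started before capture began) becomes a root, and the `lineage` helper walks back up the chain, which is how an analyst reads a document viewer spawning a shell spawning a script host.

```python
"""Rebuild the process tree from process-start events in a trace, the way a
monitor such as Process Monitor presents parent/child relationships.

Added example, not Process Monitor's or SentinelOne's code. The trace is
constructed (not a real capture) in a hypothetical
"time,pid,ppid,image,cmdline" line format; helper names are this example's own."""
from dataclasses import dataclass, field

# Constructed trace: one process-start event per line (not real capture data).
TRACE = """\
10:00:01.120,1000,800,explorer.exe,explorer.exe
10:00:05.301,2100,1000,winword.exe,"winword.exe" invoice.docm
10:00:06.044,2188,2100,cmd.exe,cmd.exe /c start helper.bat
10:00:06.310,2204,2188,powershell.exe,powershell.exe -f helper.ps1
10:00:09.913,2300,1000,notepad.exe,notepad.exe notes.txt
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    start: str
    children: list = field(default_factory=list)


def parse_trace(text):
    """Parse event lines into a pid -> Proc map (cmdline may contain commas)."""
    procs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        start, pid, ppid, image, cmdline = line.split(",", 4)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline, start)
    return procs


def build_tree(procs):
    """Link children to parents; a process whose parent is not in the trace
    (it started before capture began) becomes a root. Returns roots by start."""
    for p in procs.values():
        p.children.clear()          # safe to call more than once
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None:
            roots.append(p)
        else:
            parent.children.append(p)
    for p in procs.values():
        p.children.sort(key=lambda c: c.start)
    return sorted(roots, key=lambda r: r.start)


def render_tree(roots, depth=0):
    """Indented text lines, one per process, children under their parent."""
    lines = []
    for p in roots:
        lines.append("  " * depth + f"{p.image} (PID {p.pid}) {p.cmdline}")
        lines.extend(render_tree(p.children, depth + 1))
    return lines


def lineage(procs, pid):
    """Ancestry of a process, root first, as far back as the trace shows."""
    chain = []
    p = procs.get(pid)
    while p is not None:
        chain.append(p.image)
        p = procs.get(p.ppid)
    return chain[::-1]


if __name__ == "__main__":
    procs = parse_trace(TRACE)
    for line in render_tree(build_tree(procs)):
        print(line)
    print("lineage of PID 2204:", " -> ".join(lineage(procs, 2204)))
```

Run as a script it prints the indented tree and the chain `explorer.exe -> winword.exe -> cmd.exe -> powershell.exe` for PID 2204; `notepad.exe` stays a sibling under `explorer.exe`, which is the kind of context a flat event list hides.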

PE Analysis: Tools like PeStudio, PE-bear and pefile are worth considering when looking for free reversing tools for PE files. They are useful for visualizing a PE’s section layout, and can help you detect file signatures, hard-coded URLs and IP addresses.

Network analyzers: This type of software tells analysts how the malware interacts with other machines. It can reveal the threat’s connections and what data it is trying to send.


Protect Your System with Leading Edge-to-Edge Enterprise Security

SentinelOne gives you a centralized platform to prevent, detect, respond, and hunt in the context of all enterprise assets.

SentinelOne offers endpoint protection, detection and response, and IoT discovery and control. For more information on malware analysis, get in touch today.

SentinelOne encompasses AI-powered prevention, detection, response and hunting.