Malware Analysis For Beginners

GuidedHacking
3 min read · Apr 25, 2024

Malware analysis may seem overwhelming, yet with the proper resources it is accessible even to beginners. The best way to get started is to learn the basics & techniques through hands-on practice. A good starting point is a tutorial aimed at beginners that breaks down the basics & provides step-by-step instructions, so that someone can ease into practice. You can check this article on getting started with malware analysis.

Learn Basics Of Reverse Engineering (2–4 months)

One key requirement for analyzing malicious code is learning reverse engineering, since malware analysts use IDA Pro to disassemble the malicious code and extract IOCs from it. This also means you need to know how to read assembly, and you should be familiar with debugging code in x64dbg, since some samples may be packed. This should give you an idea of why you need reverse engineering skills to learn malware analysis.

Top Malware Persistence Techniques

Knowing how malware keeps its hold on a system even after reboots is a crucial part of cybersecurity. Malware persistence techniques range from simple registry hacks to complex network behaviors that most detection methods struggle with. To protect a system adequately, one should be aware of these techniques. You can read this discussion on malware persistence techniques for more information about how malware ensures that it stays put on infected systems.

List Of Malware Persistence Techniques

There are several persistence techniques an attacker can use to maintain a foothold on a machine. In most cases, the attacker will either modify existing registry keys or create new ones to ensure the malware keeps running even after a reboot. Not all techniques require changes to the registry, however. For instance, DLL Search Order Hijacking simply requires placing the malicious payload DLL in the same folder as the target executable binary.

Tools to Analyze Malware on Windows

For the cybersecurity professional, particularly one working with Windows-based systems, it is essential to know which tools are best suited to analyzing malware in order to build effective defense strategies. There are many tools at one's disposal, each designed to tackle a specific aspect of malware analysis, from packet sniffing to system behavior logging. Being aware of these tools goes a long way toward making one's analytical capabilities invaluable. For a more general overview of the most popular tools in this field, check out this article on popular tools for Windows malware analysis.

Malware analysis tools like PE Bear, CFF Explorer, and Process Hacker are used by malware analysts to analyze Windows malware code and its behavior. Any public Windows malware sample can also be analyzed online using sandboxes like VirusTotal and Triage, to find capabilities that the analyst might have missed when analyzing the sample locally.

Process Monitor for Malware Analysis

The ability to monitor processes is one of the primary skills in malware analysis. A lot of information about what malicious software is actually doing on a system can be gleaned from the system's process table. Process tracing tools can be incredibly effective in helping analysts identify suspicious behaviors that might otherwise go unnoticed, and the ability to use such tools effectively comes in very handy when detecting & mitigating a threat. The use of Process Monitor for malware analysis is explained in the linked article, which offers comprehensive instructions & tips & is a must-read for anyone interested in learning how to use such a tool.

At times, a malware sample may not be available online and may have been specifically crafted to attack one organization. When analyzing such sensitive malware, the organization may instruct the forensics team not to use online sandboxes, which publish the malware to a public database.

If the attacker learns that the malware is being analyzed, they can remove traces of it from the infected machine. This can make it very difficult to determine why the attacker targeted the machine & what information was potentially exfiltrated. In this case the malware should only be analyzed locally by the malware analyst, using dynamic analysis tools like Process Monitor.
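To tie the persistence section above to local dynamic analysis, here is an added example (not GuidedHacking's code) that reads a Process Monitor CSV export and flags the two persistence patterns the article names: values written under autostart Run keys and DLL files dropped with write access, the footprint of a DLL search-order hijack. It assumes ProcMon's default CSV export columns; the event lines are constructed for illustration, not taken from a real capture.

```python
import csv
import io

# Autostart registry locations from the persistence section, matched as
# case-insensitive prefixes of the ProcMon "Path" column ("Run" also covers "RunOnce").
AUTORUN_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample in ProcMon's default CSV export layout; not a real capture.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\Users\lab\AppData\Roaming\upd.exe"
"10:01:02.2234567 AM","sample.exe","4120","CreateFile","C:\Program Files\SomeApp\version.dll","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:01:02.3234567 AM","explorer.exe","1844","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 80"
"10:01:02.4234567 AM","sample.exe","4120","CreateFile","C:\Users\lab\AppData\Local\Temp\log.txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
'''

def classify(row):
    """Return a reason string if a ProcMon event matches a persistence pattern, else None."""
    op, path, detail = row["Operation"], row["Path"].lower(), row["Detail"].lower()
    # Registry persistence: a value written under an autostart key.
    if op == "RegSetValue" and any(path.startswith(k.lower()) for k in AUTORUN_KEYS):
        return "autorun-registry-write"
    # DLL search-order hijack candidate: a .dll created or overwritten with write
    # access, which is what dropping a payload DLL beside a target executable looks like.
    if op == "CreateFile" and path.endswith(".dll") and "generic write" in detail:
        return "dll-drop"
    return None

def triage(csv_text):
    """Parse a ProcMon CSV export; return (process, pid, reason, path) for flagged events."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        if row["Result"] != "SUCCESS":
            continue  # a failed operation did not change the system
        reason = classify(row)
        if reason:
            findings.append((row["Process Name"], row["PID"], reason, row["Path"]))
    return findings

if __name__ == "__main__":
    for proc, pid, reason, path in triage(SAMPLE_CSV):
        print(f"{proc}({pid}): {reason} -> {path}")
```

Reads from the Run key by explorer.exe and the plain text file write are left out, so only the two events that actually establish persistence surface in the result.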
