Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.
The key benefit of malware analysis is that it helps incident responders and security analysts:
- Pragmatically triage incidents by level of severity
- Uncover hidden indicators of compromise (IOCs) that should be blocked
- Improve the efficacy of IOC alerts and notifications
- Enrich context when threat hunting
Types of Malware Analysis
The analysis may be conducted in a manner that is static, dynamic or a hybrid of the two.
Static Analysis
Basic static analysis does not require that the code is actually run. Instead, it examines the file itself for signs of malicious intent. Technical indicators such as file names, cryptographic hashes, embedded strings (IP addresses, domain names, URLs), imported libraries and functions, and file header data (for example the PE section layout and compile timestamp) can be compared against known indicators to judge whether a file is malicious, and identifying the infrastructure, libraries or packed payloads a file references is often valuable on its own. To learn more about how the malware works without executing it, analysts also inspect the code with disassemblers and decompilers.
However, since static analysis never runs the code, sophisticated malware can hide its malicious behavior behind runtime logic that static inspection does not see. For example, if a sample builds a download URL at runtime (decrypting it or assembling it from fragments) and only then fetches a second-stage payload, that URL never appears among the strings on disk and basic static analysis will miss it. Enterprises have therefore turned to dynamic analysis for a more complete understanding of the file's behavior.
Dynamic Analysis
Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.
Deeper visibility made possible by dynamic analysis gives threat researchers and incident responders the ability to identify a threat’s genuine nature. Automated sandboxing also saves time by avoiding the need to reverse engineer a file in order to find malicious code.
The challenge with dynamic analysis is that adversaries know sandboxes exist and have become very good at detecting them. To deceive a sandbox, malware authors build checks into their code that keep the malicious payload dormant until certain conditions are met, for example no virtual machine artifacts are found, a user has moved the mouse, a set amount of time has passed, or the host is joined to the targeted domain. Only then does the payload run, often after the sandbox's analysis window has already closed.
Hybrid Analysis (includes both of the techniques above)
Basic static analysis isn't a reliable way to detect sophisticated malicious code, and sophisticated malware can sometimes hide from sandbox technology. By combining basic static and dynamic techniques, hybrid analysis gives security teams the best of both approaches: it can detect malicious code that is trying to hide, and it can then extract many more indicators of compromise (IOCs) by statically analyzing code that was previously unseen, such as a payload unpacked in memory. Hybrid analysis helps detect unknown threats, even those from the most sophisticated malware.
For example, hybrid analysis applies static analysis to data produced by behavioral analysis, such as the memory of a process after malicious code has executed and unpacked or decrypted itself. If dynamic analysis observes such a change, analysts go back and conduct basic static analysis on the memory dump. This yields IOCs that never appear on disk (decrypted configuration, command-and-control addresses, internal strings) and exposes previously unknown threats.
Malware Analysis Use Cases
Malware Detection
Adversaries are using increasingly advanced methods to elude existing detection systems. Threats can be detected more successfully through comprehensive behavioral analysis and by identifying shared code, malicious functionality or shared infrastructure. Malware investigation also produces IOCs, which can be fed into SIEMs, threat intelligence platforms (TIPs) and security orchestration tools so that teams are alerted to related threats in the future.
Threat Alerts and Triage
Malware analysis solutions provide higher-fidelity alerts earlier in the attack life cycle, so teams can save time by prioritizing these alerts over lower-confidence signals from other technologies.
Incident Response
The goal of the incident response (IR) team is to provide root cause analysis, determine impact and succeed in remediation and recovery. The malware analysis process aids in the efficiency and effectiveness of this effort.
Threat Hunting
Malware analysis can expose behavior and artifacts that threat hunters can use to find similar activity, such as connections to a particular IP address, port or domain. By searching firewall and proxy logs or SIEM data for these artifacts, teams can find similar threats elsewhere in the environment.
Malware Research
Academic or industry malware researchers perform malware analysis to gain an understanding of the latest techniques, exploits and tools used by adversaries.
Stages of Malware Analysis
Static Properties Analysis
Static properties include strings embedded in the malware code, header details, hashes, metadata, embedded resources, etc. This type of data may be all that is needed to create IOCs, and it can be acquired very quickly because there is no need to run the program in order to see it. Insights gathered during static properties analysis can indicate whether a deeper investigation using more comprehensive techniques is necessary and determine which steps should be taken next.
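As an added example (not code from the original article), the script below walks through static properties analysis on a constructed, PE-shaped byte blob: header fields, file hashes, printable strings and regex-based IOC extraction. It also illustrates the hybrid-analysis point made earlier: the command-and-control URL is XOR-encoded on disk, so static extraction misses it, while re-running the same extraction on a simulated post-execution memory dump recovers it. The sample bytes, the `CFG` marker, the XOR key, the decoder and every indicator (the example.org/example.net names and 203.0.113.5) are assumptions made up for this demo.

```python
import datetime
import hashlib
import re
import struct

# Constructed sample for this example (NOT a real binary): a minimal PE-shaped
# header followed by a data blob with plaintext strings and an XOR-encoded C2 URL.
XOR_KEY = 0x5A
HIDDEN_C2 = b"http://c2.example.org/gate.php"   # only ever exists decoded in memory at runtime
CFG_MARKER = b"CFG"                              # hypothetical config marker used by the sample


def build_sample() -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE signature follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 2, 1700000000, 0, 0, 240, 0x0022)
    optional = struct.pack("<H", 0x20B) + bytes(238)   # PE32+ magic, remaining fields zeroed
    encoded = bytes(c ^ XOR_KEY for c in HIDDEN_C2)
    data = (b"\x00kernel32.dll\x00InternetOpenUrlA\x00update-check.example.net\x00"
            b"203.0.113.5\x00" + CFG_MARKER + bytes([len(encoded)]) + encoded + b"\x00")
    return bytes(dos) + coff + optional + data


def pe_header_properties(blob: bytes) -> dict:
    """Static properties from the DOS/COFF/optional headers (no execution needed)."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, _, flags = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]   # optional header follows the 20-byte COFF header
    return {
        "machine": {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "sections": nsections,
        "compile_time": datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc).isoformat(),
        "is_dll": bool(flags & 0x2000),
    }


def file_hashes(blob: bytes) -> dict:
    return {name: hashlib.new(name, blob).hexdigest() for name in ("md5", "sha1", "sha256")}


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[^\s\"'<>]+")
DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|io|info|ru)\b", re.I)   # short TLD list for the demo


def extract_iocs(strings: list) -> dict:
    iocs = {"ipv4": set(), "domain": set(), "url": set()}
    for s in strings:
        iocs["ipv4"].update(IPV4.findall(s))
        iocs["url"].update(URL.findall(s))
        iocs["domain"].update(d.lower() for d in DOMAIN.findall(s))
    return {k: sorted(v) for k, v in iocs.items()}


def decode_config(blob: bytes) -> bytes:
    """Re-implementation of the sample's hypothetical config decoder, as an analyst
    would write it after reversing: marker, one length byte, XOR-encoded payload."""
    start = blob.index(CFG_MARKER) + len(CFG_MARKER)
    length = blob[start]
    return bytes(c ^ XOR_KEY for c in blob[start + 1:start + 1 + length])


def memory_dump_after_run(blob: bytes) -> bytes:
    """Stand-in for a sandbox memory dump: the image plus the config the sample
    decoded into its heap. In practice the sandbox produces this, not the analyst."""
    return blob + decode_config(blob) + b"\x00"


def analyze(blob: bytes) -> dict:
    return {
        "header": pe_header_properties(blob),
        "hashes": file_hashes(blob),
        "iocs_on_disk": extract_iocs(printable_strings(blob)),          # misses the encoded C2
        "iocs_in_memory": extract_iocs(printable_strings(memory_dump_after_run(blob))),  # finds it
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(build_sample()), indent=2))
```

Running it shows the on-disk pass yielding only the plaintext domain and IP, while the memory pass adds the decoded URL and its host, which is exactly the extra IOC set the hybrid approach is after. The same extractor works on a real process dump; only the constructed sample and the toy decoder are specific to this demo.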
Interactive Behavior Analysis
Behavioral analysis is used to observe and interact with a malware sample running in a lab. Analysts seek to understand the sample’s registry, file system, process and network activities. They may also conduct memory forensics to learn how the malware uses memory. If the analysts suspect that the malware has a certain capability, they can set up a simulation to test their theory.
Behavioral analysis requires a creative analyst with advanced skills. The process is time-consuming and complicated, and it cannot be performed effectively without automated tooling such as sandboxes, API monitors and process and network tracers to capture the activity.
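The following is an added example, not tooling from the article: a small triage pass over a constructed sandbox event log. The line format, the process name `invoice.exe`, the paths and every indicator in it are made up for the demo. It pulls out the registry, file system, process and network activity the paragraph lists and also flags two of the sandbox-evasion behaviors discussed earlier, a virtual-machine fingerprinting registry read and a long sleep before the payload acts.

```python
# Constructed sandbox event log for this example (not output from any real tool).
# Format: time|pid|process|operation|detail
SAMPLE_EVENTS = r"""
00:00:01.120|4120|invoice.exe|ProcessCreate|C:\Windows\System32\cmd.exe /c whoami
00:00:01.301|4120|invoice.exe|RegQueryValue|HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion -> VBOX
00:00:01.305|4120|invoice.exe|Sleep|600000
00:10:01.420|4120|invoice.exe|FileWrite|C:\Users\analyst\AppData\Roaming\svchost32.exe
00:10:01.560|4120|invoice.exe|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\analyst\AppData\Roaming\svchost32.exe
00:10:02.010|4120|invoice.exe|TcpConnect|203.0.113.5:443
00:10:02.300|4120|invoice.exe|DnsQuery|c2.example.org
00:10:02.900|4120|invoice.exe|FileWrite|C:\Users\analyst\Documents\report.docx
""".strip()

VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen")       # common hypervisor strings
DROP_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".bat")
LONG_SLEEP_MS = 60_000   # a sleep this long usually outlives an automated sandbox run


def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        time, pid, proc, op, detail = line.split("|", 4)
        events.append({"time": time, "pid": int(pid), "process": proc, "op": op, "detail": detail})
    return events


def score(report: dict) -> str:
    points = (2 if report["persistence"] else 0) \
           + (2 if report["dropped_files"] else 0) \
           + (1 if report["network"]["ipv4"] or report["network"]["domain"] else 0) \
           + (1 if report["evasion"] else 0)
    return "high" if points >= 4 else "medium" if points >= 2 else "low"


def triage(text: str) -> dict:
    """Group raw sandbox events into the categories an analyst reports on,
    then assign a coarse severity so alerts can be prioritized."""
    report = {"persistence": [], "dropped_files": [], "child_processes": [],
              "network": {"ipv4": [], "domain": []}, "evasion": []}
    for ev in parse_events(text):
        op, d, low = ev["op"], ev["detail"], ev["detail"].lower()
        if op == "RegSetValue" and "\\currentversion\\run" in low:
            report["persistence"].append(d)                      # autorun key written
        elif op == "FileWrite" and low.endswith(EXEC_EXT) and any(x in low for x in DROP_DIRS):
            report["dropped_files"].append(d)                    # executable dropped in a user-writable dir
        elif op == "ProcessCreate":
            report["child_processes"].append(d)
        elif op == "TcpConnect":
            report["network"]["ipv4"].append(d.rsplit(":", 1)[0])
        elif op == "DnsQuery":
            report["network"]["domain"].append(d.lower())
        elif op == "RegQueryValue" and any(m in low for m in VM_MARKERS):
            report["evasion"].append(f"VM fingerprinting: {d}")
        elif op == "Sleep" and int(d) >= LONG_SLEEP_MS:
            report["evasion"].append(f"long sleep ({int(d) // 1000}s) before activity")
    report["severity"] = score(report)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The network entries are the IOCs that would go to the SIEM or TIP for hunting; the evasion entries are the reason an automated run that ends before the sleep expires would have reported nothing, which is the case where an analyst steps in to interact with the sample or patch the delay.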
Fully Automated Analysis
Fully automated analysis quickly and simply assesses suspicious files. The analysis can determine potential repercussions if the malware were to infiltrate the network and then produce an easy-to-read report that provides fast answers for security teams. Fully automated analysis is the best way to process malware at scale.
Manual Code Reversing
During this phase, analysts use debuggers, disassemblers, decompilers and other specialized tools to reverse-engineer code in order to decrypt encrypted data, understand the logic behind the malware's algorithms and uncover hidden capabilities that the malware has not yet exhibited. Code reversing takes a lot of time and requires a rare skill set. Because of this, malware investigations frequently skip this phase and forgo a wealth of important information about the malware's makeup.