Set up a lab that allows you to experiment with malware in an isolated, controlled environment. I shared my recommendations for doing this in the blog post 5 Steps to Building a Malware Analysis Toolkit Using Free Tools. You can use virtualization software to set up Windows and Linux systems to facilitate your analysis.
The following Introduction to Malware Analysis video might feel a bit dated, but is worth your attention. It offers another set of steps (and a malware sample) you can recreate in your lab. Moreover, it provides a glimpse at how you can analyze code dynamically by running the specimen in a debugger. In this demo, I used the now-outdated debugger OllyDbg, but this approach applies to the modern x64dbg alternative:
Malware Analysis Video Tutorial for Beginners
As this video shows, you can start dynamic code analysis of a Windows executable by setting breakpoints on risky API calls inside a debugger. This can bring you to the code worth examining, at which point you can begin figuring out the logic of the malicious assembly instructions. I listed some API calls worth considering in the Reverse-Engineering Malicious Code cheat sheet. The tool FLOSS, mentioned earlier, can also help with spotting them.
To deepen your understanding of code-level analysis, start experimenting with reviewing malicious code statically, without running it in a debugger. You can do this using Ghidra, which includes a disassembler and decompiler. For an introduction to this powerful tool, see the Code Analysis With Ghidra video by Anuj Soni, and review his accompanying blog post:
Wireshark is a tool used to review packet captures (pcaps) of network activity. Since 2018, I have written various Wireshark tutorials and conducted in-person workshops at conferences across the globe. My in-person workshops were designed to help people in information security roles use Wireshark to review traffic from Windows-based malware infections.
Since early 2020, travel restrictions due to COVID-19 (the coronavirus) have halted these in-person workshops. Due to this setback, we want to announce an initial series of video tutorials developed to replicate most aspects of these formerly in-person workshops.
As the opportunity arises, I will create more Wireshark Workshop videos. Future videos will focus on traffic from specific families of Windows-based malware, and some will cover traffic from other malicious activities like phishing websites.
This blog announced an initial series of five video tutorials for a Unit 42 Wireshark Workshop. These videos are designed to help people use Wireshark to review traffic from Windows-based malware infections. Combined with Wireshark tutorials already published by Palo Alto Networks Unit 42, these videos can help security professionals build their skills in analyzing malicious traffic caused by Windows-based malware.
2 Hours of Video Instruction

2 hours of introductory training covering key malware and incident response concepts

Overview: Threats, viruses, and attacks are unavoidable, and as a cybersecurity professional you will need to understand how to analyze these threats. With 2 hours of video training, Malware and Incident Response LiveLessons provides learners with an understanding of basic malware analysis and how to respond to incidents when they happen. Learners will also explore the basics of how malware works and how to set up a safe environment to analyze malware in a lab. This course is meant to be an introduction to simple tools and techniques for those new to cyber security.

Malware and Incident Response LiveLessons is taught by expert trainer, author and cybersecurity expert Aamir Lakhani. Using hands-on demos, in-depth discussions and lightboard work to teach cyber security fundamentals, this video course teaches you cybersecurity best practices in a way that is easy to access and implement in real-world situations.

Topics include:
Malware analysis is a common component in the incident response process. Once malware has been identified on a system, it is often useful to investigate and learn more about its specific functionality.
Hex editors are some of the simplest of malware analysis tools, but they can also be extremely useful. A hex editor like HxD is designed to show both the raw hexadecimal representation of a file and the ASCII interpretation.
When most people think of malware analysis tools, they think of disassemblers. These tools are designed to help with static code analysis by translating machine code into assembly instructions, which are more human-readable. Disassemblers can also come with decompilers, which attempt to reconstruct source-like code from the binary; however, these are often more expensive and less reliable.
OllyDbg is a commonly used debugger for the Windows operating system with a wide range of features. WinDbg is another Windows-based debugger. Its main selling point is the fact that it can be used for kernel-mode debugging. On Linux, the most popular debugger for malware analysis is the GNU debugger (gdb).
While debuggers are useful for performing dynamic malware analysis, they run the malware directly on the target system. If the analyst is using a disposable virtual machine, this may be fine, but otherwise it can be a problem.
Sandboxes are designed to run malware in an isolated environment to prevent it from breaking free and infecting the host machine or other devices. Sandboxes also commonly include a great deal of instrumentation designed to observe the execution of the malware and draw conclusions from it. Running malware in a sandbox is often a good starting point for malware analysis, as it requires minimal hands-on interaction from the analyst and provides a great deal of information about the sample.
A variety of different malware analysis sandboxes exist, including Cuckoo Sandbox, Falcon Sandbox, Joe Sandbox and many others. Each one has its own benefits that balance cost with the set of available features.
Malware analysis can seem like a daunting task. Trying to figure out what a compiled executable does is a lot different from reading through some source code. Many malware samples are specifically designed to defy easy analysis.
Howard Poston is a cybersecurity researcher with a background in blockchain, cryptography and malware analysis. He has a master's degree in Cyber Operations from the Air Force Institute of Technology and two years of experience in cybersecurity research and development at Sandia National Labs. He currently works as a freelance consultant providing training and content creation for cyber and blockchain security.
However, since static analysis does not actually run the code, sophisticated malware can include malicious runtime behavior that goes undetected. For example, if a program builds a string at runtime and then downloads a malicious file from the location that string names, basic static analysis may never see that behavior. Enterprises have turned to dynamic analysis for a more complete understanding of the behavior of the file.
Dynamic malware analysis executes suspected malicious code in a safe environment called a sandbox. This closed system enables security professionals to watch the malware in action without the risk of letting it infect their system or escape into the enterprise network.
Adversaries are employing more sophisticated techniques to avoid traditional detection mechanisms. By providing deep behavioral analysis and by identifying shared code, malicious functionality or infrastructure, threats can be more effectively detected. In addition, an output of malware analysis is the extraction of IOCs. The IOCs may then be fed into SIEMs, threat intelligence platforms (TIPs) and security orchestration tools to aid in alerting teams to related threats in the future.
The goal of the incident response (IR) team is to provide root cause analysis, determine impact and succeed in remediation and recovery. The malware analysis process aids in the efficiency and effectiveness of this effort.
Static properties include strings embedded in the malware code, header details, hashes, metadata, embedded resources, etc. This type of data may be all that is needed to create IOCs, and it can be acquired very quickly because there is no need to run the program in order to see it. Insights gathered during the static properties analysis can indicate whether a deeper investigation using more comprehensive techniques is necessary and determine which steps should be taken next.
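The following script is an added example (not code from any of the sources quoted on this page) that carries out the static-properties pass described above, and the hex-editor view from the earlier tool overview, on a constructed byte blob: a hex/ASCII dump, file hashes, printable strings, and a walk from the DOS header to the COFF header to confirm the file is a PE and read its basic fields. The sample bytes and the string values in it are constructed for illustration; it is not a real executable.

```python
import hashlib
import re
import struct

# Constructed sample: a minimal MZ/PE header followed by a few embedded strings.
# It is NOT a real executable; it is only enough to exercise the triage steps.
SAMPLE = (
    b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)     # DOS header, e_lfanew = 0x40
    + b"PE\x00\x00"                                      # PE signature at offset 0x40
    + struct.pack("<HHIIIHH", 0x8664, 3, 0x5F5E1000, 0, 0, 240, 0x22)  # COFF file header
    + b"\x00" * 16
    + b"http://example.invalid/stage2.bin\x00"           # constructed URL string
    + b"URLDownloadToFileA\x00"                          # constructed API-name string
    + b"\x01\x02\x03"
)

def hexdump(data, width=16):
    """Render bytes the way a hex editor shows them: offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3}} {asc}")
    return lines

def hashes(data):
    """MD5/SHA-1/SHA-256 of the whole file; these are the simplest IOCs to share."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes (what the `strings` tool reports)."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def pe_header(data):
    """Follow e_lfanew from the DOS header to the COFF header; return None if not a PE."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsect, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsect, "timestamp": ts,
            "optional_header_size": opt_size, "characteristics": hex(chars)}

if __name__ == "__main__":
    print("\n".join(hexdump(SAMPLE)[:4]))
    print(hashes(SAMPLE)["sha256"], strings(SAMPLE), pe_header(SAMPLE), sep="\n")
```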