Malware Analysis
"Know thy enemy's code."
1. Static Analysis (Safe)
Looking at the file without running it.
- Strings: strings evil.exe. Look for IPs, URLs, PDB paths (developer debug info), or error messages.
- PE Headers: Check the Import Address Table (IAT).
  - Suspicious: A "Calculator" app importing InternetOpenUrl (outbound connection) or VirtualAlloc (memory injection).
  - Packed Malware: A small IAT (only GetProcAddress and LoadLibrary) usually indicates the file is "packed" (compressed/encrypted) and will unpack itself in memory.
- Hashes: Submit MD5/SHA256 to VirusTotal.
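The static-triage steps above (hashes, strings, IAT review, packing heuristic) as one added Python script; this is example code, not from the original notes. The sample bytes are constructed, and the API-to-capability groupings and the loader-only packing rule are my own choices.

```python
import hashlib
import re

# Constructed bytes standing in for a binary's raw contents (not a real sample).
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00" b"http://203.0.113.7/gate.php\x00"
    b"C:\\Users\\dev\\src\\loader\\Release\\loader.pdb\x00"
    b"192.0.2.44\x00" b"ab\x00" b"Failed to open registry key\x00"
)

# Win32 API names grouped by the capability they hint at (groupings chosen here).
SUSPICIOUS = {
    "network": {"InternetOpenUrlA", "InternetOpenUrlW", "URLDownloadToFileA", "WinHttpOpen"},
    "injection": {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "CreateServiceA"},
}
LOADER_ONLY = {"getprocaddress", "loadlibrarya", "loadlibraryw", "loadlibrary"}

def file_hashes(data):
    """MD5 and SHA-256 of the raw bytes, ready to look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def ascii_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long, like `strings -n 4`."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_strings(strs):
    """Pick out the indicators the notes say to look for: IPs, URLs, PDB paths."""
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    found = {"ips": set(), "urls": [], "pdb_paths": []}
    for s in strs:
        found["ips"].update(ip_re.findall(s))
        if re.match(r"https?://", s, re.I):
            found["urls"].append(s)
        if s.lower().endswith(".pdb"):
            found["pdb_paths"].append(s)
    return found

def triage_imports(imports):
    """Flag capability hints in the IAT, and the tiny loader-only IAT that signals packing."""
    hits = {cat: sorted(set(imports) & names) for cat, names in SUSPICIOUS.items()}
    lowered = {name.lower() for name in imports}
    packed = bool(lowered) and lowered <= LOADER_ONLY
    return {"hits": {k: v for k, v in hits.items() if v}, "likely_packed": packed}

if __name__ == "__main__":
    print(file_hashes(SAMPLE_BYTES))
    print(classify_strings(ascii_strings(SAMPLE_BYTES)))
    print(triage_imports(["GetProcAddress", "LoadLibraryA"]))  # loader-only IAT
```

On a real file, feed `open(path, "rb").read()` to the string and hash functions and the import names from a PE parser (for example pefile) to `triage_imports`.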
2. Dynamic Analysis (Dangerous)
Running the malware in a controlled Sandbox.
- Tools: Any.Run, Cuckoo Sandbox, Flare VM.
- Observation:
- What files does it create?
- What DNS requests does it make?
- What Registry keys does it set (Persistence)?
3. Advanced: Reverse Engineering
Decompiling the code to assembly/C.
- Tools: Ghidra (NSA tool), IDA Pro.
- Goal: Understand the encryption algorithm used by Ransomware or find the "Kill Switch".