Malware Analysis: How to Analyze and Understand Malware
written by John Hammond || Guest Author

This article was originally published in the InfoSec Survival Guide: Green Book. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.
Malware analysis is an amazing field that can be interesting, fun, and useful for your cybersecurity career. If you’re wondering WHY anyone would want to dig into malware, it’s all for a better understanding of cybersecurity! Whether you are on “the blue team” and wanting to track what real threat actors are up to, or on “the red team” and wanting to emulate adversaries and know how their payloads work… malware analysis is an incredibly valuable skill. There are many who want to get started but aren’t quite sure how. We’ve compiled a quick list of tools, tips, and advice to help you begin your journey!
Step 1: Set Up an Analysis Machine
You’ll need a safe environment to analyze malware, as you don’t want to accidentally infect your real system. Luckily, it’s super easy to set up an analysis machine for free.
Here are some starting recommendations for beginners:
- Virtualization Software (VirtualBox or VMware Workstation)
- A Windows ISO File (you can download these from Microsoft’s website)
- The FLARE VM Installation Script (which downloads all the analysis tools for you!)
- A REMnux OVA, the reverse engineering malware Linux distribution
Download VirtualBox or VMware Workstation, create a new virtual machine with your Windows ISO, and take a snapshot. I know it sounds crazy, because you haven’t done anything yet, but the best advice is to snapshot frequently so you can always roll back to a known good state. Fresh install? Take a snapshot.
Run the FLARE VM install PowerShell script on your Windows VM (and take a snapshot), and then be sure to lock down your VM settings by disabling networking and host access before starting to work with malware.
Step 2: Get Familiar With the Tools
The number of free analysis tools out there is amazing but also overwhelming. Luckily, you only need a few tools to get started. Here’s a short list of tools that are free, beginner-friendly, and well documented in the form of public content.
PeStudio
PeStudio is the ultimate tool for inspecting binary files. It tells you everything prior to the file's execution, including strings, imported functions, entropy, and more. PeStudio is your best friend to begin analysis and inspect a suspicious binary file.
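To show the kind of pre-execution signal PeStudio surfaces, here is an added example that is not from the article or from PeStudio: a small Python static-triage script that pulls printable strings and flags high-entropy (packed- or encrypted-looking) regions. It runs on a constructed byte buffer embedded below, not a real sample.

```python
import math
import random
import re
from collections import Counter

# Constructed sample (not a real binary): a short readable region, then 4 KiB of
# seeded pseudo-random bytes standing in for a packed or encrypted payload.
_rng = random.Random(1337)
SAMPLE = (
    b"This program cannot be run in DOS mode.\x00\x00"
    b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    + bytes(_rng.getrandbits(8) for _ in range(4096))
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII at least min_len long, like PeStudio's strings view."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def chunk_entropy(data: bytes, chunk: int = 1024) -> list[tuple[int, float]]:
    """Entropy per fixed-size chunk, so one packed region is not averaged away."""
    return [(off, shannon_entropy(data[off:off + chunk]))
            for off in range(0, len(data), chunk)]


def triage(data: bytes, threshold: float = 7.0) -> dict:
    """Summarise what a static look at the bytes says before running anything."""
    per_chunk = chunk_entropy(data)
    return {
        "overall_entropy": round(shannon_entropy(data), 2),
        "high_entropy_offsets": [off for off, e in per_chunk if e > threshold],
        "suspect_packed": any(e > threshold for _, e in per_chunk),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("overall entropy:", report["overall_entropy"])
    print("high-entropy chunks at offsets:", report["high_entropy_offsets"])
    for s in report["strings"][:5]:
        print("string:", s)
```

Real files will also produce junk strings from the random-looking regions; that is normal and is why a tool like PeStudio lets you sort and filter them.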
Process Hacker 2
Process Hacker 2 is like Task Manager on steroids. This tool allows you to easily view running processes, commands, strings, and memory regions.
Procmon
Procmon lets you see the different operations that a program performs during execution. Procmon captures everything from executed commands to registry changes and new files created during a program’s runtime.
CyberChef
CyberChef is the Swiss Army Knife of script analysis and deobfuscation. It’s a giant toolset of every operation and action that you might ever need to deobfuscate data.
DnSpy
DnSpy is for debugging and decompiling .NET malware. DnSpy can take a binary file and instantly provide the original source code for you to analyze. Many infostealers and RATs are written in .NET, so this is the perfect tool for analyzing them.
Honorable Mentions
These tools are super useful to know but can get a bit advanced for beginners. Keep these in mind, but don’t get caught up on them early on: x64dbg, windbg, Ghidra, IDA, or Binary Ninja.
Step 3: Find Some Malware
To begin doing malware analysis, you’ll need some actual malware to analyze. Here are some great resources for finding samples:
- Malware Bazaar
- Malshare
This can be a little overwhelming because it is a big data dump and feed of malware just being archived and cataloged… but honestly, just search for either a “type of malware” or a strain or variant that sounds interesting to you, or follow along with some other writeups and reports online!
Step 4: Learning Resources
Analyzing malware without any helpful resources can make you feel completely lost. Here are some great resources to get started and give some inspiration as to what to do when:
- Practical Malware Analysis (Book)
- Practical Malware Analysis & Triage (PMAT) Course
- John Hammond (YouTube)
- Jai Minton (YouTube, Website)
Step 5: Practice, Practice, Practice!
Sharpening malware analysis skills takes time and dedication… you may find you’ll need to practice for days, weeks, months, or even years to stockpile your strengths and build confidence.
Keep learning, keep practicing, and don’t give up! If you stay active in the community (on Twitter, Discord, Reddit, blogs, etc.) and engage with other learners and researchers, you all improve together.
Many others have been on this same journey and are often happy to help and answer questions. Never be afraid to ask for help and offer help to others!

