Malware Analysis Fundamentals


Introduction

Malware analysis is the art of understanding malicious software — its capabilities, behavior, origin, and impact. Analysts use a combination of static and dynamic techniques to dissect samples, extract indicators of compromise (IOCs), and develop detection signatures.

Static Analysis

Static analysis examines malware without executing it. It provides initial understanding and extracts metadata, strings, and structural information.

Basic Static Analysis




# File type identification


file suspicious.exe




# Extract strings


strings -n 8 suspicious.exe | head -50




# Check embedded hashes


sha256sum suspicious.exe




# PE header analysis with pefile


python3 -c "


import pefile


pe = pefile.PE('suspicious.exe')


print('Sections:')


for section in pe.sections:


print(f' {section.Name.decode():8} {hex(section.VirtualAddress):10} {hex(section.SizeOfRawData):10}')


print('Imported DLLs:')


for entry in pe.DIRECTORY_ENTRY_IMPORT:


print(f' {entry.dll.decode()}')


"








# Automated IOC extraction with pefile


import pefile, hashlib, yara




def extract_iocs(filepath):


pe = pefile.PE(filepath)


iocs = {


'sha256': hashlib.sha256(open(filepath, 'rb').read()).hexdigest(),


'imports': [imp.dll.decode() for imp in pe.DIRECTORY_ENTRY_IMPORT],


'sections': [


{s.Name.decode().strip('\x00'): hex(s.SizeOfRawData)}


for s in pe.sections


],


'compile_time': str(pe.FILE_HEADER.TimeDateStamp),


}




# Detect suspicious imports


suspicious_apis = {'CreateRemoteThread', 'WriteProcessMemory',


'VirtualAllocEx', 'CryptDecrypt'}


found = [api for api in suspicious_apis


if any(api in str(s.imports) for s in ...)]


if found:


iocs['suspicious_apis'] = found




return iocs





Dynamic Analysis

Dynamic analysis executes malware in a controlled environment to observe runtime behavior.




# Process monitor logging (using procmon-like tools)


strace -f -e trace=network,process,file -o malware.log ./sample.bin




# Network traffic capture


tcpdump -i eth0 -w malware.pcap host not analysis-server




# Registry and file system monitoring


inotifywait -rm /tmp /etc --format '%w%f %e' > filesystem_changes.log





Automated Sandboxing

Sandboxes automate dynamic analysis. They record API calls, network traffic, file system changes, and memory modifications.




# Cuckoo sandbox configuration


machinery:


virtualbox:


machines:


- label: win10_analysis


platform: windows


ip: 192.168.56.101




analysis:


time_limit: 120


network:


- dns_redirect: true


- http_redirect: all




reporting:


- module: analysis_json


- module: network_pcap


- module: screenshots





Python-based sandbox hooks:




# Monitor API calls via hooking


api_monitor = {


"kernel32.dll": {


"CreateProcess": {"args": [1, 2], "ret": 0},


"WinExec": {"args": [1], "ret": 0},


"VirtualProtect": {"args": [1, 2, 3], "ret": 0},


},


"ws2_32.dll": {


"connect": {"args": [1, 2], "ret": 0},


"send": {"args": [1, 2, 3], "ret": 0},


}


}





YARA Rules

YARA identifies and classifies malware based on textual or binary patterns. Well-written YARA rules are essential for threat detection and classification.




rule Win32_Ransomware_Generic {


meta:


description = "Generic ransomware detection"


author = "Security Team"


date = "2026-05-01"


hash = "a1b2c3d4..."




strings:


$encrypt_extension = /\.[a-zA-Z0-9]{3,6}$/


$ransom_note = /(README|DECRYPT|HOW_TO_RECOVER)/i


$shadow_copy_delete = /vssadmin|wmic shadowcopy|bcdedit/i


$encrypt_api = /CryptEncrypt|BCryptEncrypt|RSA_private_encrypt/




$s1 = "your files" nocase


$s2 = "bitcoin" nocase


$s3 = "decrypt" nocase




condition:


(uint16(0) == 0x5A4D) and // MZ header


($encrypt_extension) and


(2 of ($ransom_note*)) and


(1 of ($shadow_copy_delete*)) and


(2 of ($s1, $s2, $s3))


}




rule C2_Domain_Pattern_DGA {


strings:


$dga_pattern = /https?:\/\/([a-z]{8,25})\.(com|net|org)\//




condition:


$dga_pattern and filesize < 10KB


}





Analysis Workflow


* **Hash sample** and check against threat intelligence

2\. **Static analysis**: file type, strings, PE structure, embedded resources 3\. **Dynamic analysis**: run in sandbox, record behavior 4\. **Network analysis**: review PCAP for C2 traffic, data exfiltration 5\. **Code analysis**: disassemble or decompile critical functions 6\. **IOC extraction**: hashes, IPs, domains, registry keys, mutexes 7\. **Signature generation**: YARA rules, Snort/Suricata signatures

Conclusion

Malware analysis combines art and science. Static analysis provides quick insights, dynamic analysis reveals runtime behavior, and YARA enables detection automation. Master each technique and understand their limitations — sandbox evasion, packed binaries, and fileless malware require advanced approaches like memory forensics and behavioral analysis.