Mastering 4 Stages of Malware Analysis
Lenny Zeltser (https://zeltser.com/)
Fully-Automated Analysis
The easiest way to assess the nature of a suspicious file is to scan it
using fully-automated tools, some of which are available as
commercial products and some as free ones. These utilities are
designed to quickly assess what the specimen might do if it ran on a
system. They typically produce reports with details such as the registry
keys used by the malicious program, its mutex values, file activity,
network traffic, etc.
For a listing of free services and tools that can perform automated
analysis, see my lists of Toolkits for Automating Malware Analysis
(/malware-analysis-tool-frameworks/) and Automated Malware Analysis
Services (/automated-malware-analysis/).
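As an added example (not code from this post or from any of the tools and services it lists), the script below reduces the kind of report a fully-automated sandbox produces to the indicators an analyst reviews first: registry keys the sample modified under common autorun locations, mutex names, files it wrote, and the hosts it contacted. The report schema, the `summarize_report` function and the sample report are assumptions constructed for the demo; real services each use their own layout, so the accessors need adapting to the tool in use.

```python
"""Triage helper for the kind of report a fully-automated sandbox produces.

Added example, not code from the original post. The report layout below
(keys: registry, mutexes, files, network) is an assumption: real services
each use their own schema, so adapt the accessors to the tool you use.
"""
import json
import re
from urllib.parse import urlparse

# Registry locations commonly used for persistence; flag writes to them.
AUTORUN_KEY_PATTERNS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE),
    re.compile(r"\\CurrentVersion\\Winlogon\b", re.IGNORECASE),
    re.compile(r"\\Services\\[^\\]+$", re.IGNORECASE),
]

# Constructed sample report in the assumed schema (not real sandbox output).
SAMPLE_REPORT = json.dumps({
    "sha256": "<placeholder-hash>",
    "registry": [
        {"op": "set",
         "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
         "value": "C:\\Users\\victim\\AppData\\Roaming\\svc.exe"},
        {"op": "query",
         "key": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName"},
    ],
    "mutexes": ["Global\\example_mutex_1"],
    "files": [
        {"op": "write", "path": "C:\\Users\\victim\\AppData\\Roaming\\svc.exe"},
        {"op": "read", "path": "C:\\Windows\\System32\\kernel32.dll"},
    ],
    "network": [
        {"proto": "tcp", "dst": "203.0.113.10", "port": 443},
        {"proto": "http", "url": "http://example.net/gate.php"},
        {"proto": "dns", "query": "example.net"},
    ],
})


def summarize_report(report_json: str) -> dict:
    """Reduce a sandbox report to the indicators an analyst reviews first."""
    report = json.loads(report_json)

    # Only keys the sample *modified* matter for persistence; plain queries
    # (version checks, locale lookups) are noise at this stage.
    persistence = [
        e["key"] for e in report.get("registry", [])
        if e.get("op") == "set"
        and any(p.search(e["key"]) for p in AUTORUN_KEY_PATTERNS)
    ]

    # Files the sample created or overwrote are candidate dropped payloads.
    dropped = sorted({e["path"] for e in report.get("files", [])
                      if e.get("op") == "write"})

    # Collapse TCP destinations, HTTP hosts and DNS queries into one host list.
    hosts = set()
    for ev in report.get("network", []):
        if "dst" in ev:
            hosts.add(ev["dst"])
        if "url" in ev:
            hosts.add(urlparse(ev["url"]).hostname)
        if "query" in ev:
            hosts.add(ev["query"])

    return {
        "persistence_keys": persistence,
        "mutexes": sorted(report.get("mutexes", [])),
        "dropped_files": dropped,
        "network_hosts": sorted(h for h in hosts if h),
    }


if __name__ == "__main__":
    print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
```

The point of the reduction is that the raw report lists every registry and file operation, most of which any Windows program performs; restricting to writes under autorun locations and to files the sample created is what turns the report into something worth comparing against other specimens or feeding into detection content.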
static-properties-of-suspicious-files-on-windows) and Examining XOR
Obfuscation for Malware Analysis (http://digital-forensics.sans.org/blog/2013/05/14/tools-for-examining-xor-obfuscation-for-malware-analysis).
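As an added example of the XOR examination the linked post covers (not code from the post or from the tools it describes), the script below tries every single-byte XOR key against a blob and reports which keys expose a plaintext the analyst expects to find, such as a URL or the DOS-stub string of an embedded executable. Because XOR is its own inverse, the same routine that finds the key also decodes the data. The `find_xor_keys` and `xor_bytes` names and the obfuscated sample blob are constructed for the demo.

```python
"""Single-byte XOR key search, the idea behind tools such as XORSearch.

Added example, not code from the post or the tools it links to. Malware
often hides strings or an embedded payload behind a one-byte XOR key;
trying all 256 keys against a few plaintexts the analyst expects to see
recovers the key without any disassembly.
"""

# Plaintexts an analyst expects inside most Windows malware or its config:
# URL schemes, the DOS stub of an embedded PE, a commonly imported DLL.
DEFAULT_NEEDLES = [
    b"http://",
    b"https://",
    b"This program cannot be run in DOS mode",
    b"kernel32",
]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; applying it twice restores data."""
    return bytes(b ^ key for b in data)


def find_xor_keys(blob: bytes, needles=DEFAULT_NEEDLES):
    """Return (key, needle, offset) for every key that exposes a needle.

    Key 0 is skipped: it would mean the needle was already in clear text,
    which a plain strings(1) pass would have shown.
    """
    hits = []
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        for needle in needles:
            off = decoded.find(needle)
            if off != -1:
                hits.append((key, needle, off))
    return hits


# Constructed sample: a URL with null padding, obfuscated with key 0x5A.
SAMPLE_KEY = 0x5A
SAMPLE_BLOB = xor_bytes(
    b"\x00" * 8 + b"http://example.net/gate.php" + b"\x00" * 8, SAMPLE_KEY)

if __name__ == "__main__":
    for key, needle, off in find_xor_keys(SAMPLE_BLOB):
        print(f"key=0x{key:02x} needle={needle!r} offset={off}")
        print(xor_bytes(SAMPLE_BLOB, key).strip(b"\x00"))
```

On a real file, run `find_xor_keys` over the full contents and treat each hit as a lead: the key and offset tell you which region to decode and hand to the next stage (string extraction, or carving an embedded PE). Multi-byte keys need the same loop over each key length, and schemes that rotate the key per byte will not show up with this search at all, which is itself useful to know before spending time in a debugger.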
Reversing code can take a lot of time and requires a skill set that is
relatively rare. For this reason, many malware investigations don’t dig
into the code. However, knowing how to perform at least some code
reversing steps greatly increases the analyst’s view into the nature of
the malicious program in a comp
To get a sense for basic aspects of code-level reverse engineering in
the context of other malware analysis stages, tune into my recorded
webcast Introduction to Malware Analysis (/malware-analysis-webcast/).
For a closer look at manual code reversing, read Dennis
Yurichev's e-book Reverse Engineering for Beginners
(http://yurichev.com/writings/RE_for_beginners-en.pdf).
If you’re interested in this topic, check out the malware analysis course
(http://LearnREM.com/) I teach at SANS Institute. The pyramid
presented in this post is based on a similar diagram by Alissa Torres
(@sibertor (https://twitter.com/sibertor)). Also, Andrés Velázquez
(@cibercrimen (https://twitter.com/cibercrimen)) translated this article
into Spanish (http://digital-forensics.sans.org/blog/2014/07/29/etapas-del-analisis-de-malware).