# Malware Analysis: Static and Dynamic Techniques
You're handed an unknown executable. Maybe it came from a phishing email, maybe it was found on a compromised host. The question: what does it do?
Malware analysis answers that question. There are two approaches: static analysis (studying the file without running it) and dynamic analysis (running it in a controlled environment and observing behaviour). In practice, you use both.
## Lab setup
Never run malware on a production machine or your host OS.
Recommended setup:
- REMnux (Linux) — preloaded with analysis tools, runs safely
- FlareVM (Windows) — FLARE team's Windows analysis VM with 100+ tools
- Isolated network — VMs on host-only networking, no internet access unless you're intentionally letting malware beacon out
```bash
# REMnux setup
curl -L https://remnux.org/remnux-cli | bash

# Snapshot your VMs before any analysis — restore from snapshot after each sample
```

## Phase 1: Safe initial triage
Before anything else, collect basic information without executing the file.
```bash
# File type (don't trust the extension)
file malware.exe
# PE32 executable (GUI) Intel 80386, for MS Windows

# Cryptographic hashes — search these on VirusTotal
md5sum malware.exe
sha256sum malware.exe

# VirusTotal lookup via API
curl -s "https://www.virustotal.com/api/v3/files/$(sha256sum malware.exe | cut -d' ' -f1)" \
  -H "x-apikey: YOUR_VT_KEY" | jq '.data.attributes.last_analysis_stats'

# File entropy — high entropy (>7.0) suggests packing/encryption
python3 -c "
import math
data = open('malware.exe','rb').read()
freq = [0]*256
for b in data: freq[b] += 1
n = len(data)
entropy = -sum((c/n)*math.log2(c/n) for c in freq if c)
print(f'Entropy: {entropy:.2f}')
"
```

## Phase 2: Static analysis
### Strings
The fastest single command in malware analysis:
```bash
strings malware.exe | less

# Interesting patterns to grep for:
strings malware.exe | grep -iE "(http|https|ftp)://"                                   # C2 URLs
strings malware.exe | grep -iE "\b[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\b"   # IPs
strings malware.exe | grep -iE "(powershell|cmd\.exe|regsvr32|mshta|wscript|cscript)"
strings malware.exe | grep -iE "(password|passwd|cred|login|token|key)"
strings malware.exe | grep -iE '(registry|HKEY|SOFTWARE\\)'   # single quotes so grep sees the escaped backslash
strings malware.exe | grep -iE "\.(bat|ps1|vbs|js|hta)$"

# Unicode strings (many modern samples use wide chars)
strings -e l malware.exe   # little-endian UTF-16
```
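The greps above folded into one script, as an added example that is not part of the original page: it runs equivalent regexes over `strings` output and prints the hits defanged (hxxp://, [.]) so the report cannot be clicked by accident. The sample strings are constructed, and the patterns are this example's own approximations of the grep lines.

```python
import re

# Regexes approximating the grep patterns above (this example's own versions).
PATTERNS = {
    "url": re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "lolbin": re.compile(r"\b(?:powershell|cmd\.exe|regsvr32|mshta|wscript|cscript)\b", re.I),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[^\s\"]+", re.I),
    "script": re.compile(r"\S+\.(?:bat|ps1|vbs|js|hta)\b", re.I),
}

def defang(value):
    """Make a URL or IP safe to paste into a report: http -> hxxp, . -> [.]"""
    return re.sub(r"^http", "hxxp", value, flags=re.I).replace(".", "[.]")

def extract_iocs(lines):
    """lines: iterable of strings (e.g. the output of `strings malware.exe`).
    Returns {kind: sorted unique matches}; URLs and IPs come back defanged."""
    found = {}
    for line in lines:
        for kind, pattern in PATTERNS.items():
            for match in pattern.findall(line):
                if kind == "ipv4" and any(int(o) > 255 for o in match.split(".")):
                    continue  # 999.1.1.1 is a version string, not an address
                if kind in ("url", "ipv4"):
                    match = defang(match)
                found.setdefault(kind, set()).add(match)
    return {kind: sorted(values) for kind, values in found.items()}

# Constructed `strings` output standing in for a real sample.
SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
http://evil-domain.ru/api/submit
Mozilla/5.0 (compatible; MSIE 9.0)
185.234.1.2
999.1.1.1
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
powershell -enc
%TEMP%\\update.ps1
""".splitlines()

if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_STRINGS
    for kind, values in extract_iocs(lines).items():
        print(f"[{kind}]")
        for value in values:
            print(f"  {value}")
```

Run it as `strings -a malware.exe > out.txt && python3 iocs.py out.txt`; without an argument it uses the constructed sample.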
### PE header analysis

```bash
# PE structure overview
pecheck malware.exe   # REMnux tool
pedump malware.exe

# With Python:
pip install pefile
python3 << 'EOF'
import pefile
pe = pefile.PE('malware.exe')
# Imports — what Windows APIs does it call?
for imp in pe.DIRECTORY_ENTRY_IMPORT:
    print(f"\n{imp.dll.decode()}")
    for func in imp.imports:
        if func.name:
            print(f"  {func.name.decode()}")
EOF
```

Suspicious imports — what they indicate:
| API | What it suggests |
|---|---|
| VirtualAlloc / VirtualProtect | Code injection, shellcode |
| CreateRemoteThread / WriteProcessMemory | Process injection |
| OpenProcess | Access to other processes |
| RegOpenKeyEx / RegSetValueEx | Registry persistence |
| CreateService / StartService | Service-based persistence |
| WinInet / WinHTTP / socket | Network communication |
| CryptEncrypt / CryptGenKey | Encryption (ransomware) |
| FindFirstFile / FindNextFile | File enumeration (ransomware, data theft) |
| GetProcAddress / LoadLibrary | Dynamic API resolution (evasion) |
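The table above as a triage script, added here as an example that is not from the original page: it scores a sample's import list against these categories so the interesting imports surface first. The category list and the A/W/Ex suffix matching are this example's own heuristic, the `load_imports` helper assumes pefile is installed, and the sample import list is constructed.

```python
import re

# Heuristic categories from the table above (this example's own list, not an
# authoritative one); each bare name also matches its A/W and Ex variants.
SUSPICIOUS_IMPORTS = {
    "code injection / shellcode": ["VirtualAlloc", "VirtualProtect"],
    "process injection": ["CreateRemoteThread", "WriteProcessMemory", "OpenProcess"],
    "registry persistence": ["RegOpenKey", "RegSetValue", "RegCreateKey"],
    "service persistence": ["CreateService", "StartService"],
    "network": ["InternetOpenUrl", "HttpSendRequest", "WinHttpOpen", "socket", "connect"],
    "encryption (ransomware?)": ["CryptEncrypt", "CryptGenKey"],
    "file enumeration": ["FindFirstFile", "FindNextFile"],
    "dynamic API resolution (evasion)": ["GetProcAddress", "LoadLibrary"],
}

def classify_imports(imports):
    """imports: iterable of (dll, function) pairs, e.g. from load_imports().
    Returns {category: sorted 'dll!Function' hits}; {} means nothing matched."""
    hits = {}
    for dll, func in imports:
        for category, names in SUSPICIOUS_IMPORTS.items():
            if any(re.fullmatch(name + r"(Ex)?[AW]?", func) for name in names):
                hits.setdefault(category, set()).add(f"{dll.lower()}!{func}")
    return {cat: sorted(funcs) for cat, funcs in hits.items()}

def load_imports(path):
    """Read (dll, function) pairs from a real PE with pefile (pip install pefile)."""
    import pefile  # third-party; only imported when a real file is analysed
    pe = pefile.PE(path)
    return [(entry.dll.decode(), imp.name.decode())
            for entry in getattr(pe, "DIRECTORY_ENTRY_IMPORT", [])
            for imp in entry.imports if imp.name]

# Constructed import list standing in for load_imports() on a real sample.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "VirtualAllocEx"),
    ("KERNEL32.dll", "WriteProcessMemory"),
    ("KERNEL32.dll", "CreateRemoteThread"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetLastError"),
    ("ADVAPI32.dll", "RegSetValueExW"),
    ("WININET.dll", "InternetOpenUrlW"),
]

if __name__ == "__main__":
    import sys
    imports = load_imports(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_IMPORTS
    for category, funcs in classify_imports(imports).items():
        print(f"{category}: {', '.join(funcs)}")
```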
### Sections and packing detection
```bash
python3 << 'EOF'
import pefile
pe = pefile.PE('malware.exe')
for section in pe.sections:
    name = section.Name.decode().rstrip('\x00')
    print(f"{name:10} | VSize: {section.Misc_VirtualSize:#010x} | RawSize: {section.SizeOfRawData:#010x} | Entropy: {section.get_entropy():.2f}")
EOF
```

Normal executables have section names like .text, .data, .rdata, .rsrc. High entropy in .text (>7.0) or unusual section names (.packed, random strings) indicate packing.
Identify packers:
```bash
# YARA rules for common packers
yara /usr/share/yara-rules/packers.yar malware.exe

# PEiD / Detect-It-Easy
die malware.exe
```

## Phase 3: Dynamic analysis
### Automated sandbox
Before manual dynamic analysis, run the sample in a sandbox for a quick overview:
- Any.run — interactive sandbox, watch execution in real time
- Cuckoo Sandbox — self-hosted, full network capture and API logging
- VirusTotal — runs in multiple AVs, but doesn't give a detailed behaviour report
- Joe Sandbox — commercial but has a free community tier
### Manual dynamic analysis on Windows VM
Tools to run before executing the sample:
1. Procmon (Process Monitor) — logs all file, registry, network activity
   Filter: Include Process Name contains "malware.exe"
2. Wireshark — capture network traffic
   Filter: ip.addr == <your_vm_ip>
3. Autoruns — snapshot before and after
   (Compare: File → Save, run sample, load new snapshot → diff)
4. Regshot — snapshot registry before/after
Execute and observe:
```bat
:: Windows - run and watch what happens
malware.exe

:: Useful commands during analysis
:: (comments on their own lines: an inline :: after a command is passed to it as an argument)
:: network connections with process names
netstat -anob
:: running processes
tasklist /v
:: services
sc query
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
:: check common drop locations
dir /a %APPDATA%
dir /a %TEMP%
:: recently modified system files
dir /a /od C:\Windows\System32
```

### API tracing with Frida (dynamic instrumentation)
```javascript
// Frida script: trace common malware APIs
// frida -l trace.js -f malware.exe --no-pause
const apis = [
  ['kernel32.dll', 'CreateFileW'],
  ['kernel32.dll', 'WriteFile'],
  ['kernel32.dll', 'VirtualAlloc'],
  ['kernel32.dll', 'CreateRemoteThread'],
  ['advapi32.dll', 'RegSetValueExW'],
  ['wininet.dll', 'InternetOpenUrlW'],
];

apis.forEach(([mod, fn]) => {
  const addr = Module.findExportByName(mod, fn);
  if (addr) {
    Interceptor.attach(addr, {
      onEnter(args) {
        console.log(`[+] ${fn}(${args[0]}, ${args[1]})`);
      }
    });
  }
});
```

```bash
frida -l trace.js --file malware.exe --no-pause
```

## Phase 4: Unpacking
Packed malware decrypts/decompresses itself in memory then jumps to the real payload. To analyse the payload, you need to dump it after unpacking.
**Method 1: Memory dump after OEP (Original Entry Point)**

In x64dbg:

1. Run to OEP (set BP on GetProcAddress or use OEP finder plugin)
2. When real code is running: Scylla plugin → "IAT Autosearch" → "Dump"
3. Fix imports with "Fix Dump"

**Method 2: Automated with Speakeasy or Pe-sieve**

```bash
# pe-sieve: scan running process for injected code, dump
pe-sieve64.exe /pid 1234 /dump 3

# hollows_hunter: find and dump process hollowing
hollows_hunter64.exe /pid 1234
```

## IOC extraction
After analysis, document indicators for detection:
```markdown
## Sample IOCs

**Hashes:**
- MD5: d41d8cd98f00b204e9800998ecf8427e
- SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

**Network:**
- C2: evil-domain.ru (185.234.xxx.xxx)
- User-Agent: Mozilla/5.0 (compatible; MSIE 9.0)
- HTTP POST to /api/submit every 5 minutes

**Files dropped:**
- %APPDATA%\Microsoft\Windows\svchost.exe
- %TEMP%\update.ps1

**Registry persistence:**
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemUpdate = "%APPDATA%\Microsoft\Windows\svchost.exe"

**Mutexes (prevent double execution):**
- Global\zGlobal_Mutex_12345
```

## YARA rule writing
Write YARA rules to detect the sample (and variants) at scale:
```yara
rule SuspiciousMalwareSample {
    meta:
        description = "Detects sample from 2025-11 phishing campaign"
        author = "SovietGhost"
        hash = "abc123..."
    strings:
        $c2 = "evil-domain.ru" ascii wide
        $mutex = "zGlobal_Mutex" ascii wide
        $dropper_path = "%APPDATA%\\Microsoft\\Windows\\svchost.exe" ascii wide nocase
        $ua = "MSIE 9.0" ascii
    condition:
        uint16(0) == 0x5A4D and   // MZ header
        filesize < 2MB and
        2 of ($c2, $mutex, $dropper_path, $ua)
}
```

```bash
# Test the rule
yara -r malware_rule.yar /suspect/directory/
```

## Reference
| Resource | What it is |
|---|---|
| Malware Traffic Analysis (malware-traffic-analysis.net) | PCAP exercises with real samples |
| MalwareBazaar | Public malware sample database |
| VirusTotal | Multi-AV scanning + basic behaviour |
| Hybrid Analysis | Free sandbox with detailed reports |
| The Art of Memory Forensics | Book — best deep-dive on memory analysis |
| Practical Malware Analysis | Book — the standard reference |
Malware analysis is a skill built by repetition. Pick a sample from MalwareBazaar, work through the phases, and write up your findings. After ten samples, the patterns become obvious.