GitHub: orgito1015/The-Art-of-Malware-Analysis
# Malware Analysis
A curated collection of malware analysis tools, techniques, and references.

## Contents
- [Types of Malware Attacks](#types-of-malware-attacks)
- [Malware Analysis Process](#malware-analysis-process)
- [Tools](#tools)
- [Useful Languages](#useful-languages)
- [Useful Tools](#useful-tools)
- [Malicious Windows API](#malicious-windows-api)
- [Tips](#tips)
- [Books](#books)
- [References](#references)
## Types of Malware Attacks
| Type | Description | Example |
| --- | --- | --- |
| Ransomware | Blocks access to data until a ransom is paid | Ryuk |
| Fileless Malware | Operates using native OS components instead of traditional files | Astaroth |
| Spyware | Collects user activity data without consent | DarkHotel |
| Adware | Displays unwanted advertisements | Fireball |
| Trojans | Disguises itself as legitimate software | Emotet |
| Worms | Spreads across systems by replicating itself | Stuxnet |
| Rootkits | Hides malicious activity and can provide remote control | Zacinlo |
| Keyloggers | Records user keystrokes | Olympic Vision |
| Bots | Uses infected systems for coordinated attacks | Echobot |
| Mobile Malware | Targets mobile devices | Triada |
## Malware Analysis Process
- **Static analysis**: Examines a file without executing it. For Windows binaries, Portable Executable (PE) metadata helps identify structure, imports, sections, and embedded resources.
- **Dynamic analysis**: Observes behavior while the sample runs in a controlled environment, including registry changes, file activity, API calls, loaded DLLs, and mutex creation.
- **Code analysis**: Uses debugging, disassembly, and decompilation to understand program logic and uncover malicious routines.
- **Memory analysis**: Reviews memory captures to identify running processes, hidden artifacts, injected code, and encryption material.
## Tools
### Static Analysis
- [PeStudio](https://www.winitor.com/download/) - Static analysis for Windows executables.
- [CFF Explorer](http://www.ntcore.com/exsuite.php) - PE inspection for imports, exports, sections, and packers.
### Dynamic Analysis
- [Process Hacker](https://processhacker.sourceforge.io/) - System resource monitoring.
- [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) - File, registry, and process monitoring.
- [RegShot](https://sourceforge.net/projects/regshot/) - Registry snapshot comparison.
- [ProcDot](http://www.procdot.com/) - Visual analysis of process behavior.
### Code Analysis
- Disassembler: [IDA](https://www.hex-rays.com/products/ida/index.shtml)
- Decompiler: [IDA Pro](https://www.hex-rays.com/products/ida/index.shtml)
- Debuggers:
  - [x64dbg](https://github.com/x64dbg/) - Open-source x64/x32 debugger for Windows.
  - [WinDbg](https://developer.microsoft.com/en-us/windows/hardware/download-windbg) - Microsoft Windows debugger.
### Memory Forensics
- Acquisition: [Comae-Toolkit](https://github.com/Crypt2Shell/Comae-Toolkit) - Use DumpIt.exe to capture memory.
- Analysis: [Volatility](https://github.com/volatilityfoundation/volatility) - Memory forensics framework.
### Online Scanners and Sandboxes
- [Cuckoo Sandbox](https://cuckoosandbox.org/) - Open-source automated sandbox.
- [VirusTotal](https://www.virustotal.com/) - File and URL scanning service.
- [Noriben](https://github.com/Rurik/Noriben) - Python script that drives Procmon to produce a sandbox-style behavior report.
- [Intezer Analyze](https://analyze.intezer.com/) - Malware detection and analysis platform.
### Network
- [Wireshark](https://www.wireshark.org/) - Network traffic analysis.
### Android
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) - Mobile Security Framework for Android, iOS, and Windows analysis.
### Service Emulation
- [INetSim](http://www.inetsim.org/) - Network service emulation for malware labs.
- [FakeNet](https://sourceforge.net/projects/fakenet/) - Windows network simulation tool.
## Useful Languages
- Python
- C++
- Assembly
## Useful Tools
- [YARA](https://github.com/VirusTotal/yara)
- [Python 3.8.0](https://www.python.org/downloads/release/python-380/) - Required for ret-sync and IDA modules.
- [yara-python](https://pypi.org/project/yara-python/) - Required for IDA integration.
- [ret-sync](https://github.com/bootleg/ret-sync) - Synchronizes debugging sessions with disassemblers.
## Malicious Windows API
### Downloader
- `URLDownloadToFile`
- `ShellExecute`
### Dropper
- `FindResource`
- `LoadResource`
- `LockResource`
- `SizeofResource`
### Keylogger
- `GetKeyState`
- `GetAsyncKeyState`
- `SetWindowsHook`
### C2 Communication
- `InternetOpenUrlA`
- `socket`
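As an added example (not part of this list or the project), a small Python triage that tags a PE's import table with the capability families above and demotes a lone resource-API import to no dropper tag; the A/W/Ex suffix normalization, the `ordinal:N` input convention and the `LoadLibrary`/`GetProcAddress` dynamic-resolution hint are assumptions not taken from the list.

```python
import re
from collections import defaultdict

# API families from the list above, matched after stripping A/W/Ex suffixes.
CAPABILITIES = {
    "downloader": {"URLDownloadToFile", "ShellExecute"},
    "dropper": {"FindResource", "LoadResource", "LockResource", "SizeofResource"},
    "keylogger": {"GetKeyState", "GetAsyncKeyState", "SetWindowsHook"},
    "c2": {"InternetOpenUrl", "socket"},
}
# Assumption (not from the list above): the usual pair for resolving APIs at runtime.
DYNAMIC_RESOLVERS = {"LoadLibrary", "GetProcAddress"}

def normalize(name):
    """Strip ANSI/Unicode and Ex suffixes: 'SetWindowsHookExA' -> 'SetWindowsHook'."""
    return re.sub(r"(Ex)?[AW]?$", "", name)

def triage(imports):
    """imports maps a DLL name to its imported names; ordinal-only entries are
    written as 'ordinal:N' and are counted but cannot be matched by name."""
    hits = defaultdict(set)
    named = ordinals = 0
    for dll, names in imports.items():
        for name in names:
            if name.startswith("ordinal:"):
                ordinals += 1
                continue
            named += 1
            base = normalize(name)
            for cap, family in CAPABILITIES.items():
                if base in family:
                    hits[cap].add(f"{dll.lower()}!{name}")
            if base in DYNAMIC_RESOLVERS:
                hits["dynamic-resolution"].add(f"{dll.lower()}!{name}")
    # A dropper tag needs the whole resource-extraction chain, not a lone import.
    found = {normalize(h.split("!", 1)[1]) for h in hits.get("dropper", ())}
    if found != CAPABILITIES["dropper"]:
        hits.pop("dropper", None)
    report = {cap: sorted(v) for cap, v in hits.items()}
    report["ordinal_only_imports"] = ordinals
    # Few named imports beside a resolver: expect the rest to be resolved at runtime.
    report["sparse_imports"] = named < 10 and "dynamic-resolution" in hits
    return report

SAMPLE = {  # constructed sample import table, not taken from any real file
    "urlmon.dll": ["URLDownloadToFileA"],
    "user32.dll": ["SetWindowsHookExA", "GetAsyncKeyState"],
    "kernel32.dll": ["FindResourceW", "LoadResource", "GetProcAddress", "LoadLibraryA"],
    "ws2_32.dll": ["ordinal:23"],
}
```

Running `triage(SAMPLE)` tags the downloader and keylogger families, drops the incomplete dropper chain, and flags the sparse import table next to the resolver pair.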
## Tips
- Every `.exe` file may contain imported DLLs, exported functions, or strings worth reviewing.
- Modern malware often avoids obvious imports and direct DLL calls, which makes static analysis harder.
- Use IDA's views and string analysis to quickly identify relevant code paths.
- Ransomware often uses symmetric encryption for data and asymmetric encryption to protect keys.
- Some malware carries valid digital signatures stolen from legitimate organizations.
- Packers can be used to obfuscate PE files.
- Fuzzy hashing tools such as ssdeep help compare related samples.
- An import of `WinExec` from `kernel32.dll` can be suspicious.
- Static analysis can be bypassed by resolving APIs dynamically at runtime.
- FASM can be used to build shellcode in assembly.
- Basic block analysis is useful when studying program flow in IDA.
- Exporting Procmon data to CSV and loading it into ProcDot helps visualize behavior.
- Some ransomware requires careful network simulation to reveal command-and-control activity.
- FakeNet can expose outbound connections in a controlled environment.
- PatchGuard reduces the reliability of certain rootkit techniques on modern Windows versions.
- Volatility's `psscan` can help identify hidden processes.
- `.pdb` files can reveal function names and improve detection work.
- VM memory snapshots are useful for offline memory analysis.
- In IDA Pro, `Tab` switches to decompiled code and `X` shows cross-references.
- In x64dbg, `F9` continues execution and `F7` / `F8` step through code.
## Books
- [Practical Malware Analysis](https://www.amazon.co.uk/Practical-Malware-Analysis-Hands-Dissecting/dp/1593272901/)
- [Practical Reverse Engineering](https://www.amazon.co.uk/Practical-Reverse-Engineering-Reversing-Obfuscation/dp/1118787315)
## References
- [A Complete Practical Approach to Malware Analysis and Memory Forensics - 2021 Edition](https://www.blackhat.com/eu-21/training/schedule/#a-complete-practical-approach-to-malware-analysis-and-memory-forensics----edition-24217)
- [Awesome Malware Analysis](https://github.com/rshipp/awesome-malware-analysis)
- [Malware Analysis and Reverse Engineering](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering)