Malware analysis is the art of dissecting malicious software to understand how it infects, spreads, and damages systems. It's a critical skill for any Blue Teamer or Researcher.
The Two Pillars of Analysis
When analyzing a suspicious file, we typically take two approaches:
1. Static Analysis
Examining the code without running it. It's like looking at the blueprints of a bomb.
- Hashing: Computing MD5/SHA-256 hashes to identify known samples.
- Strings: Extracting readable text (IPs, URLs, messages).
- Disassembly: Using tools like Ghidra to view the assembly code.
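As an added example (not code from the original page), here are the first two static steps in Python: hash a file's bytes, pull out printable strings the way the `strings` tool does, and then filter those strings for the URLs, IPs and persistence-related registry paths an analyst looks for. The `SAMPLE` bytes are constructed for the demo and are not a real sample; `example.invalid` and `192.0.2.10` are reserved documentation values.

```python
import hashlib
import re

# Constructed stand-in for a suspicious file (not a real malware sample): a little
# binary noise around the kind of printable fragments an analyst wants to see.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x01\x02\x03\x04" * 4
    + b"http://example.invalid/update.php\x00"
    + b"\xff\xfe\xfd" + b"192.0.2.10\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00" + b"Hello Victim\x00"
)

MIN_LEN = 4  # same default minimum length as the classic `strings` tool

def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the contents, for lookup against known-sample databases."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII at least min_len long (ASCII only, no UTF-16 scan)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]

def indicators(strs: list) -> dict:
    """Pick out URLs, IPv4 addresses and Run-key paths from the extracted strings."""
    url_re = re.compile(r"https?://[^\s\"']+")
    ip_re = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
    found = {"urls": [], "ips": [], "run_keys": []}
    for s in strs:
        found["urls"].extend(url_re.findall(s))
        found["ips"].extend(ip_re.findall(s))
        if "CurrentVersion\\Run" in s:  # a common persistence location
            found["run_keys"].append(s)
    return found

def triage(data: bytes) -> dict:
    """Combine the static checks into one report for a file's bytes."""
    strs = extract_strings(data)
    return {"hashes": hashes(data), "strings": strs, "indicators": indicators(strs)}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Hashes are the quickest win (a match in a sample database ends the analysis early), while the string output is what you would feed into the dynamic stage to know which network and registry activity to watch for.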
2. Dynamic Analysis
Running the malware in a controlled environment to see what it actually does.
- Registry: Watching for persistence keys.
- Network: Capturing C2 (Command & Control) traffic.
- Filesystem: Checking for dropped payloads.
"Dynamic analysis tells you 'what' happened. Static analysis tells you 'how'."
Setting Up Your Lab
DANGER
Never run malware on your host machine. Use an isolated Virtual Machine (VM) with network adapters set to "Host-only" or disabled entirely.
Essential Tools
Build your toolkit with these industry standards:
# Analysis Toolkit
1. Wireshark -> Network traffic analysis
2. Ghidra -> Reverse engineering (released by the NSA)
3. Process Monitor (Procmon) -> Real-time monitoring of process, file and registry activity
4. PEStudio -> Windows executable inspection