This content originally appeared on DEV Community and was authored by Arun kumar G
How Malware Analysis Helps SOC Analysts:
The US and Israel created Stuxnet (malware) to disrupt Iran's nuclear plant. It propagated through USB drives and used 4 zero-day vulnerabilities.
Steps involved in the disruption:
- Infection --> through a USB stick
- Search --> Stuxnet searches whether the machine is part of the targeted control systems made by Siemens.
- Update --> If the target has a Siemens control system, it searches for and updates itself to the most recent version.
- Compromise --> via the zero-day vulnerabilities.
- Control --> Spies on the operations of the nuclear plant to control the centrifuges.
- Deceive and Destroy --> Once the required information is gathered, Stuxnet starts sending false commands to destroy the power plant.
- Stuxnet had 4 zero-day vulnerabilities.
- Stuxnet targeted Siemens control systems.
- The attack happened in 2010.
Malware Definition and its Types:
Malware = Malicious Software
Types of Malware:
- Backdoor: Opens a network port connected to a shell, enabling the attacker to connect to the system through this port.
- Virus: Self-replicates and persists by infecting other files.
- Keylogger: Records the keys typed by the user.
- Adware: Floods the user with ads; sometimes it may change the default search engine of the web browser.
- Worm: Malware that spreads from the infected device - Eg: WannaCry
- Rootkit: Malware that provides high-level access.
- RAT: Remote Access Trojan - full control over the device by the threat actor
- Banking malware: Malware focusing on banking software and sites.
- Ransomware: Demands money by encrypting the files.
** Name of the first worm on the internet --> Morris
** Vulnerability code of WannaCry --> MS17-010
** What is the name of the malware that was detected in December 2021, distributed through the SolarWinds Orion product and caused the hacking of many organizations such as FireEye? --> Sunburst
What Should a Malware Analyst Know:
- Operating System Fundamentals:
Malware often takes advantage of operating system features for escalating privileges, performing discovery and ensuring persistence.
In Windows, malware uses features such as the registry, Task Scheduler and services to ensure persistence.
- Assembly Language and Programming:
Machines only understand 0s and 1s. The program we write to create an application is converted into assembly language by means of an assembler, and the assembly language is then converted into zeros and ones by the compiler.
Process Flow:
Start
Preprocessor --> MyApp.c
Compiler --> MyApp.i
Assembler --> MyApp.s
Executable --> MyApp.exe
Software that translates machine code back into assembly code is called a disassembler.
- Network protocols and fundamentals:
Cryptography --- Ransomware
** What encryption is used by ransomware --> Asymmetric
Which Approach Should You Choose When Analyzing Malware?
2 Approaches:
- Static Malware Analysis
Analyzing malicious software by reverse engineering methods WITHOUT RUNNING it. Decompile / disassemble to analyze each step / process in order to understand the nature / behaviour of the malware.
Your device will not be infected, as you do not run the malicious software in static analysis. (However, we do not recommend performing static analysis on your host device; it is more proper to do your analysis in a virtual operating system.)
The information examined during static analysis is as follows:
- P.E. (Portable Executable) Headers
- Imported DLLs
- Exported DLLs
- Strings in the binary
- CPU Instructions
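As an added example (not part of the original post), the Python script below does the first and fourth items of this checklist offline: it parses the PE headers and section table with `struct` so the field offsets stay visible, flags any section that is both writable and executable (a common packer hint), and extracts printable strings the way the `strings` tool does. The PE image it inspects is constructed inline and is not a real sample; import-table parsing needs the data directories and is left out.

```python
import re
import struct

# Constructed minimal PE32 image (not a real sample): DOS header, "PE\0\0",
# COFF file header, optional header and one ".text" section whose raw data
# holds a few strings of the kind a static-analysis pass looks for.
def build_sample_pe() -> bytes:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)            # ImageBase
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)           # CODE | EXECUTE | READ
    raw = b"kernel32.dll\0CreateFileA\0Software\\Microsoft\\Windows\\CurrentVersion\\Run\0"
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(0x200, b"\0") + raw.ljust(0x200, b"\0")

def parse_pe(data: bytes) -> dict:
    """Read the fields an analyst checks first: arch, build time, entry point, sections."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24          # optional header follows the 20-byte COFF header
    sections = []
    for i in range(nsec):
        name, _, vaddr, rawsize, _, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt_off + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "raw_size": rawsize,
            # writable + executable section: common sign of a packer or self-modifying stub
            "writable_and_executable": flags & 0xA0000000 == 0xA0000000,
        })
    return {"machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "timestamp": stamp, "sections": sections,
            "entry_point": struct.unpack_from("<I", data, opt_off + 16)[0]}

def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Printable ASCII runs of at least min_len chars, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    print(parse_pe(build_sample_pe()), extract_strings(build_sample_pe()))
```

Point `parse_pe` and `extract_strings` at the bytes of a real file inside your analysis VM to get the same triage output for it.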
- Dynamic Malware Analysis
Examining the malware's behaviour while it is running. While doing dynamic analysis, you should carefully examine the following events:
- Network Connections
- File Events
- Process Events
- Registry Events
Static vs Dynamic Analysis:
Dynamic Analysis Example:
ANY.RUN: Interactive sandbox environment to perform malware analysis dynamically.
https://bazaar.abuse.ch/sample/708e198608b5b463224c3fb77fcf708b845d0c7b5dbc6e9cab9e185c489be089/
Exact Analysis:
https://app.any.run/tasks/e4979ab7-3145-4121-a042-ea91d7e2c86b
To find the email address associated with the malware and the password used:
- Go to the Threats tab in ANY.RUN.
- Click on a message to open the Threat Details pop-up.
- Open the Stream Data tab and switch the view from Hex to Text.
- You'll find the Base64 string "TzhrI1B6NHNrOndf". Decode the string to reveal the password.
29 Addresses to Analyze Malware Faster:
We constantly spend time analyzing malware. We have listed 29 addresses that can be useful for blue team members to use their time more effectively:
- Anlyz
- Any.run
- Comodo Valkyrie
- Cuckoo
- Hybrid Analysis
- Intezer Analyze
- SecondWrite Malware Deepview
- Jevereg
- IObit Cloud
- BinaryGuard
- BitBlaze
- SandDroid
- Joe Sandbox
- AMAaaS
- IRIS-H
- Gatewatcher Intelligence
- Hatching Triage
- InQuest Labs
- Manalyzer
- SandBlast Analysis
- SNDBOX
- firmware
- OPSWAT
- virusade
- VirusTotal
- malware config
- Malware Hunter Team
- VirSCAN
- Jotti
Arun kumar G | Sciencx (2025-10-05T13:11:03+00:00) Week 1 / 50 – Cybersecurity Journey – Malware Analysis. Retrieved from https://www.scien.cx/2025/10/05/week-1-50-cybersecurity-journey-malware-analysis/