Read 32 401 - jserpa-p/lisbon-ops-301n1_Reading GitHub Wiki
Malware Traffic Analysis with Wireshark
Malware analysis
Malware analysis is the process of studying and understanding malicious software, or malware. It involves examining the code, behavior, and purpose of malware to learn how it works, what it targets, and how to defend against it. Analysts use different techniques like looking at the code, running the malware in controlled environments, and observing its actions to gain insights. Malware analysis helps in creating defenses, detecting threats, and responding to security incidents.
Malware Analysis Process
- Capture the malware
- Build a malware lab
- Install your tools
- Record the baseline
- Commence your investigation
- Document the results
Types of Malware Analysis
- Static malware analysis
Static analysis examines the sample without running it, looking at static properties like metadata, headers, embedded assets, etc. A quick static analysis often reveals enough information to create an indicator of compromise (IOC).
- Dynamic malware analysis
Dynamic analysis allows the malware to play itself out in a controlled environment while observing its behavior. VMs are critical when conducting dynamic analysis, as it is likely that the malware will cause irreparable damage to its host environment.
- Manual malware analysis
Manual analysis is also known as code reversing since you are essentially beginning with the final software, moving backward into code, and then arriving at the original logic — instead of the other way around.
- Automated malware analysis
Automated analysis passes the malware through an automated workflow where its different behavioral and static properties are tested. Automation can generate detailed reports and feed data into an incident response system, bringing only the most necessary signals to a human analyst.
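Quick static triage of a sample, as described under static analysis above, as an added example that is not from the original notes: it hashes a constructed byte string standing in for a suspicious file, identifies its type from magic bytes, pulls printable strings the way the `strings` tool does, and turns URL, IP and path strings into an IOC record. The `SAMPLE` bytes, the `example.invalid` host and the `198.51.100.23` address are constructed for the example, not indicators from the page.

```python
import hashlib
import re

# Constructed sample bytes standing in for a suspicious file (not real malware):
# a DOS/PE "MZ" magic, padding, and a few embedded strings an analyst would
# pull out during quick static triage. All values are made up for this example.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x00" * 16
    + b"http://updates.example.invalid/payload.bin\x00"
    + b"C:\\Users\\Public\\svc.exe\x00"
    + b"198.51.100.23\x00"
    + b"\x01\x02ab\x00"  # too short to count as a string
)

# Leading magic bytes for the file types most often seen in triage.
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (Office/JAR/APK)",
}

def identify_type(data):
    """Return a file type label from the leading magic bytes, or 'unknown'."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def extract_strings(data, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def static_triage(data):
    """Quick static analysis: hash, type and embedded indicators -> IOC record."""
    strings = extract_strings(data)
    urls = [s for s in strings if re.match(r"https?://", s)]
    ips = [s for s in strings if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s)]
    paths = [s for s in strings if re.match(r"[A-Za-z]:\\", s)]
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
        "type": identify_type(data),
        "urls": urls,
        "ips": ips,
        "paths": paths,
    }

if __name__ == "__main__":
    for key, value in static_triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The returned record is the minimum an analyst needs to write an IOC (hash plus network and host artifacts) before deciding whether dynamic analysis is worth the effort.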
Key stages of malware analysis
- Observing malware behavior
- Disassembling the code
- Examining the memory
Top 6 Malware Analysis Best Practices for 2021
- Use automation to optimize your efforts
- Always use a secure environment to run malware
- Only analyze malware whose remote infrastructure is running
- Capture and store VM image snapshots
- Do your research and select the best-fit malware analysis tools
- Expand your malware sample size continuously
Questions
1. You just started a new job as a Malware Analyst. Explain your job responsibilities to a family member.
So, in my new job I study and understand malware, which is what we call malicious software. My main concerns would be detecting threats in my network, responding to security incidents and creating defenses.
2. What are the six steps of the Malware Analysis process? What’s a good mnemonic you can use to remember it?
Malware Analysis Process:
- Survey
- Examine
- Classify
- Uncover
- Respond
- Evaluate
A good mnemonic for these steps could be S.E.C.U.R.E.
3. You are tasked with analyzing a new malware sample. Which type of malware analysis would you conduct first and why?
Since it is a new malware sample, and therefore an unknown piece of code, I would conduct a manual analysis in order to understand the core of the malware code, using tools like debuggers, decompilers, and decrypters.