Malware analysis is a process where experts safely examine a malicious software sample to understand its behavior, purpose, and origin. The process is typically broken down into two main phases: static analysis, where the malware is examined without being run, and dynamic analysis, where its behavior is observed during execution within a secure, isolated environment.
Disclaimer: A Critical Warning
Do not attempt to analyze malware on your personal or work computer. Malware is dangerous by design. Analysis must only be performed in a specially configured, isolated laboratory environment, typically a Virtual Machine (VM) that is disconnected from your network, to prevent the infection from spreading.
Phase 1: Setting Up Your Safe Lab Environment
Before you do anything else, you must build a safe space.
- Use a Virtual Machine (VM): A VM is a sandboxed computer running inside your actual computer. Use software like VirtualBox (free) or VMware to create a VM. If the malware infects the VM, you can simply delete it without harming your host machine.
- Take Snapshots: Before running the malware, take a “snapshot” of your clean VM. This saves the state of the machine, allowing you to instantly revert to the clean state after the analysis is complete.
- Isolate Your Network: Disconnect your VM’s network adapter or configure it to run on an isolated virtual network to prevent the malware from spreading or contacting its command-and-control server.
Phase 2: Static Analysis (Analyzing Without Running)
The goal here is to learn as much as possible about the malware without executing it.
1. Check File Hashes
A “hash” is a unique digital fingerprint of a file. Use a tool to calculate the malware’s MD5 or SHA-256 hash. You can then search for this hash on websites like VirusTotal. If the sample is known, VirusTotal will give you a report on what other antivirus engines call it and any information the community has gathered.
2. Examine Strings
Malware files often contain readable text snippets (strings) embedded within their code. Using a tool like strings, you can extract these snippets. You might find revealing information like:
- URLs or IP addresses it tries to connect to.
- File names it creates or looks for.
- Error messages or commands.
3. Analyze the File Header
Specialized tools can read the file’s header to tell you what type of file it is (e.g., .exe, .dll), when it was compiled, and whether it has been “packed” or obfuscated to hide its true nature.
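As an added worked example (not part of the original article), the three static steps above in one Python script: it hashes the sample, pulls printable strings the way the strings tool does, and reads the PE/COFF header for file type, architecture, compile time and a byte-entropy packing hint. The input is a constructed stand-in built inside the script, not a real sample, and the entropy threshold of 7.0 is an assumed rule of thumb rather than a hard rule.

```python
import hashlib, math, re, struct
from collections import Counter
from datetime import datetime, timezone

# Constructed stand-in for a sample: a minimal DOS stub plus PE/COFF header followed by a few
# embedded strings. It is not real malware and cannot run; it only exercises the parser below.
def build_sample() -> bytes:
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0x5F5E1000, 0, 0, 0, 0x0102)
    body = (b"\x00" * 8 + b"http://example.invalid/update.bin\x00\x01\x02"
            b"C:\\Users\\Public\\updater.dat\x00\x7fError: invalid license\x00")
    return dos_header + coff + body

def file_hashes(data: bytes) -> dict:
    """Step 1: MD5 and SHA-256 fingerprints, the values you look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 2: runs of printable ASCII, the same idea as the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; values near 8.0 are a classic hint of packing or encryption."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe_header(data: bytes) -> dict:
    """Step 3: file type, architecture, compile time and a packing hint from the PE header."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew points at "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    entropy = round(shannon_entropy(data), 2)
    return {"type": "dll" if chars & 0x2000 else "exe",       # IMAGE_FILE_DLL flag
            "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "sections": nsect,
            "compiled": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "entropy": entropy, "likely_packed": entropy > 7.0}  # 7.0: assumed threshold

def static_report(data: bytes) -> dict:
    """All three static steps in one report for the analyst's notes."""
    return {"hashes": file_hashes(data), "strings": extract_strings(data), **parse_pe_header(data)}

if __name__ == "__main__":
    for key, value in static_report(build_sample()).items():
        print(f"{key}: {value}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `static_report`; a packed sample will typically show high entropy and very few meaningful strings, which is the cue to unpack before further static work.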
Phase 3: Dynamic Analysis (Running the Malware Safely)
This is where you execute the malware inside your isolated VM to observe its behavior.
1. Monitor System Changes
Tools like Process Monitor (ProcMon) from Microsoft’s Sysinternals suite are essential. ProcMon allows you to watch in real-time as the malware:
- Creates, modifies, or deletes files.
- Reads or writes to the Windows Registry.
- Launches new processes.
2. Monitor Network Traffic
Before running the malware, start a network analysis tool like Wireshark. This will capture any network packets the malware tries to send or receive. You can see if it attempts to “call home” to a command-and-control (C2) server, download additional malicious components, or exfiltrate data.
3. Use an Automated Sandbox
For a quick, high-level overview, you can submit the malware sample to an online automated sandbox service. These services run the malware in a secure cloud environment and automatically generate a detailed report of its behavior, including system changes and network traffic.