Malware is the thorn in the side of security analysts everywhere. The main question when a suspicious-file alert comes in is "Is it malware?" Analysts use a range of techniques and tools to determine whether a suspicious file is indeed a threat and, if it is, to learn as much as possible about it. Attackers, however, keep improving their techniques, and what could once be settled with simple sandboxing now takes several different tools. Malware analysis tools make alert triage more straightforward and effective.
This post will explore malware analysis tools, their challenges, and what to look for when choosing a solution.
The State of Malware Analysis
What is a Malware Analysis Tool?
What is a Sandbox Environment?
Key Features of Malware Analysis Tools
Types of Malware Analysis Software
Intezer Analyze All-In-One Malware Analysis Platform
Related Resources
What is a Malware Analysis Tool?
Malware analysis examines a sample to determine its origin, impact, and functionality. Malware analysis tools let us establish quickly and reliably how a threat made its way into the system and what actions it takes.
Years ago, malware analysis was an entirely manual job; that no longer scales. Because malware carries such a strong financial incentive, criminals constantly produce new variants, so analysis technology has had to evolve and lean on automation and advanced analytics.
Modern malware analysis tools give analysts the information they need to reverse engineer samples accurately. As a result, organizations now employ solutions such as dynamic malware analysis tools. More on this in the next section.
Static Analysis and Dynamic Analysis Tools
There are two main ways to analyze a piece of malware: examine the sample without running it, or observe it while it runs. These two approaches give rise to the two types of malware analysis tools: static and dynamic.
Static Analysis
Once a suspicious file has been captured, for example after an endpoint or gateway alert surfaces in the SIEM, analysts can conduct static analysis. Because static analysis inspects the file without executing it, it is one of the safest ways to examine malware: executing the code risks spreading the infection through your system.
Analysts use static malware analysis tools for these checks. Static tools gather information from a sample without running it: its file name, type, size and hashes, for instance. An analyst can also review the imports and strings in the file, which often helps decide whether it is malicious. However, basic static features alone are rarely enough to identify the malware family.
There are also advanced static analysis tools that inspect the malware's code itself. They examine the file component by component, still without executing it, and help reverse engineers by disassembling the machine code into assembly instructions, which gives clues about the program's purpose.
Attackers can evade static analysis. Two common tactics are obfuscation and encryption. Obfuscation conceals the malware's code and data so that static analyzers cannot read them; the real code is only revealed when the malware executes, typically by unpacking itself in memory.
Encryption goes further and encodes the payload so that only a party holding the decryption key (here, the malware's own unpacking stub) can recover it.
Encryption is the same primitive ransomware uses to hold files hostage; applied to the malware's own body, it frustrates disassembly and reverse engineering. A practical tell is entropy: a packed or encrypted section is close to random and measures near 8 bits per byte, far above ordinary code or text.
Dynamic Analysis Tools
Dynamic analysis differs from static analysis chiefly in that it runs the malware in order to inspect it. The previous section noted that running malware can spread it; to contain that risk, analysts perform dynamic analysis in an isolated, instrumented environment called a sandbox. A sandbox is usually a virtual machine whose file system, registry, process and network activity is fully monitored, which is what makes it more useful than simply running the sample in an unmonitored VM.
Dynamic analysis tools monitor the sandbox and record whether and how the malware modifies the system. Running the malware can surface indicators that static analysis could not: newly created registry keys, contacted IP addresses and domain names, dropped file paths, spawned processes.
As with static analysis, attackers have developed techniques to evade dynamic analysis. For instance, malware may check for a debugger, a virtual machine or known sandbox artifacts and refuse to run, or follow a harmless code path, when it finds them; it may also simply sleep past the sandbox's time limit. A run that ends quickly with no observable activity is therefore inconclusive, not proof that the file is clean.
What is a Sandbox Environment?
Antivirus alone is not enough against advanced threats. When you receive a suspicious file, you need to test whether it is malicious without putting the rest of your system at risk. In cybersecurity, a sandbox is a secure, isolated test environment in which programs are run and observed to determine whether they are malicious.
Sandboxes are often marketed as automated malware analysis solutions. Most are software, typically built on virtual machines or emulators, though hardware-based (bare-metal) alternatives exist for samples that detect virtualization. The term also covers the isolation mechanisms that browsers, plug-in hosts and embedded systems use to contain untrusted code.
Sandbox products differ in the features they add around the basic execution environment. Features common to the major vendors include threat analysis, reporting, automation, and pre-filtering of samples. They complement detection controls such as monitoring and antivirus by providing a safe place to confirm whether suspicious software is a threat.
Key Features of Malware Analysis Tools
Different types of tools help during various stages of the malware analysis process, and the list of features varies according to the vendor. Static and dynamic malware analysis tools have different features:
Static Analysis Features
- Lets reverse engineers view the suspicious file's code and examine it for signs of malicious behavior. It also helps analysts gather general information about the file to decide whether it is trusted or malicious, although static analysis alone is sometimes not enough.
- Inspects the dynamically linked imports of a Portable Executable (PE). Static analysis covers the PE header, sections, characteristics, and imports. The import table reveals which Windows APIs the program can call, so a cluster such as VirtualAllocEx, WriteProcessMemory and CreateRemoteThread hints at process injection before the sample ever runs. This is one of the most useful functions of static analysis.
Dynamic Analysis Features
- Shows which processes are running on the device, so analysts can distinguish normal processes from those the malware created.
- Pulls information from a process's memory.
- Detects registry changes in near real-time.
How does malware analysis typically work? Analysts first perform static analysis to gather suspicious indicators. Once they have as much data as possible about the sample, they perform dynamic analysis: running the malware and trying to detonate it in a sandbox or virtual machine.
To understand how malware analysis works, we need first to understand the different analysis techniques:
Static Analysis
Analyzing a binary file without running it, which lets you extract the file's metadata. Static analysis is quick to perform and often tells you where to focus the next stage.
Static malware analysis tools usually carry out the following functions:
- Identifies the malware’s target architecture
- Fingerprints the malware
- Scans the suspicious file with an antivirus
- Extracts metadata, functions, and strings
- Identifies evasion techniques such as packing and obfuscation
- Classifies the sample and compares it with known threat signatures
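The static stage described in this list and in the static analysis section above (fingerprinting, target architecture, strings, the PE import table, packing as an evasion tell) as one worked example. This is an added illustration written for this article, not Intezer's code or any vendor's tool; it uses only the Python standard library and parses PE32 headers, the section table and the import directory directly. The sample PE it analyzes is constructed in memory for the demonstration: the URL, registry path and API names are chosen for the example, it is not real malware, and the 7.0-bits-per-byte entropy threshold is a common rule of thumb rather than a standard.

```python
import hashlib, math, re, struct
from collections import Counter

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: code and text sit around 4-6, packed or encrypted data close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs, the cheapest static indicator (expect some junk from packed data)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_pe(data: bytes) -> dict:
    """Parse the COFF header, section table and import directory of a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled in this example")
    import_rva = struct.unpack_from("<I", data, opt + 0x68)[0]        # DataDirectory[1] = imports
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize, "rptr": rptr,
                         "rsize": rsize, "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 2)})

    def off(rva: int) -> int:                                          # RVA -> file offset via its section
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
                return rva - s["va"] + s["rptr"]
        raise ValueError(f"RVA {rva:#x} is not mapped by any section")

    def cstr(o: int) -> str:                                           # NUL-terminated string at offset
        return data[o:data.index(b"\0", o)].decode()

    imports, desc = {}, off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if not name_rva:
            break                                                      # null descriptor ends the table
        funcs, thunk = [], off(oft or ft)
        while (entry := struct.unpack_from("<I", data, thunk)[0]):
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(off(entry) + 2))
            thunk += 4
        imports[cstr(off(name_rva)).lower()] = funcs
        desc += 20
    return {"sha256": hashlib.sha256(data).hexdigest(), "machine": MACHINES.get(machine, hex(machine)),
            "timestamp": stamp, "sections": sections, "imports": imports, "strings": extract_strings(data)}


def triage(report: dict) -> list:
    """Turn raw static facts into the findings an analyst would actually write down."""
    findings = []
    for s in report["sections"]:
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']} entropy {s['entropy']}: likely packed or encrypted")
    imported = {f for fns in report["imports"].values() for f in fns}
    if INJECTION_APIS <= imported:
        findings.append("imports VirtualAllocEx+WriteProcessMemory+CreateRemoteThread: process-injection capability")
    for s in report["strings"]:
        if s.startswith(("http://", "https://")) or "CurrentVersion\\Run" in s:
            findings.append(f"embedded indicator: {s}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 for the demo (not real malware): strings, a KERNEL32 import table, a packed-looking section."""
    text_va, text_off, text = 0x1000, 0x200, bytearray()
    text += b"http://c2.example.invalid/gate.php\0SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0"
    names = []
    for fn in sorted(INJECTION_APIS):            # IMAGE_IMPORT_BY_NAME: 2-byte hint + name + NUL
        names.append(len(text))
        text += b"\0\0" + fn.encode() + b"\0"
    text += b"\0" * (-len(text) % 4)
    thunks = len(text)
    text += b"".join(struct.pack("<I", text_va + n) for n in names) + b"\0" * 4
    dll = len(text)
    text += b"KERNEL32.dll\0" + b"\0" * 3
    desc = len(text)
    text += struct.pack("<IIIII", text_va + thunks, 0, 0, text_va + dll, text_va + thunks) + b"\0" * 20
    text += b"\0" * (-len(text) % 0x200)
    packed = hashlib.shake_256(b"seed").digest(0x1000)   # 4 KiB of pseudorandom bytes ~ encrypted payload
    opt = bytearray(0xE0)                        # PE32 optional header; only the fields parse_pe reads are set
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 0x68, text_va + desc, 40)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))     # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, len(opt), 0x0102) + opt
    hdr += struct.pack("<8sIIIIIIHHI", b".text", len(text), text_va, len(text), text_off, 0, 0, 0, 0, 0x60000020)
    hdr += struct.pack("<8sIIIIIIHHI", b".xpack", len(packed), 0x2000, len(packed), text_off + len(text),
                       0, 0, 0, 0, 0xE0000040)
    return bytes(hdr + b"\0" * (text_off - len(hdr)) + text + packed)
```

Calling `triage(parse_pe(build_sample_pe()))` yields a packed-section finding for `.xpack`, the process-injection import cluster, and the embedded URL and Run-key path. Real samples add complications this parser deliberately skips: PE32+ (64-bit) images, delay-load and bound imports, and packers that rebuild the import table at runtime, which is exactly why a near-8.0 entropy section next to a tiny import table (often little more than LoadLibrary and GetProcAddress) is itself a strong signal. The fingerprint here is a plain SHA-256; production tools add import hashes, fuzzy hashes such as ssdeep or TLSH, and YARA rules to get from "suspicious" to a family name.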
Dynamic Analysis
Also called behavioral analysis, this process executes the suspect file in a controlled, isolated environment and monitors what it does. It shows how the file behaves while running. However useful, it only reveals the code paths that were actually exercised during the run, so it cannot give a complete picture of the program's functionality.
Dynamic analysis tools carry out the following steps:
- Execute the malware sample with administrator privileges
- Monitor it
- Inspect processes
- Collect data and reports
- Analyze the results and determine if there are indicators of compromise
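The steps above, together with the indicator and evasion points from the dynamic analysis section, as one added worked example (not Intezer's code and not a real sandbox): a small analyzer that takes the events an instrumented sandbox VM records, rebuilds the sample's process tree, extracts the indicators mentioned earlier (registry keys, IP addresses, file paths, domains) from that tree's activity only, and names the behaviours worth reporting, including the "exited early, saw nothing" failure mode. The two event logs are constructed for this example in a JSON-lines shape of my own; the field names, PIDs, paths and the .invalid domain are assumptions, and the two-second early-exit threshold is illustrative.

```python
import ipaddress
import json
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INJECTION_APIS = {"WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection", "QueueUserAPC"}
ANTI_DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent", "NtQueryInformationProcess"}

# Constructed sandbox event log (JSON lines) for the demo. The field names are this
# example's own and do not follow any particular sandbox vendor's report format.
SAMPLE_EVENTS = r"""
{"t": 0.00, "op": "process_start", "pid": 1234, "parent": 900, "image": "C:\\Users\\lab\\invoice.exe"}
{"t": 0.05, "op": "api_call", "pid": 1234, "api": "IsDebuggerPresent", "ret": 0}
{"t": 0.10, "op": "file_write", "pid": 1234, "path": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"t": 0.20, "op": "reg_set", "pid": 1234, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater", "data": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"t": 0.40, "op": "dns_query", "pid": 1234, "name": "update.c2-example.invalid", "answer": "203.0.113.45"}
{"t": 0.45, "op": "net_connect", "pid": 1234, "dst": "203.0.113.45", "port": 443}
{"t": 0.60, "op": "process_start", "pid": 1350, "parent": 1234, "image": "C:\\Users\\lab\\AppData\\Roaming\\svchost.exe"}
{"t": 0.70, "op": "api_call", "pid": 1350, "api": "WriteProcessMemory", "target_pid": 2000}
{"t": 0.72, "op": "api_call", "pid": 1350, "api": "CreateRemoteThread", "target_pid": 2000}
{"t": 0.80, "op": "net_connect", "pid": 1350, "dst": "10.0.0.5", "port": 445}
{"t": 0.90, "op": "file_write", "pid": 777, "path": "C:\\Windows\\Temp\\unrelated.log"}
{"t": 1.20, "op": "process_exit", "pid": 1234, "code": 0}
"""

# A second constructed run in which the sample spots the analysis environment and quits.
EVASIVE_EVENTS = r"""
{"t": 0.00, "op": "process_start", "pid": 4321, "parent": 900, "image": "C:\\Users\\lab\\invoice.exe"}
{"t": 0.03, "op": "api_call", "pid": 4321, "api": "IsDebuggerPresent", "ret": 1}
{"t": 0.04, "op": "process_exit", "pid": 4321, "code": 1}
"""


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines()]


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def analyze(events: list) -> dict:
    """Rebuild the sample's process tree (first event is the sample's own start), pull IOCs
    from that tree's activity only, and name the behaviours an analyst would report."""
    root = events[0]["pid"]
    tree, written, iocs, behaviors, exit_t = {root}, set(), defaultdict(set), [], None

    def note(msg: str) -> None:
        if msg not in behaviors:
            behaviors.append(msg)

    for e in events:
        if e["op"] == "process_start" and e["parent"] in tree:
            tree.add(e["pid"])
            if e["image"] in written:
                note(f"drop-and-execute: {e['image']}")
        elif e["pid"] not in tree:
            continue                                   # activity of unrelated processes in the VM
        elif e["op"] == "file_write":
            written.add(e["path"])
            iocs["files"].add(e["path"])
        elif e["op"] == "reg_set":
            iocs["registry"].add(f"{e['key']}\\{e['value']}")
            if "\\currentversion\\run" in e["key"].lower():
                note(f"persistence via Run key: {e['value']} -> {e['data']}")
        elif e["op"] == "dns_query":
            iocs["domains"].add(e["name"])
            if e.get("answer"):
                iocs["ips"].add(e["answer"])
        elif e["op"] == "net_connect":
            if is_internal(e["dst"]):
                note(f"internal/lateral connection: {e['dst']}:{e['port']}")
            else:
                iocs["ips"].add(e["dst"])
        elif e["op"] == "api_call":
            if e["api"] in INJECTION_APIS and e.get("target_pid") not in tree:
                note(f"cross-process injection into pid {e['target_pid']} via {e['api']}")
            if e["api"] in ANTI_DEBUG_APIS:
                note(f"anti-analysis check: {e['api']} returned {e.get('ret')}")
        elif e["op"] == "process_exit" and e["pid"] == root:
            exit_t = e["t"]
    # The evasion failure mode: a quick exit with nothing observed means the run told us
    # nothing, not that the file is clean. Rerun with anti-evasion or fall back to static analysis.
    if exit_t is not None and exit_t < 2.0 and not any(iocs.values()):
        note("possible sandbox evasion: exited early with no observable activity")
    return {"process_tree": sorted(tree), "iocs": {k: sorted(v) for k, v in iocs.items()},
            "behaviors": behaviors}
```

`analyze(load_events(SAMPLE_EVENTS))` returns the two-process tree, the dropped path, the Run-key value, the domain and the external IP as IOCs, and flags persistence, drop-and-execute, injection into a foreign process and an SMB connection into the internal range; the write by pid 777 is ignored because it is outside the sample's tree. `analyze(load_events(EVASIVE_EVENTS))` returns no IOCs and a sandbox-evasion note instead of a clean bill. To run this against real output you would write a loader that maps your sandbox's report or a process-monitor export into these event records; the behaviour rules themselves do not change.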
Hybrid Analysis
This technique combines static and dynamic analysis tools. It helps detect malicious software and discover behavioral threat patterns in unknown code; combining the two lets analysts catch threats that either technique alone would miss.
Code Analysis
This technique focuses on analyzing the code to understand how the binary works and classifying the malware. Malware classification is assigning a malware sample to a specific malware family. It gives a deeper insight that complements static and dynamic analysis.
Memory Analysis
Although used mostly in forensics, memory analysis helps you understand how malware behaves after infection, especially its evasion and stealth techniques, because unpacked code and injected modules that never touch disk are visible in memory.
Types of Malware Analysis Software
Now that you know what malware analysis is and how it works, let's look at the essential tools in a malware analysis stack. Most static and dynamic analysis platforms cover these functions, but there are also several stand-alone tools you can use:
- Disassemblers: as explained above, these translate the malware's machine code into assembly, giving insight into its purpose.
- Debuggers: in software development these tools track down coding mistakes; in malware analysis they let you step through the code instruction by instruction, inspect registers and memory, and watch a packed sample unpack itself.
- Hex editors: these open any type of file and display its raw bytes, usually as hexadecimal alongside an ASCII view. They are also called binary file editors.
- Process monitors: these show file system, registry, and process activity in real time.
Intezer Analyze All-In-One Malware Analysis Platform
Intezer approaches malware analysis by applying genetic code sequencing to software: because most attackers reuse code, identifying the reused code fragments can immediately point to the original threat.
This approach improves on the traditional sandbox method. Most malware-related alerts point to suspicious endpoint activity rather than a specific file. Sandboxes and endpoint security solutions also lack context, and you need more information to understand what a vague verdict such as Trojan.Generic means. The result is that security teams use multiple tools for every investigation.
Another challenge is the complexity of the information. More often than not, junior analysts escalate an incident because the tool's report is too complex to understand, putting unnecessary strain on reverse engineers.
To solve these issues, Intezer built an all-in-one malware analysis tool that reimagines the analyst's experience:
- Covers every potential malware incident
- Reports that security teams of all skill levels can understand
- Offers integration and automation with EDR, SOAR and analysis tools to automate IR workflows
Some of the key features of Intezer Analyze include:
- Analyzes non-binary formats
- Sandboxing and behavior analysis
- Automatically extracts indicators of compromise
- Static code analysis including mapping for MITRE ATT&CK®
- Simplified reports
Intezer redefines malware analysis, making it simpler and more effective and accelerating incident response automation and alert triage. Get started by analyzing and classifying 10 suspicious or unknown files per month for free at analyze.intezer.com
Related Resources
Learn more about Intezer’s malware analysis and its capabilities:
Teaching Capa New Tricks: Analyzing Capabilities in PE and ELF Files
Get Fast Insights for a Microsoft-signed Netfilter Rootkit
Covering the Infection Chain: Analyze Documents and Scripts with Intezer Analyze