Why It Matters
Modern threats deliver custom-built or rapidly-evolving malware faster than vendors can issue signatures. When endpoints flag a suspicious binary or incident response teams find an unknown executable on a compromised host, malware analysis converts a single sample into the IOCs, behavioral patterns, and detections that protect the rest of the environment.
The 2017 NotPetya analysis revealed it was a destructive wiper, not ransomware, redirecting global response. Reverse engineering of Stuxnet exposed nation-state capability. Analysis of the SolarWinds SUNBURST backdoor produced detections used worldwide.
The Analysis Workflow
1. Triage
Quick wins before deep analysis:
- Hash lookup on VirusTotal, MalwareBazaar, Hybrid Analysis
- File type and architecture identification
- Strings and entropy to detect packing
- AV/EDR signature matches
2. Static Analysis
Examining the binary without execution:
# Common static analysis commands
file suspicious.exe # File type
strings -n 8 suspicious.exe # Printable strings
sha256sum suspicious.exe # Hash
exiftool suspicious.exe # Metadata
pefile / pe-bear / CFF Explorer # PE structure
yara rules.yar suspicious.exe # YARA matching
capa suspicious.exe # Capability detectionLook for imports (suspicious WinAPI calls like VirtualAllocEx, WriteProcessMemory, CreateRemoteThread), embedded resources, and indicators of packing (high entropy, few imports, unusual section names).
3. Dynamic Analysis
Run the sample in an isolated environment and observe:
- Process tree changes
- File system writes (autostart locations, dropped payloads)
- Registry modifications (persistence keys)
- Network behavior (DNS, C2 beaconing, exfiltration)
- Mutex creation and named pipes
Sandboxes automate much of this: Cuckoo, Any.run, Joe Sandbox, Hybrid Analysis.
4. Code-Level Analysis
For sophisticated samples, reverse engineer with disassemblers and decompilers:
- IDA Pro: industry standard with decompiler add-on
- Ghidra: free NSA-developed alternative with strong decompilation
- Binary Ninja: modern UI with scripting
- x64dbg / WinDbg: dynamic debugging
Manual analysis recovers algorithms (encryption schemes, custom protocols), evasion techniques (anti-debug, anti-VM), and unique fingerprints suitable for high-fidelity detections.
Anti-Analysis Techniques
Outputs
Malware analysis produces tangible defensive products:
| Output | Used By | Example |
|---|---|---|
| File hashes | SOC, EDR | SHA256 of dropper |
| YARA rules | Hunters | Pattern matching across files |
| Sigma rules | SIEM detection | Behavioral telemetry rules |
| Network IOCs | NDR, firewalls | C2 domains, IPs, JA3 |
| ATT&CK mapping | Threat intel | TTPs used by sample |
| Family attribution | Strategic intel | Links to known actor |
Frameworks and Standards
- MITRE ATT&CK: standard taxonomy of TTPs
- MAEC: Malware Attribute Enumeration and Characterization
- STIX/TAXII: structured threat information sharing
- YARA: rule language for pattern-matching
- Capa: identifies capabilities in executables
Best Practices
- Always work in isolated VMs with reliable snapshot/revert.
- Maintain analysis-only network segments with simulated internet.
- Hash and document everything for chain of custody.
- Time-box deep analysis, most samples do not warrant week-long reversing.
- Share findings with the community via MISP, MalwareBazaar, or industry ISACs.
- Map findings to ATT&CK for consistent intelligence integration.
Related Concepts
How We Teach Malware Analysis
In our Cybersecurity Bootcamp, you won't just learn about Malware Analysis in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.
Covered in:
Module 8: Advanced Security Operations
360+ hours of expert-led training • CompTIA Security+ included