What is Malware Analysis?
Malware analysis is the process of understanding the behavior and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat. It is a crucial process for computer and network security, and for protecting an organization's sensitive information. Malware analysis helps address vulnerabilities before they get out of hand.
There are two different approaches to analyzing malware, and they are :-
1. Static Analysis
In static analysis, the malware is examined by reverse engineering methods, that is, without executing it. Generally, reverse engineering is done by decompiling or disassembling the malware, so that each step the malware would execute can be analyzed and its behavior inferred. For safety, static analysis should only be done in an isolated or virtual machine.
Information examined in Static Analysis :-
- Portable Executable (PE) headers.
- Imported DLLs.
- Exported DLLs.
- Strings in binary.
- CPU instructions.
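Three of the items above (PE headers, imported DLLs and strings in the binary) can be extracted without running anything. The following is an added example, not code from the original article: a small parser written with only the Python standard library that reads the DOS/COFF/optional headers, walks the section table and import directory, and pulls printable strings. It runs over a constructed, non-executable PE32 image built in `build_sample_pe()` so that it works offline; the DLL name, function names and URL in that image are sample values, not indicators from any real malware.

```python
"""Minimal PE header, import table and string extraction (static analysis).

Added example using only the standard library. build_sample_pe() constructs a
tiny PE32 image with one .rdata section; it is sample data, not a real binary.
"""
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def build_sample_pe() -> bytes:
    """Construct a minimal PE32 file image: headers, one section, an import
    descriptor for kernel32.dll (CreateFileA, WriteFile) and one ASCII string."""
    img = bytearray(0x400)

    def put(off, raw):
        img[off:off + len(raw)] = raw

    put(0, b"MZ")
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew -> PE header
    put(0x40, b"PE\0\0")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, 0x44, IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x58                                              # optional header (PE32, 0xE0 bytes)
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 28, 0x400000)        # ImageBase
    struct.pack_into("<I", img, opt + 32, 0x1000)          # SectionAlignment
    struct.pack_into("<I", img, opt + 36, 0x200)           # FileAlignment
    struct.pack_into("<I", img, opt + 92, 16)              # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8, 0x1000, 0x28)  # data directory[1] = imports
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0,
                     b".rdata", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x40000040)
    base = 0x200                                            # .rdata raw data, RVA 0x1000
    # Import descriptor: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", img, base, 0x1040, 0, 0, 0x1080, 0x1060)  # null descriptor follows
    struct.pack_into("<III", img, base + 0x40, 0x10A0, 0x10C0, 0)       # import lookup table
    struct.pack_into("<III", img, base + 0x60, 0x10A0, 0x10C0, 0)       # import address table
    put(base + 0x80, b"kernel32.dll\0")
    put(base + 0xA0, b"\0\0CreateFileA\0")                  # hint (2 bytes) + name
    put(base + 0xC0, b"\0\0WriteFile\0")
    put(base + 0x100, b"http://example.invalid/constructed-sample\0")  # constructed string
    return bytes(img)


def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_pe(data: bytes, min_str_len: int = 8) -> dict:
    """Return machine type, section names, imports per DLL and printable strings."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:          # 32-bit: 4-byte thunks, ordinal flag in bit 31
        ndirs_off, dir_off, thunk_fmt, ord_flag = 92, 96, "<I", 1 << 31
    elif magic == PE32PLUS_MAGIC:    # 64-bit: 8-byte thunks, ordinal flag in bit 63
        ndirs_off, dir_off, thunk_fmt, ord_flag = 108, 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]

    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawsize, rawptr))

    def rva_to_off(rva):  # map a virtual address to a file offset via the section table
        for _, va, vsize, rawsize, rawptr in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + rawptr
        raise ValueError("RVA 0x%x not in any section" % rva)

    imports = {}
    imp_rva = struct.unpack_from("<I", data, opt + dir_off + 8)[0] if ndirs > 1 else 0
    desc = rva_to_off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        thunk, names = rva_to_off(oft or ft), []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            names.append("ordinal#%d" % (entry & 0xFFFF) if entry & ord_flag
                         else _cstr(data, rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva)).lower()] = names
        desc += 20

    strings = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_str_len, data)]
    return {"machine": machine, "characteristics": chars, "pe32plus": magic == PE32PLUS_MAGIC,
            "sections": [s[0] for s in sections], "imports": imports, "strings": strings}


if __name__ == "__main__":
    for k, v in parse_pe(build_sample_pe()).items():
        print(k, v)
```

The parser handles both PE32 and PE32+ thunk widths and ordinal imports, which is where hand-written triage scripts most often go wrong. The imported function list and the strings are the static "capability" hints that the later comparison paragraph refers to; the same function can be pointed at a real file by passing `open(path, "rb").read()` from inside an isolated analysis VM.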
2. Dynamic Analysis
In dynamic analysis, the behavior of the malware is examined by running it on a system. Applications that can monitor registry, file, network and process events are installed on the system, and the behavior of the malicious software is observed while it runs.
Events examined in Dynamic Analysis :-
- Network connections.
- File events.
- Process events.
- Registry events.
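The value of the four event streams above comes from correlating them, not from reading each in isolation. As an added example (not code from the original article, and not the output format of any particular sandbox), the script below takes constructed JSON-lines events in a hypothetical monitor format, sorts them into the four categories, rebuilds the process tree, and flags three patterns an analyst looks for first: a file written by the sample and later executed, a value set under a Run key, and an outbound connection. Paths, the registry key and the IP address (from the 198.51.100.0/24 documentation range) are sample values.

```python
"""Categorise and correlate constructed dynamic-analysis events.

Added example. The JSON-lines format below is hypothetical; real monitors
(Sysmon, Cuckoo reports, procmon exports) differ and would need a small adapter.
"""
import json
from collections import defaultdict

# Constructed sample events: a sample drops a helper, registers it to run at
# logon, starts it, and the helper makes one outbound connection.
SAMPLE_EVENTS = r"""
{"t": 1, "type": "process", "pid": 100, "ppid": 1, "image": "C:\\sample\\sample.exe"}
{"t": 2, "type": "file", "pid": 100, "op": "write", "path": "C:\\Users\\Public\\helper.exe"}
{"t": 3, "type": "registry", "pid": 100, "op": "set", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\helper", "value": "C:\\Users\\Public\\helper.exe"}
{"t": 4, "type": "process", "pid": 200, "ppid": 100, "image": "C:\\Users\\Public\\helper.exe"}
{"t": 5, "type": "network", "pid": 200, "dst": "198.51.100.7", "port": 443, "proto": "tcp"}
{"t": 6, "type": "file", "pid": 200, "op": "read", "path": "C:\\Users\\Public\\notes.txt"}
"""

# Registry key fragments commonly associated with logon persistence.
PERSISTENCE_KEY_FRAGMENTS = (r"\currentversion\run", r"\currentversion\runonce")


def load_events(text):
    """Parse JSON-lines text into a list of event dicts ordered by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["t"])


def summarize(events):
    """Group events into the four categories examined in dynamic analysis."""
    buckets = {"network": [], "file": [], "process": [], "registry": []}
    for e in events:
        buckets[e["type"]].append(e)
    return buckets


def process_tree(events):
    """Map each parent pid to the pids it spawned, in creation order."""
    tree = defaultdict(list)
    for e in events:
        if e["type"] == "process":
            tree[e["ppid"]].append(e["pid"])
    return dict(tree)


def flag_findings(events):
    """Correlate events in time order and return human-readable findings."""
    findings = []
    written = {}  # lower-cased path -> pid that wrote it
    for e in events:
        if e["type"] == "file" and e["op"] == "write":
            written[e["path"].lower()] = e["pid"]
        elif e["type"] == "process" and e["image"].lower() in written:
            findings.append("dropped-and-executed: pid %d wrote %s, later run as pid %d"
                            % (written[e["image"].lower()], e["image"], e["pid"]))
        elif (e["type"] == "registry" and e["op"] == "set"
              and any(f in e["key"].lower() for f in PERSISTENCE_KEY_FRAGMENTS)):
            findings.append("persistence: pid %d set %s = %s" % (e["pid"], e["key"], e["value"]))
        elif e["type"] == "network":
            findings.append("network: pid %d -> %s:%d/%s" % (e["pid"], e["dst"], e["port"], e["proto"]))
    return findings


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for cat, items in summarize(evs).items():
        print("%-8s %d event(s)" % (cat, len(items)))
    print("process tree:", process_tree(evs))
    for line in flag_findings(evs):
        print(line)
```

Because the correlation is order-sensitive (the write must precede the execution), the loader sorts on the timestamp first; monitors that emit events out of order or from several collectors need that step before any such rule is applied.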
Difference between Static Analysis and Dynamic Analysis
- Static analysis takes a long time, whereas dynamic analysis takes a short time.
- Static analysis helps to understand the full capability of the malware, whereas dynamic analysis only shows the activities performed on the system on which it is run.
- Static analysis provides detailed analysis results, whereas dynamic analysis provides less detailed results.
Cuckoo Sandbox and REMnux are the most widely used sandbox environments for malware analysis.