Loopus


Incident Response & Forensics / Malware Analysis Basics

Static Analysis

Lab, 35 min

Learning Objectives

  • Understand malware types and behaviors
  • Perform safe malware handling
  • Set up analysis environments

Malware Analysis Introduction

Understanding malware enables defenders to assess threats, extract indicators, and improve detection. Safe analysis requires proper environments and techniques.

Malware Categories

Ransomware - Encrypts files and demands payment. Modern operators usually exfiltrate data before encrypting so they can also threaten to leak it.

Trojans - Disguised as legitimate software to get the user to run them. Typically provide remote access or download additional payloads.

RATs (Remote Access Trojans) - Give the operator interactive control of the compromised system: shell, file transfer, screen capture, keylogging.

Backdoors - Provide a covert way back into a system that bypasses normal authentication, usually combined with a persistence mechanism so access survives reboots.

Droppers/Loaders - Stage the real payload. A dropper carries it embedded and writes it to disk; a loader fetches it from the network or decrypts it and runs it, often directly in memory.

Worms - Self-propagate across networks by exploiting vulnerabilities or weak credentials, with no user interaction.

Keyloggers - Capture keystrokes (and often clipboard and screenshots) for credential theft.

Rootkits - Hide the presence of other malware from security tools and users by hooking or patching the operating system, at user, kernel or boot level.

Analysis Types

Static analysis - Examine the file without executing it. Safer than running the sample, but limited: packing and obfuscation hide most of the real logic, and the parsers you point at a hostile file (PE loaders, archive tools, decompilers) are attack surface in their own right, so do it inside the analysis VM.

  • File hashes - MD5/SHA-1/SHA-256 identify the exact file and let you search threat-intel and sandbox databases before spending time on it.

  • Strings extraction - Printable ASCII and UTF-16 runs often leak URLs, IP addresses, file paths, registry keys, mutex names and error messages. Very few meaningful strings usually means the sample is packed.

  • Import/export analysis - The API names a binary imports hint at capability (process injection, networking, crypto, persistence). A near-empty import table containing little more than LoadLibrary and GetProcAddress is another packing indicator.

  • PE header examination - Compile timestamp, machine type, entry point, section names, sizes and permissions. Sections that are writable and executable, that have zero raw size but a large virtual size, or that have near-random (high-entropy) contents are classic packer signs.

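The script below is an added example, not code from the Loopus lesson. It performs the four static steps above on a PE file by hand: it hashes the bytes, walks the DOS, COFF, optional and section headers with struct, extracts printable strings, and applies the packer and injection heuristics just described. The PE it triages is constructed inline so the script runs offline; its section names, flag values and the http://example.invalid/stage2 string are constructed test data shaped like a UPX-packed loader, not a real sample. Import analysis is approximated by scanning extracted strings for API names (which appear in the import name table) rather than walking the import directory.

```python
# Added example, not part of the Loopus lesson: hand-rolled static triage of a PE file
# (hashes, headers, sections, strings, packer/injection heuristics) on a constructed sample.
import hashlib
import math
import random
import re
import struct
from collections import Counter

# Section characteristic bits (IMAGE_SCN_*) from the PE/COFF spec.
SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".themida", ".vmp0", ".vmp1"}
# APIs that loaders/injectors tend to use together. A hint, not a verdict.
SUSPICIOUS_APIS = {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "VirtualProtect", "NtUnmapViewOfSection", "URLDownloadToFileA", "WinExec"}

def file_hashes(data: bytes) -> dict:  # the identifiers you search threat-intel for
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; close to 8.0 means compressed or encrypted content."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def ascii_strings(data: bytes, min_len: int = 6) -> list:
    """Same idea as `strings -n 6`: printable-ASCII runs of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]            # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]                # 0x10b = PE32, 0x20b = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags, "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": timestamp, "characteristics": characteristics,
            "pe32plus": magic == 0x20B, "entry_rva": entry_rva, "sections": sections}

def triage(data: bytes) -> dict:
    """Run the static checks and return hashes, header facts, strings and findings."""
    pe = parse_pe(data)
    findings = []
    entry_sec = next((s for s in pe["sections"]
                      if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        findings.append("ENTRY_OUTSIDE_ALL_SECTIONS")
    elif entry_sec["name"] not in (".text", "CODE"):
        findings.append(f"ENTRY_IN_UNUSUAL_SECTION:{entry_sec['name']}")
    for s in pe["sections"]:
        if s["flags"] & SCN_WRITE and s["flags"] & SCN_EXECUTE:
            findings.append(f"WRITABLE_EXECUTABLE_SECTION:{s['name']}")
        if s["rawsize"] == 0 and s["vsize"] > 0:                 # empty on disk, filled by the unpacker
            findings.append(f"VIRTUAL_ONLY_SECTION:{s['name']}")
        if s["entropy"] > 7.0:
            findings.append(f"HIGH_ENTROPY_SECTION:{s['name']}")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"PACKER_SECTION_NAME:{s['name']}")
    strings = ascii_strings(data)
    # Stand-in for import analysis: imported-by-name APIs show up in the import name table as strings.
    for api in sorted(a for a in SUSPICIOUS_APIS if any(a in s for s in strings)):
        findings.append(f"SUSPICIOUS_API_STRING:{api}")
    return {"hashes": file_hashes(data), "pe": pe, "strings": strings, "findings": findings}

def build_sample_pe() -> bytes:
    """Constructed test input: a two-section PE32 shaped like a UPX-packed loader. Not a real sample."""
    rng = random.Random(7)
    payload = bytearray(rng.getrandbits(8) for _ in range(0x400))     # high-entropy "packed" blob
    for off, s in ((0x40, b"\0VirtualAlloc\0"), (0x60, b"\0WriteProcessMemory\0"),
                   (0x80, b"\0http://example.invalid/stage2\0")):     # example.invalid is constructed
        payload[off:off + len(s)] = s
    dos = bytearray(b"MZ".ljust(64, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F5E1000, 0, 0, 224, 0x0102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x11010)                           # entry point lands inside UPX1
    rwx = SCN_READ | SCN_WRITE | SCN_EXECUTE
    secs = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, rwx)
    secs += struct.pack("<8sIIIIIIHHI", b"UPX1", 0x400, 0x11000, 0x400, 0x200, 0, 0, 0, 0, rwx | SCN_CODE)
    header = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return bytes(header + payload)

if __name__ == "__main__":
    for line in triage(build_sample_pe())["findings"]:
        print(line)
```

Run it on a real file with `triage(open(path, "rb").read())`. On an ordinary compiler-built executable the findings list should be empty, which is a useful baseline; on the constructed sample it reports the entry point in UPX1, both sections writable and executable, UPX0 with no data on disk, UPX1 with high entropy, and the VirtualAlloc/WriteProcessMemory pair.
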
Dynamic analysis - Execute the sample in an instrumented, isolated environment and observe what it does. More revealing than static analysis (a packed sample unpacks itself for you), but riskier because the sample really runs, so isolation and a clean snapshot are mandatory. Sandbox-aware malware may check for a VM, a debugger or a missing network and behave benignly, so a quiet run is not proof of harmlessness.

  • Network connections - DNS lookups, C2 addresses and ports, downloaded second-stage payloads

  • Process activity - Child processes, injection into other processes, services started

  • File modifications - Dropped files, encrypted or deleted files, cleared logs

  • Registry changes - Run keys and other persistence, disabled security settings

Code analysis - Reverse engineer the code itself with a disassembler or decompiler (for example IDA, Ghidra or Binary Ninja) and a debugger. Most detailed, but most time-consuming and requires assembly-level skill.

Safe Handling

Isolation - Never analyze on a production system or on your everyday workstation; a single accidental double-click is enough to infect it.

Virtual machines - Snapshots make restoration cheap. Take the snapshot before you run the sample and revert to it after every run, so each execution starts from a known-clean state.

Network isolation - Disconnect the VM or attach it to a host-only/isolated network so the sample cannot reach real targets, beacon to its C2 or spread. If you need to see its traffic, route it to a simulated service rather than the Internet.

Password protection - Store and transfer samples in password-protected archives (the long-standing convention is the password "infected"). This keeps antivirus from quarantining the archive in transit and keeps anyone from opening the sample by accident.

Documentation - Record the hashes, where the sample came from, when you received it, who has handled it and every step you performed. This is your chain of custody if the case ever becomes a legal matter.

Analysis Environment Setup

Dedicated hardware - The analysis VM should not share a physical host with sensitive systems; hypervisor escapes are rare but real, and separate hardware also contains a mistake in network configuration.

Snapshot baseline - Create a clean snapshot with all tools installed before the first sample touches the machine, and keep an offline copy of the VM image.

Tool preparation - Install analysis tools (hex editor, PE viewer, hash and strings utilities, Sysinternals, a debugger, a disassembler) before exposure; once the VM is cut off from the network you cannot safely download anything.

Network simulation - Provide fake DNS, HTTP and other services (for example INetSim or FakeNet-NG) so network-dependent malware will run and reveal its C2 addresses without actually contacting them.

Commercial sandboxes such as ANY.RUN or Joe Sandbox are worth considering for production use. Check the sharing terms before uploading: samples submitted to a public tier may be visible to anyone, including the attacker, and may contain your organization's data.

Review Questions

  • What is static malware analysis?

  • What term describes file signature identifiers?

  • What PE elements are suspicious?

  • What is the acronym for Windows executables?