Introduction
Hello, my dear hackers out there, and to you, my blog readers. This is the first blog I’m writing, and I’m trying my best to bring together my research and my newly discovered content-writing skills to deliver a simplified and comprehensive blog. My first blog is about dynamic malware analysis, a critical part of a cybersecurity professional’s daily work. So let me first brief you. Dynamic malware analysis is the more comprehensive of the two main malware analysis methods, the other being static analysis. It is chosen over static analysis because the process can be automated (in a sandbox) and produces data-driven results and direct insight into how the malware actually behaves. Though it looks easy and simple, it is not: the easier it looks, the more in-depth and technically demanding it becomes. Running and observing malware in a controlled manner requires substantial technical knowledge so that the analysis does not affect normal operations. Since the malware is actually executed, regardless of how harmful it is, this must be done in a controlled environment, as we do not know in advance what the malware is intended to do. This ties back to what I mentioned earlier: one should have deep technical knowledge of what they are doing.
1. Why Use Dynamic Analysis in Cybersecurity?
This method is most popular among entry-level SOC analysts, i.e., SOC Tier 1, who handle the initial phase of security monitoring. In this phase, they work out what activity occurred, and they often use dynamic analysis to automate and fast-track that work. That said, the method is used at almost all SOC analyst levels. The things analyzed include activity on the organization’s network, files that employees accessed or received from external sources, and other suspicious items flagged by firewalls or other security controls. Various sandboxes (which I’ll cover later in this blog) are used to automate the dynamic malware analysis process.
2. Preparing for Malware Analysis
Before starting the dynamic analysis process, we need a well-organized setup. By “well-organized,” I mean a secure and isolated environment in which to run the malware. If you’ve read the introduction above, you’ll understand why this is necessary. We need several hardware and software components.
Virtualized Environment
Before doing anything, we need a completely virtualized environment in which we install a fresh, separate OS such as Windows or Linux. Since we don’t want to risk our actual systems, we use these virtual machines to isolate our host system from the guest OS on which we test malware. However, we must have proper and advanced knowledge of the configuration options in these virtualization tools to prevent malware from escaping the test OS and affecting our actual system. In practice that means taking a clean snapshot before each run, disabling shared folders, clipboard sharing and drag-and-drop between host and guest, and keeping the guest on a host-only or otherwise isolated network rather than bridged to your real LAN. Common virtualization solutions include VirtualBox and VMware Workstation Pro.
Though VMware Workstation Pro used to be a professional (paid) version, it is now offered free of cost. I recommend taking full advantage of it, as many premium features are available with better functionality.
Utility Software
The next step after setting up the virtual environment and installing your preferred OS is installing utility software. Let me break this down. By utility software I mean the common programs we typically use, such as Word, PowerPoint, Adobe Photoshop, and similar applications. The reason for this is to trick the malware into believing it is running on a normal user’s machine and not in a sandbox. Many malware samples are written to detect sandbox environments by checking whether such everyday software is missing. If they don’t find these programs, there is a good chance the malware will not perform its intended actions, and we will learn nothing from the run.
Debuggers
Next, we use debuggers. Debuggers let us step through a program’s instructions one at a time, inspect its state, and modify its execution flow. During dynamic malware analysis, we use debuggers to understand the operations and structure of the malware in detail. For example, we can bypass environment checks such as a sample that only runs if the logged-in user is named “JOHN,” so that the rest of its behavior can be observed.
Common debuggers include OllyDbg, WinDbg, and Radare2.
Network Monitoring Tools
Network monitoring tools are one of the most important parts of the setup. Most malware aims to establish a connection to an external server controlled by the attacker. Rather than causing damage immediately, the sample typically opens this connection first, because it lets the attacker deliver further instructions or payloads and gain unauthorized privileges on the victim. So, we use network monitoring tools to observe network activity while the malware executes in the sandbox. This helps us identify which connections the malware attempts, which IPs and domains it contacts, and how those connections are made (protocol, port, and any encoding). These observations also help the security team understand the malware better and build detections to safeguard the systems.
Common tools include Wireshark and Burp Suite.
Process Monitoring Tools
Process monitoring tools are also crucial. When malware executes, these tools let us see which new processes it creates, which parent process spawned them, and with what command line. Windows comes with its own basic tool, Task Manager.
Other tools include Process Hacker and Process Explorer (Sysinternals).
File Activity Monitoring Tools
The file system is where we must be most cautious when running malware. Malware can target sensitive paths to modify or access files it is not authorized to touch. It can also drop additional malicious files on disk that execute when opened. Some samples even create startup entries so that the dropped file runs automatically every time the system boots, which is how they persist across reboots.
A common tool for recording this activity is Sysmon (Sysinternals).
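To show how the process, network and file activity sections above come together during a sandbox run, here is an added example (my own illustration, not code from any tool named in this blog) that parses a few constructed, simplified Sysmon-style events and groups them into the behaviours an analyst looks for: processes spawned, files dropped, startup (Run key) entries, and outbound connections. The XML omits the real Sysmon event namespace and the event IDs used (1, 3, 11, 13) are Sysmon's real ones; the paths and IP are made up.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified Sysmon-style events (real Sysmon XML carries a namespace).
# Event IDs: 1 = process create, 11 = file create, 13 = registry value set, 3 = network connection.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="Image">C:\\Users\\lab\\sample.exe</Data>
 <Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
</EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
 <Data Name="Image">C:\\Users\\lab\\sample.exe</Data>
 <Data Name="TargetFilename">C:\\Users\\lab\\AppData\\Roaming\\svc.exe</Data>
</EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
 <Data Name="Image">C:\\Users\\lab\\sample.exe</Data>
 <Data Name="TargetObject">HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\svc</Data>
 <Data Name="Details">C:\\Users\\lab\\AppData\\Roaming\\svc.exe</Data>
</EventData></Event>
<Event><System><EventID>3</EventID></System><EventData>
 <Data Name="Image">C:\\Users\\lab\\AppData\\Roaming\\svc.exe</Data>
 <Data Name="DestinationIp">203.0.113.10</Data>
 <Data Name="DestinationPort">443</Data>
</EventData></Event>
</Events>"""

# Registry paths whose values are executed at logon (the "startup entries" from the text).
RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


def parse_events(xml_text):
    """Yield (event_id, {field_name: value}) for every <Event> in the log."""
    for ev in ET.fromstring(xml_text).iter("Event"):
        eid = int(ev.find("System/EventID").text)
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        yield eid, data


def summarize_run(xml_text):
    """Group one sandbox run's events by the behaviour each one evidences."""
    report = {"processes": [], "files_written": [], "persistence": [], "connections": []}
    for eid, d in parse_events(xml_text):
        if eid == 1:
            report["processes"].append((d.get("ParentImage"), d.get("Image")))
        elif eid == 11:
            report["files_written"].append(d.get("TargetFilename"))
        elif eid == 13 and any(k in d.get("TargetObject", "") for k in RUN_KEYS):
            report["persistence"].append((d.get("TargetObject"), d.get("Details")))
        elif eid == 3:
            report["connections"].append((d.get("Image"), d.get("DestinationIp"), int(d.get("DestinationPort", 0))))
    # Correlate: a file the sample wrote that is also registered to run at startup.
    report["dropped_and_persisted"] = [p for _, p in report["persistence"] if p in report["files_written"]]
    return report
```

Running `summarize_run(SAMPLE_EVENTS)` ties the dropped `svc.exe` to its Run key and to the later outbound connection made by that same file, which is the chain an analyst wants to see in one place.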
Conclusion
So, this was a brief explanation—I’ve tried my best to explain it the way I understand the concept. I hope you all now have a better idea of what dynamic malware analysis is. If you have anything to clarify or ask—whether related or not—feel free to comment or email me. I’ll be happy to explain in more detail anything I may have missed here. My next blog will be out soon on a related and very interesting topic. Stay tuned!