Malware analysis can look easy from the outside, but in practice it draws on expertise in many areas. It is a field in its own right: some Tier 3 SOC analysts (subject matter experts) build their entire careers around it. At the same time, security analysts use malware analysis techniques in their daily work, so the fundamentals matter for them too.
To analyze malicious software correctly and to completion, you need a grounding in several subjects. Let's take a look at them.
Malware relies heavily on features of the operating system to escalate privileges, perform discovery and establish persistence. On Windows, for example, malware commonly abuses Task Scheduler, Services and the Registry (such as the Run keys) so that it survives reboots and logoffs.
Beyond these user-facing OS features, the Windows API, system calls, memory layout and other low-level topics also matter for successful malware analysis. We will cover these in more depth in the "Static Malware Analysis" training.
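The three Windows persistence locations named above (Run keys, services, scheduled tasks) are usually the first thing an analyst enumerates on a suspect host. The following script is an added example written for this page, not code from the training material: it applies a few triage heuristics (image in a user-writable directory, launch through a script host or LOLBin, encoded or hidden PowerShell, script file as payload) to a constructed list of entries, and on a live Windows host it can also pull the HKCU/HKLM Run keys via `winreg`. The sample entries and the heuristic thresholds are assumptions for illustration, not a complete detection set.

```python
"""Triage of Windows persistence entries (Run keys, services, scheduled tasks).

Added example: the entries are constructed, not collected from a real host, and the
heuristics are a starting point rather than a complete detection set.
"""
from __future__ import annotations
import re
import sys
from dataclasses import dataclass

# Locations a standard user can write to. Legitimate services and autoruns rarely
# live here; droppers very often do.
USER_WRITABLE = (
    r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
    r"c:\programdata", r"c:\windows\temp", "%temp%", "%appdata%",
)
# Script hosts and living-off-the-land binaries commonly used as launchers.
LOLBINS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "cmd.exe", "certutil.exe"}

@dataclass
class PersistenceEntry:
    source: str      # "run_key", "service" or "scheduled_task"
    name: str
    command: str     # value data / ImagePath / task action, as stored

def executable_of(command: str) -> str:
    """Lower-cased image name from a command line, handling a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.find('"', 1)]
    else:
        path = command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(entry: PersistenceEntry) -> list[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing fired."""
    cmd = entry.command.lower()
    exe = executable_of(entry.command)
    reasons = []
    if any(d in cmd for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if exe in LOLBINS:
        reasons.append(f"launched via script host / LOLBin {exe}")
    # -e / -enc / -EncodedCommand followed by a base64 blob; legitimate autoruns almost never do this
    if re.search(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}", cmd):
        reasons.append("encoded PowerShell command")
    if re.search(r"\bhidden\b", cmd):
        reasons.append("hidden window")
    if re.search(r"\.(vbs|vbe|js|jse|hta|bat|ps1)\b", cmd):
        reasons.append("script file as payload")
    return reasons

def find_suspicious(entries) -> dict[str, list[str]]:
    """Map entry name -> reasons, for entries where at least one heuristic fired."""
    return {e.name: r for e in entries if (r := triage(e))}

def collect_run_keys() -> list[PersistenceEntry]:
    """Read HKCU and HKLM Run keys on a live Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:          # no more values under this key
                    break
                entries.append(PersistenceEntry("run_key", f"{label}\\{name}", str(data)))
                index += 1
    return entries

# Constructed sample: two benign entries and two typical dropper-style ones.
SAMPLE_ENTRIES = [
    PersistenceEntry("run_key", "OneDrive",
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    PersistenceEntry("run_key", "Updater",
        r'wscript.exe //B "C:\Users\alice\AppData\Roaming\update.vbs"'),
    PersistenceEntry("service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    PersistenceEntry("scheduled_task", r"\Microsoft\Windows\SysHealth",
        r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
]

if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_ENTRIES + collect_run_keys()).items():
        print(f"{name}: {', '.join(reasons)}")
```

Note that the OneDrive entry is deliberately left unflagged even though it lives under `AppData\Local`: a rule that fires on every per-user install is useless, so the user-writable list is restricted to `Temp`, `Roaming`, `Public`, `ProgramData` and `Windows\Temp`. Services and scheduled tasks would be fed in the same way from `HKLM\SYSTEM\CurrentControlSet\Services` ImagePath values and `schtasks /query /v` output.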
Malware usually generates network activity: to exfiltrate data, to reach a command and control (C2) server, or to download second-stage payloads. Reading that traffic while analyzing a sample is one of the most direct ways to understand what the malware is for.
For this reason, malware analysts need at least basic network knowledge (TCP/IP, DNS, HTTP and TLS).
Many technologies use cryptography to provide security. Attackers use it as well, for purposes such as obfuscating code and strings, evading detection, and denying access to data.
Ransomware families in use today encrypt victims' files and withhold the key until a ransom is paid.
For these reasons we run into cryptography constantly during malware analysis: encoded configuration strings, encrypted payloads and packed sections are routine, and recognizing them is a core skill.
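Two small routines illustrate how cryptography shows up in day-to-day analysis. The code below is an added example written for this page, not code from the training material; the "binary" and the XOR-encoded configuration string are constructed inline, and the 0x5A key, the crib `b"http"` and the entropy threshold of 7.0 are assumptions. The first routine scans a buffer for high-entropy windows, which is how packed or encrypted regions are spotted before any disassembly; the second brute-forces the single-byte XOR encoding that droppers commonly use to hide C2 strings, ranking candidate keys by how text-like the output is and optionally by a known-plaintext crib.

```python
"""Spotting and undoing simple crypto in a sample: entropy scan plus single-byte
XOR key recovery. Added example with constructed data, not code from the course.
"""
from __future__ import annotations
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_regions(data: bytes, window: int = 256, threshold: float = 7.0) -> list[int]:
    """Offsets of windows that look encrypted or compressed (code and text sit well below 7)."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) >= threshold]

def xor_single_byte(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def is_printable(b: int) -> bool:
    return 32 <= b < 127 or b in (9, 10, 13)

COMMON = frozenset(b"etaoinshrdlu ")   # frequent bytes in text and config strings

def plaintext_score(data: bytes) -> int:
    """Higher is more text-like; one non-printable byte costs more than ten common bytes gain."""
    return sum(1 for b in data if b in COMMON) - 10 * sum(1 for b in data if not is_printable(b))

def recover_xor_key(blob: bytes, crib: bytes | None = None) -> tuple[int, bytes]:
    """Brute-force the 256 single-byte XOR keys.

    If a crib (known plaintext such as b"http" or b"MZ") is given, only keys whose
    output contains it are considered; survivors are ranked by plaintext_score.
    """
    candidates = list(range(256))
    if crib:
        candidates = [k for k in candidates if crib in xor_single_byte(blob, k)] or candidates
    key = max(candidates, key=lambda k: plaintext_score(xor_single_byte(blob, k)))
    return key, xor_single_byte(blob, key)

# Constructed sample: a C2 config string the way a dropper might store it, XORed with 0x5A.
PLAINTEXT_CONFIG = b"http://update.example.invalid/gate.php|sleep=60"
ENCODED_CONFIG = xor_single_byte(PLAINTEXT_CONFIG, 0x5A)
# Constructed "binary": 256 bytes of padding followed by 256 distinct bytes standing in
# for an encrypted blob (entropy exactly 8.0).
SAMPLE_IMAGE = b"\x00" * 256 + bytes(range(256))

if __name__ == "__main__":
    print("high-entropy windows at offsets", high_entropy_regions(SAMPLE_IMAGE))
    print("entropy of XORed config:", round(shannon_entropy(ENCODED_CONFIG), 2),
          "vs plaintext:", round(shannon_entropy(PLAINTEXT_CONFIG), 2))
    key, text = recover_xor_key(ENCODED_CONFIG, crib=b"http")
    print(f"key 0x{key:02x} ->", text.decode())
```

One point worth noticing when running this: the XOR-encoded config has exactly the same entropy as the plaintext, because a single-byte XOR only permutes byte values. The entropy scan therefore finds packed or properly encrypted regions, but trivial string encoding has to be caught separately, which is what the key-recovery routine is for. Real samples often use multi-byte XOR or RC4 instead, and the same crib-based approach extends to those once the key length is known.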