Malware Analysis Road Map and essential tools

teto2005 (thread author)
May 14, 2017
Hello guys,
I am new here and I am not sure if I am in the right place or not.
I am seeking your advice on learning "static" malware analysis, as I am not good at assembly.
Besides that, the required tools to perform the analysis and a road map.
Thanks a lot :)
 
Hello

Well, static analysis consists of analyzing a malware sample without running it, studying the code and the functions to determine its behavior, but it is really very difficult to explain the concepts, especially if you don't know assembly.

Let's say that usually .NET malware (not obfuscated) can be investigated by accessing the code with ILSpy, for example.
As for malware written in C/C++, it is more complex because it is virtually impossible to get back to the source code starting from the executable.

Here you can use PEiD, which can be useful for investigating strings and file sections, both useful for understanding the malware's behavior.

For example, here are the file sections:

- .text contains the instructions that the CPU will run (the executable code);
- .rdata usually contains the import and export information. It can also hold the read-only data used by the malware;
- .data contains the global data of the executable;
- .rsrc contains the resources used by the executable that are not considered part of it, such as icons, images, and strings.

Of course the topic is very complex.
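A worked example of the static look described in the reply above, added here and not part of the original thread or of any tool it names: a stand-alone Python script that builds a small PE32 image in memory (a constructed sample, not real malware; its section contents and strings are made up), then walks the section table the way a PE viewer would, reports each section's read/write/execute permissions, flags any section that is both writable and executable (the pattern a packer leaves when it unpacks into the code section at runtime, which is the kind of thing PEiD is used to spot), extracts printable strings per section, and locates the entry point. Only the standard library is used; the names `build_sample_pe`, `strings_in`, `triage` and `align_up` are chosen for this example.

```python
"""Minimal PE static triage: section table, permissions, strings, entry point.

Added example, not code from the original thread. Uses only the standard
library so it runs offline; the sample PE below is CONSTRUCTED in memory
and is neither runnable code nor a real sample. For a real file, pass
open(path, "rb").read() to triage().
"""
import re
import struct

# Section characteristic flags as defined in the PE/COFF specification.
SCN_CODE, SCN_IDATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN, SECTION_ALIGN = 0x200, 0x1000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def align_up(n, a):
    """Round n up to the next multiple of a."""
    return -(-n // a) * a


def build_sample_pe(writable_code=False):
    """Construct a tiny PE32 image with the four classic sections (made-up content).

    writable_code=True marks .text writable as well, the W+X pattern that
    packers leave behind when they unpack into the code section at runtime.
    """
    text_flags = SCN_CODE | SCN_EXEC | SCN_READ | (SCN_WRITE if writable_code else 0)
    sections = [  # (name, raw content, characteristics); all content is constructed
        (b".text", b"\x55\x8b\xec\xe8\x00\x00\x00\x00\xc3", text_flags),
        (b".rdata", b"kernel32.dll\x00CreateRemoteThread\x00http://example.invalid/gate.php\x00",
         SCN_IDATA | SCN_READ),
        (b".data", b"config.dat\x00", SCN_IDATA | SCN_READ | SCN_WRITE),
        (b".rsrc", b"MAINICON\x00", SCN_IDATA | SCN_READ),
    ]
    opt_size = 224  # size of a PE32 optional header
    first_raw = align_up(64 + 4 + 20 + opt_size + 40 * len(sections), FILE_ALIGN)
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # Optional header: Magic .. AddressOfEntryPoint (offset 16) .. FileAlignment (offset 36)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, SECTION_ALIGN, 0, 0)
    opt += struct.pack("<III", 0x00400000, SECTION_ALIGN, FILE_ALIGN)
    opt = opt.ljust(opt_size, b"\x00")
    table, body, raw_ptr = b"", b"", first_raw
    for i, (name, data, flags) in enumerate(sections):
        raw_size = align_up(len(data), FILE_ALIGN)
        table += struct.pack(SECTION_FMT, name, len(data), SECTION_ALIGN * (i + 1),
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
    return (dos + b"PE\x00\x00" + coff + opt + table).ljust(first_raw, b"\x00") + body


def strings_in(data, min_len=5):
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(pe):
    """Walk MZ -> PE -> COFF -> section table and summarise what a static look shows."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry_rva = struct.unpack_from("<I", pe, opt_off + 16)[0]  # same offset for PE32/PE32+
    report = {"entry_rva": entry_rva, "entry_section": None, "sections": []}
    for i in range(nsec):
        name, vsize, rva, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_FMT, pe, opt_off + opt_size + 40 * i)
        perms = ("R" if flags & SCN_READ else "-") + ("W" if flags & SCN_WRITE else "-") \
            + ("X" if flags & SCN_EXEC else "-")
        sec = {
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "rva": rva, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize, "perms": perms,
            # writable + executable is a classic packer / self-modifying-code indicator
            "wx": bool(flags & SCN_WRITE) and bool(flags & SCN_EXEC),
            "strings": strings_in(pe[rptr:rptr + rsize]),
        }
        if rva <= entry_rva < rva + max(vsize, rsize):
            report["entry_section"] = sec["name"]
        report["sections"].append(sec)
    return report


if __name__ == "__main__":
    for packed in (False, True):
        rep = triage(build_sample_pe(writable_code=packed))
        print(f"entry point RVA 0x{rep['entry_rva']:x} in {rep['entry_section']}")
        for s in rep["sections"]:
            flag = "  <-- W+X, suspicious" if s["wx"] else ""
            print(f"  {s['name']:<8} rva=0x{s['rva']:05x} raw=0x{s['raw_ptr']:04x}"
                  f" perms={s['perms']}{flag}  strings={s['strings']}")
```

To use it on a real file, replace the constructed image with open(path, "rb").read() and do so on an isolated analysis VM. The order of the checks matters: on a packed sample the strings in .rdata and .data are mostly garbage until the sample is unpacked, so section permissions, an entry point outside .text, and non-standard section names are what to look at first.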
 
Thanks a lot for your reply.
Would you please recommend an assembly reference?