By Staff Malware Analysis Rules

Status
Not open for further replies.

LabZero

Thread author
We would like to improve our Malware Analysis forum and make it more professional, and so establish the rules for the proper and safe conduct of analyses.

Of course, these rules apply only to static and dynamic analysis threads.

For help, questions and so on, our general rules are already in place.


We can post these analysis modes:

- Static: the sample is analysed without running it, by studying the code and functions that determine its behaviour.

- Dynamic: the malware is studied in live mode, by running its functions and routines.

- Static + Dynamic: if you find executable strings during the static analysis, it is not certain that they are actually executed, so it is possible to run the malware as a second step.

MALWARE ANALYSIS RULES

To be approved, a malware analysis thread must follow these rules.

It is required:


  • Link to an online automated analysis of the analysed sample: Malwr or Hybrid Analysis.
  • VirusTotal link: post the most recent VT analysis.
  • Indicate the type of analysis: static, dynamic or static + dynamic.
  • Host operating system.
  • Guest operating system.
  • Containment: VM, Shadow Defender.
  • Used analysis tools.
  • Protect your confidential and personal data: the VM is created specifically for the analysis of the malware and must not contain personal data. Shadow Defender virtualizes the current session and the data it contains: they are still present and accessible to a possible malware, dynamically analysed, that could share them via the internet. In this case, it is necessary to encrypt or move the personal data.
  • Switch off your internet connection if you are doing a static analysis.
  • In the case of dynamic analysis, the internet connection must be active to monitor for any malware connection.
  • We consider that the analysis of malware code must be performed without an active antivirus; so, specifically, the IP address assigned to the VM on NAT is translated into the IP address assigned to the physical network adapter when NAT needs to communicate with the internet. In short, a VM under NAT usually uses the real physical IP, and it's the same with Shadow Defender.
  • Then, it is necessary to use an outbound firewall in interactive mode to stop and analyse any malware connections, some of which trigger spam and botnets, causing IP blacklisting or privacy problems for us.
  • Firewall reports and screenshots are mandatory only in the dynamic analysis, in the case of malware connections, but the firewall must be active also in the static one because of possible involuntary malware activations.
  • Some malware can recognize the virtual machine, for example by checking the presence of VM-specific drivers or certain registry keys, or by using guest-host / host-guest communication mechanisms, privileged instructions, or the return values of some instructions. In this case, the malware doesn't start itself and the dynamic test fails.