Simple Malware Analysis

Captainyarimca (new member), 15 Nov 2020, Kocaeli
In this topic, I will tell you how malware analysis is done, what types of analysis there are, what it is for, and which programs are used. You will get an idea of how to perform malware analysis and which methods to look into.

First of all, I would like to mention that the methods I describe here are the methods I use myself; you can develop your own methods as you improve.

What is Malware Analysis?
Malware: software that runs on our system without our permission, for example RATs, trojans, rootkits and ransomware.

Malware Analysis: as the definition of malware suggests, this is detecting malicious software by analyzing files. In some cases anti-virus products are not enough, and then you have to analyze the file yourself. Many of today's viruses get into systems easily by bypassing anti-virus. The best way to guard against this is to perform a malware analysis.

There are two types of malware analysis: Static Analysis and Dynamic Analysis.
Static Analysis: analysis performed by examining the code of the suspicious file without running it.
Dynamic Analysis: analysis performed by running the suspicious file on a system and observing what it does there.

How to do Malware Analysis?

You now have the basic background on malware analysis. Let's move on to how it is actually done.

The first step in malware analysis is to collect information about the file to be examined. There are many programs for information gathering. As I said before, the methods and programs each person uses are different; I will describe the programs I use myself.

> PEiD
> DIE
> PE Insider
> CFF Explorer

PEiD Usage:

First, we get information about the file with the PEiD program. It tells us which language (compiler) the file we will examine was written in. PEiD does not do much else; its most important feature is that we learn which language the file is written in. We drag and drop the file we want to examine onto the program and that's all.

DIE Usage:

The DIE (Detect It Easy) program is a more advanced version of PEiD. We can get a lot of information about the file from DIE: we drag and drop the file we want to examine onto the program, and it shows us a lot of details about the file.

Using CFF Explorer:

After downloading CFF Explorer, we need to install it. Once installed, we open CFF Explorer, press Open in the File tab and select the file we want to examine. It then shows us a lot of information about the file.

Yes guys, with the tools above we have enough information about the file we will examine. Now it's time to read the file's code. If there is malware in the file, we will find out by reading its code.
I use the dnSpy program to read the code. If you want, you can use another program. We drag and drop the file onto dnSpy and it makes all the file's code readable.

NOTE: If the file we will examine is obfuscated or compressed (packed), the code may not be readable. In that case we can deobfuscate it with various tools and make the code of the protected file readable.

Using dnSpy, we read all the file's code one by one. If we spot malicious code during this reading, we can conclude that the program is malicious.

By reading the code, we are doing static analysis. So, if we do the steps above, we have done a static analysis. Let's move on to how dynamic analysis is done.
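The information-gathering step above (what PEiD and DIE answer: 32- or 64-bit, .NET or native, packed or not) and the note about packed files can be reproduced by reading the PE headers yourself. The following is an added example written for this post, not code from the original or from any of the tools named; it parses a minimal PE file, checks the CLR data directory (a .NET assembly is what dnSpy can decompile) and flags sections whose byte entropy is near 8 bits, the usual sign of a packed or encrypted payload. The sample file is constructed in the script, so it runs offline.

```python
import math
import struct
CLR_DIR = 14  # data directory slot of the CLR (.NET) runtime header

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: plain code ~5-6, packed/encrypted data near 8."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def triage_pe(data: bytes) -> dict:
    """Answer the PEiD/DIE questions from the PE headers: bitness, .NET or not, packed or not."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew -> 'PE\0\0'
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]       # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]  # COFF SizeOfOptionalHeader
    opt = pe + 24                                          # optional header after 20-byte COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    clr_rva, clr_size = struct.unpack_from("<II", data, opt + (112 if pe32plus else 96) + CLR_DIR * 8)
    sections = []
    for i in range(nsec):                                  # 40-byte section headers follow the optional header
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         round(entropy(data[raw_ptr:raw_ptr + raw_size]), 2)))
    return {"arch": "x64" if pe32plus else "x86",
            "dotnet": clr_rva != 0 and clr_size != 0,      # .NET assembly -> dnSpy can decompile it
            "sections": sections,
            "likely_packed": any(e > 7.0 for _, e in sections)}

def build_sample_pe(dotnet: bool, packed: bool) -> bytes:
    """Constructed test input, not a real binary: minimal PE32 headers plus two sections."""
    nsec, opt_size, pe = 2, 224, 0x40
    text = b"\x90" * 64 + b"A" * 64                        # low-entropy 'code' section
    blob = bytes(range(256)) * 2 if packed else b"\0" * 512  # 8.0 bits/byte when 'packed'
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", pe)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIR * 8, 0x2008, 72)  # fake CLR header RVA/size
    secs, ptr = b"", pe + 24 + opt_size + nsec * 40
    for name, body in ((b".text", text), (b".data", blob)):
        secs += struct.pack("<8sIIII", name, len(body), 0x1000, len(body), ptr) + b"\0" * 16
        ptr += len(body)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs + text + blob
```

On a real sample, read the file with `open(path, "rb").read()` and pass it to `triage_pe`; a high-entropy section together with no readable code in dnSpy is the case the NOTE above is talking about.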

How is Dynamic Analysis Performed?

Dynamic analysis is performed by running the file to be examined on a system and observing what it does there. For this you need a Windows installation in a virtual machine, or a sandbox program such as Sandboxie.
We run the file we will examine in our virtual Windows and watch what it does on the system. The file is harmful if applications you do not recognize start running in the background without your permission.

Alternatively, we start Wireshark first, then run our file and listen. With Wireshark we can find out whether the file is harmful by watching what it does on our network.

In general, a simple malware analysis is done this way. You can learn about advanced malware analysis by doing your own research; what I describe here is a basic, beginner level.

source: https://www.turkhackteam.org/zararli-yazilim-analizi/1744311-basit-malware-analizi-senzero.html
translator: Captainyarimca
