If you work in the defensive field, analyzing malware becomes part of your job.
In this article, we will discuss the approaches you can use to analyze malware and the advantages and disadvantages of each approach compared to the other.
There are two different approaches to analyzing malware.
- Static Analysis
- Dynamic Analysis
What is Static Analysis?
It is the approach of analyzing malicious software with reverse-engineering methods, without running it.
Generally, the malware is decompiled or disassembled and each step it would execute is examined, so the behavior and capabilities of the malware can be determined.
Your device will not be infected, since you do not run the malicious software during static analysis. (However, we do not recommend performing static analysis on your host device; it is more proper to do your analysis in a virtual operating system.)
The information examined during static analysis is as follows.
- P.E. (Portable Executable) Headers
- Imported DLLs
- Exported DLLs
- Strings in binary
- CPU Instructions
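As an added example (not code from the original article), the following Python script performs a small static triage of the items listed above without executing anything: it parses the PE (DOS, COFF and section) headers and extracts printable strings from the binary. The PE image it inspects is constructed inline and is not a real binary.

```python
import struct

def parse_pe(data: bytes) -> dict:
    """Parse DOS, COFF and section headers; raise ValueError if not a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                           # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B = PE32, 0x20B = PE32+
    sections = []
    for i in range(nsec):                                     # section table follows the optional header
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    return {"machine": machine, "timestamp": stamp, "pe32plus": magic == 0x20B,
            "characteristics": chars, "sections": sections}

def strings(data: bytes, min_len: int = 5) -> list:
    """Extract runs of printable ASCII, like the `strings` tool does."""
    out, cur = [], bytearray()
    for b in data + b"\0":                                    # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    return out

# Illustrative list of API names an analyst would note in a strings dump (assumption, not exhaustive).
INJECTION_APIS = {"CreateRemoteThread", "WriteProcessMemory"}

def triage(data: bytes) -> dict:
    """Static triage report: parsed headers plus strings hinting at network use or injection."""
    hints = [s for s in strings(data) if s.startswith("http") or s in INJECTION_APIS]
    return {"headers": parse_pe(data), "suspicious_strings": hints}

def build_sample() -> bytes:
    """Constructed PE32+ image for the demo: not a real binary and not executable."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt = struct.pack("<H", 0x20B) + b"\0" * 238             # 240-byte PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0x5F000000, 0, 0, len(opt), 0x0022)
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    body = b"\0" * (0x200 - len(hdr)) + b"http://c2.example.invalid/beacon\0CreateRemoteThread\0"
    return hdr + body

if __name__ == "__main__":
    print(triage(build_sample()))
```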
You can obtain malware samples from the blue team training platform LetsDefend.
What is Dynamic Analysis?
It is the approach that examines the behavior of malicious software on the system by running it.
In dynamic analysis, tools that can monitor registry, file, network and process events are installed on the system, and the malware's behavior is examined by running it.
While doing dynamic analysis, you should carefully examine the following events.
- Network Connections
- File Events
- Process Events
- Registry Events
Static Analysis vs Dynamic Analysis
Which approach to use when analyzing malware depends on the circumstances. When you want fast results, you can choose dynamic analysis, but we cannot say that the analysis is complete without doing both static and dynamic analysis.
It should also be noted that using only one approach may not be sufficient to analyze malware. Using both approaches together will lead you to victory!
| Static Analysis | Dynamic Analysis |
| --- | --- |
| Static analysis takes a long time. | Dynamic analysis generally takes a short while. |
| You can learn the full capabilities of the malware. | You learn only the activities performed on the system on which it was run. |
| Detailed analysis result | Analysis result is not detailed |
As a result, we cannot say that one approach is better than the other; each has an advantage over the other under different conditions.
If you work as a Level 1-2 SOC analyst, you can usually take action quickly by obtaining the C2 address with the help of dynamic analysis.