The process of examining malware without executing it.
What is static analysis?
Running malware in a controlled environment to observe its behavior.
What is dynamic analysis?
A very common method of obfuscation used by malware authors to hide strings within their code.
What is base64 encoding?
This type of malware encrypts files and demands payment to unlock them.
What is ransomware?
This allows malware to survive reboots and remain active on a system.
What is persistence?
MD5, SHA-1, and SHA-256 are examples of these, used to identify files by generating unique values.
What are hash algorithms?
A tool used to identify programs configured to run automatically at startup, which can reveal persistence.
What is Autoruns?
A tool used to obtain strings from malware samples that also de-obfuscates extracted strings. Or a funny dance move.
What is FLOSS?
This type of malware disguises itself as legitimate software to trick users.
What is a Trojan?
A common registry key that malware modifies to achieve persistence.
What is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run?
A tool used in static analysis to inspect the structure of Portable Executable (PE) files.
What is PE Studio?
Isolating malware in this environment is essential to prevent it from affecting other systems.
What is a sandbox?
The file signature for an executable file.
What is 4D 5A or MZ?
A self-replicating malware that spreads across networks without user interaction.
What is a worm?
Malware can use this Windows feature to schedule tasks that automatically execute at set times.
What is the Task Scheduler?
Extracting these can reveal hard-coded URLs, IPs, or other readable text within malware.
What are strings?
Strings found in malware samples, such as URLs, IP addresses, C2 server names, filenames, paths, and functions, are called these; we can send them to the SOC to look for other instances of the malware across the organization.
What are Indicators of Compromise?
These contain functions that the malware can use to interact with the Windows Operating System.
What are libraries?
Specialized malware used to hide the presence of other malicious files on a system.
What is a rootkit?
Installing itself as one of these allows malware to start automatically at boot and is a stealthy way to achieve persistence.
What is a Windows service?
Renaming or modifying a malware file to prevent accidental execution.
What is defanging?
This feature in virtual machines allows analysts to save the current state, making it easy to revert to it after running malware.
What is a snapshot?
Malware creates this to ensure only one copy of itself can run at a time.
What is a Mutex?
Malware designed to secretly gather information on a user or organization.
What is spyware?
Placing malware here ensures it runs automatically when the user logs in.
What is the startup folder?