The process of examining malware code without executing it.
What is static analysis?
Running malware in a controlled environment to observe its behavior.
What is dynamic analysis?
A framework that describes the stages of a cyber-attack, from reconnaissance to achieving objectives.
What is the Cyber Kill Chain?
This type of malware encrypts files and demands payment to unlock them.
What is ransomware?
This allows malware to survive reboots and remain active on a system.
What is persistence?
MD5, SHA-1, and SHA-256 are examples of these, used to identify files by computing a fixed-length digest of their contents (SHA-256 is the one to rely on, since collisions can be crafted for MD5 and SHA-1).
What are hashing algorithms?
A tool used to identify programs configured to run automatically at startup, which can reveal persistent malware.
What is Autoruns?
The first stage in the Cyber Kill Chain, involving information gathering about the target.
What is reconnaissance?
This type of malware disguises itself as legitimate software to trick users.
What is a Trojan?
A common registry key that malware modifies to achieve persistence.
What is HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run?
A tool used in static analysis to inspect the structure of Portable Executable (PE) files.
What is PE Studio?
Isolating malware in this environment is essential to prevent it from affecting other systems.
What is a sandbox?
This stage involves transmitting the malware to the victim, often through phishing or drive-by downloads.
What is delivery?
A self-replicating malware that spreads across networks without user interaction.
What is a worm?
Malware can use this Windows feature to schedule tasks that automatically execute at set times.
What is the Task Scheduler?
Extracting these can reveal hard-coded URLs, IPs, or other readable text within malware.
What are strings?
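The three static-analysis clues above (hashing, PE header inspection, string extraction) can be done in a few lines without running the sample. The following is an added example written for this page, not a tool from the original; it hashes a file, walks the MZ/PE headers to read the COFF fields that pestudio shows first, and pulls ASCII and UTF-16LE strings the way the `strings` tool does. The sample bytes are a constructed PE-shaped blob (not real malware) so it runs offline; pass a real file path to triage that instead.

```python
import hashlib
import re
import struct
import sys
from datetime import datetime, timezone

MACHINE_TYPES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def build_sample() -> bytes:
    """Constructed stand-in for a sample: a minimal PE-shaped blob, not real malware."""
    dos = bytearray(64)                        # IMAGE_DOS_HEADER is 64 bytes
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: NT headers start right after the DOS header
    coff = struct.pack("<HHIIIHH",
                       0x8664,       # Machine: x64
                       3,            # NumberOfSections
                       1600000000,   # TimeDateStamp (2020-09-13 UTC)
                       0, 0,         # PointerToSymbolTable, NumberOfSymbols
                       240,          # SizeOfOptionalHeader (PE32+)
                       0x0022)       # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    body = (b"\x00" * 16
            + b"http://example.invalid/update.bin\x00\x00\x00"                        # ASCII IOC
            + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")  # wide string
            + b"\x00\x00")
    return bytes(dos) + b"PE\x00\x00" + coff + body


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests; share SHA-256, keep the others for legacy lookups."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> dict:
    """Printable ASCII and UTF-16LE runs, like `strings` (and `strings -e l` for wide strings)."""
    ascii_pat = rb"[\x20-\x7e]{%d,}" % min_len
    wide_pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return {
        "ascii": [m.decode("ascii") for m in re.findall(ascii_pat, data)],
        "wide": [m.decode("utf-16-le") for m in re.findall(wide_pat, data)],
    }


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF file header."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew: truncated or not a PE file")
    machine, nsections, stamp, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),  # compile time claimed by the linker
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "optional_header_size": opt_size,
    }


def triage(data: bytes) -> dict:
    return {"hashes": file_hashes(data), "pe": parse_pe_header(data), "strings": extract_strings(data)}


if __name__ == "__main__":
    # Usage: python triage.py <sample>   (uses the constructed blob when no path is given)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    report = triage(data)
    for name, digest in report["hashes"].items():
        print(f"{name:7} {digest}")
    print("pe     ", report["pe"])
    for kind in ("ascii", "wide"):
        for s in report["strings"][kind]:
            print(f"{kind:7} {s}")
```

The wide-string pass matters on Windows samples: registry paths and URLs stored as UTF-16 are invisible to a plain ASCII `strings` run, which is exactly what the constructed blob shows (the URL appears in the ASCII list, the Run key only in the wide list).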
This tool is used to inspect running processes and detect unusual behavior.
What is Process Explorer?
During this stage, the attacker exploits a vulnerability to gain access to the system.
What is exploitation?
Specialized malware that hides its own presence and that of other malicious files, processes, or network connections, typically by tampering with the operating system.
What is a rootkit?
Installing itself as one of these allows malware to start automatically at boot, before any user logs in.
What is a Windows service?
Renaming or modifying a malware sample (for example, changing its .exe extension to something non-executable) to prevent accidental execution; the same term is used for writing indicators such as URLs as hxxp:// so they are not clickable.
What is defanging?
This feature in virtual machines allows analysts to save the current state, making it easy to revert to a clean machine after running malware.
What is a snapshot?
The final stage, where the attacker achieves their primary objectives, such as data exfiltration.
What is actions on objectives?
Malware designed to secretly gather information on a user or organization.
What is spyware?
Placing malware here ensures it runs automatically when the user logs in.
What is the startup folder?
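The four persistence locations named above (the Run key, scheduled tasks, services, and the Startup folder) are what Autoruns walks for you; the following added example, written for this page rather than taken from it or from Autoruns, enumerates the same locations with the standard library and applies a few review heuristics to each command line. The HKLM Run key, the English-locale `schtasks` CSV column names, and the heuristics themselves are assumptions, and the sample entries are constructed so the scoring can be exercised on a non-Windows host.

```python
import csv
import os
import re
import subprocess
import sys
from pathlib import Path

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"     # checked under HKCU and HKLM (assumed twin)
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")

# Review heuristics (assumptions, not a vendor rule set): paths benign autostarts rarely use,
# script hosts / LOLBins malware launches through, and encoded or URL-fetching command lines.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads|ProgramData)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
ENCODED = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s|FromBase64String|hxxp|https?://", re.I)


def score_entry(command):
    """Reasons one autostart command line deserves a closer look (empty list = nothing odd)."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("image in user-writable path")
    if SCRIPT_HOST.search(command):
        reasons.append("launched via script host or LOLBin")
    if ENCODED.search(command):
        reasons.append("encoded or network-fetching command line")
    lowered = command.lower()
    if ".exe" in lowered and not command.startswith('"') and " " in lowered.split(".exe", 1)[0]:
        reasons.append("unquoted image path containing spaces")
    return reasons


def review(entries):
    """entries: iterable of (location, command); returns the flagged ones with their reasons."""
    flagged = []
    for location, command in entries:
        reasons = score_entry(command)
        if reasons:
            flagged.append((location, command, reasons))
    return flagged


def run_key_entries():
    import winreg  # Windows only, hence imported lazily
    for hive_name, hive in (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE)):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):          # [1] = number of values
                name, value, _ = winreg.EnumValue(key, i)
                yield (f"{hive_name}\\{RUN_KEY}\\{name}", str(value))


def service_entries():
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):             # [0] = number of subkeys
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as svc:
                    image, _ = winreg.QueryValueEx(svc, "ImagePath")
                    start, _ = winreg.QueryValueEx(svc, "Start")
            except OSError:
                continue                                            # entries without ImagePath/Start
            if start in (0, 1, 2):                                  # boot, system, automatic start
                yield (f"HKLM\\{SERVICES_KEY}\\{name}", str(image))


def scheduled_task_entries():
    # Assumes English-locale schtasks: verbose CSV carries "TaskName" and "Task To Run" columns.
    out = subprocess.run(["schtasks", "/Query", "/FO", "CSV", "/V"],
                         capture_output=True, text=True, check=True).stdout
    for row in csv.DictReader(out.splitlines()):
        task, action = row.get("TaskName"), row.get("Task To Run")
        if task and task != "TaskName" and action:                 # skip repeated header rows
            yield (task, action)


def startup_folder_entries():
    # Anything here runs at logon, so every item is reported (the AppData path itself trips USER_WRITABLE).
    for base in (os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")):
        folder = Path(base) / STARTUP_REL if base else None
        if folder and folder.is_dir():
            for item in folder.iterdir():
                if item.name.lower() != "desktop.ini":
                    yield (str(folder), str(item))


def host_entries():
    for source in (run_key_entries, service_entries, scheduled_task_entries, startup_folder_entries):
        yield from source()


SAMPLE_ENTRIES = [  # constructed entries for running the review off a Windows host
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", r'wscript.exe //B "C:\Users\bob\AppData\Roaming\upd.vbs"'),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\VendorSvc", r"C:\Program Files\Vendor Tools\svc.exe"),
    (r"\Updater\Check", r"powershell.exe -w hidden -enc SQBFAFgA"),
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
     r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"),
]

if __name__ == "__main__":
    entries = host_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for location, command, reasons in review(entries):
        print(f"{location}\n    {command}\n    -> {', '.join(reasons)}")
```

The heuristics are deliberately loose: they produce a short list to inspect, not a verdict, and legitimate per-user installers (anything living under AppData) will show up alongside the malicious ones. Use the result as a starting point for the hash lookup and strings pass, not as a detection signature.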