Introduction to Malware Analysis

From Embedded Lab Vienna for IoT & Security

If you want to get started learning about malware analysis, this guide is for you. We will first start by setting up suitable environments in which malware can safely be analyzed.

It is very important that when dealing with malware samples, you only download them from trusted sources and only ever unpack them within your VM setup.

Analysis Environments

Of course, there are many different malware analysis environments you can choose from. For the sake of simplicity, this guide focuses on two fairly well-known ones: Flare VM and Remnux. The main difference between the two is that Flare VM runs on Windows and Remnux runs on Ubuntu (Linux). What they have in common is that they offer a wide range of tools that should easily be enough to get you started!

Installing and setting up Remnux is simplified by only having to download the pre-built .ova virtual machine file (https://docs.remnux.org/install-distro/get-virtual-appliance).

There is already a different article about setting up a Windows malware analysis environment. However, I found it much easier to use the Flare VM scripts to automate the process. Setting up FlareVM is somewhat time-intensive, but I have written a step-by-step guide to get you started: Flare VM Installation. If you prefer video guidance, I can recommend this one: https://www.youtube.com/watch?v=BiSdnusy2AQ&ab_channel=LetsDefend

A separate article (Malware Lab: VM Setup and AWS EC2) describes how FlareVM and Remnux can be combined into a single malware lab environment: malware is detonated on the FlareVM, and the Remnux machine acts as a fake DNS server using inetsim.

In the end, the type of malware you want to analyze determines which operating system you will use for analysis. Later in this guide we will also analyze IoT malware, which is practically always delivered as an ELF Linux executable.

General knowledge about Malware Analysis

Before you start setting up your malware analysis lab, make sure you understand the following basic concepts.

Static vs. Dynamic Analysis

Static analysis deals with extracting data about a malware sample without actually executing it. The main objective is to extract features from the malware that could help us understand what a certain malware does upon execution.

The following steps are important when approaching a malware sample:

  • Identifying the file type (Target OS, architecture and format)
  • Trying to identify the malware: Hashing the malware file gives it a unique identifier. The hash can be entered into various malware search engines, which look for known samples with an identical hash.
  • String extraction: Strings extracted from the binary file can give the malware analyst an idea of what the malware can do.
  • (Un)packing and (De)obfuscation: These are techniques used to prevent detection and make it harder to find readable strings. Unpacking and deobfuscating reveals more information about the sample.
  • PE headers: Reveal a lot about the functionality of the malware
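The first three static steps (file type, hashing, string extraction) can be scripted in a few lines. The following Python script is an added example for this guide, not code from the wiki or from the Remnux/Flare VM tool sets; the function names and the two sample byte strings are my own constructions (a minimal ARM ELF header and a minimal PE header, neither of them a real program). It goes slightly beyond the list above by handling both the ELF format that IoT malware uses and the PE format of Windows malware in one helper.

```python
"""Static triage: file type, hashes and printable strings of a sample.

Added example for this guide (not code from the wiki or from Remnux/Flare VM).
Both samples below are constructed byte strings, not real malware.
"""
import hashlib
import re
import struct

# Machine codes from the ELF and PE specifications, limited to the values seen most often.
ELF_MACHINES = {0x03: "x86", 0x08: "MIPS", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
PE_MACHINES = {0x014C: "x86", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "AArch64"}


def identify_file_type(data: bytes) -> dict:
    """Step 1: read format, target OS and architecture straight from the header bytes."""
    if data[:4] == b"\x7fELF" and len(data) >= 20:
        bits = {1: 32, 2: 64}.get(data[4], 0)
        endian = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
        e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
        kind = {1: "relocatable", 2: "executable", 3: "shared object"}.get(e_type, "unknown")
        return {"format": "ELF", "os": "Linux/Unix", "bits": bits,
                "arch": ELF_MACHINES.get(e_machine, hex(e_machine)), "type": kind}
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew points at "PE\0\0"
        if data[pe_off:pe_off + 4] == b"PE\0\0" and len(data) >= pe_off + 24:
            machine, n_sections = struct.unpack_from("<HH", data, pe_off + 4)
            return {"format": "PE", "os": "Windows", "sections": n_sections,
                    "arch": PE_MACHINES.get(machine, hex(machine))}
        return {"format": "MZ without PE header", "os": "DOS/Windows", "arch": "unknown"}
    return {"format": "unknown", "os": "unknown", "arch": "unknown"}


def hash_sample(data: bytes) -> dict:
    """Step 2: hashes to look the sample up in malware search engines."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 3: printable ASCII and UTF-16LE strings (what `strings` and `strings -el` print)."""
    ascii_strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_strings = [m.decode("utf-16-le")
                    for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_strings + wide_strings


def triage(data: bytes) -> dict:
    """Combine the three static steps into one report."""
    return {"type": identify_file_type(data), "hashes": hash_sample(data),
            "strings": extract_strings(data)}


# Constructed 32-bit little-endian ARM ELF executable header followed by a few strings
# of the kind IoT malware typically contains. It is not a runnable program.
ELF_SAMPLE = (b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8    # e_ident: ELF32, LSB
              + struct.pack("<HH", 2, 0x28) + b"\x00" * 32       # ET_EXEC, EM_ARM
              + b"/dev/watchdog\x00/bin/busybox\x00http://c2.example.invalid/update\x00")

# Constructed PE: 64-byte DOS header with e_lfanew = 0x40, PE signature, COFF header
# (Machine = i386, 3 sections) and one ASCII plus one UTF-16LE string.
PE_SAMPLE = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
             + b"CreateRemoteThread\x00\x00" + "cmd.exe /c".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for label, sample in (("ELF sample", ELF_SAMPLE), ("PE sample", PE_SAMPLE)):
        report = triage(sample)
        print(label, report["type"])
        print("  sha256:", report["hashes"]["sha256"])
        print("  strings:", report["strings"])
```

On Remnux the same information comes from `file`, `sha256sum` and `strings`; the script shows what those tools read from the bytes. Note the double null after the ASCII string in the PE sample: without it, a naive UTF-16 scan chains the trailing `d\0` of the ASCII string onto the wide string, which is a common source of garbled output in string extraction.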


Dynamic analysis involves executing the malware sample in a controlled environment to observe its behaviour. This type of analysis provides insights into the runtime behavior of the malware, such as network communication, file system modifications, and process interactions. From observing this behaviour, important conclusions can be drawn.

To perform dynamic analysis, follow these steps:

  1. Set up a suitable sandbox environment: Create a virtual machine to isolate the malware from your host system. Using LXC containers is generally not advisable.
  2. Execute the malware: Run the malware sample in the sandbox environment, monitoring its behavior and capturing any relevant data.
  3. Monitor network activity: Use tools like Wireshark or tcpdump to capture network traffic generated by the malware. Analyze the captured data to understand the communication patterns and potential malicious activities.
  4. Monitor file system changes: Use file monitoring tools like inotify or Sysmon to track file system modifications made by the malware. This can help identify any files created, modified, or deleted during the execution.
  5. Analyze process interactions: Use process monitoring tools like Process Monitor (Procmon) to monitor the malware’s interactions with other processes on the system. This can provide insights into any suspicious or malicious behavior.
  6. Capture system calls: Use tools like strace or API monitoring tools to capture system calls made by the malware. This can reveal the underlying functionality and interactions with the operating system.
  7. Aggregate and analyze all captured activity.
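Steps 3, 4, 6 and 7 on a Linux sandbox produce several logs that have to be merged before conclusions can be drawn. The following Python script is an added example for this guide, not code from the wiki page. It assumes the sample was run under `strace -f -o trace.txt` (one line per call in the form `pid  call(args) = ret`) while `inotifywait -m` watched the directories of interest (lines in the form `dir EVENT[,EVENT] name`). All log lines are constructed; `192.168.56.1` stands for the Remnux box running inetsim inside the lab network and `203.0.113.10` (a TEST-NET-3 documentation address) for a host outside it. The function names and the lab-network list are my own assumptions.

```python
"""Aggregate strace and inotifywait output from a detonation into one report.

Added example for this guide, not code from the wiki page. Log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

STRACE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)")
INOTIFY_RE = re.compile(r"^(?P<dir>\S+)\s+(?P<events>[A-Z_,]+)\s+(?P<name>.*)$")
SOCKADDR_RE = re.compile(r'sin_port=htons\((\d+)\).*inet_addr\("([\d.]+)"\)')
FIRST_PATH_RE = re.compile(r'"([^"]*)"')

# Addresses the sandbox may legitimately reach: RFC 1918 ranges (inetsim lives there) and loopback.
LAB_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SYSTEM_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/lib/", "/lib64/")


def is_lab_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAB_NETS)


def summarize_strace(lines) -> dict:
    """Step 6: reduce syscall lines to processes, file access, deletions and connections."""
    report = {"execve": [], "files_read": set(), "files_written": set(),
              "deleted": set(), "network": set(), "failed": []}
    for line in lines:
        m = STRACE_RE.match(line)
        if not m:
            continue
        call, args, ret = m.group("call"), m.group("args"), int(m.group("ret"))
        if ret < 0:                      # failed calls still show intent; keep them apart
            report["failed"].append(f"{call}({args[:40]})")
            continue
        path_m = FIRST_PATH_RE.search(args)
        path = path_m.group(1) if path_m else ""
        if call == "execve":
            report["execve"].append(path)
        elif call in ("open", "openat"):
            if any(flag in args for flag in ("O_WRONLY", "O_RDWR", "O_CREAT")):
                report["files_written"].add(path)
            else:
                report["files_read"].add(path)
        elif call in ("unlink", "unlinkat"):
            report["deleted"].add(path)
        elif call == "connect":          # step 3: endpoints, cross-check against the pcap
            sock = SOCKADDR_RE.search(args)
            if sock:
                report["network"].add((sock.group(2), int(sock.group(1))))
    return report


def summarize_inotify(lines) -> dict:
    """Step 4: group file-system events by type, with full paths."""
    changes = defaultdict(set)
    for line in lines:
        m = INOTIFY_RE.match(line)
        if not m:
            continue
        path = m.group("dir") + m.group("name")
        for event in m.group("events").split(","):
            changes[event].add(path)
    return dict(changes)


def find_indicators(syscalls: dict, fs_changes: dict) -> list:
    """Step 7: turn the merged activity into the findings an analyst writes up."""
    findings = []
    for ip, port in sorted(syscalls["network"]):
        if not is_lab_address(ip):
            findings.append(f"outbound connection to non-lab address {ip}:{port}")
    written = (syscalls["files_written"] | fs_changes.get("CREATE", set())
               | fs_changes.get("MODIFY", set()))
    for path in sorted(written):
        if path.startswith(SYSTEM_PREFIXES):
            findings.append(f"write to system path {path}")
    for path in sorted(syscalls["deleted"] | fs_changes.get("DELETE", set())):
        findings.append(f"file deleted: {path}")
    for cmd in syscalls["execve"]:
        if cmd.endswith(("/sh", "/bash")):
            findings.append(f"shell spawned: {cmd}")
    return findings


# Constructed strace -f -o output for a fictitious sample (pids, paths and addresses invented).
STRACE_LINES = """\
4242  execve("/tmp/sample.elf", ["/tmp/sample.elf"], 0x7ffc1a2b3c40) = 0
4242  openat(AT_FDCWD, "/dev/watchdog", O_WRONLY) = 3
4242  openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 4
4242  openat(AT_FDCWD, "/tmp/dropped.bin", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 5
4242  connect(6, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.168.56.1")}, 16) = 0
4242  connect(7, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
4243  execve("/bin/sh", ["sh", "-c", "cp /tmp/dropped.bin /etc/init.d/svc"], 0x7ffc1a2b3c40) = 0
4243  unlink("/tmp/sample.elf") = 0
4243  openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
""".splitlines()

# Constructed inotifywait -m output for the same run.
INOTIFY_LINES = ["/tmp/ CREATE dropped.bin", "/tmp/ MODIFY dropped.bin",
                 "/tmp/ CLOSE_WRITE,CLOSE dropped.bin", "/etc/init.d/ CREATE svc",
                 "/tmp/ DELETE sample.elf"]

if __name__ == "__main__":
    for finding in find_indicators(summarize_strace(STRACE_LINES), summarize_inotify(INOTIFY_LINES)):
        print("-", finding)
```

Connections to the Remnux address are deliberately not reported, since that is where inetsim answers; anything else the sample tries to reach is a candidate command-and-control endpoint worth comparing against the Wireshark or tcpdump capture from step 3.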

Dynamic analysis is very useful when the full behaviour and intent of the malware cannot be inferred from static analysis alone.

Remember to always perform dynamic analysis in a controlled and isolated environment to prevent any unintended consequences or damage to your system.

Safely sourcing malware samples

It is very important to be careful where you get your malware samples from. To begin with, I can recommend the GitHub repository https://github.com/ytisf/theZoo. It contains a wide selection of live malware samples that can be used for static and dynamic analysis.

It is common practice to download the samples as .zip files. The archives should always be encrypted, usually with the password “infected”.

