Getting Started with Malware Analysis and Reverse Engineering
This page is from internal enterprise documentation that was created for introducing common malware analysis topics. This is not a comprehensive document, and many sections link to online resources. Tool selection and documentation is largely based on what is present in the enterprise lab the document was created for.
Malware Analysis Workflow
+-------------------------------------+
|      Malware Analysis Workflow      |
+-------------------------------------+
                  |
                  v
+-----------------------------+
|     Threat Intelligence     |
+-----------------------------+
| - Hash Lookups (VT, HA)     |
| - IP/Domain Reputation      |
|   (AbuseIPDB, ThreatFox)    |
| - Sample Pivoting (Any.run) |
| - YARA/IoC Extraction       |
+-----------------------------+
                  |
                  v
+----------------------------+
|      Static Analysis       |
+----------------------------+
| - File Analysis            | <-- Tools: PEStudio, DIE, HashMyFiles
| - Code Analysis            |
| - Disassembly              | <-- Tools: Ghidra, IDA Free
+----------------------------+
                  |
                  v
+----------------------------+
|      Dynamic Analysis      |
+----------------------------+
| - Network Monitoring       | <-- Tools: Wireshark, INetSim
| - Process Monitoring       | <-- Tools: ProcMon, ProcExp
| - API Call Monitoring      | <-- Tools: API Monitor
| - Logging                  | <-- Tools: Sysmon, PowerShell logs
+----------------------------+
                  |
                  v
+-------------------------------------+
|   Debugging & Reverse Engineering   |
+-------------------------------------+
| - IDA                               | <-- Tools: IDA Pro, Ghidra
| - x64dbg                            | <-- Tools: x64dbg, Scylla
+-------------------------------------+
Threat Intelligence
Threat intelligence gathering is an important step in scoping the work that needs to be done during the analysis. Often, a sample has defining traits that can be searched for in public threat intel spaces like VirusTotal, Tria.ge, or any other sandboxing/intel platform. By searching for these traits (hashes, filenames, networking indicators, etc.), you can determine whether a sample needs to be reversed, categorized as a variant of a known family, or simply documented as an already-known sample.
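As an added example (not part of the original documentation), the intel step above in Python: hash the sample, pull candidate network indicators out of its strings, build the VirusTotal and AbuseIPDB lookup URLs an analyst would visit, and make the scoping call (known sample, probable variant, or full reverse). The sample bytes, the known-hash set and the known-IoC set are constructed for illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field
# Constructed stand-in for a sample under analysis (not a real malware file).
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"https://update.example.test/check\x00"
          + b"203.0.113.45\x00"
          + b"User-Agent: Mozilla/5.0\x00")

# Constructed intel: hashes and indicators the lab has already documented.
KNOWN_HASHES = {"0" * 64}
KNOWN_IOCS = {"203.0.113.45"}

IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[\w.-]+(?:/[\w./-]*)?")


@dataclass
class TriageReport:
    md5: str
    sha1: str
    sha256: str
    ips: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    def lookups(self) -> dict:
        """Public-intel queries to run next: VirusTotal by hash, AbuseIPDB by IP."""
        return {
            "virustotal": f"https://www.virustotal.com/gui/file/{self.sha256}",
            "abuseipdb": [f"https://www.abuseipdb.com/check/{ip}" for ip in self.ips],
        }


def file_hashes(data: bytes) -> tuple:
    return tuple(h(data).hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256))


def extract_indicators(data: bytes) -> TriageReport:
    md5, sha1, sha256 = file_hashes(data)
    # Octet check drops junk like 999.1.2.3; version strings can still slip through.
    ips = sorted({m.decode() for m in IPV4_RE.findall(data)
                  if all(int(o) <= 255 for o in m.decode().split("."))})
    urls = sorted({m.decode() for m in URL_RE.findall(data)})
    return TriageReport(md5, sha1, sha256, ips, urls)


def triage(report, known_hashes=KNOWN_HASHES, known_iocs=KNOWN_IOCS) -> str:
    """Scoping decision: known sample to document, probable variant, or full reverse."""
    if report.sha256 in known_hashes:
        return "known"
    if (set(report.ips) | set(report.urls)) & known_iocs:
        return "variant"
    return "reverse"
```

Review the extracted IPs and URLs before submitting them to a reputation service; strings pulled from a binary include version numbers and benign vendor URLs that will skew the picture.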