Static Malware Analysis VS Dynamic Malware Analysis
Malware Analysis is a process of analyzing the malware that is detected. In a SOC team, it is usually done by the Level 1 or Level 2 Analyst.
What is a Malware?
Malware consists of two words, Mal( Malicious) and Ware( Software). So, Malware is nothing but malicious software or software built with malicious intent.
Types of Malware:
Backdoor: Leaving a backdoor on the device where the malware is installed, allows the attacker to access the system through this backdoor
Adware often comes with downloaded software, causing unwanted advertisements to be displayed on the device. While not all adware is harmful, some change the default search engine.
Ransomware is a type of malware that has been on the world's plan for the last few years. It demands ransom from people by encrypting and exfiltrating all files on the device.
Virus: It is one of the first types of malware seen in the wild. So we see that it is often called a virus instead of the term malware in daily life. Viruses have a self-replicate feature. It provides persistence by infecting other files on the device.
The Worm is a type of malware that spreads from infected devices to other devices, it is named worm. WannaCry, a worm malware exploiting MS17–010 vulnerability, caused panic around the world.
A Rootkit is a type of malware that disguises itself by providing access to a high level of authority on the device.
RAT (Remote Access Trojan) is a type of malware that provides full control over the device to the threat actor.
Banking malware targets banking applications and causes money to be stolen from the victim.
Keylogger is a type of malware that logs pushed keys and send this information to the attacker.
Malware may contain more than one feature, so malware can belong to more than one type. For example, WannaCry malware includes both worm and ransomware malware features.
What is Static Analysis?
It is the approach of analyzing malicious software by reverse engineering methods without running them. Generally, by decompiling/disassembling the malware, each step that the malware will execute is analyzed, hence the behavior/capacity of the malware can be analyzed.
The device will not be infected as you do not run malicious software in static analysis. (However, we do not recommend performing static analysis on your host device, it will be more proper to do your analysis in a virtual operating system.)
The information examined during the static analysis is as follows.
- P.E. (Portable Executable) Headers
- Imported DLL’s
- Exported DLL’s
- Strings in binary
- CPU Instructions
What is Dynamic Analysis?
It is the approach that examines the behavior of malicious software on the system by running it.
In dynamic analysis, applications that can examine registry, file, network, and process events are installed in the system, and their behavior is examined by running malicious software.
While doing dynamic analysis, you should carefully examine the following events.
- Network Connections
- File Events
- Process Events
- Registry Events
Static Analysis vs Dynamic Analysis
Which approach to use when analyzing malware depends on the current circumstances. In cases where you want to get fast results, you can choose dynamic analysis, but we cannot say that the analysis is complete without doing both static and dynamic analysis.
It should also be noted that using only one approach may not be sufficient to analyze malware. Using both approaches together will lead you to victory!
As a result, we cannot say that one approach is better than another. Each has an advantage over the others in different conditions.