Crack the Code: How Malware Analysts Use Static & Dynamic Analysis to Uncover Evil (And You Can Too)

Listen to this Post

🐢▶️ Listen🚀

Introduction:

In the ever-escalating arms race against cyber threats, understanding the inner workings of malware is a non-negotiable skill. Modern defense hinges on malware analysis—the forensic dissection of malicious software to uncover its purpose, functionality, and indicators of compromise. As showcased in practical exercises like TryHackMe’s Advent of Cyber, this process is bifurcated into two core methodologies: static analysis (examining the code without execution) and dynamic analysis (observing behavior during runtime in a safe, isolated environment).

Learning Objectives:

• Understand the fundamental difference between static and dynamic malware analysis and when to apply each.
• Gain hands-on proficiency with essential free tools like PeStudio, Regshot, and Procmon for real-world analysis.
• Learn to identify key malware behaviors, including persistence mechanisms, command-and-control (C2) communication, and system fingerprinting.

You Should Know:

1. Static Analysis: The Safe First Look with PeStudio
   Static analysis is the initial reconnaissance phase. It involves inspecting the malware file without ever running it, minimizing risk. Analysts examine hashes, embedded strings, header information, imported libraries, and potential obfuscation. This can quickly reveal indicators like hardcoded IP addresses, suspicious domain names, or flags (as found in the challenge).

Step-by-step guide:

1. Acquire the Sample: Always work within an isolated lab (VM with no network access). Obtain your suspect file (e.g., HopHelper.exe).
2. Calculate Hashes: Use these to get a unique fingerprint for threat intelligence sharing.

Windows (PowerShell): `Get-FileHash -Algorithm SHA256 C:\path\to\HopHelper.exe`

Linux (Terminal): `sha256sum /path/to/HopHelper.exe`

1. Analyze with PeStudio: Open the file in PeStudio.
   Check the `indicators` tab: PeStudio automatically highlights suspicious characteristics.
   Examine the `strings` tab: This is gold. Look for readable text, URLs, IPs, file paths, and potential flags. Use the “find” function.
   Review the `imports` tab: Lists functions the executable calls from Windows DLLs. Imports like WinExec, URLDownloadToFile, and `RegSetValue` are immediate red flags.
   Inspect the `DOS Header` & PE Header: Check for anomalies like an incorrect `TimeDateStamp` or unusual section names.

2. Dynamic Analysis: Runtime Behavior in a Sandbox

Dynamic analysis runs the malware in a controlled, monitored environment (a sandbox) to see its actual behavior. This uncovers actions static analysis may miss, like network calls, registry changes, and file drops.

Step-by-step guide:

1. Prepare Your Sandbox: Use a disposable virtual machine (e.g., VMware, VirtualBox) with tools pre-installed. Disable shared folders and use host-only/networking. Take a snapshot before execution.
2. Establish a Baseline: Before running anything, use a tool like Regshot to capture the state of the filesystem and registry.
3. Execute and Monitor: Run the malware. Let it operate for a few minutes.
4. Capture the Aftermath: Take a second snapshot with Regshot and compare. It will show you every registry key created/modified and every file added/deleted.

3. Monitoring with Procmon: From Noise to Intelligence

Process Monitor (Procmon) is an overwhelming firehose of data by default. The power lies in strategic filtering to isolate the malware’s activities from system noise.

Step-by-step guide:

1. Launch Procmon (as Admin). It will immediately start capturing all system events.
2. Set a Filter for Your Process: Go to `Filter` > Filter.... Add a filter: `Process Name` is `HopHelper.exe` then Include. Click `Add` and Apply.
3. Clear the event log. Now execute your malware. Procmon will now only show events from that process.
4. Filter for Key Operations: Use the filter toolbar for quick toggles.

`RegSetValue`: Shows registry modifications (for persistence).

`TCP Connect` / UDP Connect: Reveals network connections to C2 servers.
`CreateFile` / WriteFile: Shows files being created or written to (e.g., dropping a payload).

4. Analyzing Network Calls for C2

Command-and-Control communication is a malware’s lifeline. Identifying it is critical.

Step-by-step guide:

1. Use a Tool like Wireshark: Start a capture on your sandbox’s network interface before executing the malware.
2. Run the Malware and allow it to generate network traffic.
3. Stop the Capture and Analyze: Look for DNS queries to suspicious domains, HTTP/HTTPS calls to unfamiliar IPs, or beaconing behavior (regular, periodic calls to a single endpoint). Filter in Wireshark with `dns` or http.

5. Setting Up a Basic Detonation Lab

A proper lab is essential for safe dynamic analysis.

Step-by-step guide:

1. Virtualization Software: Install VMware Workstation Player or VirtualBox.
2. Create a Windows VM: Use an easy-to-revert OS like Windows 10. Do not install VMware Tools/VirtualBox Guest Additions in the analysis VM if analyzing malware that may exploit them.
3. Isolate the Network: Configure the VM’s network adapter to Host-Only. This allows tool communication from host to guest but blocks the VM from accessing the internet.
4. Install Analysis Tools: Install your suite (Procmon, Regshot, PeStudio, Wireshark).
5. Take a Snapshot: Label it “Clean Baseline”. Revert to this after every analysis.

6. Decoding Common Persistence Mechanisms

Malware often survives reboot by modifying the registry or startup folders.

Step-by-step guide to investigate:

Check Common Run Keys: Using Regshot comparison or manually in regedit:

`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`

`HKLM\Software\Microsoft\Windows\CurrentVersion\Run`

`HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`

Check Scheduled Tasks: In a command prompt, run: `schtasks /query /fo LIST /v`

Check Startup Folder: `C:\Users\[bash]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\`

7. Extracting and Analyzing Dropped Files

Malware often deploys secondary payloads.

Step-by-step guide:

1. During dynamic analysis, use Procmon filtered on your malware’s process name and look for `WriteFile` operations to unusual locations (e.g., C:\Users\Public\, C:\Windows\Temp\).
2. Navigate to that directory in your sandbox and retrieve the dropped file.
3. Subject this new file to the same rigorous static analysis process (PeStudio, hashing) to understand the full attack chain.

What Undercode Say:

• The 1-2 Punch is Non-Negotiable: Relying solely on static analysis leaves you blind to runtime tricks like packed code that unpacks in memory. Dynamic analysis in a contained sandbox is the only way to see the full picture.
• Filtering is the Analyst’s Superpower: Raw logs are useless. The skill lies in knowing how to use filters in Procmon, Wireshark, and other tools to isolate the signal from the noise, turning terabytes of data into actionable intelligence.

The practical, tool-driven approach demonstrated in challenges like Advent of Cyber represents the foundational bedrock of modern threat intelligence. Mastering these free tools provides a tangible skill set that directly translates to roles in SOCs and incident response teams. The future of malware analysis will be shaped by AI-assisted reverse engineering and hyper-realistic deception environments, but the core principles of static examination and isolated behavioral observation will remain the critical first line of defense. As malware becomes more evasive, the analyst’s ability to meticulously orchestrate and interpret these tools will only increase in value.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Khadijat Suleiman – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky