If you work on the defensive side, analyzing malware is part of the job.
In this article we discuss the approaches you can take to analyzing malware and the advantages and disadvantages of each approach relative to the other.
There are two different approaches to analyzing malware: static analysis and dynamic analysis.
Static analysis is the approach of examining malicious software with reverse-engineering methods, without running it.
Generally the malware is decompiled or disassembled and each step it would execute is traced through the code, so the behavior and the full capability of the malware can be worked out without it ever executing.
Your device will not be infected, because in static analysis the malicious software is never run. (Even so, we do not recommend performing static analysis on your host device; it is better practice to do the analysis inside a virtual machine, since a mistake such as double-clicking the sample is enough to execute it.)
The information examined during the static analysis is as follows.
You can obtain malware samples from the blue team training platform LetsDefend.
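The following is an added example of the static side described above, not code from the original article: a small Python triage script that, without executing anything, hashes a file, pulls its printable strings (what the `strings` utility does) and buckets them into the indicators an analyst looks for first (URLs, IP addresses, injection-related API names, Run-key paths, shell commands). The sample bytes are a constructed stand-in for a file read from disk, not real malware; the hostname, the TEST-NET-3 address and the short API list are illustrative assumptions.

```python
"""Static triage of a suspicious file: hashes, printable strings, string-based IOCs.

Added example, not code from the original article. SAMPLE is a constructed
stand-in for a file read from disk (no real malware); the hostname, IP address
and API list are illustrative assumptions.
"""
from __future__ import annotations

import hashlib
import re

# Constructed sample: binary noise mixed with the kinds of printable strings a
# static pass looks for. TEST-NET-3 (203.0.113.0/24) and a ".example" hostname
# are used so nothing here points at a real host.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\x00\x01\x02\x03KERNEL32.dll\x00CreateRemoteThread\x00VirtualAllocEx\x00"
    b"WriteProcessMemory\x00\x7f\x80http://update.c2-server.example/gate.php\x00"
    b"\x00\x00\x9a203.0.113.45:443\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x10\x11ab\x00"
    b"cmd.exe /c schtasks /create\x00"
)

# Illustrative list of Win32 APIs commonly seen in process-injection code; a real
# triage script would carry a much longer list. Assumptions for this example.
SUSPICIOUS_APIS = {
    "CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
    "NtUnmapViewOfSection", "SetWindowsHookExA", "QueueUserAPC",
}
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
RUN_KEY = "\\currentversion\\run"          # autostart location, matched case-insensitively
SHELL_MARKERS = ("cmd.exe", "powershell", "schtasks", "wscript", "regsvr32")


def file_hashes(data: bytes) -> dict[str, str]:
    """MD5/SHA-1/SHA-256 of the file: the first thing to look up in threat intel."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Runs of printable ASCII (0x20-0x7e) of at least min_len bytes,
    the same output `strings -n 6` would give."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify_strings(strings: list[str]) -> dict[str, list[str]]:
    """Bucket strings into IOC categories, keeping order of first appearance."""
    found = {"urls": [], "ipv4": [], "apis": [], "registry": [], "commands": []}
    for s in strings:
        found["urls"].extend(URL_RE.findall(s))
        found["ipv4"].extend(IPV4_RE.findall(s))
        if s in SUSPICIOUS_APIS:
            found["apis"].append(s)
        if RUN_KEY in s.lower():
            found["registry"].append(s)
        if any(marker in s.lower() for marker in SHELL_MARKERS):
            found["commands"].append(s)
    return found


def static_triage(data: bytes) -> dict:
    """Combine hashes, string count and string-derived IOCs into one report."""
    strings = extract_strings(data)
    report = {"hashes": file_hashes(data), "string_count": len(strings)}
    report.update(classify_strings(strings))
    return report


if __name__ == "__main__":
    for key, value in static_triage(SAMPLE).items():
        print(f"{key}: {value}")
```

String triage of this kind is only the first pass of static analysis: a packed or encrypted sample will show almost no useful strings, and that absence is itself a finding that tells you to move on to the disassembler or to dynamic analysis.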
Dynamic analysis is the approach that examines the behavior of the malicious software by running it on a system.
For dynamic analysis, tools that record registry, file, network and process events are installed on the analysis system (an isolated virtual machine, not your host), the malware is executed, and its behavior is read off from the events those tools capture.
While doing dynamic analysis, you should carefully examine the following events.
Which approach to use when analyzing malware depends on the circumstances. When you need fast results, dynamic analysis is the usual choice, but the analysis cannot be called complete until both static and dynamic analysis have been done.
It should also be noted that a single approach may not be sufficient to understand the malware. Using both approaches together will lead you to victory!
Static Analysis                                  | Dynamic Analysis
Takes a long time.                               | In general takes a short while.
Reveals the full capacity of the malware.        | Reveals only the activity on the system it was run on.
Detailed analysis result.                        | Analysis result is not detailed.
As a result, we cannot say that one approach is better than the other; each has an advantage over the other under different conditions.
If you work as a Level 1-2 SOC analyst, you can usually take action quickly by obtaining the C2 address with the help of dynamic analysis and leaving the deeper static analysis for later.
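The following is an added example, not code from the original article, of the dynamic side described in the two passages above: a Python script that takes a process-monitor export, restricts it to the sample's own process tree (so unrelated activity from other processes on the analysis system is left out), and pulls out the network destinations and DNS lookups a SOC analyst would treat as C2 candidates, plus Run-key persistence and dropped files. The event log is constructed for the example in a simplified "time|pid|image|event|detail" layout standing in for a Procmon or Sysmon export; the field layout, PIDs, paths and addresses are all assumptions.

```python
"""Dynamic-analysis event triage: scope a process-monitor log to the sample's
process tree and pull out network destinations, DNS lookups, persistence and
dropped files.

Added example, not code from the original article. EVENTS is a constructed,
simplified "time|pid|image|event|detail" log standing in for a Procmon/Sysmon
export; layout, PIDs, paths and addresses are assumptions.
"""
from __future__ import annotations

# Constructed events from a hypothetical sandbox run. explorer.exe (pid 812)
# launches the sample (pid 4120), which drops and starts a child (pid 4388).
# The explorer.exe SMB connection near the end is unrelated noise that the
# triage must leave out.
EVENTS = r"""
12:00:01.103|812|explorer.exe|ProcessCreate|4120 C:\Users\lab\Downloads\invoice.exe
12:00:01.250|4120|invoice.exe|FileWrite|C:\Users\lab\AppData\Roaming\svchost32.exe
12:00:01.310|4120|invoice.exe|RegistrySet|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater = C:\Users\lab\AppData\Roaming\svchost32.exe
12:00:01.400|4120|invoice.exe|ProcessCreate|4388 C:\Users\lab\AppData\Roaming\svchost32.exe
12:00:02.010|4388|svchost32.exe|DnsQuery|update.c2-server.example
12:00:02.120|4388|svchost32.exe|NetConnect|203.0.113.45:443
12:00:02.500|4388|svchost32.exe|NetConnect|203.0.113.45:443
12:00:03.000|812|explorer.exe|NetConnect|10.0.0.5:445
12:00:03.200|4388|svchost32.exe|FileWrite|C:\Users\lab\Documents\report.docx.locked
"""

RUN_KEY = "\\currentversion\\run"   # autostart location, matched case-insensitively


def parse_events(text: str) -> list[dict]:
    """Parse the pipe-delimited log into dicts; 'detail' keeps any later '|'."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ts, pid, image, event, detail = line.split("|", 4)
        events.append({"time": ts, "pid": int(pid), "image": image,
                       "event": event, "detail": detail})
    return events


def build_tree(events: list[dict]) -> dict[int, int]:
    """Map child pid -> parent pid from ProcessCreate events ('<child_pid> <image>')."""
    tree = {}
    for ev in events:
        if ev["event"] == "ProcessCreate":
            child_pid, _image = ev["detail"].split(" ", 1)
            tree[int(child_pid)] = ev["pid"]
    return tree


def descendants(tree: dict[int, int], root: int) -> set[int]:
    """All pids in the subtree rooted at root, root included, at any depth."""
    scope = {root}
    changed = True
    while changed:  # repeat until a pass adds no new child
        changed = False
        for child, parent in tree.items():
            if parent in scope and child not in scope:
                scope.add(child)
                changed = True
    return scope


def triage(events: list[dict], root_pid: int) -> dict:
    """Summarise what the sample and its children did; other processes are ignored."""
    scope = descendants(build_tree(events), root_pid)
    report = {"processes": {}, "network": [], "dns": [], "persistence": [], "files": []}
    for ev in events:
        if ev["pid"] not in scope:
            continue
        report["processes"].setdefault(ev["pid"], ev["image"])
        kind, detail = ev["event"], ev["detail"]
        if kind == "NetConnect" and detail not in report["network"]:
            report["network"].append(detail)        # C2 candidates, first-seen order
        elif kind == "DnsQuery" and detail not in report["dns"]:
            report["dns"].append(detail)
        elif kind == "RegistrySet" and RUN_KEY in detail.lower():
            report["persistence"].append(detail)    # Run-key autostart
        elif kind == "FileWrite":
            report["files"].append(detail)          # dropped or modified files
    return report


if __name__ == "__main__":
    for key, value in triage(parse_events(EVENTS), root_pid=4120).items():
        print(f"{key}: {value}")
```

The report only reflects what the sample did during this particular run on this particular system, which is exactly the limitation the comparison table above describes: a code path that never executed in the sandbox leaves no event behind, and that is what static analysis has to fill in.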