Feed All posts
Search…
Cybersecurity from Scratch · Part 10
· 15 min read · Cybersecurity

Malware types and analysis basics

In this series (16 parts)
  1. How attackers think: the attacker mindset
  2. Networking fundamentals for security
  3. Cryptography fundamentals
  4. Public key infrastructure and certificates
  5. Authentication and authorization
  6. Web application security: OWASP Top 10
  7. Network attacks and defenses
  8. Linux privilege escalation
  9. Windows security fundamentals
  10. Malware types and analysis basics
  11. Reconnaissance and OSINT
  12. Exploitation basics and CVEs
  13. Post-exploitation and persistence
  14. Defensive security: hardening and monitoring
  15. Incident response
  16. CTF skills and practice labs

Malware is software designed to do harm. It ranges from simple scripts that delete files to sophisticated programs that encrypt entire networks for ransom. Understanding what malware looks like, how it behaves, and how to safely analyze it is essential for incident responders, security analysts, and anyone who deals with compromised systems.

Prerequisites

You should understand how attackers think and basic Linux command line tools.

Types of malware

Virus

A virus attaches itself to a legitimate program or file. When the host file runs, the virus code executes too. Viruses need human action to spread (opening a file, running a program).

Worm

A worm is self-replicating malware that spreads automatically across networks without human interaction. It exploits vulnerabilities in network services to move from machine to machine. Notable example: WannaCry (2017) exploited an SMB vulnerability to spread across networks in minutes.

Trojan

A trojan disguises itself as legitimate software. The user installs it thinking it is useful, but it contains hidden malicious functionality. Unlike viruses, trojans do not self-replicate.

Ransomware

Ransomware encrypts files and demands payment for the decryption key. Modern ransomware also steals data before encrypting (double extortion: pay to decrypt AND pay to prevent data leak).

The encryption typically uses a combination of symmetric and asymmetric cryptography: files are encrypted with AES (fast), and the AES key is encrypted with the attacker’s RSA public key (so only the attacker can decrypt it).

Rootkit

A rootkit hides deep in the system, modifying the operating system to conceal its presence. Kernel-level rootkits are particularly dangerous because they can hide files, processes, and network connections from all userspace tools.

Spyware

Spyware silently collects information: keystrokes, screenshots, browsing history, credentials. It sends the collected data to the attacker’s server.

Static vs dynamic analysis

AspectStatic analysisDynamic analysis
ExecutionMalware is NOT runMalware IS run
EnvironmentAny machineIsolated sandbox
SpeedFast initial triageSlower, requires setup
EvasionCannot detect runtime behaviorCan trigger anti-analysis checks
Toolsstrings, file, hexdump, disassemblersSandboxes, debuggers, process monitors

Static analysis: examining without executing

Step 1: File identification

# Determine file type
file suspicious_file

Output:

suspicious_file: PE32+ executable (GUI) x86-64, for MS Windows
# Calculate hash for threat intel lookup
sha256sum suspicious_file

Output:

a1b2c3d4e5f6...7890abcdef  suspicious_file
# Check the hash against VirusTotal (using their API or web)
# https://www.virustotal.com/gui/file/a1b2c3d4e5f6...

Step 2: String extraction

# Extract readable strings
strings suspicious_file | head -50

Output:

!This program cannot be run in DOS mode.
.text
.rdata
cmd.exe
powershell.exe -enc
http://evil.com/beacon
/tmp/.hidden_config
CreateRemoteThread
VirtualAllocEx
WriteProcessMemory
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Red flags:

  • References to cmd.exe and powershell.exe with encoded commands
  • A URL that looks like a command-and-control (C2) server
  • Windows API calls related to process injection (CreateRemoteThread, VirtualAllocEx)
  • Registry paths for persistence (Run key)
  • Hidden config files in /tmp

Step 3: Examine metadata

# For PE files, check import tables
objdump -x suspicious_file | grep -A 5 "Import"

# For scripts
cat suspicious_script.ps1 | head -30

Dynamic analysis: observing behavior

⚠ Only run malware in an isolated sandbox environment. Never on your host machine, never on a network connected to production systems.

Common sandbox tools:

  • Cuckoo Sandbox / CAPE: automated malware analysis
  • Any.run: interactive cloud sandbox
  • REMnux: Linux distribution for malware analysis

What to observe:

  • File system changes (what files does it create, modify, delete?)
  • Network connections (what IPs/domains does it contact?)
  • Process creation (what child processes does it spawn?)
  • Registry changes (Windows, for persistence)
  • System calls

Example 1: Triage a suspicious file

You received a suspicious email attachment. Here is the triage workflow:

# Step 1: Identify the file
file attachment.pdf

Output:

attachment.pdf: PE32 executable (GUI) Intel 80386, for MS Windows

The file claims to be a PDF but is actually a Windows executable. This is a classic social engineering trick.

# Step 2: Hash it
sha256sum attachment.pdf
md5sum attachment.pdf

Output:

e3b0c44298fc1c149afbf4c8996fb924...  attachment.pdf
d41d8cd98f00b204e9800998ecf8427e    attachment.pdf
# Step 3: Check strings for indicators
strings attachment.pdf | grep -iE "http|cmd|powershell|exe|dll|registry|tmp|temp"

Output:

cmd.exe /c
http://198.51.100.23:8080/payload
C:\Users\Public\update.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
powershell -WindowStyle Hidden -enc JABzAD0ATg...

Indicators found:

  • C2 server at 198.51.100.23:8080
  • Drops a file to C:\Users\Public\update.exe
  • Adds registry run key for persistence
  • Executes encoded PowerShell
# Step 4: Decode the Base64 PowerShell
echo "JABzAD0ATg..." | base64 -d
# Step 5: Search the hash on VirusTotal or other threat intel platforms
# If the hash is already known, you get detection names and behavioral reports

Example 2: Identify common malware indicators

Here are patterns to look for when analyzing files:

Network indicators (IOCs):

# Extract URLs and IPs from a binary
strings suspicious_file | grep -oP 'https?://[^\s"]+' 
strings suspicious_file | grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'

Output:

http://evil.com/gate.php
http://198.51.100.23/update
198.51.100.23
203.0.113.42

Persistence indicators:

# Windows registry run keys in strings
strings suspicious_file | grep -i "currentversion\\\\run"

# Linux persistence in strings
strings suspicious_file | grep -iE "crontab|\.bashrc|systemd|init\.d"

Obfuscation indicators:

# High entropy sections (encrypted or compressed payloads)
# Check if strings output is very sparse compared to file size
echo "File size: $(wc -c < suspicious_file) bytes"
echo "Strings found: $(strings suspicious_file | wc -l) lines"

If a 500KB file only has 10 readable strings, it is likely packed or encrypted.

Behavioral categories to document:

CategoryIndicatorMeaning
C2 communicationURLs, IPs, DNS lookupsCalls home for commands
PersistenceRegistry keys, cron, servicesSurvives reboot
Credential theftStrings referencing SAM, shadow, LSASSStealing passwords
Lateral movementSMB, WMI, SSH referencesSpreading to other systems
Data exfiltrationUpload functions, external IPsStealing data
Anti-analysisVM detection, debugger checksTrying to evade sandboxes

What comes next

The next article covers Reconnaissance and OSINT, where you will learn how attackers gather information before launching an attack, and what defenders can do about it.

For the incident response process that follows malware discovery, see article 15.

Future article ideas:

  • Reverse engineering with Ghidra
  • Writing YARA rules for malware detection
  • Memory forensics with Volatility
← Back to all series
Start typing to search across all content
navigate Enter open Esc close