
MALWARE ANALYSIS CHEAT SHEET

The analysis and reversing tips behind this reference are covered in the SANS Institute course FOR610: Reverse-Engineering Malware.

Overview of the Malware Analysis Process
1. Use automated analysis sandbox tools for an initial assessment of the suspicious file.
2. Set up a controlled, isolated laboratory in which to examine the malware specimen.
3. Examine static properties and meta-data of the specimen for triage and early theories.
4. Emulate code execution to identify malicious capabilities and contemplate next steps.
5. Perform behavioral analysis to examine the specimen's interactions with its environment.
6. Analyze relevant aspects of the code statically with a disassembler and decompiler.
7. Perform dynamic code analysis to understand the more difficult aspects of the code.
8. If necessary, unpack the specimen.
9. Repeat steps 4-8 above as necessary (the order may vary) until analysis objectives are met.
10. Augment your analysis using other methods, such as memory forensics and threat intel.
11. Document findings, save analysis artifacts and clean up the laboratory for future analysis.

Behavioral Analysis
Be ready to revert to a good state via virtualization snapshots, Clonezilla, dd, FOG, PXE booting, etc.
Monitor local interactions (Process Hacker, Process Monitor, ProcDOT, Noriben).
Detect major local changes (RegShot, Autoruns).
Monitor network interactions (Wireshark, Fiddler).
Redirect network traffic (fakedns, accept-all-ips).
Activate services (INetSim or actual services) requested by malware and reinfect the system.
Adjust the runtime environment for the specimen as it requests additional local or network resources.

Ghidra for Static Code Analysis
Go to specific destination: g
Show references to instruction: Ctrl+Shift+f
Insert a comment: ;
Follow jump or call: Enter
Return to previous location: Alt+Left
Go to next location: Alt+Right
Undo: Ctrl+z
Define data type: t
Add a bookmark: Ctrl+d
Text search: Ctrl+Shift+e
Add or edit a label: l
Disassemble values: d

x64dbg/x32dbg for Dynamic Code Analysis
Run the code: F9
Step into/over instruction: F7 / F8
Execute until selected instruction: F4
Execute until the next return: Ctrl+F9
Show previous/next executed instruction: - / +
Return to previous view: *
Go to specific expression: Ctrl+g
Insert comment / label: ; / :
Show current function as a graph: g
Set software breakpoint on specific instruction: Select instruction » F2
Set software breakpoint on API: Go to Command prompt » SetBPX API Name
Highlight all occurrences of the keyword in disassembler: h » Click on keyword
Assemble instruction in place of selected one: Select instruction » Spacebar
Edit data in memory or instruction opcode: Select data or instruction » Ctrl+e
Extract API call references: Right-click in disassembler » Search for » Current module » Intermodular calls

Unpacking Malicious Code
Determine whether the specimen is packed by using Detect It Easy, Exeinfo PE, Bytehist, peframe, etc.
To try unpacking the specimen quickly, infect the lab system and dump from memory using Scylla.
For more precision, find the Original Entry Point (OEP) in a debugger and dump with OllyDumpEx.
To find the OEP, anticipate the condition close to the end of the unpacker and set the breakpoint.
Try setting a memory breakpoint on the stack in the unpacker's beginning to catch it during cleanup.
To get closer to the OEP, set breakpoints on APIs such as LoadLibrary, VirtualAlloc, etc.
To intercept process injection, set breakpoints on VirtualAllocEx, WriteProcessMemory, etc.
If you cannot dump cleanly, examine the packed specimen via dynamic code analysis while it runs.
Rebuild imports and other aspects of the dumped file using Scylla and pe_unmapper.

Bypassing Other Analysis Defenses
Decode obfuscated strings statically using FLOSS, xorsearch, Balbuzard, etc.
Decode data in a debugger by setting a breakpoint after the decoding function and examining results.
Conceal x64dbg/x32dbg via the ScyllaHide plugin.
To disable anti-analysis functionality, locate and patch the defensive code using a debugger.
Look out for tricky jumps via TLS, SEH, RET, CALL, etc. when stepping through the code in a debugger.
If analyzing shellcode, use scdbg and runsc.
Disable ASLR via setdllcharacteristics, CFF Explorer.
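As an added example (not part of the cheat sheet), a Python triage script for the packing check under Unpacking Malicious Code: it walks the PE section table by hand and flags any section whose byte entropy approaches 8 bits, the signal that tools like Detect It Easy combine with packer signatures. The minimal PE builder, the section names, the 7.0 threshold and both sample images are constructed for this demonstration.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    # Bits per byte (0..8); compressed or encrypted sections sit close to 8
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def section_entropies(pe: bytes) -> list:
    # Walk the PE section table by hand (no third-party parser) and score each section
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                      # section headers follow the optional header
    result = []
    for hdr in range(table, table + 40 * num_sections, 40):
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)   # SizeOfRawData, PointerToRawData
        result.append((name, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result

def looks_packed(pe: bytes, threshold: float = 7.0) -> bool:
    # Triage heuristic only (constructed threshold): a section at or above it suggests packing
    return any(ent >= threshold for _, ent in section_entropies(pe))

def build_sample_pe(sections: list) -> bytes:
    # Constructed minimal PE32+ image; only the header fields read above are meaningful
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)      # 64-byte DOS header, e_lfanew = 0x40
    opt = struct.pack("<H", 0x20B) + bytes(0xEE)             # 240-byte PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0, len(data), raw_ptr,
                             0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + blobs

# Constructed specimens: an unpacked-looking image, and one whose UPX1 body is a
# uniform byte distribution standing in for a compressed section
PLAIN_PE = build_sample_pe([(b".text", b"This program cannot be run in DOS mode.\r\n" * 64),
                            (b".data", bytes(512))])
PACKED_PE = build_sample_pe([(b"UPX0", bytes(64)), (b"UPX1", bytes(range(256)) * 16)])
```

Run `section_entropies()` on a real dump before and after unpacking: the high-entropy section should be replaced by code-like values once the OEP dump and import rebuild succeed.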

Authored by Lenny Zeltser, who is the CISO at Axonius and Faculty Fellow at SANS Institute. You can find him at twitter.com/lennyzeltser and zeltser.com.
Download this and other Lenny’s security cheat sheets from zeltser.com/cheat-sheets. Creative Commons v3 “Attribution” License for this cheat sheet version 2.2.
