Objective

Perform basic static and dynamic analysis of suspected malicious files in an isolated environment.

Tools & Technologies

  • file
  • strings
  • strace
  • ltrace
  • sandbox
  • YARA

Key Commands

file suspicious
strings suspicious | grep -i 'http\|password\|cmd'
strace ./suspicious 2>&1 | head -50
# Hash lookup only (needs a VirusTotal API key in $VT_API_KEY); do not upload the sample itself
sha256sum suspicious
curl -H "x-apikey: $VT_API_KEY" "https://www.virustotal.com/api/v3/files/$(sha256sum suspicious | cut -d' ' -f1)"

Architecture Overview

flowchart TD
    SAMPLE[Suspicious File] --> STATIC[Static Analysis]
    STATIC --> HASH[Hash & VirusTotal]
    HASH --> STRINGS[strings extraction]
    STRINGS --> DISASM[Disassembly\nghidra / radare2]
    SAMPLE --> DYNAMIC[Dynamic Analysis]
    DYNAMIC --> SANDBOX[Isolated Sandbox\nno real network]
    SANDBOX --> STRACE[strace / ltrace\nsyscall monitoring]
    STRACE --> NETWORK[tcpdump\nnetwork artifacts]
    NETWORK --> REPORT[IOC Report]
    style STATIC fill:#1a1a2e,stroke:#00d4ff,color:#e0e0e0
    style DYNAMIC fill:#1a1a2e,stroke:#ffd700,color:#ffd700
    style SANDBOX fill:#1a1a2e,stroke:#ff4444,color:#ff4444

Step-by-Step Process

01
Static Analysis

Examine the file without executing it.

# Identify file type
file suspicious

# Extract printable strings
strings suspicious | head -100
strings suspicious | grep -iE 'http|password|exec|/tmp|/etc/passwd'

# Hash for VirusTotal lookup
sha256sum suspicious
md5sum suspicious

# Inspect executable headers: objdump -f reads PE (Windows EXE) as well as ELF, readelf -h is ELF-only
objdump -f suspicious
readelf -h suspicious
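
As an added example (not part of the original page), the static steps above combined into a small POSIX sh triage helper. It assumes only coreutils: extract_strings is a tr/grep stand-in for `strings -n 4` (so it also works where binutils is missing), find_iocs applies the same grep patterns as above plus /bin/sh, and make_sample writes a constructed blob with a few planted strings so the helper can be exercised without a real sample. The function names and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): static triage helper.
# Assumes a POSIX sh with coreutils (tr, grep, sha256sum); `file` is optional.
set -u

# Printable runs of 4+ chars: a tr/grep stand-in for `strings -n 4`.
extract_strings() {
  tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Same IOC patterns as the grep above (plus /bin/sh, used in the YARA step), deduplicated.
find_iocs() {
  extract_strings "$1" | grep -iE 'https?://|password|exec|/bin/sh|/tmp|/etc/passwd' | sort -u
}

# SHA-256 only: the hash is what gets looked up, the sample itself stays in the VM.
sha256_of() {
  sha256sum "$1" | cut -d' ' -f1
}

# Print a compact triage summary for one file.
triage() {
  f=$1
  printf '== %s ==\n' "$f"
  if command -v file >/dev/null 2>&1; then file "$f"; fi
  printf 'sha256: %s\n' "$(sha256_of "$f")"
  printf '%s\n' '-- IOC strings --'
  find_iocs "$f"
}

# Constructed sample: a few bytes of junk with planted strings (not real malware).
make_sample() {
  printf 'ELF\001\002\000http://203.0.113.5/stage2\000\000abc\000/bin/sh -i\000\000hello\000rm -rf /tmp/.x\000' > "$1"
}

# Usage: sh triage.sh /path/to/sample
if [ "${1:-}" ]; then triage "$1"; fi
```

The IOC grep deliberately includes `/tmp` and `/bin/sh`: the strings found here are what the YARA step later turns into signatures, so keeping the extraction and the rule in the same terms avoids rules that match nothing.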

02
Dynamic Analysis in Sandbox

Run in an isolated environment and observe behaviour.

# Isolate first: snapshot VM, disable network or use fakenet
# Monitor system calls
strace -f ./suspicious 2>&1 | grep -E 'open|connect|exec|write'

# Monitor library calls
ltrace ./suspicious 2>&1 | head -50

# Monitor file changes
inotifywait -r -m /tmp /etc 2>&1 &
./suspicious
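
An added example, not from the original page, of turning a trace into IOCs rather than reading it line by line. The functions assume the trace was written with `strace -f -o trace.log ./suspicious` (pid-prefixed lines; the `[pid N]` prefix strace uses when writing to stderr is accepted as well) and pull out files opened for writing, connect() endpoints and execve() calls. make_strace_log writes a constructed trace (TEST-NET address, refused connection as expected in a sandbox with no real network); the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): pull IOCs out of an strace log.
# Assumes a trace written with `strace -f -o trace.log ./suspicious`; lines
# carrying strace's stderr-style "[pid N]" prefix are accepted as well.
set -u

# Optional per-line prefix: "4242  " (with -o) or "[pid  4242] " (on stderr).
PFX='^(\[pid +[0-9]+\] +|[0-9]+ +)?'

# Every path passed to open()/openat().
strace_opened_files() {
  grep -E "${PFX}open(at)?\(" "$1" \
    | sed -E 's/.*open(at)?\([^"]*"([^"]*)".*/\2/' | sort -u
}

# Only paths opened for writing or creation: dropped files, modified configs.
strace_written_files() {
  grep -E "${PFX}open(at)?\(" "$1" | grep -E 'O_WRONLY|O_RDWR|O_CREAT' \
    | sed -E 's/.*open(at)?\([^"]*"([^"]*)".*/\2/' | sort -u
}

# connect() targets as ip:port (IPv4 sockaddr form).
strace_connects() {
  grep -E "${PFX}connect\(" "$1" \
    | sed -nE 's/.*sin_port=htons\(([0-9]+)\).*inet_addr\("([^"]+)"\).*/\2:\1/p' | sort -u
}

# Programs executed, including children followed via -f.
strace_execs() {
  grep -E "${PFX}execve\(" "$1" \
    | sed -E 's/.*execve\("([^"]+)", \[([^]]*)\].*/\1 [\2]/' | sort -u
}

# One report with all three views.
strace_report() {
  printf '%s\n' '-- files written --'; strace_written_files "$1"
  printf '%s\n' '-- network --';       strace_connects "$1"
  printf '%s\n' '-- processes --';     strace_execs "$1"
}

# Constructed trace (not real output): the sample reads /etc/passwd, drops a
# script in /tmp, tries a TEST-NET address (refused, as expected with no real
# network) and spawns a shell.
make_strace_log() {
  cat > "$1" <<'EOF'
4242  execve("./suspicious", ["./suspicious"], 0x7ffd5a1b2c30) = 0
4242  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242  openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3
4242  openat(AT_FDCWD, "/tmp/.x", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 4
4242  write(4, "#!/bin/sh\n", 10) = 10
4242  socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 5
4242  connect(5, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.5")}, 16) = -1 ECONNREFUSED (Connection refused)
4242  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f0c1e2b3a10) = 4243
4243  execve("/bin/sh", ["/bin/sh", "-i"], 0x55d3a2c4e0a0) = 0
4242  exit_group(0) = ?
EOF
}

# Usage: sh strace_iocs.sh trace.log
if [ "${1:-}" ]; then strace_report "$1"; fi
```

Writing the trace with `-o` rather than `2>&1` keeps the sample's own stderr out of the log, which is what makes line-oriented parsing like this reliable; the refused connection is still an IOC (destination and port) even though nothing was sent.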

03
YARA Rules

Write detection signatures for the found IOCs.

# Example YARA rule
rule SuspiciousStrings {
  strings:
    $url = "http://malicious.domain"
    $cmd = "/bin/sh -i"
  condition:
    any of them
}

# Scan
yara myrule.yar /suspect/file
yara -r myrule.yar /tmp/
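
Added example (not the page's own code) for the YARA step: generate the rule from a list of IOC strings instead of typing it by hand, escaping backslashes and double quotes (a Windows path pasted unescaped breaks the rule) and adding `ascii wide` so UTF-16 strings inside PE files match too. The rule name, the IOC list and the sample_sha256 meta value are placeholders, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): build a YARA rule from an IOC list.
set -u

# Escape backslashes and double quotes so the value is a valid YARA text string.
yara_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Read IOC strings one per line from stdin and print a complete rule.
# $1 = rule name (hypothetical), $2 = sample SHA-256 recorded in meta (placeholder).
gen_yara_rule() {
  name=$1
  sha=$2
  i=0
  echo "rule $name {"
  echo "  meta:"
  echo "    description = \"Strings extracted during triage\""
  echo "    sample_sha256 = \"$sha\""
  echo "  strings:"
  while IFS= read -r s; do
    [ -n "$s" ] || continue
    i=$((i + 1))
    # ascii wide: also match the UTF-16LE form common in PE files
    printf '    $s%d = "%s" ascii wide\n' "$i" "$(yara_escape "$s")"
  done
  echo "  condition:"
  echo "    any of them"
  echo "}"
}

# Save the rule read from stdin and, if yara is installed, scan a path with it.
write_and_scan() {
  rule_file=$1
  target=$2
  cat > "$rule_file"
  if command -v yara >/dev/null 2>&1; then
    yara -r "$rule_file" "$target"
  else
    printf '%s\n' "yara not installed; rule written to $rule_file" >&2
  fi
}

# Constructed IOC list (placeholders, not real indicators).
sample_iocs() {
  printf '%s\n' 'http://203.0.113.5/stage2' '/bin/sh -i' 'C:\Users\Public\x.exe'
}

# Usage: sh gen_rule.sh /path/to/scan
if [ "${1:-}" ]; then
  sample_iocs | gen_yara_rule Triage_IOCs PLACEHOLDER_SHA256 | write_and_scan triage.yar "$1"
fi
```

Recording the sample hash in meta ties the rule back to the analysis it came from; `any of them` is the right condition for a first triage rule, but a single generic string such as /bin/sh -i will also fire on legitimate tools, so tighten the condition (or drop the string) before the rule goes into a scanner that runs across a fleet.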

Challenges & Solutions

  • NEVER run malware on a production system or connected network
  • Malware may detect sandbox environment and behave differently

Key Takeaways

  • Isolate analysis VM: disable host networking, use snapshots
  • Hash lookup on VirusTotal is safe — only upload samples to trusted services