
Malware Analysis for Beginners

A structured walkthrough of malware analysis techniques — from sample acquisition through static and dynamic analysis — using industry-standard tools.

Digital Forensics
Wireshark
Volatility
Incident Response

01 Introduction

Malware analysis is the process of examining malicious software to understand its structure, functionality, behavior, and impact on a system or network. The goal is not only to identify that a file is malicious, but to determine how it operates, what systems it targets, and what actions it performs after infection.

Malware analysts investigate suspicious files to uncover techniques used by attackers — such as data exfiltration, credential theft, system persistence, or command-and-control (C2) communication. Through careful examination, analysts can identify Indicators of Compromise (IOCs) such as malicious IP addresses, domains, file hashes, registry keys, and suspicious processes.

Why it matters: These indicators help organizations detect similar attacks across their infrastructure and improve their overall security posture. Malware analysis is an essential capability in SOCs, incident response teams, threat intelligence units, and digital forensics investigations.
Figure: Malware analysis overview

02 Background

Malicious software has evolved significantly over the past decades. Early malware was relatively simple and intended to cause disruption. Modern malware is often developed by organized cybercriminal groups or nation-state actors and designed to achieve objectives such as financial gain, espionage, or system sabotage.

Today, malware can enter systems through multiple attack vectors:

  • Phishing emails with malicious attachments
  • Drive-by downloads from compromised websites
  • Exploitation of software vulnerabilities
  • Malicious removable devices
  • Compromised software supply-chain updates

Once inside a system, malware can steal sensitive data, encrypt files for ransom, create backdoors for remote access, or spread laterally across a network. Because of this increasing sophistication, organizations rely heavily on cybersecurity analysts to investigate suspicious files and understand attacker tactics.

03 Tools Used

Malware analysis relies on specialized tools that help investigators examine how malicious software behaves within a system — monitoring network communication, inspecting memory, detecting suspicious processes, and identifying hidden components.

Wireshark (Network Protocol Analyzer)

Figure: Wireshark capturing live network traffic

Wireshark captures and inspects network traffic in real time. During malware analysis, it reveals how malware communicates with external servers — exposing critical information about attacker infrastructure including C2 connections, DNS requests, and data exfiltration attempts.

Wireshark helps analysts identify:

  • Suspicious outbound connections to remote servers
  • DNS requests to malicious or newly registered domains
  • Data exfiltration attempts via HTTP/HTTPS
  • Command-and-control communication patterns
  • Unusual encrypted traffic or protocol anomalies
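As an added example (not code from the original write-up), the following Python script looks for the regular-interval "beaconing" pattern that the C2 communication bullet above refers to, over constructed connection records of the kind an analyst would export from a Wireshark capture. The thresholds `min_count` and `max_jitter` are assumptions, not values from the page.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records: (timestamp in seconds, source IP, destination IP, destination port).
# The first flow contacts its server every ~60 s; the second is irregular, human-like traffic.
CONNECTIONS = [
    (0.0, "10.0.0.5", "203.0.113.7", 443),
    (60.1, "10.0.0.5", "203.0.113.7", 443),
    (119.8, "10.0.0.5", "203.0.113.7", 443),
    (180.2, "10.0.0.5", "203.0.113.7", 443),
    (240.0, "10.0.0.5", "203.0.113.7", 443),
    (3.0, "10.0.0.5", "198.51.100.20", 443),
    (15.0, "10.0.0.5", "198.51.100.20", 443),
    (90.0, "10.0.0.5", "198.51.100.20", 443),
    (200.0, "10.0.0.5", "198.51.100.20", 443),
]


def beacon_candidates(connections, min_count=4, max_jitter=0.1):
    """Group connections by (src, dst, port) and flag flows whose gaps between
    connections are nearly constant (coefficient of variation <= max_jitter)."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in connections:
        by_flow[(src, dst, port)].append(ts)

    results = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_count:          # too few connections to judge regularity
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:                         # all connections at the same instant: not a beacon
            continue
        jitter = pstdev(gaps) / avg          # relative spread of the intervals
        if jitter <= max_jitter:
            results.append({"flow": flow, "count": len(stamps),
                            "interval": round(avg, 1), "jitter": round(jitter, 3)})
    return results


if __name__ == "__main__":
    for hit in beacon_candidates(CONNECTIONS):
        print(f"possible beacon: {hit}")
```

Flagged flows are leads for the analyst to inspect in Wireshark, not verdicts; legitimate update checks also run on timers.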

Volatility (Memory Forensics Framework)

Figure: Volatility memory forensics output

Volatility is an open-source memory forensics framework used to analyze RAM dumps from infected systems. Unlike disk-based analysis, memory analysis provides visibility into processes and activities that may never touch the hard drive — making it essential for detecting fileless malware and process injection techniques.

Using Volatility, analysts can:

  • Identify running and hidden processes
  • Detect injected malware code within legitimate processes
  • Analyze active network connections at the time of capture
  • Extract malware components directly from memory
  • Investigate registry and file system artifacts

Together, Wireshark and Volatility provide complementary insights — network communication vs. in-memory process activity — giving investigators a complete picture of malware behavior in a compromised environment.

04 Investigation Process

A structured investigation process ensures that malicious samples are examined safely and methodically. Analysts follow a series of phases, from initial acquisition through detailed behavioral analysis.

Step 01: Sample Collection

The suspicious file is obtained from compromised systems, security alerts, IDS, or endpoint tools. It is handled carefully in an isolated VM or malware lab to prevent accidental execution, and file integrity is preserved by storing the sample in encrypted archives.

Step 02: Initial Identification

File hashes (MD5, SHA1, SHA256) are calculated and compared against known malware databases. File extension, format, and true file type are verified using header inspection — attackers often disguise malicious files with misleading extensions.

Step 03: Static Analysis

The malware is examined without executing it. Investigators extract strings, inspect imported API calls, and examine binary structure. Suspicious functions related to networking, file manipulation, or privilege escalation are flagged as potential indicators.

Step 04: Dynamic Analysis

The malware is executed in an isolated sandbox or VM. Analysts monitor file creation, registry changes, process spawning, and network connections in real time — revealing behaviors hidden during static analysis such as decrypted payloads or staged downloads.

Step 05: Network Monitoring

Network traffic is captured during execution to identify C2 connections, unusual protocols, encrypted communications, and bypass attempts. IP addresses, domains, and URLs discovered become actionable IOCs for blocking and detection.
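As an added example (not code from the original write-up), the Python script below performs the non-executing parts of the process above in one pass: it computes the three hashes from Initial Identification, checks the true file type from the header against the claimed extension, and extracts printable strings and network IOCs as in Static Analysis. The signature table, the extension mapping and the sample bytes are constructed for this example and are assumptions, not data from the page.

```python
import hashlib
import re

# Constructed signature table (assumption: only these headers are recognised).
MAGIC = {
    b"MZ": "pe",            # Windows EXE/DLL
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/jar containers
}
# Header a file claiming this extension should really have (constructed mapping).
EXPECTED = {"exe": "pe", "dll": "pe", "pdf": "pdf", "zip": "zip", "docx": "zip", "jar": "zip"}
# URLs, dotted-quad IPs and a few common TLDs located in the raw bytes.
IOC_RE = re.compile(rb"https?://[\w./-]+|(?:\d{1,3}\.){3}\d{1,3}|[\w-]+\.(?:com|net|org|io)\b")


def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def true_type(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXPECTED.get(ext) != true_type(data)


def ascii_strings(data: bytes, min_len: int = 6) -> list:
    # Runs of printable ASCII (0x20-0x7e) at least min_len long, like the strings tool.
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, data)]


def triage(filename: str, data: bytes) -> dict:
    return {
        "hashes": file_hashes(data),
        "true_type": true_type(data),
        "extension_mismatch": extension_mismatch(filename, data),
        "strings": ascii_strings(data),
        "iocs": sorted({m.decode() for m in IOC_RE.findall(data)}),
    }


# Constructed sample: a PE-style header padded with a URL and an IP, named as if it were a PDF.
SAMPLE_NAME = "invoice.pdf"
SAMPLE = b"MZ\x90\x00" + b"\x00" * 12 + b"http://example.invalid/update.bin\x00" + b"192.0.2.10\x00"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NAME, SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a real sample only inside the isolated lab environment described in Step 01; reading the bytes is safe, but the file should never be opened with its associated application.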
Figure: Static analysis — examining binary structure without execution
Figure: Dynamic analysis — observing runtime behavior in an isolated environment
Figure: Network monitoring — capturing traffic during malware execution

05 Findings

During malware analysis, investigators commonly uncover several key indicators that reveal how the malicious software operates and what objectives the attacker is pursuing.

C2 Communication

Malware connects to attacker-controlled servers via HTTP, HTTPS, or DNS to receive commands and exfiltrate data. Identifying and blocking C2 infrastructure disrupts attacker control.

Suspicious File Creation

Malware drops additional files — hidden executables, config files, or secondary payloads — often stored in system or temp directories to evade detection.

Registry Modifications

Persistence mechanisms via Windows registry entries ensure the malware survives reboots. Removing the malware without also removing these entries results in reinfection.

Payload Downloads

Many malware variants act as initial loaders, fetching more sophisticated components — ransomware, spyware, credential stealers — once the initial foothold is established.

06 Lessons Learned

Malware investigations provide valuable insights that improve security posture and strengthen incident response capabilities. Recurring patterns across investigations reveal systemic weaknesses and attacker preferences.

  • Phishing remains the most common initial access vector — user awareness training and strong email security controls are essential first lines of defense.
  • Persistence is almost universal — registry modifications, scheduled tasks, and malicious services ensure malware survives reboots. Thorough removal must address all persistence mechanisms.
  • Network monitoring is critical — monitoring outbound connections and flagging unusual traffic patterns frequently reveals compromised systems before significant damage occurs.
  • Isolated analysis environments are non-negotiable — executing suspicious files outside a sandbox or VM can lead to uncontrolled spread and severe consequences.
  • Memory forensics uncovers what disk analysis misses — fileless malware and process injection are only visible in RAM, making Volatility-style analysis indispensable.

07 Conclusion

Malware analysis is a fundamental capability in modern cybersecurity operations. As threats continue to evolve, organizations must be able to quickly identify, analyze, and respond to malicious software to protect their systems and sensitive information.

By studying malware behavior, security analysts gain valuable insight into attacker techniques, tools, and strategies. This knowledge enables them to identify IOCs, improve detection mechanisms, and implement stronger defensive controls — and feeds directly into threat intelligence that benefits the wider security community.

Key takeaway: Developing strong malware analysis skills allows cybersecurity professionals to better understand the threat landscape and proactively defend against emerging attacks. Through continuous learning and careful investigation, analysts can reduce the impact of malware and help maintain the security and resilience of modern digital systems.