Malware analysis is a process of identifying malware behavior, what they are doing, what they want, and what their main goals are. Malware analysis involves a complex process in its activity. Forensics, reverse engineering, disassembly, debugging, these activities take a lot of time in the progress. The goal of malware analysis is to gain an understanding of how a malware works, so that we can protect our organization by preventing malware attacks.
There are two common methodologies of the malware analysis process commonly used by malware analysts: static analysis (or code analysis) and dynamic analysis (or behavior analysis). These two techniques allow analysts to understand quickly, and in detail, the risks and intentions of a given sample malware.
For performing static analysis, you need a strong understanding in programming and x86 assembly language concept. During the static analysis process, you don't have to execute the malware. Generally, the source code of malware samples is not readily available. You have to do disassembling and decompiling first, and after successfully performing reverse engineering you can analyze the low-level assembly code. Most malware analysts perform a static analysis at an earlier stage in the malware analysis process because it is safer than dynamic analysis. The challenge in static analysis is the complexity in modern malware, where some of the malware implement anti-debugging systems to prevent malware analysts from analyzing the pieces of code.
Dynamic analysis (behavior analysis) is a process in malware analysis that performs an execution of the malware itself and observes the malware activity. It also observes the changes that occur when the malware is being executed. Infecting a system with malware from the wild can be very dangerous. Malware infection on your system can cause damage to your system such as file deletion, change in registry, file modification, stealing confidential data/information, and so on. When performing malware analysis, you need a safe environment and the network should not connect to production networks. With dynamic analysis, you can monitor the changes made to the filesystem, registry, processes, and its network communication. The advantage of performing dynamic analysis is that you can fully understand how a malware works.
To handle the number of malware samples, some automated malware analysis techniques have been developed. Automating some aspects of malware analysis is critical for organizations processing large numbers of malicious programs. Automation will allow analysts to focus more on the tasks that need more attention in human analysis.
When using Cuckoo as an automated malware analysis tool, it is expected to reduce the amount of time analyzing a malware in a conventional way. There are some steps in dynamic malware analysis that require a lot of time; one of the instances are while we're setting up a virtualized environment for a malware to run. The process may seem easy, but if we have several malware to analyze, it will be pretty time-consuming.