Basic static analysis examines malware without viewing the actual code or instructions. It employs different tools and techniques to quickly determine whether a file is malicious, provide information about its functionality, and collect technical indicators that can be used to produce simple signatures. Technical indicators gathered with basic static analysis can include the file name, MD5 checksums or other hashes, file type, file size, and whether antivirus detection tools already recognize the file.

Basic dynamic analysis actually runs the malware to observe its behavior, understand its functionality, and identify technical indicators that can be used in detection signatures. Technical indicators revealed with basic dynamic analysis can include domain names, IP addresses, file path locations, registry keys, additional files dropped on the system or network, or communication with an attacker-controlled external server in an attempt to download additional malware files.

Advanced static analysis loads the malware into a disassembler to reverse engineer and analyze the program instructions and determine program functionality. Advanced analysis requires deeper skills and an understanding of assembly, code constructs, and how operating systems use code libraries. Advanced techniques can provide additional details about malware that are not generally revealed through basic analysis.

Advanced dynamic analysis uses a debugger and other specialized tools to examine the execution of malware while it is active. In some cases basic dynamic analysis may not provide useful results, or the malware may require additional information before it will run. Using a debugger to manually step through the malware's program code provides another way to extract detailed information from malware files.
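As an added illustration of the basic static analysis step described above (example code written for this page, not taken from any tool it mentions), the script below collects the technical indicators the text lists, file name, size, type by magic bytes, MD5 and SHA-256 hashes and printable strings, without executing the file, and turns the hash into a simple YARA signature. The magic-byte table and the sample bytes are constructed assumptions, not real malware.

```python
import hashlib
import re
from dataclasses import dataclass, field
# Magic-byte prefixes for common executable formats (assumed minimal set).
MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (JAR/APK/Office)",
}

@dataclass
class Indicators:
    name: str
    size: int
    file_type: str
    md5: str
    sha256: str
    strings: list = field(default_factory=list)

def identify_type(data: bytes) -> str:
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"

def extract_strings(data: bytes, min_len: int = 6) -> list:
    # Printable ASCII runs of at least min_len bytes, like the `strings` tool.
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(name: str, data: bytes) -> Indicators:
    # Collect the indicators basic static analysis produces, without running the file.
    return Indicators(
        name=name, size=len(data), file_type=identify_type(data),
        md5=hashlib.md5(data).hexdigest(),
        sha256=hashlib.sha256(data).hexdigest(),
        strings=extract_strings(data),
    )

def to_yara(ind: Indicators) -> str:
    # Turn the hash into a simple YARA signature (uses YARA's hash module).
    return (
        'import "hash"\n'
        f"rule sample_{ind.md5[:8]} {{\n"
        "    condition:\n"
        f'        hash.sha256(0, filesize) == "{ind.sha256}"\n'
        "}\n"
    )

# Constructed sample: fake PE header plus a staging URL; not real malware.
SAMPLE = b"MZ" + b"\x00" * 60 + b"http://example.invalid/stage2.bin\x00"
```

Run `triage("sample.exe", open(path, "rb").read())` on a real file to get the same indicator set; the extracted strings are often where URLs, file paths and registry keys first show up before any dynamic analysis.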