Malware Analysis
Tools
Note: Download Sysinternals Suite. It contains a lot of the tools.
Stages
Basic Static Analysis
Advanced Static Analysis
Basic Dynamic Analysis
Advanced Dynamic Analysis
Basic Static Analysis Steps (Any.run, VirusTotal, FileScan.io are helpful)
Hash the file & Virustotal
File command Linux
Strings & FLOSS
Detect It Easy, CFF Explorer, PE Studio
- Entropy (0-4=Low, 4-6=Normal, 6-7=High, 7-8=Very High)
Dependency Walker
Resource Hacker
ELF Analysis Commands:
objdump -d sample
objdump -h sample
readelf -a sample
readelf -S sample
objdump -x sample
ldd sample
nm sample
Custom
ClamAV
YARA
Advanced Static Analysis (Disassembly - Any one of the below)
IDA
Ghidra
Cutter
Basic Dynamic Analysis
ProcMon
ProcExp
Wireshark
Volatility
RegShot
TCPView
Advanced Dynamic Analysis
WinDBG
OllyDBG
Malware Analysis Workflow: What to Look For in Each Tool
1. Basic Static Analysis
Goal:
Understand capabilities without execution.
Hashing + VirusTotal + ANY.RUN + Filescan.io
Look For
Detection ratio
Existing malware family names
Community comments
MITRE ATT&CK techniques
Network IOCs
Domains/IPs
Dropped files
Behavior tags
Similar samples
Important
0 detections ≠ safe
New malware may be undetected
Check behavior, not only signatures
file
Command (Linux)
file suspicious.exe
Look For
PE32 / PE64
ELF
Script type
DLL
Packed executable
Architecture
Examples:
PE32 executable
ELF 64-bit LSB executable
Python script
Strings
strings sample.exe
Look For
URLs / Domains
C2 servers
Download URLs
Telegram/Discord webhooks
Commands
cmd.exe, powershell, wget, curl
File Paths
Temp folders
Startup folders
AppData
Registry Keys
Run, RunOnce
Malware Indicators
Mutexes
Ransom notes
Crypto wallet strings
Encoded blobs
Base64
XOR artifacts
APIs
CreateRemoteThread, WriteProcessMemory
FLOSS
floss sample.exe
Look For
Decoded hidden strings
Stack strings
Runtime-generated strings
XOR/Base64 decoded data
Important when normal strings look empty.
Detect It Easy (DIE)
Look For
Packers
UPX
Themida
VMProtect
Compiler
Visual Studio
GCC
Delphi
Golang
Rust
Entropy
- High entropy = packed/encrypted
Guide:
0-4 → low
4-6 → normal
6-7 → suspicious
7-8 → packed/encrypted
Architecture
x86
x64
.NET
Suspicious Sections
Random names
UPX sections
RWX permissions
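The entropy guide and the RWX/section-name checks above (which CFF Explorer's Sections view exposes as well), as an added Python example that is not from the page, DIE or CFF Explorer: a minimal PE section-table walker that reports each section's Shannon entropy, the band it falls in per the guide, and whether the section is mapped read-write-execute. build_sample_pe() constructs a toy PE with a flat .text section and an RWX "UPX1" section of uniform bytes; it is not a real binary.

```python
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def shannon_entropy(data):
    """Bits per byte: 0.0 when every byte is the same, 8.0 when all 256 values are equally common."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def entropy_band(h):
    # Bands from the guide above: 0-4 low, 4-6 normal, 6-7 suspicious, 7-8 packed/encrypted
    return "low" if h < 4 else "normal" if h < 6 else "suspicious" if h < 7 else "packed/encrypted"

def pe_sections(data):
    """Walk the PE section table and return name, entropy, band and RWX flag per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER follows the PE signature
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size                 # section headers follow the optional header
    out = []
    for i in range(nsec):
        off = table + 40 * i                     # each IMAGE_SECTION_HEADER is 40 bytes
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        h = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "entropy": round(h, 3), "band": entropy_band(h),
                    "rwx": (chars & RWX) == RWX})
    return out

def build_sample_pe():
    """Constructed toy PE (not a real binary): a flat .text section and an RWX UPX1 section of uniform bytes."""
    def hdr(name, ptr, size, chars):
        return struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, chars)
    data_start = 64 + 4 + 20 + 40 * 2            # DOS header, PE signature, COFF header, two section headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    secs = (hdr(b".text", data_start, 256, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
            + hdr(b"UPX1", data_start + 256, 256, RWX))
    return dos + b"PE\0\0" + coff + secs + b"A" * 256 + bytes(range(256))
```

Run pe_sections() over bytes read from a real sample to get the same per-section report; a section that is both RWX and in the packed/encrypted band is the combination the correlation table at the end of the page calls out.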
PE Studio
Look For
Suspicious APIs
Networking
InternetOpen, WinHttpSendRequest, WSAStartup
Injection
VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
Persistence
RegSetValueEx, CreateService
Anti-Debugging
IsDebuggerPresent
Crypto
CryptEncrypt
Indicators
Blacklisted strings
Embedded URLs
Suspicious imports
TLS callbacks
Suspicious manifests
CFF Explorer
Look For
PE Headers
Suspicious entry point
Broken timestamps
Fake metadata
Sections
RWX permissions
Weird section names
Tiny import table
Import Table
Infer capabilities from imported APIs.
Resources
Embedded payloads
DLLs
Configs
Dependency Walker
Look For
DLL Dependencies
Networking DLLs
Crypto DLLs
Process manipulation DLLs
Injection APIs
CreateRemoteThread, VirtualAllocEx, WriteProcessMemory
Dynamic Loading
LoadLibrary, GetProcAddress
Can indicate:
Runtime API resolution
Evasion
Packers
Resource Hacker
Look For
Embedded EXEs
DLLs
Scripts
Configs
Encoded blobs
Hidden payloads
Ransom notes
Fake icons
Check .rsrc section carefully.
ELF Analysis (Linux Malware)
Commands
readelf -a sample
objdump -x sample
ldd sample
nm sample
strings sample
Look For
readelf
Sections
Entry point
Dynamic imports
objdump
Assembly
Suspicious syscalls
ldd
- Shared libraries
nm
- Exported symbols
Linux Malware Indicators
Reverse shell commands
/bin/sh, execve, ptrace, wget, curl
Custom Detection
ClamAV
clamscan sample.exe
Look For
Known malware signatures
Existing malware family
Remember:
Packed malware often bypasses it.
YARA
yara rules.yar sample.exe
Look For
Malware family patterns
Specific strings
Hex signatures
ATT&CK behavior patterns
Useful for:
Threat hunting
Classification
IOC matching
2. Advanced Static Analysis
Goal:
Understand exact logic and code flow.
Look For
Main Function
Program flow
Startup logic
API Calls
Network
Injection
Registry
Encryption Routines
XOR loops
AES
RC4
C2 Logic
URLs
IPs
DNS
Persistence
Registry writes
Scheduled tasks
Services
Anti-Analysis
IsDebuggerPresent, RDTSC, VM checks
Process Injection
Remote thread creation
Memory allocation
Obfuscation
Junk code
Opaque predicates
Flattened control flow
Config Extraction
Hardcoded keys
Domains
Wallets
3. Basic Dynamic Analysis
Goal:
Observe runtime behavior.
Run ONLY in:
VM
Sandbox
Snapshot-enabled lab
Process Monitor (ProcMon)
Look For
File Activity
Dropped payloads
Temp files
Self-copying
Registry Activity
Run keys, Service creation
Defender tampering
Process Activity
Child processes
PowerShell spawning
LOLBins
Persistence
Startup folders
Scheduled tasks
Process Explorer (ProcExp)
Look For
Parent-child relationships
Suspicious DLL injection
Unsigned modules
High CPU/network usage
Strange handles
Process tree anomalies
Wireshark
Look For
DNS requests
HTTP POSTs
Beaconing
C2 traffic
Exfiltration
TOR traffic
Suspicious TLS
Indicators
Repeating intervals
Unknown IPs
Base64 payloads
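The "Repeating intervals" indicator above, as an added Python example (not from the page or from Wireshark): detect_beacons() groups outbound connections by destination and flags those whose inter-connection interval is nearly constant, which is what a sleep-based C2 beacon looks like even with some jitter. SAMPLE_LOG is a constructed log in a one-line-per-connection "timestamp src dst:port" format (as you would export from Wireshark's Conversations view), not a real capture; the 0.2 jitter ratio and the 4-hit minimum are assumed defaults.

```python
from datetime import datetime
from statistics import median, pstdev

# Constructed connection log (not a real capture): one outbound connection per line.
# 203.0.113.7 is contacted roughly every minute; 192.0.2.9 is irregular browsing-style traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:00:03 10.0.0.5 198.51.100.20:443
2024-05-01T10:00:10 10.0.0.5 192.0.2.9:80
2024-05-01T10:00:12 10.0.0.5 192.0.2.9:80
2024-05-01T10:01:01 10.0.0.5 203.0.113.7:443
2024-05-01T10:01:59 10.0.0.5 203.0.113.7:443
2024-05-01T10:02:40 10.0.0.5 192.0.2.9:80
2024-05-01T10:03:00 10.0.0.5 203.0.113.7:443
2024-05-01T10:03:41 10.0.0.5 198.51.100.20:443
2024-05-01T10:04:02 10.0.0.5 203.0.113.7:443
2024-05-01T10:04:30 10.0.0.5 192.0.2.9:80
2024-05-01T10:04:58 10.0.0.5 203.0.113.7:443
"""

def parse_log(text):
    """Return {dst: [sorted datetimes]} from the constructed log format above."""
    by_dst = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _src, dst = line.split()
        by_dst.setdefault(dst, []).append(datetime.fromisoformat(ts))
    return {dst: sorted(times) for dst, times in by_dst.items()}

def detect_beacons(text, min_hits=4, max_jitter=0.2):
    """Flag destinations contacted at a near-constant interval.

    jitter = stdev(interval) / median(interval): a sleeping beacon scores low even
    with randomised sleep, interactive traffic scores high. Thresholds are assumed."""
    result = {}
    for dst, times in parse_log(text).items():
        if len(times) < 2:
            continue                              # one connection gives no interval
        deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(deltas)
        jitter = pstdev(deltas) / period if period else float("inf")
        result[dst] = {"hits": len(times), "period_s": period, "jitter": round(jitter, 3),
                       "beacon": len(times) >= min_hits and jitter <= max_jitter}
    return result
```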
RegShot
Look For
Take:
Before snapshot
Execute malware
After snapshot
Detect:
Registry changes
Persistence keys
Security modifications
TCPView
Look For
Outbound connections
Listening ports
Repeated callbacks
Unknown foreign IPs
Volatility 3
Look For
Processes
windows.pslist
Injected Code
windows.malfind
DLLs
windows.dlllist
Network
windows.netscan
Handles
windows.handles
Persistence
Hidden processes
RWX memory
Hollowed processes
4. Advanced Dynamic Analysis
Goal:
Understand execution at instruction level.
WinDBG
Look For
Exceptions
Thread creation
API tracing
Memory allocations
Unpacking routines
Shellcode execution
Kernel interactions
Best for:
Kernel malware
Drivers
BSOD analysis
OllyDbg
Look For
Breakpoints
Entry point
API calls
Unpacking
OEP recovery
Memory dumps
Anti-Debugging
Debugger checks
Timing tricks
Execution Flow
Conditional branches
Decryption routines
Runtime Strings
Decrypted config
C2 domains
Big Picture Mindset
Always correlate:
Strings
Imports
Runtime behavior
Memory artifacts
Network traffic
Example:
| Observation | Likely Meaning |
|---|---|
| WriteProcessMemory + RWX memory | Injection |
| High entropy + tiny imports | Packed |
| PowerShell spawn + HTTP POST | Downloader |
| Run key modification | Persistence |
| Beacon every 60 sec | C2 |
| IsDebuggerPresent | Anti-debugging |
The tools give evidence. Your job is correlating evidence into behavior.