Malware Analysis: What Reverse Engineering Your Attacker's Tools Tells You

September 24, 2024

When a malicious file is found during an incident investigation, the immediate instinct is to delete it and move on. That instinct is understandable but expensive. The malicious file is evidence. More than that, it is a source of intelligence. Analysed properly, it can tell you where it was calling home, how it was maintaining persistence, what other capabilities it had, whether it left additional copies of itself elsewhere in the environment, and sometimes who wrote it or what campaign it belongs to. Deleting it without analysis is like finding a letter from the attacker and burning it unread.

Malware analysis is the process of examining malicious software to understand how it works, what it does, and what it reveals about the attacker. In an incident context, it is not primarily an academic exercise. It is a practical investigation technique that produces findings that directly inform the response. Understanding the malware's command-and-control infrastructure tells you what network traffic to block. Understanding its persistence mechanisms tells you what registry keys, scheduled tasks, or service entries to look for on other systems. Understanding its capabilities tells you what data it could have accessed or exfiltrated.

Static and Dynamic Analysis

Malware analysis begins with static analysis, which examines the file without executing it. This involves inspecting strings embedded in the binary, which often include domain names, IP addresses, file paths, and error messages that reveal the malware's intended behaviour. It involves examining the file's structure, imports, and metadata. It involves comparing cryptographic hashes against known malware databases. Static analysis can be done quickly and safely, and it frequently yields enough information to guide the initial response before more detailed analysis is completed.

Dynamic analysis involves executing the malware in a controlled, isolated environment and observing what it does. This reveals behaviours that are not visible from static analysis alone: how it establishes persistence, what registry changes it makes, what network connections it initiates, what files it creates or modifies. The controlled environment is critical. Dynamic analysis performed without proper isolation risks spreading the malware further or alerting the attacker's command-and-control infrastructure that the sample has been detected. Proper dynamic analysis requires a sandboxed environment that is monitored comprehensively and completely isolated from production systems.

What Malware Analysis Reveals

The intelligence value of malware analysis extends well beyond confirming that a file is malicious. Command-and-control domains and IP addresses extracted from a sample tell you what to block at the perimeter and, importantly, whether those connections have already occurred from other systems in your environment. If the attacker's infrastructure is identifiable, your team can search historical network logs for connections to those addresses and discover whether systems other than the initial compromised endpoint were also reaching out.

Persistence mechanisms revealed through analysis tell you exactly what to look for during the broader investigation sweep. If the malware establishes persistence through a specific scheduled task name or a particular registry key, your team can search every system in scope for those indicators rather than performing a general sweep. This makes the investigation more targeted, faster, and more reliable. It also reduces the chance of missing a compromised system because the search criteria were too generic.

Malware Families and Attribution

In many incidents, the malware found is not custom-built for your organisation. It belongs to a known family of tools used by specific threat actor groups. Identifying the malware family through analysis connects the incident to a broader body of knowledge about how that family behaves, what its full capability set is, and how similar incidents involving that family have played out. This intelligence informs decisions about scope and response: some malware families are known to exfiltrate data before deploying ransomware, while others focus purely on persistence and credential theft.

Attribution to a specific threat actor or group is not always possible and is not the primary goal in most incident investigations. What matters more is the tactical intelligence: what this specific sample does in this specific environment. However, when attribution is possible, it can inform decisions about data exfiltration risk, likely ransom demand behaviour, and whether law enforcement involvement is appropriate. Attribution findings also have value for Australian organisations with obligations under security-sensitive regulations, where knowing that a state-aligned threat actor was involved changes the reporting requirements.

Integrating Malware Analysis Into the Investigation

Malware analysis findings should feed directly back into the investigation timeline. The compilation timestamp of a binary, if not spoofed, can confirm or narrow down when the attacker introduced it to the environment. The version number embedded in the malware can indicate whether it was a first-stage or later-stage tool in the attack chain. The command-and-control infrastructure can be compared against network logs to determine exactly when the attacker established communications and how long they maintained them.

This integration requires the malware analyst and the incident investigator to work closely together, sharing findings in real time rather than treating analysis as a separate workstream that delivers a report at the end. In our investigations, malware analysis is a concurrent activity from the point of evidence collection, with findings flowing back into the investigation team as they emerge rather than accumulating into a final deliverable.

If you have found suspicious files in your environment or are dealing with an active incident that involves malware, contact us at info@cyberlinx.com.au. We provide malware analysis as part of our forensic investigation capability and as a standalone service.

Table of Contents
Resource Type
Blogs
Category
DFIR
Written by
Shahbaz Rasheed
Managing Director
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?