# Malware Analysis

* Signatures are not enough today.
* [Virus Total](https://www.virustotal.com/gui/home/upload)
* Yara
* MAEC
* Sandbox – Running malware inside an isolated virtual environment
  * Monitor changes to system files
  * Monitor changes to processes and services
  * Network Activity
  * Low level system calls
  * File creation, change, deletion during execution
  * Scheduled tasks
* Cuckoo Sandbox
* Careful with hypervisor vulnerabilities
* Reverse-Engineering: Figuring out how software works
  * Decompiler
    * Reconstructs approximate high-level source code
    * Obfuscation
    * Pseudo-code
  * Disassembler
    * Binary to assembly code
    * Better file identification
    * Difficult to follow
  * String searching
    * Static strings are stored together in the binary
    * Reveals file names, domains, keys, etc.
  * Program packers
    * Essentially a self-extracting archive wrapped around the real payload
    * Compression, obfuscation
* Exploit Techniques – Methods used by malware to attack a target
  * Viruses
    * Infect files
    * Requires user interaction
  * Worms
    * Propagate over network
    * Does not require interaction
  * Fileless malware
    * Executable code delivered through a script (e.g. in a web request) and run in memory rather than from a file on disk
    * RAT dropper
  * Code injection
    * Shellcode
    * Masquerading
    * DLL sideloading, hijacking
    * Process hollowing – a legitimate process is started (typically suspended), its memory is hollowed out and replaced with malicious code, so it runs under a trusted process name
  * “Living off the land”
    * A technique rather than a specific malware family
    * Malware relies on existing tools on the host
    * Powershell, python, bash
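
As an added example (not part of these notes), a minimal Python version of the "string searching" step above: it pulls printable ASCII and UTF-16LE runs out of a byte blob, the way `strings` does, and tags the ones that look like URLs, Windows paths, registry Run keys or commands. The sample bytes and the indicator patterns are constructed for illustration.

```python
import re

# Constructed sample "binary": junk bytes around a few embedded artefacts,
# including one UTF-16LE string, as Windows binaries commonly carry.
SAMPLE = (
    b"\x00\x7fELF\x01\x01\x90\x90"
    + b"http://example.invalid/update.php\x00"
    + b"\x01\x02\x00"
    + b"C:\\Users\\Public\\dropper.exe\x00\x00"
    + "cmd.exe /c".encode("utf-16le") + b"\x00\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xde\xad\xbe\xef"
)

# Constructed triage patterns; a real workflow would use YARA rules instead.
INDICATOR_RULES = {
    "url": re.compile(r"https?://\S+"),
    "windows_path": re.compile(r"^[A-Za-z]:\\"),
    "registry_key": re.compile(r"^HK(LM|CU|CR|U|CC)\\"),
    "command": re.compile(r"\b(cmd|powershell)\.exe\b", re.IGNORECASE),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len
    characters, in file order (like `strings` with and without -el)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return [s for _, s in sorted(found)]


def triage(strings: list) -> list:
    """Tag each string with the first indicator class it matches and drop
    the rest, so an analyst sees only the interesting strings."""
    tagged = []
    for s in strings:
        for label, rx in INDICATOR_RULES.items():
            if rx.search(s):
                tagged.append((label, s))
                break
    return tagged


if __name__ == "__main__":
    for label, s in triage(extract_strings(SAMPLE)):
        print(f"{label:13} {s}")
```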
