Sharing notes from my ongoing learning journey — what I build, break and understand along the way.
Understanding Malware: My Introduction to Static & Dynamic Analysis
Static vs Dynamic Malware Analysis
When I first got into malware analysis, it seemed a bit overwhelming. I imagined I’d need to be some kind of reverse engineering wizard fluent in assembly. But what helped me get started was learning about the two foundational approaches: Static Analysis and Dynamic Analysis.
Both are about figuring out what malware does — but they take completely different routes to get there.
Static Analysis — Understanding Without Execution
Static analysis means inspecting the malware without actually running it. Think of it like getting an X-ray of a file before opening it.
Tools I Use:
file→ to identify the file type (PE, ELF, etc.)strings→ to extract readable textGhidraorradare2→ for deeper disassemblyVirusTotal→ to check known reputation (but I never fully trust it)
file suspicious.exe
strings suspicious.exe | less
In this phase, I look for hardcoded IP addresses, suspicious function names, base64-encoded strings, or URLs. In some samples, I’ve seen obfuscated PowerShell commands or indicators of C2 (command and control) infrastructure embedded in the binary.
Dynamic Analysis — Executing in Isolation and Observing Behavior
Sometimes, malware won’t reveal much statically. That’s when I move to dynamic analysis — running the sample in a safe, controlled environment to see what it does in real time.
My Lab Setup:
- VirtualBox (always with snapshots)
- Windows VM with FLARE-VM
- Or a Linux-based Remnux VM
Tools I Keep Running:
- Procmon — to trace file and registry activity
- Process Explorer — to monitor processes
- Wireshark — for network traffic
- Regshot — for before/after registry diff
- Sysmon — to log advanced behavior
What I Look For:
- File system activity:
Is the malware copying itself to%APPDATA%? Dropping new binaries?
→ I check with Procmon and Autoruns. - Network behavior:
Does it try to contact a C2 server or resolve a shady domain?
→ Wireshark usually helps here. - Persistence mechanisms:
Adding registry keys likeHKCU\Software\Microsoft\Windows\CurrentVersion\Run
→ Tracked with Regshot - Suspicious process behavior:
Malware might launchcmd.exe,powershell, orrundll32with strange arguments.
When to Use Which?
| Scenario | Best Approach |
|---|---|
| Quick inspection, low risk | Static |
| Obfuscated or packed executable | Dynamic |
| Need to understand runtime behavior | Dynamic |
| Investigating callbacks or domains | Dynamic |
| Looking for embedded payloads | Static |
I usually begin with static. If that gives me enough insight, great. But when things get evasive or intentionally hidden, I switch to dynamic.
A Realistic Example
Let’s say someone hands me a suspicious file named invoice.pdf.exe.
Static:
- I use
fileto verify it’s a PE32 Windows executable stringsreveals a domain likeupdate-check[.]xyz- I upload it to VirusTotal — maybe only one engine flags it
Dynamic:
- I run it in the sandbox while capturing traffic
- Procmon shows it creates a hidden
.batfile and runscmd.exe - Wireshark reveals POST requests with base64-encoded data
- Regshot shows a registry key added for persistence
By the end, I have both behavior-based indicators and IoCs to feed into detection rules or reporting.
Learning malware analysis changed how I view threats. Reading about malware is one thing — watching it act in real time is something else entirely.
My recommendation?
Start small. Learn static analysis first so you understand what “normal” code looks like. Then build yourself a safe lab and experiment with dynamic analysis — even on harmless samples. It really deepens your understanding of how malware behaves under the hood.
And most importantly: always isolate your lab. Malware is not a toy — treat it like you’re working with live explosives.