Malware Analysis & Investigation Framework

If you started your malware analysis journey fairly recently, you have probably wondered a few times: where do I start? What do I prioritize? That’s exactly what happened to me: at times, the amount of information collected can be overwhelming, and this can make it tricky to focus on a single aspect of the findings.

And that’s why I came up with the idea of this Malware Analysis & Investigation Framework: I needed to organize my malware reverse engineering work in a flow that could be fairly repeatable, following a reference that could guide me through different steps in the reverse engineering process as well as helping me fight the habit of jumping from one tactic to the other without really getting to the bottom of it.

This framework is modeled after MITRE ATT&CK and is meant to be used in a proactive way to focus on one tactic at a time. After collecting information through static properties and behavioral analysis, the analyst can start reverse engineering by examining how the sample gets executed. They would be able to look at the example APIs included under the “Execution” tactic of the framework, make a note of the “keywords” these functions leverage, and compare them with patterns they see in the sample. After that, the analyst could move on by looking at persistence mechanisms, and so on.

Even though the framework is presented similarly to MITRE ATT&CK, it isn’t necessarily meant to be used in a linear fashion: a sample might require the analyst to prioritize certain tactics over others. For example, malware samples that include anti-analysis mechanisms might require the analyst to prioritize those over persistence.
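As an added illustration of this workflow (not part of the framework itself), the sketch below pulls strings out of a sample, groups the API names it recognizes by tactic, and puts anti-analysis first in the review order when it appears. The tactic-to-API mapping, the function names, the tie-break by hit count and the sample bytes are all assumptions made for the example.

```python
import re

# Assumed mapping for illustration: a few well-known Windows API names per
# tactic. These are not the framework's own tables.
TACTIC_APIS = {
    "Execution": ["CreateProcess", "ShellExecute", "WinExec", "CreateRemoteThread"],
    "Persistence": ["RegSetValueEx", "RegCreateKeyEx", "CreateService"],
    "Anti-Analysis": ["IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                      "NtQueryInformationProcess"],
}

def extract_strings(data, min_len=5):
    """Return the printable ASCII and UTF-16LE strings found in a binary blob."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in wide_re.finditer(data)}
    return found

def triage(data):
    """Group API names seen in the sample by tactic, tolerating Ex/A/W suffixes."""
    strings = extract_strings(data)
    hits = {}
    for tactic, apis in TACTIC_APIS.items():
        matched = sorted({s for s in strings for api in apis
                          if re.fullmatch(re.escape(api) + r"(Ex)?[AW]?", s)})
        if matched:
            hits[tactic] = matched
    return hits

def review_order(hits):
    """Anti-analysis first when present, then most hits first (assumed tie-break)."""
    return sorted(hits, key=lambda t: (t != "Anti-Analysis", -len(hits[t]), t))

# Constructed sample bytes standing in for a binary's import names and strings.
SAMPLE = (b"\x00".join([b"MZ\x90", b"KERNEL32.dll", b"CreateProcessW",
                        b"IsDebuggerPresent", b"RegSetValueExA",
                        b"RegCreateKeyExW", b"GetTickCount"])
          + b"\x00\xff" + "WinExec".encode("utf-16-le"))

if __name__ == "__main__":
    hits = triage(SAMPLE)
    for tactic in review_order(hits):
        print(f"{tactic}: {', '.join(hits[tactic])}")
```

String matches like these only suggest where to look first; imports resolved at runtime or obfuscated names will not show up this way.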

Beyond the analysis phase, the framework can also be useful as a guide to draft reports and technical presentations.

It’s also important to state that this project wouldn’t have been possible without crucial community contributions such as Malapi.io and The Unprotect Project.

This is obviously a draft, a first attempt and a work in progress that I plan to keep updated as much as possible. Please send feedback to cyb3rkitties@proton.me or shoot me a message on LinkedIn.

This post is licensed under CC BY 4.0 by the author.