(Forensic) Malware Analysis = Reverse Engineering?

Hello friends,

currently I’m doing some Forensic challenges. These challenges are pretty cool, but I’m stuck at the harder ones (obfuscation and Windows Infinity Edge). To solve these tasks, I do not want to just google or read a writeup and follow the steps described.
I want to understand what I’m doing, how specific tools are working, how an Excel document is constructed, how bad code is implemented by attackers, etc.

My questions are: Is Malware Analysis (MA) its own field of expertise or just a part of Reverse Engineering (RE)? How could I get better in MA? Are there some books, online tutorials, courses etc. for beginners? Should I first start with some basics of RE and then dive deeper into MA?
I found this post (Reverse Engineering resources - #2 by jairocb - Video Tutorials - Hack The Box :: Forums) but I don’t know whether this is the right way to start, because the focus lies on RE.

Thanks :)

It’s a good question but it has a complex (IMHO) answer.

First - the forensic challenges on HTB aren’t always aligned to real-world forensic practices. It’s more a case that they use forensic techniques to a varying degree. I will use forget-me-not as an example (as it has retired). Yes, the extraction of the string uses what could be described as memory forensics, but that’s about it.

So on to malware analysis. The vast majority of this uses some reverse engineering techniques but the goals are different which means the workflows can be different.

I would say that Malware Analysis is a different field to Reverse Engineering but there is overlap (for example, SANS has a course called Reverse Engineering Malware: FOR610: Reverse Engineering Malware Training | Malware Tools & Techniques | SANS Institute just to muddy the waters).

It is worth noting that malware analysis ranges from trying to get some simple IOCs to use for the incident response process through to understanding the malware enough to describe what it does.

Reverse engineering is normally focused on finding out what the application does (and in the context here, working out how to exploit it). As you can see this is part of what a malware analyst needs to do and probably aligns with the needs of more advanced practitioners.

Also, a vast majority of the time, malware analysis is looking at malicious documents and scripts rather than pulling apart the internals of a PE/ELF/Mach-O file. A malware analyst is likely to be using oletools as much as they use gdb. At a basic level, malware analysis can be as simple as dropping a file into PEStudio - that gets a massive amount of the information you need for DFIR.

As a reverse engineer, you need a deeper understanding of the file, the ability to walk through what it is doing etc.

So, tl;dr - they are very similar. A good reverse engineer will be good at malware analysis. A good malware analyst will probably have learned reverse engineering.

@tXxc said:
Should I first start with some basics of RE and then dive deeper into MA?

I don’t think it matters. If you start with RE of executables, the main MA you’d need to cover is the script/maldoc stuff. If you start with MA, then at some point you are going to need to learn RE.
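As a concrete picture of the "drop a file in and get what DFIR needs" triage step described above, here is an added example (not from the thread, and not code from PEStudio or oletools) that identifies a sample's container by its magic bytes, hashes it for IOC purposes, and for an OOXML document checks whether a vbaProject.bin macro blob is present; the sample blobs are constructed inline and are not real malware.

```python
import hashlib
import io
import zipfile

# Well-known signatures: OLE2 compound file (legacy .doc/.xls), ZIP (OOXML .docx/.xlsm), PE (MZ).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
PE_MAGIC = b"MZ"


def triage(data: bytes) -> dict:
    """Basic static triage: IOC hashes, container type, and a macro hint for OOXML."""
    result = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "kind": "unknown",
        "has_macros": None,  # None: the check does not apply to this container type
    }
    if data.startswith(PE_MAGIC):
        result["kind"] = "pe"  # next stop is a PE parser / PEStudio, not oletools
    elif data.startswith(OLE_MAGIC):
        result["kind"] = "ole"  # legacy Office binary: macros live in OLE streams (olevba territory)
    elif data.startswith(ZIP_MAGIC):
        result["kind"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        # In OOXML, VBA is embedded as an OLE blob named vbaProject.bin inside the ZIP.
        result["has_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        result["entries"] = names
    return result


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal ZIP that mimics an OOXML document (sample input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("docm", build_ooxml(True)), ("docx", build_ooxml(False)),
               ("xls", OLE_MAGIC + b"\x00" * 504), ("exe", PE_MAGIC + b"\x90" * 62)]
    for label, blob in samples:
        r = triage(blob)
        print(f"{label}: kind={r['kind']} macros={r['has_macros']} sha256={r['sha256'][:16]}...")
```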

@TazWake said:

Also, a vast majority of the time, malware analysis is looking at malicious documents and scripts rather than pulling apart the internals of a PE/ELF/Mach-O file. A malware analyst is likely to be using oletools as much as they use gdb. At a basic level, malware analysis can be as simple as dropping a file into PEStudio - that gets a massive amount of the information you need for DFIR.

Hello. Thanks for your detailed answer.

The things you wrote about a malware analyst are the direction I’m more interested in. I think as a defender/blue teamer the identification of IOCs or

So, tl;dr - they are very similar. A good reverse engineer will be good at malware analysis. A good malware analyst will probably have learned reverse engineering.

@tXxc said:
Should I first start with some basics of RE and then dive deeper into MA?

I don’t think it matters. If you start with RE of executables, the main MA you’d need to cover is the script/maldoc stuff. If you start with MA, then at some point you are going to need to learn RE.

I interpret this to mean that I should just start with the ‘analysis’ of the forensics challenges. There is no straighter path. I think I will dive deeper into some topics when I’m doing the tasks (e.g. usage of oletools, what OLE means, Visual Basic/macros, structure of Excel documents etc., based on the challenge/topic).

@sparkla said:

I’m an expert in neither of those things, but in my opinion to do proper MW you should be strong in RE; at the same time you gotta have the patience to reverse heavily obfuscated interpreter code like JavaScript, PHP and, as someone mentioned, Office documents, Word macros, etc. Good knowledge of how DNS works in conjunction (C&C servers…) and knowledge of modern irl attack paths would round that up.

The only thing I don’t see fitting here is Forensics: sure, MWA is part of forensics, but the other way round, forensics is a lot more than MWA.

There are a couple of YouTube channels dedicated to MWA that may give you an idea which organisations actually focus on MWA.

Yeah, I think you are right. MWA is a part of forensics. So (in my opinion) knowing something about forensics, forensic tools or a general procedure would help you get better at MWA. Or in general: there are different fields of expertise that are relevant if you want to become an expert in MWA.
Edit: I found the YouTube channel of “HackerSploit”. He has a playlist about MA. This looks pretty good.

@tXxc said:

I interpret this to mean that I should just start with the ‘analysis’ of the forensics challenges. There is no straighter path. I think I will dive deeper into some topics when I’m doing the tasks (e.g. usage of oletools, what OLE means, Visual Basic/macros, structure of Excel documents etc., based on the challenge/topic).

Pretty much. On the whole I wouldn’t say it matters which approach you want: if you start from Binary RE, you will need to learn Maldoc; if you start with Maldoc, you need Binary RE, etc.

It is an open-ended field though, because as you learn more, you largely learn just how much more is still to go.

It is not a free resource (it does have free trials and can be cost-effective) but it can be worth checking out Pluralsight.

The courses by Tyler Hudak (especially setting up a malware analysis lab and malicious document analysis) and Josh Stroschein (especially defeating obfuscation/packing) are very good quality.

Most of the IT crowd thinks pentesting/red teaming is the sexy stuff in cybersec, but that’s some sexy stuff in the Blue Team and I’m actually considering diving a bit more into that.

@TazWake said:

@tXxc said:

I interpret this to mean that I should just start with the ‘analysis’ of the forensics challenges. There is no straighter path. I think I will dive deeper into some topics when I’m doing the tasks (e.g. usage of oletools, what OLE means, Visual Basic/macros, structure of Excel documents etc., based on the challenge/topic).

Pretty much. On the whole I wouldn’t say it matters which approach you want: if you start from Binary RE, you will need to learn Maldoc; if you start with Maldoc, you need Binary RE, etc.

It is an open-ended field though, because as you learn more, you largely learn just how much more is still to go.

It is not a free resource (it does have free trials and can be cost-effective) but it can be worth checking out Pluralsight.

The courses by Tyler Hudak (especially setting up a malware analysis lab and malicious document analysis) and Josh Stroschein (especially defeating obfuscation/packing) are very good quality.

Thanks for the hint.
When I’ve got more free time, I will watch some videos. For the beginning, YouTube will be my friend.