SOC Analyst Study Notes Part IV: Malware Analysis and Reverse Engineering
Malware analysis helps SOC analysts safely dissect threats, extract IOCs, and turn reverse engineering insights into faster detection, response, and defense improvements.
Modern cyberattacks are powered by malware that is increasingly evasive, modular, and difficult to understand through alerts alone. From ransomware and infostealers to remote access trojans, malicious code now adapts dynamically to environments, hides behind obfuscation, and actively resists analysis.
This installment of the SOC Analyst Study Notes series focuses on Malware Analysis and Reverse Engineering, a critical skill set that enables SOC analysts to understand how threats operate at a technical level. Building on SOC fundamentals, insider threats, and threat hunting covered in earlier parts, Part IV moves deeper into hands-on investigation of malicious software.
The emphasis is practical and analyst-focused. Rather than abstract theory, the material walks through how to safely analyze malware, extract indicators of compromise, and translate findings into actionable detection and response improvements within real SOC workflows.
Who this document is for
This study guide is designed for analysts and defenders seeking deeper technical visibility into malware-driven incidents:
SOC analysts investigating malware alerts and suspicious binaries
L2 and L3 analysts supporting incident response and threat hunting
Blue team practitioners working with EDR, sandboxing, and memory forensics
Security engineers developing detections and containment strategies
Students learning malware behavior, analysis techniques, and lab workflows
The progression moves from understanding malware categories to analysis methods, tooling, hands-on case studies, and safe operational practices.
Malware Analysis Overview
Malware analysis is the process of examining malicious software to understand its behavior, functionality, and impact. For SOC teams, this capability is essential not only for containment but also for improving detections, extracting IOCs, and anticipating future attacker behavior.
Part IV emphasizes a balanced approach that combines static analysis, dynamic analysis, and reverse engineering, enabling analysts to move beyond surface-level alerts and observe how malware behaves under the hood.
Common Types of Malware
The document outlines several major malware categories SOC analysts encounter most frequently:
Ransomware, which encrypts or locks systems and demands payment while often spreading laterally and establishing persistence
Trojans, which masquerade as legitimate software and deliver backdoors or secondary payloads
Infostealers, designed to quietly harvest credentials, browser data, and cryptocurrency wallets
Remote Access Trojans (RATs), which give attackers persistent interactive control over compromised systems
Understanding these categories helps analysts quickly recognize behavioral patterns during investigations and prioritize response actions.
Static vs Dynamic Malware Analysis
Effective malware analysis relies on two complementary techniques.
Static analysis examines a file without executing it. Analysts inspect headers, imports, entropy, and embedded strings to identify suspicious characteristics. This approach is fast and safe but can be limited by packing and obfuscation.
Dynamic analysis executes malware in an isolated environment to observe real behavior, such as file system changes, registry modifications, process injection, and network communication. Sandboxes and monitoring tools reveal runtime activity but may be evaded by anti-analysis techniques.
Using both methods together provides a more complete understanding of malware functionality.
Tools and Lab Setup
The document provides a practical toolkit for malware analysis and reverse engineering, including:
Disassemblers and decompilers such as Ghidra and IDA Free
Static inspection tools like PE Studio and FLOSS
Execution and monitoring tools including Procmon, Process Explorer, and Wireshark
Automated sandboxes such as Cuckoo and ANY.RUN
Debuggers for unpacking and step-by-step code analysis
Persistence and memory forensics tools including Autoruns, Regshot, and Volatility
Together, these tools form a controlled lab environment where analysts can safely dissect real malware samples.
Hands-On Malware Walkthroughs
Part IV includes detailed walkthroughs of real-world malware families.
The Zeus banking trojan demonstrates credential theft, process injection, persistence mechanisms, and command-and-control communication through both static and dynamic analysis.
The WannaCry ransomware case illustrates how exploit-based propagation, file encryption, service creation, and kill-switch logic appear during analysis.
These examples show how technical findings translate into actionable IOCs and detection logic.
Extracting Indicators of Compromise
A core outcome of malware analysis is extracting reliable indicators, including:
Dropped files and modified binaries
Registry keys and persistence mechanisms
Processes, mutexes, and injection behavior
Network indicators such as domains and IPs
Behavioral patterns like mass encryption or data exfiltration
Documenting and mapping these indicators to MITRE ATT&CK strengthens detection engineering and reporting workflows.
Safe Analysis Practices
Malware analysis carries inherent risk. The document emphasizes strict safety controls, including isolated lab environments, controlled networking, snapshotting, avoidance of real credentials, comprehensive logging, and ethical handling of samples.
These practices ensure analysts gain insight without endangering production systems or violating legal boundaries.
Building Long-Term Expertise
To develop confidence and skill, analysts are encouraged to practice continuously using training platforms, CTFs, lab environments, malware repositories, and community knowledge sharing.
Malware constantly evolves. Ongoing hands-on experience is essential for maintaining effective defensive capability.
Conclusion
Malware analysis and reverse engineering give SOC analysts the ability to understand how attacks truly work, not just how they trigger alerts. By combining static and dynamic techniques, documenting indicators, and practicing on real samples, defenders can respond faster, build stronger detections, and reduce future risk.
As malware grows more sophisticated, hands-on analysis remains one of the most valuable skills in modern SOC operations.
If you find this material useful, subscribe to CyberMaterial’s Substack for daily cybersecurity briefings, practical insights, and structured learning resources.