---
id: wiki-2026-0508-malware-analysis
title: Malware Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [malware-rev, threat-analysis, reverse-engineering-malware]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, malware, reverse-engineering, threat-intel, forensics]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
  language: Python/C
  framework: Ghidra/IDA/YARA
---

# Malware Analysis

## One line

> **"Extract the behavior, capabilities and IOCs of a malicious binary."** Three tiers: static (disassembly, strings, imports), dynamic (sandbox, instrumentation) and hybrid. In 2026 these converge with LLM-assisted reversing. It remains the bottleneck of incident response.

## Core

### The 3 analysis modes

1. **Static**: no execution; strings, PE header, import table, YARA, signatures. Fast and safe, but packing and obfuscation hide most of what it looks for.
2. **Dynamic**: run in a sandbox; observe API calls, network traffic, file modifications, registry writes. Only covers the code paths the sample chose to execute during the run.
3. **Hybrid**: extract hints statically (an unreferenced C2 string, an unusual import, a check on a command-line argument), then trigger those paths dynamically.

### IOC types

- **File**: SHA256, imphash.
- **Network**: domain, IP, URL, JA3 fingerprint.
- **Host**: registry key, mutex, persistence path.
- **Behavior**: MITRE ATT&CK technique.

### Applications

1. SOC incident triage.
2. Enrichment of threat intel feeds.
3. Authoring detection rules (YARA, Sigma).

## 💻 Patterns

### File triage

```bash
file suspicious.bin
sha256sum suspicious.bin
strings -n 8 suspicious.bin | head -50
exiftool suspicious.bin
```

### PE inspect

```bash
# Header, section and import dump through the python pefile library
python -c "import pefile; print(pefile.PE('suspicious.exe').dump_info())"
# imphash for family clustering: MD5 over the ordered 'dll.function' import list.
# On a packed sample it identifies the packer stub (LoadLibrary/GetProcAddress), not the family.
python -c "import pefile; print(pefile.PE('suspicious.exe').get_imphash())"
```

### YARA rule

```yara
rule SuspiciousLoader {
    meta:
        author = "analyst"
        date = "2026-05-10"
    strings:
        $s1 = "VirtualAlloc" ascii
        $s2 = "WriteProcessMemory" ascii
        $s3 = { 48 8B ?? ?? E8 ?? ?? ?? ?? 48 85 C0 74 }
    condition:
        uint16(0) == 0x5A4D and 2 of ($s*)
}
// scan: yara -r rules.yar samples/
```

### Ghidra script (headless)

```bash
analyzeHeadless /tmp/proj proj1 -import sample.exe \
    -postScript ExtractStrings.java -deleteProject
```

### Sandbox (CAPE / Cuckoo)

```bash
cape submit suspicious.exe --timeout 120 --options "procmemdump=yes"
# result: API trace, network pcap, dropped files
```

### IDA Python

```python
import idaapi
import idautils

# Enumerate functions whose name mentions crypto. This only works on named
# symbols (FLIRT, exports, analyst renames); stripped sub_XXXX functions need
# xrefs to CryptoAPI/bcrypt imports instead.
for func in idautils.Functions():
    name = idaapi.get_name(func)
    if 'crypt' in name.lower():
        print(hex(func), name)
```

### Unpacking heuristic

```python
# Section entropy > 7.0 is a strong signal of packing or encryption. Measure per
# section, not per file: a whole-file average is diluted by headers and code.
import collections
import math


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    cnt = collections.Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in cnt.values())
```

### LLM-assisted (Claude Opus 4.7)

```python
# Explain the semantics of a disassembly chunk. Keep the prompt to one function and
# verify any API behavior the model names against the import table before acting on it.
def build_prompt(disasm: str) -> str:
    return f"Analyze this x86_64 function and identify behavior:\n{disasm}"

# round-trip: Ghidra plugin -> MCP -> Claude API
```

### MITRE ATT&CK mapping

```yaml
behaviors:
  - tactic: Defense Evasion
    technique: T1055  # Process Injection
    evidence: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
  - tactic: Persistence
    technique: T1547.001  # Registry Run Keys
```

## Decision criteria

| Situation | Approach |
|---|---|
| Known-bad triage | hash/imphash lookup |
| Unknown sample | static and sandbox in parallel |
| Packed | unpack + dump, then static |
| APT custom | hybrid + LLM-assisted reversing |

**Default**: quick pass with imphash + YARA → detonate in a sandbox → manual reversing.

## 🔗 Graph

- Parent: [[Security]]
- Variant: [[Static Analysis]]
- Application: [[Anomaly-Detection]]
- Adjacent: [[SAST]] · [[Code Obfuscation]]

## 🤖 LLM usage

**When**: interpreting the meaning of disassembly, deobfuscating obfuscated strings.

**When not**: numeric IOC extraction (hashes, offsets, addresses); use deterministic tooling.

## ❌ Anti-patterns

- **Sandbox in production**: risk of lateral movement.
- **YARA rule too generic**: explosion of false positives.
- **Strings only**: useless on packed samples.
- **Blind trust in LLM answers**: risk of hallucinated API behavior.

## 🧪 Verification / duplicates

- Verified (Ghidra 11.x, YARA 4.5, MITRE ATT&CK v15, 2026).
- Trust level A.

## 🕓 Changelog

| Date | Change |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup: organized static/dynamic/hybrid analysis + LLM-assisted reversing |
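Worked example for the imphash line in the PE inspect pattern and the "known-bad triage" row of the decision table. This is added code, not part of the original page or of the pefile project: it reimplements the imphash algorithm pefile's `get_imphash()` uses (lowercase `module.function` pairs in import-table order, module extension stripped, joined with commas, MD5) so the clustering behavior is visible without a binary. The ordinal table is abridged and the import tables are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Module extensions pefile strips before hashing: kernel32.dll -> kernel32.
_STRIPPED_EXTS = ("dll", "ocx", "sys")

# Abridged ordinal table (assumption for this example): pefile resolves ordinal
# imports for ws2_32/wsock32 and oleaut32 through full tables; anything it cannot
# resolve becomes "ordN". Only a handful of ws2_32 entries are reproduced here.
_ORDINALS = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
               19: "send", 23: "socket", 52: "gethostbyname",
               115: "WSAStartup", 116: "WSACleanup"},
}
_ORDINALS["wsock32"] = _ORDINALS["ws2_32"]


def _module_name(dll: str) -> str:
    name = dll.lower()
    base, dot, ext = name.rpartition(".")
    return base if dot and ext in _STRIPPED_EXTS else name


def imphash(imports) -> str:
    """imports: [(dll, name_or_ordinal), ...] in import-table order.
    Names are str, ordinals int. Hash = MD5("mod.func,mod.func,...")."""
    parts = []
    for dll, func in imports:
        mod = _module_name(dll)
        if isinstance(func, int):
            func = _ORDINALS.get(mod, {}).get(func, f"ord{func}")
        parts.append(f"{mod}.{func.lower()}")
    return hashlib.md5(",".join(parts).encode()).hexdigest()


def cluster_by_imphash(samples: dict) -> dict:
    """{sample_name: imports} -> {imphash: [sample_name, ...]}"""
    groups = defaultdict(list)
    for name, imports in samples.items():
        groups[imphash(imports)].append(name)
    return dict(groups)


# Constructed import tables for illustration, not taken from real samples.
LOADER = [("KERNEL32.DLL", "VirtualAllocEx"), ("KERNEL32.DLL", "WriteProcessMemory"),
          ("KERNEL32.DLL", "CreateRemoteThread"), ("WS2_32.dll", 23), ("WS2_32.dll", 115)]
# Same build, names cased differently and the ordinals imported by name: same hash.
LOADER_VARIANT = [("kernel32.dll", "virtualallocex"), ("kernel32.dll", "writeprocessmemory"),
                  ("kernel32.dll", "createremotethread"), ("ws2_32.dll", "socket"),
                  ("ws2_32.dll", "WSAStartup")]
# Same five APIs linked in a different order: different hash (order is part of the input).
LOADER_REORDERED = [LOADER[1], LOADER[0]] + LOADER[2:]
# What a UPX-style packer stub leaves in the import table, whatever the payload is:
# two unrelated packed families collide on the stub's hash.
PACKER_STUB = [("KERNEL32.DLL", "LoadLibraryA"), ("KERNEL32.DLL", "GetProcAddress"),
               ("KERNEL32.DLL", "VirtualProtect"), ("KERNEL32.DLL", "ExitProcess")]

SAMPLES = {
    "loader_v1": LOADER,
    "loader_v1_rebuild": LOADER_VARIANT,
    "loader_relinked": LOADER_REORDERED,
    "packed_family_x": PACKER_STUB,
    "packed_family_y": list(PACKER_STUB),
}

if __name__ == "__main__":
    for digest, names in cluster_by_imphash(SAMPLES).items():
        print(digest, names)
```

Two things fall out of running it: a rebuild that only changes name casing or swaps an ordinal for its resolved name keeps the same imphash, while relinking the same APIs in another order produces a new one, so imphash is a linker-layout fingerprint rather than a capability fingerprint; and every sample packed with the same stub hashes identically, which is why the decision table sends packed samples to unpack-and-dump before any hash lookup.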
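Worked example for the unpacking heuristic pattern and the "packed" row of the decision table. Added here, not code from the original page: it runs the entropy measure over a sliding window so the high-entropy region is located inside the file instead of being averaged away, and it makes the window-size caveat explicit (a window of w bytes cannot exceed log2(w) bits, so a 64-byte window can never cross a 7.0 threshold). The sample bytes are constructed (plaintext stub, pseudo-random payload standing in for a compressed section, zero tail) and are not a real binary; the 512-byte window and 7.0 threshold are assumptions.

```python
import collections
import math
import random


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0 (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    counts = collections.Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def max_entropy(window: int) -> float:
    """Upper bound a window of this many bytes can reach: 64 bytes hold at most
    64 distinct values, so the entropy tops out at log2(64) = 6.0, below any 7.0
    packing threshold. Use windows of at least 256 bytes."""
    return min(8.0, math.log2(window)) if window > 0 else 0.0


def entropy_map(data: bytes, window: int = 512, step: int = 512):
    """(offset, entropy) for each full window; a trailing partial window is
    skipped so a short tail does not produce an artificially low reading."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]


def packed_regions(data: bytes, window: int = 512, step: int = 512,
                   threshold: float = 7.0):
    """Merge consecutive windows at or above threshold into (start, end) ranges."""
    regions = []
    for off, h in entropy_map(data, window, step):
        if h < threshold:
            continue
        end = off + window
        if regions and regions[-1][1] >= off:   # adjacent or overlapping: extend
            regions[-1] = (regions[-1][0], max(regions[-1][1], end))
        else:
            regions.append((off, end))
    return regions


def triage(data: bytes, window: int = 512, threshold: float = 7.0) -> dict:
    """Whole-file entropy next to the windowed view, to show why the former misses."""
    emap = entropy_map(data, window, window)
    return {
        "whole_file": round(shannon_entropy(data), 2),
        "max_window": round(max(h for _, h in emap), 2) if emap else 0.0,
        "regions": packed_regions(data, window, window, threshold),
    }


# Constructed sample (not a real binary): 2 KiB of a repeated plaintext stub,
# 4 KiB of seeded pseudo-random bytes standing in for a packed/encrypted section,
# then 1 KiB of zero padding.
_rng = random.Random(1234)
SAMPLE = (
    (b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]
    + bytes(_rng.getrandbits(8) for _ in range(4096))
    + bytes(1024)
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

On this sample the whole-file figure lands below 7.0 because the text stub and the zero tail dilute the payload, while the windowed view reports a single region at offsets 2048..6144 well above the threshold; that region, not the file, is what gets dumped and fed back to static analysis. Compressed resources, embedded certificates and images also read as high entropy, so a hit is a pointer to look, not a verdict.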
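Worked example for the sandbox and MITRE ATT&CK mapping patterns: detection logic that turns a sandbox API trace into the two findings the page's YAML lists (T1055 from the `VirtualAllocEx + WriteProcessMemory + CreateRemoteThread` chain, T1547.001 from a Run-key write). Added code, not from the original page or from CAPE/Cuckoo; the trace is constructed, and its field names (`pid`, `api`, `args`, `ret`, `ProcessHandle`, `FullName`, `Buffer`) are an assumption about the trace format rather than a documented schema.

```python
from collections import defaultdict

INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")


def find_process_injection(trace):
    """T1055: the full alloc -> write -> thread chain, in order, on the SAME target
    handle inside one process. Alloc + write alone (debuggers, some installers)
    does not qualify, nor does a thread started on a different handle."""
    step = defaultdict(int)          # (pid, target handle) -> next expected chain index
    findings = []
    for call in trace:
        api = call["api"]
        if api not in INJECTION_CHAIN:
            continue
        key = (call["pid"], call["args"].get("ProcessHandle"))
        if INJECTION_CHAIN[step[key]] != api:
            continue                 # out of order: keep waiting for the expected step
        step[key] += 1
        if step[key] == len(INJECTION_CHAIN):
            findings.append({
                "technique": "T1055", "tactic": "Defense Evasion",
                "pid": call["pid"], "target_handle": key[1],
                "evidence": " + ".join(INJECTION_CHAIN),
            })
            step[key] = 0
    return findings


def find_run_key_persistence(trace):
    """T1547.001: any RegSetValueEx{A,W} under ...\\CurrentVersion\\Run or RunOnce."""
    findings = []
    for call in trace:
        if not call["api"].startswith("RegSetValueEx"):
            continue
        key = call["args"].get("FullName", "")
        if any(marker in key.lower() for marker in RUN_KEY_MARKERS):
            findings.append({
                "technique": "T1547.001", "tactic": "Persistence",
                "pid": call["pid"], "key": key,
                "evidence": call["args"].get("Buffer", ""),
            })
    return findings


def map_attack(trace):
    return find_process_injection(trace) + find_run_key_persistence(trace)


# Constructed sandbox API trace in a CAPE/Cuckoo-like shape (one call per entry).
# Not output from a real detonation; the field names are an assumption.
TRACE = [
    {"pid": 4120, "api": "OpenProcess", "args": {"ProcessId": 988}, "ret": "0x1c8"},
    {"pid": 4120, "api": "VirtualAllocEx",
     "args": {"ProcessHandle": "0x1c8", "Protection": "PAGE_EXECUTE_READWRITE"}, "ret": "0x5a0000"},
    {"pid": 4120, "api": "WriteProcessMemory",
     "args": {"ProcessHandle": "0x1c8", "BaseAddress": "0x5a0000"}, "ret": "1"},
    {"pid": 4120, "api": "CreateRemoteThread",
     "args": {"ProcessHandle": "0x1c8", "StartAddress": "0x5a0000"}, "ret": "0x1d4"},
    {"pid": 4120, "api": "RegSetValueExW",
     "args": {"FullName": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
              "Buffer": "C:\\Users\\Public\\upd.exe"}, "ret": "0"},
    # Debugger-like behaviour: alloc + write into a child, no remote thread.
    {"pid": 5300, "api": "VirtualAllocEx", "args": {"ProcessHandle": "0x210"}, "ret": "0x7f0000"},
    {"pid": 5300, "api": "WriteProcessMemory",
     "args": {"ProcessHandle": "0x210", "BaseAddress": "0x7f0000"}, "ret": "1"},
    # Thread created on a different handle than the one written to: chain broken.
    {"pid": 6000, "api": "VirtualAllocEx", "args": {"ProcessHandle": "0x2a0"}, "ret": "0x800000"},
    {"pid": 6000, "api": "WriteProcessMemory",
     "args": {"ProcessHandle": "0x2a0", "BaseAddress": "0x800000"}, "ret": "1"},
    {"pid": 6000, "api": "CreateRemoteThread",
     "args": {"ProcessHandle": "0x2b4", "StartAddress": "0x401000"}, "ret": "0x2c0"},
    # Registry write outside a Run key: configuration, not persistence.
    {"pid": 6000, "api": "RegSetValueExA",
     "args": {"FullName": "HKCU\\Software\\Acme\\Settings\\Lang", "Buffer": "en-US"}, "ret": "0"},
]

if __name__ == "__main__":
    for finding in map_attack(TRACE):
        print(finding)
```

Only pid 4120 produces findings: the injection rule keys on the target handle and on call order, so the alloc-and-write-only process and the process whose thread targets a different handle both drop out, which is the difference between "these three APIs appear somewhere in the trace" and the evidence string the page's YAML records.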