bluemsi/2nd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0165cd367e5886856257e40d1102eae2b8e30285
2nd/10_Wiki/Topics/DevOps_and_Security/Malware-Analysis.md
T
Antigravity Agent f8b21af4be Wiki cleanup: error-doc removal, dedup merge, link normalization 
10_Wiki/Topics 대규모 정리:
- 오류 캡처/미완성 stub 문서 227개 제거
- 교차폴더 중복 43클러스터 병합 (63파일 → redirect)
- 링크명 정규화: 깨진 링크 수정·redirect 직결·개념 매핑 ~2,400건
- 카테고리 MOC 6개 신규 생성
- Graph 섹션 미해결 related-keyword 링크 10,058건 제거

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-20 23:52:15 +09:00

160 lines
4.4 KiB
Markdown
Raw Blame History

---
id: wiki-2026-0508-malware-analysis
title: Malware Analysis
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [malware-rev, threat-analysis, reverse-engineering-malware]
duplicate_of: none
source_trust_level: A
confidence_score: 0.9
verification_status: applied
tags: [security, malware, reverse-engineering, threat-intel, forensics]
raw_sources: []
last_reinforced: 2026-05-10
github_commit: pending
tech_stack:
language: Python/C
framework: Ghidra/IDA/YARA
---
# Malware Analysis
## 매 한 줄
> **"매 악성 binary의 매 behavior + capability + IOC 의 추출"**. 매 static (disassembly, string, import) ↔ dynamic (sandbox, instrumentation) ↔ hybrid 의 3-tier — 매 2026 매 LLM-assisted reversing 의 confluence — 매 incident response의 bottleneck.
## 매 핵심
### 매 3 가지 분석 mode
1. **Static**: 매 비실행 — strings, PE header, import table, YARA, signature.
2. **Dynamic**: 매 sandbox 실행 — API calls, network, file mod, registry.
3. **Hybrid**: 매 static 으로 매 hint 추출 → dynamic 으로 매 path 매 trigger.
### 매 IOC types
- **File**: SHA256, imphash.
- **Network**: domain, IP, URL, JA3 fingerprint.
- **Host**: registry key, mutex, persistence path.
- **Behavior**: MITRE ATT&CK technique.
### 매 응용
1. 매 SOC incident triage.
2. 매 threat intel feed 의 enrichment.
3. 매 detection rule (YARA, Sigma) 의 author.
## 💻 패턴
### 매 file triage
```bash
file suspicious.bin
sha256sum suspicious.bin
strings -n 8 suspicious.bin | head -50
exiftool suspicious.bin
```
### 매 PE inspect
```bash
pefile-info suspicious.exe # python pefile
# 매 imphash 매 family clustering
python -c "import pefile; print(pefile.PE('m.exe').get_imphash())"
```
### 매 YARA rule
```yara
rule SuspiciousLoader {
meta:
author = "analyst"
date = "2026-05-10"
strings:
$s1 = "VirtualAlloc" ascii
$s2 = "WriteProcessMemory" ascii
$s3 = { 48 8B ?? ?? E8 ?? ?? ?? ?? 48 85 C0 74 }
condition:
uint16(0) == 0x5A4D and 2 of ($s*)
}
// scan: yara -r rules.yar samples/
```
### 매 Ghidra script (headless)
```bash
analyzeHeadless /tmp/proj proj1 -import sample.exe \
-postScript ExtractStrings.java -deleteProject
```
### 매 sandbox (CAPE / Cuckoo)
```bash
cape submit suspicious.exe --timeout 120 --options "procmemdump=yes"
# 매 result: API trace, network pcap, dropped files
```
### 매 IDA Python
```python
import idautils, idaapi
for func in idautils.Functions():
name = idaapi.get_name(func)
if 'crypt' in name.lower():
print(hex(func), name)
```
### 매 unpacking heuristic
```python
# 매 entropy >7.0 매 packed 의 강한 signal
import math, collections
def entropy(data):
cnt = collections.Counter(data)
total = len(data)
return -sum((c/total) * math.log2(c/total) for c in cnt.values())
```
### 매 LLM-assisted (Claude Opus 4.7)
```python
# 매 disassembly chunk 의 의미 의 explain
prompt = f"Analyze this x86_64 function and identify behavior:\n{disasm}"
# 매 Ghidra plugin → MCP → Claude API 매 round-trip
```
### 매 MITRE ATT&CK mapping
```yaml
behaviors:
- tactic: Defense Evasion
technique: T1055 # Process Injection
evidence: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
- tactic: Persistence
technique: T1547.001 # Registry Run Keys
```
## 매 결정 기준
| 상황 | Approach |
|---|---|
| 매 known-bad triage | hash/imphash lookup |
| 매 unknown sample | static + sandbox 병행 |
| 매 packed | unpack + dump 후 static |
| 매 APT custom | 매 hybrid + LLM-assisted reversing |
**기본값**: 매 imphash + YARA 의 quick pass → 매 sandbox detonate → 매 manual reverse.
## 🔗 Graph
- 부모: [[Security]]
- 변형: [[Static Analysis]]
- 응용: [[Anomaly-Detection]]
- Adjacent: [[SAST]] · [[Code Obfuscation]]
## 🤖 LLM 활용
**언제**: 매 disassembly 의 의미 해석, 매 obfuscated string 의 deobfuscation.
**언제 X**: 매 IOC extraction 의 numeric — 매 deterministic tooling 사용.
## ❌ 안티패턴
- **production 매 sandbox**: 매 lateral movement 의 위험.
- **YARA rule 매 too generic**: 매 false positive 폭발.
- **strings only**: 매 packed 매 useless.
- **LLM 답 의 blind trust**: 매 hallucinated API behavior 위험.
## 🧪 검증 / 중복
- Verified (Ghidra 11.x, YARA 4.5, MITRE ATT&CK v15, 2026).
- 신뢰도 A.
## 🕓 Changelog
| 날짜 | 변경 |
|---|---|
| 2026-05-08 | Phase 1 |
| 2026-05-10 | Manual cleanup — static/dynamic/hybrid 분석 + LLM-assisted 정리 |
Reference in New Issue View Git Blame Copy Permalink