
Even an organization's most advanced defenses, such as antivirus, firewalls and IPS, are no match for the sophisticated attacks deployed today. Malware forensics investigation is the study or process of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, Trojan horse, rootkit or backdoor. The malware investigation process is summarized below.

Malware Investigation Steps

  • Analysis of suspicious web code and executable files
  • Deep forensic analysis through the full attack life cycle
  • Disassembly analysis that examines elements of the code

Our Approach

The following first-level static analysis is conducted to quickly tally a threat score.

  • Version resource information:
      ◦ Product Name
      ◦ Product Version
      ◦ Company Name, etc.
  • Functions included in the Import Table:
      ◦ Network
      ◦ Process
      ◦ Security
      ◦ Registry
      ◦ Dynamic Loading, etc.
  • Does the binary have high entropy (obfuscated)?
  • Does the binary have signatures of:
      ◦ Internet Relay Chat ("IRC")
      ◦ Shellcode
      ◦ Cryptography ("Crypto")
  • Does the binary contain strings associated with autoruns?
  • Digital Signature Verification
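The first-level checks above can be scripted as a quick static triage that tallies an additive threat score. The following is an added example written for this page, not Infinity Risk Control's own tooling; it works on raw file bytes rather than a parsed PE, so the import-table check is approximated by looking for API names in the binary's strings. The category keyword lists, the string signatures, the 7.0-bit entropy threshold and the sample bytes are all constructed assumptions.

```python
import math
import re
from collections import Counter

# Constructed illustration: a few well-known Win32 API names per category
# from the page's import-table checklist (not an exhaustive list).
IMPORT_CATEGORIES = {
    "Network": {"InternetOpenA", "InternetConnectA", "WSAStartup", "connect"},
    "Process": {"CreateRemoteThread", "OpenProcess", "WriteProcessMemory"},
    "Security": {"AdjustTokenPrivileges", "OpenProcessToken"},
    "Registry": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA"},
    "Dynamic Loading": {"LoadLibraryA", "GetProcAddress"},
}

# Constructed string signatures for IRC, autorun persistence and crypto use.
STRING_SIGNATURES = {
    "IRC": re.compile(rb"\b(PRIVMSG|NICK|JOIN|USER)\b"),
    "Autorun": re.compile(rb"CurrentVersion\\Run", re.IGNORECASE),
    "Crypto": re.compile(rb"CryptAcquireContext|CryptEncrypt|AES|RC4"),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, the same view a 'strings' tool gives."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def first_level_triage(data: bytes, entropy_threshold: float = 7.0) -> dict:
    """Tally the first-level indicators into one additive threat score."""
    strings = set(ascii_strings(data))
    imports = {cat: sorted(n for n in names if n.encode() in strings)
               for cat, names in IMPORT_CATEGORIES.items()}
    sigs = {name: bool(rx.search(data)) for name, rx in STRING_SIGNATURES.items()}
    entropy = shannon_entropy(data)
    score = sum(len(v) for v in imports.values()) + sum(sigs.values())
    if entropy >= entropy_threshold:  # packed/encrypted payload suspected
        score += 2
    return {"entropy": round(entropy, 2), "imports": imports,
            "signatures": sigs, "score": score}

# Constructed sample: a low-entropy header carrying API names and strings,
# followed by a uniform 2 KiB region standing in for a packed section.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 60 +
          b"InternetOpenA\x00CreateRemoteThread\x00RegSetValueExA\x00"
          b"LoadLibraryA\x00GetProcAddress\x00"
          b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          b"NICK botnick\x00" + bytes(range(256)) * 8)
```

On the constructed sample the score is 9: five categorised imports, two string signatures (IRC and autorun) and the high-entropy bonus. A real engagement would read the import table from the parsed PE rather than from strings, and verify the digital signature separately.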

Stage two:

Stage two involves more complex disassembly analysis that yields more detailed behavioral information. This simulation and data-flow analysis is possible without running binaries in a sandbox, and there is no reliance on whitelists or signatures.

  • Integrated disassembly engine:
      ◦ If the binary uses network functionality, which host it is potentially communicating with and over what protocol(s)
      ◦ If the binary uses network functionality, whether it can bypass proxy servers
      ◦ For functions that require usernames and/or passwords, whether the executable contains a static string, indicating insider or advanced knowledge
  • More advanced functionality interpretation:
      ◦ IP addresses and domain names used
      ◦ Debugger and sandbox avoidance
      ◦ Command and control functionality
      ◦ Hooking techniques
      ◦ Arbitrary code execution
  • Host forensic artifacts:
      ◦ Registry settings
      ◦ Temp files
      ◦ Configuration files

Infinity Risk Control

35 Tannery Road #09-05, Ruby Industrial Complex / 347740 / Singapore / +65 6846 0654
88 Wood Street, 10th - 11th Floor / Greater London EC2V 7RS / UK / +44 203 695 3536