
Malware Analysis Tutorial: Static & Dynamic Techniques for Windows, Linux, and Android

Learn how to analyze Windows, Linux, and Android malware using tools like Wireshark, Cuckoo Sandbox, angr, jadx, and more. This tutorial covers static and dynamic analysis, symbolic execution, and emulator bypass techniques.


Introduction to Malware Analysis

Malware analysis is a critical skill in cybersecurity, especially with the rise of sophisticated threats in 2026. This tutorial covers key techniques for analyzing Windows, Linux, and Android malware, using tools like Wireshark, Cuckoo Sandbox, angr, jadx, and apktool. Whether you're a student in a cybersecurity course like CS6262 or a professional, these methods will help you understand malware behavior and extract indicators of compromise.

Setting Up a Secure Analysis Environment

Before diving into analysis, you must set up a secure environment. Running malware on your host system can cause serious damage. Use a virtual machine (VM) with tools pre-installed. For this tutorial, we assume you have a VM with Windows, Linux, and Android emulators, along with analysis tools. Configure network settings to use a host-only adapter to prevent malware from spreading.

Windows Malware Analysis: Stage 1 and Stage 2

Windows malware often arrives as executables like stage1.exe and stage2.exe. Your goal is to uncover their behavior using static and dynamic analysis.

Network Behavior Analysis with Wireshark

Use Wireshark to capture network traffic. Start Wireshark on the host-only interface, then run the malware. Look for HTTP requests, DNS queries, and unusual traffic patterns. For example, the malware might contact a C2 server at a specific IP. Apply display filters such as http.request or dns to isolate the C2 exchange and identify the commands the sample sends and receives.
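One pattern worth looking for in the filtered traffic is beaconing: the same host being contacted at a fixed interval. The script below is an added example and is not part of the original tutorial. It assumes the HTTP requests were exported from the capture with tshark (tshark -r capture.pcap -Y http.request -T fields -e frame.time_epoch -e ip.dst -e http.host -e http.request.uri) and flags destinations whose request gaps are nearly constant. The sample lines, IPs and host names are constructed.

```python
"""Spot C2-style beaconing in an HTTP request export from a Wireshark capture.

Added example. Input format assumed: tab-separated tshark field output with
epoch time, destination IP, Host header and URI. All sample data is constructed.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample export: epoch, dst IP, Host header, URI
SAMPLE_EXPORT = """\
1700000000.10\t203.0.113.10\tupdate.example.invalid\t/gate.php?id=a1
1700000003.40\t198.51.100.7\tcdn.example.invalid\t/static/logo.png
1700000060.12\t203.0.113.10\tupdate.example.invalid\t/gate.php?id=a1
1700000120.09\t203.0.113.10\tupdate.example.invalid\t/gate.php?id=a1
1700000131.50\t198.51.100.7\tcdn.example.invalid\t/static/app.js
1700000180.11\t203.0.113.10\tupdate.example.invalid\t/gate.php?id=a1
1700000240.08\t203.0.113.10\tupdate.example.invalid\t/gate.php?id=a1
"""


def parse_export(text):
    """Yield (timestamp, dst_ip, host, uri) tuples from tshark field output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dst, host, uri = line.split("\t")
        yield float(ts), dst, host, uri


def find_beacons(text, min_requests=4, max_jitter=0.2):
    """Return {(dst_ip, host): interval_seconds} for regularly contacted hosts.

    A destination is flagged when it received at least min_requests requests
    and the coefficient of variation of the gaps between them is below
    max_jitter, i.e. the requests arrive on a near-constant timer.
    """
    times = defaultdict(list)
    for ts, dst, host, _uri in parse_export(text):
        times[(dst, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (ip, host), interval in find_beacons(SAMPLE_EXPORT).items():
        print(f"possible C2 beacon: {host} ({ip}) every ~{interval}s")
```

The interval and destination this reports are what you would carry into the Cuckoo report and the CFG work that follows: the code path that runs on that timer is usually the one that builds the command request.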

Dynamic Analysis with Cuckoo Sandbox

Cuckoo Sandbox automates dynamic analysis. Submit the sample to Cuckoo and review the report. It shows file system changes, registry modifications, and network traffic. Look for dropped files like stage2.exe or configuration files.

Control Flow Graph (CFG) Analysis

Use tools like IDA Pro or radare2 to generate a CFG. This helps identify key functions, such as those handling decryption or command parsing. In the CFG, look for loops that decode strings or compare input.

Symbolic Execution with angr

Symbolic execution can find valid command strings. Use angr to explore paths from a start address to an end address. For example:

python ./sym_exec.py ~/shared/stage1.exe 0x4050c0 0x40518a

This will output the input that reaches the target, revealing the correct command.

Linux Malware Analysis: payload.exe

Linux malware such as payload.exe may obscure its communication logic, so instruction traces are useful for exposing it. Use radare2 to disassemble the binary and locate system calls such as connect, send, and recv. Custom scripts can automate trace analysis to find the attack logic.

Loop Detection and Symbolic Execution

Use angr to identify loops and track symbolic variables through them. This helps find where the malware reads input or sends data. For example, a loop that XORs data before sending it can be identified and reversed.
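Once such a loop is identified (load byte, xor with a constant, store, increment, compare, branch back), reversing it is mostly about recovering the key from the bytes seen on the wire. The following is an added example, not code from the tutorial: xor_encode mirrors the per-byte loop, and recover_key gets the key back either exactly from a known-plaintext crib or, without one, by picking the key that yields the most printable output. The captured buffer, the plaintext and the key 0x5A are constructed for the demonstration.

```python
"""Reverse a single-byte XOR encoding loop found in a C2 send path.

Added example. The buffer, plaintext and key below are constructed; in a real
case CAPTURED would come from the pcap and the crib from protocol knowledge.
"""


def xor_encode(data: bytes, key: int) -> bytes:
    """Python equivalent of the per-byte XOR loop; encode and decode are the same op."""
    return bytes(b ^ key for b in data)


def score_printable(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    ok = sum(1 for b in buf if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(buf) if buf else 0.0


def recover_key(captured: bytes, crib: bytes = b"") -> int:
    """Recover the single-byte key.

    With a crib (known plaintext at the start of the message) the key is
    determined exactly and the crib is checked for consistency. Without one,
    every key is tried and the most printable decoding wins.
    """
    if crib:
        keys = {c ^ p for c, p in zip(captured, crib)}
        if len(keys) != 1:
            raise ValueError("crib is not consistent with a single-byte XOR key")
        return keys.pop()
    return max(range(256), key=lambda k: score_printable(xor_encode(captured, k)))


# Constructed: the bytes a sandbox would capture leaving the sample
PLAINTEXT = b"id=HOST-01;cmd=getinfo;ver=2"
CAPTURED = xor_encode(PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key = recover_key(CAPTURED, crib=b"id=")
    print(hex(key), xor_encode(CAPTURED, key))
```

If the loop in the binary uses a multi-byte repeating key, the same approach applies per key position; the symbolic run tells you the key length from the index arithmetic in the loop.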

Android Malware Analysis: sms.apk

Android malware like sms.apk often uses SMS for C2 communication. Use jadx and apktool to decompile and analyze the app.

Manifest Analysis

Decompile the APK with apktool:

apktool d sms.apk

Open AndroidManifest.xml and look for permissions like RECEIVE_SMS and SEND_SMS. Also check for broadcast receivers that handle incoming SMS.
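The manifest checks above can be scripted so they are repeatable across samples. The script below is an added example, not part of the tutorial: it parses a decoded AndroidManifest.xml as written by apktool, lists the SMS permissions requested, and finds receivers registered for android.provider.Telephony.SMS_RECEIVED together with their intent-filter priority (a high priority is how a receiver gets the message before the default SMS app). The manifest text, package name and class names are constructed placeholders.

```python
"""Triage a decoded AndroidManifest.xml for SMS-based C2 indicators.

Added example. SAMPLE_MANIFEST is a constructed stand-in for the file apktool
writes; package and component names are placeholders.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.smsclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Sms Client">
        <activity android:name=".MainActivity"/>
        <receiver android:name=".SmsReceiver" android:exported="true">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def triage_manifest(xml_text):
    """Return the package name, requested SMS permissions and SMS receivers.

    Each receiver is reported as (class name, intent-filter priority); the
    priority defaults to 0 when the filter does not set one.
    """
    root = ET.fromstring(xml_text)
    perms = {attr(p, "name") for p in root.iter("uses-permission")}

    sms_receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.iter("intent-filter"):
            actions = {attr(a, "name") for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = attr(flt, "priority")
                sms_receivers.append((attr(rcv, "name"), int(prio) if prio else 0))

    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "sms_receivers": sms_receivers,
    }


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print(report["package"], report["sms_permissions"])
    for name, prio in report["sms_receivers"]:
        print(f"SMS receiver {name} (priority {prio})")
```

The receiver class names this prints are the ones to open first in jadx, since that is where the command parsing for incoming SMS will live.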

Static Analysis with jadx

Use jadx to decompile to Java. Look for classes that handle SMS messages. For example, a class named SmsReceiver might contain the C2 logic. Find the country code and commands needed to trigger actions.

Bypassing Emulator Checks

Stage 2 of the analysis requires bypassing emulator detection. The app might check TelephonyManager.getDeviceId() for all zeros. To bypass, modify the smali code to always return a valid value. Use apktool to decompile, edit the smali file, then recompile and sign the APK.

For example, find a method that checks getDeviceId() and change it to return a hardcoded string like "1234567890".
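Doing this edit by hand works for one sample; across many it is easier to script the smali rewrite. The following is an added example, not code from the tutorial: it locates every call to TelephonyManager.getDeviceId() in decoded smali, finds the register the result is moved into, and overwrites that register with the placeholder "1234567890" so the all-zeros comparison that follows no longer matches. SAMPLE_SMALI is a constructed method modelled on a typical emulator check; the real file is the one you edit between apktool d and apktool b before signing.

```python
"""Patch decoded smali so TelephonyManager.getDeviceId() never returns the emulator value.

Added example. SAMPLE_SMALI is a constructed emulator-check method; the patch
inserts a const-string right after the getDeviceId() result lands in a register.
"""
import re

SAMPLE_SMALI = """\
.method private isEmulator()Z
    .locals 3

    const-string v0, "phone"

    invoke-virtual {p0, v0}, Landroid/content/Context;->getSystemService(Ljava/lang/String;)Ljava/lang/Object;

    move-result-object v0

    check-cast v0, Landroid/telephony/TelephonyManager;

    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;

    move-result-object v1

    const-string v2, "000000000000000"

    invoke-virtual {v1, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z

    move-result v1

    return v1
.end method
"""

# The getDeviceId() call followed by the move-result-object that captures its value.
GET_DEVICE_ID = re.compile(
    r"(invoke-virtual \{[^}]*\}, Landroid/telephony/TelephonyManager;->getDeviceId\(\)Ljava/lang/String;"
    r"\s+move-result-object (?P<reg>[vp]\d+))"
)


def patch_device_id(smali, fake_id="1234567890"):
    """Overwrite the register holding each getDeviceId() result with fake_id.

    Returns (patched_text, number_of_patched_sites). Writing a const-string
    into the same register keeps the register typed as String, so the
    following String.equals() call still verifies.
    """
    def repl(match):
        return f'{match.group(1)}\n\n    const-string {match.group("reg")}, "{fake_id}"'

    return GET_DEVICE_ID.subn(repl, smali)


if __name__ == "__main__":
    patched, count = patch_device_id(SAMPLE_SMALI)
    print(f"patched {count} call site(s)")
    print(patched)
```

Run it over every .smali file in the apktool output directory, then rebuild and sign as described above. Any site the regex does not match (for example a result stored via move-result-object on a wide register range) shows up as a count of zero and has to be handled by hand.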

Testing on Emulator

Start the emulator with:

~/bin/run-emulator

Install the modified APK and send SMS commands using adb. Use logcat to observe behavior:

adb logcat | grep sms

If successful, the app will contact the C2 server.

Conclusion

Malware analysis is a hands-on skill. By combining static and dynamic analysis, symbolic execution, and reverse engineering, you can uncover the inner workings of malware. Practice with real samples in a safe environment to build expertise. In 2026, as threats evolve, these techniques remain essential for cybersecurity professionals.