Malware Analysis – Malware Classification And Identification

Malware Classification & Identification

Malware classification is the process of grouping malware samples based on characteristics they share with previously analyzed samples. Examples of such characteristics are strings and binary code.


What’s wrong with hash-based identification/classification?

  • The content of a sample is changed by attackers to evade hash-based identification/classification.
  • Cryptographic hashing is only accurate if the data/content of the sample remains exactly the same; if just one line of code is changed, the hash changes.

Note: The attacker may only change a small portion of the sample, so the functionality of the malware remains the same while the hash changes completely. For example, many attackers plant random data/strings (garbage strings) to change the hash and avoid hash-based detection/identification.

What is my point? – Hash-based signature identification/detection is inaccurate and should not be relied upon for accurate classification/identification of samples.

This is where YARA comes in to play.

What is YARA?

YARA is a fantastic malware identification & classification tool that works by matching patterns across various malware samples.


What can you do with YARA?

  • Identify samples based on particular signatures (strings or byte patterns).
  • Generate rules for those signatures that can then be used to detect future similar infections (e.g. by AVs).
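To show the difference between the two approaches described above, here is an added example (not from the original post): two constructed, benign byte sequences stand in for an original sample and a variant with garbage strings inserted, and a simplified YARA-style "N of them" string match is compared against an exact hash lookup. The marker strings, the rule and the hash set are all constructed here, and the matcher is a stand-in for the real YARA engine, not its syntax.

```python
import hashlib

# Constructed, benign stand-ins for two variants of one "family" (not real malware).
# Both carry the same functional markers; the variant has junk strings inserted
# to change its file hash, as the post describes.
MARKER_CMD = b"cmd.exe /c whoami"
MARKER_URL = b"http://example.invalid/gate.php"
MARKER_HEX = bytes.fromhex("deadbeef")
ORIGINAL = b"MZ\x90\x00" + b"\x00" * 12 + MARKER_CMD + b"\x00" + MARKER_URL + MARKER_HEX
VARIANT = ORIGINAL[:16] + b"zq8fKd2-garbage-" * 3 + ORIGINAL[16:]
BENIGN = b"MZ\x90\x00" + b"\x00" * 12 + b"Hello, world\x00"

# Simplified YARA-style rule: named strings plus an "N of them" condition
# (a stand-in for the YARA engine, not real YARA syntax).
RULE_STRINGS = {"$cmd": MARKER_CMD, "$url": MARKER_URL, "$hex": MARKER_HEX}
RULE_MIN_HITS = 2  # condition: 2 of them


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_match(data: bytes, known_hashes: set) -> bool:
    """Hash-based identification: exact match against previously seen hashes."""
    return sha256_hex(data) in known_hashes


def pattern_match(data: bytes, rule_strings=RULE_STRINGS, min_hits=RULE_MIN_HITS):
    """Pattern-based identification: returns (matched, names of strings found)."""
    hits = [name for name, pat in rule_strings.items() if pat in data]
    return len(hits) >= min_hits, hits


if __name__ == "__main__":
    known = {sha256_hex(ORIGINAL)}  # hash database built from the first sample only
    for label, sample in (("original", ORIGINAL), ("variant", VARIANT), ("benign", BENIGN)):
        matched, hits = pattern_match(sample)
        print(f"{label:8s} hash-match={hash_match(sample, known)!s:5s} "
              f"pattern-match={matched!s:5s} hits={hits}")
```

The variant fails the hash lookup while still matching the rule, and the benign file matches neither.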

