What can you do with the help of malware analysis?
Determine the functions of a suspicious program, assess the nature and extent of the threat during infection.
Get indicators of compromise by which the threat can be detected and removed from the network.
Establish whether the attack is directed specifically at your company or is part of a mass mailing (and, if possible, determine which cybercrime group the malware belongs to).
- We helped clients neutralise such threats as WannaCry, Lurk, Carbanak, RTM, Silence, Emotet.
- Our specialists take part in court proceedings as cybercrime experts.
- We constantly follow the latest trends in malware and share our knowledge with the public. We regularly give talks at conferences, publish research papers, and produce articles for the media.
Fast and thorough examination of malicious programs
When a malicious program enters your infrastructure, your cybersecurity team needs to know as much as possible about the threat: how it works, how it hides and how it can be eradicated. This kind of intel requires an abundance of resources and specific expertise.
We have all it takes to get the job done: the tools, the knowledge bases and a team of seasoned experts with extensive experience in malware analysis. We can provide all the information necessary for incident response. You will start receiving information about the threat within a few hours of sending us the sample.
Malware analysis is carried out in three stages:
1. Preliminary analysis
(~2 hrs after receiving the sample)
We collect statistics and sample program metadata. If possible, we determine the family to which the program belongs, and analyse the textual information. Thus, we can identify key facts about the threat as early as in the first stage of the analysis, and these include: the functions, the C&C server and the commands being executed.
2. Behavioural analysis
(~4 hrs after receiving the sample)
We run the malicious program in a controlled environment and monitor its behaviour: what it does with files, how it changes system settings, which processes it infects, and which servers it communicates with. This procedure helps us identify indicators of compromise for infected systems and describe the characteristic signs that the program is present in the infrastructure.
3. Code analysis
(~2 days after receiving the sample)
We carry out reverse engineering using static and dynamic code analysis methods. As a result, we can accurately describe the algorithm of the malicious program and identify all its functions — including the hidden ones.
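As an added illustration of the first stage described above (example code, not the vendor's own tooling), a small Python triage script that hashes a submitted sample, pulls its printable strings and flags candidate network indicators for an analyst to confirm. The sample bytes and the file-extension heuristic are constructed for this example.

```python
# Stage-1 (preliminary) triage of a suspicious file: hashes, basic metadata
# and textual indicators. Added example, not the vendor's own tooling.
import hashlib
import re

# Constructed sample standing in for a submitted binary: an MZ header, padding
# and a few embedded strings of the kind a preliminary analysis looks for.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://198.51.100.7/gate.php\x00"
    + b"cmd.exe /c whoami\x00"
    + b"update-check.example.net\x00"
    + b"\x01\x02\x03"
)
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")          # printable ASCII runs
URL_RE = re.compile(rb"https?://[\w.\-/%?=&]+")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(rb"\b[a-z0-9][a-z0-9\-]*(?:\.[a-z0-9\-]+)*\.[a-z]{2,}\b", re.I)
# Heuristic (constructed): a "domain" ending in a file extension is a filename.
FILE_EXTENSIONS = {"exe", "dll", "sys", "php", "dat", "tmp"}

def file_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def printable_strings(data: bytes) -> list:
    return STRING_RE.findall(data)

def candidate_iocs(strings) -> dict:
    """Pull network indicators out of strings; these are candidates for an
    analyst to confirm, not verified IoCs."""
    urls, ips, domains = set(), set(), set()
    for s in strings:
        urls.update(u.decode() for u in URL_RE.findall(s))
        rest = URL_RE.sub(b"", s)              # avoid re-matching URL parts
        ips.update(ip.decode() for ip in IPV4_RE.findall(rest))
        for d in DOMAIN_RE.findall(rest):
            d = d.decode().lower()
            if d.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
                domains.add(d)
    # The host part of each URL is itself an indicator worth recording.
    for u in urls:
        host = u.split("//", 1)[1].split("/", 1)[0]
        (ips if IPV4_RE.fullmatch(host.encode()) else domains).add(host)
    return {"urls": sorted(urls), "ips": sorted(ips), "domains": sorted(domains)}

def triage(data: bytes) -> dict:
    strings = printable_strings(data)
    return {"size": len(data), "is_pe_like": data[:2] == b"MZ", "hashes": file_hashes(data),
            "string_count": len(strings), "iocs": candidate_iocs(strings)}
```

Run `triage(SAMPLE)` to get a report dict; the hashes and the `urls`/`ips`/`domains` lists are the raw material for the indicators of compromise that later stages confirm.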