The analysis of encrypted malware presented here combines traditional Dynamic Analysis, Active Memory Analysis and the newer “Trace Analysis”, giving a more holistic approach to malware analysis from three different perspectives. All three “prongs” of this methodology examine “Data In Execution”, which significantly reduces, and in some cases negates, the effectiveness of the anti-forensic countermeasures malware authors build into their samples.
This multi-layered methodology targets the weaker and less protected aspect of malware: its execution. It gives an analyst several complementary avenues of analysis and a means to examine advanced malware whose defenses, such as packers, obfuscation or encryption, are designed to hide the binary’s contents and foil Static Analysis. Once those protections are undone at run time, the playing field is leveled and the analyst becomes more effective. This paper provides a brief demonstration of the methodology and stands as an example of the benefit of this approach in identifying and analyzing malware that relies on anti-forensic techniques such as encryption.
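To make the “Data In Execution” argument concrete, the toy simulation below (an added example, not code from the paper) stores a constructed indicator string encrypted on disk, lets a simulated unpacking stub decrypt it, and then compares what static scanning, behaviour logging, a memory snapshot and a write trace each recover. The XOR “packer”, the hostname, the header bytes and the `TracedMemory` class are all assumptions made for the illustration; the wipe flag models an anti-forensic sample that zeroes its decrypted buffer after use, which defeats the memory snapshot but not the trace.

```python
import re

# Constructed sample data (not from the paper): a hypothetical beacon
# hostname that a packed sample keeps encrypted in its on-disk image.
INDICATOR = b"beacon.example.invalid"
KEY = bytes([0x5A, 0xC3, 0x17])  # toy multi-byte XOR key for the "packer"


def xor(data: bytes, key: bytes = KEY) -> bytes:
    """Symmetric XOR used both to pack on disk and to unpack at run time."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class TracedMemory:
    """Process image plus an ordered write trace, standing in for a sandbox
    with instruction-level tracing of memory writes."""

    def __init__(self, image: bytes):
        self.image = bytearray(image)
        self.trace = []  # (offset, bytes written) in execution order

    def write(self, offset: int, data: bytes) -> None:
        self.image[offset:offset + len(data)] = data
        self.trace.append((offset, bytes(data)))


def run_sample(mem: TracedMemory, off: int, length: int, wipe: bool) -> list:
    """Simulate the packed sample: decrypt in place, 'use' the plaintext,
    then optionally zero the buffer (an anti-forensic countermeasure)."""
    behaviour = []
    plain = xor(bytes(mem.image[off:off + length]))
    mem.write(off, plain)
    behaviour.append("connect:" + plain.decode())  # visible to dynamic analysis
    if wipe:
        mem.write(off, b"\x00" * length)  # snapshot taken afterwards sees zeros
    return behaviour


def analyse(wipe: bool) -> dict:
    """Return which of the four views recovers the indicator."""
    header = b"MZ-toy-header-"  # constructed stand-in for an executable header
    on_disk = header + xor(INDICATOR)
    pat = re.escape(INDICATOR)
    mem = TracedMemory(on_disk)
    behaviour = run_sample(mem, len(header), len(INDICATOR), wipe)
    return {
        "static": re.search(pat, on_disk) is not None,
        "dynamic": any(INDICATOR.decode() in line for line in behaviour),
        "memory": re.search(pat, bytes(mem.image)) is not None,
        "trace": any(re.search(pat, data) for _, data in mem.trace),
    }
```

Running `analyse(False)` and `analyse(True)` shows the static view failing in both cases, the memory snapshot failing only once the sample wipes its buffer, and the behaviour log and write trace recovering the indicator regardless.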