Malware analysis

The document discusses various types of malware analysis, including static, dynamic, and hybrid methods, each with distinct approaches to examining malware behavior and structure. It also highlights the importance of dead malware analysis, which allows for safe examination of malware without execution, and the role of assembly language and reverse engineering in understanding malware functionality. Additionally, it covers the significance of x86 architecture and main memory in malware analysis, emphasizing key concepts such as registers, memory segmentation, and code injection techniques.

Uploaded by satishvnrvjiet

SHORT ANSWER QUESTIONS:
1Q)
Types of Malware Analysis
1. Static Malware Analysis
Here, the malware's components or properties are analyzed without executing the code. Static analysis examines the file for signs of malicious intent: its cryptographic hashes (MD5, SHA-1, SHA-256) are computed so the sample can be identified and looked up in signature databases, and its strings, headers, imported functions and section layout are inspected. A hash matches only a byte-identical file, so a recompiled or repacked variant gets a new hash; signature matching is therefore the first step of static analysis, not the whole of it. Static analysis is safe, but packing, encryption and obfuscation can hide most of what the code does until it has been unpacked.
2. Dynamic Malware Analysis
The malware is executed inside an isolated environment (a sandbox, usually a virtual machine that can be restored from a snapshot) and its behavior is observed: files written, processes started, registry keys changed, network connections made. Dynamic analysis is behavior-based, so it sees through packing, but it shows only the code paths that actually run, and malware that detects the sandbox may behave differently or not at all.
3. Hybrid Malware Analysis
Security teams combine the two approaches, known as hybrid analysis, to get the best of both. For example, the sample is run until it has unpacked itself in memory, the unpacked code is dumped, and the dump is then analyzed statically to extract indicators of compromise (IOCs) from code that was never visible in the file on disk. Hybrid analysis therefore exposes hidden code and helps detect unknown threats that neither approach finds alone.

2Q)
Dead Malware Analysis
Dead malware analysis, also known as static malware analysis, is a technique used to examine a malware sample without executing it. This method is crucial for understanding a malware's structure, functionality and potential impact in a safe and controlled environment.

What is Dead Malware Analysis?
Dead malware analysis involves dissecting a malware sample without running it on a system. Analysts use tools to disassemble, decompile and inspect the binary file for malicious code, strings, imported functions and embedded resources.

Why is Dead Malware Analysis Important?
Safe Analysis: Since the malware is not executed, there is no risk of infecting the analysis machine (the file should still be handled in an isolated environment and never double-clicked).
Code Examination: Analysts can inspect the assembly code and understand its logic, including code paths that would not run in a sandbox.
Detection of Obfuscation & Packing: Identifies encryption, packing and anti-analysis techniques, for example from a high-entropy section, an import table with almost no entries, or section names used by known packers.
Indicator of Compromise (IOC) Extraction: Helps in finding static signatures, hashes, embedded URLs and IP addresses, and suspicious API calls.
3Q)
In the context of malware analysis, a virtual machine (VM) is a controlled and isolated environment created to execute and study potentially malicious code without affecting the host system. The structure of a VM for malware analysis typically involves the following components and configurations:
1. Host Machine:
● The physical computer on which the virtualization software runs.
● Provides CPU, memory and storage for creating and running virtual machines. It should hold no sensitive data and be kept fully patched, because a hypervisor bug is the one route by which the sample could reach it.
2. Virtualization Software:
● Examples include VMware, VirtualBox, Hyper-V, and others.
● Manages and orchestrates virtual machines on the host.
● Provides features such as snapshotting, cloning, and network configuration.
3. Guest Operating System (VM Guest):
● The operating system installed within the virtual machine.
● Configured to mimic a real-world victim, such as a specific version of Windows or Linux, with the applications the malware expects (browser, office suite, a populated user profile), so that it behaves as it would on a real target.
● Has the analysis tools installed (debugger, Procmon, Wireshark). Obvious VM artefacts such as guest-addition drivers and default VM hardware names may need to be hidden, because malware checks for them.
4. Isolation and Snapshotting:
● Isolation: Ensures that the virtual machine operates independently of the host, preventing malware from affecting the host system; shared folders, clipboard sharing and drag-and-drop should be disabled while a sample runs.
● Snapshotting: Captures the current state of the virtual machine, allowing analysts to revert to a clean state before each sample, so that findings from one sample are never mixed with residue from the previous one.
5. Networking Configuration:
● Network Isolation: Limits or restricts the virtual machine's network access to prevent malware from spreading beyond the virtual environment; typically a host-only or internal network, optionally with a second VM simulating Internet services, so that command-and-control traffic can be observed without ever reaching real hosts.

LONG ANSWER QUESTIONS:

Unit-1
Assembly Language and Reverse Engineering in Malware Analysis
Assembly Language in Malware Analysis
Assembly language is a low-level programming language that maps almost one-to-one onto a computer's machine code. It is essential in malware analysis because most malware is distributed as compiled machine code, and analysts must examine it at this low level to understand its behavior.
Why Assembly Language?
Malware authors often write programs in high-level languages (e.g., C, C++, Delphi, Go) and compile them into machine code; malware written in a scripting language such as Python is usually shipped bundled with its interpreter, so the file the analyst receives still contains native code. The source code is never available.
Disassemblers (e.g., IDA Pro, Ghidra) translate machine code back into assembly, allowing analysts to study the malware's logic. Decompilers go one step further and produce C-like pseudocode, but it must be checked against the assembly wherever the details matter.
Understanding assembly helps in identifying malicious functions, API calls, and obfuscation techniques.
Common Assembly Instructions in Malware Analysis
MOV – Transfers data between registers and memory.
CALL – Invokes a function. Calls through the import table (e.g., call dword ptr [addr]) reveal which Windows APIs the code uses.
JMP – Jumps to another part of the code. Unconditional jumps into another section or into freshly allocated memory are typical of unpacking stubs and injected code.
PUSH/POP – Stack operations used to pass arguments, save registers and store data.
CMP/TEST and JZ/JNZ – A comparison followed by a conditional jump. Anti-analysis checks usually look like a call to a function such as IsDebuggerPresent, a TEST of its return value and a conditional jump to either a benign or a malicious path, so these sequences are worth searching for.
Reverse Engineering in Malware Analysis
Reverse engineering is the process of analyzing compiled malware binaries to understand their functionality without having access to the source code. This is crucial for detecting and neutralizing malware and for creating signatures.

Key Techniques in Reverse Engineering Malware:
Static Analysis – Examining the binary without executing it.
Tools: IDA Pro, Ghidra, Radare2
Methods: Disassembling the code, identifying strings, analyzing imports and exports.
Dynamic Analysis – Running the malware in a controlled environment to observe behavior.
Tools: OllyDbg, x64dbg, Wireshark, Procmon
Methods: Debugging, monitoring network connections, tracking system modifications.
Code Deobfuscation – Many malware authors use obfuscation techniques (e.g., packers, encryption) to hide malicious intent.
Techniques: Unpacking executables, decrypting strings, reconstructing control flow.
Behavioral Analysis – Observing how the malware interacts with the system.
Indicators: File modifications, registry changes, network requests.
Common Malware Evasion Techniques
Anti-debugging (e.g., detecting debuggers with IsDebuggerPresent, which simply returns the BeingDebugged flag from the Process Environment Block; malware may read that flag directly so that the API call never appears in its imports).
Code obfuscation (e.g., encryption, junk code insertion).
Environment detection (e.g., checking for virtual machines or sandboxes).

Unit-2
In malware analysis, understanding the x86 architecture and main memory (RAM) is crucial for analyzing and reverse engineering malicious software. The x86 architecture is widely used in personal computers and servers, and malware often targets systems based on this architecture. Main memory is a primary target for malware because it allows the malware to inject code, manipulate data, and hide its presence in the system.
Here are some key aspects of x86 architecture and main memory relevant to malware analysis:
1. Registers:
● Registers are small, fast storage locations within the CPU that are used for temporary data storage and manipulation.
● EAX, EBX, ECX and EDX are general-purpose registers often used in x86 assembly language; by convention EAX holds a function's return value, which is why anti-debugging code tests EAX right after a call.
● ESP (stack pointer) and EBP (base pointer) are important for managing the stack.
2. Memory Segmentation:
● The x86 architecture uses a segmented memory model, where a memory reference is a segment register plus an offset within that segment. In 32-bit protected mode, operating systems use a flat model in which CS, DS, ES and SS all start at address 0, so most references can be read as plain addresses.
● The exception is worth knowing: on 32-bit Windows FS points at the Thread Environment Block (and GS does on 64-bit), so an instruction such as mov eax, fs:[30h] fetches the Process Environment Block. Malware reads the PEB this way to check the BeingDebugged flag and to walk the loaded-module list when resolving APIs without an import table.
3. Memory Protection:
● The x86 architecture supports page-level memory protection, including read, write and execute permissions (no-execute support is what DEP relies on). Malware often changes permissions, for example with VirtualProtect, or allocates memory that is writable and executable at the same time, so that data it has just written can be run.
● Analyzing memory protection flags helps identify suspicious behavior: legitimate code is backed by an image file and is executable but not writable, so a private region that is both writable and executable is a strong indicator of injected or unpacked code.
4. Stack and Heap:
● The stack stores local variables, function arguments and return addresses. Malware that exploits a vulnerability overwrites a return address on the stack to redirect execution to shellcode, and stack contents are also where unpackers and injectors keep their working data.
● The heap is used for dynamic memory allocation. Understanding heap structures and allocations is essential for detecting memory-related attacks such as heap overflows and heap spraying.
5. Code Injection:
● Malware often injects its code into the address space of legitimate processes, so that the malicious activity appears to come from a trusted program. The classic sequence is VirtualAllocEx to reserve memory in the target, WriteProcessMemory to copy the code in, and CreateRemoteThread to run it; variants overwrite existing code or map an entire executable image by hand.
● Analyzing code injection techniques and the modified memory regions is crucial for understanding malware behavior.
6. API Hooking:
● Malware may use API hooking to intercept and manipulate calls to system functions. An IAT hook replaces a function pointer in a program's import address table; an inline hook overwrites the first bytes of the function itself with a jump to the malware's code, which then usually calls the original.
● Identifying modified function pointers in memory, and function prologues that begin with an unexpected jump, is important for detecting API hooking.
7. Anti-Analysis Techniques:
● Malware may employ anti-analysis techniques, such as encryption, obfuscation, and self-modifying code, to make analysis more challenging.
● Understanding how malware uses main memory for these techniques is crucial for effective analysis, because the decrypted code exists only in memory and only while the process runs.
In malware analysis, tools like debuggers, disassemblers and memory analysis tools are commonly used to examine the behavior of malicious code in main memory. Analyzing memory dumps, identifying patterns, and understanding code execution flow are key components of effective malware analysis on x86 architectures.
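Two of the memory checks described above (private executable regions left by code injection, and inline API hooks that redirect a function into them), as an added example written for these notes and not part of the original. The region listing, the function address 0x77A01230 and the prologue bytes are constructed to resemble what a memory-dump tool reports for a 32-bit Windows process; the page-protection constants are the real winnt.h values.

```python
"""Memory-image checks for injected code and inline API hooks.

Added example, not part of the original notes. The region listing, the
function address and the prologue bytes are constructed to look like what a
VAD walk or memory-dump tool reports for a 32-bit Windows process.
"""
import struct

# Windows page-protection constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value lives in the high nibble

# Constructed listing: base, size, protection, backing file (None = private), first bytes.
REGIONS = [
    {"base": 0x00400000, "size": 0x1000, "protect": PAGE_READONLY,
     "mapped_file": r"C:\Windows\explorer.exe", "head": b"MZ\x90\x00"},
    {"base": 0x00401000, "size": 0x8000, "protect": PAGE_EXECUTE_READ,
     "mapped_file": r"C:\Windows\explorer.exe", "head": b"\x55\x8b\xec\x83"},
    {"base": 0x00610000, "size": 0x10000, "protect": PAGE_READWRITE,
     "mapped_file": None, "head": b"\x00\x00\x00\x00"},          # ordinary heap
    {"base": 0x02A30000, "size": 0x3000, "protect": PAGE_EXECUTE_READWRITE,
     "mapped_file": None, "head": b"MZ\x90\x00"},               # manually mapped PE
    {"base": 0x02B40000, "size": 0x1000, "protect": PAGE_EXECUTE_READWRITE,
     "mapped_file": None, "head": b"\xfc\xe8\x82\x00"},         # shellcode-like
]


def find_suspicious_regions(regions):
    """Private (unbacked) executable memory is the classic sign of injection.

    Legitimate code is backed by an image file and is not writable. A region
    that is executable and backed by nothing was produced at run time, e.g.
    by VirtualAllocEx + WriteProcessMemory; an MZ header inside it means a
    whole PE image was mapped by hand.
    """
    hits = []
    for r in regions:
        if not (r["protect"] & EXECUTE_MASK) or r["mapped_file"] is not None:
            continue
        reason = "private executable region"
        if (r["protect"] & 0xFF) == PAGE_EXECUTE_READWRITE:
            reason += " (RWX)"
        if r["head"].startswith(b"MZ"):
            reason += " with PE header"
        hits.append((r["base"], reason))
    return hits


def region_for(regions, addr):
    """Base of the region containing addr, or None."""
    for r in regions:
        if r["base"] <= addr < r["base"] + r["size"]:
            return r["base"]
    return None


def detect_inline_hook(func_addr, prologue):
    """Recognise the three common hook stubs written over a function's first bytes.

    Returns (stub_kind, target) or None. rel32 is little-endian and relative
    to the end of the 5-byte jmp, so the target is func_addr + 5 + rel32.
    """
    if prologue[0] == 0xE9:                                   # jmp rel32
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return ("jmp rel32", (func_addr + 5 + rel) & 0xFFFFFFFF)
    if prologue[:2] == b"\xff\x25":                           # jmp dword ptr [abs32]
        return ("jmp [abs32]", struct.unpack_from("<I", prologue, 2)[0])
    if prologue[0] == 0x68 and len(prologue) > 5 and prologue[5] == 0xC3:   # push imm32; ret
        return ("push/ret", struct.unpack_from("<I", prologue, 1)[0])
    return None


# Constructed: an ntdll-style stub "mov eax, <ssn>; mov edx, 7FFE0300h" (clean) versus the
# same function after a hook that redirects it into the injected region above.
NT_FUNC_ADDR = 0x77A01230          # assumed address of the export inside the process
CLEAN_PROLOGUE = b"\xb8\x55\x00\x00\x00\xba\x00\x03\xfe\x7f"
HOOKED_PROLOGUE = b"\xe9" + struct.pack("<i", 0x02A31000 - (NT_FUNC_ADDR + 5)) + CLEAN_PROLOGUE[5:]


def hook_lands_in_suspicious_region(func_addr, prologue, regions):
    """Strongest signal: a hook whose target lies inside a private executable region."""
    hook = detect_inline_hook(func_addr, prologue)
    if hook is None:
        return None
    suspicious = {base for base, _ in find_suspicious_regions(regions)}
    owner = region_for(regions, hook[1])
    return owner if owner in suspicious else None


if __name__ == "__main__":
    for base, why in find_suspicious_regions(REGIONS):
        print(f"{base:#010x}: {why}")
    print(detect_inline_hook(NT_FUNC_ADDR, HOOKED_PROLOGUE))
    print(f"{hook_lands_in_suspicious_region(NT_FUNC_ADDR, HOOKED_PROLOGUE, REGIONS):#010x}")
```

In a real investigation the region list comes from the process (VirtualQueryEx) or from a memory image, and the prologue bytes are compared against the same function in the on-disk DLL; the two checks are combined because a jump into a private RWX region is far harder to explain away than either observation alone.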
Instructions, Opcodes and Endianness, Operands, Registers, Simple Instructions, The Stack, Conditionals, Branching, Rep Instructions, C Main Method and Offsets

1. Instructions, Opcodes, and Endianness:
● Instruction: In x86 assembly language, instructions are the low-level operations the CPU can execute. Each instruction is encoded as an opcode followed by whatever its operands need: optional prefixes, one to three opcode bytes, a ModRM byte (and sometimes a SIB byte) describing register or memory operands, a displacement, and an immediate value. A single mnemonic such as MOV therefore has several opcodes depending on its operand forms.
● Opcode: Opcodes are the numeric codes that select the operation. For example, 0xE8 is CALL with a 32-bit relative target, 0xC3 is RET, and 0x50 through 0x57 are PUSH of each of the eight general-purpose registers.
● Endianness: The x86 architecture is little-endian, meaning that the least significant byte of a multi-byte value is stored at the lowest memory address. The address 0x00402000 inside an instruction appears in the bytes as 00 20 40 00, so a hex dump must be read back to front to recover immediates, addresses and jump displacements.
2. Operands:
● Operands: Operands are the data or variables upon which an instruction operates. They can be immediate values (constants encoded in the instruction), registers, or memory locations given as [base + index*scale + displacement].
● Registers: The x86 architecture has a set of general-purpose registers (EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP) that instructions can use as operands. ESP (stack pointer) and EBP (base pointer) are general-purpose in encoding but reserved for the stack by convention. EIP (instruction pointer) is special: it cannot be named as an operand and is changed only through jumps, calls and returns, which is why control-flow hijacking always works by planting a value that one of those instructions will load.
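The instructions listed in Unit-1 (MOV, CALL, JMP, PUSH/POP, CMP/TEST, JZ/JNZ) and the opcode, ModRM and little-endian encoding rules described here, shown in a small decoder written for these notes (an added example; it is not a real disassembler and handles only the forms it lists). It decodes a constructed 24-byte function that calls IsDebuggerPresent through the import table and branches on the result, then flags that anti-debugging pattern. The base address 0x401000 and the import-table slot 0x402000 are assumptions.

```python
"""A tiny decoder for the x86 (32-bit) instructions the notes list.

Added example, not part of the original notes. It handles only the opcode
forms used below; a real disassembler (IDA, Ghidra, radare2) covers the full
encoding. The code bytes, the base address 0x401000 and the import-table slot
0x402000 are constructed.
"""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
JCC8 = {0x74: "jz", 0x75: "jnz", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
GROUP1 = {0: "add", 1: "or", 4: "and", 5: "sub", 6: "xor", 7: "cmp"}             # 0x83 /digit
RM_DEST = {0x89: "mov", 0x85: "test", 0x31: "xor", 0x39: "cmp", 0x01: "add", 0x29: "sub"}  # op r/m, reg
REG_DEST = {0x8B: "mov", 0x33: "xor", 0x3B: "cmp", 0x03: "add", 0x2B: "sub"}              # op reg, r/m


def modrm(byte):
    """Split a ModRM byte into its mod (2 bits), reg (3 bits) and rm (3 bits) fields."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def decode_one(code, pos, base):
    """Decode the instruction at code[pos]; return (length, text, info)."""
    op = code[pos]
    addr = base + pos
    if op == 0xC3:
        return 1, "ret", {}
    if 0x50 <= op <= 0x57:
        return 1, f"push {REG32[op - 0x50]}", {}
    if 0x58 <= op <= 0x5F:
        return 1, f"pop {REG32[op - 0x58]}", {}
    if 0xB8 <= op <= 0xBF:                       # mov r32, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]   # "<" = little-endian
        return 5, f"mov {REG32[op - 0xB8]}, {imm:#x}", {}
    if op == 0x68:                               # push imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return 5, f"push {imm:#x}", {}
    if op in (0xE8, 0xE9):                       # call/jmp rel32: relative to the next instruction
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        target = (addr + 5 + rel) & 0xFFFFFFFF
        return 5, f"{'call' if op == 0xE8 else 'jmp'} {target:#x}", {"target": target}
    if op == 0xEB or op in JCC8:                 # short jumps: signed 8-bit displacement
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        target = (addr + 2 + rel) & 0xFFFFFFFF
        return 2, f"{'jmp' if op == 0xEB else JCC8[op]} {target:#x}", {"target": target}
    if op in RM_DEST or op in REG_DEST:          # register-register forms only (mod == 3)
        mod, reg, rm = modrm(code[pos + 1])
        if mod != 3:
            raise ValueError(f"memory operand not supported at {addr:#x}")
        if op in RM_DEST:
            return 2, f"{RM_DEST[op]} {REG32[rm]}, {REG32[reg]}", {}
        return 2, f"{REG_DEST[op]} {REG32[reg]}, {REG32[rm]}", {}
    if op == 0x83:                               # add/or/and/sub/xor/cmp r32, imm8 (sign-extended)
        mod, reg, rm = modrm(code[pos + 1])
        if mod != 3 or reg not in GROUP1:
            raise ValueError(f"unsupported 0x83 form at {addr:#x}")
        imm = struct.unpack_from("<b", code, pos + 2)[0]
        return 3, f"{GROUP1[reg]} {REG32[rm]}, {imm}", {}
    if op == 0xFF:                               # call/jmp dword ptr [abs32]: how imports are called
        mod, reg, rm = modrm(code[pos + 1])
        if mod == 0 and rm == 5 and reg in (2, 4):
            slot = struct.unpack_from("<I", code, pos + 2)[0]
            return 6, f"{'call' if reg == 2 else 'jmp'} dword ptr [{slot:#x}]", {"iat_slot": slot}
    raise ValueError(f"unsupported opcode {op:#04x} at {addr:#x}")


def disassemble(code, base):
    """Linear sweep over the buffer: list of (address, text, info)."""
    out, pos = [], 0
    while pos < len(code):
        length, text, info = decode_one(code, pos, base)
        out.append((base + pos, text, info))
        pos += length
    return out


def find_debugger_checks(listing, iat):
    """Flag 'call [IsDebuggerPresent]; test eax, eax; jz/jnz' sequences."""
    hits = []
    for i in range(len(listing) - 2):
        api = iat.get(listing[i][2].get("iat_slot"))
        nxt, jcc = listing[i + 1][1], listing[i + 2]
        if api == "IsDebuggerPresent" and nxt == "test eax, eax" and jcc[1].split()[0] in ("jz", "jnz"):
            hits.append({"call_at": listing[i][0], "jcc": jcc[1].split()[0], "jcc_target": jcc[2]["target"]})
    return hits


# Constructed bytes: a function that returns 1 when a debugger is attached, else 0.
SAMPLE = bytes.fromhex(
    "55"             # push ebp
    "8bec"           # mov ebp, esp
    "ff1500204000"   # call dword ptr [0x402000]; bytes 00 20 40 00 are 0x00402000 little-endian
    "85c0"           # test eax, eax
    "7504"           # jnz +4   (to the mov eax, 1)
    "33c0"           # xor eax, eax
    "eb05"           # jmp +5   (over the mov)
    "b801000000"     # mov eax, 1
    "5d"             # pop ebp
    "c3"             # ret
)
BASE = 0x401000
IAT = {0x402000: "IsDebuggerPresent"}   # assumed import-table slot, as read from the PE import directory

if __name__ == "__main__":
    listing = disassemble(SAMPLE, BASE)
    for addr, text, _ in listing:
        print(f"{addr:#010x}  {text}")
    print(find_debugger_checks(listing, IAT))
```

The listing shows why the Unit-1 note singles out CMP/TEST and the conditional jumps: the decision of a debugger check is the jnz at 0x40100b, and an analyst can neutralise it in a debugger by changing the 0x75 to 0x74 or patching it to two NOPs. Linear sweep is adequate here; real code contains data and jump tables that break it, which is why disassemblers follow control flow instead.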

Unit-3
Analysing traces of malware across system calls, API calls, registry modifications and network activity provides a comprehensive understanding of its behaviour. In dead (static) analysis these traces are inferred from the binary itself: its imports, strings, embedded addresses and registry paths. The system-call, registry-diff and packet-capture steps below record what the sample actually does, so they require running it; they belong in the isolated VM described earlier, restored from a clean snapshot before each sample. Here is a step-by-step guide to conducting such an analysis:
Collecting Malware Sample:
Obtain the malware sample from a reliable source and handle it carefully to avoid accidental execution or contamination: store it in a password-protected archive, give it a non-executable extension, and move it only into the analysis VM.
Static Analysis:
Conduct initial static analysis to gather basic information about the malware, such as file type, size and metadata (compile timestamp, sections, imports).
Calculate cryptographic hashes (MD5, SHA1, SHA256) for identification and sharing purposes; the hash is also what you look up in threat-intelligence sources before spending time on a sample someone has already analysed.
System Call Analysis:
Use system-call tracing tools (strace on Linux, truss on other Unix-like systems, or API-monitoring tools such as Procmon or API Monitor on Windows) to record the calls the sample makes.
Capture the traces while the sample executes in the controlled environment.
Identify system calls related to file manipulation, process creation, memory operations (allocation and protection changes in other processes) and privilege-escalation attempts.
API Call Analysis:
Analyse dynamic-link library (DLL) imports and exports to identify the APIs the malware can invoke; an almost empty import table usually means the binary is packed or resolves its APIs at run time.
Cross-reference API calls with system-call traces to correlate high-level operations with low-level system interactions.
Identify API calls related to file operations, network communication, process management and registry manipulation.
Registry Analysis:
Examine registry modifications made by the malware to persist across system reboots or alter system configuration.
Use a snapshot-comparison tool (e.g., RegShot) to record the registry before and after execution and diff the two; Procmon's RegSetValue events give the same information with the responsible process attached. Registry Editor lets you inspect keys by hand but does not diff snapshots.
Identify registry keys and values created, modified or deleted by the malware, particularly autostart locations such as the Run and RunOnce keys, Services entries and Winlogon values.

Network Activity Analysis:
Analyse network traffic generated by the malware to understand its communication patterns and potential command-and-control (C2) infrastructure.
Capture packets with Wireshark or tcpdump while the malware executes in the controlled environment; on a host-only network, a fake DNS/HTTP service (e.g., INetSim) lets you see what the sample tries to reach without letting it reach anything real.
Identify communication protocols, destination IP addresses, domain names, and data payloads exchanged between the malware and external servers.
Behavioural Analysis:
Documentation and Reporting:
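The registry step of the workflow above, as an added example written for these notes (not part of the original): a diff of two constructed RegShot-style snapshots, with changes under autostart keys flagged and a note when the new value points into a user-writable directory. The autostart key list and both snapshots are constructed; the svchost.exe under the Public user directory is the constructed malicious entry.

```python
"""Diff two registry snapshots and flag changes in persistence locations.

Added example, not part of the original notes. The snapshots are constructed
to resemble a RegShot-style before/after export of a Windows VM; the
svchost.exe under the Public user directory is the constructed malware.
"""
import re

# Key paths (matched case-insensitively) that Windows consults at boot or logon;
# writes here are the usual persistence mechanisms. Illustrative, not complete.
AUTOSTART_PATTERNS = [
    r"\\CurrentVersion\\Run(Once)?$",
    r"\\CurrentControlSet\\Services\\[^\\]+$",
    r"\\Winlogon$",
    r"\\Image File Execution Options\\",
]
USER_WRITABLE = re.compile(r"\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)

# Constructed snapshots: key path -> {value name: data}.
BEFORE = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {},
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler": {
        "ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 2},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 1},
}

AFTER = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {},          # existing value deleted
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Users\Public\svchost.exe"},                       # new autostart entry
    r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler": {
        "ImagePath": r"C:\Windows\System32\spoolsv.exe", "Start": 4},     # service disabled
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced": {"Hidden": 2},  # noise
}


def diff_snapshots(before, after):
    """Return (op, key, value_name, old, new) for every added, modified or deleted value."""
    changes = []
    for key in sorted(set(before) | set(after), key=str.lower):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, None, new[name]))
            elif name not in new:
                changes.append(("deleted", key, name, old[name], None))
            elif old[name] != new[name]:
                changes.append(("modified", key, name, old[name], new[name]))
    return changes


def flag_persistence(changes):
    """Keep only changes under autostart keys, each with a short note on why it matters."""
    flagged = []
    for op, key, name, old, new in changes:
        if not any(re.search(p, key, re.I) for p in AUTOSTART_PATTERNS):
            continue
        note = f"{op} autostart entry"
        if isinstance(new, str) and USER_WRITABLE.search(new):
            note += "; points into a user-writable directory"
        if op == "deleted":
            note += "; possible tampering with an existing entry"
        flagged.append((key, name, note))
    return flagged


if __name__ == "__main__":
    for key, name, note in flag_persistence(diff_snapshots(BEFORE, AFTER)):
        print(f"{key}\\{name}: {note}")
```

Everything on the system writes to the registry, so the raw diff is noisy (here the Explorer "Hidden" change); the filter is what turns it into findings. The deleted HKLM Run value deserves as much attention as the added one, since removing a security product's autostart entry is itself a behaviour worth reporting.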
