Article

Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives

by Maria-Mădălina Andronache 1, Alexandru Vulpe 2 and Corneliu Burileanu 3,*
1 Research Institute “CAMPUS”, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
2 Telecommunications Department, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
3 The Electronic Devices, Circuits and Architectures Department, National University of Science and Technology POLITEHNICA Bucharest, RO-060042 Bucharest, Romania
* Author to whom correspondence should be addressed.
J. Cybersecur. Priv. 2025, 5(4), 98; https://doi.org/10.3390/jcp5040098
Submission received: 27 September 2025 / Revised: 2 November 2025 / Accepted: 7 November 2025 / Published: 10 November 2025
(This article belongs to the Special Issue Intrusion/Malware Detection and Prevention in Networks—2nd Edition)

Abstract

Malware remains one of the most persistent and evolving threats to cybersecurity, necessitating robust analysis techniques to understand and mitigate its impact. This study presents a comprehensive analysis of selected malware samples using both static and dynamic analysis techniques. In the static phase, file structure, embedded strings, and code signatures were examined, while in the dynamic phase the malware was executed in a virtual sandbox environment to observe process creation, network communication, and file system changes. Combining the two approaches made it possible to characterize various types of malware files and reveal their key elements, improving the understanding of the code capabilities and evasive behaviors of malicious files. The goal of these analyses was to build a database of malware profiles, together with a catalogue of the tools that can be used to identify and analyze malware. The results demonstrate that integrating static and dynamic methodologies improves the accuracy of malware profiling and supports more effective threat detection and incident response strategies.

1. Introduction

Cybersecurity has become a critical research focus due to the increasing sophistication of modern cyber threats. From companies to individual users, everyone has a stake in this field, both because of the need to protect their own resources and because of the steady stream of reported attacks on key areas of the cyber environment. As highlighted by [1], the evolution of IT security since the 1980s, from internal incident reporting to the formation of cross-organizational response teams, has played a central role in shaping current approaches to threat detection and cybersecurity management. In addition, according to [2], despite advances in cybersecurity research, significant gaps remain in understanding an organization’s cybersecurity culture, particularly in terms of how it manifests itself in individuals’ daily behaviors and how these behaviors influence risk perceptions and drive cultural change. Given the growing global frequency of security breaches, the probability of system compromise has increased significantly across all user categories. Technological developments in information technology, along with the shift toward cloud-based infrastructures, have increased the complexity of networks and, in turn, amplified the exposure of sensitive data for both independent users and organizations. Attackers take advantage of this exposure and develop a variety of attacks and practices, both in the cloud and on-premises. Their advantage comes from lightweight test environments that can simulate real resources (including cloud ones), from training on publicly available data exposed by negligent users, and from the ability to research security breaches or vulnerabilities via online resources, even those intended for legitimate purposes, all of which contribute to greater information exposure.
According to several studies surveyed in [3], traditional cyber situational awareness systems typically provide perception and understanding of cyber environments by identifying, collecting, analyzing, and evaluating cybersecurity data from a given system. However, the visualization and interaction technologies through which users work with such a system constrain their understanding, especially when dealing with complex cybersecurity data, which can lead to data occlusion and a superficial grasp of the underlying concepts.
With this technological shift, security vendors are no longer concentrating on traditional controls (firewalls, antivirus) and are developing the cloud side considerably more, given the novelty, ease of deployment, and paradigm changes it brings. However, this tends to become a danger for ordinary users and for companies that rely on on-premises solutions, because technological progress in that area tends to stagnate. At the same time, given the advance of threats and their widening applicability, it is highly probable that attackers will continue to refine their skills in the cloud and test them on-premises. As observed in [4], modern malware frequently employs environment-aware techniques, known as context-aware or sandbox-evasive behavior, to assess whether a system is worth attacking. This allows it to circumvent sandbox-based analysis and to focus on high-value targets, such as systems containing sensitive information or critical services. Therefore, it is extremely important and urgent to have cybersecurity solutions that are well adapted to a wide range of devices and capable of identifying malware or network anomalies in the shortest possible time (ideally, in real time).
The current research focuses on identifying the effect that malware and other malicious software have on legitimate end devices. The subject covers both applications used by companies or institutions and those used by ordinary users. The impact of different types of malicious files on systems is systematically monitored to identify their key characteristics. As mentioned in [5], despite monitoring efforts, both our dataset and other real-world datasets contain an unknown number of undetected attacks, whether missed by automated systems or by human analysts. These missed attacks can be complete oversights or cases where detection was delayed. Such gaps are particularly concerning, because detecting and documenting one attack does not preclude the presence of other malicious files, which may be intentionally left behind by the attacker for leverage in future operations.
While numerous studies focus on either static or dynamic malware analysis, few explore an integrated, hybrid perspective that captures discriminative features across malware families. Furthermore, even fewer studies address these issues on real malware samples rather than pre-labeled databases. These gaps limit the development of unified detection frameworks capable of learning from both behavioral and structural indicators of real malware. This study aims to identify discriminative static and dynamic features that can inform the development of robust automatic anomaly detection systems in future work, while also providing a foundation for comparative analysis of malware behaviors across different families and operating systems. Specifically, it addresses the following research questions:
  • Which hybrid features (entropy, API calls, execution traces) most effectively differentiate malware types?
  • How do static and dynamic indicators correlate across categories?
  • How consistent are the static and dynamic characteristics across multiple samples within the same malware category?
This study addresses these gaps by systematically identifying key static and dynamic features of malware, conducting comparative analyses across malware families and operating systems, and evaluating these features in realistic environments. The findings provide actionable insights for designing robust automated detection systems that are better equipped to detect sophisticated, evasive malware, thereby advancing both the methodological and practical dimensions of cybersecurity research.
The remainder of this paper is organized as follows. Section 2 presents the related work conducted by various researchers. Section 3 outlines the methodology adopted in this study, with a detailed description of the dataset and the tools employed. Section 4 discusses the results and provides an in-depth analysis, while Section 5 offers a discussion of the findings. Finally, Section 6 concludes the paper and outlines directions for future work.

2. Related Work

Since malware detection and classification is an active field, several researchers have made prior contributions, using a variety of datasets and tools to make their analyses as relevant as possible. While most prior research emphasizes automated detection, the present study focuses on a comparative analysis of malware characteristics to enhance interpretability. Regardless of the dataset or the analytical methodology adopted, each approach entails specific benefits and constraints; the following discussion elaborates on these factors in detail.

2.1. Theoretical Foundations/Conceptual Frameworks

The study presented in [6] emphasizes the progression of particular malware features and their evolving characteristics. It is therefore useful for observing how, as technologies evolve, malicious programs also develop their capabilities; at the same pace or, often, even faster, malware detection programs must evolve as well, especially those that implement machine learning techniques. The analysis in that article highlights the importance of hybrid, static, and dynamic analysis systems for the detection and understanding of malicious software. In practice, the cited work can be used to build a framework for evaluating strategies that favor the detection and prevention of infection of targeted systems. From the perspective of this paper, [6] has a theoretical character, putting the various trends in cybersecurity into context, whereas this paper focuses on actual experiments, in order to observe the real impact that malicious software has on a system.
In the current context, the paper [7] also constituted a solid theoretical basis, because it addresses one of the important challenges of malware: obfuscation. This technique is used to avoid detection and to increase the success rate of attacks. Among the methods surveyed in that paper, hybrid analysis is also addressed, performing detection through API calls, PE file analysis, code analysis, etc. Other methods are analyzed, including AI-based ones, but static analysis accounts for 27% of the surveyed methodology and dynamic analysis for 23%. In addition, most of the results, 51%, were extracted from the analysis of malware impact on Windows systems. From these figures, although static and dynamic analysis of malicious files might be considered dated, it remains an important component of malware analysis. This paper addresses both analysis techniques, with emphasis on Windows operating systems, so the analysis in [7] is an important point of reference.

2.2. Static and Dynamic Analysis

Considering the study in [8], clear differences between static and dynamic analysis approaches are evident, and the advantages and disadvantages of each are highlighted throughout that paper. The analysis targets the mobile domain, being carried out on Android; it is nevertheless worth mentioning because it includes several interesting aspects that can also be applied to workstations or classic end devices (laptops). The paper is applied to software development, treating the two types of analysis as object-oriented metrics.
In the current paper, static and dynamic analysis are used to highlight the most easily identifiable characteristics of malicious files. Thus, in this case, the two types of analysis are also used as metrics to define the malicious nature of the files.
Taking into account the aspects mentioned in [9], malware analysis includes both hash-based signature methods and various types of API sequences. These sequences are the main feature for defining the characteristics considered in this work. Thus, during the execution of any malicious software, its behavior can be characterized through the API sequences it issues. However, it is necessary to consider the APIs specific to malware and not the general ones used by most software. The easiest way to classify these functions is through machine learning algorithms, which can learn, from specific inputs, the APIs most frequently used by malware. The authors also use a public dataset, MAL-API-2019 [10], to characterize malware more easily, and the results obtained advance the research activity.
In this work as well, APIs are used to outline malware analysis, although they are not the defining feature. However, these functions are included in both types of analysis, both static and dynamic, and have an important influence on the malicious characterization of files.
In [11], malware analysis is discussed in the context of several types of attacks. These are relevant for understanding the scale and diversity of attacks that can be carried out in the current security environment, which makes forensic and digital crime investigation actions imperative. However, in that work, the legal aspect of the investigations is treated only in general terms. The study identifies multiple objectives and areas of applicability, while also taking into account the legal jurisdictions that may influence an investigation.
Although the cited work does not include a large amount of technical data, comparing it with the present work revealed that legislative aspects were not taken into account here. This can be considered a limitation of the present study and will be addressed in future work.
The paper [12] proposes a technical approach, using the Ghidra tool for malicious code identification. It automatically decompiles malware samples to extract various types of features such as functions or strings. In addition, through the paper, tools such as VirusTotal or PEview are utilized to evaluate file structures and their known signatures. The proposed architecture includes, as a last step, the classification of malicious files, and the analysis also takes into account structure inspection, allowing the detection of polymorphic and obfuscated malware.
During this work, Ghidra was excluded from the set of tools under consideration; however, alternatives, including IDA Pro, were evaluated.
The related work encompassed both theoretical contributions from prior studies and experimental methodologies from research with comparable objectives, providing a basis for situating the present study within the existing body of knowledge.

2.3. Emerging Threats and Challenges

Modern malware uses contextual techniques that verify the operating environment before execution, allowing it to evade sandbox-based or automated detection systems. The heterogeneity of these environments complicates the extraction and monitoring of the characteristics of a malicious file, sometimes rendering traditional static or dynamic analysis ineffective. In addition, malware families increasingly employ obfuscation, polymorphism, and multi-stage attacks, which complicate identification and tracking across systems. It is nevertheless useful to recall the most important milestones in the history of malware. It appeared around the 1970s with the “Creeper” program [13], which was developed as an experiment, not as a threat. In 1988, the Morris Worm [14] infected about 10% of the devices connected to the Internet at that time. About 11 years later, Melissa [15] appeared, one of the first viruses to spread widely via email. After 2000, malware became considerably more complex, with Zeus [16] and Stuxnet [17] appearing in 2007 and 2010, respectively. They targeted two extremely complex domains, banking (Zeus led to the theft of banking credentials) and industrial control (Stuxnet was used to sabotage industrial systems, including Iran’s nuclear program). The next key points on the historical axis are WannaCry [18], in 2017, a ransomware that affected approximately 150 countries and hundreds of thousands of devices, and the SolarWinds supply-chain compromise [19], in 2020, which affected United States government agencies among other victims.
Modern threats are increasingly stealthy, multi-stage, and AI-assisted, requiring hybrid detection strategies, comprehensive monitoring, and rapid response capabilities. The most common threat categories in today’s security landscape, several of which are delivered through malware, are the following:
  • Ransomware [20,21,22]: propagates rapidly and uses sophisticated evasion techniques.
  • Phishing and social engineering [23,24]: when highly targeted, evades conventional spam filters.
  • Advanced persistent threats (APTs) [25,26]: difficult to detect and able to remain latent for months or years.
  • Cloud security threats [27,28]: a large number of organizations report limited visibility and control over their cloud workloads.
  • AI-based attacks [29,30]: automated defenses may struggle to distinguish legitimate from malicious AI behavior.
  • Zero-day exploits [31,32]: extremely difficult to identify; their detection relies on observing abnormal behavior and rapidly deploying fixes.

2.4. Monitoring, Logging, and System-Level Data

According to [33], system logs are one of the most important sources of information in cybersecurity. By extracting and analyzing them, remediations for system vulnerabilities can be devised. For Linux systems, which the cited study targets, monitoring covers numerous types of events, from executed processes to various errors or failed authentication attempts. By processing them in real time, multiple threats can be detected and many issues can be addressed through proactive rather than reactive measures. If these measures are centered on automation and machine learning, systems become more robust at correlating information and thus detect and prevent abnormal traffic quickly. The paper also touches, less prominently, on the false positives produced by such analysis, which cannot be ignored.
In this work, compared to the cited one, more malware samples are used, and system logs, especially from the Linux operating system area, are utilized to measure changes within processes before and after the attack.
In [34], another interesting branch of cybersecurity is addressed, based on the combination of data engineering methods and artificial intelligence. This research highlights various data manipulation techniques, which are subsequently analyzed using multiple artificial intelligence algorithms. The purpose of this analysis is to identify a method of automatic response to risks within some systems. However, the paper does not go far into the technical area, focusing more on the differences in malware detection between human analysts and AI algorithms. The conclusion, following the data analysis, is that operations are greatly streamlined and the response time to incidents is reduced.
This paper does not explore malware analysis through AI, but based on the analysis performed, the essential characteristics of various malicious software can be extracted, which can subsequently form a solid basis for automatic intrusion detection.

2.5. Artificial Intelligence and Machine Learning

Recent studies have explored hybrid approaches to analyzing complex systems and improving resilience against faults or attacks. For example, [35] performs an initial analysis of the process of propagation of network node failures following an attack on the traffic network and introduces a risk-based approach to network fault propagation, proposing the Susceptible, Infectious, Recovered, Dead-Risk (SIRD-R) model to capture the dynamics of fault spread.
The resilience of the traffic network is forecast using LSTM networks (Node Protection Based on Forecasting and Node Recovery Based on Forecasting), and on that basis a method is proposed to optimize this parameter proactively, in advance. The deep-learning neural network algorithms considered in that paper are CNN, RNN, and LSTM.
The goal of that work is an efficient response method for security incidents, leading to continuous operation of the network and a reduction in losses.
While the cited paper focuses on traffic networks and incorporates AI and machine learning techniques, which were not included in the present study, it provides a valuable conceptual foundation for future extensions. In particular, it highlights the potential of combining predictive modeling with system monitoring to enhance vulnerability assessment and automated response, an idea that could inform future enhancements to our hybrid malware analysis framework.
To contextualize the current study within the broader landscape of cybersecurity research, this subsection summarizes recent advances in threat detection, malware analysis, system monitoring, AI-driven cybersecurity, and network resilience. The selected studies highlight diverse approaches, including dynamic and static analysis of zero-day vulnerabilities, cloud-based malware detection, Linux system log monitoring, AI-assisted threat detection, and resilience modeling for complex networks. Table 1 provides a comparative overview of these works, detailing their objectives, methodologies, key contributions, and relevance to the present study, illustrating the range of tools, techniques, and frameworks that inform both practical and theoretical aspects of modern cybersecurity research.

3. Methodology

Analyzing files to detect malicious software, and the intrusions it enables, is an important aspect of cybersecurity. In the current landscape, there are a multitude of solutions that can quickly and efficiently identify malicious behaviors. This research adopts a hybrid malware analysis framework that integrates both static and dynamic examination techniques to comprehensively characterize malware behavior.
The overall objective of the experimental design is to identify discriminative features that can contribute to the development of more robust automated anomaly detection systems. Secondary objectives include analyzing behavioral differences across malware categories and comparing behaviors across Windows and Linux operating systems.
The experimental design was structured to ensure both validity and reproducibility across multiple test iterations. The selection of malware samples followed a clear rationale: five representative samples from each major malware category (adware, backdoor, Trojan, malware, keylogger, spyware, RAT, and ransomware) were chosen from reputable open repositories, such as MalwareBazaar, to capture behavioral diversity within each class. This approach avoids bias toward a single malware family and ensures a broader, category-level understanding.
The analysis environment was implemented using Windows 10 Pro and Ubuntu 22.04 virtual machines, both running on VMware with 8 GB of RAM allocated per instance. Networking was configured through an isolated virtual switch so that the samples could communicate as in a real network without exposing the host system, and tools such as PEStudio, RegShot, Wireshark, Process Monitor, and FakeNet were employed for feature extraction and behavioral observation.
These design choices collectively provide a controlled yet realistic testbed that supports reproducibility and enables consistent comparison across experiments.

3.1. Workflow Diagram

The experimental design was informed by the need to ensure reproducibility, transparency, and cross-platform applicability in malware research. The workflow encompasses malware sample acquisition, static feature extraction, dynamic behavior observation, and benchmarking.
By combining these complementary approaches, the study aims to bridge the analytical gap between static indicators and execution behaviors, providing a more complete understanding of how malware interacts with different operating environments.
To enable safe and systematic examination, a sandbox environment was established for analyzing the malicious files. Within this, several commercial and open-source tools were installed, and several analysis scenarios were tested. In this way, the most important aspects of malicious files were identified. The primary objective of the experimental environment was to identify effective methodologies for the comparative analysis of malicious files, with the ultimate goal of integrating the resulting features into an efficient database for future automated detection systems.
To ensure comprehensive testing and cross-platform validation, multiple virtual machines running different operating systems (Linux and Windows) were deployed on a dedicated server. This setup allowed for the execution of a wide range of experiments and the analysis of diverse categories of malware samples.
Consequently, the methodological approach adopted in this research integrates the major operational components outlined in Figure 1, which together define the workflow of the study. Each phase of the investigation, from the initial data preparation to the final evaluation, was carried out in accordance with the steps shown in the figure. This workflow was critical in maintaining a structured approach and ensuring that the analysis was conducted systematically and consistently across all stages.

3.2. Dataset

The first stage of the methodological workflow involved the identification of relevant malware samples suitable for comparative evaluation. This step was carried out using the MalwareBazaar database [36], which provides a curated collection of authentic malware binaries.
A subset of samples was selected and downloaded for analysis, representing diverse malware categories. Table 2 presents these samples along with their abbreviated identifiers, which are utilized throughout the paper for consistency, and their respective classification according to type.
A total of 40 malicious files were selected based on diversity within families, such as ransomware, Trojans, and backdoors, and on operational compatibility with the target analysis environments (Windows and Linux). The selection criteria emphasized representativeness of the prevailing threat types and variation in obfuscation levels. All samples were obtained in accordance with ethical and legal research standards and were handled exclusively in a controlled and isolated environment to eliminate any risk of unintended propagation or system compromise. This approach ensures both analytical rigor and responsible data management throughout the research process.
After downloading the malicious files, given that they can infect the system they are stored on, the need to secure them was identified. Although they are downloaded as password-protected archives, in some cases the extracted files are detected by the system antivirus and immediately deleted. Therefore, it was necessary to identify methods to download and retain these files safely.
The selected operational approach involved temporarily disabling antivirus protection during the download and extraction, and subsequently re-archiving the obtained files with password protection to ensure controlled handling and integrity of the samples. Since the samples are handled exclusively inside the isolated virtual machines, this exception applies only to the analysis guests, not to the host; comparing each file’s SHA-256 with the repository entry after re-archiving confirms that the retained sample is intact.

3.3. Malware Analysis Tools

In the experiments presented in this paper, the following solutions were used, both integrated into the feature-extraction workflow and compared against one another, to obtain a broader perspective on the behavior and key characteristics of the malicious files under study. Their main functionalities are recalled below:
  • VirusTotal [37]: Provides a detailed report on a file, using a global online database of scan results for analysis.
  • File [38]: Provides a description of the file type, based on its signature (magic number) rather than its extension.
  • Strings [39]: Extracts printable text strings from binary files.
  • Binary Ninja v5.0 [40]: Provides advanced tools for disassembly.
  • PEStudio v9.61 [41]: Allows the examination of PE (Portable Executable) files and their internal structures, such as sections, headers, and imports.
  • YARA v1.0.0 [42]: Allows the creation and application of signature-based rules to identify common malware behaviors and structures.
  • wxHexEditor v0.24 [43]: Allows the viewing and editing of files at the binary/hexadecimal level.
  • Censys or Shodan [44,45]: Online search engines for Internet-exposed hosts and services, used for network-side context.
  • Process Monitor v4.01 [46]: Allows real-time monitoring of system activity (opened files, created processes, and registry modifications) and, in the experiments, was often applied in the detection of viruses, Trojans, spyware, or adware.
  • System Monitor v15.15 [47]: Provides detailed information about system and network events, assisting in uncovering malicious activities, and, in the experiments, was often used in worm detection.
  • Wireshark v4.4.4 [48]: Captures network packets, which facilitates the observation of the network traffic generated by malware, including communication with command-and-control servers, and, in the experiments, was used in the detection of most types of malware.
  • RegShot v2.1.0.17 [49]: Takes a snapshot of the registry before and after the malware runs, in order to observe any significant changes, and, in the experiments, was used in the behavioral analysis of spyware or adware files.
  • Fakenet-NG 3.5 [50]: Emulates network services so that the malware behaves as if it had a connection to Internet resources while all traffic stays inside the sandbox; in the experiments, it was often used to analyze the activity of ransomware.
In summary, these elements define the methodological basis upon which the experimental analysis was performed.
Having outlined the key tools, the analysis proceeded by evaluating the malware samples through both static and dynamic approaches. This parallel examination allowed for a comparative assessment of the methods, highlighting the unique strengths and complementary insights each provides. By integrating findings from both techniques, the study aimed to achieve a more comprehensive understanding of malware behavior and to identify discriminative features that could inform future automated detection systems.

3.4. Static Analysis

Static analysis focused on extracting intrinsic characteristics of files without executing the malware. Each malicious sample underwent preliminary analysis to identify the file type, architecture, and embedded metadata. Further analysis included entropy measurements to detect potential obfuscation or packing, PE header inspection (for Windows executables), and API import extraction to infer possible malicious capabilities. In addition, string analysis was used to identify readable commands and patterns indicative of known malware behaviors.
It was essential that the testing environment be capable of identifying which system resources were affected, which files were modified, and which network endpoints were used for communication with external servers. To achieve that, the following steps were taken into account:
  • Analysis of the interactions of the malicious file with the file system and the registry: during execution, it was important to observe which files were accessed or modified, which registry keys were used to store data, and whether files were created or modified.
  • Network traffic analysis: another key element was the way in which the file tries to establish connections to external servers (C2, Command and Control), in order to download commands or exfiltrate data. The general principle was to capture and evaluate the generated traffic in order to identify unusual patterns, such as connections to unknown IP addresses, the use of unusual protocols or ports, or suspicious exchanges of encrypted data.
  • Memory analysis: another key aspect in identifying malicious files was the modification and manipulation of system memory, whose purpose is to hide malicious behavior and implement evasion techniques.
    This method examines the contents of the RAM of an infected system while the malware is active, giving access to running processes, the data structures in use, regions hidden from the usual system views, and the instructions executed in real time.
Considering all the aspects mentioned, in order to perform a comprehensive analysis, it was necessary to obtain some basic information about the file that may contain malware, such as its size, type, and source. A key concept in this case is the magic number of a file. This is a special sequence of bytes, located at the beginning of a file, that clearly indicates the type or format of that file. This sequence was designed to help operating systems and applications quickly and reliably recognize the nature of the content, without depending on the file extension, which can be changed at will. The magic number serves as a proxy for analyzing the full contents of a file to determine its format, thereby improving performance and reducing the risk of misinterpreting the data.
The next step was to extract important strings from the files in order to identify possible malicious signatures (e.g., IPs, URLs, commands, or encryption keys). One of the most important solutions for identifying malware features was YARA. It was used to create rules that identify specific signatures or behaviors in the analyzed files, and it is employed for the rapid detection of already known malware variants. Another critical aspect of the analysis concerned the communication mechanisms employed by the malicious files to interact with command-and-control (C2) servers and retrieve additional instructions. Therefore, it was crucial to identify these communication methods as promptly as possible to ensure effective isolation.
A large number of malware files that were downloaded were protected or “compressed” using special encryption techniques to prevent their analysis. Some of these types of encryption are achieved through simple methods (a logical operation), through symmetric (DES—Data Encryption Standard, AES—Advanced Encryption Standard) or asymmetric (RSA—Rivest–Shamir–Adleman cryptosystem) encryption algorithms, through compression combined with base64 encoding, through methods of hiding malicious code in seemingly legitimate files (photos, document files, etc.), or through password-protected archives.
To gain a more comprehensive understanding of the analyzed files, it was necessary to execute them within an isolated environment that closely simulated real system conditions. Accordingly, the execution of each malicious sample was monitored in detail to observe its functional behavior. Although such actions could have severe consequences in a production environment, all experiments conducted in this study were performed within a fully isolated setup equipped with simulated internet resources.

3.5. Dynamic Analysis

Conducting dynamic analysis on files with embedded intrusions was essential to observe and comprehend their operational behavior under controlled execution conditions. This analysis facilitated the identification of concealed activities, including communication with command-and-control servers, unauthorized modifications to files or registries, and the execution of hidden malicious processes. The steps required to perform this type of analysis were:
  • Configuring the test environment—The first step for dynamic analysis was to create a secure and isolated environment (completely independent of the functional infrastructure), where the execution of the malicious file can be carried out, without compromising other related systems.
    This test environment can be achieved both by effectively implementing a sandbox environment (automated platform for malware analysis), and by creating it in a virtual environment isolated from the remainder of the network infrastructure.
  • Monitoring the execution—The next essential step consisted of the actual execution of the malicious file, allowing for close monitoring of its behavior. It was crucial that the test environment be capable of providing relevant information regarding which system resources are affected, which files are modified, and which network characteristics were utilized for communication with external servers.
  • Analysis of computing resources—Another key aspect in identifying malicious files was given by the modifications and manipulations of the system’s memory and processes. The goal of these operations was to hide malicious behavior and utilize evasion techniques. This method involved examining the contents of the RAM of an infected system while the malware was still active. This methodology provides real-time access to active processes, the data structures in use, hidden or unexposed parts of the system, and the instructions being carried out.
To perform this type of analysis, it was necessary to establish a concrete way of working, which can lead to relevant results. To establish a reference point for analysis, RegShot was used to record an initial snapshot of both the file system and the registry before any malicious files were downloaded, ensuring that subsequent changes could be accurately monitored. Subsequently, the malicious files were downloaded, and the antivirus response was observed to determine whether the files were flagged as suspicious or allowed to execute undetected.
Another critical step involves executing the malicious file while monitoring tools such as FakeNet, Wireshark, Process Monitor, and System Monitor are active, capturing and recording its behavior in real time.
In order to prevent disruption of the test environment, the dynamic analysis was stopped after an interval of 5–10 min. A second RegShot snapshot of the data, registry, and memory resources was then taken after the infection, and all modifications caused by the malicious file were examined.

3.6. Experimental Setup and System Configuration

The test environment in which the analysis was conducted possesses the following characteristics:
  • Device Name: DESKTOP;
  • Processor: Intel(R) Core (TM) i5-8265U CPU—Central Processing Unit @ 1.60 GHz 1.80 GHz;
  • RAM Memory: 16.0 GB (15.9 GB usable);
  • System Type: 64-bit operating system, x64-based processor;
  • Operating System: Windows.
The experimental setup involved configuring a virtual machine using Hyper-V, the built-in virtualization environment in Windows. The key characteristics of this virtual machine are:
  • Device Name: Tests;
  • Processor: Intel(R) Core (TM) i5-8265U CPU—Central Processing Unit @ 1.60 GHz 1.80 GHz;
  • RAM Memory: 8.0 GB (7.9 GB usable);
  • System Type: 64-bit operating system, x64-based processor;
  • Operating System: Windows and Ubuntu 22.04.
Given that dynamic analysis entails running malicious files, a virtual machine configured with the specified characteristics was employed. Following the execution of each sample, the environment was reverted to a preconfigured secure snapshot, guaranteeing that each experiment was performed independently and that results were not influenced by prior analyses.

3.7. Experimental Metrics and Measurements

In the context of static and dynamic malware analysis, experimental metrics and measurements include any quantifiable indicators that facilitate the evaluation of malware behavior, system impact, or the effectiveness of the analysis techniques.
  • Static Analysis Metrics
    • File characteristics: size, hashes (SHA256), file type, magic number.
    • Entropy values: measure of randomness in the file (can indicate packed or encrypted content).
    • Extracted features: imported/exported functions, API calls, strings, sections, headers.
    • Malware classification features: category, family, or known signatures.
  • Dynamic Analysis Metrics
    • Process behavior: new processes created.
    • File system activity: files created, deleted, or modified.
    • Registry modifications: keys added, modified, or deleted, quantified by the following RegShot counters:
      • KA—Keys Added—A value indicating the number of new registry keys added and their details, established between the two snapshots.
      • KD—Keys Deleted—A value indicating the number of deleted registry keys and their details, established between the two snapshots.
      • VM—Values Modified—A value indicating the number of values present in the registry that have been modified.
      • VA—Values Added—A value indicating the number of new values introduced into a registry key.
      • VD—Values Deleted—A value indicating the number of values present in the registry that have been deleted.
    • Network activity: C2 communications, open ports, DNS queries, IP connections.
    • System calls and API usage: invoked functions, sequence of operations.
    • Execution timing: duration of activity, intervals between actions.
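As an added illustration (not from the paper and not RegShot's own code), the following Python computes the five RegShot-style counters above by diffing two constructed registry snapshots, and flags added or modified values under autorun keys as the kind of persistence indicator the dynamic analysis looks for. The key names, value data, and the convention that values under a newly created or deleted key also count as added or deleted values are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# A snapshot maps each registry key path to its values: {value_name: data}.
Snapshot = Dict[str, Dict[str, str]]


@dataclass
class SnapshotDiff:
    keys_added: List[str] = field(default_factory=list)
    keys_deleted: List[str] = field(default_factory=list)
    values_added: List[str] = field(default_factory=list)
    values_deleted: List[str] = field(default_factory=list)
    values_modified: List[str] = field(default_factory=list)

    def counts(self) -> Dict[str, int]:
        """The five counters listed above: KA, KD, VA, VD, VM."""
        return {
            "KA": len(self.keys_added),
            "KD": len(self.keys_deleted),
            "VA": len(self.values_added),
            "VD": len(self.values_deleted),
            "VM": len(self.values_modified),
        }


def diff_snapshots(before: Snapshot, after: Snapshot) -> SnapshotDiff:
    """Compare two snapshots. Assumed convention: values under a key that was
    created or deleted are counted as added or deleted values as well."""
    diff = SnapshotDiff()
    for key in sorted(set(after) - set(before)):
        diff.keys_added.append(key)
        diff.values_added.extend(f"{key}\\{n}" for n in sorted(after[key]))
    for key in sorted(set(before) - set(after)):
        diff.keys_deleted.append(key)
        diff.values_deleted.extend(f"{key}\\{n}" for n in sorted(before[key]))
    for key in sorted(set(before) & set(after)):
        old, new = before[key], after[key]
        diff.values_added.extend(f"{key}\\{n}" for n in sorted(set(new) - set(old)))
        diff.values_deleted.extend(f"{key}\\{n}" for n in sorted(set(old) - set(new)))
        diff.values_modified.extend(
            f"{key}\\{n}" for n in sorted(set(old) & set(new)) if old[n] != new[n]
        )
    return diff


# Keys whose values are launched at logon; a value added or changed here is a
# classic persistence mechanism and deserves a closer look after execution.
AUTORUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")


def persistence_indicators(diff: SnapshotDiff) -> List[str]:
    """Return added or modified value paths that live under an autorun key."""
    hits = []
    for path in diff.values_added + diff.values_modified:
        key = path.rsplit("\\", 1)[0].lower()
        if key.endswith(AUTORUN_KEY_SUFFIXES):
            hits.append(path)
    return hits


# Constructed snapshots with hypothetical key names and data (not from the paper).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
EXPLORER_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer"
BEFORE: Snapshot = {
    RUN_KEY: {"OneDrive": r"C:\Users\test\OneDrive.exe /background"},
    EXPLORER_KEY: {"ShellState": "0x24000000"},
    r"HKCU\Software\TempTool": {"Installed": "1"},
}
AFTER: Snapshot = {
    RUN_KEY: {
        "OneDrive": r"C:\Users\test\OneDrive.exe /background",
        "Updater": r"C:\Users\test\AppData\Roaming\svc.exe",  # new autorun entry
    },
    EXPLORER_KEY: {"ShellState": "0x24000001"},  # existing value changed
    r"HKLM\SOFTWARE\HypotheticalAgent": {"Id": "a1b2", "Server": "203.0.113.10"},  # new key
    # HKCU\Software\TempTool was removed entirely
}


if __name__ == "__main__":
    result = diff_snapshots(BEFORE, AFTER)
    print(result.counts())
    print("persistence:", persistence_indicators(result))
```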

4. Implementation and Results

This section describes the implementation of the experimental setup and presents the results obtained from the analysis of the selected malware samples. The implementation details cover the configuration of the virtual environment, monitoring tools, and procedures utilized for both static and dynamic analyses.
The results are organized to highlight the key characteristics and behaviors observed during the experiments. Static analysis reveals intrinsic file properties, such as file structure, entropy, and extracted features, while dynamic analysis captures runtime behavior, including system modifications, process activity, and network communications.
A comparative evaluation across both approaches provides a comprehensive understanding of the malware samples and supports insights for automated detection and classification.

4.1. Static Analysis

Examining the S1 file (Figure 2) reveals that, upon unzipping, it masquerades as a regular PDF document. This method allows the actual file to obscure its true nature, thereby deceiving the user and prompting them to execute it. If the file appeared only as a regular file and kept its SHA256 as its name, the user could become suspicious and could easily characterize it as unusual and potentially malicious.
However, using the wxHexEditor solution (Figure 3), it is observed that the file has a magic number specific to executable files (4D 5A → EXE (Windows PE)). Had the file indeed been a PDF, its magic number would have been 25 50 44 46. It is therefore concluded that the examined file does not conform to the PDF format and is an executable, an aspect that already raises suspicion.
Another important tool employed was PEStudio, and the corresponding results are summarized in Figure 4. The first parameter analyzed by this tool is the cryptographic hash of the file. This string of seemingly random characters is a unique identifier for the malicious file, which enables its identification in various malware databases. Using this hash, similar files can be correlated and grouped into malware families.
The analysis performed using this solution identifies an entropy value of 7.86, which may suggest malicious content.
The entropy values of a file are as follows:
  • Low entropy ∈ [0, 4) → characterizes a text file or a file containing repetitive data.
  • Medium entropy ∈ [4, 6.5) → characterizes a regular executable file.
  • High entropy ∈ [6.5, 8) → characterizes an encrypted or compressed file.
In the analyzed example, a genuine PDF file would be expected to have an entropy in the range [4, 7), since it can contain both text and compressed image data. The measured value of 7.86, however, is suspicious because it is close to the maximum possible value of 8, which clearly indicates encrypted content or a hidden payload.
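The magic-number check from Section 3.4 and the entropy bands above, as an added Python example that is not part of the paper: it identifies a file's real format from its leading bytes, compares that with the claimed extension, and classifies its Shannon entropy. The magic-number table, the expected-extension mapping, and the sample bytes (a PE header on random data named like a PDF, beside a plain PDF) are constructed for illustration.

```python
import math
import os
import random
from collections import Counter
from typing import Dict, List

# Leading byte sequences (magic numbers) and the format they identify.
# The first two are the ones discussed in the text; the rest are common extras.
MAGIC_NUMBERS = {
    b"MZ": "EXE (Windows PE)",      # 4D 5A
    b"%PDF": "PDF",                 # 25 50 44 46
    b"PK\x03\x04": "ZIP archive",   # also used by DOCX, JAR, APK
    b"\x7fELF": "ELF executable",
}

# Extensions a user would expect for each real format (assumed mapping).
EXPECTED_EXTENSION = {
    "EXE (Windows PE)": {".exe", ".dll", ".scr"},
    "PDF": {".pdf"},
    "ZIP archive": {".zip", ".docx", ".jar"},
}


def identify_by_magic(data: bytes) -> str:
    """Return the format implied by the file's first bytes, ignoring its extension."""
    for magic, fmt in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return fmt
    return "unknown"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, between 0.0 and 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h: float) -> str:
    """Bands from the text: [0, 4) low, [4, 6.5) medium, [6.5, 8] high."""
    if h < 4.0:
        return "low"
    if h < 6.5:
        return "medium"
    return "high"


def assess(filename: str, data: bytes) -> Dict[str, object]:
    """Combine the magic-number check and the entropy band into a short verdict."""
    real_format = identify_by_magic(data)
    claimed_ext = os.path.splitext(filename)[1].lower()
    expected = EXPECTED_EXTENSION.get(real_format)
    h = shannon_entropy(data)
    band = entropy_band(h)
    flags: List[str] = []
    if expected is not None and claimed_ext not in expected:
        flags.append(f"extension '{claimed_ext or '(none)'}' does not match {real_format}")
    if band == "high":
        flags.append(f"entropy {h:.2f} is high: packed or encrypted content likely")
    return {"real_format": real_format, "entropy": round(h, 2), "band": band, "flags": flags}


def build_samples() -> Dict[str, bytes]:
    """Constructed inputs: a PE header on random bytes named like a PDF, and a plain PDF."""
    rng = random.Random(42)  # fixed seed so the result is reproducible
    packed_body = bytes(rng.randrange(256) for _ in range(4096))
    fake_pdf = b"MZ" + packed_body  # executable masquerading as a PDF
    real_pdf = b"%PDF-1.4\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50
    return {"report.pdf": fake_pdf, "invoice.pdf": real_pdf}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, assess(name, blob))
```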
An additional important attribute provided by the tool concerns the classification of the file type. Through this parameter, even if a file claims another format (in our case, the file appears to be a PDF), its real type becomes visible. This parameter is among the most widely used in automatic classification methods.
The Description field is particularly susceptible to falsification, since it defines how the file appears to the user and can be crafted to prompt the user into executing the malicious program.
The last parameter, Original-File-Name, denotes the true name assigned to the file. When the Description field indicates one file type while the Original-File-Name corresponds to a different type, this discrepancy serves as a clear indicator of potentially malicious behavior. The complete analysis, within this stage, for all files considered in Table 2, can be found in Table 3.
Another important step is to extract key information from the file. These include details about various IPs, URLs, or other types of known strings. One of the most important solutions that can be used for this purpose is VirusTotal. Preliminary conclusions can be drawn from static analysis experiments based on the information provided by this tool.
The first important aspect is the fact that VirusTotal indicates whether the searched file (based on SHA256, most of the time) has been analyzed previously and whether, following these analyses, it was declared malicious or not. This fact leads to a huge saving of time and resources, because the tool is online, free, and accessible from most devices connected to the internet. In the case of the analyzed example, from Figure 5, the file is considered malicious by 54 security solution providers out of 72 possible. However, this information is not the only one provided by VirusTotal.
Another important category is information on digital signatures and on the library imports or exports that the file (whether declared malicious or not) may have. The exports and imports are important because they support conclusions about how the malicious file operates. In this way, additional functions or even hidden functionalities (such as file placement) can be identified. In addition, the analysis of the network area is extremely important at this stage, as it can indicate key aspects of the file: through it, one can determine whether a malicious file attempts to communicate with the external environment in order to exfiltrate data or retrieve commands from external command-and-control servers. This information can be easily obtained through VirusTotal, as also indicated in Figure 5.
Other essential solutions in the experiments carried out in this work were the Censys and Shodan search engines. Through them, the characteristics of the file in the network area were analyzed in order to identify key aspects given by its links, which were also corroborated with the information provided by VirusTotal. The analysis from VirusTotal is extended using Censys and Shodan to include additional key information, such as services, open ports, and digital certificates.
Considering the aspects visualized in Figure 5, the presence of a domain and several different IPs with which the malicious file tries to communicate is observed. In order to identify whether this file is indeed malicious, it is imperative to identify some details regarding these connections. Thus, from Censys it is identified that the first IP analyzed indicates the presence of an HTTP service whose page is not available and a location in the state of Washington.
Using the same testing methods, a similar analysis was performed on the myrayban.ddns.net domain and on the IP, identified by VirusTotal as potentially malicious, 45.66.230.90. However, this time, the results provided by the two search engines were incomplete, considering that the information sought did not exist. Consequently, reliance only on Censys and Shodan would lead to the conclusion that the file is legitimate, underscoring the limitations of those sources in isolation.
Nevertheless, uncertainties persisted concerning the third IP address, prompting a renewed investigation through VirusTotal and Censys. Accordingly, the investigation of this IP address was conducted using the platform that had initially flagged it as malicious. The results show that only two out of ninety-four security providers classified it as malicious. In such cases, where detection rates are minimal, the alerts are likely false positives generated by certain security engines.
The next step was to search for this IP on the ping.eu website. Following this search, the IP considered suspicious was identified as belonging to the class of IPs assigned to DE-CENTHOST (Figure 6). Following a search in the public resources area, it was identified that centHost is an online Web hosting service provider that offers domains or IPs on a temporary lease basis. Therefore, with a high degree of certainty, the services declared malicious were performed using, for a limited period, one of the datacenter IPs of this provider, after which the service was closed.
Another important aspect to mention in the static analysis would be the fact that, considering various signatures, the analyzed file can be classified into various malware families. This aspect cannot be indicated only through VirusTotal.
However, if other analyses of the file are included (with related tools, as presented in the example in this section), useful conclusions can be drawn about its malicious nature, and even code fragments shared with other files can be identified, an essential prerequisite for analysis methods based on machine learning.
In the example considered, the essential steps of a static analysis at the network level were followed, in order to identify as comprehensive a range of details and aspects related to the initial information as possible. Thus, a search of the VirusTotal database of the file hash was performed. The information found led to network aspects that required additional clarification.
After analyzing several IPs, it was found that one of them, which was considered malicious by the VirusTotal database, is an IP from the public datacenter area associated with an online service provider. Given that this provider offers temporary rental services of public IPs, it was found that the potential attacker used these resources to create various attacks and even the basis for the malicious PDF file, from which the investigation had commenced.
The analysis performed on all other files was carried out in a similar way, in order to have clearer conclusions on the files and the influences they may have within a communications system. The results of it can be found in Table 4.
Another important feature that should be analyzed consists of imported libraries. This aspect provides clues about the general functionality of a malicious file. Examples of imported libraries, within the chosen example, include wsock32.dll, URLMON.DLL, netapi32.dll, WS2_32.DLL, and SHFolder.dll. These indicate various network level connections, communications with command-and-control servers, or file placement and information exfiltration.
Therefore, the expectations based on the analysis are that files that have network activity should indicate functions such as connect or send, those that request access to files or want data exfiltration should include functions such as CreateFile, those that open various additional connections should include functions such as ShellExecute, and those that need to work with RAM memory (for code injections) should include functions such as VirtualAlloc. The data from this analysis can be found also in Table 4.
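An added Python example (not the paper's code) that combines the string extraction from Section 3.4 with the import-name expectations above: it pulls printable ASCII and UTF-16LE strings from a constructed byte blob, flags IPs and URLs, and maps recognized library and API names to the capability they suggest. The capability table, the constructed blob, the documentation-range IP 203.0.113.45 and the reserved .invalid domain are all assumptions made for illustration.

```python
import re
from typing import Dict, List, Optional


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters,
    which is what the `strings` step of the static analysis produces."""
    ascii_runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [m.group().decode("ascii") for m in ascii_runs]
    found += [m.group().decode("utf-16-le") for m in wide_runs]
    return found


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)

# Import names and the capability they suggest, following the expectations in
# the text (connect/send -> network, CreateFile -> files, ShellExecute ->
# launching programs, VirtualAlloc -> memory work). Assumed, illustrative table.
API_CAPABILITIES = {
    "connect": "network", "send": "network", "recv": "network",
    "InternetOpenUrl": "network", "URLDownloadToFile": "network",
    "CreateFile": "file system", "WriteFile": "file system",
    "ShellExecute": "execution", "CreateProcess": "execution",
    "VirtualAlloc": "memory", "WriteProcessMemory": "memory",
    "CreateRemoteThread": "memory",
}
LIBRARY_HINTS = {
    "wsock32.dll": "legacy Winsock networking",
    "ws2_32.dll": "Winsock networking",
    "urlmon.dll": "URL download helpers",
    "netapi32.dll": "network management and share enumeration",
    "shfolder.dll": "shell folder lookup (file placement)",
}


def canonical_api(name: str) -> Optional[str]:
    """Map CreateFileW/ShellExecuteA-style names to their base entry."""
    if name in API_CAPABILITIES:
        return name
    if name[-1:] in ("A", "W") and name[:-1] in API_CAPABILITIES:
        return name[:-1]
    return None


def valid_ipv4(text: str) -> bool:
    # Version strings such as 1.2.3.4 also pass; treat hits as leads, not proof.
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def triage(data: bytes) -> Dict[str, object]:
    """Extract strings and group the interesting ones into an analyst's summary."""
    ips: List[str] = []
    urls: List[str] = []
    libraries: Dict[str, str] = {}
    apis: Dict[str, str] = {}
    for s in extract_strings(data):
        for ip in IPV4_RE.findall(s):
            if valid_ipv4(ip) and ip not in ips:
                ips.append(ip)
        for url in URL_RE.findall(s):
            if url not in urls:
                urls.append(url)
        if s.lower() in LIBRARY_HINTS:
            libraries[s.lower()] = LIBRARY_HINTS[s.lower()]
        api = canonical_api(s)
        if api is not None:
            apis[api] = API_CAPABILITIES[api]
    return {"ips": ips, "urls": urls, "libraries": libraries, "apis": apis,
            "capabilities": sorted(set(apis.values()))}


def build_sample() -> bytes:
    """Constructed blob imitating fragments of an import table and a data section."""
    wide = b"\x00\x00" + "ShellExecuteW".encode("utf-16-le") + b"\x00\x00"
    return b"".join([
        b"\x90\x90\x01\x02",  # binary filler
        b"wsock32.dll\x00", b"\x01\x00connect\x00", b"\x02\x00send\x00",
        b"URLMON.DLL\x00", b"\x03\x00URLDownloadToFileA\x00",
        b"KERNEL32.dll\x00", b"\x04\x00CreateFileW\x00", b"\x05\x00VirtualAlloc\x00",
        wide,
        b"http://updates.example.invalid/gate.php\x00",  # reserved .invalid TLD
        b"203.0.113.45\x00",  # TEST-NET-3 documentation range
    ])


if __name__ == "__main__":
    for section, items in triage(build_sample()).items():
        print(f"{section}: {items}")
```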

4.2. Preliminary Insights of Static Analysis Data

Taking into account the data from Table 2 and Table 3, if the first category of files, adware files, is considered, it can be concluded that, although they have different operating characteristics, they also have common aspects. In the analyzed examples, four out of five files exhibited suspicious code sections and evidence of file and memory manipulation, along with the creation or modification of system processes. This behavior is somewhat unexpected, given that the primary function of adware is typically to display advertisements. However, beyond its apparent simplicity, adware interacts with the file system to maintain persistence and perform updates, requiring memory access for executing additional code injections. A less common part of the behavior of these files is the fact that the activity in the network area, which would involve collecting user data and transmitting system information, is present in only one of the cases. This aspect is encountered especially if the execution is carried out locally, without the need for internet access, or to avoid detection by antivirus software.
For files classified under the backdoor category, the observed activity provides minimal data of analytical value or usefulness for comparative assessment. This is because backdoor files are usually encrypted shells that are activated only upon execution.
Other categories for which static analysis proved less effective are keyloggers and RATs (Remote Access Trojans), because they implement encryption techniques and functions that appear legitimate in order to hide their true malicious intent. Consequently, during static analysis these files revealed little information from which their underlying characteristics could be recognized and classified; even antivirus programs treated them as legitimate files.
For files containing malware, the static analysis performed on files M1-M5 indicates information about suspicious sections or interacting with system memory, but, most of the time, their real character is also hidden because they do not employ explicit functions to define their behavior; instead, they rely on legitimate functions or sets of legitimate functions (which have the same result). Similarly, as with the backdoor category, they may have inactive functions, which reveal their true behavior only during execution.
For the ransomware part, the static analysis performed is relevant in determining the real behavior of the malicious sample because all the analyzed files involve the creation of additional processes in system memory. In addition, most of the samples utilized in the analysis exhibited behaviors related to file or memory resource modifications and the presence of APIs for encrypting the collected information. Based on this information, the true nature of a file of this type can be determined, because the main function of ransomware is to encrypt the identified information with its own key. To enable later decryption, the attacker provides an email address and demands a sum of money from the victim.
The analyzed spyware files have common behaviors related to suspicious sections, working with files, creating processes, and modifying the registry. The reasons behind these characteristics lie in the fact that this type of software wants to remain undetected and to avoid writing information to memory, which ensures undetected exfiltration of information. Thus, after execution, the file communicates directly with an external command and control server, to which it provides key information, without being detected by antivirus programs.
From the last category, Trojan-type files often create new processes and perform file operations. They also exhibit high entropy in their sections or unusual behaviors related to them. In fact, these are the most typical operations performed by this type of file. Notably, the antivirus identified all samples selected in this category as malicious.
Although static analysis was able to provide certain key characteristics on the malicious nature of the analyzed files, for a clearer conclusion on their real behavior, it is furthermore necessary to involve dynamic analysis, which will outline the possibility of evaluating these types of files as accurately as possible.

4.3. Dynamic Analysis

This section presents the results of the dynamic analysis performed on the dataset. Contrary to static analysis, which examines files without execution, dynamic analysis involves monitoring and evaluating the behavior of files in a controlled runtime environment.
This approach allows for the observation of real-time interactions, system modifications, and potential malicious activity that may not be detectable through static methods. The following subsections provide a detailed breakdown of the findings, highlighting key behaviors, anomalies, and any potential security threats identified during execution.
During the dynamic analysis phase, a comprehensive suite of tools was employed to facilitate a thorough characterization of the malware’s behavior and interactions within the system (Figure 7).
Regshot was utilized to capture and compare registry changes before and after the execution of the sample, enabling the identification of any persistent alterations or suspicious modifications to the system registry.
Procmon and Sysmon were deployed to monitor real-time processes and system activity, providing insights into file operations, registry access, and network communications initiated by the malware.
Task Manager was leveraged to observe resource utilization and process behavior, allowing for the detection of any anomalous or malicious processes running in the background.
Additionally, FakeNet was used to simulate a network environment, allowing the monitoring of potential outbound connections or command-and-control traffic, while Wireshark facilitated the capture and analysis of network packets, enabling the identification of malicious data transmissions.
Collectively, these tools provided a multi-faceted view of the malware’s behavior, allowing for a comprehensive analysis of its impact on both the operating system and network infrastructure.
Following an approach similar to Section 4.1, dynamic analysis involves executing a malware sample in a controlled environment to observe its behavior, system interactions, and network activity in real time. For this, the first step is to create an isolated environment and to install the aforementioned tools. Before running the malware, it is necessary to capture a baseline snapshot of the system, including file structures, registry settings, and network configurations.
The next step includes executing the malware sample, observing its behavior as it interacts with the OS, files, and network. For this step, the K5 sample was used and its execution can be found in Figure 8. As observed, the system’s antivirus initially detects and blocks the malicious file. To gain a deeper understanding of the file’s true behavior, the antivirus program was disabled.
The malware was then executed again, and system changes were carefully monitored, focusing on new processes, file creations, registry modifications, and other potential indicators of compromise. Tools such as Procmon and Regshot were employed for this purpose. Additionally, the execution of processes and their resource usage (CPU and memory) were tracked using Task Manager and Procmon, while Wireshark and FakeNet were utilized to monitor any network traffic or communication with external servers.
Following the execution, the post-execution state—including files, registry entries, and network activity—was compared to the baseline to identify any modifications or anomalies. This methodology was consistently applied across all the malicious samples analyzed, ensuring a uniform approach to monitoring and characterizing their behavior. All the data related to the analyzed malware samples is presented in Table 5.

4.4. Preliminary Insights of Dynamic Analysis Data

From dynamic analysis, several assessments can be conducted regarding the malicious behavior of the analyzed files. Thus, with each execution of the files, all system parameters are modified, with every sample inducing changes—whether substantial or minor—in the operating system during each of our experiments.
Taking into account all the data presented in Table 5, it can be concluded that the activity at the network resource level is quite low in most of the cases studied. This aspect contradicts expectations, particularly in the case of adware or spyware, where the primary activity is typically user monitoring and the exfiltration of specific data. For the other categories, they can also function in an ‘offline’ mode, often employing methods to store data locally or, in some cases, utilizing alternative approaches to transmit the encrypted data to the legitimate user (as seen in ransomware).
The values provided by Regshot (changes at the registry level) have a significant impact on the analysis of malware behavior, particularly in identifying changes carried out to the system registry.
These values provide valuable insights into how a malicious file interacts with the system. Thus, one crucial piece of information is about persistence mechanisms used by different types of malware. Trojans, spyware, or ransomware modify registry keys to ensure they persist across system reboots. Another important form of information given by these values is configuration changes (certain malware modify settings or configurations in order to mask their real behaviors—disable security features or bypass settings). Additionally, certain malware may modify firewall configurations or attempt to conceal its presence; however, changes in the registry can often reveal evidence of its execution, even if the file is no longer active.
The area represented by changes at the system level directly impacts the processing or memory resources of the test system, which translates into sudden increases in CPU or memory usage. This can occur both at launch and while the file continues to run, particularly in the case of Trojan-type malware. In the samples examined, most do not cause a significant increase in system resource usage, with the exception of ransomware files, whose impact is primarily attributed to the need to encrypt data.
A final aspect, which is extremely important in the case of a dynamic analysis, is the detection of the malicious file at the antivirus level. This feature is indispensable, especially in cases where the user of a system does not have all the technical information regarding the respective working environment, because early detection by an antivirus resolves several problems before they escalate. In the current case, in which the testing was carried out with simulated network environments, the antivirus system was required to operate with the latest updates in a Windows and Ubuntu 22.04 virtual machine, but in an offline environment. It proved effective in most cases, except for the categories of adware, keylogger, RAT, spyware, and even Trojan. This is due to the encryption method of the code, unknown signatures or, in the case of ransomware files, detection that came too late.
Although these experiments primarily focused on the Windows operating system, an analysis was similarly conducted within the Ubuntu 22.04 operating system.

5. Evaluation and Discussion

The analysis of the selected malware samples, through both static and dynamic techniques, revealed several key findings. Static analysis provided insight into file characteristics such as entropy, imported functions, magic numbers, and file headers, allowing identification of suspicious patterns across malware categories. Dynamic analysis complemented this by exposing runtime behaviors, including system modifications, process creation, memory manipulation, and communication with command-and-control servers.
Five samples were selected from each malware category, rather than a single sample, to ensure that the analysis captures a broader and more representative spectrum of behaviors. These samples are not all from the same malware family, which allows the study to account for intra-category variability and reduces the risk of drawing conclusions based on the characteristics of a single instance. By including multiple, diverse samples, the results better reflect general patterns and trends within each category, strengthening the reliability and validity of both static and dynamic analyses. This approach ensures that the observed features do not pertain to a specific sample, but instead are indicative of the category in general.

5.1. Comparative Analysis of Malware Characteristics

Among the examined files, backdoor samples exhibited minimal observable activity, highlighting their stealth capabilities, whereas adware unexpectedly engaged in file system and memory modifications beyond mere advertisement display. Although static analysis was able to provide certain key characteristics of the malicious nature of the analyzed files, a clearer conclusion on their real behavior likewise required dynamic analysis, which made it possible to evaluate these types of files as accurately as possible.
In the analyzed examples, adware files were identified as malicious through their file type and headers, moderate entropy, and creation or modification of registry keys in order to maintain persistence. What is important and unexpected is that network activity was present in just one sample.
For backdoor files, static analysis revealed the presence of obfuscated code or packing techniques implemented to evade detection, while dynamic analysis indicated activities such as the creation or modification of processes to maintain persistence, along with alterations to the registry and file system.
Files such as keyloggers and Remote Access Trojans (RATs) were not effectively analyzed through static methods as a result of their employment of encryption techniques. However, dynamic analysis proved more informative, revealing network-related processes and the establishment of persistence via registry keys or startup entries.
Files in the malware category exhibited high entropy and suspicious strings that indicate their true behavior. During dynamic analysis, these files were identified by observing modifications to the file system and registry, as well as changes to system configurations.
Ransomware files were identified through static analysis by their creation of memory processes and the presence of APIs utilized for data encryption. During dynamic analysis, these files caused significant damage to the test environment by encrypting all information.
Spyware files contained strings indicative of data collection activities, such as harvesting passwords and browsing history, and employed obfuscation techniques to evade static detection. During dynamic analysis, these files attempted to transmit the collected data over the network and modified files and registry keys to maintain stealth.
Trojan files were identified in static analysis by their disguise as legitimate software and the presence of API imports related to file operations. During dynamic analysis, they were recognized by their modifications to the file system and registry to ensure persistence.

5.2. Key Indicators for Malware Identification

In order to evaluate the effectiveness of malware identification, we focused on a set of key indicators that combine theoretical expectations with practical observations. Static features, such as file entropy and file type consistency, provide insight into whether a sample exhibits characteristics typical of its malware category.
Dynamic behaviors, including antivirus detection, registry modifications, process creation, and network activity, reveal whether the malware executes as expected in a controlled environment. By analyzing these indicators across samples, we can determine which files were correctly identified as malicious and highlight patterns that contribute to reliable detection within each category.
Overall, the comparative analysis between the expected and observed characteristics of the analyzed malware samples highlights both consistencies and deviations from theoretical behavior patterns. While certain categories, such as ransomware and spyware, generally aligned with expectations—showing distinct file manipulations, registry changes, and detectable network activity—others, like adware and RATs, exhibited partial or inconsistent behaviors. These discrepancies may be attributed to evasion techniques, sample obfuscation, or antivirus limitations in dynamic environments.
The results, presented in Table 6, reinforce the necessity of combining static and dynamic indicators, as neither approach alone provides a complete understanding of malware behavior. This multi-perspective evaluation thus contributes to improving the accuracy and reliability of malware classification and detection strategies.
The analysis revealed notable variations in both static and dynamic characteristics among samples belonging to the same malware category. While certain attributes—such as file type, registry modifications, and process creation—were consistently present across all samples, parameters like entropy values, antivirus detection rates, and network activity exhibited measurable differences. These inconsistencies highlight that even within the same category, malware variants often employ distinct evasion techniques or payload delivery mechanisms.

5.3. Independent Indicators: Entropy and Antivirus Detection

To enhance the interpretability of the results and enable clearer pattern recognition across malware categories, graphical representations were incorporated alongside tabular data.
In this study, entropy was selected as a key parameter because it provides a robust static measure of randomness or disorder within a file, which can indicate potential malicious content. Complementarily, antivirus detection outcomes were included as a dynamic parameter, reflecting how security solutions respond to the actual execution of malware in a controlled environment.
Other observed indicators, such as specific process creations, registry modifications, or network communications, were recorded in a binary format (YES/NO) for each sample. These features often vary significantly between individual files within the same malware category, making direct comparative analysis challenging. Including them in a table allows us to capture important behavioral patterns without misrepresenting their variability, while the entropy and antivirus parameters provide consistent quantitative metrics suitable for cross-sample comparison.
The diagram in Figure 9 provides insights into the entropy values of various files, which typically indicate the degree of randomness or complexity within those files.
From these values, it can be concluded that:
  • The files labeled A1, A3, A5, B2, B4, K1, K3, and K5 display relatively high entropy levels, suggesting that these files may be obfuscated or packed. This is typical for malware attempting to evade detection by security tools. The malicious files corresponding to these labels are categorized as adware, backdoor, and keylogger.
    The files labeled B2, B4, K1, K3, and K5 demonstrate high entropy values because keyloggers and backdoor files often utilize obfuscation or packing to avoid detection, aligning with the typical behavior of packed or encrypted files.
    The high entropy values observed in the adware files in the diagram are unusual. This could indicate that some of the adware samples in this dataset may have implemented more sophisticated packing or encryption techniques to avoid detection.
  • Files such as M2, M4, Rt1, Rt2, Rt4, and S1 show moderate entropy values, which might indicate that while they are somewhat complex, they do not exhibit the same level of obfuscation or encryption as the previous category. The malicious files corresponding to these labels are categorized as malware and spyware.
    This aligns with the general behavior of these categories of malware that attempt to avoid detection, either by using obfuscation or packing techniques.
  • Files such as T2, T4, and S5 appear to have lower entropy, suggesting they may be simpler or less obfuscated, which could point to less sophisticated malware. The malicious files corresponding to these labels are categorized as Trojan and spyware.
    Conversely, files in the spyware and Trojan categories tend to have lower entropy, potentially indicating less obfuscation. The moderate entropy of the ransomware files indicates some form of obfuscation, but not necessarily encryption across all samples. Trojans exhibit lower entropy values than other malware categories because they are less obfuscated or packed, relying instead on their "legitimate" appearance to deceive users or antivirus software.
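The entropy banding discussed above, as an added Python example that is not part of the paper's tooling: it computes whole-file Shannon entropy, assigns the high/moderate/low band, adds a sliding-window view that exposes a packed payload hidden behind a low-entropy stub, and reports the per-category mean and variance used for the Figure 9 comparison. The numeric cut-offs and the sample byte strings are assumptions constructed here; the paper compares its entropy values only relative to one another.

```python
"""Shannon entropy as a static indicator: whole-file value, the qualitative
high/moderate/low bands, a sliding-window view that exposes a packed payload
behind a plain stub, and per-category mean/variance as used for Figure 9.
Constructed byte strings stand in for the samples; nothing here is malware."""
import math
import random
from collections import Counter
from statistics import mean, pvariance

# Band cut-offs are an assumption for illustration; the paper compares
# entropy values relative to one another and states no numeric thresholds.
HIGH_ENTROPY = 7.0
LOW_ENTROPY = 5.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h: float) -> str:
    """Map an entropy value to the band used in the discussion above."""
    if h >= HIGH_ENTROPY:
        return "high"
    if h >= LOW_ENTROPY:
        return "moderate"
    return "low"


def windowed_entropy(data: bytes, window: int = 1024, step: int = 512) -> list:
    """Entropy of successive windows. A packed or encrypted payload appended
    to a plain stub shows up as windows near 8.0 even when the whole-file
    value only reaches the moderate band."""
    if len(data) <= window:
        return [shannon_entropy(data)]
    return [shannon_entropy(data[i:i + window])
            for i in range(0, len(data) - window + 1, step)]


def packed_fraction(data: bytes) -> float:
    """Fraction of windows at or above the high-entropy cut-off."""
    windows = windowed_entropy(data)
    return sum(1 for h in windows if h >= HIGH_ENTROPY) / len(windows)


def category_of(label: str) -> str:
    """'A1' -> 'A', 'Rt4' -> 'Rt': strip the trailing sample index."""
    return label.rstrip("0123456789")


def category_stats(entropies: dict) -> dict:
    """Per-category mean and population variance of whole-file entropy,
    the basic statistical comparison applied to the Figure 9 values."""
    groups = {}
    for label, h in entropies.items():
        groups.setdefault(category_of(label), []).append(h)
    return {cat: {"n": len(v), "mean": mean(v), "variance": pvariance(v)}
            for cat, v in groups.items()}


def classify_samples(samples: dict) -> dict:
    """Whole-file entropy, band and packed-window fraction per label."""
    out = {}
    for label, data in samples.items():
        h = shannon_entropy(data)
        out[label] = {"entropy": round(h, 3), "band": entropy_band(h),
                      "packed_fraction": round(packed_fraction(data), 2)}
    return out


# ---- constructed stand-ins for sample files (seeded, so results repeat) ----
_rng = random.Random(2025)
PLAIN_STUB = b"This program cannot be run in DOS mode.\r\n" * 100  # about 4.2 bits/byte
RANDOM_PAYLOAD = bytes(_rng.getrandbits(8) for _ in range(4096))  # close to 8 bits/byte
REDUCED_ALPHABET = bytes(_rng.getrandbits(6) for _ in range(4096))  # close to 6 bits/byte
STUB_PLUS_PACKED = PLAIN_STUB + RANDOM_PAYLOAD[:2048]  # low-entropy stub, packed tail

SAMPLES = {
    "A1": RANDOM_PAYLOAD, "A3": STUB_PLUS_PACKED,
    "M2": REDUCED_ALPHABET, "M4": REDUCED_ALPHABET[:3000],
    "T2": PLAIN_STUB, "T4": PLAIN_STUB,
}

if __name__ == "__main__":
    rows = classify_samples(SAMPLES)
    for label, row in rows.items():
        print(label, row)
    for cat, st in category_stats({k: r["entropy"] for k, r in rows.items()}).items():
        print(cat, st)
```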
The diagram in Figure 10 shows the antivirus detection results for the malicious files. From these values, it can be concluded that:
  • Almost all files were detected by the antivirus effectively.
  • The antivirus detected the analyzed files regardless of their type.
  • The non-detected files are spread across various malware categories (adware, keyloggers, ransomware, Trojans). This indicates that the antivirus has some limitations in detecting certain malware types, and there may be specific characteristics of these files that allow them to evade detection.
The fact that multiple malware types went undetected suggests that these samples might be using advanced evasion techniques such as obfuscation, encryption, or other methods designed to bypass antivirus detection. It could also suggest that the antivirus may not be up to date or may have specific weaknesses when dealing with certain malware families. Considering that the experiments were performed in an offline environment, the antivirus could not access online databases to quickly update its own database.
All this information can have a significant implication for dynamic analysis:
  • Since dynamic analysis typically observes runtime activities (such as file system changes, registry modifications, and network communications), undetected malware may continue to operate without being flagged by security tools.
  • Because certain malware samples evade detection, additional monitoring during dynamic analysis may be necessary.
The visualizations from Figure 9 and Figure 10 complement the numerical tables by offering a clearer overview of trends and behavioral distinctions, while basic statistical analysis—such as mean and variance comparisons—was applied to validate the observed patterns. This combined presentation significantly improves the analytical depth of the study and strengthens the robustness of the reported findings.
All these findings demonstrate the value of combining static and dynamic approaches to achieve comprehensive malware characterization and inform future automated detection strategies.

5.4. Response to Research Questions

To strengthen the interpretive value of the findings, this section revisits the research questions initially formulated in Section 1. Each question is addressed in light of the experimental results obtained through the combined static and dynamic analysis. The goal is to assess the extent to which the study objectives have been achieved and to clarify the main insights derived from the observed malware behaviors.
  • Which hybrid features (entropy, API calls, execution traces) most effectively differentiate malware types?
    The analysis revealed that a combination of entropy values (from static analysis) and behavioral indicators, such as API calls and antivirus detection or the way registries and processes were modified (from dynamic analysis), provided the most effective differentiation between malware types. High entropy values were particularly indicative of obfuscated or compressed files (commonly seen in ransomware and Remote Access Trojans), while distinctive API call patterns—such as registry modification, process injection, or network communication—were characteristic of spyware, RATs, and backdoors. When these hybrid features were analyzed together, they provided a clearer distinction between categories than when considered independently.
  • How do static and dynamic indicators correlate across categories?
    The results showed a moderate to strong correlation between certain static and dynamic metrics. For example, samples with high entropy typically exhibited complex execution behavior, including active network connections or process creation (there were exceptions, of course, but this was the general trend). In contrast, files with low entropy and minimal static anomalies tended to exhibit limited or no activity in dynamic execution.
  • How consistent are the static and dynamic characteristics across multiple samples within the same malware category?
    The consistency of features within each malware category varied by family and level of obfuscation. Categories such as ransomware and adware exhibited greater internal consistency (with similar entropy ranges, file types, and dynamic patterns), while RATs and backdoors exhibited greater variability due to their modular structures and attack evasion techniques. Despite these differences, key behavioral traits, such as registry changes and network communication, were observed in nearly all samples within each category, suggesting that certain operational characteristics remain stable identifiers, regardless of implementation differences.

5.5. Validation and Reproducibility

To assess the consistency and reliability of malware detection, VirusTotal was employed as an external validation tool. Each sample included in this study was submitted to VirusTotal to verify detection results across multiple antivirus engines.
The analysis revealed that certain samples were classified differently compared to our categorization: for instance, the adware sample A1 was labeled as a Trojan or backdoor in VirusTotal. Such discrepancies can arise due to several factors, including differences in detection heuristics, signature databases, and the focus areas of individual antivirus engines.
Variations in the operational environment, the presence of polymorphic or obfuscated code, and updates in antivirus definitions over time can also contribute to inconsistent labeling. These findings highlight the importance of cross-validation and careful interpretation when relying on antivirus tools, underscoring the need for reproducible methodologies and the combination of both static and dynamic analysis to achieve robust malware characterization.
It is important to note that malware samples can exhibit diverse behaviors and may be created using different development tools, frameworks, or obfuscation techniques, leading to variations in how they manifest across different environments. These differences can result in inconsistent detection by antivirus engines and divergent classifications in external databases. In this study, the classification of each sample was guided primarily by the MalwareBazaar indexing system, which provides a standardized reference for categorizing malware families. By relying on MalwareBazaar, we ensure a consistent baseline for analysis, while acknowledging that behavioral differences and environment-specific execution may influence dynamic observations and external detection results.
In the results tables, certain behavioral indicators were represented using simple "Yes/No" values. This choice was made because the malware samples exhibited highly variable interactions with the system, and for some features, no consistent or representative value could be identified across all samples within a given category. For example, in the dynamic analysis process, RegShot was utilized to capture registry snapshots before and after malware execution, thereby identifying the specific keys and values that were added, modified, or deleted. After running a malware sample, RegShot's diff output might report dozens of new keys, changes in existing values, or deletion of entries, data that can be structured into a comparison table across different malware samples (e.g., "Keys Added/Keys Modified/Keys Deleted"). Because registry behavior can vary significantly across samples, even those of the same family, such a table aids in quickly visualizing patterns of system modifications, enabling cross-sample comparison in a standardized manner.
Using a binary approach highlighted the presence or absence of specific behaviors without over-interpreting inconsistent or non-comparable data, ensuring clarity while preserving the practical insights derived from both static and dynamic analyses.
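The before/after registry comparison described above, as an added Python example rather than the paper's own RegShot workflow: two constructed snapshots are diffed into the Keys Added/Modified/Deleted counts of the comparison table, and the value-level changes are reduced to the YES/NO indicators for registry modification, autostart persistence and security-setting changes. The snapshot contents, the autostart watch list and the `EnableFirewall` watch list are assumptions made here; the key paths themselves are standard Windows locations.

```python
"""Before/after registry snapshot comparison in the style of RegShot's diff,
reduced to the Keys Added / Keys Modified / Keys Deleted counts and the
YES/NO indicators used in the results tables. Snapshots are constructed
dictionaries {key_path: {value_name: data}}, not captures from a sample."""
from typing import Any, Dict

Snapshot = Dict[str, Dict[str, Any]]

# Autostart locations to flag; an illustrative watch list, not an exhaustive one.
AUTOSTART_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Security-relevant values whose change is worth surfacing (assumed watch list).
SECURITY_VALUES = {"EnableFirewall"}


def diff_snapshots(before: Snapshot, after: Snapshot) -> dict:
    """Compare two snapshots key by key and collect added, deleted and
    modified keys together with the value-level changes behind them."""
    b_keys, a_keys = set(before), set(after)
    diff = {"keys_added": sorted(a_keys - b_keys),
            "keys_deleted": sorted(b_keys - a_keys),
            "keys_modified": [],
            "values_added": [], "values_deleted": [], "values_modified": []}
    for key in sorted(b_keys & a_keys):
        bv, av = before[key], after[key]
        if bv == av:
            continue
        diff["keys_modified"].append(key)
        for name in sorted(set(av) - set(bv)):
            diff["values_added"].append((key, name, av[name]))
        for name in sorted(set(bv) - set(av)):
            diff["values_deleted"].append((key, name, bv[name]))
        for name in sorted(set(bv) & set(av)):
            if bv[name] != av[name]:
                diff["values_modified"].append((key, name, bv[name], av[name]))
    # values living under brand-new or removed keys count as added/deleted too
    for key in diff["keys_added"]:
        diff["values_added"] += [(key, n, d) for n, d in sorted(after[key].items())]
    for key in diff["keys_deleted"]:
        diff["values_deleted"] += [(key, n, d) for n, d in sorted(before[key].items())]
    return diff


def persistence_hits(diff: dict) -> list:
    """Values added or modified under autostart keys: the registry-based
    persistence the paper observed for adware, backdoors, RATs and Trojans."""
    return [(e[0], e[1]) for e in diff["values_added"] + diff["values_modified"]
            if any(s.lower() in e[0].lower() for s in AUTOSTART_SUFFIXES)]


def security_setting_changes(diff: dict) -> list:
    """Modified values from the security watch list, e.g. a firewall switched off."""
    return [e for e in diff["values_modified"] if e[1] in SECURITY_VALUES]


def summarize(diff: dict) -> dict:
    """Row for the cross-sample comparison table, plus the YES/NO indicators."""
    row = {"Keys Added": len(diff["keys_added"]),
           "Keys Modified": len(diff["keys_modified"]),
           "Keys Deleted": len(diff["keys_deleted"]),
           "Values Added": len(diff["values_added"]),
           "Values Modified": len(diff["values_modified"]),
           "Values Deleted": len(diff["values_deleted"])}
    changed = any(row[c] for c in ("Keys Added", "Keys Modified", "Keys Deleted"))
    row["Registry Modified"] = "YES" if changed else "NO"
    row["Autostart Persistence"] = "YES" if persistence_hits(diff) else "NO"
    row["Security Setting Changed"] = "YES" if security_setting_changes(diff) else "NO"
    return row


# ---- constructed snapshots (paths are standard locations, contents are made up) ----
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
FIREWALL = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile")
BEFORE: Snapshot = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {},
    FIREWALL: {"EnableFirewall": 1},
    r"HKCU\Software\ExampleVendor\Settings": {"Theme": "dark"},
}
AFTER: Snapshot = {
    RUN_HKLM: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    RUN_HKCU: {"UpdaterSvc": r"C:\Users\user\AppData\Roaming\updater.exe"},  # new autostart entry
    FIREWALL: {"EnableFirewall": 0},                                         # firewall turned off
    r"HKCU\Software\SampleX": {"install_id": "constructed-value"},           # new key
}

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    for k, v in summarize(d).items():
        print(f"{k:26} {v}")
    print("persistence:", persistence_hits(d))
    print("security:", security_setting_changes(d))
```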

5.6. Comparison with Existing Literature

To gain a more comprehensive understanding of the field and the experimental results obtained, it is essential to conduct a comparative analysis with the existing literature.
Considering [51], it is found that the malware analysis process is similar to the one utilized in this work, including several tools and solutions such as Wireshark, Process Explorer, or IDA Pro. Thus, through them, malware characteristics are extracted and a comparison of the effectiveness of each is performed in order to determine the best method for analyzing malicious files. The files used in the cited work include the Agent Tesla malware family, and the common characteristics are highlighted through a table, which includes the analysis methods and the most important strings and actions performed by the malicious file at the file, process, registry, and network section level of the victim machine.
However, throughout the paper [51], the aim is to visualize the most efficient analysis method, compared to the present paper where static and dynamic analysis are combined for a more robust and comprehensive analysis.
In [52], the emphasis is placed on the sandbox area and dynamic analysis of a malicious file. Thus, the advantages of using a sandbox environment are highlighted, through constant monitoring, at the level of an integrated platform, of aspects such as Process Monitoring, System Monitoring, Disk or Memory Usage, Network Monitoring, etc. Therefore, the focus of the paper is not on the actual analysis of malicious files, but on the presentation of the integrated platform, which includes the monitoring of various processes. In contrast to the present paper, this study directs attention to a more in-depth examination of various characteristics, including antivirus detection, file relocation, and the alterations made by malicious files at the level of system registry keys and values.
More comprehensive experiments are presented in [53], which includes a dynamic analysis based on an approach similar to the present work, using several solutions such as Regshot, Wireshark, Fakenet, etc. The analysis in the cited work is based on crypto-bot files and includes three different files, which are analyzed both statically and dynamically. The conclusions of the work include a comparison between samples from the same family which, as expected, share common features. In addition, the work highlights several prevention and protection measures against similar attacks. However, in contrast to the cited work, the attacks analyzed in this study were significantly more diverse, encompassing a large number of different file types, including those from various malware families. Such an approach is more comprehensive and can lead to a considerably more efficient and more user-friendly database, even within the framework of machine learning methods.
Another important piece of work, which needs to be compared with the results obtained in this work, is [54]. This paper presents several different solutions, through which a static and dynamic analysis of malicious files is performed, similar to the aspects presented in this work. These aspects are integrated through a software code, which includes several characteristics given by the analyzed malware file (njRAT). However, at the level of this research, the specific behaviors of the malware are not recorded, but only the presence or absence of integrated characteristics of the malicious file are tested (if it reveals activity at the network level and if the file performs various functions such as calls to various types of resources). In this work, on the other hand, several executions of RAT-type files are performed, which are analyzed comparatively, in order to identify various common characteristics, an aspect that also integrates the analysis found in the cited work, expanding on it in a more advanced form.
Similarly to our approach, in [4], 40 malware samples are also considered. However, the identified study is limited to the top 10 malware threats between August 2019 and January 2020. In both cases, the sample can be considered small, but it can be considered sufficient for exploring attack documentation and analysis strategies. Other elements common to the two studies include simulated network access and the study of attack patterns and trends. What is different in this work is the advanced way in which these malware samples are analyzed, both through static analysis and through dynamic analysis. Also, the malware samples used in this study are much more up to date, including samples from 2024 and 2025.
In [55], the performance evaluation of some machine learning algorithms for the detection of malicious files is included. In the present work, this aspect is not yet addressed, the focus being the extraction of key features for each category of malware and their common aspects. What is interesting is that the cited work also bases its malware analysis on MalwareBazaar files, and its feature extraction also relies on the features used in this work, such as file type, entropy, API calls, and sections in the PE file. Therefore, that work determines the future-work methods that the present paper will also follow.
In [56], static and dynamic analysis methods are integrated to perform the analysis of a dataset with 5000 samples, which include categories comparable to those used in this present work. These are introduced in a sandbox environment, which includes tools similar to those used in this present work. The problem with this work is given, firstly, by the language barrier and, secondly, by the fact that the experimental data are not specified. The results from the tables in the work include the evaluation of a machine learning model for various machine learning algorithms. Thus, the area of static and dynamic analysis is not conclusively highlighted.
Similarly to [57], this paper utilizes files from MalwareBazaar, which are analyzed dynamically. The dataset used in the cited work is larger than the one used in the current work, but its evaluation is based on machine learning algorithms. However, the labeling of the files is based on VirusTotal, one of the tools also used in this work. The malware file analysis method includes a predefined sandbox, and, in addition, the static analysis of the files is not taken into account. Thus, the current work has the advantage of a complete analysis of the malicious files (hybrid analysis), performed in a test environment that simulates real resources (a virtual machine, not a sandbox). However, the analysis with machine learning methods remains a disadvantage of this paper and will be covered in future work.
Compared to previous studies that focused primarily on either static or dynamic analysis, this work introduces a more integrated and comparative approach by combining both perspectives within a unified experimental framework. Unlike prior research that often relied on homogeneous or family-specific malware datasets, this study employed a diverse collection of samples across multiple categories—ransomware, Trojans, adware, spyware, and backdoors—allowing for a more comprehensive understanding of behavioral variations and detection patterns. The integration of hybrid features, including entropy metrics and runtime process monitoring, demonstrates the added value of correlating static and dynamic indicators to improve threat characterization.
In order to fully cover the important aspects of the paper, it should be highlighted that hybrid features combining static and dynamic analysis provide a robust approach to malware differentiation. In this way, a combination of the value of the entropy and API calls is the most discriminative, allowing malware files to be separated based on both code structure and runtime behavior.
While static analysis offers valuable preliminary indicators, dynamic analysis is essential for capturing runtime behaviors that cannot be predicted through static inspection alone. This distinction is evident in two key examples: Trojan malware with suspicious imports typically results in observable actions during dynamic analysis, such as file modifications, whereas backdoor files often exhibit runtime communication and stealth behaviors that remain undetected through static features. Thus, hybrid analysis provides a complementary approach, ensuring more comprehensive coverage.
Observed behaviors and feature extraction are highly dependent on the analysis environment. Therefore, hybrid analyses must account for sandbox fidelity to prevent false negatives or incomplete capture of malicious behavior. In this study, rather than using a pre-existing sandbox, a controlled environment was developed using virtual machines and various monitoring tools to conduct the analysis.
Hybrid analysis must consider operating system-specific artifacts, as features that are discriminative in Windows may be irrelevant in Linux, and vice versa. Comparative studies emphasize the importance of OS-aware feature extraction to ensure accurate analysis. This aspect will be addressed in greater detail in future work.
Finally, the results directly address the research questions by identifying discriminative features for malware classification, revealing gaps in existing detection methods, and proposing pathways for improving both analytical approaches and cybersecurity practices. Specifically, this study highlights the principal static and dynamic features of malware that can inform the design of more robust automated anomaly detection systems, conduct a comparative analysis of malware behaviors across different families and operating systems, and assess the effectiveness of feature-based detection in realistic testing environments. This evaluation highlights both practical challenges and opportunities for enhancing security monitoring.

5.7. Countermeasures

To mitigate the threats posed by the malware types analyzed, several countermeasures can be recommended. At the system level, implementing up-to-date antivirus and endpoint protection solutions, along with regular signature- and behavior-based updates, can help detect and block known and emerging threats. In parallel, network-level defenses, including firewalls, intrusion detection systems, and traffic monitoring, are essential for identifying suspicious communications, especially from backdoors and RATs.
In addition, enforcing strict access controls, timely patching of software vulnerabilities, and using sandbox environments for suspicious files can reduce the risk of successful infections.
From an operational perspective, user training, especially regarding phishing and social engineering tactics, remains a vital preventative measure. This paper did not include the methods by which malicious files were introduced into the victim hosts, but phishing can be considered one of them.
Finally, the integration of static and dynamic analysis techniques for continuous monitoring and automatic feature extraction can improve early detection and the overall resilience of IT infrastructures against evolving malware threats. Moreover, if the network is more complex, the existence of systems such as Intrusion Detection System, Intrusion Prevention System, or Security Information and Event Management System is also recommended.
All these measures can lead to avoiding infection with malicious files and to a more efficient security environment.

6. Conclusions

In this work, a comparative study was conducted on the characteristics of some malicious files, using various software solutions and test environments, which led to several significant findings.
First is that malicious files can adapt to the operating environment, often having, even from the initial code, characteristics specific to each operating system in order to ensure their persistence within the system while employing various methods to conceal their presence and their real characteristics.
Second is that, although some malicious files are easily detectable by the antivirus system, within each operating system, in some cases, their detection is ineffective or is performed too late (in the case of ransomware), thus creating the possibility of information exfiltration.
Third is that, although each type of analysis has its advantages, for a correct and coherent conclusion on a malicious file, it is necessary to perform both types of experiments, the characteristics complementing each other.
This study presented a comparative framework for analyzing malware using both static and dynamic methodologies, focusing on the identification of discriminative features that can enhance automated detection systems. By examining multiple samples from distinct malware categories—such as adware, backdoor, Trojan, spyware, RAT, and ransomware—the research highlighted that no single analytical technique can provide complete insight into malicious behavior.
Static analysis is much faster and eliminates the risk of contamination of the working environment. At the same time, static analysis is often able to reveal indicators of compromise that remain invisible during execution, especially when the malicious file is activated only under certain conditions or after a period. Therefore, this approach is extremely valuable in the preliminary sorting and classification phases.
Dynamic analysis brings a practical and contextualized perspective on the behavior of a malicious file in its execution environment. The main advantage lies in the possibility of observing the real actions of the code: network connections, registry changes, newly created processes, etc.
The results indicate that hybrid features—particularly entropy, API calls, and execution traces—are the most effective indicators for distinguishing between malware types. Furthermore, the study demonstrated that environmental realism plays a critical role in the reliability of behavioral observation, as malware may adapt or evade poorly configured sandboxes. By analyzing five distinct samples per category, the research captured intra-category diversity, providing a more accurate representation of how malware behaves in real-world conditions.
The contributions of this paper can be summarized as follows:
  • Several discriminative static and dynamic features of malware were identified, which can inform the development of more robust automated anomaly detection systems.
  • A comparative analysis of malware behaviors across different families and operating systems was conducted.
  • The effectiveness of feature-driven detection was examined in controlled yet realistic environments, revealing practical constraints and directions for strengthening security surveillance mechanisms.
The findings suggest that future work should focus on improving the accuracy and coverage of malware detection systems: developing more effective feature extraction techniques, refining dynamic analysis methodologies, and incorporating real-time monitoring to capture and analyze complex malware behaviors. Improving detection across different operating systems and environments will also be essential for a comprehensive defense against an evolving threat landscape.
Future work will also turn these findings into practical, automated detection systems. Specifically, the static and dynamic features extracted during the experiments (entropy values, API call sequences, registry modifications, and network communication patterns) will be integrated into machine learning models for malware classification and anomaly detection, so that different algorithms can be evaluated for the best balance between detection accuracy and computational cost.
Ultimately, the findings contribute to the ongoing advancement of malware forensics and provide a foundation for building more robust, adaptive, and automated cybersecurity defense mechanisms.

Author Contributions

Conceptualization, M.-M.A., A.V. and C.B.; methodology, M.-M.A., A.V. and C.B.; software, M.-M.A.; validation, M.-M.A.; formal analysis, M.-M.A.; investigation, M.-M.A.; resources, M.-M.A., A.V. and C.B.; data curation, M.-M.A.; writing—original draft preparation, M.-M.A.; writing—review and editing, A.V. and C.B.; visualization, M.-M.A., A.V. and C.B.; supervision, C.B.; project administration, M.-M.A., A.V. and C.B. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Data Availability Statement

Data are available upon request.

Conflicts of Interest

The authors declare no conflicts of interest.

Abbreviations

The following abbreviations are used in this manuscript:
AI: Artificial Intelligence
APT: Advanced Persistent Threats
CPU: Central Processing Unit
EXE: Executable file
HTTP: Hypertext Transfer Protocol
IP: Internet Protocol
OS: Operating System
PDF: Portable Document Format
RAM: Random-Access Memory
SHA: Secure Hash Algorithm
URL: Uniform Resource Locator

References

  1. Ebert, N.; Schaltegger, T.; Ambuehl, B.; Geppert, T.; Trammell, A.; Knieps, M.; Zimmermann, V. Learning from safety science: Designing incident reporting systems in cybersecurity. J. Cybersecur. 2025, 11, tyaf019. [Google Scholar] [CrossRef]
  2. Osburn, L.D. Telling stories about vendors: Narrative practices to negotiate risk and establish an organizational cybersecurity culture. J. Cybersecur. 2025, 11, tyae030. [Google Scholar] [CrossRef]
  3. Kazi, M.A. Detecting Malware C&C Communication Traffic Using Artificial Intelligence Techniques. J. Cybersecur. Priv. 2025, 5, 4. [Google Scholar] [CrossRef]
  4. Mills, A.; Legg, P. Investigating Anti-Evasion Malware Triggers Using Automated Sandbox Reconfiguration Techniques. J. Cybersecur. Priv. 2021, 1, 19–39. [Google Scholar] [CrossRef]
  5. Bakdash, J.Z.; Hutchinson, S.; Zaroukian, E.G.; Marusich, L.R.; Thirumuruganathan, S.; Sample, C.; Hoffman, B.; Das, G. Malware in the future? Forecasting of analyst detection of cyber events. J. Cybersecur. 2018, 4, tyy007. [Google Scholar] [CrossRef]
  6. Almarri, S.; Bodokhi, A.; Frikha, M. A Review of the Recent Trends in Mobile Malware Evolution, Detection, and Analysis. IEEE Access 2025, 13, 108415–108445. [Google Scholar] [CrossRef]
  7. Chandran, S.; Syam, S.R.; Sankaran, S.; Pandey, T.; Achuthan, K. From Static to AI-Driven Detection: A Comprehensive Review of Obfuscated Malware Techniques. IEEE Access 2025, 13, 74335–74358. [Google Scholar] [CrossRef]
  8. Malik, B.; Khalid, J.; Arif, H.; Sadiqa, A.; Tanveer, A.; Mumtaz, A.; Afzal, Z.; Azhar, S. Comparing Hybrid Tool for Static and Dynamic Object-Oriented Metrics. Int. J. Adv. Comput. Sci. Appl. (IJACSA) 2019, 10, 68. [Google Scholar] [CrossRef]
  9. Panda, B.; Bisoyi, S.; Panigrahy, S. Behavioural Analysis of Malware by Selecting Influential API Through TF-IDF API Embeddings. Int. J. Adv. Comput. Sci. Appl. 2025, 16, 75. [Google Scholar] [CrossRef]
  10. Çatak, F.O. Mal-API-2019. Mendeley Data V2; Elsevier: Amsterdam, The Netherlands, 2019. [Google Scholar] [CrossRef]
  11. Pandian, A.P.; Anakath, A.S.; Kannadasan, R.; Ravikumar, K.; Abdul Kareem, D. Forensic Investigation of Malicious Activities in Digital Environments. In Proceedings of the 2024 4th International Conference on Data Engineering and Communication Systems (ICDECS), Bangalore, India, 22–23 March 2024; pp. 1–5. [Google Scholar] [CrossRef]
  12. Siva Surya, R.; Varuneshan, R.; Heltin Genitha, C. Designing a Static Malware Analysis Framework for Detecting Malicious Malware Code with Ghidra. In Proceedings of the 2025 3rd International Conference on Self Sustainable Artificial Intelligence Systems (ICSSAS), Erode, India, 11–13 June 2025; pp. 1696–1701. [Google Scholar] [CrossRef]
  13. Parkinson, S.; Khan, S.; Bray, J.; Shreef, D. Creeper: A tool for detecting permission creep in file system access controls. Cybersecurity 2019, 2, 14. [Google Scholar] [CrossRef]
  14. Orman, H. The Morris worm: A fifteen-year perspective. IEEE Secur. Priv. 2003, 1, 35–43. [Google Scholar] [CrossRef]
  15. Garber, L. Melissa Virus Creates a New Type of Threat. Computer 1999, 32, 16–19. [Google Scholar] [CrossRef]
  16. Mohaisen, A.; Alrawi, O. Unveiling Zeus: Automated classification of malware samples. In Proceedings of the 22nd International Conference on World Wide Web (WWW ‘13 Companion), Rio de Janeiro, Brazil, 13–17 May 2013; Association for Computing Machinery: New York, NY, USA, 2013; pp. 829–832. [Google Scholar] [CrossRef]
  17. Denning, D.E. Stuxnet: What Has Changed? Future Internet 2012, 4, 672–687. [Google Scholar] [CrossRef]
  18. Adams, C. Learning the lessons of WannaCry. Comput. Fraud. Secur. 2018, 2018, 6–9. [Google Scholar] [CrossRef]
  19. Alkhadra, R.; Abuzaid, J.; AlShammari, M.; Mohammad, N. Solar Winds Hack: In-Depth Analysis and Countermeasures. In Proceedings of the 2021 12th International Conference on Computing Communication and Networking Technologies (ICCCNT), Kharagpur, India, 6–8 July 2021; pp. 1–7. [Google Scholar] [CrossRef]
  20. Axon, L.; Erola, A.; Agrafiotis, I.; Uuganbayar, G.; Goldsmith, M.; Creese, S. Ransomware as a Predator: Modelling the Systemic Risk to Prey. Digit. Threat. 2023, 4, 55. [Google Scholar] [CrossRef]
  21. Jaffe, J.; Floridi, L. Ransomware: Why it’s growing and how to curb its growth. Appl. Cybersecur. Internet Gov. 2024, 3, 38–64. [Google Scholar] [CrossRef]
  22. Hansel, M.; Silomon, J. Ransomware as a threat to peace and security: Understanding and avoiding political worst-case scenarios. J. Cyber Policy 2024, 9, 159–178. [Google Scholar] [CrossRef]
  23. Gomes, V.; Reis, J.; Alturas, B. Social Engineering and the Dangers of Phishing. In Proceedings of the 2020 15th Iberian Conference on Information Systems and Technologies (CISTI), Seville, Spain, 24–27 June 2020; pp. 1–7. [Google Scholar] [CrossRef]
  24. Gallagher, S.; Gelman, B.; Taoufiq, S.; Vörös, T.; Lee, Y.; Kyadige, A.; Bergeron, S. Phishing and Social Engineering in the Age of LLMs. In Large Language Models in Cybersecurity; Springer: Cham, Switzerland, 2024. [Google Scholar] [CrossRef]
  25. Barcan, A.; Badoi, M.; Nedianu, G.; Ciochiu, D.; Traistaru, C.; Enescu, N. Advanced Persistent Threats. In Proceedings of the 2024 23rd RoEduNet Conference: Networking in Education and Research (RoEduNet), Bucharest, Romania, 19–20 September 2024; pp. 1–6. [Google Scholar] [CrossRef]
  26. Buchta, R.; Gkoktsis, G.; Heine, F.; Kleiner, C. Advanced Persistent Threat Attack Detection Systems: A Review of Approaches, Challenges, and Trends. Digit. Threat. 2024, 5, 39. [Google Scholar] [CrossRef]
  27. Butt, U.A.; Amin, R.; Mehmood, M.; Aldabbas, H.; Alharbi, M.T.; Albaqami, N. Cloud Security Threats and Solutions: A Survey. Wirel. Pers. Commun. 2022, 128, 387–413. [Google Scholar] [CrossRef]
  28. Pitkar, H. Cloud Security Automation Through Symmetry: Threat Detection and Response. Symmetry 2025, 17, 859. [Google Scholar] [CrossRef]
  29. Pallakonda, A.; Kaliyannan, K.; Sumathi, R.L.; Raj, R.D.A.; Yanamala, R.M.R.; Napoli, C.; Randieri, C. AI-Driven Attack Detection and Cryptographic Privacy Protection for Cyber-Resilient Industrial Control Systems. IoT 2025, 6, 56. [Google Scholar] [CrossRef]
  30. Brohi, S.; Mastoi, Q.-U.-A. AI Under Attack: Metric-Driven Analysis of Cybersecurity Threats in Deep Learning Models for Healthcare Applications. Algorithms 2025, 18, 157. [Google Scholar] [CrossRef]
  31. Mohamed Mohideen, M.A.; Nadeem, M.S.; Hardy, J.; Ali, H.; Tariq, U.U.; Sabrina, F.; Waqar, M.; Ahmed, S. Behind the Code: Identifying Zero-Day Exploits in WordPress. Future Internet 2024, 16, 256. [Google Scholar] [CrossRef]
  32. Berrios Vasquez, S.I.; Hermosilla Monckton, P.A.; Leiva Muñoz, D.I.; Allende, H. Zero-Day Threat Mitigation via Deep Learning in Cloud Environments. Appl. Sci. 2025, 15, 7885. [Google Scholar] [CrossRef]
  33. Shastry, A.S.; Shreyas, M.P.; Karthik, R.; Chinmaya, B.N.; Chethana, H.T.; Sarkar, S. A Comprehensive Linux Log Dataset with Root Cause and Remediation for Security Analysis. In Proceedings of the 2025 5th International Conference on Pervasive Computing and Social Networking (ICPCSN), Salem, India, 14–16 May 2025; pp. 654–659. [Google Scholar] [CrossRef]
  34. Jeyaram, A.; Muthukumaravel, A. Detect, Analyze, Act: Advancing Cybersecurity Investigations with Data Engineering and AI. In Proceedings of the 2024 Asian Conference on Intelligent Technologies (ACOIT), Kolar, India, 6–7 September 2024; pp. 1–6. [Google Scholar] [CrossRef]
  35. Hong, S.; Yue, T.; You, Y.; Lv, Z.; Tang, X.; Hu, J.; Yin, H. A Resilience Recovery Method for Complex Traffic Network Security Based on Trend Forecasting. Int. J. Intell. Syst. 2025, 2025, 3715086. [Google Scholar] [CrossRef]
  36. abuse.ch. MalwareBazaar. Available online: https://bazaar.abuse.ch/ (accessed on 24 August 2025).
  37. VirusTotal. VirusTotal—Free Online Virus, Malware and URL Scanner. Available online: https://www.virustotal.com/ (accessed on 15 August 2025).
  38. GNU File. File—Determine File Type. Available online: https://www.darwinsys.com/file/ (accessed on 15 August 2025).
  39. GNU Binutils Strings. Strings—Print the Strings of Printable Characters in Files. Available online: https://sourceware.org/binutils/docs/binutils/strings.html (accessed on 15 August 2025).
  40. Vector 35. Binary Ninja—Reverse Engineering Platform. Available online: https://binary.ninja/ (accessed on 15 August 2025).
  41. Winitor. Pestudio—Malware Analysis Tool. Available online: https://www.winitor.com/ (accessed on 15 August 2025).
  42. YARA. YARA—The Pattern Matching Swiss Knife for Malware Researchers. Available online: https://virustotal.github.io/yara/ (accessed on 15 August 2025).
  43. wxHexEditor. wxHexEditor—Free Hex Editor. Available online: https://sourceforge.net/projects/wxhexeditor/ (accessed on 15 August 2025).
  44. Censys. Censys—Search Engine for Internet-Connected Devices. Available online: https://censys.io/ (accessed on 15 August 2025).
  45. Shodan. Shodan—The Search Engine for the Internet of Things. Available online: https://www.shodan.io/ (accessed on 15 August 2025).
  46. Microsoft Sysinternals. Process Monitor (Procmon). Available online: https://learn.microsoft.com/en-us/sysinternals/downloads/procmon (accessed on 15 August 2025).
  47. Microsoft Sysinternals. Sysmon—System Monitor. Available online: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon (accessed on 15 August 2025).
  48. Wireshark Foundation. Wireshark—Network Protocol Analyzer. Available online: https://www.wireshark.org/ (accessed on 15 August 2025).
  49. Regshot. Regshot—Registry Compare Utility. Available online: https://sourceforge.net/projects/regshot/ (accessed on 15 August 2025).
  50. Mandiant. FakeNet-NG—Dynamic Network Analysis Tool. Available online: https://github.com/mandiant/flare-fakenet-ng (accessed on 15 August 2025).
  51. Widiyasono, N.; Selamat, S.R.; Rizal, R.; Fidayan, A.; Mulyani, S.R.; Risnanto, S. Advanced Malware Analysis Methods: Behaviour-Based Detection and Reverse Engineering. In Proceedings of the 2024 18th International Conference on Telecommunication Systems, Services, and Applications (TSSA), Bali, Indonesia, 17–18 October 2024; pp. 1–5. [Google Scholar] [CrossRef]
  52. Choudhary, V.; Singh, S.; Atrey, S.; Kumar, A.; Kalita, S. A Custom Sandbox for Malware Threat Analysis to Safeguard Infrastructure. In Proceedings of the 2025 3rd International Conference on Disruptive Technologies (ICDT), Greater Noida, India, 7–8 March 2025; pp. 471–475. [Google Scholar] [CrossRef]
  53. Rahman, R.U.; Acharya, A.; Deb, S.; Panchal, P. Dynamic Forensic Analysis of CryptBot Malware. In Proceedings of the 2025 IEEE 14th International Conference on Communication Systems and Network Technologies (CSNT), Bhopal, India, 7–9 March 2025; pp. 376–383. [Google Scholar] [CrossRef]
  54. Sinha, A.K.; Sai, S. Integrated Malware Analysis Sandbox for Static and Dynamic Analysis. In Proceedings of the 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), Delhi, India, 6–8 July 2023; pp. 1–5. [Google Scholar] [CrossRef]
  55. Kamdan; Pratama, Y.; Munzi, R.S.; Mustafa, A.B.; Kharisma, I.L. Static Malware Detection and Classification Using Machine Learning: A Random Forest Approach. Eng. Proc. 2025, 107, 76. [Google Scholar] [CrossRef]
  56. Khalda, K.; Wibowo, D.K. Analisis Perilaku Malware Menggunakan Pendekatan Analisis Statis dan Dinamis. J. Sains Nalar Dan Apl. Teknol. Inf. 2025, 4, 1–8. [Google Scholar] [CrossRef]
  57. Syeda, D.Z.; Asghar, M.N. Dynamic Malware Classification and API Categorisation of Windows Portable Executable Files Using Machine Learning. Appl. Sci. 2024, 14, 1015. [Google Scholar] [CrossRef]
Figure 1. Work scheme.
Figure 2. Visual representation of the S1 malware file.
Figure 3. File analysis in wxHexEditor.
Figure 4. Static analysis of the malicious file, via PEStudio.
Figure 5. Representation of the domains and IPs that the S1 file is trying to access, from VirusTotal.
Figure 6. Analysis of the malicious IP, using the ping.eu solution.
Figure 7. How to perform dynamic analysis, along with the tools and samples utilized.
Figure 8. Running the keylogger K5.
Figure 9. File entropy distribution.
Figure 10. Antivirus detection results for malicious files.
Table 1. Summary of key contributions in cybersecurity research.
Reference | Focus/Objective | Methodology/Tools | Key Contribution | Relevance to Current Study
[6] | Evolution of malware features and detection trends | Theoretical review of emerging malware behaviors and ML-based detection methods | Highlights how malware evolves alongside technologies | Serves as theoretical grounding for understanding malware evolution and the need for adaptive detection systems
[7] | Obfuscation techniques and hybrid analysis | Hybrid detection combining API calls, PE file inspection, and code analysis | Identifies obfuscation as a major detection challenge | Supports inclusion of hybrid analysis and feature-based detection approaches
[8] | Comparison of static vs. dynamic analysis (Android domain) | Empirical comparison using mobile malware datasets | Demonstrates advantages and limitations of both approaches | Provides insight applicable to workstation malware analysis
[9] | Behavior-based malware characterization | API sequence analysis; ML-based classification | Proposes API sequence analysis for behavioral profiling | Aligns with the current study's focus on feature extraction and API-level behavior differentiation
[11] | Forensic investigation and attack diversity | Case-based malware investigation; legal considerations | Highlights diversity of attacks and jurisdictional challenges | Reinforces the need for standardized forensic and analytical frameworks
[12] | Automated feature extraction and classification | Ghidra, VirusTotal, PEview; decompilation and structure inspection | Enables polymorphic/obfuscated malware detection through structural analysis | Technically complements the static analysis phase of the current work
[20] | Systemic risk modeling of ransomware propagation | Compartment-based predator-prey modeling; simulations of risk controls | Demonstrates effectiveness of different mitigation strategies and systemic risk factors; explores future extensions for attacker behaviors, victim characteristics, and organizational responses | Provides a high-level perspective on ransomware propagation and mitigation; complements the current work by suggesting future research directions in dynamic threat assessment and mitigation planning
[21] | Multi-disciplinary review of ransomware growth | Literature review across academic and industry sources | Identifies economic incentives driving ransomware, a low-skill/high-volume attacker profile, and governance gaps; suggests financial disincentives and cyber governance as mitigation | Offers a contextual, socio-economic perspective on ransomware
[22] | Ransomware and public security/geopolitical impact | Scenario building and risk analysis of causal chains linking ransomware to societal disruption | Explores ransomware's impact on public services, peace and security, geopolitical escalation, and multilateral governance; proposes institutional remedies and metrics for systemic risk assessment | Extends the contextual relevance of malware studies beyond technical aspects, highlighting societal, political, and governance implications that can inform comprehensive risk management strategies
[23] | Social engineering and phishing attacks | Exploratory qualitative interviews with cybersecurity professionals; quantitative online questionnaire | Analyzes prevention methods for phishing, identifies vulnerable populations, and evaluates response strategies; tools used include MxToolbox, Browserling, VirusTotal, Reverse IT | Adds a behavior-focused perspective; informs feature analysis and risk assessment related to social engineering, complementing malware-focused investigations
[24] | Large Language Models in cybercrime | Case studies of AI-assisted phishing and social engineering; analysis of LLM-generated content | Demonstrates how LLMs increase the effectiveness and scale of phishing attacks, including multimodal attacks with text, images, and audio; highlights the human factor as a key vulnerability | Provides a forward-looking perspective on emerging AI-enabled threats, underlining the importance of awareness and potential automated defenses
[25] | Advanced Persistent Threats (APTs) taxonomy | Literature review; hypothetical scenario illustration | Provides a detailed taxonomy of APT attack steps, discusses recent detection technologies, and outlines potential defense strategies; emphasizes standardization and systematic classification of threats | Offers a structured framework for understanding and analyzing complex cyberattacks, supporting more precise threat assessment and response planning
[26] | APT attack detection systems | Structured literature search of 70 papers, forward/backward citation analysis; systematization along threat model, detection methodology, and data type | Identifies obstacles in detection, proposes a reference architecture for comparability, evaluates datasets, and emphasizes the potential of DL/GNN anomaly detection | Strengthens understanding of real-world challenges in detecting sophisticated, long-lived, distributed APTs; complements the current work by emphasizing the need for robust evaluation frameworks and systematized feature extraction
[27] | Cloud computing security | Literature review and survey analysis | Provides a comprehensive survey of cloud computing security threats, challenges, strategies, and solutions; addresses deficiencies in prior surveys and highlights practical security considerations for cloud adoption | Adds broader cybersecurity context, complementing malware-focused research; emphasizes the importance of securing infrastructure and services where malware and cyber-attacks may propagate
[28] | Cloud security automation | Analysis of market trends and technologies; real-world use cases | Explores SIEM, XDR, and SOAR platforms; AI/ML integration for automated threat detection and response; introduces a scalable and extensible cloud security architecture | Demonstrates advanced approaches to automated threat detection and response in cloud environments; complements the study by showing practical solutions for large-scale infrastructures
[29] | Industrial Control Systems (ICS) cybersecurity | Machine learning anomaly detection (XGBoost, Decision Tree, LSTM autoencoder) + AES/RSA cryptography; ICS-Flow dataset; hardware implementation on a PYNQ-Zynq board | Combines AI-driven anomaly detection with strong cryptography to protect ICS networks; demonstrates high accuracy, real-time feasibility, and resilience to brute-force/tampering attacks | Adds an applied, industrial-focused perspective; highlights integration of ML and cryptography in real-time ICS security, complementing malware detection and automated response discussions
[30] | AI in healthcare cybersecurity | Analysis of attack vectors on DL models for healthcare; Healthcare AI Vulnerability Assessment Algorithm (HAVA); Post-Attack Vulnerability Index (PAVI) | Provides a unified framework to simulate adversarial, evasion, and data poisoning attacks on DL models; quantifies impacts on model accuracy and false positives | Offers insights into vulnerabilities of AI systems in critical domains; complements malware-focused work by demonstrating how attack simulation and feature-based analysis can inform robust system design
[31] | Zero-day vulnerabilities in WordPress plugins | Dynamic application security testing (DAST); controlled testing on 23 WordPress plugins; keylogger-based attack simulation | Identified three previously unknown zero-day vulnerabilities (CVE-2023-5119, CVE-2023-5228, CVE-2023-5955); analyzed exploitation mechanisms, potential impacts, and admin-side attack risks | Highlights practical dynamic testing for unknown vulnerabilities; informs methodology for malware detection, dynamic behavior analysis, and risk assessment
[32] | Zero-day malware detection in cloud computing | Deep learning model (Mixed Vision Transformer, MVT); binary files converted to images; trained on the MaLeX dataset in a simulated Docker environment | Outperformed traditional models in detecting malware; highlights the challenge of classifying benign files, high computational cost, and lack of explainability | Demonstrates an advanced AI-based approach for zero-day detection in cloud environments; complements feature-based and dynamic malware analysis by providing an adaptive and scalable detection methodology
[33] | Linux security monitoring using system logs | Dataset of 12,685 Ubuntu VM logs; pre-processing, root cause analysis, threat classification (0–4 levels); structured log analysis; manual verification | Provides a structured dataset and methodology for automated log-based anomaly detection, predictive maintenance, and threat intelligence; improves system reliability, incident response, and security posture | Offers a benchmark for static/dynamic feature extraction in Linux environments; shows integration of operational logs into automated monitoring and detection frameworks, which can complement malware behavior analysis
[34] | AI and data engineering for cybersecurity operations | Integration of supervised and unsupervised learning, natural language processing (NLP), reinforcement learning, and orchestration systems; automated risk assessment and incident response | Shows how AI and data engineering enhance real-time threat detection, automated response, adaptive access control, and proactive cybersecurity measures; emphasizes continuous innovation to address evolving cyber threats | Highlights the benefits of AI-driven analytics and automation for improving malware detection, threat analysis, and operational efficiency in cybersecurity investigations; informs the potential integration of AI-assisted methods into malware behavior studies
[35] | Traffic network resilience and fault recovery | SIRD-R fault propagation model; LSTM networks for resilience trend forecasting; experimental analysis on complex traffic networks | Introduced risk-aware fault propagation modeling; constructed real-time and overall network resilience models; proposed proactive resilience recovery strategies; demonstrated effectiveness and scalability across diverse networks | Provides an example of system-level resilience modeling and predictive recovery; informs the design of proactive mitigation strategies in complex, multi-node environments, analogous to large-scale cybersecurity incident planning
Table 2. Malicious files analyzed in this paper.
Malicious File Name (SHA256 Hash) | Abbreviated Name of the Malicious File | Malicious File Category
04789bb1e63b81997e53786d1f19a6dde477b29b54ad5bcb12aeb9bce3d0f72b | A1 | Adware
e384df976f21e80cda75ebfd070f3ddf564b21d313c198bec6b3d8c1c84c36d5 | A2 | Adware
285abeabc3e22a06cc5476d185a53a0030acc1abb893eb06617dcbee9564f81a | A3 | Adware
c5aa0ec8d3e2dcf0fcdea0ea8e72f7edbd673cfc2f4fb127ceaf6b890f3f8bab | A4 | Adware
f1824916eb20afd2c9d86c3b2408bb54eef6b45c893e75f996523728d72ce328 | A5 | Adware
3ad8da15913635c104c9b56288f5975e6155d87fbfe49384841940e1a353a421 | B1 | Backdoor
7fe19185d338c2ea659f8e908b06c2e8e96942553bcddd4bd09db295aac6429d | B2 | Backdoor
33d9630eef362ad300b8a8c000e4172d18330bfbde8c0053e0ba8d37b9537220 | B3 | Backdoor
c775e6d87a3bcc5e94cd055fee859bdb6350af033114fe8588d2d4d4f6d2a3ae | B4 | Backdoor
fc850fa23df3b43918e3f154e08bc8917ab2beaa67c28fd818e41aeb9921e3ea | B5 | Backdoor
3afb4b16d7a9aac77226467a1fcd4eaf035c19dce39d926c975aff0e551d29ff | K1 | Keylogger
3bd81e69dd4d484dd8d83d7c89b144793c257a338341e324d11c8601214bda3e | K2 | Keylogger
707add74e2e080ebea3b2e64c7a17fb360f81b99a339f6c05334fc4822a2fbcc | K3 | Keylogger
1252570986e55437d081f64bdced5002dfcd9d77f6986cc3c08fb62ee5d4fce6 | K4 | Keylogger
c304972e9e68f67318eb2a082bfe958d5e77fdd8a7b2b38867938803ab6d87f6 | K5 | Keylogger
ef93353c2ecc677d4db0854d9eac80717a496af273ee0f2f5a21fda5682e248e | M1 | Malware
0636c501c89341ec7f893d7e221ff932db330d7f90e9b0bd53b47012f446a31a | M2 | Malware
b3ffbb213580aac6f9dc8d7ea321bd61be3e5cd41647e29aabeaedee2bfc4b83 | M3 | Malware
415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020 | M4 | Malware
e5627c7b3e95c75c95e4532b3204209ed8c6786a159804702e0a3d03cdce7bed | M5 | Malware
739e1ab9e63ec4da436b2861c3c23111a823676896b6f2f40cf0051bf5c0e951 | Rw1 | Ransomware
Table 3. Initial information collection.
Short File Name | File Type | File Description | File Entropy | File Size (bytes)
A1 | .exe | Remote Service Application | 6.61 | 674,304
A2 | .exe | Web Companion Installer | 7.66 | 555,248
A3 | .exe | Artificius Installer | 8.00 | 88,984,016
A4 | .exe | President-Presence Setup | 7.52 | 1,898,944
A5 | .exe | - | 7.64 | 1,085,360
B1 | .bat | WorkMultiOpen | 4.18 | 35
B2 | .exe | - | 3.54 | 2048
B3 | .exe | Chef Life a Restaurant Simulator Turkce Yama Installer | 7.98 | 70,682,006
B4 | .exe | - | 6.23 | 4,038,656
B5 | .exe | EPhoneRIO Setup | 7.99 | 6,886,526
K1 | .exe | FotFin | 7.40 | 442,368
K2 | .tar | PI-52-2025 | 7.99 | 1,083,392
K3 | .rar | - | 7.99 | 534,798
K4 | .exe | PersonnelTracking | 7.84 | 710,144
K5 | .tar/.zip | - | 7.99 | 536,235
M1 | .bin | - | 6.57 | 888
M2 | .ps1 | - | 4.06 | 5206
M3 | .exe | - | 1.73 | 7168
M4 | .exe | - | 7.90 | 12,796,421
M5 | .exe | - | 7.00 | 15,209,472
Rw1 | .exe | - | 5.30 | 397,824
Rw2 | .exe | BobuxManRemastered | 7.62 | 93,696
Rw3 | .exe | Codemeter | 5.48 | 93,184
Rw4 | .exe | - | 5.49 | 84,480
Rw5 | .exe | - | 6.88 | 230,912
Rt1 | .exe | Date Calculator v2.0 (PDF) | 7.74 | 1,071,104
Rt2 | .js | - | 5.72 | 794,251
Rt3 | .dll | ThinPrint Print Processor | 7.99 | 25,702,400
Rt4 | .exe | Approximation | 6.14 | 119,136
Rt5 | .exe | Spixel | 7.68 | 840,192
S1 | .exe | Adobe Acrobat Reader DC | 7.86 | 1,066,496
S2 | .exe | SAMSUnG | 5.43 | 786,432
S3 | .exe | - | 8.00 | 8,112,022
S4 | .exe | - | 7.87 | 1,237,089
S5 | .exe | - | 6.30 | 14,688
T1 | .exe | Reer | 7.00 | 292,864
T2 | .exe | Adobe Flash Player 11.3 r300 | 6.92 | 8,595,538
T3 | .exe | ApacheBench Command Line Utility | 6.31 | 31,861,392
T4 | .zip | Electrum-DOGE Installer | 8.00 | 89,418
T5 | .exe | Albuquerqium | 5.65 | 209,408
Table 4. Collecting information from malicious files using various analysis solutions.
Short File Name | Detected by VT as Malicious | Imports | Exports | Network Activity | Known Signature
A1 | yes | yes | no | yes | no
A2 | yes | yes | no | yes | yes
A3 | yes | yes | no | yes | yes
A4 | yes | yes | no | yes | yes
A5 | yes | yes | no | no | yes
B1 | no | no | no | yes | no
B2 | yes | yes | no | yes | no
B3 | yes | yes | no | no | yes
B4 | yes | yes | no | yes | no
B5 | yes | yes | no | yes | no
K1 | yes | yes | no | yes | no
K2 | yes | no | no | no | no
K3 | yes | no | no | yes | no
K4 | yes | yes | no | yes | no
K5 | yes | no | no | yes | no
M1 | yes | no | no | no | no
M2 | yes | no | no | yes | no
M3 | yes | yes | no | yes | no
M4 | yes | yes | no | yes | no
M5 | yes | yes | no | yes | no
Rw1 | yes | yes | no | yes | no
Rw2 | yes | yes | no | yes | no
Rw3 | yes | yes | no | yes | no
Rw4 | yes | yes | no | yes | no
Rw5 | yes | yes | no | yes | no
Rt1 | yes | yes | no | yes | no
Rt2 | yes | no | no | yes | no
Rt3 | yes | yes | no | yes | no
Rt4 | yes | yes | no | yes | no
Rt5 | yes | yes | no | yes | no
S1 | yes | no | no | yes | no
S2 | yes | yes | no | yes | no
S3 | yes | yes | no | yes | no
S4 | yes | yes | no | yes | no
S5 | yes | yes | no | yes | no
T1 | yes | yes | no | yes | no
T2 | no | yes | no | yes | no
T3 | yes | yes | no | yes | no
T4 | no | yes | no | yes | no
T5 | yes | no | no | no | no
Table 5. Gathering information from strings and indicators of compromise.
Short File Name | Malicious Activity at the Network Level | Changes at the Registry Level (KA | KD | VM | VA | VD) | Changes to System Resources | Detected by AV (Offline)
A1 | no | yes | yes | yes | yes | yes | no | yes
A2 | yes | yes | yes | yes | yes | yes | no | no
A3 | yes | yes | yes | yes | yes | yes | no | no
A4 | no | yes | yes | yes | yes | yes | yes | no
A5 | no | yes | yes | yes | yes | yes | no | no
B1 | no | yes | yes | yes | yes | yes | no | no
B2 | no | yes | yes | yes | yes | yes | no | yes
B3 | no | yes | yes | yes | yes | yes | no | yes
B4 | no | yes | yes | yes | yes | yes | no | yes
B5 | yes | yes | yes | yes | yes | yes | no | yes
K1 | yes | yes | yes | yes | yes | yes | yes | yes
K2 | no | yes | yes | yes | yes | yes | no | no
K3 | no | yes | yes | yes | yes | yes | no | no
K4 | yes | yes | yes | yes | yes | yes | no | yes
K5 | no | yes | yes | yes | yes | yes | no | no
M1 | no | yes | yes | yes | yes | yes | no | no
M2 | no | yes | yes | yes | yes | yes | yes | no
M3 | yes | yes | yes | yes | yes | yes | no | yes
M4 | no | yes | yes | yes | yes | yes | yes | yes
M5 | no | yes | yes | yes | yes | yes | no | yes
Rw1 | no | yes | yes | yes | yes | yes | yes | yes
Rw2 | no | yes | yes | yes | yes | yes | yes | yes
Rw3 | yes | yes | yes | yes | yes | yes | yes | no
Rw4 | no | yes | yes | yes | yes | yes | yes | yes
Rw5 | no | yes | yes | yes | yes | yes | yes | no
Rt1 | no | yes | yes | yes | yes | yes | no | yes
Rt2 | yes | yes | yes | yes | yes | yes | no | no
Rt3 | no | yes | yes | yes | yes | yes | no | no
Rt4 | yes | yes | yes | yes | yes | yes | yes | yes
Rt5 | no | yes | yes | yes | yes | yes | no | yes
S1 | no | yes | yes | yes | yes | yes | no | yes
S2 | no | yes | yes | yes | yes | yes | no | yes
S3 | yes | yes | yes | yes | yes | yes | no | no
S4 | no | yes | yes | yes | yes | yes | no | no
S5 | yes | yes | yes | yes | yes | yes | no | yes
T1 | no | yes | yes | yes | yes | yes | no | no
T2 | no | yes | yes | yes | yes | yes | yes | no
T3 | no | yes | yes | yes | yes | yes | no | yes
T4 | no | yes | yes | yes | yes | yes | yes | no
T5 | no | yes | yes | yes | yes | yes | no | yes
Table 6. Observed versus expected indicators of malicious activity across malware types.

Malware Category | Key Features (Literature) | Real Results
Adware | Moderate entropy, executable type, network activity, registry entries | For this malware category, entropy values were consistently high across all samples, indicating obfuscation or packing. Antivirus detection was limited, with only one out of five samples being flagged. The file type was EXE in all cases, and all samples exhibited registry modifications and process creation, confirming active system-level behaviors. Additionally, network activity was observed in four out of five samples, highlighting the malware's capability to communicate externally.
Backdoor | High entropy, low antivirus detection, consistent file type (exe), registry changes and network activity | Based on the analysis of the backdoor samples, only two out of five files exhibited high entropy values, while antivirus detection occurred in four of the five cases. The samples were predominantly of types .exe and .bat, with network activity recorded in four out of five instances and registry modifications detected consistently across all five samples.
Keylogger | Moderate entropy, executable, registry changes, keylogging process | For the keylogger samples, all files exhibited high entropy values and were primarily of types .exe and .tar. Registry modifications were consistently observed across the samples, while network activity was detected in four out of five cases during static analysis and in two out of five cases during dynamic analysis.
Malware | Moderate to high entropy, variable antivirus detection, consistent file type, variable network activity | For the malware samples, several files exhibited very high entropy values, while one showed a notably low entropy of 1.73. The analyzed files included .bin, .ps1, and .exe types. Network activity was present in all five samples, with antivirus detection failing in one case. Additionally, network connections were observed in four out of five samples during static analysis and in one out of five during dynamic analysis.
Ransomware | High entropy, executable file type, antivirus detection, file encryption behavior | For the ransomware samples, two out of five files were not detected by the antivirus. Network activity was identified in all samples during static analysis but only in one sample during dynamic execution. Additionally, all five ransomware samples exhibited low entropy values, suggesting limited packing or obfuscation.
RAT | High entropy, variable antivirus detection, registry changes, frequent process creation and network activity | For the RAT (Remote Access Trojan) samples, two out of five files were not detected by the antivirus. Network activity was observed in all samples during static analysis but only in two during dynamic execution. Two samples exhibited low entropy values, while all showed evidence of registry modifications, indicating persistence and system configuration changes typical of RAT behavior.
Spyware | Low entropy, moderate antivirus detection, consistent file type, registry changes and network activity | For the spyware samples, two out of five files were not detected by the antivirus. Network activity was recorded in all samples during static analysis, while only two exhibited such behavior dynamically. Two samples showed low entropy values, whereas three presented very high entropy values (around 8.00), suggesting potential obfuscation or packing. Additionally, all samples demonstrated registry modifications, consistent with typical Trojan persistence techniques.
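The entropy indicator that Table 6 compares across categories (values near 8.00 read as packing or obfuscation, 1.73 as notably low) can be computed as below; this is an added example, not the authors' toolset, and it also scans a file window by window so that a packed or encrypted section inside an otherwise ordinary file can be located. The thresholds and the sample bytes are assumptions constructed for the demonstration.

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this example; the paper reports values
# around 8.00 as very high (packing/obfuscation) and 1.73 as notably low.
HIGH_ENTROPY = 7.0
MODERATE_ENTROPY = 5.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, in the range 0.0 .. 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def classify_entropy(h: float) -> str:
    """Coarse class in the sense of Table 6 (low / moderate / high)."""
    if h >= HIGH_ENTROPY:
        return "high"
    return "moderate" if h >= MODERATE_ENTROPY else "low"

def windowed_entropy(data: bytes, window: int = 512, step: int = 512):
    """(offset, entropy) for each fixed-size window; whole-file entropy hides mixed content."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data) - window + 1, step)]

def high_entropy_regions(data: bytes, window: int = 512, step: int = 512,
                         threshold: float = HIGH_ENTROPY) -> list:
    """Offsets of windows that look packed or encrypted."""
    return [off for off, h in windowed_entropy(data, window, step) if h >= threshold]

def _pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain), constructed for the demo."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
    return bytes(out[:n])

# Constructed sample "file": a text-like section, a zero-filled section and a
# section resembling a packed payload (no real malware involved).
SAMPLE_FILE = ((b"The quick brown fox jumps over the lazy dog. " * 46)[:2048]
               + bytes(2048) + _pseudo_random(4096))

if __name__ == "__main__":
    for off, h in windowed_entropy(SAMPLE_FILE):
        print(f"offset {off:5d}: {h:.2f} bits/byte ({classify_entropy(h)})")
    print("whole file:", round(shannon_entropy(SAMPLE_FILE), 2))
    print("packed-looking regions at offsets:", high_entropy_regions(SAMPLE_FILE))
```

The whole-file value averages the three sections, which is why a per-window scan is the more useful static indicator when only part of a sample is packed.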
Andronache, M.-M.; Vulpe, A.; Burileanu, C. Integrated Analysis of Malicious Software: Insights from Static and Dynamic Perspectives. J. Cybersecur. Priv. 2025, 5, 98. https://doi.org/10.3390/jcp5040098