The analysis of malware using static and dynamic/behavioral methods is critical for understanding the malware’s inner workings. Information obtained from such analyses can be used for malware detection and mitigation, for the development of countermeasures, and as a means of triage for determining whether further analysis is necessary.
In terms of static analysis, MAEC can be used to capture the particular details that are extracted from a malware instance. These details can range from static attributes of the malware instance binary, such as the packer(s) applied to it, to interesting code snippets obtained by manually reverse engineering the binary.
With respect to dynamic analysis, MAEC can be used to capture details of the particular actions exhibited by executing the malicious binary or code. This can be done at multiple levels of abstraction, starting with the lowest level (which is most commonly captured as some form of native system API call) and extending to higher levels describing a particular unit of malicious functionality, such as keylogging or vulnerability exploitation.
For both static and dynamic analysis, MAEC can capture analysis results as separate items, including the particular findings of the analysis, information on any tools that were used, and other associated data such as the details of the analysis environment. As such, MAEC permits all of the analyses for a malware instance to be described in a standard fashion and captured in a single document, the MAEC Package. An overview of using MAEC to capture static and dynamic malware analysis is shown in the figure.
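The following script, added here as an illustration and not part of MAEC or its reference tooling, shows what "one document per malware instance" looks like in practice: a package holding one malware instance with a static finding (the packer), dynamic findings at two levels of abstraction (a single API-call-style action and the higher-level behavior it belongs to), and a separate analysis-metadata entry for each analysis naming its tool and environment. The layout is modelled on the MAEC 5.0 JSON package; field names not mentioned in the text above (`obfuscation_methods`, `action_refs`, `behavior_refs`, `analysis_metadata`, `analysis_environment`, `tool_refs`) are assumptions to be checked against the published schema, and every hash, tool and packer name is constructed. The reference check at the end is the kind of consistency test a consumer would run before trusting a package.

```python
"""Build a minimal MAEC-style package bundling static and dynamic analysis
results for one malware instance, then verify that every reference in it
resolves inside the same document. Added example; field names modelled on
MAEC 5.0 JSON are assumptions, all sample values are constructed."""
import hashlib
import json
import uuid


def new_id(obj_type):
    """MAEC-style identifier: '<type>--<uuid4>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def build_package():
    """Return a package dict with one malware instance, one low-level action,
    one higher-level behavior, and one analysis-metadata entry per analysis."""
    # Constructed sample: hash of made-up bytes, not a real malware sample.
    sha256 = hashlib.sha256(b"constructed sample bytes").hexdigest()

    # Observable objects are keyed by string index (STIX 2.0 convention, assumed).
    observables = {
        "0": {"type": "file", "name": "sample.exe", "hashes": {"SHA-256": sha256}},
        "1": {"type": "software", "name": "ExampleStaticTool"},  # constructed tool name
        "2": {"type": "software", "name": "ExampleSandbox"},     # constructed tool name
        "3": {"type": "software", "name": "ExampleGuestOS"},     # constructed environment
    }

    # Lowest level of dynamic abstraction: a single native-API-style action.
    action = {
        "type": "malware-action",
        "id": new_id("malware-action"),
        "name": "create registry key",
        "output_object_refs": [],
    }
    # Higher level: a unit of malicious functionality composed of actions.
    behavior = {
        "type": "behavior",
        "id": new_id("behavior"),
        "name": "persist-after-system-reboot",
        "action_refs": [action["id"]],
    }
    instance = {
        "type": "malware-instance",
        "id": new_id("malware-instance"),
        "instance_object_refs": ["0"],
        # Static finding: which packer the binary was packed with.
        "static_features": {
            "obfuscation_methods": [{"method": "packing", "packer_name": "ExamplePacker"}],
        },
        # Dynamic findings at both levels, by reference.
        "dynamic_features": {
            "action_refs": [action["id"]],
            "behavior_refs": [behavior["id"]],
        },
        # One metadata entry per analysis: type, tool used, environment.
        "analysis_metadata": [
            {"analysis_type": "static", "is_automated": True, "tool_refs": ["1"],
             "description": "packer identification on the raw binary"},
            {"analysis_type": "dynamic", "is_automated": True, "tool_refs": ["2"],
             "analysis_environment": {"operating-system": "3"},
             "description": "one sandbox run; API calls grouped into behaviors"},
        ],
    }
    return {
        "type": "package",
        "id": new_id("package"),
        "schema_version": "5.0",
        "maec_objects": [instance, action, behavior],
        "observable_objects": observables,
    }


def dangling_references(package):
    """Return every *_ref / *_refs / environment value that does not resolve to
    a MAEC object id or an observable key. Empty means the document is
    self-contained, which is the point of bundling analyses in one package."""
    known = {o["id"] for o in package["maec_objects"]} | set(package["observable_objects"])
    missing = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key.endswith("_ref") and value not in known:
                    missing.append(value)
                elif key.endswith("_refs"):
                    missing.extend(v for v in value if v not in known)
                elif key == "analysis_environment":
                    missing.extend(v for v in value.values() if v not in known)
                else:
                    walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(package)
    return missing


def analysis_types(package):
    """List the analysis types recorded on each malware instance, in order."""
    return [m["analysis_type"]
            for o in package["maec_objects"] if o["type"] == "malware-instance"
            for m in o.get("analysis_metadata", [])]


if __name__ == "__main__":
    pkg = build_package()
    print(json.dumps(pkg, indent=2))
    print("dangling references:", dangling_references(pkg))
```

Running the script prints the package and an empty dangling-reference list; pointing a `behavior_refs` entry at an id that is not in `maec_objects` makes the checker report it, which is the failure mode to watch for when packages are assembled from several tools' output.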