Component of Malware

Hi Everyone,

I would like to share some knowledge about the basic components of malware. As we know, a malware application is just like any other normal application: it is developed by following the best practices of software development.

Common malware is built from several components, each of which serves a purpose during the attack.


The payload is the core of the code that carries out the objective of the infection on the host. Most malware developers put their effort into this section, since the success of the attack depends on the quality of this code.


A packer is like an eggshell that encapsulates the payload. Why does the payload need to be encapsulated? The answer is to hide the malicious code from detection by anti-malware applications. The packer compresses and obfuscates the payload so that static and signature-based analysis by anti-malware applications fails to detect it. The real payload is unpacked by the malware at run time, using an algorithm defined by the developer. There are many algorithms in the wild that can be used to pack a payload.


Malware that has infected a host will always try to persist its presence on the host, even after the machine is rebooted or the user logs off. There are many places malware will tamper with in order to persist, such as the registry autorun keys and the startup folders.

Paths to the startup folders

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

Registry paths that define the startup folder location

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Registry Run keys

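The Shell Folders values listed above decide where Windows looks for the startup folder, so a defender's check is to confirm they still point at the expected location. The following is an added example, not code from the original post: a Python checker that parses the text output of `reg query` for those keys and flags any `Startup` or `Common Startup` value that no longer ends in the default `\Start Menu\Programs\Startup` suffix. The sample output is constructed, and the suffix baseline is an assumption about a default Windows install.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query` text output for two of the keys listed
# above (not captured from a real host). The HKLM "Common Startup" value has
# been redirected away from the default location, which is what we want to flag.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Startup    REG_EXPAND_SZ    %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    Desktop    REG_EXPAND_SZ    %USERPROFILE%\Desktop

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    Common Startup    REG_EXPAND_SZ    C:\Users\Public\Libraries\upd
"""

# Value names that define the per-user and all-users startup folders, and the
# suffix both are assumed to end with on a default Windows install (assumption).
STARTUP_VALUES = {"startup", "common startup"}
EXPECTED_SUFFIX = r"\start menu\programs\startup"

# `reg query` prints the key path flush left and each value indented as
#     <name>    <REG_type>    <data>
VALUE_RE = re.compile(r"^\s{2,}(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in the output to its {value name: data} pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # a new key path
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def audit_startup_folders(text: str) -> List[str]:
    """Return 'key\\value -> data' for every startup value pointing elsewhere."""
    findings = []
    for key, values in parse_reg_query(text).items():
        for name, data in values.items():
            if name.lower() in STARTUP_VALUES and not data.lower().endswith(EXPECTED_SUFFIX):
                findings.append(f"{key}\\{name} -> {data}")
    return findings
```

On a live host, feed the function the combined output of `reg query` for each of the four Shell Folders keys; an empty list means every startup folder value still ends in the expected suffix.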


Malware that infects a host will usually build a connection back to the malware creator (command and control, written C2, CnC or C&C). This connection is intended for many purposes: one of them is to exfiltrate data from the machine back to the malware creator, another is to retrieve new commands for the next action. Usually an encrypted channel such as SSH, SSL or Tor is used to hide the communication from network detection.


Besides infecting one host and gaining the highest privilege on it, the malware also intends to spread to other machines in order to gain more of a foothold in the network. It can use a vulnerability found in the system or network and exploit it to copy itself to other hosts.


The malware creator will try to defend the code from detection by anti-malware software such as antivirus, EDR, sandboxes and many other products. Usually, when the malware runs on a machine and finds that anti-malware is present in its environment, it will exhibit only benign activity to avoid detection. It will also detect the presence of malware analysis tools such as a debugger, IDA, Procmon, Process Hacker and many others.


The malware needs to hide its presence on the host or infected machine to avoid detection, whether by plain sight or by anti-malware software. Stealth mechanisms range from simple techniques, like altering file properties to make a file hidden, to more complex techniques like infecting other clean programs on the system, code injection, process hollowing and rootkits.
