Introductory Malware Analysis with Radar: A Beginner’s Guide



Reverse engineering can be particularly challenging for beginners, especially since many high-quality training materials are paid and not everyone can afford access to them. In addition, free resources are often scattered, outdated, or assume prior knowledge, which makes the learning process even more difficult for newcomers.

Because of this gap, I decided to write this foundational blog to provide an accessible and practical introduction to malware analysis using Radar. The goal of this article is to guide readers through the basic concepts and techniques involved in introductory malware analysis, focusing on a hands-on approach rather than heavy theory.

This blog is designed for beginners who are curious about malware analysis and reverse engineering but don’t know where to start. By using Radar, we can simplify the analysis process and build a solid foundation that readers can later expand upon as they move toward more advanced reverse engineering skills.

So, what is Radar?

Radar (radare2) is a free and open-source reverse engineering tool that can be used to analyze software and malware. It helps analysts gain a high-level understanding of what a sample is doing, particularly during runtime and while it is loaded in memory. By using Radar, you can inspect program behavior, identify suspicious functionality, and explore how the code operates internally.

Reverse engineering itself is the process of understanding the inner workings of software: how it was designed, how it behaves, and how it was implemented by the developer or malware author. In the context of malware analysis, reverse engineering allows us to uncover hidden functionality, malicious intent, and execution logic that may not be visible through surface-level inspection alone.

You can download Radar from the following link:
https://github.com/radareorg/radare2/releases/tag/6.0.7

The tool is available for multiple operating systems, and the installation process is straightforward. Once installed, Radar provides a powerful environment for inspecting binaries, exploring memory, and performing basic to advanced reverse engineering tasks.

In this article, I will work with a WannaCry sample and begin by performing basic static analysis. This includes gathering general information about the binary to gain a broad understanding of the sample we are dealing with.

To retrieve basic information about the binary, you can use the i or iI commands, which provide details such as file type, architecture, entry point, and other important metadata.


To obtain information about the section list of our Portable Executable (PE) target, you can use the iS instruction. This command displays details about each section, such as the section name, size, permissions, and memory layout, which are useful for identifying suspicious or unusual sections during static analysis.

To obtain information about the imported (and potentially abused) libraries within the Portable Executable (PE) file, you can use the il instruction. This command lists the dynamic libraries (DLLs) that the binary relies on, which can help identify suspicious dependencies or APIs commonly abused by malware.



For a normal string search, you can use the iz instruction, which extracts standard strings from the binary. For deeper and more exhaustive string searches, you can use the izz instruction, which performs a more thorough scan and can reveal hidden or obfuscated strings that may not appear in a basic search.



To obtain information about the Import Address Table (IAT), you can use the ii instruction. This command lists imported functions and helps identify APIs that the malware may rely on during execution.

To view the export table, you can use the iE instruction. This is primarily useful when analyzing DLL files, as executable files typically do not export functions.
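The commands above each print a table, but radare2 can also emit the same data as JSON (the same commands with a j suffix, e.g. iSj and iij), which makes it easy to script the first triage pass. The script below is an added example, not code from the post or from the radare2 project: it runs over constructed section and import records shaped like that JSON output (field names assumed from radare2, values made up) and flags the things an analyst looks for first: writable-and-executable or oddly named sections, a section far larger in memory than on disk, and imports worth a closer look.

```python
import json

# Constructed sample records shaped like `r2 -q -c iSj sample.exe`
# and `r2 -q -c iij sample.exe` output; values are made up.
SECTIONS_JSON = """[
 {"name": ".text", "size": 24576, "vsize": 24576, "perm": "-r-x", "vaddr": 4198400},
 {"name": ".data", "size": 4096, "vsize": 4096, "perm": "-rw-", "vaddr": 4227072},
 {"name": ".rsrc", "size": 512, "vsize": 3514368, "perm": "-rw-", "vaddr": 4231168},
 {"name": "UPX1", "size": 8192, "vsize": 8192, "perm": "-rwx", "vaddr": 4235264}
]"""
IMPORTS_JSON = """[
 {"ordinal": 1, "libname": "ADVAPI32.dll", "name": "CreateServiceA"},
 {"ordinal": 2, "libname": "KERNEL32.dll", "name": "VirtualAlloc"},
 {"ordinal": 3, "libname": "ADVAPI32.dll", "name": "CryptGenRandom"},
 {"ordinal": 4, "libname": "KERNEL32.dll", "name": "GetModuleHandleA"}
]"""

# APIs that deserve a second look during static triage; not proof of malice.
WATCHLIST = {"VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
             "CryptGenRandom", "CryptEncrypt", "CreateServiceA", "URLDownloadToFileA"}
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".bss"}


def triage_sections(sections):
    """Return (section name, reason) pairs for sections that look unusual."""
    findings = []
    for s in sections:
        perm = s.get("perm", "")
        if "w" in perm and "x" in perm:
            findings.append((s["name"], "writable and executable"))
        if s["name"] not in STANDARD_SECTIONS:
            findings.append((s["name"], "non-standard section name"))
        # Tiny on disk but huge in memory: room for unpacked code or an embedded payload.
        if s["size"] and s["vsize"] > 8 * s["size"]:
            findings.append((s["name"], "vsize much larger than raw size"))
    return findings


def triage_imports(imports):
    """Return sorted 'DLL!API' strings for imported functions on the watchlist."""
    return sorted(f"{i.get('libname', '?')}!{i['name']}"
                  for i in imports if i["name"] in WATCHLIST)


if __name__ == "__main__":
    for name, why in triage_sections(json.loads(SECTIONS_JSON)):
        print(f"section {name}: {why}")
    for api in triage_imports(json.loads(IMPORTS_JSON)):
        print(f"import of interest: {api}")
```

To run it against a real sample, replace the embedded strings with the output of the iSj and iij commands captured from radare2.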



Enjoy.
