BIPI

Analysing Dropper Malware: Static, Dynamic, and Behavioural Techniques

Cybersecurity

Droppers are the delivery mechanism that most defences fail to catch. A practical analysis workflow covering static unpacking, sandbox detonation, and behavioural fingerprinting for common dropper families.

By Arjun Raghavan, Security & Systems Lead, BIPI · June 10, 2025 · 12 min read

#malware-analysis #dropper #reverse-engineering #threat-intelligence #edr

A dropper's only job is to land a next-stage payload without triggering defences. Modern droppers are polymorphic, use process hollowing or injection, abuse legitimate signed binaries, and stage from cloud services like OneDrive, Discord CDN, and GitHub raw URLs. Understanding the dropper anatomy is the prerequisite for writing detection rules that work before the payload runs.

Triage and Hash Analysis

Start with passive triage: look up the SHA256 in VirusTotal, MalwareBazaar, and Hybrid Analysis before executing anything. Then inspect the PE header with pestudio or DIE (Detect It Easy). Look for: high-entropy sections (a packed or encrypted payload; ordinary x86 code sits well below 7 bits per byte), a zeroed or implausible compile timestamp, non-standard section names (UPX0/UPX1 and other packer-specific names) or a standard section such as .text whose entropy is far higher than code should be, and imports that suggest process injection (VirtualAllocEx, WriteProcessMemory, CreateRemoteThread). A very short import table on a large binary is itself a tell: the packer stub resolves the real imports at runtime.

Unpacking Packed Samples

Most droppers are packed. UPX is the simplest case: upx -d sample.exe. If that fails on a binary with UPX0/UPX1 sections, the UPX header has probably been tampered with, which is a common trick; treat it as a custom packer. For custom packers, run the sample in x64dbg and break on VirtualProtect calls that request an executable protection (PAGE_EXECUTE_READWRITE, 0x40): the stub decrypts or decompresses the payload into memory and makes it executable immediately before jumping to the original entry point (OEP). Once execution reaches the OEP, dump the process with pe-sieve or Scylla and rebuild the import table with Scylla's IAT search, because the stub resolved imports at runtime and the dumped image's import directory will otherwise be empty or wrong.

Sandbox Detonation

Automated sandboxes provide the fastest behavioural baseline. Submit to Any.run (interactive), Tria.ge, and Joe Sandbox in parallel and compare network indicators, registry modifications, and child process trees across the reports. Discrepancies suggest sandbox evasion: the sample checks its environment and behaves differently in each. The union of the reports is the fullest picture of what the sample can do; the intersection is the stable core that is safe to turn into a detection rule; indicators that appear in only one report point at the environment check that suppressed them elsewhere.

  • Any.run: interactive Windows sandbox, good for clicking through lures.
  • Tria.ge: fast detonation with per-family detection and automatic config extraction for known families.
  • Joe Sandbox: deep behavioural analysis with hypervisor-level monitoring.
  • Cuckoo/CAPE: self-hosted, good for custom network environments and unpacking.
  • Speakeasy: Mandiant's Unicorn-based Windows user-mode and kernel-mode emulator; no real OS is present, so sandbox checks that depend on one do not fire.
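The cross-sandbox comparison described above, as an added example (not the page's own script): three constructed reports, one per sandbox, reduced to union, intersection and single-sandbox-only indicators per category, plus a check for a run that went conspicuously quiet. The sandbox names, indicator strings, example domain and documentation-range address are all constructed for this illustration; real reports would be parsed from each service's JSON export.

```python
"""Correlate behavioural indicators from several sandbox runs of one sample."""
from collections import defaultdict

# Constructed reports, not real sandbox output. Values are indicator sets per
# category. Hosts use an example domain and the 203.0.113.0/24 documentation range.
REPORTS = {
    "anyrun": {
        "network": {"hxxps://cdn.example.net/stage2.bin", "203.0.113.5:443"},
        "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
        "process": {"powershell.exe -nop -w hidden", "svchost.exe"},
    },
    "triage": {
        "network": {"hxxps://cdn.example.net/stage2.bin", "203.0.113.5:443"},
        "registry": {"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
        "process": {"powershell.exe -nop -w hidden", "svchost.exe", "schtasks.exe /create /tn Updater"},
    },
    "joesandbox": {
        # The sample went quiet here: an environment check fired (constructed).
        "network": {"hxxps://cdn.example.net/stage2.bin"},
        "registry": set(),
        "process": {"powershell.exe -nop -w hidden"},
    },
}


def correlate(reports):
    """Per category: union (full picture), intersection (stable core for a rule),
    and indicators seen by exactly one sandbox (evasion candidates)."""
    categories = sorted({cat for report in reports.values() for cat in report})
    out = {"union": {}, "intersection": {}, "only_in": {}}
    for cat in categories:
        per_box = {box: set(report.get(cat, ())) for box, report in reports.items()}
        out["union"][cat] = set().union(*per_box.values())
        out["intersection"][cat] = set.intersection(*per_box.values())
        seen_by = defaultdict(list)
        for box, indicators in per_box.items():
            for indicator in indicators:
                seen_by[indicator].append(box)
        out["only_in"][cat] = {ind: boxes[0] for ind, boxes in seen_by.items() if len(boxes) == 1}
    return out


def quiet_runs(reports, ratio=0.5):
    """Sandboxes whose total indicator count is below `ratio` of the richest run:
    the first place to look for the environment check that stopped the sample."""
    totals = {box: sum(len(v) for v in report.values()) for box, report in reports.items()}
    richest = max(totals.values())
    return sorted(box for box, total in totals.items() if total < ratio * richest)


if __name__ == "__main__":
    result = correlate(REPORTS)
    for cat in result["union"]:
        print(cat, "union:", sorted(result["union"][cat]))
        print(cat, "core:", sorted(result["intersection"][cat]))
        print(cat, "only in one sandbox:", result["only_in"][cat])
    print("quiet runs:", quiet_runs(REPORTS))
```

The intersection is what goes into the first detection rule; the only_in entries are what you take back to the debugger to find the check (uptime, CPU count, mouse movement, hostname) that made the sample skip them.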

Process Injection Analysis

The most common injection pattern is process hollowing: create a legitimate process (svchost.exe, explorer.exe) in a suspended state, unmap its image with NtUnmapViewOfSection, write the payload into the freed address space, point the main thread at the new entry with SetThreadContext, and resume it. In an API trace the sequence to look for is CreateProcess with CREATE_SUSPENDED, then NtUnmapViewOfSection (or VirtualAllocEx in variants that skip the unmap), then WriteProcessMemory into the same process, then ResumeThread. In Sysmon, Event ID 10 (ProcessAccess) with GrantedAccess 0x1FFFFF (PROCESS_ALL_ACCESS) from a SourceImage that is not a debugger, AV or EDR agent is a strong indicator, and Event ID 1 showing svchost.exe with a parent other than services.exe corroborates it.
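The API sequence above turned into detection logic, as an added example (not the page's own rule): a per-target-PID state machine fed with a constructed API trace. The trace format ("caller_pid api key=value ...") is invented for this example; a CAPE or Cuckoo API log would need its own parse_line. Only calls from the process that created the suspended target advance the chain, which keeps a debugger attaching to an unrelated process from scoring a hit.

```python
"""Detect process hollowing from an API-call trace: a suspended process
creation, followed by unmap/alloc, a write into that process, and a
resume, all issued by the same caller against the same target PID."""
from collections import defaultdict

CREATE_SUSPENDED = 0x00000004
CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
UNMAP_OR_ALLOC = {"NtUnmapViewOfSection", "ZwUnmapViewOfSection",
                  "VirtualAllocEx", "NtAllocateVirtualMemory"}
WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def parse_line(line):
    """'<caller_pid> <api> key=value ...' -> (caller_pid, api, fields).
    Constructed trace format; adapt to your sandbox's API log."""
    caller, api, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return int(caller), api, fields


def fresh_state():
    return {"stage": 0, "caller": None, "image": None, "set_context": False}


def detect_hollowing(lines):
    """Return one hit per target PID whose creator completes the chain
    create(suspended) -> unmap/alloc -> write -> [SetThreadContext] -> resume."""
    state = defaultdict(fresh_state)
    hits = []
    for line in lines:
        caller, api, f = parse_line(line)
        target = int(f.get("target", -1))
        st = state[target]
        if api in CREATE_APIS:
            if int(f.get("flags", "0"), 16) & CREATE_SUSPENDED:
                state[target] = {"stage": 1, "caller": caller,
                                 "image": f.get("image"), "set_context": False}
            continue
        if st["caller"] != caller:
            continue  # only the creating process's calls advance the chain
        if api in UNMAP_OR_ALLOC and st["stage"] in (1, 2):
            st["stage"] = 2
        elif api in WRITE_APIS and st["stage"] == 2:
            st["stage"] = 3
        elif api in CONTEXT_APIS and st["stage"] == 3:
            st["set_context"] = True
        elif api in RESUME_APIS and st["stage"] == 3:
            hits.append({"caller": caller, "target": target, "image": st["image"],
                         "confidence": "high" if st["set_context"] else "medium"})
            del state[target]
    return hits


# Constructed trace: PID 1200 hollows a suspended svchost.exe (PID 3344);
# PID 4410 writes into a child it created normally, which must not match.
TRACE = [
    "1200 CreateProcessW target=3344 image=C:\\Windows\\System32\\svchost.exe flags=0x4",
    "1200 NtUnmapViewOfSection target=3344 base=0x00400000",
    "1200 VirtualAllocEx target=3344 size=0x2a000 protect=0x40",
    "1200 WriteProcessMemory target=3344 addr=0x00400000 size=0x2a000",
    "1200 SetThreadContext target=3344",
    "1200 ResumeThread target=3344",
    "4410 CreateProcessW target=5120 image=C:\\Windows\\explorer.exe flags=0x0",
    "4410 WriteProcessMemory target=5120 addr=0x7ff0 size=0x10",
    "4410 ResumeThread target=5120",
]

if __name__ == "__main__":
    for hit in detect_hollowing(TRACE):
        print(hit)
```

Confidence is "high" only when SetThreadContext is seen, because redirecting the main thread is what distinguishes hollowing from a benign write into a suspended child; a chain without it is still worth an alert, just a noisier one.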

The dropper you fail to reverse engineer today is the YARA rule you fail to write tomorrow. Every analysis session should end with at least one detection artefact.

C2 Extraction

Encrypted C2 configuration is typically stored as a blob in a resource section or as a hardcoded XOR-encrypted string. Use FLOSS (the FLARE Obfuscated String Solver, from Mandiant's FLARE team) to decode obfuscated strings automatically. Single-byte XOR is common enough that brute-forcing all 256 keys and scoring each output for printable text and URL fragments is a worthwhile first attempt before reaching for a debugger. For HTTPS C2, intercept with Fakenet-NG or INetSim so the beacon can be read in the clear. Extract the C2 host and port, then pivot to VirusTotal graph and Shodan to find related infrastructure.
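The brute-force approach above, as an added example (not the page's own script and not what FLOSS does internally): try all 256 single-byte keys, score each candidate by printable fraction plus the number of plaintext fragments a config is likely to contain, and extract host and port from the winner. The plaintext config, the key 0x5A, the example domain and the crib list are all constructed for this illustration; on a real sample BLOB would be the bytes carved out of the resource section.

```python
"""Recover a single-byte XOR key from a config blob by scoring all 256
candidates, then pull the C2 host and port out of the decoded text."""
import re
import string

PRINTABLE = set(string.printable.encode())
# Fragments a dropper config is likely to contain in the clear once decoded.
CRIBS = (b"http://", b"https://", b".php", b"Mozilla", b"User-Agent")
# IPv4 or dotted hostname, optional scheme in front, optional :port behind.
C2_RE = re.compile(
    rb"(?:https?://)?((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::(\d{1,5}))?",
    re.IGNORECASE)


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def score(candidate):
    """Printable fraction (0..1) plus one point per crib found. Only the right
    key reproduces the cribs, so they dominate the printable fraction."""
    printable = sum(b in PRINTABLE for b in candidate) / len(candidate)
    return printable + sum(crib in candidate for crib in CRIBS)


def crack_single_byte_xor(blob):
    key = max(range(256), key=lambda k: score(xor_bytes(blob, k)))
    return key, xor_bytes(blob, key)


def extract_c2(decoded):
    """(host, port) from decoded config text, port None if absent, None if no host."""
    m = C2_RE.search(decoded)
    if not m:
        return None
    host = m.group(1).decode("ascii", "replace")
    port = int(m.group(2)) if m.group(2) else None
    return host, port


# Constructed config: a real blob comes from a resource or a hardcoded string;
# this one is our own plaintext XORed with 0x5A.
PLAINTEXT = b"http://c2.example.net:8443/gate.php|ua=Mozilla/5.0|mutex=x7f3a\0"
BLOB = xor_bytes(PLAINTEXT, 0x5A)

if __name__ == "__main__":
    key, decoded = crack_single_byte_xor(BLOB)
    print(hex(key), decoded)
    print(extract_c2(decoded))
```

If no key scores above roughly 1.5 the blob is not single-byte XOR: try a repeating key (look for a period in the XOR of the blob with itself shifted) or go back to the debugger and break on the decryption routine, then let FLOSS's emulation do the rest.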

  • 67%: of dropper samples in 2024 abused legitimate cloud storage for payload staging
  • 8 min: average time from initial execution to C2 beacon in commodity droppers
  • 3.2x: higher detection rate for behavioural rules vs signature rules on first-seen samples

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.