Assembly language
Why is Assembly relevant in malware analysis?
Malware samples arrive in many forms (Word documents, PDFs, Python scripts, native executables), but the only way to see what a sample actually does is to understand how the machine executes its code. Assembly is the closest human-readable representation of that machine code: each assembly instruction corresponds to one processor instruction, so nothing is hidden behind a compiler or an interpreter.
The sample may have been written in C, Go, or Python, but high-level code hides the operations that actually happen on the processor, and in most cases the analyst receives only the compiled binary, not the source. Reading the assembly lets the analyst follow the malware's play-by-play moves. That reveals not only its main function (encryption for ransomware, C2 communication, data destruction, and so on) but also the features the author would rather keep hidden, such as detection evasion and persistence.
Malware developers do their best to obscure what their code is for. BabbleLoader, for instance, is a loader whose purpose is to gain a foothold on a system before downloading and executing more damaging payloads; one of its features is a large amount of junk code inserted to overwhelm disassemblers and frustrate identification. Malware is also commonly packed (compressed and/or encrypted on disk) as a form of obfuscation, so static analysis of the file sees only a small unpacking stub and an opaque blob; the real payload is often visible only in a memory dump taken after the sample has unpacked itself for execution.
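To make the packing point concrete, here is an added Python example (not from the original page, and not code from BabbleLoader or any real loader): a constructed fake configuration blob is compressed and XOR-encoded the way a packer would at build time, then decoded into memory the way the unpacking stub would at run time. A strings-style IOC scan and a Shannon-entropy measurement are run on both images. The key bytes, the payload text and the IOC list are all made up for the demonstration.

```python
import math
import zlib
from collections import Counter

# Constructed stand-in for the sensitive part of a payload: the kind of
# configuration (C2 URL, registry Run key) an analyst hunts for with
# strings or YARA. This is not data from a real sample.
PAYLOAD = (
    b"[config]\n"
    b"c2=http://203.0.113.7/gate.php\n"
    b"persist=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    b"sleep=60\n"
) * 4  # repetition keeps the constructed blob compressible, like a real code section

KEY = b"\x5a\x13\xc8\x07"  # hypothetical per-sample packer key, chosen at random here


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the cheapest 'encryption' packers reach for."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload: bytes) -> bytes:
    """What the packer does at build time: compress, then XOR-encode."""
    return xor(zlib.compress(payload, 9), KEY)


def unpack(blob: bytes) -> bytes:
    """What the stub does at run time, in memory, before jumping to the payload."""
    return zlib.decompress(xor(blob, KEY))


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted regions sit near 7-8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(image: bytes, iocs=(b"http://", b"CurrentVersion\\Run")) -> list:
    """A strings/YARA-style static check: which indicators appear in these bytes?"""
    return [ioc.decode() for ioc in iocs if ioc in image]


def compare_on_disk_vs_memory(payload: bytes = PAYLOAD) -> dict:
    on_disk = pack(payload)      # what a static scanner sees in the file
    in_memory = unpack(on_disk)  # what a memory dump after the stub runs contains
    return {
        "disk_hits": scan(on_disk),
        "memory_hits": scan(in_memory),
        "disk_entropy": round(entropy(on_disk), 2),
        "memory_entropy": round(entropy(in_memory), 2),
        "roundtrip_ok": in_memory == payload,
    }


if __name__ == "__main__":
    for k, v in compare_on_disk_vs_memory().items():
        print(f"{k:15} {v}")
```

The on-disk image yields no IOC hits while the in-memory image yields both, which is exactly why the process is dumped after the stub finishes; the entropy gap between the two images is the heuristic that packer-detection tools rely on to flag a suspicious section.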
Fileless malware is becoming more prevalent (at least as of 2025), and its defining characteristic is that it lives only in memory (RAM) and never writes itself to the hard disk. There is no file and no high-level code to analyze; the analyst has to examine the injected shellcode, and shellcode can only be read as assembly.
The x86 assembly you will meet most often comes in two syntaxes: Intel, the default in Windows tooling such as IDA, x64dbg and Visual Studio, and AT&T, the default in the GNU toolchain (gas, gdb, objdump) on Linux and macOS. ARM processors (mobile devices, embedded systems, and increasingly servers and laptops) are a different instruction set altogether, with their own assembly language rather than just another syntax. We'll stick to Intel syntax here, since Windows malware is the dominant kind and also because I'm tired. All righty, let's look into assembly.
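Since the two x86 syntaxes describe the same instructions, the differences are mechanical: operand order is reversed, registers get a `%` prefix, immediates a `$` prefix, memory operands go from `[base+index*scale+disp]` to `disp(%base,%index,scale)`, and the operand size moves from a `dword ptr` keyword to a `b/w/l/q` suffix on the mnemonic. The following Python script is an added example, not part of the original page, that rewrites a small Intel-syntax listing into AT&T form. It covers the data-movement, ALU and branch instructions seen in a typical function prologue; leaving out movzx/movsx, SSE and MASM `10h`-style hex is a limitation of this toy converter, not a statement about any real assembler, and the sample listing is constructed.

```python
import re

# x86/x64 general-purpose registers grouped by width in bytes. The width picks
# the AT&T size suffix (b/w/l/q) when no "... ptr" keyword says otherwise.
REG_SIZES = {
    8: {"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp", "rip"}
       | {f"r{n}" for n in range(8, 16)},
    4: {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
       | {f"r{n}d" for n in range(8, 16)},
    2: {"ax", "bx", "cx", "dx", "si", "di", "bp", "sp"}
       | {f"r{n}w" for n in range(8, 16)},
    1: {"al", "bl", "cl", "dl", "ah", "bh", "ch", "dh", "sil", "dil", "bpl", "spl"}
       | {f"r{n}b" for n in range(8, 16)},
}
SUFFIX = {1: "b", 2: "w", 4: "l", 8: "q"}
PTR_SIZES = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def reg_size(tok):
    """Width of a register name in bytes, or None if tok is not a register."""
    for size, regs in REG_SIZES.items():
        if tok in regs:
            return size
    return None


def convert_memory(inner):
    """'eax+ecx*4+8' -> '8(%eax,%ecx,4)'; 'ebp-4' -> '-4(%ebp)'; '0x401000' -> '0x401000'."""
    base = index = None
    scale = 1
    disp = []
    for sign, term in re.findall(r"([+-]?)([^+-]+)", inner.replace(" ", "")):
        m = re.fullmatch(r"(\w+)\*(\d+)", term)
        if m and reg_size(m.group(1)):      # scaled index register
            index, scale = m.group(1), int(m.group(2))
        elif reg_size(term):                # first bare register is the base
            if base is None:
                base = term
            else:
                index = term
        else:                               # anything else is displacement
            disp.append((sign or "+") + term)
    disp_text = "".join(disp).lstrip("+")
    if base is None and index is None:      # absolute address: no parentheses
        return disp_text
    inside = f"%{base}" if base else ""
    if index:
        inside += f",%{index},{scale}"
    return f"{disp_text}({inside})"


def convert_operand(op):
    """Return (att_text, size_in_bytes_or_None) for one Intel-syntax operand."""
    op = op.strip()
    m = re.fullmatch(r"(?:(byte|word|dword|qword)\s+ptr\s+)?\[(.*)\]", op, re.I)
    if m:
        size = PTR_SIZES[m.group(1).lower()] if m.group(1) else None
        return convert_memory(m.group(2)), size
    low = op.lower()
    if reg_size(low):
        return f"%{low}", reg_size(low)
    # Everything else (decimal, 0x hex, or a label) is treated as an immediate.
    return f"${op}", None


def intel_to_att(line):
    """Convert one Intel-syntax instruction; a trailing ';' comment is dropped."""
    line = line.split(";", 1)[0].strip()
    if not line:
        return ""
    parts = line.split(None, 1)
    mnemonic = parts[0].lower()
    operands = parts[1].split(",") if len(parts) > 1 else []
    converted = [convert_operand(o) for o in operands]
    if mnemonic == "call" or mnemonic.startswith("j"):
        # Branches take one target and carry no size suffix. A label stays bare;
        # a register or memory target is an indirect branch and is marked '*'.
        if not converted:
            return mnemonic
        text, _ = converted[0]
        return f"{mnemonic} {text[1:]}" if text.startswith("$") else f"{mnemonic} *{text}"
    sizes = [s for _, s in converted if s]
    suffix = SUFFIX[sizes[0]] if sizes else ""
    texts = [t for t, _ in reversed(converted)]  # AT&T: source first, destination last
    return f"{mnemonic}{suffix} " + ", ".join(texts) if texts else mnemonic


def convert_listing(lines):
    return [intel_to_att(l) for l in lines if l.strip()]


# Constructed Intel-syntax function prologue, made up for the demonstration.
SAMPLE = [
    "push ebp",
    "mov ebp, esp",
    "sub esp, 0x10",
    "mov dword ptr [ebp-4], 0",
    "mov eax, dword ptr [ebp+8]   ; first argument",
    "mov ecx, dword ptr [eax+ecx*4+8]",
    "xor eax, eax",
    "call sub_401000",
    "jmp [ebx]",
    "ret",
]

if __name__ == "__main__":
    for intel, att in zip(SAMPLE, convert_listing(SAMPLE)):
        print(f"{intel:40} -> {att}")
```

Running the script prints each Intel line beside its AT&T form, which is a quick way to check your reading of an objdump or gdb listing against what IDA or x64dbg would show for the same bytes.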