Operation Codes and Operands
We'll start with the basics of Assembly: operation codes (opcodes) and operands.
Opcodes are the verbs and operands are the nouns. For those (like me) who zoned out during grammar school, verb = action, noun = object. Nearly every instruction in Assembly has these two parts; a few, such as RET and NOP, are a verb with no operands. Strictly speaking the opcode is the byte encoding of the instruction and MOV is its mnemonic, but analysts use the terms interchangeably.
Opcodes
We can tell what the malware is trying to do by reading its opcodes. Some common examples are:
MOV
Move
the malware is copying data from one location to another. Despite the name, the source is left unchanged.
we should ask what data is being copied and where it is being copied to.
PUSH/POP
Push/Pop
the malware is saving data to, or retrieving data from, the stack.
the malware is likely preparing to call a function: what values is it pushing?
in 32-bit code these are usually the arguments for the function it's about to call, like a filename to open or a process to kill. In 64-bit code the first arguments travel in registers instead (RCX, RDX, R8, R9 on Windows), so watch the MOVs into those registers before a CALL as well.
CALL
Call
the malware is executing a function or subroutine, and will resume at the next instruction when it returns.
is it calling a Windows API function like CreateFileA or InternetOpenUrlA, or an internal function such as a decryption or deobfuscation routine?
JMP
Jump
the malware is changing the execution flow by jumping unconditionally to another part of the code.
why is it jumping? a backward jump is often a loop; a jump into the middle of data, or into the middle of another instruction, is often an anti-analysis trick.
CMP
Compare
the malware is comparing two values. CMP sets the CPU flags without storing a result and is usually followed by a conditional jump (JE, JNE, JG, ...) that acts on those flags.
what is being compared? is it checking whether it's running in a VM? is it comparing a string to system32?
XOR
Exclusive OR
the malware is performing a bitwise XOR operation.
XOR is commonly used for simple, fast encryption/decryption, since applying the same key twice restores the original. One caveat: xor eax, eax is just the compiler's way of zeroing a register, so only a XOR against a key value or a buffer is interesting.
Operands
We can tell what location/data the malware is trying to affect with its opcodes. The three main types are:
Immediate value
mov rax, 0x41414141
a constant hardcoded into the instruction itself.
what purpose does this number serve? (0x41414141 is the ASCII string "AAAA"; constants can also be addresses, XOR keys, API hashes or magic values.)
Register
add rax, rbx
a storage location inside the CPU. RAX also carries the return value of the last CALL.
what values are in RAX and RBX at this point?
Memory address
mov rax, [rbp-0x20]
a location in RAM. In Intel syntax the square brackets mean "the contents of this address", so this reads the 8 bytes at RBP-0x20 (typically a local variable, RBP being the frame pointer) into RAX.
what was previously stored at this location? compare lea rax, [rbp-0x20], which loads the address itself rather than what is stored there.
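To turn the questions from the Opcodes and Operands sections above into something repeatable, here is an added example (my own code, not from the original page) that parses a constructed Intel-syntax listing in the shape objdump -M intel prints, classifies every operand as immediate, register or memory, and attaches the analyst's note for each mnemonic: the CMP/Jcc pairing, pushes staged before a CALL, backward JMPs as loop candidates, and XOR zeroing versus XOR with a key. The listing, addresses and register table are assumptions made for the example; the PUSH-before-CALL heuristic is the 32-bit convention described above and is deliberately naive about 64-bit register arguments.

```python
import re
from dataclasses import dataclass

# Constructed x86-64 listing in Intel syntax ("address: mnemonic operands"),
# the shape objdump -M intel prints. Not taken from any real sample.
LISTING = """\
401000: xor    eax, eax
401002: mov    rax, 0x41414141
401009: mov    rcx, [rbp-0x20]
40100d: cmp    rcx, 0x1
401011: jne    0x401030
401013: push   0x403000
401018: call   0x401200
40101d: xor    byte ptr [rbx+rdx], 0x5a
401021: add    rax, rbx
401024: jmp    0x401000
"""

# General-purpose register names (all widths). Segment and SIMD registers
# are left out on purpose; this is only what the listing above needs.
REGISTERS = set()
for b in "abcd":
    REGISTERS.update({f"r{b}x", f"e{b}x", f"{b}x", f"{b}l", f"{b}h"})
for b in ("si", "di", "bp", "sp"):
    REGISTERS.update({f"r{b}", f"e{b}", b, f"{b}l"})
for n in range(8, 16):
    REGISTERS.update({f"r{n}", f"r{n}d", f"r{n}w", f"r{n}b"})

LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(\S+)\s*(.*?)\s*$")


def classify_operand(op: str) -> str:
    """Return 'memory', 'register' or 'immediate' for one Intel-syntax operand."""
    op = op.strip().lower()
    if "[" in op:                       # [base+index*scale+disp], maybe 'xxx ptr' prefixed
        return "memory"
    if op in REGISTERS:
        return "register"
    if re.fullmatch(r"-?(0x[0-9a-f]+|\d+)", op):
        return "immediate"              # constants, and jump/call targets as printed
    raise ValueError(f"unrecognised operand: {op!r}")


@dataclass
class Insn:
    addr: int
    mnemonic: str
    operands: list
    types: list
    note: str = ""


def parse(listing: str) -> list:
    """Split each listing line into address, mnemonic and classified operands."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
        insns.append(Insn(int(m.group(1), 16), m.group(2).lower(), ops,
                          [classify_operand(o) for o in ops]))
    return insns


def annotate(listing: str) -> list:
    """Attach the analyst's question/answer for each mnemonic to the parsed listing."""
    insns = parse(listing)
    pending_pushes = []                 # values pushed since the last CALL (32-bit arg staging)
    for i, ins in enumerate(insns):
        m, ops, ty = ins.mnemonic, ins.operands, ins.types
        nxt = insns[i + 1] if i + 1 < len(insns) else None
        if m == "mov":
            ins.note = f"copies {ty[1]} {ops[1]} into {ty[0]} {ops[0]}"
        elif m == "push":
            pending_pushes.append(ops[0])
            ins.note = f"saves {ty[0]} {ops[0]} on the stack (possible call argument)"
        elif m == "call":
            ins.note = (f"calls {ops[0]}; {len(pending_pushes)} value(s) pushed since "
                        f"the last call: {pending_pushes}")
            pending_pushes = []
        elif m == "cmp":
            ins.note = f"compares {ops[0]} with {ops[1]}"
            if nxt and nxt.mnemonic.startswith("j") and nxt.mnemonic != "jmp":
                ins.note += f"; result decides {nxt.mnemonic} at {nxt.addr:#x}"
        elif m == "jmp":
            where = "backward (loop candidate)" if int(ops[0], 16) < ins.addr else "forward"
            ins.note = f"unconditional jump to {ops[0]}, {where}"
        elif m.startswith("j"):
            ins.note = f"conditional jump ({m}) to {ops[0]} based on the flags set just before"
        elif m == "xor":
            if ty == ["register", "register"] and ops[0] == ops[1]:
                ins.note = f"xor {ops[0]}, {ops[0]} is the zeroing idiom, not encryption"
            elif ty[1] == "immediate":
                ins.note = f"XORs {ops[0]} with key {ops[1]}: decode/encode candidate"
            else:
                ins.note = f"XORs {ops[0]} with {ops[1]}"
        else:
            ins.note = f"{m} on " + ", ".join(f"{t} {o}" for o, t in zip(ops, ty))
    return insns


if __name__ == "__main__":
    for ins in annotate(LISTING):
        print(f"{ins.addr:#x}  {ins.mnemonic:<5} {', '.join(ins.operands):<24} ; {ins.note}")
```

Running it prints the listing with one note per line; the useful habit is the lookahead on CMP and the lookbehind on CALL, which is exactly how you read these pairs by hand.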
For more opcode and instruction references: http://ref.x86asm.net/index.html