Malware Basic Static Analysis

shashank Jain
4 min read · Jul 12, 2018

In the previous blog (https://medium.com/@jain.sm/malware-dynamic-analysis-338efc68a654), we looked at some very basic dynamic malware analysis techniques. In this blog we start on very basic static malware analysis. This write-up covers some of the prerequisites for getting started with static analysis.

Static analysis involves examining the malware without actually executing it, in contrast to the dynamic approach we read about in the previous blog (https://medium.com/@jain.sm/malware-dynamic-analysis-338efc68a654). It involves using disassemblers such as IDA and Radare, running the strings tool to see which strings the malware contains, and checking the entropy of the binary to get an idea of how densely it is packed.

Tools that can be handy for static analysis

1. Use services like VirusTotal (https://www.virustotal.com/#/home/upload). These primarily work on signature checks.

2. Basic check of the strings used in the program. Use of APIs such as those that load a DLL at runtime, or that allocate memory with VirtualAllocEx, can be a sign of malicious activity.

To make detection harder, malware authors generally obfuscate and pack the malware. This means that with the strings program we will not get much relevant information if the malware is packed: the actual malware code is compressed and obfuscated and therefore not readable via the strings utility. Malware authors will have a small piece of code which unpacks and decompresses the actual malware code and then executes it…
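As an added example (not code from the original post), here is a small Python triage script that combines the two checks above: a strings-style scan matched against a short watchlist of Win32 API names of the kind the post calls out, and Shannon entropy per window as a packing hint. The sample bytes are constructed here, not taken from a real file, and the watchlist and the 7.0 bits-per-byte threshold are assumptions you would tune.

```python
import hashlib
import math
import re
from typing import Dict, List

# Constructed sample, NOT a real malware file: a header-like region carrying a few
# readable strings, followed by pseudo-random bytes standing in for a packed section.
SAMPLE_HEADER = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00VirtualAllocEx\x00"
    + b"http://example.invalid/update\x00"
)
SAMPLE_PACKED = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
SAMPLE_BINARY = SAMPLE_HEADER + SAMPLE_PACKED

# Assumed watchlist: Win32 APIs of the kind the post singles out (runtime DLL loading, memory allocation).
WATCHLIST = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx"}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Mimic the strings utility: runs of printable ASCII of at least min_len bytes."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def chunk_entropies(data: bytes, size: int = 1024) -> List[float]:
    """Entropy per window, so a packed section stands out from plain headers and code."""
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]

def triage(data: bytes, packed_threshold: float = 7.0) -> Dict[str, object]:
    """One-shot static triage: strings, watchlist API hits and an entropy-based packing hint."""
    strings = extract_strings(data)
    windows = chunk_entropies(data)
    return {
        "string_count": len(strings),
        "api_hits": sorted(s for s in set(strings) if s in WATCHLIST),
        "file_entropy": round(shannon_entropy(data), 2),
        "max_window_entropy": round(max(windows), 2),
        "likely_packed": max(windows) >= packed_threshold,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_BINARY))
```

A high-entropy window with few meaningful strings is the packed-sample picture the paragraph above describes; the API hits come only from what is left in plain sight, so a packed sample will usually show fewer of them until it is unpacked.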
