Open in app

Sign in

Write

Sign in

Static Analysis

SAI CHARAN REDDY P
8 min readApr 7, 2020

--

Continuing from Malware Analysis- Introduction, now let us focus on the Static Analysis stage on executable files to determine what malware does and what is the risk to your organization.

Focusing Your Analysis:

  1. What type of file you are dealing with? File Identification Techniques.
  2. Is any information already known about it? Did anyone analyze it already? Cryptographic Hashing Techniques.
  3. What do embedded strings tell about it? Strings Analysis Techniques.
  4. Is there anything unusual in PE Header? PE header Analysis Techniques.
  5. Is it packed? If so, what is the packer to unpack the program?

Our Malware scenario:

Bob is an Incident Responder in a company X and his typical day would be monitoring IDS logs, hunting for attackers and analyzing malware. Rob is a CEO in the same company X, one day Rob calls Bob and tells his computer was acting weird and thinks it might be a hack. Rob jumped on the computer to see what he could find, and unfortunately, Bob found a suspicious file on his computer and need for analysis. This is the file we are going to analyze now.

Download Malware Sample: Malware-Sample

[DONOT RUN THIS FILE IN HOST MACHINE: Check resources online for lab setup and your network adapter for VM be in Host-only]

Step 1:

The first thing we should do during analyzing is File Identification to determine the type of file you are examining.

One of the common ways the attackers try to disguise files is with

  1. double extensions, just like it sounds the attacker double extension that looks legitimate like .doc before its real extension. This attempts to trick the users that the file is not executable but a pdf file.
  2. Packaging the malware with self-extraction Archives or password-protected archives, this can bypass signature-based detections.

File Signatures:

Many files such as executables, documents, etc. start and ends with specific bytes known as magic bytes. File identification tools use these signatures in other to classify the file they are examining.

File Signatures You Should Know:

  1. Windows Executables — “MZ” in bytes 0–1
  2. PDF — “%PDF-” followed by number within first 1024 bytes [min version]
  3. Office DOCs- “0xD0CF11E0”(“DOCFILE”)
  4. Zip Archive- “PK” ib bytes 0–1

Tools: exeinfo PE, HxD

So, with this information, we can start analyzing the malware-sample file.

HxD [Hex Editor]:

  1. Launch HxD and drop the malicious file into the grey space inside the application.
  2. Now lets us check for file identification signatures in decoded text row:
  3. You can see file starts with magic bytes “MZ”.
  4. Second indicator: “!This program cannot be run in DOS mode”.
  5. Third indicator: Offset values of 50 and 45 is “PE”.

With these signatures we can tell the file is a Windows executable.

Now let’s examine with Exeinfo PE [This tool is great at detecting packers and gives hints on how to unpack.]

Exeinfo PE:

  1. Launch Exeinfo PE and drop the malware file in the grey area beside the file icon.
  2. Results after examination:

Image is a win32 executable: Compiler — GCC: GNU 4.x.2 ( 83 exe/dll).

Lamer Info- Not Packed

Now just for the use-case, let’s assume the file is a packed by a packer and results will be showing as below:

We can see that file is 32 bit executable and packed with UPX packer. Lamer Info gives us hints to de-pack/unpack the file, to do that you have to download upx [http://upx.sf.net] and run the command “upx -d new_name path_to_malicious_file” [-d flag is to unpack the file].

Step 2:

Now that we have identified the type of file, let’s check if any information about this malware file is available online or check if anyone has analyzed it already.

Cryptographic hashes are the safest way to share malware inside your network. We pick a piece of data and run it through a hashing algorithm. Some of the popular hashing algorithms used are MD5, SHA-1, SHA-256.

Tools: Hashcal, Hashmyfiles

Methods: VirusTotal, Your favorite search engine.

HashCalc and HashMyFiles:

  1. Launch the applications and drop the malware files for hash calculation.

2. Now you can share the malware with the hash value from your favorite hashing algorithms to others or search in your favorite search engines.

3. For example, I took MD5 hash value, searched it online and in VirusTotal.

Step 3:

Now that we have identified the file type and researched more on file using the hash, let’s start analyzing strings that are embedded in the file.

In Embedded string analysis, we extract and examine a group of readable characters from the file. We look for words and phrases such as file name, registry keys or URLs, etc. These strings tell us how the malware is going to behave like what files it can drop or what domains it can contact.

Tools: Strings, HxD, PEStudio

Strings:

  1. Launch Strings tool [CLI command: strings –o malware_file > new_file_to_save_results] and pass malware file to –o flag.
  2. Search for Indicators: [you can see the strings have been obfuscated]

You can see a lot of garbage values in between strings, observe closely and remove garbage values that will lead to actual strings.

  1. The file does perform registry changes, modifies file directory and also connects to a network.
  2. Whenever you find ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ in the strings, probably it is doing base64 encoding.
  3. You can also observe that the file has anti-analysis capabilities [The Wireshark Network Analyzer, autoruns.exe, SbieDll.dll. These are the tool which malware analyst use while performing Dynamic malware analysis.]
  4. Work for you: Find out the possible string from the hint above and do post your comments with unusual strings you have identifies. This file has capabilities of dropping a file to file system, modify the registry to maintain persistence, contact domains and anti-analysis capability.

Step 4:
Now that we have seen embedded strings, lets dive-in to PE Header analysis.

PE Header is used by the operating system for two reasons:

  1. It contains all information needed for the Operating System to execute the program. It tells the OS, what DLL's to load? What portion is an executable code? What instructions to start at? Tells whether it is a GUI program or console program.
  2. PE Header also tells the OS where the piece of executable goes into memory.

Focus Your Analysis:

In PE Header we will be focusing on that provide key pieces of information:

  1. File-Header: Time-Date Stamp, Subsystem [Tells what kind of interface the program needs? Console, driver, GUI, XBox]
  2. Section of the executable
  3. Import Address Table
  4. Resources

PE Sections:

  1. .code : Executable code.
  2. .text: Executable code.
  3. .data: Program Data.
  4. .rdata: Program Data.
  5. .idata: Import Table.
  6. .edata: Export Table.
  7. .rsrc: Resources.

Section Characteristics:

Permissions: Read, Write and Execute[.code,.text].

  1. Using sections names, we can also identify if the file is packed or not. If we see section names Random, Binary, Missing or known section name.
  2. Look for Odd Permissions: Only sections which are marked as executables can contain code and these sections must have read-only permission but not writable.

Import Address Table

It contains a list of DLLs and APIs loaded by the program at runtime. By looking at IAT we can come to know the functionality of the malware.

Common API which you regularly see during you’re analysis:

  1. Memory Operations: VirtualAlloc, VirtualProtect, VirtualFree.
  2. File Operations: CreateFile, DeleteFile, ReadFile, WriteFile.
  3. Registry Operations: RegCreateKey, RegDeleteKey, RegGetKey, RegSetValueEx, RegSetKeyValue.
  4. Network Operations: connect, send, accept, recv, listen.
  5. Misc: LoadLibrary, GetProcAddress, IsDebuggerPresent, WriteProcessMemory, CreateRemoteThread.

How to identify wheater the file is packed or not using IAT information? Check for imports and if you can see LoadLibrary, GetProcAddress, VirtualAlloc.

Resources:

These are the metadata attached to the program. We usually check for type of resource, size, signature, and language.

Tools: PE Studio

Now that we learned about PE Headers, let us start our analysis.

  1. Launch your PE Studio and load the malware file to it.
  2. Now let’s focus on File-Header, Sections, Import Address Table and Resources. You might have also noticed Strings from the left panel and yes, we can perform strings analysis with PE Studio. It also highlights us with blacklisted strings, DLLs and APIs, which makes our analysis easier.
  3. The first thing we are going to do is to look at the file-header and see timestamp. This shows the program is compiled on “Wed Oct 14 01:31:48 1998” and this can be manipulated by packers.
  4. Next, we will look into subsystems from Optional-Header, we can see the subsystem as a GUI.
  5. Now let’s move on to Sections, looking at permissions we see those look code. The section which contains .text is readable and executable.
  6. Moving on to libraries, it shows all the Dlls the program loaded from the Import Address Table. You can see PE Studio by default flags wininet.dll and ws2_32.dll as blacklisted which are related to networking. This shows that malware has the ability to communicate over the internet.
  7. Now let’s look at functionality, you can see PE Studio flags few functionalities under blacklisting. You can see some APIs related to registry, network, memory, file and you let us know the functionality of malware from those results.
  8. Let’s move on to Resources section now, you can see the number of resources and according to type, the signature appears to be icons.

Since PE Studio is specific for malware analysis, it has a lot more functionalities in it.

9. Indicators: It shows all the things it found with-in the malware, which makes it think that it is malicious.

10. Strings: You can look PE Studio has put a lot of string in blacklist which can help us for quick analysis.

By looking at the PE Header of malware, what did we find?

  1. Complied Timestamp
  2. It does not appear to be packed[normal looking sections, IAT normal size].
  3. Functionality: Modifies Registry, writes to the filesystem, communicates over the network and executes programs.
  4. Compiled from a “US-English” computer.

Now that we gained enough information about by malware, we will use this information as a guide when we execute the program in Dynamic Analysis.

Static Analysis
Malware
Malware Analysis
Pe Header

--

--

SAI CHARAN REDDY P

Written by SAI CHARAN REDDY P

40 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams