Basic Dynamic Analysis — PE

TStillz
Lotus Fruit


As mentioned in my prior post, malware analysis can be grouped into four categories:

  • Basic Static
  • Basic Dynamic — PE File (what this post will cover)
  • Advanced Static
  • Advanced Dynamic

As stated in my prior post, basic static analysis comes first: it tells us what the executable could do (its “potential” capabilities) and how it is structured, before we ever run it. Some of the questions we aim to answer during basic static analysis:

What libraries does the PE file import, including functions / ordinals?

  • Why? The import table lists what the file can reach without us unpacking anything. A combination such as file-writing APIs alongside ReadProcessMemory, for example, may indicate the file has the “capability” to read credit card track data from another process’s memory and log it to a text file, suggesting you’re dealing with some point of sale malware. Imports by ordinal rather than by name hide the function name, so resolve them against the DLL’s export table.

What unique strings stand out?

  • Why? Some malware still carries the path to its PDB file (the debug symbol file) or the original source file path, which often includes a project or user name. That path can be used to pivot to related samples or to identify the malware family itself.

What language was the PE file written in?

  • Why? Depending on the language the executable was written in, you might be able to recover something close to the original source. Executables produced by AutoIt or py2exe, for example, can be decompiled with openly available tools, making analysis significantly easier.

Is the executable packed?

  • Why? One of the most commonly used packers, “UPX”, is normally easy to identify (its UPX0/UPX1 section names give it away) and to unpack, while other packers and crypters can make both static…
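As an added example (my own code, not from the original post or any tool it mentions), the script below answers the four questions above with nothing but the Python standard library: it walks the PE headers to list imported DLLs and their functions or ordinals, extracts ASCII and UTF-16 strings and pulls out any PDB path, checks for a few language markers, and flags packing from section names or section entropy. The sample it runs on is a constructed two-section PE32 built in memory (no real code, an import of KERNEL32.dll by name and by ordinal, and a made-up PDB path), and the packer section-name list and language markers are heuristics I chose, not an exhaustive catalogue. The PDB check is a string match; a more careful version reads the CodeView record from the debug directory.

```python
import math
import re
import struct
from collections import Counter

# Section names that common packers leave behind (heuristic list, not exhaustive).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                   b".petite", b".MPRESS1", b".MPRESS2", b".vmp0", b".vmp1"}


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for all-zero data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf):
    """Parse headers, section table and import directory of a PE32/PE32+ image."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24                                        # optional header
    is64 = struct.unpack_from("<H", buf, opt)[0] == 0x20B
    dd = opt + (112 if is64 else 96)                     # DataDirectory[0]
    import_rva = struct.unpack_from("<I", buf, dd + 8)[0]  # DataDirectory[1] = IMPORT
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "rva": va, "vsize": vsize,
                         "raw_off": rptr, "raw_size": rsize,
                         "entropy": entropy(buf[rptr:rptr + rsize])})

    def rva2off(rva):  # map an RVA to a file offset through the section table
        for s in sections:
            if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
                return rva - s["rva"] + s["raw_off"]
        raise ValueError(f"RVA {rva:#x} not in any section")

    def cstr(off):
        return buf[off:buf.index(b"\0", off)]

    imports = {}
    if import_rva:
        desc = rva2off(import_rva)
        step, fmt, ord_flag = (8, "<Q", 1 << 63) if is64 else (4, "<I", 1 << 31)
        while True:  # IMAGE_IMPORT_DESCRIPTOR entries, terminated by an all-zero one
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", buf, desc)
            if name_rva == 0:
                break
            thunk, entries = rva2off(oft or ft), []
            while True:  # thunk array: ordinal if the high bit is set, else hint/name RVA
                val = struct.unpack_from(fmt, buf, thunk)[0]
                if val == 0:
                    break
                entries.append(f"ordinal#{val & 0xFFFF}" if val & ord_flag
                               else cstr(rva2off(val) + 2).decode())  # +2 skips the hint
                thunk += step
            imports[cstr(rva2off(name_rva)).decode()] = entries
            desc += 20
    return {"is64": is64, "sections": sections, "imports": imports}


def strings(buf, min_len=6):
    """ASCII and UTF-16LE printable runs of at least min_len characters."""
    found = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, buf)]
    found += [m.decode("utf-16le") for m in re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf)]
    return found


def triage(buf):
    """Basic static triage: imports, strings, PDB path, language hints, packer hint."""
    info = parse_pe(buf)
    strs = strings(buf)
    info["strings"] = strs
    info["pdb_paths"] = [s for s in strs if s.lower().endswith(".pdb")]
    names = {s["name"] for s in info["sections"]}
    high = [s["name"] for s in info["sections"] if s["raw_size"] and s["entropy"] > 7.0]
    info["packer_hint"] = bool(names & PACKER_SECTIONS) or bool(high)
    hints = []
    if "mscoree.dll" in {d.lower() for d in info["imports"]}:
        hints.append(".NET")          # unmanaged stub of a managed executable
    if any("AU3!" in s for s in strs):
        hints.append("AutoIt")        # compiled-script marker
    if any("PYTHONSCRIPT" in s for s in strs):
        hints.append("py2exe")        # name of the embedded script resource
    info["language_hints"] = hints
    return info


def build_sample_pe():
    """Constructed PE32 with .text and .rdata, one import descriptor and a fake PDB path."""
    rdata = bytearray(0x200)
    struct.pack_into("<IIIII", rdata, 0x000, 0x2028, 0, 0, 0x2050, 0x2040)  # descriptor; next 20 bytes zero
    for off in (0x028, 0x040):  # ILT and IAT: one by-name entry, one by-ordinal, terminator
        struct.pack_into("<III", rdata, off, 0x2060, 0x80000000 | 3, 0)
    rdata[0x050:0x05D] = b"KERNEL32.dll\0"
    rdata[0x060:0x074] = b"\0\0ReadProcessMemory\0"                    # hint + name
    pdb = b"C:\\src\\scraper\\Release\\scraper.pdb\0"                 # made-up path
    rdata[0x080:0x080 + len(pdb)] = pdb
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                            # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 224, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                            # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x1000)                      # entry point
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)   # base, section/file align
    struct.pack_into("<II", hdr, opt + 56, 0x3000, 0x200)              # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", hdr, opt + 68, 2)                           # GUI subsystem
    struct.pack_into("<I", hdr, opt + 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 104, 0x2000, 0x28)              # import directory
    struct.pack_into("<8sIIII", hdr, opt + 224, b".text", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<8sIIII", hdr, opt + 264, b".rdata", 0x200, 0x2000, 0x200, 0x400)
    return bytes(hdr) + bytes(0x200) + bytes(rdata)


if __name__ == "__main__":
    for k, v in triage(build_sample_pe()).items():
        print(k, v)
```

Run it as-is to see the triage of the constructed sample, or replace `build_sample_pe()` with `open(path, "rb").read()` to point it at a real file; a section with entropy above 7.0 is the usual sign of compressed or encrypted content, which is why the script reports it alongside the packer section names.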

Posting on various topics including incident response, malware analysis, development and finance/investing automation.