Extracting Indicators of Compromise (IOCs) From Malware Using Basic Static Analysis

Photo by Agence Olloweb on Unsplash

Where is my Hash?

One of the easiest indicators to obtain is the hash; as long as you have the file, you can use many freely available tools to compute it. I like to use NirSoft's "HashMyFiles", because it is as easy as dropping a file into the window and reading off the hashes.

https://www.nirsoft.net/utils/hash_my_files.html
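As an added example (not part of the original post, and not HashMyFiles' code), the same result in Python: the file is read once in chunks so large samples never have to fit in memory, and every digest is fed from the same pass. The temporary "sample" it writes is a constructed three-byte file, used only so the code runs offline.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read; keeps memory flat for multi-GB files

def hash_stream(fh, algorithms=("md5", "sha1", "sha256")) -> dict[str, str]:
    """Hex digests of everything readable from fh, computed in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_file(path: str, algorithms=("md5", "sha1", "sha256")) -> dict[str, str]:
    """Open the file in binary mode and hash it; binary mode matters on Windows."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)

def write_constructed_sample() -> str:
    """Write a constructed stand-in 'sample' (the bytes b'abc') to a temp file."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"abc")
    return path

if __name__ == "__main__":
    sample = write_constructed_sample()
    for name, digest in hash_file(sample).items():
        print(f"{name:>6}: {digest}")
    os.remove(sample)
```

Record all three digests: older reports and some vendor feeds still key on MD5 or SHA-1, while VirusTotal and most modern sandboxes index by SHA-256.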

Can I Google That?

One of the first things I do after obtaining the hash, before diving any deeper into my analysis (especially during an incident), is to check whether the file I am about to analyze is already known online. What do I mean by that?

https://virustotal.com

Always remember, Google is the malware analyst’s best friend.

Note: In some targeted attacks, the malware could be designed specifically for your corporate architecture and network. The information found inside it could well be considered "confidential", so always think twice before uploading any file to the internet.

Wait, Is this an IP address?

When malware infects a machine, it generally tries to communicate with a C2 server or something similar to fetch its next list of commands. Obtaining the IP addresses or domains the malware communicates with can therefore really help slow down the infection and propagation of the malware.

Sysinternals Strings with a touch of regular expression (Regex)

https://docs.microsoft.com/en-us/sysinternals/downloads/strings
Strings.exe <malware_sample> | findstr /r <valid_ip_regex>

pev — the PE file analysis toolkit

http://pev.sourceforge.net
pestr --net <malware_sample>

This Looks Like A File Path

Malware often drops files to disk for persistence or to execute its next stage, and the paths where it will drop that next stage are frequently hardcoded in the file itself. Using strings.exe in combination with a simple regex, we can find these paths, which can be very helpful in our response to the threat. Here is an example.

Strings.exe <malware_sample> | findstr /r <regex_for_file_paths>

What’s Next?

I hope you found this useful. I’ll be doing a second part where we’ll look at tricks and techniques for finding IOCs using Basic Dynamic Analysis, so please look forward to it.
