Malware Analysis Techniques — Basic Static Analysis

Photo by mari lezhava on Unsplash

What Is Basic Static Analysis

Basic static analysis means examining a file without ever executing it. It extracts whatever information the file carries on its own, such as its hash, strings, imported libraries and functions, and embedded resources, in order to build a first picture of what the malware can do before it is ever run. Because nothing executes, it is safe to perform on any host; the flip side is that a packed or obfuscated sample shows very little of its real behaviour this way.

Fingerprinting the Malware

The simplest piece of static information we can extract is the file's hash, which serves as the sample's fingerprint: it identifies this exact file in a report, a sandbox result or a threat-intelligence feed. Keep in mind that a hash matches only a byte-identical copy. Recompiling, repacking or changing a single byte yields a different hash, so a miss against a known-bad list says nothing about whether the file is malicious. We'll look at two ways to obtain this value.

Using Powershell

If PowerShell is available on the machine, we can obtain the hash by running the Get-FileHash cmdlet. The -Algorithm parameter accepts MD5, SHA1, SHA256 and others; if it is omitted, SHA256 is used.

Get-FileHash <path_to_file> -Algorithm <hash_algorithm> | Format-List

Using Freely Available Tools

There are many tools that will hash files for us; I like Nirsoft's HashMyFiles, which can be downloaded from the Nirsoft website. Below is what the results look like after running it.

Nirsoft HashMyFiles
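The same fingerprinting step as a small script, so it can be run over a whole directory of samples and checked against a hash list. This is an added example, not code from the original post or from either tool above; it uses only the Python standard library. The two sample inputs and the IOC list are constructed here to show two things the GUI tools hide: digests are computed in a single chunked pass (so large samples are never read into memory at once), and an IOC feed has to be normalised before comparison, because one feed publishes upper-case SHA-256 values and another lower-case MD5 values with stray whitespace.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")

def fingerprint(source, chunk_size=1 << 20):
    """MD5, SHA-1 and SHA-256 of a bytes object or an open binary file, computed in one pass over chunks."""
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(chunk_size), b""):  # never loads a large sample whole
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def fingerprint_file(path):
    with open(path, "rb") as f:
        return fingerprint(f)

def match_iocs(hashes, iocs):
    """Algorithms whose digest appears in an IOC list; feeds mix upper/lower case and stray whitespace."""
    known = {entry.strip().lower() for entry in iocs}
    return sorted(name for name, digest in hashes.items() if digest in known)

# Constructed inputs: two "samples" that differ in a single byte, and an IOC list formatted the way feeds tend to be.
SAMPLE_A = b"abc"
SAMPLE_B = b"abd"
IOC_FEED = ["BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD",
            " 900150983cd24fb0d6963f7d28e17f72 "]

if __name__ == "__main__":
    for label, sample in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        digests = fingerprint(sample)
        print(label, digests, "matches:", match_iocs(digests, IOC_FEED) or "none")
```

Sample B differs from sample A in one byte and matches nothing in the feed, which is the point made above: a hash lookup only ever confirms an exact copy.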

Searching for Interesting Strings

Any program that embeds hard-coded data such as URLs, file paths, registry keys and messages carries those values as strings inside the file. Those strings can reveal a great deal about what the malware can do: which server it contacts, where it writes to disk, which registry key it uses for persistence. Sysinternals' Strings.exe lists them, and by default it reports both ASCII and UTF-16 strings, which matters because most Windows API arguments are wide strings. Pipe its output into findstr to narrow the list down:

Strings.exe <path_to_the_file> | findstr /i <text_to_search_for>
Strings.exe <path_to_the_file> | findstr /r <regex_for_URL>
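The same extraction and filtering as a script, which is handy when Strings.exe is not on the box or when you want the results in a structured form. This is an added example, not code from the original post or from Sysinternals; it uses only the Python standard library. The sample blob is constructed here to stand in for a binary: a few code bytes with a URL, a UTF-16 registry path, a file path, an IP address and a User-Agent embedded between them. The indicator patterns in PATTERNS are my own starting set and are meant to be extended.

```python
import re

PATTERNS = {  # indicator classes worth pulling out of a strings dump; extend the table for your own cases
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "win_path": re.compile(r"[A-Za-z]:\\(?:[^\\\s\"]+\\)*[^\\\s\"]*"),
    "registry": re.compile(r"(?:HK(?:LM|CU|EY_[A-Z_]+)\\)?Software\\Microsoft\\Windows\\CurrentVersion\\Run\w*", re.I),
    "user_agent": re.compile(r"Mozilla/\d[^\"]*"),
}

def extract_strings(data, min_len=4):
    """Printable ASCII runs and UTF-16LE runs of at least min_len characters, as (offset, encoding, text)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # Windows APIs take wide strings; do not skip these
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)

def classify(strings):
    """Group extracted strings by indicator class; one string may match several classes."""
    hits = {kind: [] for kind in PATTERNS}
    for _, _, text in strings:
        for kind, rx in PATTERNS.items():
            hits[kind] += rx.findall(text)
    return hits

def grep(strings, needle):
    """Case-insensitive substring filter, the equivalent of piping into findstr /i."""
    return [entry for entry in strings if needle.lower() in entry[2].lower()]

SAMPLE = (  # constructed stand-in for a malicious binary: code bytes with hard-coded data between them
    b"MZ\x90\x00\x03\x00\x00\x00\x55\x8b\xec\x83\xec\x10"
    + b"http://example.invalid/update.php?id=7\x00"
    + b"ab\x00"  # only two printable bytes: below min_len, so it is not reported
    + b"\xe8\x00\x00\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00"
    + b"\x8a\xc1\xf3\xaa" + b"10.0.0.5\x00\xcc\xcc"
    + "Mozilla/5.0 (Windows NT 10.0; Win64; x64)".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, encoding, text in strings:
        print(f"{offset:#06x} {encoding:8} {text}")
    for kind, values in classify(strings).items():
        if values:
            print(f"{kind}: {values}")
```

The Run key and the User-Agent only show up because the UTF-16 pass exists; a plain ASCII strings run, which is what the classic Unix strings command does by default, would miss both.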

Inspecting the PE File Format

Most malware that targets Windows ships as a PE (Portable Executable) file, the format Windows uses for executables (.exe), libraries (.dll), drivers (.sys) and other code objects. A PE file starts with a DOS header and stub, followed by the PE signature, the COFF file header, the optional header (which holds the entry point and the data directories that point at the import, export and resource tables), and a section table describing sections such as .text (code), .data and .rsrc.

PE101 poster from the corkami repository: https://github.com/corkami/pics/tree/master/binary/pe101

Listing the DLLs and Imported Functions

Besides strings, the most important information we can extract statically is the list of DLLs the sample loads and the functions it imports from them. Windows malware does nearly everything through the Win32 API, so the import table reads like a catalogue of capabilities: CreateRemoteThread and WriteProcessMemory point to code injection, InternetOpenUrlA or URLDownloadToFile to a downloader, RegSetValueEx to persistence through the registry, and so on. The guess is only as good as the import table is complete; a sample that imports little more than LoadLibrary and GetProcAddress is resolving its real APIs at run time.

Dependency Walker: http://dependencywalker.com

To Pack or Not to Pack

Malware writers often pack or obfuscate their binaries to evade detection and to frustrate static analysis: the original code is compressed or encrypted and only restored in memory by a small unpacking stub, so the strings and imports visible on disk belong to the stub, not to the payload. Determining whether a sample is packed therefore decides the next step, because a packed sample has to be unpacked, or analysed dynamically, before the techniques above tell you anything useful. Typical signs are non-standard section names (UPX0, UPX1, .aspack), sections with very high entropy, a tiny import table, and an entry point that lies outside the .text section; tools such as Exeinfo PE and pestudio report these directly.

Exeinfo PE
pestudio: https://www.winitor.com
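The import listing and the packing checks from the last two sections, done by hand on the raw file format rather than through Dependency Walker or Exeinfo PE. This is an added example, not code from the original post or from any of those tools; it uses only the Python standard library. It walks the section table and the import directory of a PE32 or PE32+ image, computes per-section entropy, derives a pefile-style import hash, and applies three packing heuristics. Because no real sample can be embedded here, build_sample_pe assembles a minimal, non-runnable PE32 image in memory with a genuine import table; the two inputs (a "clean" file with six imports, and a "packed" one with a UPX1 section full of uniform bytes and only three imports) are constructed test data. The entropy threshold of 7.0, the minimum of five imports and the PACKER_SECTIONS list are my own assumptions, not values from the page.

```python
import hashlib
import math
import re
import struct
from collections import Counter

def shannon_entropy(buf):
    # bits per byte: native code is usually 5-6.5, compressed or encrypted data close to 8
    n = len(buf) or 1
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())
def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("latin-1")
def _rva_to_off(sections, rva):
    s = next(s for s in sections if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]))
    return rva - s["va"] + s["rawptr"]
def parse_pe(data):
    """Section table (with per-section entropy) and import table of a PE32 or PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if data[:2] == b"MZ" else -1
    if e_lfanew < 0 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B  # Magic: 0x10B = PE32, 0x20B = PE32+
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]  # data directory 1 = imports
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "rawptr": rawptr, "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    imports, (fmt, width, ord_bit) = {}, (("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31))
    desc = _rva_to_off(sections, imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)  # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0 and ft == 0:  # an all-zero descriptor terminates the table
            break
        names, thunk = [], _rva_to_off(sections, oft or ft)  # OriginalFirstThunk keeps names after binding
        while (ent := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            names.append(f"ord{ent & 0xFFFF}" if ent & ord_bit  # import by ordinal
                         else _cstr(data, _rva_to_off(sections, ent & 0x7FFFFFFF) + 2))  # +2 skips the hint
            thunk += width
        imports[_cstr(data, _rva_to_off(sections, name_rva))] = names
        desc += 20
    return {"is64": is64, "sections": sections, "imports": imports}

def imphash(pe):
    # pefile's convention: md5 over "dll.func" pairs, lowercased, .dll/.ocx/.sys stripped; ordinals kept as ordN here
    pairs = [re.sub(r"\.(dll|ocx|sys)$", "", dll.lower()) + "." + fn.lower()
             for dll, fns in pe["imports"].items() for fn in fns]
    return hashlib.md5(",".join(pairs).encode()).hexdigest()
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1", ".petite"}
def packing_indicators(pe):
    # heuristics, not proof: any hit means the strings and imports on disk belong to the unpacking stub
    hits = []
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hits.append(f"section {s['name']} is named after a known packer")
        if s["entropy"] > 7.0:
            hits.append(f"section {s['name']} has entropy {s['entropy']:.2f} (compressed or encrypted)")
    if (total := sum(len(v) for v in pe["imports"].values())) < 5:
        hits.append(f"only {total} imports: the real API set is resolved at run time")
    return hits

def build_sample_pe(imports, extra_sections=()):
    # constructed test input: a minimal, non-runnable PE32 image with a real import table, not a real sample
    FA, SA, base = 0x200, 0x1000, 0x1000  # file alignment, section alignment, RVA of .text
    body = bytearray(b"\xC3" * 16)  # placeholder "code"; the import table follows it
    desc_off = len(body)
    body += bytes(20 * (len(imports) + 1))  # IMAGE_IMPORT_DESCRIPTORs plus zero terminator
    for i, (dll, names) in enumerate(imports.items()):
        thunk = len(body)
        body += bytes(4 * (len(names) + 1))  # thunk array plus zero terminator
        for j, fn in enumerate(names):
            struct.pack_into("<I", body, thunk + 4 * j, base + len(body))  # RVA of the IMAGE_IMPORT_BY_NAME
            body += b"\0\0" + fn.encode() + bytes(2 - len(fn) % 2)  # hint, name, NUL, pad to even length
        struct.pack_into("<IIIII", body, desc_off + 20 * i, base + thunk, 0, 0, base + len(body), base + thunk)
        body += dll.encode() + b"\0"
    secs = [(b".text", bytes(body), 0x60000020)] + [(n, d, 0xC0000040) for n, d in extra_sections]
    hdr_len = -(-(0x58 + 224 + 40 * len(secs)) // FA) * FA
    table, raw, ptr, va = b"", b"", hdr_len, base
    for name, data, flags in secs:
        size = -(-len(data) // FA) * FA
        table += struct.pack("<8sIIIIIIHHI", name, len(data),  va, size, ptr, 0, 0, 0, 0, flags)
        raw, ptr, va = raw + data.ljust(size, b"\0"), ptr + size, va + -(-len(data) // SA) * SA
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6, 0x10B, 14, 0, len(body), 0, 0,
                      base, base, 0, 0x400000, SA, FA, 6, 0, 0, 0, 6, 0, 0, va, hdr_len, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *((base + desc_off, 20 * (len(imports) + 1)) if i == 1 else (0, 0))) for i in range(16))
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    return (b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + table).ljust(hdr_len, b"\0") + raw

CLEAN_IMPORTS = {"KERNEL32.dll": ["CreateFileA", "WriteFile", "CloseHandle"],
                 "WININET.dll": ["InternetOpenA", "InternetOpenUrlA"], "ADVAPI32.dll": ["RegSetValueExA"]}
PACKED_IMPORTS = {"KERNEL32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect"]}
PACKED_BLOB = bytes(range(256)) * 32  # uniform bytes (entropy 8.0) standing in for a compressed payload
CLEAN = parse_pe(build_sample_pe(CLEAN_IMPORTS))
PACKED = parse_pe(build_sample_pe(PACKED_IMPORTS, [(b"UPX1", PACKED_BLOB)]))

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN), ("packed", PACKED)):
        print(label, imphash(pe), pe["imports"], packing_indicators(pe) or "no packing indicators")
```

Run against a real file, parse_pe(open(path, "rb").read()) gives the same structures the GUI tools display, and the import hash is useful for clustering: samples built from the same source with the same linker share it even when every byte-level hash differs. The indicators are deliberately conservative; a packed sample can still slip past all three, which is why the entry-point check mentioned above is worth adding once the entry RVA is mapped to its section.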

Dig For Resources

As mentioned above, a PE file is made up of headers and sections. One of the more interesting sections is .rsrc, the resource section, where images, icons, version information, dialogs and language-specific strings are stored. Resources are laid out as a three-level tree (type, then name or ID, then language), and malware abuses it regularly: droppers embed a second executable, a configuration blob or an encrypted payload as an RCDATA resource and pull it out at run time with FindResource and LoadResource. Resource Hacker lets you browse and extract these entries; an unusually large or high-entropy resource is worth saving to disk and analysing as a file in its own right.

Resource Hacker: http://www.angusj.com/resourcehacker/

Let’s Recap

Basic static analysis is one of the first techniques you'll learn as a malware analyst. It is easy to learn and perform, and it never requires executing the malware. The information we extract is:

  • Hashes.
  • Strings.
  • DLLs.
  • Imported Functions.
  • Signs of Packed Malware.
  • Resources.

Written by

#ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.
