Malware Analysis Techniques — Basic Static Analysis
In the first article of the series “Malware Analysis Primer”, we talked briefly about the different malware analysis techniques. Today we’ll be detailing the first and easiest of them all “Basic Static Analysis” so let’s get started.
What Is Basic Static Analysis
Basic Static Analysis consists of analyzing a file without ever executing it. It works by extracting all the possible static information inside of the file such as the hash, strings, libraries, imported functions, resources…etc. To get a basic understanding of the functionalities and the behavior of the malware before its execution.
We’ll be looking at each of those static information. What they are. How can they be useful in our analysis and how can we extract them.
Fingerprinting the Malware
One of the easiest static information that we can extract is the hash value. Which can be used to identify the malware sample. We’ll look at how can we obtain this value using two different methods.
Using Powershell
If powershell is available on the machine, we can obtain the hash value by simply running the “Get-FileHash” command like this.
Get-FileHash <path_to_file> -Algorithm <hash_algorithm> | Format-ListThe Microsoft documentation is a great resource to learn more about this command you can check it here.
Fun fact you can add the possibility to hash files in your context menu on windows by simply adding specific keys and values to the registry. This can be done by using tools like Winaero Tweaker or using the script provided by Shawn Brink available here.
Using Freely Available Tools
There exists multiple tools that can hash files for us, I’d like to use nirsoft’s “HashMyFiles”. You can download it here. Below is how the results should look like after executing it.
Searching for Interesting Strings
Any file that uses hard-coded data such as URL’s, file paths, and messages…etc. Contain strings inside of it. Those strings can provide very useful information about what the malware can do.
For example, if we look through the strings of a file and find some kind of URL’s or IP’s. This could be a strong indicator that our malware is going to use some kind of network functionality that will make use of those URL’s or IP’s.
To extract these strings we’ll use yet another amazing tool called Strings. It’s part of the Microsoft Sysinternals Suite and can be downloaded from here. Below is an example on how to use it.
Strings.exe <path_to_the_file> | findstr /i <text_to_search_for>Sifting through all the output of strings can sometimes be tedious. What I like to do is using strings in tandem with regular expression specifically tailored for my need.
For example if I’m searching for IP’s or domain’s, I’ll pipe the result of the strings command to a regex to filter out the results.
Strings.exe <path_to_the_file> | findstr /r <regex_for_URL>Inspecting the PE File Format
Most of the malware that targets windows machines comes in the form of PE files. The PE file format is a format used by windows for executables, DLL’s and code objects.
We will not be discussing the PE format in this article, as it deserves an article on its own. In the meantime, that are many great resources online that you can check to start learning.
I recommend the Microsoft documentation starting with “PE Format” and “Peering Inside the PE” and also as a great visual representation of the PE format check corkami PE 101.
In short, the PE file format is composed of headers and sections each one contains useful information to our analysis.
We’ll take a look at some of that information.
Listing the DLL’s and Imported Functions
One of the most important if not the most important pieces of information besides strings that we can extract statically from our malware, are loaded libraries and imported functions. From these imported functions and libraries, we can guess the functionalities of the malware.
For example if the malware uses the “ws2_32.dll” that means that the malware will uses some kind of network functionality.
Another example if the malware uses the “kernel32.dll” and import the function “CreateProcessA”, this indicates that the file will create a process sometime during its execution.
We’ll be using a tool called “Dependency Walker” that will let us scan our file and show us the libraries and imported functions.
To use it just open it, drag, and drop the file. The results should look something like this.
What we need to be looking for is any libraries and imported functions that could be indicative of what the malware will do when executed. Such as “ShellExecute”, “LoadLibrary”, “CreateProcessA”, “WriteFile”…etc.
The MSDN Documentation is a great resource to get a better understanding of these functions and what they do. Especially when getting started in malware analysis.
To Pack or Not Pack
Often, malware writers pack and obfuscate their malware to make it harder to be detected and to analyzed statically. So detecting if a malware sample is packed or not, can provide great insight on the next step we should take in our analysis.
Using tools like PEiD or Exeinfo PE, can help us identify if the malware is packed with known packers or not (Check out this twitter thread for more on this topic).
Another technique is to look at the Imports Table and check the number of imports. A small number often indicates that the malware is packed.
Tools such as “PeStudio” can do this simply by dragging the file and looking at the imports section in the interface.
Dig For Resources
As we’ve mentioned before, the PE file format contains headers and sections. One of the interesting sections to look at is the .rsrc section or the resource section. It’s a section where things like images, icons, and language strings are stored.
This section is used sometimes by malware authors to hide executables that will be used by the malware main program at some point in time of its execution.
To view the resource section and start looking for any “suspicious” or “malicious” signes we can use Angus Johnson’s “Resource Hacker”.
Let’s Recap
Basic Static Analysis Is one of the first techniques you’ll learn as malware analyst. Its easy to learn and perform and it doesn’t require any execution of the malware.
It consists of extracting static information from inside of the malware. We’ve looked at how to extract the following information :
- The Hash.
- Strings.
- DLL’s.
- Imported Functions.
- Signes of Packed Malware.
- Resources.
We’ve also seen that all of this information can be extracted easily with the help of the many freely available tools online.
Speaking of tools, I’ve only covered a small set of the tools available out there. You can find a more extensive list I’ve created, containing tools and resources about malware analysis. Check it below.
Thanks for reading.
Questions? Comments? Contact me via twitter @nas_bench
