Chapter 1


Basic Static Analysis

Antivirus scanning

  • A good first step is to run the malware through multiple antivirus programs.

  • Malware authors can easily evade signature-based antivirus by making small changes to their code, which changes the malware's signature to one the antivirus does not recognize.

  • A helpful site is VirusTotal.com. This site uses multiple antivirus engines to generate a report that provides the total number of engines that marked the file as malicious, malware name, and additional info on the malware if available.

  • Rare malware often goes undetected, simply because it is not in an antivirus database.


Hashing

  • Hashing is a common method used to uniquely identify malware.

  • The MD5 hash function is most commonly used, but SHA-1 is also popular.

  • If you go to winmd5.com, you can install a lightweight MD5 hash calculator that will instantly calculate the hash of a given file.

Here is the WinMD5 program that I had calculate a hash for Discord:

  • You can use this hash as a label, share it with other analysts, or search for the hash online to see if it has already been identified as malicious.

Finding Strings

  • You can install the strings program, and this will allow you to search an executable for strings.

  • Strings are typically stored in ASCII or Unicode format. I found this site that has a chart that maps ASCII characters to their corresponding decimal, hex, and binary values.

  • Sometimes the strings program will not detect actual strings, but rather a random sequence of numbers and letters that is typically meaningless; it may just be a memory address or something of the like.

  • Some meaningful things that the strings program can pull out are Windows function names, DLL file names, error messages, or even IP addresses.

  • Analyzing these clues in strings is like solving a puzzle and is an important part of malware analysis.

  • Be aware that malware often uses legitimate libraries like DLLs to further its goals.
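The hashing and strings steps from the two sections above, combined into one script as an added example (my own code, not from the book or the post). It computes MD5 and SHA-1 (plus SHA-256) with hashlib, extracts ASCII and UTF-16LE strings the way the strings tool does, and tags the ones worth a second look: DLL names, IPv4 addresses, URLs, and CamelCase names that look like Windows API functions. The byte blob SAMPLE is constructed to stand in for an executable, and the tagging patterns are simple heuristics I chose, not any tool's rules.

```python
import hashlib
import re

# Constructed stand-in for an executable: ASCII strings, one UTF-16LE string
# (how Windows binaries often store text), junk bytes, and a too-short string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00"
    + b"CreateFileA\x00"
    + b"SetWindowsHookExA\x00"
    + b"\x01\x02\x03\x04"
    + "http://10.0.0.5/update".encode("utf-16-le") + b"\x00\x00"
    + b"\x7fEL\xff"
    + b"Error: cannot open file\x00"
    + b"ab\x00"
)

MIN_LEN = 4                      # same default as the strings tool
PRINTABLE = rb"[\x20-\x7e]"      # printable ASCII, space through tilde


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-1 as in the notes, plus SHA-256, which is what to share today."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of at least min_len printable ASCII bytes."""
    pattern = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable characters each followed by a NUL byte (UTF-16LE)."""
    pattern = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Heuristic tags I chose for the clue types the notes mention. The "windows api"
# pattern is only a CamelCase check, so it will also tag ordinary capitalized words.
INTERESTING = [
    ("dll name", re.compile(r"(?i)[\w-]+\.dll$")),
    ("ipv4 address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"(?i)^https?://")),
    ("windows api", re.compile(r"^[A-Z][A-Za-z0-9]+[AW]?$")),
]


def triage_strings(data: bytes) -> dict:
    """Map each extracted string that matches a heuristic to its tags."""
    tagged = {}
    for s in ascii_strings(data) + utf16le_strings(data):
        tags = [name for name, rx in INTERESTING if rx.search(s)]
        if tags:
            tagged[s] = tags
    return tagged


if __name__ == "__main__":
    for algo, digest in file_hashes(SAMPLE).items():
        print(f"{algo:<7} {digest}")
    print("ascii  :", ascii_strings(SAMPLE))
    print("utf16le:", utf16le_strings(SAMPLE))
    for s, tags in triage_strings(SAMPLE).items():
        print(f"  {s!r:<28} {', '.join(tags)}")
```

To use it on a real file, read the file as bytes (`open(path, "rb").read()`) and pass the bytes in place of SAMPLE. Note that a plain ASCII scan misses the UTF-16LE string entirely, which is why both extractors are run; the strings tool needs its `-e l` option for the same reason.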


Packed and Obfuscated Malware

  • Obfuscated: the malware author is trying to hide how the program executes.

  • Packed: a subset of obfuscated programs in which the program is compressed and cannot be analyzed until it is unpacked.

  • Legitimate programs usually contain lots of strings, whereas packed or obfuscated malware contains very few. This is a quick sign that you may be dealing with malware.

  • If the program is packed or obfuscated, static analysis will not be enough.

  • You must unpack a program to perform static analysis!

  • You can detect packed files with a program called PEiD. This will detect the type of packer or compiler used on the file.


Dependency Walker and DLLs

  • Dependency Walker is a program that lists the dynamically linked functions imported by an executable.

  • This is useful because when we are able to see the functions used in a program, we can speculate what the program is doing.

  • A program's DLLs can tell you a lot about its functionality.

  • Windows functions that carry the Ex suffix, like CreateWindowEx, are simply updated versions of the original function; Windows still supports the old one.

  • Dependency Walker will also show a list of all exported functions, which can be useful as well, but malware authors typically give exported functions confusing names, so it can be hard to understand what they do. On the bright side, exported functions are not very common.

  • The PE file header will include information on functions used by the program, giving us good insight into what the program does.


Examining PE files

  • PEview is a tool that can browse information on a PE file header and sections. See example below.

  • The time date stamp tells us when the program was compiled. This is helpful because if it is an old compile, antivirus programs may already have signatures for it, but if the compile time is very recent, there may not be signatures for it yet.

  • Virtual Size is the amount of space that is allocated for that section in memory.

  • Size of raw data shows how big the section is on the disk.

  • If the virtual size is much greater than size of raw data in the code section, then the program is likely packed.
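Here is an added example (my own code, not from the book or from PEview) that reads the same fields PEview shows: it parses the COFF header for the compile timestamp and walks the section table comparing Virtual Size to Size of Raw Data, flagging code sections whose in-memory size is much larger than their on-disk size. build_pe constructs a minimal header-only PE32 image in memory, so no real file is needed; the section names, sizes and timestamp are made up, and the 2x ratio threshold is my assumption.

```python
import struct
from datetime import datetime, timezone

# IMAGE_SECTION_HEADER layout: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_FMT = "<8sIIIIIIHHI"
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
COFF_FMT = "<HHIIIHH"
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Read the COFF header and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, n_sections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + struct.calcsize(COFF_FMT)
    magic = struct.unpack_from("<H", data, opt_off)[0]       # 0x10B = PE32, 0x20B = PE32+
    sec_off = opt_off + opt_size
    sections = []
    for i in range(n_sections):
        fields = struct.unpack_from(SECTION_FMT, data, sec_off + i * struct.calcsize(SECTION_FMT))
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return {
        "machine": machine,
        "format": "PE32+" if magic == 0x20B else "PE32",
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "sections": sections,
    }


def packing_indicators(pe: dict, ratio_threshold: float = 2.0) -> list:
    """Heuristic from the notes: a code section whose virtual size is much larger
    than its raw size gets filled in at runtime, i.e. unpacked. Threshold is my assumption."""
    findings = []
    for s in pe["sections"]:
        is_code = s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if not is_code:
            continue
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: executable section with no data on disk")
        elif s["raw_size"] and s["virtual_size"] / s["raw_size"] > ratio_threshold:
            findings.append(
                f"{s['name']}: virtual size 0x{s['virtual_size']:x} is "
                f"{s['virtual_size'] / s['raw_size']:.0f}x raw size 0x{s['raw_size']:x}")
    return findings


def build_pe(sections, timestamp: int) -> bytes:
    """Constructed header-only PE32 image for testing: DOS header, PE signature,
    COFF header, zeroed optional header (Magic only) and the section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                                 # size of IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, rptr, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples. Section characteristics use the standard values
# 0x60000020 (.text: code | execute | read) and 0x40000040 (.rsrc: data | read).
PACKED_SAMPLE = build_pe([(b".text", 0x20000, 0x1000, 0x400, 0x400, 0x60000020),
                          (b".rsrc", 0x1000, 0x21000, 0x1000, 0x800, 0x40000040)], 1600000000)
CLEAN_SAMPLE = build_pe([(b".text", 0x1F80, 0x1000, 0x2000, 0x400, 0x60000020),
                         (b".rsrc", 0x0C00, 0x3000, 0x0C00, 0x2400, 0x40000040)], 1600000000)

if __name__ == "__main__":
    for label, image in (("packed-looking", PACKED_SAMPLE), ("clean-looking", CLEAN_SAMPLE)):
        pe = parse_pe(image)
        print(label, pe["format"], "compiled", pe["compile_time"].isoformat())
        for s in pe["sections"]:
            print(f"  {s['name']:<8} vsize=0x{s['virtual_size']:06x} raw=0x{s['raw_size']:06x}")
        print("  indicators:", packing_indicators(pe) or "none")
```

Run against a real file by passing `open(path, "rb").read()` to parse_pe. The clean sample has a raw size slightly larger than its virtual size, which is the normal result of file alignment padding; only the reverse, a virtual size far beyond what is on disk, is the packing hint the notes describe.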

Viewing the resource section

  • Using a free tool called Resource Hacker, we can examine the .rsrc (resources) section of a file.

  • This tool gives a lot of useful information on the resources that a given program uses, which is very useful for static analysis.

  • The menu section for example, shows the names of all the menus used in the program as well as the text used in each. The menu names should give a good idea of their functionality.

  • As shown above, the Dialog section shows what the user would see, and opens a preview window of the actual program. If we knew nothing else about this program, we could infer what it does simply by viewing the Dialog section.

  • Another useful thing to know is that programs or drivers are often embedded in the resource section in order to hide them.

  • This tool allows us to extract these embedded programs/drivers for individual analysis.

PE Header Summary

  • Here is a helpful chart from Practical Malware Analysis by Michael Sikorski and Andrew Honig that depicts the information revealed by the PE file header.


Miscellaneous notes

  • The function SetWindowsHookEx is commonly used in spyware and is the most popular way that keyloggers get keyboard inputs.

  • The registry key Software\Microsoft\Windows\CurrentVersion\Run is commonly used by malware; it controls which programs are automatically run when Windows starts up.

  • The PE file header contains helpful metadata on the file itself.

  • Static analysis is typically only the first step, and further analysis such as dynamic analysis is usually necessary.

Malware Analysis

Part 2 of 2

In this series, I will be guided by the book Practical Malware Analysis by Michael Sikorski and Andrew Honig. Follow along in this hands-on series as I dissect malicious code, uncover threats, and learn reverse engineering, among other skills.
