Basic Static Analysis
It is a good idea to run a suspected executable through multiple anti-virus vendors.
AV vendors implement signature-based and heuristic-based detection mechanisms to detect malicious code.
This website is great for this. But it is important to understand that AV is not very reliable, as malware authors can update their code (changing its signature) and implement various other techniques to evade detection.
Getting the hash of a malware sample is important, as it identifies that sample uniquely and can be used later in multiple ways:
Use it as a label
Search for the hash on the internet
Share it with other analysts to help them identify the malware.
Some common hashing algorithms: MD5, SHA1, SHA256, etc.
Software always contains some human-readable strings (assuming the malware is not obfuscated), which can be dumped using tools like strings or FLOSS.
These can give hints about the functionality of the malware.
Packing malware is an obfuscation technique that makes analysis and detection difficult. It is hard to find readable strings in packed malware.
In packed malware it is quite common to find the Windows functions LoadLibrary and GetProcAddress. LoadLibrary dynamically loads DLLs, while GetProcAddress returns the address of a function or variable for future calls.
When packed malware is run, a wrapper runs first, which dynamically decompresses the actual executable and runs it.
Basic static analysis tools can't reach that original executable.
Packed malware has high entropy, small size and encrypted text.
Tools like Detect It Easy and PEiD are helpful in detecting packers.
Tip: a program packed with UPX can be unpacked easily by just downloading the UPX binary (https://github.com/upx/upx/releases) and running
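The hashing, string dumping and packing indicators above, pulled together into one small triage script. This is an added example, not code from the page or from any of the tools it names; the two sample byte buffers are constructed stand-ins for files (no real malware), and the 7.0 bits-per-byte entropy cut-off is an assumed heuristic, not a standard.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-ins for files under triage (not real malware): one with readable
# text and loader-API names, one filled with SHA-256 output to mimic the high-entropy
# body of a packed or encrypted payload.
PLAIN_SAMPLE = (
    b"MZ\x90\x00This program cannot be run in DOS mode.\r\n"
    b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00" + b"\x00" * 64
)
PACKED_SAMPLE = b"".join(hashlib.sha256(i.to_bytes(2, "big")).digest() for i in range(64))

ENTROPY_THRESHOLD = 7.0  # assumed heuristic cut-off; 8.0 bits/byte is the maximum


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: near 0 for padding, near 8 for random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def triage(data: bytes) -> dict:
    """Collect the basic static indicators discussed above for one file image."""
    strings = extract_strings(data)
    joined = "\n".join(strings)
    entropy = shannon_entropy(data)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(entropy, 2),
        "high_entropy": entropy > ENTROPY_THRESHOLD,
        "string_count": len(strings),
        # Both names together hint at a stub that resolves its imports at run time.
        "loader_api_strings": "LoadLibrary" in joined and "GetProcAddress" in joined,
    }


if __name__ == "__main__":
    for name, blob in (("plain", PLAIN_SAMPLE), ("packed-like", PACKED_SAMPLE)):
        print(name, triage(blob))
```

Run it against a real sample by reading the file into `data` and calling `triage(data)`; compare the entropy and string count of a suspected packed file with those of a known clean binary before drawing conclusions.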