Basic Static Analysis
1. Hashing
. Collect the sha256sum of the sample (this is the identifier you report and pivot on)
. Collect the md5sum of the sample (md5 is collision-prone, so treat it only as a lookup key for older databases, not as proof of identity)
2. Malware hash search
Search the hash on VirusTotal to see whether this sample has been seen before and what AV engines call it. Searching by hash does not upload the file; uploading the file itself can tip off an attacker who watches VirusTotal for their own sample, so prefer the hash lookup during triage.
3. Extract Strings
Extract printable strings (URLs, IP addresses, file paths, registry keys, mutex names, API names, error messages) to get a first idea of what the sample does. Two utilities:
. strings (ASCII only by default; on GNU strings add -e l to also get the UTF-16LE strings that Windows binaries commonly contain)
. floss (FLARE Obfuscated String Solver from Mandiant: a better version of strings which, in addition to the static strings, emulates the code to recover stack strings and strings that are decoded only at run time, and presents them with the function that decodes them)
4. PEView
After opening the file in PEView check:
IMAGE_NT_HEADERS > IMAGE_FILE_HEADER
for the compile time (TimeDateStamp) of the executable. This time can be fake: some compilers write a fixed value (Delphi sets 19 June 1992 on every build), and an attacker can overwrite it, so treat it as a hint, not evidence.
IMAGE_SECTION_HEADER .text (and the other sections)
can be used to compare the Virtual Size with the Size of Raw Data. A section with a large virtual size but a tiny or zero raw size is filled in at run time, which gives away a packed sample.
SECTION .rdata > IMPORT Address Table
can be used to identify which Win32 APIs this binary calls, which tells you what the malware is capable of (file, registry, network, process-injection APIs and so on).
5. Packed or Unpacked
Packing compresses or encrypts the original code and wraps it in a small stub, so the file on disk looks different from the original code. Packing is done for size reduction or for AV evasion; UPX is one famous packer. At run time the stub unpacks the original code into memory and jumps to it. This is why the raw size and the virtual size of the sections differ: the packed section needs much more memory than it occupies on disk.
A packed sample won't have a full Import Address Table (IAT) like an unpacked one. Its IAT will be very small: the Win32 APIs the malware actually uses won't be listed. Instead only something like GetProcAddress and LoadLibrary will be there, which the stub uses to resolve the other Win32 APIs dynamically in memory at run time.
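The following script walks steps 1 to 5 above on a file: it hashes the sample, pulls ASCII strings, reads the TimeDateStamp from IMAGE_FILE_HEADER, lists each section's virtual vs raw size, parses the import table, and flags the packing signs the notes describe. It is an added example written for these notes, not a tool from the page or from the PEView/FLOSS/capa projects, and it only uses the Python standard library so it runs offline. The packer section names, the 4x virtual/raw ratio, the "fewer than 10 imports" threshold and the Delphi timestamp constant are my own assumptions for the heuristics; the sample PE it builds when run without a file argument is constructed in the script (it is not executable and not real malware).

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Assumed heuristics (not from the original notes): common packer section names and the fixed
# TimeDateStamp (1992-06-19 22:22:17 UTC) that Delphi-built binaries carry instead of a real build time.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".nsp1", ".MPRESS1"}
DELPHI_FIXED_TIMESTAMP = 0x2A425E19
DYNAMIC_LOADERS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

def file_hashes(data: bytes) -> dict:
    """Step 1/2: the md5 and sha256 you would look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Step 3: what `strings` does, runs of at least min_len printable ASCII bytes."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def rva_to_offset(rva: int, sections: list) -> int:
    """Map a relative virtual address to a file offset through the section table."""
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + max(s["virtual_size"], s["raw_size"]):
            return rva - s["virtual_address"] + s["raw_ptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def cstring(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data: bytes) -> dict:
    """Step 4: compile timestamp from IMAGE_FILE_HEADER, the section table and the import table."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> IMAGE_NT_HEADERS
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec, ts = struct.unpack_from("<HI", data, pe + 6)            # NumberOfSections, TimeDateStamp
    opt = pe + 24                                                 # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    sec_tab = opt + struct.unpack_from("<H", data, pe + 20)[0]    # + SizeOfOptionalHeader
    imp_rva = struct.unpack_from("<I", data, opt + (120 if pe32plus else 104))[0]  # DataDirectory[1]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_tab + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize, "raw_ptr": rptr})
    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    imports, desc = {}, rva_to_offset(imp_rva, sections) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)   # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:
            break                                                 # all-zero descriptor ends the list
        thunk, names = rva_to_offset(oft or ft, sections), []
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            # top bit set = import by ordinal; otherwise RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, name)
            names.append(f"ord#{entry & 0xFFFF}" if entry & ord_flag else cstring(data, rva_to_offset(entry, sections) + 2))
            thunk += width
        imports[cstring(data, rva_to_offset(name_rva, sections))] = names
        desc += 20
    return {"timestamp_raw": ts, "timestamp": datetime.fromtimestamp(ts, timezone.utc),
            "sections": sections, "imports": imports}

def packing_indicators(pe: dict) -> list:
    """Step 5: the packed-vs-unpacked signs described in the notes, plus the fake-timestamp caveat."""
    hits = []
    if pe["timestamp_raw"] == DELPHI_FIXED_TIMESTAMP:
        hits.append("TimeDateStamp is the fixed 1992 value Delphi writes, not a real build time")
    for s in pe["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"section {s['name']!r} is named like a packer section")
        if s["raw_size"] == 0 and s["virtual_size"]:
            hits.append(f"section {s['name']!r}: 0 raw bytes, {s['virtual_size']:#x} virtual (filled at runtime)")
        elif s["raw_size"] and s["virtual_size"] > 4 * s["raw_size"]:
            hits.append(f"section {s['name']!r}: virtual {s['virtual_size']:#x} >> raw {s['raw_size']:#x}")
    names = {n for v in pe["imports"].values() for n in v}
    if len(names) < 10 and names & DYNAMIC_LOADERS:
        hits.append(f"only {len(names)} imports, including {sorted(names & DYNAMIC_LOADERS)}: API resolved at runtime")
    return hits

def build_sample_pe() -> bytes:
    """Constructed, non-executable PE with a UPX-style layout: demo input only, not real malware."""
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x3C:0x40], hdr[0x40:0x44] = b"MZ", struct.pack("<I", 0x40), b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, DELPHI_FIXED_TIMESTAMP, 0, 0, 0xE0, 0x102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)                              # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 104, 0x11000, 0x28)               # import directory RVA/size
    struct.pack_into("<8sIIII", hdr, 0x138, b"UPX0", 0x10000, 0x1000, 0, 0)           # huge, no raw data
    struct.pack_into("<8sIIII", hdr, 0x138 + 40, b"UPX1", 0x200, 0x11000, 0x200, 0x200)
    body = bytearray(0x200)  # UPX1 at RVA 0x11000: descriptor, DLL name, INT, IAT, hint/name entries
    struct.pack_into("<IIIII", body, 0x00, 0x11038, 0, 0, 0x11028, 0x11044)
    body[0x28:0x35] = b"KERNEL32.dll\0"
    struct.pack_into("<III", body, 0x38, 0x11050, 0x11060, 0)
    struct.pack_into("<III", body, 0x44, 0x11050, 0x11060, 0)
    body[0x50:0x5F], body[0x60:0x71] = b"\0\0LoadLibraryA\0", b"\0\0GetProcAddress\0"
    return bytes(hdr + body)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(data)
    print(file_hashes(data), ascii_strings(data), info, *packing_indicators(info), sep="\n")
```

Run it as `python triage.py sample.exe` on a real file, or with no argument to see the constructed UPX-style sample reported as packed: two UPX-named sections, one with 0x10000 bytes virtual and nothing on disk, an import table holding only LoadLibraryA and GetProcAddress, and the Delphi 1992 timestamp flagged as not a real build time. The parser handles both PE32 and PE32+ and ordinal imports, so it generalises beyond the 32-bit case the notes describe.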
6. PEStudio
PEStudio is a great tool which does most of the basic static analysis above for us in one view (hashes, compile time, sections, imports, strings). It highlights indicators that are known to be used maliciously against its blacklists: suspicious imports, strings and section characteristics are flagged so you can start from them instead of reading everything.
7. capa tool by Mandiant
This tool can also be used for basic static analysis.
capa detects capabilities in executable files (for example "create TCP socket", "write file", "inject into process") by matching its rules against the disassembly, strings and imports of the sample, without running it.
Malware Behavioral Catalog (MBC)
capa's output also lists MBC Objectives and Behaviors. MBC is a classification system similar to MITRE ATT&CK but focused on malware specifically.
MITRE ATT&CK techniques are mapped as well, alongside capa's own rule-based matching, so each detected capability comes with the ATT&CK and MBC entries it corresponds to.