Static analysis tools for malware analysis

lakshay arora
5 min read · Jul 7, 2020


Static analysis is an important but often neglected and underestimated part of malware analysis. With the right toolkit, one can understand much of a sample's functionality without running it in a debugger or decompiling it and working through the recovered source. This post walks through the static analysis tools that can prove handy while performing malware analysis.

1. Determining the File Type: The first step of malware analysis is identifying the file type. This can be done in several ways, from reading the magic bytes in a hex dump to using automated tools such as CFF Explorer.

1.a) Using the file command:

file <abc file>

1.b) On Windows, CFF Explorer, part of Explorer Suite (http://www.ntcore.com/exsuite.php), can be used to determine the file type, and it is not limited to that: it is also a great tool for inspecting executable files (both 32-bit and 64-bit), letting you examine the PE internal structure, modify fields, and extract resources.

1.c) Python is popular, so a simple script using the libmagic bindings can read the magic bytes for us.

Using Python (the libmagic binding's open/load/file API; the interpreter session below identifies a 32-bit Windows GUI executable):

>>> import magic
>>> m = magic.open(magic.MAGIC_NONE)
>>> m.load()
>>> ftype = m.file(r'suspicious.exe')
>>> print(ftype)
PE32 executable (GUI) Intel 80386, for MS Windows

2. Fingerprinting the Malware: Cryptographic hash algorithms such as MD5, SHA1 or SHA256 give a quick way to tell whether two files are identical. The extracted hash can also be submitted to VirusTotal to check whether the same file has already been uploaded to their site and analyzed.

md5deep on Windows:

C:\>md5deep c:\WINDOWS\system32\sol.exe
373e7a863a1a345c60edb9e20ec32311 c:\WINDOWS\system32\sol.exe

hashdeep, which computes several hashes at once and prints size, MD5 and SHA256 for each file on one line:

%%%% HASHDEEP-1.0
%%%% size,md5,sha256,filename
## $ hashdeep coffer-overflow-2
##
8528,2f77e4517bbe2026c62192a89df7a142,4e5ee99d86452fb9ee69e392e3838946108f60108cce8dc4559a95186f5140fa,/home/bot1/Desktop/triial/first_pwn/coffer-overflow-2

3. String Extraction Using Tools:

Simply running the strings command can reveal a lot about the functionality or type of a malicious sample, but sifting through the raw output is tedious. More efficient tools such as PEStudio or FLOSS automatically find suspicious strings and hint at the functionality each string may be linked to.

Simple strings command:

strings -a log.exe

The FireEye Labs Obfuscated String Solver (FLOSS) is an open source tool that automatically detects, extracts, and decodes obfuscated strings in Windows Portable Executable (PE) files. It can be used to quickly extract sensitive strings and identify indicators of compromise (IOCs).

Advanced Tools: FLOSS, PEstudio

FLOSS output (Linux version)
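As an added example (not code from the original post or from FLOSS/PEStudio), a small Python extractor that pulls both ASCII and UTF-16LE strings out of a file and flags the ones a tool like PEStudio would mark as interesting; the sample bytes and the keyword list are constructed for illustration.

```python
import re

# Constructed keyword list: a small stand-in for the blacklists PEStudio and
# FLOSS apply to flag strings hinting at network, injection or persistence use.
SUSPICIOUS = ("http", "cmd.exe", "VirtualAlloc", "CreateRemoteThread", "RegSetValue")

def extract_strings(data, min_len=4):
    """Return (kind, offset, text) for printable ASCII and UTF-16LE runs.

    Windows binaries keep many strings as UTF-16LE ("wide"), which plain
    `strings` only reports with `-e l`; both encodings are scanned here.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("utf16le", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda s: s[1])

def flag_interesting(strings):
    """Keep only strings containing one of the SUSPICIOUS keywords."""
    return [s for s in strings
            if any(k.lower() in s[2].lower() for k in SUSPICIOUS)]

# Constructed sample bytes (not a real binary): header junk, an ASCII import
# name, a UTF-16LE BOM and a wide URL of the kind WinINet calls would take.
SAMPLE = (b"\x00\x01MZ\x90\x00VirtualAlloc\x00\xff\xfe"
          + "http://example.invalid/beacon".encode("utf-16-le") + b"\x00\x00ab\x00")

if __name__ == "__main__":
    for kind, off, text in flag_interesting(extract_strings(SAMPLE)):
        print(f"{off:#08x} {kind:8} {text}")
```

Run against a real sample, replace SAMPLE with the file's bytes; the wide-string pass is what usually surfaces URLs and registry paths that `strings -a` alone misses.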

4. Detecting File Obfuscation:

Malware authors use several cryptographic algorithms to obfuscate code, making static decompilation and analysis harder. Even then, traces usually remain: calls to the Microsoft cryptographic APIs, or an unpacking or decrypting stub. From these leftovers, the tools below identify the packer or the type of cryptographic algorithm used.

Tools: Exeinfo PE, Detect It Easy (DIE)

5. Examining the PE Section Table and Sections:

The PE (Portable Executable) section table lets us determine the type and attributes of the different sections in a PE file. The following sections are commonly found:

.text or CODE : Contains executable code

.data or DATA : Contains read/write data and global variables

.rdata : Contains read-only data

.idata : If present, contains the import table. If not present, then the import information is stored in .rdata section.

.edata : If present, contains export information. If not present, then the export information is found in .rdata section.

.rsrc : This section contains the resources used by the executable such as icons, dialogs, menus, strings, and so on.

TOOLS: PEbear ,PEstudio

Note: The Raw Size is exactly the size of the section's data in the file.
The Virtual Size is how big the section will be when it is loaded into memory.
Usually, the Virtual Size is SMALLER than the Raw Size.

Typically the raw size and the virtual size are almost equal; small differences are normal due to section alignment. In extreme cases, for example a raw size of 0 with a far larger virtual size (commonly seen with the UPX packer), the section takes no space on disk but a lot of space in memory. This is a strong indication of a packed binary: when the packed binary is executed, the packer's decompression routine copies the decompressed data or instructions into that memory region at runtime.

PE-bear output

6. Examining the Compilation Timestamp

The PE header records when the binary was compiled; examining this field gives an idea of when the malware was first created, which can help in building a timeline of the attack campaign. However, this field is easily forged and should not be treated as the basis of an investigation.

The information can be found in the IMAGE_FILE_HEADER of the executable image.

TOOL: PEStudio, CFF Explorer
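As an added example (not code from the post or from any of the tools named), a Python walker over the PE headers that covers three of the checks above in one place: the MZ/PE magic bytes from 1.c, the raw-versus-virtual section sizes from section 5, and the TimeDateStamp in IMAGE_FILE_HEADER from this section. The toy PE bytes and the UPX-style section sizes are constructed, not taken from a real sample.

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def parse_pe(data):
    """Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ file without PE signature (plain DOS executable?)")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 24 + opt_size  # first IMAGE_SECTION_HEADER
    for _ in range(nsec):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData (rest of the 40 bytes ignored)
        name, vsize, _, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), vsize, rawsize))
        off += 40
    return {"machine": MACHINES.get(machine, hex(machine)),
            "timestamp": datetime.fromtimestamp(stamp, timezone.utc),
            "sections": sections}

def suspicious_sections(info, ratio=2.0):
    """Names of sections whose in-memory size dwarfs their on-disk size (packer hint)."""
    return [n for n, vsize, rawsize in info["sections"]
            if rawsize == 0 or vsize > ratio * rawsize]

def build_sample_pe(stamp, sections):
    """Constructed toy PE (not a real binary): DOS header, PE signature, file header,
    a 2-byte optional header holding only the PE32 magic, then the section table."""
    pe = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 2, 0x102)
    pe += struct.pack("<H", 0x10B)
    for name, vsize, rawsize in sections:
        pe += struct.pack("<8sIIIIIIHHI", name, vsize, 0, rawsize, 0, 0, 0, 0, 0, 0)
    return pe

# UPX-style layout: UPX0 has no bytes on disk but reserves 128 KiB in memory.
SAMPLE = build_sample_pe(1594080000, [(b"UPX0", 0x20000, 0),
                                      (b"UPX1", 0xA000, 0x9E00),
                                      (b".rsrc", 0x1000, 0x1000)])

if __name__ == "__main__":
    info = parse_pe(SAMPLE)
    print(info["machine"], info["timestamp"], suspicious_sections(info))
```

The same parser works on a real file's bytes; a forged TimeDateStamp will of course still parse cleanly, which is why the timestamp is corroborating evidence rather than proof.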

7. Examining PE Resources

The resources required by the executable, such as icons, menus, dialogs and strings, are stored in the resource section (.rsrc) of the file. Attackers often store information such as an additional binary, decoy documents or configuration data in the resource section, so examining the resources can reveal valuable information about a binary.

NOTE: This data is only revealing once the executable is unpacked.

TOOL: Resource Hacker (http://www.angusj.com/resourcehacker/)

The resource section can also reveal the buttons, windows or tabs that the program will display.


Written by lakshay arora

Hi! I am a B.Tech student who enjoys reverse engineering and digital forensics. I relish reading anything and everything about cybersecurity.
