Lecture 2

Static analysis is performed without executing the file to extract useful information. This includes determining the file type to identify the target OS and architecture. The file type can be identified by looking at signatures in a hex editor. Cryptographic hashes are also generated to fingerprint the malware. The portable executable (PE) header and resources are analyzed to gather details on compiler, imported libraries, embedded files, and more to understand the malware's functionality and intent.

Uploaded by kunalsisodiacse

Static Analysis

Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.
Determining the File Type

During your analysis, determining the file type of a suspect binary will help you identify the malware's target operating system (Windows, Linux, and so on) and architecture (32-bit or 64-bit platforms).

For example, if the suspect binary has a file type of Portable Executable (PE), which is the file format for Windows executable files (.exe, .dll, .sys, .drv, .com, .ocx, and so on), then you can deduce that the file is designed to target
Most Windows-based malware are executable files ending with extensions such as .exe, .dll, .sys, and so on. But relying on file extensions alone is not recommended: the file extension is not the sole indicator of file type. Attackers use different tricks to hide their file by modifying the file extension and changing its appearance to trick users into executing it. Instead of relying on the file extension, the file signature can be used to determine the file type.
Identifying File Type Using Manual Method

The manual method of determining the file type is to look for the file signature by opening it in a hex editor.

A hex editor is a tool that allows an examiner to inspect each byte of the file; most hex editors provide many functionalities that help in the analysis of a file. The following screenshot shows the file signature of MZ in the first two bytes when an executable file is opened with the HxD hex editor.
Fingerprinting the Malware

Fingerprinting involves generating the cryptographic hash values for the suspect binary based on its file content. Cryptographic hashing algorithms such as MD5, SHA1 or SHA256 are considered the de facto standard for generating file hashes for malware specimens. The following list outlines the use of cryptographic hashes:

1. Identifying a malware specimen based on filename is ineffective because the same malware sample can use different filenames, but the cryptographic hash that is calculated based on the file content will remain the same. Hence, a cryptographic hash for your suspect file serves as a unique identifier throughout the course of analysis.

2. During dynamic analysis, when malware is executed, it can copy itself to a different location or drop another piece of malware. Having the cryptographic hash of the sample can help in identifying whether the newly dropped/copied sample is the same as the original sample or a different one. This information can assist you in deciding whether the analysis needs to be performed on a single sample or multiple samples.

3. File hash is frequently used as an indicator to share with other security researchers to help them identify the sample.

4. File hash can be used to determine whether the sample has been previously detected by searching online or searching the database of a multi anti-virus scanning service like VirusTotal.
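As an added example (not code from the lecture), the manual checks above in code: a short signature table, MD5/SHA1/SHA256 fingerprinting, and a name-versus-content check that flags the renamed or double-extension executable. The signature table, the extension set and the sample bytes are constructed for this example.

```python
import hashlib
from pathlib import Path

# Well-known file signatures (magic bytes at offset 0). Constructed table for this example,
# deliberately short rather than exhaustive.
SIGNATURES = [
    (b"MZ", "PE executable (Windows)"),
    (b"\x7fELF", "ELF executable (Linux)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft Office OLE2 document"),
    (b"PK\x03\x04", "ZIP container (.zip/.docx/.xlsx/.jar)"),
    (b"%PDF", "PDF document"),
]
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}   # constructed set

def identify(data: bytes) -> str:
    """Return the file type from its signature, ignoring the file name entirely."""
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    return "unknown"

def fingerprint(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the content: identical bytes give identical hashes, whatever the name."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def triage(filename: str, data: bytes) -> dict:
    """Combine signature, name and hashes into the first facts recorded about a sample."""
    suffixes = [s.lower() for s in Path(filename).suffixes]   # "report.xls.exe" -> [".xls", ".exe"]
    file_type = identify(data)
    return {
        "name": filename,
        "type": file_type,
        # An executable whose name ends in a document extension, or carries one before the
        # real .exe (double extension), is the disguise the lecture warns about.
        "disguised_executable": file_type.startswith("PE") and any(s in DOCUMENT_EXTS for s in suffixes),
        **fingerprint(data),
    }

def same_sample(a: bytes, b: bytes) -> bool:
    """True when two files are the same specimen (same SHA256), e.g. the original and a dropped copy."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()

# Constructed sample content: a DOS header stub carrying the MZ signature, not a real program,
# and an OLE2 header stub standing in for a genuine spreadsheet.
SAMPLE = b"MZ\x90\x00\x03\x00" + b"\x00" * 58
DECOY_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24

if __name__ == "__main__":
    for name, content in [("report.xls.exe", SAMPLE), ("report.exe", SAMPLE), ("report.xls", DECOY_DOC)]:
        print(triage(name, content))
```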
Scanning the Suspect Binary with VirusTotal

VirusTotal (http://www.virustotal.com) is a popular web-based malware scanning service. It allows you to upload a file, which is then scanned with various anti-virus scanners, and the scan results are presented in real time on the web page. In addition to uploading files for scanning, the VirusTotal web interface provides you the ability to search their database using a hash, URL, domain, or IP address. Searching by hash first is the safer habit: it tells you whether the sample is already known without uploading it, since uploaded files are shared with the participating vendors.

Analyzing The PE Header

The PE (Portable Executable) header is the first part of a Windows executable file that contains important information about the file, including:

Signature: Indicates that the file is a PE file

COFF (Common Object File Format) header: Describes the file's format and architecture

Optional header: Contains information about the executable, including its size, required subsystem, and the address of the entry point

Section headers: Describe the layout of the file's sections and their characteristics, such as their size, permissions, and location in memory

You can inspect the PE header information of a Windows executable file using a tool such as Microsoft's PEview or a hex editor.
The PE header contains the information the OS requires to run the executable. In static analysis, we are looking for information about the executable that can give us a glimpse of its functionality and origin.

What information are we interested in?

1. Compiler stamp - when and where the malware was compiled.

2. Subsystem - what subsystem is being used?

3. Sections - is the executable packed, and are there any inconsistent permissions?

4. Libraries & imports - what libraries and imports are being used, and what information do they give us about the functionality of the malware?
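The four items above read directly from the header bytes, as an added example that is not part of the lecture: the parser walks the DOS header, COFF header, optional header and section table with the standard library only, and the image it parses is constructed inline (its section names, timestamp and flags are made up for the demonstration, and the image is not loadable).

```python
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x1C0: "ARM", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows Console"}
PERM_BITS = ((0x40000000, "R"), (0x80000000, "W"), (0x20000000, "X"))   # IMAGE_SCN_MEM_* flags

def parse_pe(data: bytes) -> dict:
    """Read the fields static analysis cares about straight from the raw PE header bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a Windows executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)  # COFF header
    opt = pe_off + 24                                        # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint (RVA)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in PE32 and PE32+
    sections, findings = [], []
    for i in range(nsec):
        name, vsize, va, raw, _, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        s = {"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize, "va": va,
             "raw": raw, "perms": "".join(p for bit, p in PERM_BITS if ch & bit)}
        sections.append(s)
        if "W" in s["perms"] and "X" in s["perms"]:
            findings.append(f"{s['name']}: writable and executable")
        if raw == 0 and vsize > 0:
            findings.append(f"{s['name']}: empty on disk but {vsize:#x} bytes in memory (unpacked at runtime?)")
        if va <= entry < va + max(vsize, raw) and s["name"] != ".text":
            findings.append(f"entry point {entry:#x} lies in {s['name']}, not .text")
    return {"machine": MACHINES.get(machine, hex(machine)), "format": "PE32+" if magic == 0x20B else "PE32",
            "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem), "entry_point": entry,
            "sections": sections, "findings": findings}

def build_sample_pe() -> bytes:
    """Constructed, non-loadable PE32 image with just enough header to exercise the parser."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 96, 0x0102)  # x86, 2 sections, 96-byte optional header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x2000)                                 # entry point inside the 2nd section
    struct.pack_into("<H", opt, 68, 2)                                      # Subsystem: Windows GUI
    def sec(name, vsize, va, raw, ptr, ch):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, raw, ptr, 0, 0, 0, 0, ch)
    sections = sec(b".text", 0x1000, 0x1000, 0x200, 0x400, 0x60000020)      # code, R+X
    sections += sec(b"UPX1", 0x9000, 0x2000, 0, 0x600, 0xE0000040)          # R+W+X, no bytes on disk
    return dos + b"PE\0\0" + coff + bytes(opt) + sections
```

Run `parse_pe(build_sample_pe())` to see the three findings a packed sample typically produces: a writable and executable section, a section with no data on disk, and an entry point outside .text.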


PE Header Structure

Sections (PE Sections)
Inspecting File Dependencies and Imports

Malware interacts with the file, registry, network, and so on. To perform such interactions, malware frequently depends on the functions exposed by the operating system. Windows exports most of its functions, called Application Programming Interfaces (API), required for these interactions in Dynamic Link Library (DLL) files. Executables import and call these functions typically from various DLLs that provide different functionality. The functions that an executable imports from other files (mostly DLLs) are called imported functions (or imports).


For example, if a malware executable wants to create a file on disk on Windows, it can use the API CreateFile(), which is exported in kernel32.dll. To call the API, it first has to load kernel32.dll into its memory and then call the CreateFile() function.

Inspecting the DLLs that a malware relies upon and the API functions that it imports from the DLLs can give an idea about the functionality and capability of the malware and what to anticipate during its execution. The file dependencies in Windows executables are stored in the import table of the PE file structure.
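An added example of walking the import table the paragraph describes (not code from the lecture or from pestudio): it parses IMAGE_IMPORT_DESCRIPTOR entries and their lookup tables out of a constructed section, assuming a PE32 layout in which the section's RVA and raw offset are the fixed constants given here, and shows both import-by-name and import-by-ordinal entries.

```python
import struct

SECTION_VA = 0x3000   # constructed section: RVA 0x3000 maps to offset 0 of the blob (PointerToRawData = 0)

def rva_to_off(rva: int) -> int:
    return rva - SECTION_VA

def read_cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data: bytes, import_dir_rva: int) -> dict:
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and each DLL's lookup table (PE32, 4-byte thunks)."""
    imports, off = {}, rva_to_off(import_dir_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                              # all-zero descriptor ends the array
            return imports
        dll, funcs = read_cstr(data, rva_to_off(name_rva)), []
        toff = rva_to_off(ilt or iat)                  # some linkers leave OriginalFirstThunk at 0
        while (thunk := struct.unpack_from("<I", data, toff)[0]) != 0:
            if thunk & 0x80000000:                     # high bit set: import by ordinal, no name
                funcs.append(f"#{thunk & 0xFFFF}")
            else:                                      # otherwise an RVA to hint (2 bytes) + name
                funcs.append(read_cstr(data, rva_to_off(thunk) + 2))
            toff += 4
        imports[dll] = funcs
        off += 20

def build_sample_section(dlls: dict) -> bytes:
    """Constructed import directory: descriptor array, then DLL names, hint/name entries, ILT and IAT."""
    blob = bytearray(20 * (len(dlls) + 1))         # room for the descriptors plus the zero terminator
    def add(b: bytes) -> int:                      # 4-byte align, append, return the RVA of the data
        blob.extend(b"\0" * (-len(blob) % 4))
        rva = SECTION_VA + len(blob)
        blob.extend(b)
        return rva
    for i, (dll, funcs) in enumerate(dlls.items()):
        name_rva = add(dll.encode() + b"\0")
        thunks = [0x80000000 | f if isinstance(f, int) else add(b"\0\0" + f.encode() + b"\0") for f in funcs]
        table = struct.pack(f"<{len(thunks) + 1}I", *thunks, 0)
        struct.pack_into("<IIIII", blob, 20 * i, add(table), 0, 0, name_rva, add(table))
    return bytes(blob)

# Constructed sample: imports a downloader that writes a file and persists via the registry might have.
SAMPLE_SECTION = build_sample_section({
    "KERNEL32.dll": ["CreateFileA", "WriteFile", "LoadLibraryA"],
    "ADVAPI32.dll": ["RegSetValueExA"],
    "WS2_32.dll": ["connect", 23],                 # 23: an ordinal-only import (constructed value)
})
```

`parse_imports(SAMPLE_SECTION, SECTION_VA)` returns the same DLL-to-function mapping that pestudio's Libraries and Imports views present, and an ordinal-only entry shows why a name-based view can miss a capability.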


The Libraries button in pestudio displays all the DLL files the executable depends on and the number of functions imported from each DLL. These are the DLL files that will be loaded into memory when the program is executed.
Examining PE Resources

The resources required by the executable file, such as icons, menus, dialogs, and strings, are stored in the resource section (.rsrc) of an executable file.

Often, attackers store information such as an additional binary, decoy documents, and configuration data in the resource section, so examining the resources can reveal valuable information about a binary.

The resource section also contains version information that can reveal information about the origin, company name, program author details, and copyright information.


Resource Hacker (http://www.angusj.com/resourcehacker/) is a great tool to examine, view, and extract the resources from a suspect binary. Let's take an example of a binary that looks like an Excel file on the disk (notice how the file extension is changed to .xls.exe), as shown here:

Loading a malicious binary in Resource Hacker shows three resources (Icon, Binary, and Icon Group). The malware specimen uses the icon of Microsoft Excel (to give the appearance of
The executable also contains binary data; one of them has a file signature of D0 CF 11 E0 A1 B1 1A E1. This sequence of bytes represents the file signature for a Microsoft Office document file. The attackers, in this case, stored a decoy Excel sheet in the resource section. Upon execution, the malware runs in the background, and this decoy Excel sheet is displayed to the user as a diversion:


To save the binary to disk, right-click on the resource that you want to extract and click on Save Resource to a *.bin file. In this case, the resource was saved as sample.xls. The following screenshot shows the decoy Excel sheet that will be displayed to the user:
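An added example, not part of the lecture, of locating embedded files in resource data the way the D0 CF 11 E0 signature above was spotted: it scans a blob for known signatures at any offset, validates MZ hits against the PE signature so that two stray letters are not reported as an executable, and returns the bytes to save. The signature list and the resource blob are constructed.

```python
import struct

# Signatures worth carving out of a resource section (constructed, deliberately short list).
EMBEDDED = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "Microsoft Office OLE2 document"),
    (b"%PDF-", "PDF document"),
    (b"MZ", "PE executable"),
]

def looks_like_pe(data: bytes, off: int) -> bool:
    """'MZ' is only two bytes, so require e_lfanew to point at a 'PE\\0\\0' signature before trusting it."""
    if off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    return 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0"

def carve(data: bytes) -> list:
    """Return (offset, description) for every embedded file signature found anywhere in the blob."""
    hits = []
    for magic, desc in EMBEDDED:
        off = data.find(magic)
        while off != -1:
            if magic != b"MZ" or looks_like_pe(data, off):
                hits.append((off, desc))
            off = data.find(magic, off + 1)
    return sorted(hits)

def extract(data: bytes, off: int, length: int = 0) -> bytes:
    """Return the carved bytes from off (length bytes, or to the end of the blob); the caller
    writes them with open(path, "wb"), which is what Resource Hacker's Save Resource does."""
    return data[off:off + length] if length else data[off:]

# Constructed resource blob: filler, an OLE2 decoy document, the letters "MZ" inside ordinary text
# (a false positive that must be rejected), and a minimal PE header stub.
OLE_DECOY = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\x00" * 20
RESOURCE_BLOB = b"\x01\x02\x03" * 8 + OLE_DECOY + b"Not an MZ header here. " + PE_STUB
```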
