2- Basic Malware Analysis – Static – Part 1


To perform Basic Static Analysis we need to complete several steps, which will allow us to answer some of the following questions:

  1. What is the suspicious file?

  2. What does it do?

  3. When was it made?

  4. Does it depend on other files?

  5. Does it download other files?

  6. How does it work?

  7. What type of Malware is it?

Each of the malware analysis stages (basic and advanced) will answer some of the above questions; to answer them all we need to work through every stage mentioned in the first tutorial (1- Practical Malware Analysis – Introduction).

In today’s tutorial we will be doing the following:

  1. We will run the suspicious file through multiple anti-virus scanners, such as Virustotal.com, to see if the file is already known and has been flagged previously.

  2. We will create an MD5 hash of the file, which we can share with our colleagues and also use to search online for files with the same MD5 hash.

  3. We will look at the strings of the program using strings.exe.

  4. We will check whether the program is packed.

  5. We will also check the Portable Executable (PE) file format header, which provides valuable information about the code, the type of application, required library functions and space requirements.

  6. Finally we will examine linked libraries and functions.

The Programs needed for this tutorial are:

  1. WinMD5

  2. strings.exe

  3. Dependency Walker

  4. PE View

  5. PEiD

The above programs can be found with a simple search on any search engine.

It would also be handy to download the lab files from http://www.practicalmalwareanalysis.com

OK, let us now begin dissecting some malware. I am following the book here, so let us start by looking at the Lab 1 files.

Scanning with Anti Virus

The first step is to scan the file with multiple anti-virus scanners to see whether it has been encountered before and to gather some information about it. The next step is to create an MD5 hash, search for it online and share it within the analyst team. So we will start with the scan.

  1. In your lab environment, open a browser and go to virustotal.com.

  2. Select the file tab if not already selected and click on choose a file. As you can see I am using Windows XP and I have selected the file Lab01-01.

Figure 1

  3. Then click open and scan it.

  4. You should get the following:

Figure 2

  5. If you get a message stating that the file has already been analysed, click on re-analyse.

  6. As you can see, the results indicate that the file has been flagged by 7 anti-virus scanners. The results also give you the signature name assigned to the file by each scanner. If you click through the tabs at the top, such as Analysis (the one you are already on), File detail, etc., you will see more interesting information that will become more understandable as we progress further into these tutorials, so stay tuned.

Figure 3

Creating an MD5 Hash

To create an MD5 hash for the file, you need to do the following:

  1. Open WinMD5.exe or your favourite MD5 calculation tool.

  2. In WinMD5’s case all you need to do is drag the file or files into the small box labelled “currently processing”, as shown below.

Figure 4

  3. As you can see above, within a second you have your MD5 hash for the file.

  4. If you copy the hash and paste it into Google you should get something like this:

Figure 5

  5. As you can see, with a simple search we get around 76 results for files flagged as malicious that have the same hash fingerprint.
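As an added example (not part of the original tutorial and not WinMD5’s code), the same hashing step scripted in Python: the file is read once in chunks and MD5 is produced alongside SHA-1 and SHA-256, so colleagues using different tools can match the same sample, and the digests are then compared against a team’s shared list of known hashes. The KNOWN_HASHES entries (digests of a constructed byte string, not of any real sample) and the helper names are constructed for illustration.

```python
import hashlib
import io
import sys

CHUNK_SIZE = 1024 * 1024  # 1 MiB chunks, so large samples never need to fit in memory
ALGORITHMS = ("md5", "sha1", "sha256")


def digest_stream(stream):
    """Return {algorithm: hex digest} for a binary file object, reading it only once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data):
    """Hash an in-memory byte string (handy for tests and captured buffers)."""
    return digest_stream(io.BytesIO(data))


def digest_file(path):
    """Hash a file on disk, e.g. a lab sample such as Lab01-01.exe."""
    with open(path, "rb") as fp:
        return digest_stream(fp)


# Constructed stand-in for a team's shared list of known hashes: digest -> label.
# These are the digests of the constructed bytes b"abc", NOT of any real malware.
KNOWN_HASHES = {
    "900150983cd24fb0d6963f7d28e17f72": "constructed sample (MD5 match)",
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "constructed sample (SHA-256 match)",
}


def match_known(digests, known=KNOWN_HASHES):
    """Return the labels of every computed digest found in the known-hash list (case-insensitive)."""
    lookup = {k.lower(): v for k, v in known.items()}
    return [lookup[d.lower()] for d in digests.values() if d.lower() in lookup]


def report_line(path, digests):
    """One line 'md5  sha1  sha256  path' that can be pasted into a ticket or a search box."""
    return "  ".join(digests[name] for name in ALGORITHMS) + "  " + path


if __name__ == "__main__":
    for sample_path in sys.argv[1:]:
        result = digest_file(sample_path)
        print(report_line(sample_path, result))
        for label in match_known(result):
            print("  match:", label)
```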

Conclusion

Usually when we first start analysing files we begin with a file or files that we are not yet sure are suspicious, but which we suspect could be related to the incident we are investigating. Each of the steps we have completed so far, and those we will complete in the upcoming tutorials, will either confirm our suspicion or refute it.

What we know so far about the file in our tutorial is that it is known and has been flagged by multiple anti-virus scanners, and its MD5 hash also has a presence online in relation to malware. Therefore at this stage we are fairly sure that this file needs to be included in our list of malware files to be investigated further, and thus we need to dig deeper to answer the questions we set at the beginning of this tutorial.

In part 2 of this tutorial we will dig deeper using basic static analysis to look at the strings, PE headers and so on.
