Static Analysis of Malware (Pt.1)

I previously did articles on Malware Analysis 101 and how to set up a lab.

In this article I'll take you through how to analyze malware, whether for your organization or for learning purposes. There are various ways of analyzing malware; the two main ones are static and dynamic analysis.

We will start with static analysis, since dynamic analysis largely builds on the information collected during this stage.

Static analysis is the process of examining a malware sample without executing it.

The main objective here is to extract useful information from the sample. This should give us an idea of the type of malware and what it can do, and tell us where to focus when we later perform dynamic analysis.

Some of the business questions that you can ask yourself as a malware analyst when performing this analysis include:

  • Purpose of the malware?
  • How did it get there?
  • How can you get rid of it?
  • Did the malware steal any information?
  • How long has it been there?
  • Does the malware spread on its own? If so, how?
  • How can you prevent this from happening in the future?

Technical questions include:

  • What language was the malware written in?
  • Is it packed or obfuscated?
  • Does it have rootkit functionality?
  • What host-based indicators does it leave (files, registry keys, mutexes)?
  • When was it compiled?
  • What persistence mechanism does it use?

We all have our own ways of doing things or performing an action that we are most comfortable doing. Below is a general static analysis flow that you can adapt or modify as you perform your analysis:

1. File Type Identification

During this step, you identify the file type of the sample, and from it the target operating system and processor architecture.

Samples may target Windows on a 32-bit (x86) architecture, Windows on a 64-bit (x64) architecture, Linux, among others. Note that "x86" and "32-bit" refer to the same thing when describing Windows binaries.

To accurately identify a file type, analyze the file signature (the "magic bytes") rather than trusting the extension, so as to avoid being misled by double extensions such as report.pdf.exe.

The file signature sits at the start of the file header and is read as hexadecimal values. For a Windows executable the first two bytes are 4D 5A (ASCII "MZ"). Strictly, this is the legacy DOS header that every Windows Portable Executable (PE) carries; the offset stored at byte 0x3C (e_lfanew) points to the actual PE signature, 50 45 00 00 ("PE\0\0"), followed by the file header that records the target machine, the compile timestamp and whether the image is an executable (.exe) or a Dynamic Link Library (.dll).

Tools used during this stage include pestudio, HxD (a hex editor), Exeinfo PE and CFF Explorer.

In my demonstration, I will use pestudio and HxD to analyze my malware sample.

From this screenshot, pestudio identifies the file as a DLL, meaning the target operating system is Windows, and reports that it was built for a 32-bit (x86) machine. Being a DLL does not by itself imply 32-bit; the architecture comes from the machine field in the PE file header, which pestudio reads for us.

Also, we can tell that the sample is a Windows executable because of the MZ file signature (4D 5A) at offset 0.

From the HxD tool, we get the same information as we can see that the file is a portable executable.
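To show what pestudio and HxD are reading for us, here is an added Python example (not code from the original article or from either tool) that performs the same identification from raw bytes: it checks the MZ signature, follows e_lfanew to the PE signature, and reads the machine type, DLL flag and compile timestamp from the file header. The machine and characteristics constants are taken from the PE/COFF specification; the sample headers are constructed in the block itself and are not real binaries.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_TYPES = {
    0x014C: "x86 (32-bit)",
    0x8664: "x64 (64-bit)",
    0x01C4: "ARM Thumb-2 (32-bit)",
    0xAA64: "ARM64 (64-bit)",
}
IMAGE_FILE_DLL = 0x2000                  # Characteristics bit: image is a DLL
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}


def identify_pe(data: bytes) -> dict:
    """Classify a file from its bytes alone; the file name is never consulted.

    Checks the MZ signature, follows e_lfanew (offset 0x3C) to the PE
    signature, then reads Machine, TimeDateStamp and Characteristics from
    IMAGE_FILE_HEADER and the Magic word of the optional header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"is_pe": False, "reason": "no MZ signature in first two bytes"}
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return {"is_pe": False,
                "reason": "MZ present but no PE signature (plain DOS program or truncated file)"}
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    #   PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    machine, n_sections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_magic = struct.unpack_from("<H", data, pe_off + 24)[0]
    compile_time = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return {
        "is_pe": True,
        "machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04X})"),
        "format": OPTIONAL_MAGIC.get(opt_magic, f"unknown (0x{opt_magic:04X})"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": n_sections,
        "compile_time": compile_time.isoformat(),
        # TimeDateStamp is attacker-controlled: a zero or future value means it was forged
        "timestamp_suspicious": stamp == 0 or compile_time > datetime.now(timezone.utc),
    }


def build_sample_pe(machine: int, characteristics: int, stamp: int) -> bytes:
    """Constructed minimal PE header used as sample input; not a real or runnable binary."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    file_header = struct.pack("<HHIIIHH", machine, 3, stamp, 0, 0, 0xE0, characteristics)
    magic = struct.pack("<H", 0x20B if machine in (0x8664, 0xAA64) else 0x10B)
    return bytes(dos_header) + b"PE\0\0" + file_header + magic


# Constructed samples: a 32-bit DLL with a 2021 timestamp, a 64-bit EXE with a zeroed
# (forged) timestamp, and a PDF whose double-extension name alone could fool an analyst.
SAMPLE_X86_DLL = build_sample_pe(0x014C, 0x2102, 1609459200)   # EXECUTABLE|32BIT_MACHINE|DLL
SAMPLE_X64_EXE = build_sample_pe(0x8664, 0x0022, 0)            # EXECUTABLE|LARGE_ADDRESS_AWARE
SAMPLE_NOT_PE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, blob in [("report.dll", SAMPLE_X86_DLL),
                       ("invoice.pdf.exe", SAMPLE_X64_EXE),
                       ("invoice.pdf", SAMPLE_NOT_PE)]:
        print(name, identify_pe(blob))
```

The same logic applied to a real sample (`identify_pe(open(path, "rb").read())`) reproduces pestudio's file type, architecture and compile date; the `timestamp_suspicious` flag is the caveat to remember when answering the "date of compilation" question, since the stamp is trivially edited by the author.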

Note: malware is often disguised as an ordinary document, for example with a document icon or a double extension, so that the victim opens it to read its contents without realizing it is really an executable. Checking the file signature, not the name, is what catches this.

2. Malware Identification

Here, you generate the hash of the sample, which serves as its unique identifier.

Malware hashing: is the process of generating cryptographic hashes for the file content of the malware you are analyzing. Basically, we are hashing the malware file.

Example of hashing algorithms used in malware identification include: MD5, SHA1, SHA256.

The hashing process produces a fixed-length digest known as a fingerprint.

Every sample gets its own fingerprint: changing even one byte of the file content produces a completely different digest.

  • Hashes identify samples accurately because, unlike file names, they depend only on the content. Record more than one algorithm (MD5, SHA-1 and SHA-256): MD5 and SHA-1 still appear in older reports and are useful for lookups, but neither is collision resistant any longer, so treat SHA-256 as the authoritative identifier.
  • Hashes are the standard lookup key on services such as VirusTotal.
  • You can use hashes to search for previous detections, or to check online whether other researchers have already analyzed the sample and what they concluded.

Tools that can be used at this step include HashMyFiles, HashCalc and VirusTotal. Windows also ships certutil -hashfile and PowerShell's Get-FileHash, and Linux has md5sum, sha1sum and sha256sum.

These tools generate the MD5, SHA-1 and SHA-256 hashes of the sample, which you can copy and look up on Google, VirusTotal and similar services.

Looking up the hash on the internet helps you confirm the identity of the sample and rule out false positives, and, as stated earlier, if other researchers have already analyzed it and contained the situation, you can apply the same approach in your organization. Bear in mind that a hash with no prior sightings is not evidence that the file is clean; it may simply be a new or repacked variant that nobody has submitted yet.
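As an added example (not code from the article or from HashMyFiles), the following Python computes all three digests in a single pass over a file, confirms that a renamed copy with a double extension hashes identically, and looks the SHA-256 up in a small constructed table that stands in for a VirusTotal query. The sample content, the table and its label are made up for the illustration; real samples are whole binaries.

```python
import hashlib
import tempfile
from pathlib import Path

HASH_ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed lookup table standing in for a VirusTotal / threat-intel query.
# Keyed by SHA-256 (the collision-resistant one); the label is invented for the example.
KNOWN_BAD = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "example.family/constructed",
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of in-memory content."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_ALGORITHMS}


def hash_file(path, chunk_size: int = 1 << 20) -> dict:
    """Hash a file of any size with all three algorithms in one pass, 1 MiB at a time."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def lookup(digests: dict, known_bad: dict = KNOWN_BAD) -> str:
    """Look the SHA-256 up; 'unknown' means no prior sighting, which is not the same as benign."""
    return known_bad.get(digests["sha256"].lower(), "unknown")


def renamed_copies_match(content: bytes) -> bool:
    """Write the same bytes under two names (one with a double extension) and confirm the
    digests are identical: the fingerprint follows the content, never the file name."""
    with tempfile.TemporaryDirectory() as tmp:
        original = Path(tmp, "report.pdf")
        disguised = Path(tmp, "report.pdf.exe")
        original.write_bytes(content)
        disguised.write_bytes(content)
        return hash_file(original) == hash_file(disguised) == hash_bytes(content)


if __name__ == "__main__":
    sample = b"abc"                            # constructed content
    digests = hash_bytes(sample)
    print(digests, lookup(digests))            # found in the constructed table
    variant = hash_bytes(sample + b"\x00")     # one extra byte: every digest changes
    print(variant, lookup(variant))            # 'unknown': a new hash, not a clean file
    print(renamed_copies_match(sample))
```

The `variant` case is the practical caveat: a trivially modified or repacked copy of the same malware gets a brand-new fingerprint, so hash lookups find exact matches only and a miss should send you on to the rest of the static analysis rather than closing the case.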

For my illustration, I used the same malware sample and ran it through HashMyFiles to generate its hashes. I was able to obtain information such as the MD5, SHA-1, SHA-256 and SHA-512 hashes, created time, modified time, among others.

Below is an example:

I copied the MD5 hash and ran it through VirusTotal to try to acquire more details about the malware.

The malware has been flagged as malicious by 62/69 engines as shown above. I also dived into the details section to verify the hashes and rule out any false positives, and from the research, I was right about the identity of the file.

See you in part 2 of the static analysis series.

Article by @Christine Wambiru. Wambiru is a final-year student, Bachelor of Science (Mathematics and Computer Science), at Machakos University. She is passionate about tech, especially cybersecurity. She is a vibrant member of SheHacks KE and a trainer; she has trained on information gathering and social engineering. Engage with her on her socials; LinkedIn: Christine Wambiru, Twitter: @cwambiru

A community of Women in Cybersecurity from various backgrounds and counties across Kenya. https://shehackske.com/