Static Analysis of Malware (Pt. 3)

In this part of the series, I will be taking you through why examining the resource section is important and also how to identify and classify malware. We have gone through the basic steps that you can alter to suit your organization or your needs if you are a malware analyst or forensic analyst.

Some of the basic steps we talked about include:

Examining the Resource Section

Importance of the resource section and why it should be analyzed

  • Sometimes, it contains important information about the origin of the malware.

Tools to be used:

  • Pestudio
  • Resource Hacker

Note: Not all malicious files have a resource section. You can only find out if a malicious file contains it during analysis.

I downloaded 2 types of malware, but they are both ransomware. One has a resource section and one doesn’t. I used the Exeinfo PE tool to try and find out more information about the malware, especially the PE file sections, which will help me identify whether the malware has a resource section.

Both of them were zipped and required a password to access them. The password I used was "infected", which may be the password for most zipped malware.

For this first malware, below is some of the information I gathered. But I was interested in the section part which would inform me of the different file sections of the malware. Below is a screenshot of what I found.

You can see that the file sections are .text, .rdata, .data, .reloc. The tool also tells us the section status.

The above screenshot was from the second malware, which was Locky ransomware. From the screenshot, we can see that the malware is a 32-bit DLL, which means it targets a 32-bit Windows machine. If we focus on the sections part, below is the information I found.

The above screenshot gives us information about the different sections the malware has, and we can see that it includes the resource section, which is identified by the name “.rsrc”.
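As an added example (not code from the original article or from the tools it uses), the Python sketch below reads the PE section table directly to answer the same question: does the file have a resource section? It goes slightly beyond the name check by also reading the resource entry of the data directory, because a section name is only a label. `build_sample` and the section lists passed to it are constructed test input, not the real samples.

```python
import struct

def pe_sections(data: bytes):
    """Return (section names, size of the resource data directory)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, 3 dwords, SizeOfOptionalHeader, flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at offset 96 (PE32, 0x10B) or 112 (PE32+, 0x20B)
    dir_off = opt_off + (96 if magic == 0x10B else 112)
    n_dirs = struct.unpack_from("<I", data, dir_off - 4)[0]   # NumberOfRvaAndSizes
    rsrc_size = 0
    if n_dirs > 2:                                            # entry 2 = resource table
        _, rsrc_size = struct.unpack_from("<II", data, dir_off + 16)
    names = []
    for i in range(nsec):                                     # 40-byte section headers
        off = opt_off + opt_size + 40 * i
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names, rsrc_size

def has_resources(data: bytes) -> bool:
    """The name is only a label, so also trust a non-empty resource directory."""
    names, rsrc_size = pe_sections(data)
    return ".rsrc" in names or rsrc_size > 0

def build_sample(names, rsrc_size=0):
    """Constructed PE32 DLL headers only (no code), used as offline test input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 16, 0x4000 if rsrc_size else 0, rsrc_size)
    secs = b"".join(n.encode().ljust(40, b"\0") for n in names)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs

if __name__ == "__main__":
    first = build_sample([".text", ".rdata", ".data", ".reloc"])
    second = build_sample([".text", ".rdata", ".data", ".rsrc", ".reloc"], 0x200)
    for label, blob in (("first", first), ("second", second)):
        print(label, pe_sections(blob)[0], "resources:", has_resources(blob))
```

To run it against a real file, read the bytes inside the isolated analysis environment and pass them to `has_resources`; only the headers are parsed and nothing is executed.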

In the previous article, we talked about the PE file sections, but we didn’t dig deep into the nine different sections a Windows application has. It is important to know that a typical Windows application has different predefined sections, but depending on the application, only some of these sections will be used.

In Windows, all code segments of the executable reside in the .text or .code section. The Windows operating system uses a page-based virtual memory system, which means it has one large section of code that makes it easy to manage. This is also known as the entry point and thunk table.

Below is a table that shows the different PE file sections and what the different sections contain:

I tried analyzing the malware further for more information about the resource section using pestudio (favorite tool so far) and below is some of the information I gathered.

From the above screenshot, we can see the signature and also the language used by the malware. It is important to know this, since it may give you hints about where the malware originated from. Also, we can see that the malware is self-modifying.

From the version section, this is the information we have obtained.

Article by Christine Wambiru. Wambiru is a final year student, Bachelors of Science (Mathematics and Computer Science), at Machakos University. She is passionate about tech, especially cybersecurity. She is a vibrant member of SheHacks KE and a trainer; she has trained on information gathering and social engineering. Engage with her on her socials: LinkedIn: Christine Wambiru, Twitter: @cwambiru

A community of Women in Cybersecurity from various backgrounds and counties across Kenya. https://shehackske.com/