The basic version of static malware analysis is really very simple. It doesn't involve going through each and every instruction, so those who are afraid of going through the code can breathe easy. Depending on how advanced the techniques used by the malware author to resist reverse engineering were, basic static analysis can prove anything from very useful to a complete failure. But it's worth trying before moving on to more advanced static analysis techniques and dynamic analysis, which might cost you a good amount of time.
I’ll try to keep it very simple and straight for you.
Malware Static Analysis Techniques
1. Virustotal Results:
Well, you have a file which you think could be malicious, and you want to verify whether it's worth spending your analysis time on. A good start is to upload that file to Virustotal; you might get some very useful information from there.
I found one interesting file from a submission on the online malware analysis tool malwr.com.
Here is the analysis link: https://malwr.com/analysis/MGM5MWI5NjYxMzhhNGMxMDlhYmM1MzE0MTg5NGMwMmU/
You can download the file from there. Just be careful about having it on your system; at least change the extension of the file to save yourself from any misclick.
Let's check the result for the file named "csrss.exe" with the MD5 value "4dd45e9ddd7a24540c07b11cbb0775b5".
In case you don't know how to search with Virustotal, click here.
The picture below shows the Virustotal results for this file:
So what useful information can we extract out of it? Let's check.
The first and most useful piece of information is the "Detection ratio". It tells me how many antivirus detection providers are detecting this file. In this case, 50 vendors out of 57 are triggering on this sample, so there is a 99.9% chance that we are going to find the specific malware family this sample belongs to.
The next useful piece of information I see here is the "Analysis Date". It tells me when a file with the same hash value was uploaded to Virustotal for analysis. Sometimes this information can prove very useful in understanding how old the malware is, especially in zero-day malware cases. In the case above, the file was first seen by Virustotal 22 hours ago, which is quite recent.
Go ahead and see what these vendors are calling this sample. In the first few rows, I can see the word "Bladabindi" repeated most often; the next most common word is "Backdoor", and then comes "MSIL". Well, do you get what the universe is trying to shout here?
Now click on the "File Detail" section.
A few more details that can help you understand this file can be found here. For example, the target machine tells you which processor the file needs in order to execute. The entropy column in "PE sections" tells you whether the sections are encrypted or not. In this case, the file is a 32-bit executable, and its .text and .rsrc sections are encrypted, considering their entropy values above 5.
If a malware sample is not obfuscated/packed by its author, it can really feel like your luckiest day. If the malware is packed, you won't get much visibility into any useful strings. To check whether a file is packed or not, read our post at :
How is it Useful?
Consecutive readable characters in a file can provide a lot of useful information about the malware's behavior. A program usually contains strings, especially when it copies a file to some location, prints a message or tries to connect to some site. Before we go any further, let me first tell you how to find the strings in a file.
It's quite simple. On Windows, the Strings tool from Microsoft (Sysinternals) makes it easy for you. It scans the file you pass it for UNICODE or ASCII strings with a default minimum length of 3. You can change this value based on your requirements.
Below you can see a section of the file where I stored the output of the command "Strings <filename>". In my case, <filename> is replaced by the Bladabindi malware file downloaded from the malwr.com link.
What to look for?
Here you can see a few commands like "netsh firewall delete allowedprogram" and "netsh firewall add allowedprogram" that play with the Windows firewall rules. A legitimate file is not expected to do such things. Another interesting entry is "Software\Microsoft\Windows\CurrentVersion\Run". It tells me that this file might add or change a few registry keys at this path, which is a common way for a program to get started automatically at logon.
You can also search for keywords like "http" to look for any malicious site it might try to contact as its command and control server.
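As an added example (not code from the original post or from the Strings tool), the small Python script below does what the Strings tool does, pulling ASCII and UTF-16LE strings of at least 3 characters out of a file, and then flags the three kinds of indicators discussed above: netsh firewall changes, the Run key, and http URLs. The sample bytes, the file paths and the URL in it are constructed for the demo; only the netsh commands and the Run key path come from the post.

```python
import re
from typing import Dict, List

MIN_LEN = 3  # same default minimum length as the Sysinternals Strings tool

# Indicators the post calls out in the Bladabindi sample's strings.
INDICATORS = {
    "firewall_tamper": re.compile(r"netsh firewall (add|delete) allowedprogram", re.I),
    "run_key_persistence": re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.I),
    "url": re.compile(r"https?://[^\s\"']+", re.I),
}

def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return ASCII and UTF-16LE (Windows 'UNICODE') strings of at least
    min_len printable characters, ordered by their offset in the file."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text looks like printable byte, NUL, printable byte, NUL, ...
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    found.sort()
    return [s for _, s in found]

def flag_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Group strings by the indicator pattern they match; unmatched strings are dropped."""
    hits: Dict[str, List[str]] = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits

# Constructed stand-in for a binary: the header bytes, paths and URL are made up
# for this demo and are not taken from the real csrss.exe sample.
_PIECES = [
    b"MZ\x90\x00\x03",
    b'netsh firewall delete allowedprogram "C:\\Users\\user\\csrss.exe"',
    'netsh firewall add allowedprogram "C:\\Users\\user\\csrss.exe" csrss ENABLE'.encode("utf-16le"),
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le"),
    b"http://c2.example.invalid/gate.php",
    b"ab",  # shorter than MIN_LEN, so it is never reported
]
SAMPLE = b"\x00\x00".join(_PIECES)

if __name__ == "__main__":
    for name, matched in flag_indicators(extract_strings(SAMPLE)).items():
        for s in matched:
            print(f"[{name}] {s}")
```

To run it against a real file, replace SAMPLE with the bytes read from that file; the UTF-16 matcher is what catches the strings a plain ASCII grep would miss in a .NET (MSIL) binary.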
In the next section of this chapter, I'll tell you how to gather information from the Portable Executable (PE) file format. Till then, enjoy learning…
Please comment whatever comes to your mind after reading this post.