Basic static analysis:
Static analysis is usually the first step when analyzing any malicious sample; the sample is never executed during static analysis. Some common techniques are described below:
AV scanning:
Common malware is usually detected by most AV engines based on file signatures. It is best to check with multi-AV scanners such as VirusTotal or Hybrid Analysis, which provide a detailed report of the sample's behavior. But make sure you don't upload your samples in the case of targeted attacks, as this would alert the attacker, who could then take steps to cover his tracks. The ideal way is to search for the hash of the file on VirusTotal and check whether it has already been uploaded by anyone.
Strings:
By extracting the strings present in an executable, a lot can be deduced about its behavior. Bits of information such as Windows API names, URLs, IP addresses, useful text messages etc. can be extracted.
Some good tools to extract strings on Windows are GNU Strings, SysInternals Strings and FireEye Floss.
Floss from FireEye is a very good tool to extract strings, as it also recovers strings that are obfuscated and only decoded at runtime, rather than relying on static extraction alone. You can find Floss here: https://github.com/fireeye/flare-floss
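To make the strings step concrete, here is a small static string extractor, added as an example and not code from the original post or from any of the tools named above. It pulls printable-ASCII and UTF-16LE runs (Windows binaries carry many wide strings that a plain ASCII pass misses) and then tags URLs and IPv4 addresses, the indicators an analyst looks for first. The byte buffer, the URL and the IP address are constructed for the example; it does not use Floss and does no runtime decoding.

```python
import re

# Constructed sample buffer standing in for a slice of an executable:
# ASCII strings, one UTF-16LE string, one too-short run and binary noise.
# The URL and IP address are made up for this example.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"CreateRemoteThread\x00\x01\x02\x03"
    + b"http://example.invalid/update.bin\x00"
    + b"203.0.113.7:4444\x00\xff\xfe"
    + "WriteProcessMemory".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00\xfd"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data, min_len=4):
    """Return (offset, kind, text) for every printable-ASCII and UTF-16LE run
    of at least min_len characters, sorted by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # A UTF-16LE string of ASCII characters is printable byte, NUL, printable byte, NUL, ...
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def find_indicators(strings):
    """Pick URLs and IPv4 addresses out of the extracted strings."""
    urls, ips = [], []
    for _offset, _kind, text in strings:
        if text.startswith(("http://", "https://")):
            urls.append(text)
        ips.extend(IPV4_RE.findall(text))
    return {"urls": urls, "ipv4": ips}


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, kind, text in strings:
        print("0x%04x %-7s %s" % (offset, kind, text))
    print(find_indicators(strings))
```

Raising `min_len` cuts down on noise from random byte runs; lowering it recovers short API names at the cost of more junk. The UTF-16 pass is what surfaces `WriteProcessMemory` here, which an ASCII-only run would silently drop.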
PE Header:
By analyzing the PE header, a lot of information can be obtained about the sample. Some important fields that can be read from the PE header are the imports, exports, time date stamp, sections and resources.
A very good resource for learning more about the PE header is the Life of Binaries (LoB) course by Xeno Kovah at OpenSecurityTraining.info.
URL: http://opensecuritytraining.info/LifeOfBinaries.html
You can test your understanding by playing the roxor game: https://code.google.com/archive/p/roxor-arcade/wikis/BinaryScavengerHunt.wiki
PE Studio and CFF Explorer are very good tools for PE header analysis.
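The tools above show these fields in a GUI; to see where they come from, here is a minimal PE header parser written for this page as an added example (not code from the post, from PE Studio, CFF Explorer or the LoB course). It walks the DOS header to `e_lfanew`, reads the COFF file header (machine, time date stamp, characteristics), a few optional-header fields and the section table, then applies two triage checks analysts routinely make: whether the entry point lives in a section that is both writable and executable, and whether a section's virtual size is far larger than its raw size, both common with packed samples. The PE image it parses is constructed in `build_sample_pe()` and is not a real program; imports, exports and resources are not parsed here. Note that the time date stamp is trivially forgeable by the author, so treat it as a hint, not evidence.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed PE32 image for the example: two sections, entry point in a
    writable+executable section whose raw data is much smaller than its virtual size."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    # Machine, NumberOfSections, TimeDateStamp (2021-01-01 UTC), SymTab, NumSyms,
    # SizeOfOptionalHeader (PE32 = 0xE0), Characteristics (EXECUTABLE | 32BIT)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1609459200, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x2010)      # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    text = SECTION_HDR.pack(b".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0x60000020)
    pack = SECTION_HDR.pack(b".pack", 0x8000, 0x2000, 0x200, 0x1400, 0, 0, 0, 0, 0xE0000040)
    img = dos + b"PE\x00\x00" + coff + bytes(opt) + text + pack
    return img + b"\x00" * (0x1600 - len(img))


def parse_pe(data):
    """Parse the DOS stub pointer, COFF header, key optional-header fields and sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                    # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                  # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections, off = [], opt + opt_size
    for _ in range(nsections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = SECTION_HDR.unpack_from(data, off)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "flags": flags})
        off += SECTION_HDR.size
    return {
        "machine": MACHINE_NAMES.get(machine, "unknown(0x%x)" % machine),
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "pe32plus": magic == 0x20B,
        "image_base": image_base,
        "entry_point": entry_point,
        "sections": sections,
        "file_size": len(data),
    }


def section_for_rva(pe, rva):
    """Return the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage(pe):
    """Cheap header heuristics; each finding is a human-readable string."""
    findings = []
    ep = section_for_rva(pe, pe["entry_point"])
    if ep is None:
        findings.append("entry point 0x%x is outside every section" % pe["entry_point"])
    elif ep["flags"] & SCN_MEM_WRITE and ep["flags"] & SCN_MEM_EXECUTE:
        findings.append("entry point in writable+executable section %s" % ep["name"])
    for s in pe["sections"]:
        if s["rawsize"] and s["vsize"] > 4 * s["rawsize"]:
            findings.append("%s: virtual size 0x%x far exceeds raw size 0x%x (filled at runtime?)"
                            % (s["name"], s["vsize"], s["rawsize"]))
        if s["rawptr"] + s["rawsize"] > pe["file_size"]:
            findings.append("%s: raw data extends past end of file" % s["name"])
    return findings


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for k, v in pe.items():
        print(k, v)
    print(triage(pe))
```

Swap `build_sample_pe()` for `open(path, "rb").read()` to run it over a real file. For the fields this example leaves out (the import and export directories, resources), the RVAs in the optional header's data directories have to be mapped to file offsets through the section table in exactly the way `section_for_rva` does; a full parser such as the `pefile` library does that work for you.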
The next part will walk through the labs of Chapter 1 of the Practical Malware Analysis book.