Lecture 2

Static analysis is a method for examining suspect files without executing them, focusing on file type identification and malware fingerprinting. Determining the file type helps identify the target operating system and architecture, while fingerprinting uses cryptographic hashes to uniquely identify malware samples. Tools like VirusTotal and Resource Hacker assist in analyzing file headers, dependencies, and resources to uncover valuable information about the malware's functionality and origin.


Static Analysis

Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.

Determining the File Type

During your analysis, determining the file type of a suspect binary will help you identify the malware's target operating system (Windows, Linux, and so on) and architecture (32-bit or 64-bit platforms).

For example, if the suspect binary has a file type of Portable Executable (PE), which is the file format for Windows executable files (.exe, .dll, .sys, .drv, .com, .ocx, and so on), then you can deduce that the file is designed to target the Windows operating system.

Most Windows-based malware is delivered as executable files ending with extensions such as .exe, .dll, .sys, and so on. But relying on file extensions alone is not recommended: the file extension is not the sole indicator of file type. Attackers use different tricks to disguise their file by modifying the file extension and changing its appearance to trick users into executing it. Instead of relying on the file extension, the file signature (the bytes at the start of the file) can be used to determine the file type.

Identifying File Type Using Manual Method

The manual method of determining the file type is to look for the file signature by opening it in a hex editor.

A hex editor is a tool that allows an examiner to inspect each byte of the file; most hex editors provide many functionalities that help in the analysis of a file. The following screenshot shows the file signature of MZ in the first two bytes when an executable file is opened with the HxD hex editor.
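The following Python script is an added example, not part of the lecture slides. It applies the file-signature idea above without executing anything: it identifies a file by its leading bytes rather than its name, and it flags the two cases the slides warn about, an extension that does not match the signature and a double extension such as .xls.exe. The signature table, the extension map and the sample headers are constructed for the example.

```python
import os

# Well-known leading-byte signatures (constructed table for this example).
SIGNATURES = [
    ("PE",   b"MZ",                               "DOS/Windows executable (PE)"),
    ("ELF",  b"\x7fELF",                          "ELF executable (Linux/Unix)"),
    ("OLE2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (.doc/.xls)"),
    ("ZIP",  b"PK\x03\x04",                       "ZIP archive (also .docx/.xlsx/.jar)"),
    ("PDF",  b"%PDF-",                            "PDF document"),
]

# What a trusting user expects from the extension alone.
EXPECTED = {".exe": "PE", ".dll": "PE", ".sys": "PE", ".scr": "PE",
            ".doc": "OLE2", ".xls": "OLE2", ".docx": "ZIP", ".xlsx": "ZIP",
            ".zip": "ZIP", ".pdf": "PDF"}


def identify(header):
    """Return the format key for the first bytes of a file, or 'unknown'."""
    for key, magic, _ in SIGNATURES:
        if header.startswith(magic):
            return key
    return "unknown"


def classify(filename, header):
    """Compare what the name suggests with what the bytes say.
    Returns (format_key, findings); an empty findings list means consistent."""
    findings = []
    actual = identify(header)
    root, ext = os.path.splitext(filename.lower())
    expected = EXPECTED.get(ext)
    if expected and actual != expected:
        findings.append(f"extension {ext} suggests {expected} but signature says {actual}")
    inner = os.path.splitext(root)[1]            # the '.xls' in 'invoice.xls.exe'
    if actual == "PE" and inner in EXPECTED and EXPECTED[inner] != "PE":
        findings.append(f"double extension {inner}{ext}: executable posing as {EXPECTED[inner]}")
    return actual, findings


def classify_path(path):
    """Read only the first 16 bytes; the file is never executed or fully loaded."""
    with open(path, "rb") as f:
        return classify(os.path.basename(path), f.read(16))


if __name__ == "__main__":
    # Constructed headers standing in for real files on disk.
    samples = {
        "invoice.xls.exe": b"MZ\x90\x00\x03\x00\x00\x00",
        "report.pdf":      b"MZ\x90\x00\x03\x00\x00\x00",
        "budget.xls":      b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00",
    }
    for name, hdr in samples.items():
        fmt, notes = classify(name, hdr)
        print(f"{name:18} -> {fmt:8} {'; '.join(notes) or 'consistent'}")
```

The check is deliberately limited to the leading bytes: an MZ header tells you the container is a DOS/PE file, and confirming the PE signature at e_lfanew is the next step of the header walk rather than part of type identification.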
Fingerprinting the Malware

Fingerprinting involves generating the cryptographic hash values for the suspect binary based on its file content. Cryptographic hashing algorithms such as MD5, SHA1 or SHA256 are considered the de facto standard for generating file hashes for malware specimens. The following list outlines the use of cryptographic hashes:

1. Identifying a malware specimen based on filename is ineffective because the same malware sample can use different filenames, but the cryptographic hash that is calculated based on the file content will remain the same. Hence, a cryptographic hash for your suspect file serves as a unique identifier throughout the course of analysis.

2. During dynamic analysis, when malware is executed, it can copy itself to a different location or drop another piece of malware. Having the cryptographic hash of the sample can help in identifying whether the newly dropped/copied sample is the same as the original sample or a different one. This information can assist you in deciding whether the analysis needs to be performed on a single sample or multiple samples.

3. A file hash is frequently used as an indicator to share with other security researchers to help them identify the sample.

4. A file hash can be used to determine whether the sample has been previously detected by searching online or searching the database of a multi-antivirus scanning service like VirusTotal.
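As an added example (not from the lecture), the Python below covers the four uses listed: hashing content rather than names, grouping an original sample and the files it dropped by digest to decide how many distinct samples need analysis, and checking a digest against a set of hashes shared by other researchers. The sample bytes and the known-hash set are constructed; a real run would hash files from disk with fingerprint_file().

```python
import hashlib

HASH_ALGORITHMS = ("md5", "sha1", "sha256")


def fingerprint(data, algorithms=HASH_ALGORITHMS):
    """Hash the file content. The digest depends only on the bytes, never on
    the filename, so it stays stable however the sample is renamed."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def fingerprint_file(path, algorithms=HASH_ALGORITHMS, chunk_size=1 << 20):
    """Same as fingerprint() but streams the file so large samples fit in memory."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def group_by_content(samples):
    """Given {name: bytes} for the original sample and everything it dropped or
    copied during dynamic analysis, group the names by SHA-256. One group means
    one sample to analyse; several groups mean several distinct samples."""
    groups = {}
    for name, data in samples.items():
        digest = fingerprint(data, ("sha256",))["sha256"]
        groups.setdefault(digest, []).append(name)
    return groups


def match_known(data, known_sha256):
    """Check a sample against hashes shared by other researchers or looked up in
    a scanning service. SHA-256 is used for the comparison rather than MD5,
    which has known collision attacks, so the indicator stays trustworthy."""
    return fingerprint(data, ("sha256",))["sha256"] in known_sha256


if __name__ == "__main__":
    # Constructed sample content; paths are illustrative, not real samples.
    original = b"MZ\x90\x00" + b"\x00" * 60 + b"constructed sample body"
    samples = {
        "C:/Users/victim/Downloads/invoice.exe": original,
        "C:/Windows/Temp/svchost.exe": original,             # copied itself
        "C:/Windows/Temp/update.dll": original + b"\x01",   # a different payload
    }
    for digest, names in group_by_content(samples).items():
        print(digest[:16], "...", names)
```

Because the VirusTotal interface also accepts a hash as a search key, querying the SHA-256 first tells you whether a sample is already known before you decide whether to upload the file itself.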
Scanning the Suspect Binary with VirusTotal

VirusTotal (http://www.virustotal.com) is a popular web-based malware scanning service. It allows you to upload a file, which is then scanned with various anti-virus scanners, and the scan results are presented in real time on the web page. In addition to uploading files for scanning, the VirusTotal web interface provides you the ability to search their database using a hash, URL, domain, or IP address.
Analyzing The PE Header

The PE (Portable Executable) header is the first part of a Windows executable file that contains important information about the file, including:

Signature: Indicates that the file is a PE file

COFF (Common Object File Format) header: Describes the file's format and architecture

Optional header: Contains information about the executable, including its size, required subsystem, and the address of the entry point

Section headers: Describe the layout of the file's sections and their characteristics, such as their size, permissions, and location in memory

You can inspect the PE header information of a Windows executable file using a tool such as Microsoft's PEview or a hex editor.
The PE header contains the information the OS requires to run the executable. In static analysis, we are looking for information about the executable that can give us a glimpse of its functionality and origin.

What information are we interested in?

1. Compiler stamp - When and where the malware was compiled.

2. Subsystem - What subsystem is being used?

3. Sections - Is the executable packed, and are there any inconsistent permissions?

4. Libraries & imports - What libraries and imports are being used, and what information do they give us about the functionality of the malware?


PE Header Structure (figure, not reproduced)

Sections (PE Sections) (figure, not reproduced)
Inspecting File Dependencies and Imports

Malware interacts with the file system, registry, network, and so on. To perform such interactions, malware frequently depends on the functions exposed by the operating system. Windows exports most of its functions, called Application Programming Interfaces (API), required for these interactions in Dynamic Link Library (DLL) files. Executables import and call these functions typically from various DLLs that provide different functionality. The functions that an executable imports from other files (mostly DLLs) are called imported functions (or imports).

For example, if a malware executable wants to create a file on disk on Windows, it can use the API CreateFile(), which is exported by kernel32.dll. To call the API, it first has to load kernel32.dll into its memory and then call the CreateFile() function.

Inspecting the DLLs that a malware relies upon and the API functions that it imports from the DLLs can give an idea about the functionality and capability of the malware and what to anticipate during its execution. The file dependencies in Windows executables are stored in the import table of the PE file structure.
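The Python below is an added example, not code from the lecture or from pestudio. It serves both the PE header checklist above (compile timestamp, subsystem, entry point, section packing and permission checks) and this section on dependencies: it walks DOS header, PE signature, COFF header, optional header and section table, then follows the import data directory to list each DLL and the functions taken from it. build_sample_pe() constructs a minimal PE32 image in memory so the script runs offline; that image is test data, not a real or runnable program. Thunk width and data-directory offset are switched on the optional-header magic so the same walk applies to PE32+ files.

```python
import struct
import time

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
SUBSYSTEMS = {2: "WINDOWS_GUI", 3: "WINDOWS_CUI"}
SECTION_FMT = "<8sIIIIIIHHI"


def build_sample_pe(timestamp=1700000000):
    """Constructed PE32 test image (not a runnable program): one .text section
    holding an import table for kernel32.dll, plus an empty, writable and
    executable UPX0 section of the kind a packer leaves behind."""
    text = bytearray(0x200)                            # raw bytes of .text, RVA 0x1000
    text[0x28:0x35] = b"kernel32.dll\0"
    text[0x38:0x46] = struct.pack("<H", 0) + b"CreateFileW\0"   # hint + name
    text[0x46:0x52] = struct.pack("<H", 0) + b"WriteFile\0"
    thunks = struct.pack("<III", 0x1038, 0x1046, 0)    # RVAs of hint/name entries
    text[0x58:0x64] = thunks                           # import name table (INT)
    text[0x68:0x74] = thunks                           # import address table (IAT)
    text[0:20] = struct.pack("<IIIII", 0x1058, 0, 0, 0x1028, 0x1068)  # descriptor
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, 2, timestamp, 0, 0, 224, 0x102)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", 0x10B, 14, 0,
                      0x200, 0, 0x3000, 0x1100, 0x1000, 0x2000, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x5000, 0x200, 0, 2, 0x8140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)
    dirs[8:16] = struct.pack("<II", 0x1000, 40)        # data directory 1: imports
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b"UPX0", 0x3000, 0x2000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    headers = dos + b"PE\0\0" + coff + opt + bytes(dirs) + secs
    return headers.ljust(0x200, b"\0") + bytes(text)


def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["rptr"]
    raise ValueError(f"RVA {rva:#x} is outside every section")


def parse_imports(data, sections, import_rva, thunk_size):
    """Walk IMAGE_IMPORT_DESCRIPTORs up to the all-zero terminator and collect
    the function names each DLL provides (ordinal imports carry no name)."""
    imports, fmt = {}, ("<I" if thunk_size == 4 else "<Q")
    off = rva_to_offset(import_rva, sections) if import_rva else None
    while off is not None:
        orig_thunk, _, _, name_rva, first_thunk = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_offset(orig_thunk or first_thunk, sections)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            if entry >> (thunk_size * 8 - 1):                   # ordinal flag set
                funcs.append(f"ordinal#{entry & 0xFFFF}")
            else:                                               # skip 2-byte hint
                funcs.append(read_cstr(data, rva_to_offset(entry, sections) + 2))
            thunk += thunk_size
        imports[read_cstr(data, rva_to_offset(name_rva, sections)).lower()] = funcs
        off += 20
    return imports


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B PE32, 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)             # data directories start
    import_rva = struct.unpack_from("<I", data, dir_off + 8)[0]
    sections = []
    for i in range(nsect):
        f = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1],
                         "va": f[2], "rsize": f[3], "rptr": f[4], "chars": f[9]})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "compiled": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(stamp)),
            "subsystem": SUBSYSTEMS.get(subsystem, subsystem), "entry_point": entry,
            "sections": sections,
            "imports": parse_imports(data, sections, import_rva, 4 if magic == 0x10B else 8)}


def section_warnings(sections):
    """The two section checks from the slide: packed (no bytes on disk, large
    virtual size) and inconsistent permissions (writable and executable)."""
    warnings = []
    for s in sections:
        if s["rsize"] == 0 and s["vsize"] >= 0x1000:
            warnings.append(f"{s['name']}: 0 raw bytes but {s['vsize']:#x} virtual (packer target?)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            warnings.append(f"{s['name']}: writable and executable")
    return warnings


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key in ("machine", "compiled", "subsystem", "entry_point", "imports"):
        print(f"{key:12} {info[key]}")
    print("warnings    ", section_warnings(info["sections"]))
```

For a real sample, replace build_sample_pe() with the bytes read from disk; the parser never maps or executes the image, it only reads header fields, so it is safe to run against a suspect file.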


The Libraries button in pestudio displays all the DLL files the executable depends on and the number of functions imported from each DLL. These are the DLL files that will be loaded into memory when the program is executed.
Examining PE Resources

The resources required by the executable file, such as icons, menus, dialogs, and strings, are stored in the resource section (.rsrc) of an executable file.

Often, attackers store information such as additional binaries, decoy documents, and configuration data in the resource section, so examining the resources can reveal valuable information about a binary.

The resource section also contains version information that can reveal information about the origin, company name, program author details, and copyright information.


Resource Hacker (http://www.angusj.com/resourcehacker/) is a great tool to examine, view, and extract the resources from a suspect binary. Let's take an example of a binary that looks like an Excel file on the disk (notice how the file extension is changed to .xls.exe), as shown here:

Loading the malicious binary in Resource Hacker shows three resources (Icon, Binary, and Icon Group). The malware specimen uses the icon of Microsoft Excel (to give the appearance of an Excel sheet).

The executable also contains binary data; one of the binary resources has a file signature of D0 CF 11 E0 A1 B1 1A E1. This sequence of bytes represents the file signature for a Microsoft Office document file. The attackers, in this case, stored a decoy Excel sheet in the resource section. Upon execution, the malware runs in the background, and this decoy Excel sheet is displayed to the user as a diversion.

To save the binary to disk, right-click on the resource that you want to extract and click on Save Resource to a *.bin file. In this case, the resource was saved as sample.xls. The following screenshot shows the decoy Excel sheet that will be displayed to the user:
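As an added example (not from the lecture and not Resource Hacker's code), the Python below does in a script what the walkthrough above does by hand: it scans a binary for the signatures of objects an attacker might stash in the resource section, including the D0 CF 11 E0 A1 B1 1A E1 sequence of a Microsoft Office document, and slices the embedded object out to a file. The signature table and the sample container are constructed; the assumption that the object ends at the next signature or at end of file is a heuristic, and the resource data entry's Size field should be preferred whenever it is available.

```python
# Signatures worth looking for inside a binary's data (constructed list of
# well-known magic values; the first is the sequence shown on the slide).
EMBEDDED_SIGNATURES = {
    "OLE2 document (.doc/.xls)": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "ZIP/OOXML archive": b"PK\x03\x04",
    "PDF document": b"%PDF-",
    "PE executable": b"MZ",
}


def _has_pe_signature(data, mz_off):
    """'MZ' alone is two common bytes; require PE\\0\\0 at e_lfanew as well."""
    if mz_off + 0x40 > len(data):
        return False
    e_lfanew = int.from_bytes(data[mz_off + 0x3C:mz_off + 0x40], "little")
    return data[mz_off + e_lfanew:mz_off + e_lfanew + 4] == b"PE\0\0"


def find_embedded(data, start=1):
    """Return sorted (offset, description) pairs for every known signature at or
    after `start`; offset 0 is skipped because it is the container's own header."""
    hits = []
    for desc, magic in EMBEDDED_SIGNATURES.items():
        pos = data.find(magic, start)
        while pos != -1:
            if magic != b"MZ" or _has_pe_signature(data, pos):
                hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def carve(data, offset, size=None):
    """Slice one embedded object out. The magic bytes say nothing about length,
    so pass the Size from the resource data entry when you have it (that is what
    Resource Hacker saves); otherwise stop at the next signature or end of file."""
    if size is None:
        later = [off for off, _ in find_embedded(data, offset + 1)]
        size = (later[0] if later else len(data)) - offset
    return data[offset:offset + size]


def save_carved(data, offset, path, size=None):
    """Write the carved object to disk for inspection with document tooling."""
    blob = carve(data, offset, size)
    with open(path, "wb") as f:
        f.write(blob)
    return len(blob)


if __name__ == "__main__":
    # Constructed stand-in for a dropper: a minimal PE header followed by an
    # OLE2 header where its resource data would be. Not a real executable.
    container = b"MZ" + bytes(58) + (0x40).to_bytes(4, "little") + b"PE\0\0" + bytes(0x100)
    container += b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"decoy sheet"
    for off, desc in find_embedded(container):
        print(f"{off:#08x}: {desc}, {len(carve(container, off))} bytes")
```

The carved file should be opened only in an isolated analysis environment and treated as a second sample: a decoy document can carry its own macros or exploit content, so fingerprint it and examine it statically before anything else.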
