Week 4
Malware Analysis
Spring 2025
Contents
Objectives of static analysis
Techniques for basic static analysis
• Using an AV tool!
• Hashing
• Finding strings
• Finding linked libraries and functions
• Handling packed and obfuscated malware
Malware Analysis 3
AV Scanning
An AV scanning tool is commonly used to check if a given malware
sample is already known to the world
One scanner may not be able to detect the malware…
• The malware scanners depend on signature databases to detect
malware
• Behavioral and pattern-matching analysis (heuristics) is also carried out
to identify suspect files
• Malware writers can easily modify their code, thereby changing
their program’s signature and evading virus scanners
• The database may not have signatures of rare, uncommon malware
• Heuristics are generally successful in identifying unknown malicious
code, but can be bypassed by unique, new malware
AV Scanning
Due to the stated reasons, it is advisable to use multiple AV
scanners to enhance detection probability
VirusTotal is a well-known online resource which analyses a given
sample using multiple scanners
VirusTotal generates a report that provides:
• The total number of engines that marked the file as malicious
• The malware name
• Any additional information available about the malware
Hashing
Hashing is a concept from cryptography
A hashing function returns a fixed-length string, called the hash value or
simply the hash, when applied to input data of any length
The hash value can be thought of as a fingerprint for the data
• Ideally, no two inputs should have the same hash value
• That’s impossible in the strict sense (there are more possible inputs than
hash values), but the hash functions in use today make collisions so unlikely
that a hash value is, in practice, unique
For malware analysis, calculating a malware sample’s hash using a
well known algorithm may be helpful
• We can share its hash with the community to see if anyone has seen it!
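As an added example (not part of the slides), the Python below hashes a constructed stand-in sample with MD5, SHA-1 and SHA-256, shows that changing a single byte changes every digest (which is why a modified sample no longer matches a hash-based signature), and condenses a VirusTotal-style report into the three items listed on the AV Scanning slide. The report is constructed offline; its field layout (data.attributes.last_analysis_stats and last_analysis_results) is an assumption based on VirusTotal's v3 file object, and nothing is queried over the network.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-in for a sample (not real malware): a fake DOS stub.
SAMPLE = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Fingerprint an in-memory sample with the three hashes most often shared."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so a large sample never has to sit in memory at once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def file_hash_matches_bytes(data: bytes) -> bool:
    """Write data to a temporary file and confirm both hashing paths agree."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return hash_file(path) == hash_bytes(data)
    finally:
        os.unlink(path)


def summarize_report(report: dict) -> dict:
    """Reduce a VirusTotal-style file report to the three items the slides list.

    Assumption: the layout data.attributes.last_analysis_stats and
    data.attributes.last_analysis_results follows VirusTotal's v3 file object.
    The report handled here is constructed offline; nothing is queried.
    """
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    results = attrs["last_analysis_results"]
    names = sorted({
        r["result"] for r in results.values()
        if r.get("category") == "malicious" and r.get("result")
    })
    return {
        "malicious": stats.get("malicious", 0),  # engines that flagged the file
        "engines": sum(stats.values()),          # engines that looked at it
        "names": names,                          # detection names, deduplicated
    }


# Constructed report: engine names and verdicts are invented for the example.
EXAMPLE_REPORT = {
    "data": {
        "id": hash_bytes(SAMPLE)["sha256"],
        "attributes": {
            "last_analysis_stats": {"malicious": 2, "undetected": 1, "type-unsupported": 1},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Example.A"},
                "EngineB": {"category": "malicious", "result": "Generic.Example"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "type-unsupported", "result": None},
            },
        },
    }
}

if __name__ == "__main__":
    digests = hash_bytes(SAMPLE)
    tampered = hash_bytes(SAMPLE[:-1] + b"!")  # one byte changed: every digest changes
    print(json.dumps({"original": digests, "tampered": tampered}, indent=2))
    print("file and memory hashes agree:", file_hash_matches_bytes(SAMPLE))
    print(json.dumps(summarize_report(EXAMPLE_REPORT), indent=2))
```

The chunked `hash_file` is the form to use on real samples: it reads the file once and feeds all three hashers, so a multi-gigabyte dump costs one pass and constant memory. The SHA-256 is the value to share; MD5 is still widely quoted in reports, but collisions can be manufactured for it, so it should not be the only identifier.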
Finding Strings
A string is a sequence of ‘printable’ characters
Programs usually use strings for:
• Displaying messages to the user
• Storing a URL
• Storing a filename
• Storing a registry entry, etc.
Strings present in code may give you a hint at the possible
function of the program
Finding Strings
Both ASCII and Unicode formats store characters in sequences
that end with a NULL character (the terminator) to indicate that the
string is complete
ASCII strings use 1 byte per character, and Unicode uses 2 bytes
per character
• Other Unicode encodings also exist, such as UTF-8, UTF-16 and UTF-32
Finding Strings
The figure shows the string “BAD” stored as ASCII and Unicode
The ASCII string is stored as the bytes 0x42, 0x41, 0x44, and 0x00,
where 0x42 is the ASCII representation of a capital letter B, 0x41
represents the letter A, and so on
The 0x00 at the end is the NULL character, the string terminator
The Unicode string is stored as the bytes 0x42, 0x00, 0x41, 0x00, …
The terminator for a Unicode string is 0x00, 0x00
Finding Strings
The SysInternals Strings utility (http://bit.ly/ic4plL) can be used to search
an executable for strings, which are typically stored in either ASCII or
Unicode format
The Strings utility searches for sequences of three or more ASCII or
Unicode characters followed by a NULL character
Strings ignores context and formatting, so that it can analyze any file type
and detect strings across an entire file
• It may identify bytes of characters as strings when they are not!
The strings detected by Strings may not be actual strings!
• The sequence of bytes 0x56, 0x50, 0x33, 0x00 may not be the string “VP3”
• This could be a memory address, CPU instructions, or numeric data
Strings leaves it up to the analyst to filter out the invalid strings…
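The byte layouts from the “BAD” slide and the search rule described above, as an added Python example that is not part of the slides or of the SysInternals tool: `encode_ascii` and `encode_unicode` produce the terminated byte forms, and `find_strings` scans a buffer for runs of three or more printable characters followed by a terminator, in both encodings, the way the slides describe the Strings rule. The buffer it runs on is constructed here; it contains real strings, the “VP3” false positive from the slide, and noise, so the output shows why the analyst still has to filter.

```python
import re

MIN_LEN = 3  # Strings' default: three or more characters


def encode_ascii(text: str) -> bytes:
    """ASCII string as it sits in a binary: one byte per character plus 0x00."""
    return text.encode("ascii") + b"\x00"


def encode_unicode(text: str) -> bytes:
    """'Unicode' in the Windows sense: two bytes per character plus 0x00 0x00."""
    return text.encode("utf-16-le") + b"\x00\x00"


def _patterns(min_len: int):
    # Printable ASCII: a run of bytes 0x20..0x7e (plus tab) followed by a NULL
    # byte or the end of the data, as the slides describe the tool's rule.
    ascii_run = re.compile(rb"[\x20-\x7e\t]{%d,}(?=\x00|$)" % min_len)
    # Unicode: the same printable byte followed by 0x00 for each character,
    # terminated by 0x00 0x00 or the end of the data.
    unicode_run = re.compile(rb"(?:[\x20-\x7e\t]\x00){%d,}(?=\x00\x00|$)" % min_len)
    return ascii_run, unicode_run


def find_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, kind, text) for every ASCII and Unicode string candidate."""
    ascii_run, unicode_run = _patterns(min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_run.finditer(data)]
    found += [(m.start(), "unicode", m.group().decode("utf-16-le"))
              for m in unicode_run.finditer(data)]
    return sorted(found)


PAD = b"\x00\xff\x01\x00"  # constructed non-printable filler between fields

# Constructed buffer standing in for a file: real strings, a false positive, noise.
SAMPLE = (
    encode_ascii("BAD") + PAD
    + encode_unicode("BAD") + PAD
    + encode_ascii("GetLayout") + PAD
    + encode_unicode("GDI32.DLL") + PAD
    + bytes([0x56, 0x50, 0x33, 0x00]) + PAD  # "VP3": could be an address, code or data
    + b"\x12\x34\x56" + PAD                   # too few printable bytes in a row
)

if __name__ == "__main__":
    for offset, kind, text in find_strings(SAMPLE):
        print(f"{offset:#06x}  {kind:7}  {text}")
```

Raising `min_len` is the usual first filter: at four characters the “VP3” hit disappears, but so does the genuine “BAD”, which is the trade-off the analyst accepts when tuning the tool. Note also that two strings laid out back to back with no filler between them can merge into one candidate, another reason the raw output needs reading rather than trusting.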
Finding Strings
With experience, you’ll see that most invalid strings are obvious,
because they do not represent legitimate text
For example, see the result of running Strings on the file bp6.ex_:
Finding Strings
Some strings may be easily ignored
• If a string is short and doesn’t correspond to words, it’s probably
meaningless
Finding Strings
On the other hand, the strings GetLayout and SetLayout represent
Windows functions used by the Windows graphics library!
• These can be identified as meaningful strings because Windows
function names normally begin with a capital letter and subsequent
words also begin with a capital letter
Finding Strings
GDI32.DLL is meaningful because it’s the name of a common
Windows Dynamic Link Library (DLL) used by graphics programs
• DLL files contain executable code that is shared among multiple
applications
Finding Strings
You guessed right! 99.124.22.1 is an IP address, most probably one
that the malware will use
Finding Strings
“Mail system DLL is invalid! Send Mail failed to send message.” is an
error message
• The most useful information obtained by Strings is most often found in
error messages!
Finding Strings
This particular error message reveals two things:
• The subject malware sends messages (through email)
• It depends on a Mail System DLL
Finding Strings
This information suggests that the analyst should:
• Check email logs for suspicious traffic
• Check whether another DLL (the mail system DLL) is associated with this
particular malware
The missing DLL itself may not necessarily be malicious!
Malware often uses legitimate libraries and DLLs for its purposes
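The filtering rules of the last several slides (short non-words are junk, CapitalisedWords look like Windows API names, .DLL names, IP addresses, and multi-word error text) written out as an added Python triage pass; this is example code, not part of the slides or of any tool. The input list is constructed from the strings the slides discuss plus an invented URL and registry key; the regular expressions are rules of thumb that shorten the list, not proof of what a string is.

```python
import ipaddress
import re

# Heuristics from the slides as regular expressions. All are rules of thumb:
# they cut the list down, they do not prove anything about a string.
WINDOWS_API = re.compile(r"^[A-Z][a-z0-9]+(?:[A-Z][a-z0-9]*)+$")          # GetLayout, CreateFileW
DLL_NAME = re.compile(r"^[\w.-]+\.(?:dll|exe|sys|ocx)$", re.IGNORECASE)    # GDI32.DLL
URL = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)
REGISTRY_KEY = re.compile(r"^(?:HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\", re.IGNORECASE)


def is_ip_address(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def looks_like_message(s: str) -> bool:
    """Three or more words containing letters: error and status text reads like this."""
    words = [w for w in s.split() if re.search(r"[A-Za-z]", w)]
    return len(words) >= 3


def classify(s: str) -> str:
    if is_ip_address(s):
        return "ip-address"
    if URL.match(s):
        return "url"
    if REGISTRY_KEY.match(s):
        return "registry-key"
    if DLL_NAME.match(s):
        return "dll-name"
    if WINDOWS_API.match(s):
        return "windows-api"
    if looks_like_message(s):
        return "message"
    return "junk"  # short or not words: probably addresses, code or numeric data


def triage(strings) -> dict:
    """Group candidate strings by category, preserving their order of appearance."""
    groups = {}
    for s in strings:
        groups.setdefault(classify(s), []).append(s)
    return groups


def hints(groups: dict) -> list:
    """Turn the grouped strings into the follow-up checks the slides suggest."""
    out = []
    for dll in groups.get("dll-name", []):
        out.append(f"depends on library {dll}; confirm whether it is a legitimate system DLL")
    for ip in groups.get("ip-address", []):
        out.append(f"check network logs for traffic to {ip}")
    for url in groups.get("url", []):
        out.append(f"check proxy and DNS logs for {url}")
    for key in groups.get("registry-key", []):
        out.append(f"check {key} on affected hosts")
    for msg in groups.get("message", []):
        out.append(f"status or error text, usually the most telling finding: {msg!r}")
    if groups.get("windows-api"):
        out.append("API names hint at capabilities: " + ", ".join(groups["windows-api"]))
    return out


# Constructed input: the strings from the slides plus two invented ones.
CONSTRUCTED_STRINGS = [
    "VP3", "!$#", "GetLayout", "SetLayout", "GDI32.DLL", "99.124.22.1",
    "Mail system DLL is invalid! Send Mail failed to send message.",
    "http://example.invalid/update",               # invented URL
    "HKEY_CURRENT_USER\\Software\\ExampleVendor",  # invented registry key
]

if __name__ == "__main__":
    groups = triage(CONSTRUCTED_STRINGS)
    for category, items in groups.items():
        print(f"{category:13} {items}")
    for line in hints(groups):
        print("->", line)
```

The order of checks in `classify` matters: an IP address or URL is tested before the looser patterns so that dotted names are not mistaken for DLLs, and the CapitalisedWords test comes late because it is the loosest rule. A DLL name landing in the output is a lead, not a verdict; as the slide says, the library itself is usually legitimate, and the question is why this program needs it.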