Experiment 3.4

The document outlines a procedure for performing static analysis on suspicious files and analyzing system behavior using VirusTotal to detect malware. It details steps for file collection, basic information analysis, static analysis techniques, and VirusTotal usage, emphasizing the importance of examining file characteristics without execution. Additionally, it discusses optional dynamic analysis and the documentation of findings for cybersecurity purposes.
Experiment-3.4

Aim:- Performing Static Analysis on a Suspicious File and System Behaviour Analysis

Mapped CO :-

CO5: To analyze the methods used to perform critical analysis of data in order to identify evidence

Objective:- To understand how to perform static analysis on a suspicious file and how to analyze system
behavior using VirusTotal to detect potential malware.

Theory:- Static analysis on a suspicious file involves examining its characteristics without
executing it to identify potential malicious traits. The process begins with gathering basic file
information, such as its type, format, and cryptographic hashes (MD5, SHA-1, SHA-256), which
can be compared against known malware databases like VirusTotal. Extracting readable text from
the file using tools like strings or BinText helps identify suspicious elements such as URLs, IP
addresses, API calls, and commands. Further analysis of the Portable Executable (PE) headers
using PEStudio or CFF Explorer can reveal anomalies, including unusual section names, abnormal
imports like VirtualAlloc or WriteProcessMemory, and inconsistencies in timestamps. Additionally,
embedded resources can be inspected for hidden payloads or encryption methods, and packed files
can be unpacked using tools like UPX. Checking the digital signature of an executable using
sigcheck.exe helps determine its legitimacy, as unsigned or self-signed files can indicate potential
threats.
System behavior analysis using VirusTotal provides deeper insights by allowing the submission of
files, URLs, and domains for multi-engine scanning. When a file is uploaded, VirusTotal checks it
against multiple antivirus databases and presents a detection score based on previous and real-time
scans. The platform also offers dynamic analysis, where the file is executed in a sandbox
environment to observe its behavior, including attempts to modify system files, make registry
changes for persistence, establish network connections, or inject malicious code into other
processes. VirusTotal Graph further aids in investigating file relationships, helping security analysts
connect a file to known malware families or threat actor campaigns. Additionally, URL and domain
reputation checks provide insights into phishing sites and malicious servers. For automation,
VirusTotal’s API allows security teams to integrate file and URL scanning into their workflows,
improving threat intelligence and response capabilities. Combining static analysis with VirusTotal’s
behavioral insights enhances malware detection and investigation, making it a crucial approach in
cybersecurity.
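The PE header checks described above (section names and compile timestamp) as an added example; this is not code from the original document. It constructs a minimal PE-shaped buffer inline, so it runs without any real sample, and the anomaly rules are assumptions chosen to match the theory section.

```python
# Added example (not from the original document): parse the PE headers of a
# constructed, minimal Windows executable image to pull out the fields the
# theory section names (section names, compile timestamp) and flag anomalies.
import struct
from datetime import datetime, timezone

# Section names a normal compiler or linker emits; anything else deserves a look.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata",
                   ".edata", ".rsrc", ".reloc", ".pdata"}

def build_sample_pe(section_names, timestamp):
    """Constructed stand-in for a suspicious file: DOS header, PE signature,
    COFF header (no optional header) and a section table. Not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, OptHdrSize, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), timestamp, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return dos + b"PE\x00\x00" + coff + table

def parse_pe(data):
    """Return machine type, TimeDateStamp and section names from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsec):
        raw = data[sec_off + i * 40: sec_off + i * 40 + 8]  # 40-byte section header, 8-byte name
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {"machine": machine, "timestamp": ts, "sections": names}

def find_anomalies(info, now=None):
    """Human-readable findings; 'now' lets a caller pin the clock (assumed rule set)."""
    now = now or int(datetime.now(timezone.utc).timestamp())
    findings = []
    for name in info["sections"]:
        if name not in COMMON_SECTIONS:
            findings.append(f"unusual section name {name!r} (packer or custom loader?)")
    if info["timestamp"] == 0 or info["timestamp"] > now:
        findings.append("compile timestamp is zero or in the future (possibly forged)")
    return findings

if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata", "UPX0", "UPX1"], timestamp=0)
    info = parse_pe(sample)
    print(datetime.fromtimestamp(info["timestamp"], timezone.utc), info["sections"])
    for finding in find_anomalies(info):
        print("!", finding)
```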
Step 1: File Collection & Environment Setup
1. Obtain a suspicious file (ensure it's in a controlled environment).
2. Move the file to a safe analysis environment (preferably a VM).
3. Ensure all necessary tools are installed.
Step 2: Basic File Information Analysis
1. Check the file extension to identify its format (e.g., .exe, .dll, .doc, etc.).
2. Use the file command in Linux or right-click properties in Windows to get metadata.
3. Note the file size, creation date, and hashes (MD5, SHA-256) using:
o Windows: certutil -hashfile <filename> MD5 / SHA256
o Linux: md5sum <filename> / sha256sum <filename>

Step 3: Static Analysis
1. Open the file in a hex editor and inspect for suspicious headers or signatures.
2. Use PE Studio or PEiD to analyze the file structure:
o Identify compiler details and sections (e.g., .text, .data, .rdata).
o Look for suspicious API calls and obfuscation techniques.
o Check for digital signatures.
3. Run Strings analysis:
o Use strings <filename> in Linux or tools like Strings from Sysinternals.
o Look for suspicious URLs, IP addresses, registry keys, or encoded data.
Step 4: VirusTotal Analysis
1. Go to VirusTotal.
2. Upload the suspicious file (or enter its hash if previously scanned).
3. Review scan results from multiple AV engines.
4. Analyze file behavior based on VirusTotal’s behavioral insights.
5. Look at the Community tab for comments and additional threat intelligence.
Step 5: System Behavior Analysis (Optional)
1. If dynamic analysis is required:
o Use tools like Procmon, Wireshark, or Cuckoo Sandbox.
o Monitor file activity, registry changes, and network communications.
2. Review any abnormal behavior such as unauthorized processes or system modifications.

Step 6: Documentation & Reporting
1. Document all findings, including:
o File metadata and hash values.
o PE analysis results and suspicious indicators.
o VirusTotal results and detections.
o Any behavioral indicators.
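Steps 2 and 3 of the procedure (hashing the file, then running a strings analysis and sorting the hits into URLs, IP addresses, registry keys and API names) as an added example; this is not code from the original document. The sample buffer is constructed inline so the script runs offline; the SHA-256 it prints is the value you would paste into VirusTotal in Step 4.

```python
# Added example (not from the original document): compute the Step 2 hashes and
# run the Step 3 strings triage over a constructed stand-in for a suspicious file.
import hashlib
import re

# Constructed sample: non-printable junk around a few embedded strings of the
# kinds the procedure says to look for (URL, IP, registry Run key, API names).
SAMPLE = (b"MZ\x90\x00" + b"\xff" * 16
          + b"http://example.invalid/update.php\x00"
          + b"\x01\x02" + b"192.0.2.77\x00"
          + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
          + b"VirtualAlloc\x00WriteProcessMemory\x00"
          + b"cmd.exe /c\x00" + b"\x00" * 8)

# API names the theory section singles out as worth a second look.
SUSPECT_APIS = {"VirtualAlloc", "WriteProcessMemory"}

def file_hashes(data):
    """MD5, SHA-1 and SHA-256 of the bytes, as certutil/md5sum/sha256sum would give."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def extract_strings(data, min_len=4):
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify(strings):
    """Bucket extracted strings into the indicator types listed in Step 3 (assumed patterns)."""
    found = {"urls": [], "ips": [], "registry": [], "apis": [], "commands": []}
    for s in strings:
        if re.match(r"https?://", s):
            found["urls"].append(s)
        elif re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", s):
            found["ips"].append(s)
        elif re.match(r"HK(LM|CU|CR|U|CC)\\", s):
            found["registry"].append(s)
        elif s in SUSPECT_APIS:
            found["apis"].append(s)
        elif s.startswith(("cmd.exe", "powershell")):
            found["commands"].append(s)
    return found

if __name__ == "__main__":
    for alg, digest in file_hashes(SAMPLE).items():
        print(f"{alg:7} {digest}")          # record these in the report (Step 6)
    for kind, hits in classify(extract_strings(SAMPLE)).items():
        if hits:
            print(f"{kind:9} {hits}")
```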
Video Link: -
https://www.youtube.com/watch?v=p3AQjmEvApI
Viva Questions:
1. What is static analysis in the context of cybersecurity and malware detection?
2. How does static analysis differ from dynamic analysis?
3. What are the key advantages and disadvantages of static analysis?
4. What are some common tools used for static file analysis?
5. How can you determine if an executable file is malicious using static analysis?
6. What is the role of hash functions (MD5, SHA-256) in static analysis?
7. What is a PE (Portable Executable) file, and how can you analyze its headers?
8. How do you detect obfuscation or packing in a suspicious file?
9. What is the significance of strings analysis in static analysis?
10. How do you extract embedded resources from a suspicious file?