Static Malware Analysis

Jayvin Gohel
8 min read · Feb 29, 2024


Hello Hackers, I hope you are all doing well. In today's article I am going to share my experience with static malware analysis.

Static analysis is the technique of analyzing a suspect file without executing it.

Process

1. Introduction to Static Malware Analysis

Overview of static analysis

2. Motive: Finding the Flag

Explanation of the specific goal of the analysis

3. Tools Required for Static Malware Analysis

Description of essential tools

Exeinfo PE

HxD

PeStudio

Strings

UPX

4. Determining File Type

Identifying the file type

Manual method using a hex editor.

5. Determining File Obfuscation

Understanding malware obfuscation techniques

6. Exeinfo PE

Detailed analysis using Exeinfo PE tool

File information

Entry point

Section information

Linker information

Import/export information

Overlay information

Unpack information

7. PE Studio

Analysis using PE Studio tool

VirusTotal scans

Impact areas and flags

8. UPX

Packing the sample with UPX

Comparison between the packed and original files

9. Strings

Extracting useful information using Strings tool

Identifying URLs and keys

10. Conclusion

Summary of the importance of static analysis

Continuous vigilance and collaboration in cybersecurity

Introduction

Malware analysis is like being a detective for malicious software. When a machine gets infected, analysts use malware analysis to figure out what the sample does, how it works, and how it can be stopped. It matters because it tells us where the sample came from, how much damage it can do, and how to clean up after it. Think of it as solving a mystery to protect computers and data from attackers.

  1. Static Analysis: This involves examining the malware without executing it. Analysts study the file's structure, metadata and content to identify characteristics such as embedded strings, imported libraries, cryptographic hashes, packer signatures and potential indicators of compromise (IOCs).
  2. Dynamic Analysis: In dynamic analysis, the malware is executed in a controlled environment, such as an isolated virtual machine or sandbox. Analysts observe its behavior, such as file modifications, network communications and system interactions, to understand its functionality and potential impact.
  • In this article we focus on static analysis and walk through a specific malware sample, a CTF-style binary whose goal is to recover a hidden flag.
[Screenshot: the malware sample]

Determining the File Type: Figuring out what type of file a suspicious binary is tells us which platform it is meant to run on. For example, if it is a Portable Executable (PE) file, the format Windows uses for .exe and .dll files, we know it targets Windows. That narrows down what the malware can do and which tools we need to analyze it. Note that the file extension cannot be trusted: malware is routinely renamed to .txt, .jpg or .tmp, so the type must be determined from the content, not the name.

The manual method of determining the file type is to open the file in a hex editor and look at its first bytes for a known file signature (the magic bytes of the format).

A hex editor is a specialized software tool used for viewing and editing binary files. Unlike text editors, which are designed for text-based files such as source code or documents, hex editors display the raw hexadecimal representation of a file's contents, allowing users to view and modify individual bytes directly.

[Screenshot: the sample opened in the HxD hex editor]

Here the first two bytes are 4D and 5A.

[Screenshot: capturing the signature]

The file can be identified by the ASCII string "MZ" (hexadecimal: 4D 5A) at the beginning of the file. "MZ" marks the DOS header that every PE file starts with; to confirm that it really is a PE (and not a bare DOS executable or a damaged file), read the 4-byte offset stored at 0x3C (the e_lfanew field) and check that the bytes at that offset are "PE\0\0" (50 45 00 00).

[Screenshot: identifying the signature]
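The same check in code, as an added example that is not part of the original article: a small Python function that identifies a file by its magic bytes rather than its extension, and for "MZ" files goes one step further and verifies the PE signature through e_lfanew. The sample headers it runs on are constructed inline (the `make_pe_stub` helper and the byte strings are mine); nothing here comes from the article's malware sample.

```python
import struct

# Machine field of the PE COFF header -> human-readable architecture
MACHINES = {0x014C: "x86", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}


def first_bytes_hex(data: bytes, n: int = 16) -> str:
    """Return the first n bytes the way a hex editor shows them, e.g. '4D 5A'."""
    return " ".join(f"{b:02X}" for b in data[:n])


def identify(data: bytes) -> str:
    """Classify a file by its content (magic bytes), ignoring its name/extension."""
    # "MZ" (4D 5A) is the DOS header that every PE file starts with ...
    if data[:2] == b"MZ":
        if len(data) < 0x40:
            return "MZ (truncated DOS header)"
        # ... but on its own it only proves a DOS header. The 4-byte e_lfanew
        # field at 0x3C points at the PE signature; check it before saying "PE".
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 6 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            return f"PE ({MACHINES.get(machine, hex(machine))})"
        return "MZ (DOS executable, or a PE with a damaged header)"
    if data[:4] == b"\x7fELF":
        width = data[4] if len(data) > 4 else 0
        bits = {1: "32-bit", 2: "64-bit"}.get(width, "unknown width")
        return f"ELF ({bits})"
    if data[:4] in (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"):
        return "Mach-O"
    if data[:4] == b"\xca\xfe\xba\xbe":
        # CAFEBABE is shared by Mach-O universal binaries and Java class files
        return "Mach-O universal binary or Java class"
    return "unknown"


def make_pe_stub(e_lfanew: int = 0x40, with_pe_sig: bool = True) -> bytes:
    """Constructed test input: a minimal DOS header followed by a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)          # 0x3C bytes of DOS header
    hdr += struct.pack("<I", e_lfanew)                # e_lfanew at offset 0x3C
    hdr += b"\x00" * (e_lfanew - len(hdr))            # pad up to the PE header
    hdr += b"PE\x00\x00" if with_pe_sig else b"\x00\x00\x00\x00"
    hdr += struct.pack("<H", 0x014C)                  # Machine = x86
    return bytes(hdr)


if __name__ == "__main__":
    # Constructed samples, not bytes from the article's malware file.
    samples = {
        "renamed.txt (PE inside)": make_pe_stub(),
        "dos-only.exe": make_pe_stub(with_pe_sig=False),
        "linux-binary": b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
        "notes.bin": b"just some text",
    }
    for name, blob in samples.items():
        print(f"{name:28} {first_bytes_hex(blob, 4):12} -> {identify(blob)}")
```

The renamed .txt file is still reported as a PE, and a file that starts with "MZ" but has no "PE\0\0" at e_lfanew is reported as DOS-only or damaged rather than as a Windows executable, which is the distinction the hex-editor check alone does not make.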

Determining File Obfuscation: Malware authors use obfuscation to hide how their software works from analysts and security products. Packers and crypters compress or encrypt the original code and prepend a small stub that restores it in memory at runtime, so the file on disk shows few readable strings, few imports and high-entropy sections. Recognizing this early matters because most static techniques (strings, import tables, signatures) produce little until the sample is unpacked.

Next we analyze the sample with the Exeinfo PE tool.

Exeinfo PE

Exeinfo PE is a program that inspects .exe files and shows their properties, and in particular it identifies compilers, linkers, packers and protectors from signatures. It can also rename the file, open the .exe directly, or delete it. Do not use the "open" option on a suspected sample: static analysis only stays safe as long as the file is never executed on the analysis host.

[Screenshot: Exeinfo PE analysis]

When we load the malware file into Exeinfo PE, it reports the following details.

[Screenshot: identifying the file format]
  • File information: The name of the file, its size, and its hash value.
  • Entry point: The address of the first instruction that runs when the program is loaded into memory. A packed file usually has its entry point in the packer's stub section rather than in .text.
  • Section information: PE files are divided into sections, which are named blocks of data. Exeinfo PE shows each section's name, size, and virtual address. Unusual names (UPX0, UPX1, .vmp0) or a section with a large virtual size but no raw data are strong packer indicators.
  • Linker information: The version of the linker that was used to create the PE file, as well as the subsystem the PE file was designed for (e.g., Windows GUI, Windows console).
  • Import information: The DLLs that the PE file imports. A tiny import table (often just LoadLibrary and GetProcAddress from kernel32.dll) is typical of packed samples, which resolve the rest at runtime.
  • Export information: The functions the PE file exports, which can be called by other programs.
  • Overlay information: Whether the PE file contains an overlay, that is, data appended after the last section. The loader does not map the overlay into memory, so malware and installers use it to carry extra payloads, configuration or a second executable.
  • Unpack information: Whether the PE file is packed, meaning it has been compressed or encrypted in some way. If so, Exeinfo PE names the packer it recognized and hints at which unpacker to use.

Here Exeinfo PE reports that the sample is not packed.

Next we analyze the file with PeStudio.

PE Studio

PeStudio is a tool to find suspicious artifacts within executable files to accelerate the first malware assessment. Using this tool, the analyst can easily spot the functionalities commonly used for malicious activities by malware creators.

[Screenshot: PeStudio analysis]

PeStudio can also query VirusTotal with the file's hash and show how many engines flag the sample. Only the hash is submitted, not the file, so a sample that was never uploaded before simply returns no result; that is not evidence that the file is clean.

VirusTotal scans files, URLs, IPs and domains with dozens of antivirus engines and detects threats such as spyware, ransomware and Trojans. It also gathers threat intelligence on unfamiliar files, tracks threats over time and lets the security community share findings.

[Screenshot: VirusTotal result in PeStudio]

Here PeStudio lists the DLLs the sample imports and flags the ones that are commonly used for malicious activity.

The imported functions are flagged as well, grouped by what they touch (security, registry, network and so on). These groups are a quick hint of the sample's capabilities, for example registry writes for persistence or network APIs for a download or callback.

[Screenshot: import flags]
[Screenshot: strings count]

UPX

Now we use the Ultimate Packer for Executables (UPX), an open-source packer that can reduce the file size of an executable drastically and supports a wide range of executable formats, including Windows PE files and DLLs, macOS apps and Linux ELF binaries.

Malware authors use UPX (and many other packers) because packing compresses the original code and replaces it with a small decompression stub, so the strings, imports and code patterns that signatures and analysts look for are no longer visible on disk. When the packed file is executed, the stub unpacks the original program into memory and jumps to it. The packed file is usually smaller on disk but takes the same or more space in memory. Plain UPX does not make malware undetectable: the packer is trivially recognized, and `upx -d` restores the original file unless the stub or headers have been modified by hand.

[Screenshot: UPX analysis]

Here we pack the sample with UPX so that we can compare the packed file with the original.

upx -qvfk -9 -o <compress_malware> <original malware path>

-q : be quiet

-v : be verbose (the version number is shown with -V)

-f : force compression of suspicious files

-k : keep backup files

-9 : compress better

-o FILE : write the output to FILE

[Screenshot: successfully compressed]

Now we analyze the packed file with Exeinfo PE.

[Screenshot: packed file analysis in Exeinfo PE]

Here we can see the differences between the original and the packed file: the file is smaller, the section layout has changed (UPX names its sections UPX0 and UPX1 by default) and Exeinfo PE should now identify the UPX packer.
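To make the "packed or not" judgement from the Exeinfo PE section and the before/after comparison above concrete, here is an added example (my own code, not the article's, and not output of Exeinfo PE or UPX): a minimal PE section-table parser that computes each section's entropy and applies the usual packer heuristics. It builds two constructed PE images inline, one ordinary and one mimicking UPX's UPX0/UPX1 layout, so it runs offline without the real sample; the `build_pe` helper, the packer section-name list and the 7.0 entropy threshold are assumptions of the example.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names that well-known packers leave behind (UPX, ASPack, VMProtect, MPRESS)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".vmp0", ".vmp1", "MPRESS1", "MPRESS2"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant data, close to 8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> list:
    """Walk the PE section table and return name/size/entropy for each section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(nsections):
        name, vsize, rva, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "vsize": vsize, "rva": rva, "rsize": rsize,
            "entropy": shannon_entropy(raw),
        })
    return sections


def packer_assessment(sections: list) -> list:
    """Heuristics an analyst applies to the section table before trusting strings/imports."""
    findings = []
    for s in sections:
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section name {s['name']} belongs to a known packer")
        if s["rsize"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']} has no raw data but {s['vsize']:#x} bytes virtual "
                            f"(empty space the stub unpacks into)")
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']} entropy {s['entropy']:.2f} (compressed or encrypted)")
    return findings


def build_pe(sections: list) -> bytes:
    """Constructed minimal PE32 image (not loadable) from (name, raw_bytes, virtual_size) tuples."""
    header_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_start = (header_len + 0x1FF) // 0x200 * 0x200      # 512-byte file alignment
    pe = bytearray(b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40))
    pe += b"PE\x00\x00"
    pe += struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, 224, 0x0102)
    pe += struct.pack("<H", 0x10B) + b"\x00" * 222        # PE32 optional header, mostly zero
    body, rva, ptr = bytearray(), 0x1000, raw_start
    for name, raw, vsize in sections:
        pe += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"), vsize, rva,
                          len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
        rva += (max(vsize, len(raw)) + 0xFFF) // 0x1000 * 0x1000
    pe += b"\x00" * (raw_start - len(pe))
    return bytes(pe + body)


# Constructed samples. The "plain" one has ordinary low-entropy code and data; the
# "packed" one mimics UPX's layout: an empty UPX0 to unpack into and a high-entropy UPX1.
LOW_ENTROPY = b"\x55\x8B\xEC\x83\xEC\x10" * 200 + b"Hello from the constructed sample\x00" * 10
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB pseudo-random
PLAIN_PE = build_pe([(".text", LOW_ENTROPY, len(LOW_ENTROPY)), (".data", b"config=1\x00" * 50, 450)])
PACKED_PE = build_pe([("UPX0", b"", 0x8000), ("UPX1", HIGH_ENTROPY, len(HIGH_ENTROPY)),
                      (".rsrc", b"\x00" * 64, 64)])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_PE), ("packed", PACKED_PE)):
        print(f"== {label} ({len(image)} bytes)")
        for s in parse_sections(image):
            print(f"  {s['name']:<8} raw={s['rsize']:#7x} virt={s['vsize']:#7x} entropy={s['entropy']:.2f}")
        for f in packer_assessment(parse_sections(image)):
            print("  !", f)
```

Run against a real file by reading it with `open(path, "rb").read()` and passing the bytes to `parse_sections`. The three heuristics are the same ones Exeinfo PE's output lets you eyeball: a known packer section name, a section with virtual size but no raw data, and a section whose entropy is close to 8 bits per byte. Entropy alone is not proof of packing (embedded certificates, images and compressed resources are also high-entropy), which is why the name and raw-size checks are kept alongside it.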

Strings

The Strings tool is one of the most used tools when analysing malware. It quickly lists the printable character sequences in a file, which often reveal URLs, file paths, registry keys, imported API names, messages and other constants the malware uses.

Strings ships with GNU binutils and is installed on most Linux systems. On Windows, Sysinternals provides strings.exe, and on macOS strings comes with the Xcode Command Line Tools package.

Below is the default output of strings.

[Screenshot: string analysis]

Here we use the -a switch. Note that its meaning depends on the build: in the Sysinternals strings.exe, -a restricts the search to ASCII strings (the default is ASCII and Unicode); in GNU binutils strings, -a scans the whole file instead of only its data sections, and the character encoding is selected with -e (for example -e l for 16-bit little-endian, the UTF-16LE strings common in Windows binaries).

[Screenshot: ASCII-only strings]

In malware research, it can be useful to extract strings and compare them across a large dataset to identify similar samples or shared variables.

Here you may notice some useful information, like imports from user32.dll, commands that run a DLL, and registry keys that may indicate the behavior of the sample.

Now we run strings on the original (unpacked) malware file.

In the output of the original file we find the Facebook URL and the flag. This is the practical effect of packing: the packed file's contents are compressed, so the same strings are not visible until the sample is unpacked (for plain UPX, `upx -d` is enough).

[Screenshot: flag found in the strings output]
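As an added example (not the article's code, and not the output shown in the screenshots), here is a Python reimplementation of the part of strings that matters here: ASCII and UTF-16LE extraction, a classifier that sorts the results into URLs, registry keys, DLL names and a CTF flag, and a demonstration of why the strings only turned up in the original file. The input is a constructed byte blob; the URL, key and flag in it are placeholders, and zlib stands in for the packer's compression stage.

```python
import re
import zlib

MIN_LEN = 4  # the default minimum length used by both GNU and Sysinternals strings

# Constructed sample blob standing in for a small region of an unpacked PE: DLL
# names, API names, a persistence registry key, a URL and a UTF-16LE flag.
SAMPLE = (
    b"\x00" * 16 + b"MZ\x90\x00" + b"\x00" * 32
    + b"kernel32.dll\x00user32.dll\x00advapi32.dll\x00"
    + b"MessageBoxA\x00RegSetValueExA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"https://example.com/c2/beacon\x00\x00"
    + "flag{constructed_example}".encode("utf-16le") + b"\x00\x00"
    + b"\x12\x34\x56" * 40
)

IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.%/?=&-]+", re.I),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+\\|\bSOFTWARE\\|\bSYSTEM\\)", re.I),
    "dll": re.compile(r"^[\w.-]+\.dll$", re.I),
    "flag": re.compile(r"flag\{[^}]+\}", re.I),
}


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Runs of printable ASCII (0x20-0x7E) at least min_len long, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Same for UTF-16LE (`strings -e l`), which plain ASCII extraction misses."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pattern, data)]


def extract_all(data: bytes) -> list:
    return ascii_strings(data) + utf16le_strings(data)


def classify(strings: list) -> dict:
    """Bucket extracted strings into IOC categories; unmatched ones go to 'other'."""
    buckets = {name: [] for name in IOC_PATTERNS}
    buckets["other"] = []
    for s in strings:
        hits = [name for name, pat in IOC_PATTERNS.items() if pat.search(s)]
        for name in hits or ["other"]:
            buckets[name].append(s)
    return buckets


def strings_after_compression(data: bytes) -> list:
    """What `strings` sees once the same bytes are compressed. zlib is used here as a
    stand-in for a packer's compression stage; it is not UPX's algorithm."""
    return extract_all(zlib.compress(data, 9))


if __name__ == "__main__":
    iocs = classify(extract_all(SAMPLE))
    for category, items in iocs.items():
        print(f"{category:9}: {items}")
    leftover = strings_after_compression(SAMPLE)
    print("after compression:", leftover or "(nothing useful)")
```

Two things this shows that a plain strings run does not: the flag is stored as UTF-16LE, so an ASCII-only pass (Sysinternals `-a`, or GNU strings without `-e l`) never sees it, and once the same bytes go through a compression stage the URL, the Run key and the flag are gone from the output, which is exactly why the article had to go back to the original, unpacked file.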

Conclusion

Static malware analysis is like examining a suspect without letting them move. Instead of running the malware, analysts use tools such as Exeinfo PE, PeStudio, Strings and UPX to look at its details: what type of file it is, whether and how it is packed, which libraries and functions it imports, and what strings it carries.

This analysis helps us understand what the malware intends to do and how it is built. By identifying its file type, uncovering the tricks used to hide its true purpose, and pulling out useful information like URLs, registry keys or file paths, analysts can write detections and indicators that stop it.

It is a crucial first step in cybersecurity because it is safe (nothing is executed) and fast, and it tells us which questions to ask in dynamic analysis afterwards. It is like being a detective, solving the mystery of how the malware works before it can harm anything.
