Static Analysis - O-LavenderAshburn/Knowledgebase_MalwareAnalysis GitHub Wiki

Basic Static Analysis

Basic static analysis is the first pass over a sample: the analyst uses simple techniques to identify possible malware from traits in the file headers, the program type, the program's imports and other statically available information. This is the information that can be gathered without executing the malware.

Common Tools

  1. File Identification/Analysis
  • CFF Explorer - Identifies file types and provides a hex editor/viewer, a dependency walker and a view of the import address table.
  • PEiD - Identifies the packers, cryptors and compilers used to build Portable Executable (PE) files.
  • Strings (command line tool) - Extracts runs of readable text from binary files.
  2. Hashing
  • SHA256 (sha256sum) - Command line tool that generates a hash digest of a potentially malicious program; the digest can then be checked against online databases of known malware.
  • MD5SUM - Same as sha256sum. MD5 is collision-prone, so it is useful only for matching against older databases; use the SHA-256 digest as the sample's identifier.

These tools are usually sufficient for basic static analysis.


Advanced Static Analysis

Advanced static analysis is a deeper examination of a malware sample, still without executing it. Disassemblers and decompilers are used to reconstruct the sample's code and to work out how it interacts with system components. Unlike basic static analysis, this approach requires specialised tools and a working knowledge of assembly language, executable file structures and common malware behaviours.

Common Techniques

1. Disassembly, Decompilation & Reverse Engineering

  • Convert machine code into human-readable assembly instructions (disassembly) to follow the malware's logic and, where possible, lift the binary back into a high-level language such as C or C++ (decompilation).

2. Packer & Obfuscation Analysis

  • Determine whether the malware is packed or obfuscated. A clear sign is high entropy (randomness) in the .text, .data or .rdata sections, because compressed or encrypted code has few repeating bytes; a very small import table that contains little more than LoadLibrary and GetProcAddress points the same way, since the real imports are resolved at runtime after unpacking. Sometimes the packer can be identified directly with PEiD.

3. Advanced String Analysis

  • Use more capable tools to filter and decode strings. Strings may be encoded in hexadecimal, Base64 or other schemes, and some carry multiple layers of encoding that have to be peeled off one at a time.

Common Tools

1. Disassembly & Reverse Engineering

  • IDA Pro – Industry-standard disassembler and decompiler for analyzing binary code.
  • Ghidra – Open-source reverse engineering tool developed by the NSA, offering powerful decompilation features.
  • JetBrains dotPeek - A free .NET decompiler that handles .dll, .exe and .winmd assemblies (it does not decompile native code).

2. Packing & Obfuscation Detection

  • Detect It Easy (DIE) – Identifies file packers, compilers, and signatures.
  • UPX (Ultimate Packer for eXecutables) – A common packer used by malware authors. The stock tool can also unpack an unmodified UPX-packed file (upx -d), which is worth trying before anything harder; modified UPX headers defeat it and need manual unpacking.

3. Advanced String Decoding and Analysis

  • CyberChef – String filtering and multi-step decoding; a "recipe" chains several decoding operations so layered encodings can be stripped in one pass.
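Peeling layered encodings by hand, as an added example of the technique CyberChef automates (this is my own illustrative code, not CyberChef's and not part of the wiki). It tries hexadecimal before Base64, because almost every hex string is also syntactically valid Base64, and it only accepts a layer when the decoded result is still printable, which is what stops it mangling a plain word such as "Test" that happens to decode. SAMPLE_PLAIN is a constructed string, not an indicator from any real sample.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())


def looks_printable(b: bytes) -> bool:
    """True when every byte is printable ASCII, i.e. a plausible decoded layer."""
    return bool(b) and all(c in PRINTABLE for c in b)


def decode_layer(s: str):
    """Try to strip one encoding layer; return (layer_name, decoded_bytes) or None.

    Hex is tried first: a Base64 token made only of hex digits is rare, but a hex
    string is almost always also valid Base64, so the reverse order would misfire.
    """
    t = s.strip()
    if len(t) >= 2 and len(t) % 2 == 0 and all(c in string.hexdigits for c in t):
        return "hex", bytes.fromhex(t)
    if len(t) >= 4 and len(t) % 4 == 0:
        try:
            return "base64", base64.b64decode(t, validate=True)
        except (binascii.Error, ValueError):
            pass
    return None


def peel(s: str, max_depth: int = 8):
    """Strip encoding layers until the text stops decoding to printable data.

    Returns (innermost_text, [layers in the order they were removed]).
    A string that is merely valid Base64/hex but decodes to binary junk is left alone.
    """
    layers = []
    for _ in range(max_depth):
        hit = decode_layer(s)
        if hit is None or not looks_printable(hit[1]):
            break
        layers.append(hit[0])
        s = hit[1].decode("ascii")
    return s, layers


def wrap(plain: str, layers) -> str:
    """Apply layers innermost-first, e.g. wrap(x, ["base64", "hex"]) == hex(base64(x))."""
    b = plain.encode()
    for layer in layers:
        b = b.hex().encode() if layer == "hex" else base64.b64encode(b)
    return b.decode()


# Constructed sample (not taken from a real binary): a URL hidden under Base64, then hex.
SAMPLE_PLAIN = "http://192.0.2.10/update.bin"
SAMPLE_ENCODED = wrap(SAMPLE_PLAIN, ["base64", "hex"])
```

Run peel() over every string the strings pass produced and keep the ones whose layer list is non-empty; the layer list itself is useful, because a consistent hex-then-Base64 pattern across many strings usually means one decoding routine in the binary, which is what to look for next in the disassembler.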

Workflow

A common workflow for basic and advanced static analysis might look like the following.

Basic Analysis

1. Using CFF Explorer, examine the malware to answer the following.

  • What type of file is it?

  • When was it compiled? (The timestamp is attacker-controlled and can be forged, so treat it as a hint, not a fact.)

  • What do the section headers contain?

    Are there signs of packing or obfuscation? Is anything missing?

  • What DLLs are being used?

    What functions are being imported?

    Are the imported functions ones commonly seen in malware?

    What do these functions do?

    Are there any network related DLLs imported?

2. Analysis with strings

  • Are there any potential host based signatures we can see (such as file paths, registry keys or mutex names)?
  • Are there any potential network based signatures (such as IP addresses, domain names or URLs)?
  • Are there any mentions of other DLLs or functions that do not appear in the import table (a hint that they are resolved at runtime)?
  • Is there any potential obfuscation (long runs of Base64 or hex, or very few readable strings at all)?

3. PEiD

  • Does PEiD recognize any packers?
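The basic checklist above, carried out programmatically as an added example (this is my own code, not code from the wiki, CFF Explorer or PEiD): a dependency-free Python script that parses the PE header, section table and import table, computes per-section entropy as a packing hint, hashes the file and extracts ASCII strings. SUSPICIOUS_APIS and NETWORK_DLLS are illustrative subsets of my own choosing, and build_sample_pe() constructs a synthetic PE32+ image purely so the script runs offline; it is not a real sample.

```python
import hashlib
import math
import re
import struct
from collections import Counter
from datetime import datetime, timezone

# Illustrative subsets only (cf. Practical Malware Analysis, Appendix A); extend as needed.
SUSPICIOUS_APIS = {"VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
                   "LoadLibraryA", "GetProcAddress", "WinExec", "URLDownloadToFileA", "IsDebuggerPresent"}
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "winhttp.dll", "urlmon.dll"}
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0..8); packed or encrypted data sits near 7-8."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs, as the strings tool prints them (UTF-16LE strings would need a second pass)."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def parse_pe(data: bytes) -> dict:
    """Header, section table (with entropy) and import table of a PE32 or PE32+ file."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew: offset of "PE\0\0"
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                # optional header follows COFF header
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # Data directories start at +112 (PE32+) or +96 (PE32); entry 1 is the import table.
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, _ = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize,
                         "entropy": round(entropy(data[rawptr:rawptr + rawsize]), 2)})

    def rva2off(rva):  # relative virtual address -> file offset, via the section table
        for s in sections:
            if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
                return rva - s["va"] + s["raw_ptr"]
        raise ValueError(f"RVA {rva:#x} lies outside every section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    if imp_rva:
        fmt, size, ord_bit = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
        desc = rva2off(imp_rva)
        while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
            oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
            if not name_rva:
                break
            funcs, t = [], rva2off(oft or ft)  # some linkers leave OriginalFirstThunk = 0
            while entry := struct.unpack_from(fmt, data, t)[0]:
                funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ord_bit
                             else cstr(rva2off(entry) + 2))          # +2 skips the 2-byte hint
                t += size
            imports[cstr(rva2off(name_rva))] = funcs
            desc += 20
    return {"machine": MACHINES.get(machine, hex(machine)), "pe32plus": pe32plus,
            "compiled": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
            "sections": sections, "imports": imports}

def triage(data: bytes) -> dict:
    """Answer the basic-static checklist: hashes, header, packing hints, imports, strings."""
    info = parse_pe(data)
    flat = {f for funcs in info["imports"].values() for f in funcs}
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(), **info,
            "high_entropy_sections": [s["name"] for s in info["sections"] if s["entropy"] > 7.0],
            "suspicious_imports": sorted(flat & SUSPICIOUS_APIS),
            "network_dlls": sorted(d for d in info["imports"] if d.lower() in NETWORK_DLLS),
            "strings": extract_strings(data)}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ (not a real sample): two sections and a two-DLL import table."""
    img = bytearray(1536)                                # 512-byte headers + two 512-byte sections
    img[0:2], img[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 64)                # e_lfanew
    struct.pack_into("<HHIIIHH", img, 68, 0x8664, 2, 1600000000, 0, 0, 240, 0x22)
    struct.pack_into("<H", img, 88, 0x20B)               # PE32+ optional-header magic
    struct.pack_into("<II", img, 88 + 120, 0x2000, 60)   # import directory RVA and size
    for i, (nm, va, ptr, fl) in enumerate(((b".text", 0x1000, 512, 0x60000020),
                                           (b".idata", 0x2000, 1024, 0x40000040))):
        struct.pack_into("<8sIIIIIIHHI", img, 328 + 40 * i, nm, 512, va, 512, ptr, 0, 0, 0, 0, fl)
    blob = b"C:\\Users\\Public\\svchost_update.exe\0" + b"192.0.2.10\0"
    img[512:512 + len(blob)] = blob                      # plaintext artefacts in .text
    b = 1024                                             # .idata: descriptors, thunks, names
    struct.pack_into("<IIIII", img, b, 0x2040, 0, 0, 0x2080, 0x2060)       # KERNEL32.dll
    struct.pack_into("<IIIII", img, b + 20, 0x20A0, 0, 0, 0x20E0, 0x20C0)  # WS2_32.dll
    for off in (0x40, 0x60):                             # kernel32 ILT and IAT
        struct.pack_into("<QQQ", img, b + off, 0x2100, 0x2110, 0)
    for off in (0xA0, 0xC0):                             # ws2_32 ILT and IAT: by name, then ordinal 23
        struct.pack_into("<QQQ", img, b + off, 0x2130, 0x8000000000000017, 0)
    for off, s in ((0x80, b"KERNEL32.dll"), (0xE0, b"WS2_32.dll")):
        img[b + off:b + off + len(s) + 1] = s + b"\0"
    for off, s in ((0x100, b"VirtualAlloc"), (0x110, b"CreateRemoteThread"), (0x130, b"connect")):
        img[b + off:b + off + len(s) + 3] = b"\0\0" + s + b"\0"             # 2-byte hint + name
    return bytes(img)
```

On a real file call triage(open(path, "rb").read()) and print the result. The import walker honours the ordinal flag and falls back to FirstThunk when OriginalFirstThunk is zero, but it only sees what is on disk: a packed sample whose import table is rebuilt at runtime will show a near-empty import list together with a high-entropy section, which is exactly the combination that sends you on to unpacking before any further static work.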

Advanced Analysis

Decompiling and Disassembly

  1. Are there any suspicious memory allocations or function calls?
  2. Is there any suspicious data in the data sections?
  3. If present, can any decryption/encryption functionality be spotted?
  4. Can that routine be reverse engineered?
  5. Are there indicators of encryption keys hard coded in the binary or generated at runtime?

Credits and References

The workflow follows a similar guideline to the labs in the textbook Practical Malware Analysis by Michael Sikorski and Andrew Honig (No Starch Press, February 2012).