- Hashing malware samples:

  ```shell
  # extract the malware file from the zip
  # no need to change the extension
  sha256sum.exe Malware.Unknown.exe.malz
  md5sum.exe Malware.Unknown.exe.malz
  # note down the hashes - we can look these up on VirusTotal
  ```
- Static string analysis:

  ```shell
  # the strings utility can be used as well
  floss Malware.Unknown.exe.malz        # prints any string of length >= 4
  floss -n 6 Malware.Unknown.exe.malz   # prints strings with length >= 6
  ```
- Analyzing the import address table:
  - Done using the PEView tool, which offers a byte-level view of portable executables
  - Under `IMAGE_FILE_HEADER`, we can check the Time Date Stamp as an indicator
  - In `IMAGE_SECTION_HEADER .text`, we can compare the decimal values of Virtual Size and Size of Raw Data; if Virtual Size >> Size of Raw Data, it could be a packed binary
  - In the IMPORT Address Table (under `SECTION .rdata`), we can inspect for suspicious Windows API calls, like `URLDownloadToFileW` and `ShellExecuteW`
  - malAPI.io can be used to look up malicious APIs and their use cases
  - A packed binary includes fewer API calls; it uses `LoadLibraryA` and `GetProcAddress` to resolve APIs at runtime
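An added example, not part of the original notes, that automates the hashing step and the two header checks above (Time Date Stamp, and Virtual Size vs Size of Raw Data) by parsing the COFF and section headers directly with `struct`, so no third-party PE library is needed. The 4x ratio threshold and the constructed sample header are assumptions of this example, not values from the notes.

```python
import hashlib
import struct
from datetime import datetime, timezone

def parse_pe_sections(data):
    """Return (TimeDateStamp, [(name, VirtualSize, SizeOfRawData), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew -> "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4                                            # IMAGE_FILE_HEADER
    num_sections, timestamp = struct.unpack_from("<HI", data, coff + 2)
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]      # SizeOfOptionalHeader
    sec_off = coff + 20 + opt_size                               # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = sec_off + 40 * i                                   # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw = struct.unpack_from("<III", data, off + 8)
        sections.append((name, vsize, raw))
    return timestamp, sections

def packed_sections(sections, ratio=4.0):
    """Sections whose VirtualSize exceeds SizeOfRawData by `ratio` (an assumed threshold).
    Uninitialized-data sections (.bss) legitimately have SizeOfRawData 0, so treat hits as a hint."""
    return [name for name, vsize, raw in sections if vsize > ratio * max(raw, 1)]

def summarize(data):
    """Hash plus the two header indicators discussed in the notes."""
    ts, sections = parse_pe_sections(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "packed": packed_sections(sections),
    }

def build_sample_pe(sections, timestamp):
    """Constructed minimal PE header (headers only, no code) so the example runs offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)             # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0)
    hdrs = b"".join(name.ljust(8, b"\0") +
                    struct.pack("<IIIIIIHHI", vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, 0x60000020)
                    for name, vsize, raw in sections)
    return dos + b"PE\0\0" + coff + hdrs

# Constructed sample: .text claims 0x9000 bytes in memory but only 0x200 on disk (packer-like).
SAMPLE = build_sample_pe([(b".text", 0x9000, 0x200), (b".rdata", 0x800, 0x800)], 1700000000)

print(summarize(SAMPLE))                     # real use: summarize(open(path, "rb").read())
```

Run it against a real sample by reading the `.malz` file as bytes; a flagged `.text` section together with a near-empty import table is the combination the notes describe.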
- PEStudio is also used for static analysis and offers a lot of data about the executable, like 'indicators', 'imports' and 'strings'.
- We can also use the capa utility:

  ```shell
  capa.exe -h
  capa.exe Malware.Unknown.exe.malz   # prints high-level info about the binary
  # run with -v for verbose, or -vv for more details
  ```