Part 2 — Static Analysis

Elysian Storm
Ransomware Analysis and Detection
4 min read · May 1, 2021


Static analysis techniques examine the characteristics of malware without executing it. In this phase, we’ll be gathering pieces of information about the malware and using it to help us look for key features in the dynamic analysis phase when we execute the malware and watch what it does.

With the setup discussed in Part 1 in place, we can now perform static analysis of malware samples. Several tools make this much easier. We came across many of them during our work; below we describe a few, first stating the task each one achieves and then the tool used for it.

1. File Identification

One of the most common ways an attacker tricks potential victims is by using double extensions. Another common method used to get around signature-based analysis is packaging the malware in a self-extracting archive. File identification gives security analysts tools to examine these techniques. The tools used are listed below:

1.1 File command: The file command works by comparing the file header with known signatures of different file types, which it stores in a plain text file called the magic file.

Command: file [file name]
Output: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

1.2 Exeinfo-PE: This GUI tool works only on Windows executables. It returns exhaustive information about the file examined, including the compiler used to build it, and detects packers associated with the file.

Exeinfo PE output

1.3 TrID: TrID uses a pattern database to determine the file type, as opposed to signature-based file type detection. If the file contains any of the patterns TrID knows, it displays them to you.

TrID output

2. Embedded Strings Analysis

Strings are printable ASCII and Unicode sequences of characters embedded within a file. They are key to understanding the program's functionality and the indicators associated with a suspect binary. The characteristics of a malicious file can, to a certain extent, be made clear by analysis of the embedded strings. To do so, we have used BinText.

BinText output. When the link shown was opened, malicious behaviour was observed.

2.1 BinText: BinText is a GUI tool that extracts Unicode and ASCII strings at the same time. By default, it pulls strings with a minimum length of five. Analysis of strings includes looking for words and phrases in the file such as registry keys, URLs, file names, domain addresses, attack commands, and so on.
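
To show what BinText does under the hood, here is an added example (not code from the original post or from BinText) that pulls ASCII and UTF-16LE strings with the same default minimum length of five and buckets them into the indicator types listed above. The sample bytes, the URL, path and registry key in them, and the small set of flagged API names are all constructed for this example.

```python
import re

# Constructed sample "binary": printable ASCII and UTF-16LE strings mixed with junk bytes
# (not a real malware file; the URL, path and key are made up for this example).
SAMPLE = (
    b"\x00\x01MZ\x90\x00" + b"\xff" * 6
    + b"http://example.invalid/update.exe\x00"
    + b"abc\x00\x00"                                               # shorter than 5: dropped
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00CryptAcquireContextA\x00\x00"
    + "C:\\Users\\Public\\payload.dll".encode("utf-16-le")
)

# Hand-picked set of real Win32 CryptoAPI names; a real blacklist (as in PE Studio) is
# much longer. This short set is an assumption made for the example.
CRYPTO_APIS = {"CryptAcquireContextA", "CryptGenKey", "CryptEncrypt", "CryptImportKey"}


def extract_strings(data, min_len=5):
    """Return (ascii_strings, unicode_strings), mimicking BinText's default minimum length."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)            # runs of printable ASCII
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # printable UTF-16LE runs
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    unicode_strings = [m.group().decode("utf-16-le") for m in unicode_re.finditer(data)]
    return ascii_strings, unicode_strings


def classify(s):
    """Bucket a string into the indicator types the text lists (URL, registry key, file name, API)."""
    if re.match(r"https?://", s, re.IGNORECASE):
        return "url"
    if re.match(r"(HKEY_[A-Z_]+|HKLM|HKCU|SOFTWARE|SYSTEM)\\", s, re.IGNORECASE):
        return "registry key"
    if re.match(r"[A-Za-z]:\\", s):
        return "file path"
    if s in CRYPTO_APIS:
        return "crypto api"
    return "other"


def report(data, min_len=5):
    """List of (indicator type, string) pairs for every string BinText would display."""
    ascii_strings, unicode_strings = extract_strings(data, min_len)
    return [(classify(s), s) for s in ascii_strings + unicode_strings]


if __name__ == "__main__":
    for kind, value in report(SAMPLE):
        print("%-13s %s" % (kind, value))
```

Note that a naive UTF-16 scan can glue the last byte of an adjacent ASCII string onto a Unicode one when no null padding separates them, which is why real tools sometimes show strings with a stray leading character.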

3. PE Header

The PE header is used by the operating system for two reasons. First, it contains all of the information necessary for Windows to execute the program. Second, it tells the OS where the pieces of the executable go in memory. We focused on a few of these header fields, namely the file header, the sections of the executable, the import table and the resource table. This has been done using the PE Studio application.

3.1 PE Studio: PE Studio is made specifically for malware analysis. It extracts embedded strings and analyzes them to pull out those it associates with malware as more suspicious. PE Studio also categorizes the APIs in the import address table for you and marks those often used by malware as blacklisted.

Extensive list of options available in PE Studio.
Snapshot of a ransomware analysis.
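
The following added example (not code from the original post, PE Studio or the file command) ties sections 1.1 and 3 together: it walks the DOS header, PE signature, COFF file header, optional header and section table of a PE image by hand, produces a description in the style of the file command output quoted above, and flags sections that are both writable and executable or that grow much larger in memory than on disk, a common packer hint. The input image is a constructed headers-only PE32 built by build_sample; the constants are the documented PE/COFF values, and the packer heuristics are assumptions for the example.

```python
import struct

# Constants from the PE/COFF specification (documented Microsoft values).
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000
MACHINES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}
SUBSYSTEMS = {2: "GUI", 3: "console"}


def build_sample(dll=True):
    """Constructed minimal PE32 image (headers only, no real code) used as example input."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)           # e_lfanew at 0x3C -> PE at 0x40
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    sections = [(b".text", 0x1000, 0x1000, 0x400, 0x400, 0x60000020),   # code, read+execute
                (b"UPX1", 0x8000, 0x2000, 0x200, 0x800, 0xE0000040)]    # tiny on disk, RWX: packer-like
    opt = struct.pack("<H", 0x10B) + b"\x00" * 66 + struct.pack("<H", 2) + b"\x00" * 154  # PE32, GUI
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), chars)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + opt + table


def identify(data):
    """Return a file(1)-style description plus (name, vsize, rawsize, warnings) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                       # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    subsys = struct.unpack_from("<H", data, opt_off + 68)[0]    # Subsystem sits at +68 in PE32 and PE32+
    desc = "%s executable for MS Windows%s (%s) %s" % (
        "PE32" if magic == 0x10B else "PE32+", " (DLL)" if chars & IMAGE_FILE_DLL else "",
        SUBSYSTEMS.get(subsys, "subsystem %d" % subsys), MACHINES.get(machine, "machine 0x%x" % machine))
    sections, off = [], opt_off + opt_size
    for _ in range(nsec):
        name, vsize, _, rsize, _, _, _, _, _, sch = struct.unpack_from("<8sIIIIIIHHI", data, off)
        warnings = []
        if sch & IMAGE_SCN_MEM_EXECUTE and sch & IMAGE_SCN_MEM_WRITE:
            warnings.append("writable and executable")
        if rsize and vsize > 4 * rsize:      # heuristic: section balloons in memory -> unpacking stub?
            warnings.append("virtual size far larger than raw size")
        sections.append((name.rstrip(b"\0").decode("ascii"), vsize, rsize, warnings))
        off += 40                             # each IMAGE_SECTION_HEADER is 40 bytes
    return desc, sections


if __name__ == "__main__":
    description, secs = identify(build_sample())
    print(description)
    for sec in secs:
        print(sec)
```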

Sample result of static analysis

Static analysis was performed on various infected and clean files. Analysis of such malware is as follows:

File 1

Folder Name: Ransomware.WannaCry_Plus
File: Win32.Wannacry
Path: C:\Users\Windows7\Desktop\Win32.Wannacry.exe

Normal Analysis

The file seems to be a normal executable file, but the antivirus flagged a potential threat upon extracting the zip.

File command analysis

Command: file [file name]
Output: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

TrID analysis

TrID analysis shows the file is an executable. It also shows the packer and compiler. For more analysis, we use Exeinfo PE.

Exeinfo PE analysis

It shows the file is not packed. The hash value is also shown. We can search this hash value on VirusTotal to find out whether somebody has already analyzed it. In our case, we got a match on VirusTotal.

String analysis using BinText

We can see many malicious HTTP links. I tried to open the first link. Nothing opened, but the antivirus started giving warnings, and some DLL and EXE files that were not present initially in the download folder got downloaded. Some crypto-key calls were made.

PE header analysis

Snapshots are included. Extensive information was shown. Red colour marks all the malicious items. This is the best tool to analyze any file.

In the next part we will discuss another approach to analyzing malware, referred to as ‘Dynamic Analysis’.

Source: Part — 2: Static Analysis, Amrit Anand
