Static Analysis

Static analysis involves several key steps and important parameters to consider:

  • File Identification: The first step is to identify the file type and the associated metadata. Tools such as the file command on Linux, or dedicated file-analysis tools, can be used to obtain information such as file type, size, creation and modification dates, and more.

  • String Analysis: This step involves extracting readable strings from the binary. Strings can reveal a lot about what the binary might do, such as file names, URLs, IP addresses, registry keys, error messages, and more. The strings command on Linux or Windows can be used for this purpose. Looking for strings is crucial in malware analysis because it reveals key details about the malware's functionality without executing it: command and control servers, potential file names, and other malware it may attempt to download. It can also uncover hard-coded passwords, error messages, or other signs that hint at the malware's purpose. Furthermore, certain strings may be unique to specific malware families, helping analysts identify the type of malware they are dealing with. Another tool for this step is FLOSS.

  • Code Disassembly: This step involves converting the binary instructions into assembly code using disassemblers. This can reveal the program logic and flow without executing the malware.

  • Library and System Call Analysis: This step involves identifying the library functions and system calls used by the malware. These can give insights into the malware's capabilities, for example, network communication, file manipulation, process creation, etc.

  • Signature-Based Detection: This step involves checking the file against a database of known malware signatures. This can help in identifying known malware or variants.

  • Packer Detection: Packers are tools used by malware authors to obfuscate their code and avoid detection. Identifying whether the binary is packed is important, as a packed binary may require additional tools or steps before it can be analyzed.

  • Hashing: Creating a hash of the file can be useful for identifying the same malware in future investigations or for sharing information with other researchers.
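As an added, self-contained example (not code from this page), the following Python script walks the file identification, string analysis, packer detection and hashing steps above on a constructed sample: magic-byte identification, ASCII and UTF-16LE string extraction, and a whole-file entropy heuristic. The sample bytes, the 7.0 entropy threshold and the magic table are assumptions for illustration; disassembly and import analysis are left to dedicated tools.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a binary: a DOS/PE "MZ" header, a few readable
# ASCII and UTF-16LE strings, then uniformly distributed filler that mimics
# a packed or encrypted section. It is not a real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"http://example.invalid/update.bin\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    + "C:\\tmp\\x.exe".encode("utf-16-le") + b"\x00\x00"
    + bytes((i * 97 + 13) % 256 for i in range(2048))
)
MAGIC = {b"MZ": "PE/DOS executable", b"\x7fELF": "ELF executable",
         b"PK\x03\x04": "ZIP archive"}  # assumed, minimal magic table

def identify(data: bytes) -> str:
    """File identification by magic bytes, a tiny stand-in for `file`."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def hashes(data: bytes) -> dict:
    """Hashing: digests used to match known samples and share indicators."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def strings(data: bytes, min_len: int = 6) -> list:
    """String analysis: printable ASCII runs plus UTF-16LE runs (like strings -e l)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [s.decode("ascii") for s in ascii_runs] + [s.decode("utf-16-le") for s in wide_runs]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; packed or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Packer detection heuristic: high whole-file entropy plus few strings."""
    ent = entropy(data)
    found = strings(data)
    return {"type": identify(data), "hashes": hashes(data), "strings": found,
            "entropy": round(ent, 2), "likely_packed": ent > 7.0 and len(found) < 20}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Real packers often leave the headers readable and only compress sections, so per-section entropy and the import table give a sharper signal than the whole-file figure used here.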
