Malware Handbook

Static Analysis of Sample Files

1. Getting File Hashes

  • Tools: Compute the MD5 and SHA-256 hashes of each sample (for example sha256sum and md5sum on Linux, or Get-FileHash in PowerShell).

  • Example: For re_lotsastuff.exe, record both hashes before doing anything else. The SHA-256 is the value to search for in VirusTotal or your case notes; keep the MD5 only for matching older reports, since MD5 collisions are practical and two different files can share one.

2. Identifying File Type

  • Tool: Detect It Easy (DIE).

    • File Type: PE32 (a Portable Executable for 32-bit x86; PE32+ is the 64-bit variant).

    • Additional Info: DIE also reports the compiler or linker, any packer or protector it recognizes, the entry point address, and per-section entropy. High entropy in the code section usually means the sample is packed or encrypted, and static analysis will show little until it is unpacked.

3. Viewing File Contents

  • Tool: HxD (hex editor).

    • Signature: PE files start with the bytes 4D 5A ("MZ", the DOS header signature).

    • Offset: The 4-byte value at offset 0x3C (e_lfanew) is stored little-endian; reverse its bytes to get the file offset of the PE header, which must begin with 50 45 00 00 ("PE\0\0"). Do not trust the extension alone: a file renamed to .txt or .dat is still a PE if these two signatures are present.

4. Analyzing PE Headers

  • Tool: PEiD, DIE, or a similar PE analysis tool (CFF Explorer, PE-bear, or the pefile Python module).

    • MZ Header: The DOS header at the start of the file; its e_lfanew field points to the PE header.

    • PE Header: The COFF file header and the optional header that follows it, containing:

      • Entry Point: The relative virtual address (RVA, relative to ImageBase) where execution begins. An entry point outside the .text section is a classic sign of a packer stub.

      • Base of Code/Data: RVAs where the code and initialized data begin.

      • Section Headers: Name, virtual address, virtual size, raw size and characteristics of each section (e.g., .text for code, .data for initialized data, .rsrc for resources). A section with a raw size of zero but a large virtual size is space reserved for unpacked code; a section that is both writable and executable is also suspicious.

5. Inspecting Imports

  • Details:

    • Imports: The import table lists, per DLL, the API functions the loader resolves for the file; it is the quickest indicator of what a sample can do without running it.

    • Common DLLs:

      • Kernel32.dll: Core system functions (file I/O, process and thread management, memory allocation, LoadLibrary/GetProcAddress).

      • Advapi32.dll: Registry and service functions (RegSetValueEx, CreateService) and the CryptoAPI.

      • Shell32.dll: Shell functions that launch files and programs (ShellExecute).

      • Ws2_32.dll: Winsock network functions (socket, connect, send, recv); WinINet.dll and urlmon.dll point to HTTP use.

    • Caveat: A very short import list that still contains LoadLibraryA and GetProcAddress usually means the sample is packed or resolves its real APIs at run time, so the static import table understates its capabilities.
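The following is an added example, not code from the handbook, that performs steps 1 to 5 above in one pass: it hashes the file, checks the MZ and PE signatures via e_lfanew, reads the optional header magic to tell PE32 from PE32+, lists the sections, walks the import table, and applies the red-flag checks described above. The sample input is a minimal PE32 built inline by build_sample_pe32() (a constructed header layout with a real import table, not a runnable program), and the helper names are this example's own.

```python
import hashlib
import struct

def file_hashes(data: bytes) -> dict:
    # SHA-256 is the identifier to share; MD5 is kept only for matching older reports.
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def _cstr(data: bytes, off: int) -> str:
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF -> optional header -> sections -> imports."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # little-endian DWORD at 0x3C
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: 4-byte ImageBase at +28, data directories start at +96
        kind, image_base, dd = "PE32", struct.unpack_from("<I", data, opt + 28)[0], opt + 96
        thunk_fmt, ord_flag = "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: 8-byte ImageBase at +24 (no BaseOfData), directories at +112
        kind, image_base, dd = "PE32+", struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
        thunk_fmt, ord_flag = "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry, base_of_code = struct.unpack_from("<II", data, opt + 16)   # both are RVAs
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                        # section headers follow the optional header
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr})

    def section_of(rva: int):
        return next((s for s in sections
                     if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"])), None)

    def rva_to_off(rva: int) -> int:   # file offset = RVA - VirtualAddress + PointerToRawData
        s = section_of(rva)
        if s is None:
            raise ValueError(f"RVA {rva:#x} maps to no section")
        return rva - s["va"] + s["rawptr"]

    imports = {}
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]   # data directory index 1 = import table
    desc = rva_to_off(import_rva) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:                                    # all-zero descriptor ends the table
            break
        names, thunk = [], rva_to_off(oft or ft)
        while (val := struct.unpack_from(thunk_fmt, data, thunk)[0]) != 0:
            names.append(f"ordinal#{val & 0xFFFF}" if val & ord_flag
                         else _cstr(data, rva_to_off(val) + 2))   # +2 skips the 16-bit hint
            thunk += struct.calcsize(thunk_fmt)
        imports[_cstr(data, rva_to_off(name_rva))] = names
        desc += 20
    ep = section_of(entry)
    return {"type": kind, "machine": machine, "image_base": image_base, "entry_point": entry,
            "base_of_code": base_of_code, "entry_section": ep["name"] if ep else None,
            "sections": sections, "imports": imports}

def triage(info: dict) -> list:
    """Cheap red flags worth noting before opening a disassembler."""
    flags = []
    if info["entry_section"] not in (".text", "CODE"):
        flags.append(f"entry point {info['entry_point']:#x} is not in the code section (packer stub?)")
    for s in info["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0:
            flags.append(f"{s['name']}: no raw data but {s['vsize']:#x} virtual bytes (unpack target?)")
    net = {d.lower() for d in info["imports"]} & {"ws2_32.dll", "wininet.dll", "urlmon.dll", "winhttp.dll"}
    if net:
        flags.append("network-capable: " + ", ".join(sorted(net)))
    apis = {n for v in info["imports"].values() for n in v}
    if {"LoadLibraryA", "GetProcAddress"} <= apis and len(apis) < 10:
        flags.append("few imports but LoadLibraryA/GetProcAddress present: runtime API resolution")
    return flags

def build_sample_pe32() -> bytes:
    """Constructed minimal PE32: two sections and a real import table (not a runnable program)."""
    idata = bytearray(0x200)                                  # .idata raw bytes, mapped at RVA 0x2000
    def put(rva, blob): idata[rva - 0x2000:rva - 0x2000 + len(blob)] = blob
    put(0x2000, struct.pack("<5I", 0x2040, 0, 0, 0x2060, 0x2040))   # descriptor: KERNEL32.dll
    put(0x2014, struct.pack("<5I", 0x2050, 0, 0, 0x2070, 0x2050))   # descriptor: WS2_32.dll
    put(0x2040, struct.pack("<3I", 0x2080, 0x2090, 0))                # thunks -> hint/name entries
    put(0x2050, struct.pack("<2I", 0x20A0, 0))
    put(0x2060, b"KERNEL32.dll\0"); put(0x2070, b"WS2_32.dll\0")
    put(0x2080, b"\0\0CreateFileA\0"); put(0x2090, b"\0\0WriteFile\0"); put(0x20A0, b"\0\0connect\0")
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)   # i386, 2 sections, 32-bit exe
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<6I", opt, 16, 0x1000, 0x1000, 0x2000, 0x400000, 0x1000, 0x200)  # EP, code, data, base, aligns
    struct.pack_into("<I", opt, 92, 16); struct.pack_into("<II", opt, 104, 0x2000, 60)  # 16 dirs; import dir
    hdr = "<8sIIIIIIHHI"
    secs = struct.pack(hdr, b".text", 0x10, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020) + \
           struct.pack(hdr, b".idata", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + opt + secs).ljust(0x200, b"\0")
    return bytes(headers + b"\x31\xC0\xC3".ljust(0x200, b"\0") + idata)   # xor eax,eax ; ret
```

Usage: parse_pe(open("re_lotsastuff.exe", "rb").read()) returns the header fields from step 4 and the per-DLL import list from step 5, and triage() on that result prints the warnings a reviewer would otherwise hunt for by hand in DIE or PEiD. The RVA-to-file-offset conversion in rva_to_off is the same arithmetic you do when you jump from an RVA shown in a PE viewer to the raw bytes in HxD.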

6. Viewing File Strings

  • Tool: The strings command-line tool (Sysinternals strings on Windows extracts both ASCII and Unicode by default; GNU strings on Linux needs -e l added to see UTF-16LE strings, which is how Windows stores most of its own).

    • Command: strings re_lotsastuff.exe > lotsastuff.txt

    • Review: Look for URLs, IP addresses, file and registry paths, command lines, and API names; these often reveal configuration that the import table alone does not.
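As an added example (not part of the handbook), the following does what the strings command does, including the UTF-16LE pass that GNU strings skips by default, and then sorts the output into the categories worth reviewing first. The input is a constructed byte blob mixing junk bytes with ASCII and UTF-16LE strings; the 192.0.2.10 address and the paths in it are made up, and the category patterns are this example's own choices.

```python
import re

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every printable run of at least min_len
    characters, in ASCII and in UTF-16LE (each printable byte followed by 0x00)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_re.finditer(data)]
    return sorted(found)

# Patterns for the strings a reviewer reads first (example choices, not an exhaustive list).
INTERESTING = {
    "url": re.compile(r"https?://", re.I),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKLM|HKCU|HKEY_\w+|CurrentVersion\\Run)", re.I),
    "path": re.compile(r"^[A-Za-z]:\\|%(?:TEMP|APPDATA|USERPROFILE)%", re.I),
    "api": re.compile(r"^(?:CreateRemoteThread|WriteProcessMemory|VirtualAlloc(?:Ex)?|WinExec"
                      r"|ShellExecute\w*|URLDownloadToFile\w?|IsDebuggerPresent|CryptEncrypt)$"),
    "cmd": re.compile(r"(?:powershell|cmd\.exe|-EncodedCommand|rundll32|regsvr32)", re.I),
}

def triage_strings(strings: list) -> list:
    """Tag each extracted string with every category it matches: (category, offset, text)."""
    return [(cat, off, text) for off, _, text in strings
            for cat, rx in INTERESTING.items() if rx.search(text)]

# Constructed sample bytes standing in for a chunk of an executable (not from re_lotsastuff.exe).
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\0\0"
    + b"\x8b\xec\x83\xe4\xf0" + b"CreateFileA\0WriteProcessMemory\0"
    + b"\x01\x02" + b"http://192.0.2.10/update.bin\0\0"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\0\0"
    + b"\x90\x90" + "C:\\Users\\Public\\svc.exe".encode("utf-16le") + b"\0\0"
    + b"powershell -EncodedCommand \0"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:9} {text}")
    for cat, off, text in triage_strings(extract_strings(SAMPLE)):
        print(f"[{cat}] {off:#06x} {text}")
```

Run it against a real file with extract_strings(open(path, "rb").read()); the offset column is what you type into HxD to see the bytes around a string, which is often how you find the decoding routine next to an encoded blob.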

7. Analyzing PowerShell Scripts

  • File: A_message.ps1 (the .ps1 extension indicates a PowerShell script).

    • Action: Open with Notepad++ rather than running it; during static analysis the script is read, not executed.

    • Decoding:

      • Base64: Decode using CyberChef (From Base64). A payload passed to powershell -EncodedCommand is Base64 of UTF-16LE text, so decode the result as UTF-16LE, not UTF-8, or every other character will show as a null.

      • XOR: Decrypt using CyberChef's XOR operation with the key recovered from the script. If the key is not visible, XOR Brute Force over a single-byte key, or XOR-ing the ciphertext with a known plaintext prefix, exposes it.
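The same two-layer decode done in Python rather than CyberChef, as an added example that is not from the handbook and does not use the real A_message.ps1. The encoded sample is constructed inside the block (a harmless Write-Host line XOR-ed with a made-up 3-byte key, then Base64-encoded), and recover_xor_key shows the known-plaintext trick for the case where the key is not visible in the script: XOR the ciphertext with the plaintext you expect at the start, then collapse the exposed keystream to its repeating period.

```python
import base64

def decode_b64(blob: str) -> bytes:
    """Base64-decode, stripping whitespace and re-adding the padding obfuscated scripts often drop."""
    blob = "".join(blob.split())
    return base64.b64decode(blob + "=" * (-len(blob) % 4))

def decode_encoded_command(blob: str) -> str:
    """powershell -EncodedCommand carries Base64 of UTF-16LE text, not UTF-8."""
    return decode_b64(blob).decode("utf-16le")

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(ciphertext: bytes, crib: bytes) -> bytes:
    """Known-plaintext attack: XOR-ing the ciphertext with the plaintext expected at
    offset 0 exposes the keystream; return its shortest repeating period.
    The crib must be at least one full key length long to recover the whole key."""
    stream = xor_bytes(ciphertext[:len(crib)], crib)
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

def decode_layers(blob: str, key: bytes) -> str:
    """Base64 -> XOR -> text: the order CyberChef applies with 'From Base64' followed by 'XOR'."""
    return xor_bytes(decode_b64(blob), key).decode("utf-8")

# Constructed sample (not the page's A_message.ps1): a harmless PowerShell line,
# XOR-ed with a made-up 3-byte key, then Base64-encoded.
PLAINTEXT = b"Write-Host 'static analysis done'"
KEY = b"k3y"
ENCODED = base64.b64encode(xor_bytes(PLAINTEXT, KEY)).decode()
# Constructed -EncodedCommand payload, built the way PowerShell itself expects it.
ENCODED_COMMAND = base64.b64encode("Get-Date".encode("utf-16le")).decode()

if __name__ == "__main__":
    ct = decode_b64(ENCODED)
    key = recover_xor_key(ct, b"Write-Host")   # guess: the script opens with a common cmdlet
    print("recovered key:", key, "->", decode_layers(ENCODED, key))
    print("EncodedCommand:", decode_encoded_command(ENCODED_COMMAND))
```

If the crib guess is wrong the recovered "key" will not repeat cleanly and the decoded text will be garbage, which is the cue to try another common opening (a $ variable assignment, Set-, IEX, or the "MZ" header when the payload is an embedded executable).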

8. Tools for Static Analysis

  • HxD: Hex editor for viewing raw file contents.

  • Detect It Easy (DIE): File type, compiler, packer and entropy identification.

  • PEiD: Tool for analyzing PE file headers and detecting known packers.

  • strings: Extracts printable ASCII and Unicode strings from a file.

  • CyberChef: Tool for decoding and decrypting encoded data.
