Static Analysis of Sample Files

1. Getting File Hashes

  • Tools: Use tools to calculate MD5 and SHA-256 hashes of files.

  • Example: For re_lotsastuff.exe, calculate MD5 and SHA-256 hashes to identify the file.

2. Identifying File Type

  • Tool: Detect It Easy (DIE).

    • File Type: PE32 (indicates a PE file for 32-bit architecture).

    • Additional Info: Includes addresses for code and disassembly.

3. Viewing File Contents

  • Tool: Use HxD (Hex Editor).

    • Signature: PE files start with 4D 5A (MZ signature).

    • Offset: At offset 0x3C, read the address in little-endian format to find the PE header.

4. Analyzing PE Headers

  • Tool: Use PEiD or similar PE analysis tools.

    • MZ Header: Indicates the start of the PE file.

    • PE Header: Contains important information about the file structure, including:

      • Entry Point: Offset where code execution begins.

      • Base of Code/Data: Addresses where code and data start.

      • Section Headers: Details about code and data sections (e.g., .text, .data, .rsrc).
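As an added worked example (not from the original notes), the header walk from steps 3 and 4 in Python: it checks the MZ signature, follows the little-endian pointer at offset 0x3C to the PE signature, then reads the entry point, base of code/data and section table. The sample re_lotsastuff.exe is not available here, so the input is a constructed minimal PE32 header.

```python
import struct

# Constructed minimal PE32 image (headers only, no real code): a DOS header whose
# e_lfanew field at 0x3C points to a PE header at 0x80, followed by one .text section.
def build_sample_pe() -> bytes:
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"                                   # 4D 5A signature
    struct.pack_into("<I", dos, 0x3C, 0x80)            # e_lfanew, little-endian
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)            # AddressOfEntryPoint
    struct.pack_into("<I", opt, 20, 0x1000)            # BaseOfCode
    struct.pack_into("<I", opt, 24, 0x2000)            # BaseOfData
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0x60000020)         # code | execute | read
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text

def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # the value read at 0x3C
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                    # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    entry, base_code = struct.unpack_from("<II", data, opt + 16)
    info = {"machine": hex(machine), "pe32": magic == 0x10B,
            "entry_point": hex(entry), "base_of_code": hex(base_code), "sections": []}
    if magic == 0x10B:                                 # BaseOfData exists only in PE32
        info["base_of_data"] = hex(struct.unpack_from("<I", data, opt + 24)[0])
    table = opt + opt_size                             # section headers follow the optional header
    for i in range(nsect):
        name, vsize, vaddr, rawsize, *_ = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        info["sections"].append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                                 "va": hex(vaddr), "vsize": vsize, "rawsize": rawsize})
    return info

if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
```

Replace build_sample_pe() with the bytes of a real file to compare the parsed values against what DIE or PEiD reports.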

5. Inspecting Imports

  • Details:

    • Imports: Lists API functions from DLLs used by the file.

    • Common DLLs:

      • Kernel32.dll: System functions (e.g., file operations, process management).

      • Advapi32.dll: Registry functions.

      • Shell32.dll: File execution functions.

      • Ws2_32.dll: Network functions.

6. Viewing File Strings

  • Tool: Use the strings command-line tool.

    • Command: strings re_lotsastuff.exe > lotsastuff.txt

    • Review: Look for interesting strings and API functions.

7. Analyzing PowerShell Scripts

  • File: A_message.ps1 (the .ps1 extension indicates a PowerShell script).

    • Action: Open with Notepad++.

    • Decoding:

      • Base64: Decode using CyberChef.

      • SORE Algorithm: Decrypt using CyberChef with the appropriate key.

8. Tools for Static Analysis

  • HxD: Hex editor for viewing raw file contents.

  • PEiD: Tool for analyzing PE file headers.

  • CyberChef: Tool for decoding and decrypting encoded data.
