Module 2 Static Analysis

The document outlines techniques and tools for static malware analysis, emphasizing the importance of static analysis in identifying malware characteristics without execution. It discusses the use of PEStudio for analyzing Portable Executable files, detailing its features and tabs for comprehensive examination. Additionally, it covers the use of VirusTotal and Detect It Easy (DIE) for further analysis, highlighting their roles in identifying malicious behavior and understanding file obfuscation.

Uploaded by Varad Kulkarni

Module 2: Static Analysis

Title: Tools and Methods for Static Malware Analysis


Task 1: Basic Information on Static Analysis
Static analysis is a technique employed to examine malware without executing
it. This method allows researchers to safely investigate the code, file structure,
and metadata of a suspicious file, offering valuable insights into its behavior and
purpose. By scrutinizing the characteristics of the malware, analysts can identify
its type, potential impacts, and indicators of compromise (IOCs).
Key Aspects of Static Analysis:
• Code Examination: Involves inspecting the code for signatures, patterns, and suspicious constructs that may indicate malicious intent.
• File Structure Analysis: Analyzing the file format and structure assists in identifying the malware type and understanding its construction.
• String Analysis: Extracting human-readable strings from the binary can reveal URLs, commands, or error messages that hint at the malware's functionality and intentions.
• Header Inspection: Reviewing the file headers for abnormal characteristics or attributes can provide early warnings of potentially malicious behavior.
Static analysis serves as a crucial first step in malware analysis, allowing
researchers to build a profile of the malware based on its static properties.
Answer the questions below-----------------------------------------------------------
1. What analysis type avoids executing malware?
Answer: Static analysis
2. What helps identify malware indicators?
Answer: Code examination

Task 2: Using PEStudio for Static Analysis
PEStudio is a robust static analysis tool tailored for analyzing Portable
Executable (PE) files. It provides comprehensive information about executables
and libraries without requiring execution, making it particularly useful for
malware analysis.
Overview of PEStudio: PEStudio allows analysts to inspect various aspects of
a PE file, such as its structure, imported libraries, and strings. The tool features
a user-friendly interface that organizes information into several tabs for efficient
navigation.
PEStudio Tabs:
• Overview Tab:
  o Displays essential information about the PE file, including the file name, size, and last modified date.
  o Highlights indicators of potentially malicious behavior based on various criteria.
• Sections Tab:
  o Lists the sections of the PE file, such as .text, .data, and .rsrc.
  o Provides insights into the size and characteristics of each section, helping analysts identify unusual modifications or suspicious sections.
• Imports Tab:
  o Shows the libraries and functions imported by the PE file.
  o Identifying critical functions like CreateProcess, WriteFile, or InternetOpen can indicate the capabilities of the malware.
• Resources Tab:
  o Displays any resources embedded in the executable, such as icons, images, or additional data.
  o Malicious resources can provide clues about the malware's purpose or intended targets.
• Strings Tab:
  o Extracts and displays all readable strings found within the executable.
  o Analysts can search for suspicious URLs, file paths, or command strings that may suggest malicious activity.
• Checksum Tab:
  o Provides calculated checksums (MD5, SHA-1, SHA-256) for the file.
  o Useful for verifying the integrity of the file and comparing it against known malware hashes.

Performing Static Analysis in PEStudio:

1. Load the PE File: Open PEStudio and load the executable file you want to analyze (in this case, the malware sample with hash fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621).
2. Examine the Overview Tab: Start by checking the overview for any red flags or indicators of potential malicious activity.
3. Analyze Sections: Navigate to the sections tab to identify any anomalies in size or content that may suggest packing or obfuscation.
4. Inspect Imports and Exports: Review the imports and exports tabs to understand the file’s capabilities and how it may interact with other system components.
5. Explore Strings: Check the strings tab for suspicious or notable strings that could indicate the malware’s behavior or targets.

By effectively utilizing PEStudio, analysts can conduct thorough static analyses
that uncover vital information about malware, aiding in the formulation of
appropriate defensive measures.
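String extraction of the kind the Strings tab performs (and that Task 1 calls String Analysis), as an added example that is not the module's own code and not PEStudio's: it pulls ASCII and UTF-16LE runs out of a byte blob the way a strings tool does, then tags the URLs, Windows paths, registry keys and API names an analyst would search for. SAMPLE_BLOB is constructed inline (the URL uses the reserved .invalid domain, so it never resolves) and stands in for a real executable so the script runs offline; the indicator patterns and the minimum length of 5 are this example's choices.

```python
"""Extract printable strings from a binary and flag the ones worth a look.

Added example (not the module's or PEStudio's code). SAMPLE_BLOB is a
constructed stand-in for an executable so the script runs offline.
"""
import re

MIN_LEN = 5  # shorter runs are mostly noise (instruction bytes that happen to be printable)

# Patterns an analyst scans the strings list for. The API names are the ones
# the module itself mentions; this is not an exhaustive set.
INDICATORS = {
    "url": re.compile(r"https?://[^\s\"']+", re.I),
    "path": re.compile(r"[A-Za-z]:\\[^\s\"']+"),
    "registry": re.compile(r"HK(?:LM|CU|CR|U)\\[^\s\"']+"),
    "api": re.compile(r"\b(?:CreateProcess[AW]?|WriteFile|InternetOpen[AW]?)\b"),
}

# Constructed sample: header bytes, an API name, a URL, a UTF-16LE path,
# a registry key, a too-short run and a harmless string, with junk between.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"CreateProcessA\x00"
    + b"\xde\xad\xbe\xef"
    + b"http://update.example.invalid/stage2.bin\x00\x00\x00"
    + "C:\\Users\\Public\\svc.exe".encode("utf-16le") + b"\x00\x00\x00"
    + b"HKCU\\Software\\ExampleVendor\\Settings\x00"
    + b"ab\x00"
    + b"Copyright (c) constructed sample\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) tuples sorted by file offset.

    ASCII strings are runs of printable bytes; UTF-16LE strings are runs of
    printable byte + NUL pairs, which is how Windows wide strings appear
    in a binary.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
              for m in wide_re.finditer(blob)]
    return sorted(found)


def classify(strings):
    """Tag each extracted string with the first indicator pattern it matches."""
    hits = []
    for offset, encoding, text in strings:
        for kind, pattern in INDICATORS.items():
            if pattern.search(text):
                hits.append({"offset": offset, "encoding": encoding,
                             "kind": kind, "value": text})
                break
    return hits


if __name__ == "__main__":
    for hit in classify(extract_strings(SAMPLE_BLOB)):
        print(f"0x{hit['offset']:06x} {hit['encoding']:8} {hit['kind']:8} {hit['value']}")
```

Wide strings are the usual blind spot: a plain ASCII scan never sees the UTF-16LE path, which is why the two regexes are run separately and merged by offset. Lowering min_len surfaces more strings but drowns the list in printable instruction bytes, so in practice the cut-off is raised, not lowered, on a packed sample.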
Answer the questions below-----------------------------------------------------------
Q1) What is the overlay hash?
Answer: 4D454F03CF5B31DE9F770749EB059DE923E743F8370A6BA73C03F1A8E086A353
Q2) File entropy level?
Answer: 7.997
Q4) Entry point?
Answer: 0x000030E2
Q5) File ratio percentage?
Answer: 69.04%

Task 4: Analyzing Malware with VirusTotal


VirusTotal is an online service that aggregates detection results from multiple
antivirus engines and analysis tools. It provides a comprehensive overview of a
file’s reputation and helps analysts identify potentially malicious behavior based
on the results from various security vendors.
Using VirusTotal to Analyze the Malware Sample: The malware sample
associated with the hash
fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621
can be analyzed through VirusTotal by following these steps:
1. Access VirusTotal: Go to the VirusTotal website.

2. Input the Hash: Enter the hash fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621 in the search bar and initiate the search.
3. Review the Analysis Results:
Once the results load, examine the following sections:

o Overview Tab: This tab provides a general summary, including the file name, size, and any flags raised by antivirus engines.

o Detection Results: This section displays the number of engines that flagged the file as malicious versus those that did not. Pay close attention to any significant detections or comments provided by the engines.

o Details Tab: The details section will include information such as file type, the date the file was first seen, and additional metadata that can provide context about the sample.

8 | Page
o Relations Tab: If available, this tab lists the other objects VirusTotal has linked to the sample, such as files, domains, IP addresses and URLs observed during static or dynamic analysis.

o Behavior Tab: The Behavior tab in VirusTotal offers insights into the actions a file takes when executed in a controlled sandbox environment. This includes information on network communications, file and process creation, registry alterations, and any other interactions that might indicate malicious behavior. Because these findings come from running the sample, they are dynamic observations that complement, rather than replace, the static results gathered in the earlier tasks.

o Community Comments: Analysts can review comments from the
VirusTotal community that may provide insights or additional context
regarding the file.
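The items this task asks about (first-seen and creation dates, the detection count, the popular threat label) all sit in the JSON that VirusTotal's v3 API returns for a file hash. As an added example, not the module's or VirusTotal's code, the block below reduces such a report to those items. The field names (last_analysis_stats, popular_threat_classification, first_submission_date, creation_date, type_description) are the real v3 attribute names; SAMPLE_REPORT itself is constructed, with made-up values and a placeholder id. fetch_file_report() shows the shape of the hash lookup (a GET against /api/v3/files/{sha256} with the x-apikey header), but it needs a key and network access and is not called here. The detection denominator convention and the verdict thresholds are this example's, not VirusTotal's.

```python
"""Summarise a VirusTotal v3 file report into the items Task 4 asks about.

Added example, not the module's or VirusTotal's code. SAMPLE_REPORT is a
constructed stand-in for a GET /api/v3/files/{sha256} response.
"""
import json
import urllib.request
from datetime import datetime, timezone

VT_FILES_ENDPOINT = "https://www.virustotal.com/api/v3/files/"

# Constructed response: real v3 field names, made-up values, placeholder id.
SAMPLE_REPORT = json.loads("""
{
  "data": {
    "id": "sha256-placeholder",
    "type": "file",
    "attributes": {
      "type_description": "Win32 EXE",
      "size": 184320,
      "creation_date": 1399809600,
      "first_submission_date": 1400000000,
      "last_analysis_stats": {
        "harmless": 0, "type-unsupported": 4, "suspicious": 0,
        "confirmed-timeout": 0, "timeout": 1, "failure": 0,
        "malicious": 58, "undetected": 12
      },
      "popular_threat_classification": {
        "suggested_threat_label": "trojan.example/constructed"
      }
    }
  }
}
""")


def fetch_file_report(sha256: str, api_key: str) -> dict:
    """Look a hash up without uploading anything. Needs a key and network;
    not exercised in this example."""
    req = urllib.request.Request(VT_FILES_ENDPOINT + sha256,
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _utc_date(epoch):
    """VirusTotal timestamps are Unix epoch seconds; render the UTC date."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).date().isoformat() if epoch else None


def summarise_report(report: dict) -> dict:
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    # Only engines that gave a verdict count toward the denominator;
    # unsupported/timeout/failure are left out (this example's convention).
    verdicts = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "harmless", "undetected"))
    malicious = stats.get("malicious", 0)
    label = attrs.get("popular_threat_classification", {}).get("suggested_threat_label")
    if malicious >= 5:          # example thresholds, not VirusTotal's
        verdict = "malicious"
    elif malicious:
        verdict = "suspicious"
    else:
        verdict = "undetected"
    return {
        "file_type": attrs.get("type_description"),
        "creation_date": _utc_date(attrs.get("creation_date")),
        "first_submission_date": _utc_date(attrs.get("first_submission_date")),
        "detections": f"{malicious}/{verdicts}",
        "detection_ratio": round(malicious / verdicts, 3) if verdicts else 0.0,
        "threat_label": label,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in summarise_report(SAMPLE_REPORT).items():
        print(f"{key:22} {value}")
```

Looking a hash up is preferable to uploading the sample: an upload shares the file with every vendor and the community, which may be undesirable for an incident under investigation, while a hash query reveals only that someone asked about that hash.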

Answer the questions below-----------------------------------------------------------
Q1) What is the first Create date of the sample?
Answer: 2014-05-11
Q2) What popular threat label is associated with this malware?
Answer: trojan.tedy/makoob

Task 5: Using Detect It Easy (DIE) for Malware Analysis
Detect It Easy (DIE) is a tool widely used for identifying packers, compilers,
and obfuscators used in malware files. It can provide valuable insights into
whether a file is packed or obfuscated, which may indicate attempts by the
malware author to evade analysis.
Purpose of Using DIE for Static Analysis: By identifying packers and
compilers, DIE helps analysts understand the potential complexity and
obfuscation of the malware. Packed or obfuscated files may hide malicious code
within layers, making them harder to analyze. DIE’s analysis can help decide if
additional unpacking is needed before further examination.
Steps to Analyze the Malware Sample with DIE:
1. Open the Malware Sample in DIE: Launch DIE, and load the malware file associated with the hash fdaaef3df184431dac7f489471ec9de34d4dff895ef7b04be85eb40117477621.
2. Identify the Packer or Compiler Used:
o Packer Detection: DIE will display any identified packer used to
obfuscate the malware. Common packers might include UPX,
Themida, or PECompact.
o Compiler Identification: DIE can detect the compiler used to build
the malware, such as MSVC, Borland, or GCC, which can give insight
into the development environment.
3. Review File Sections for Irregularities:
o Packed files often show unusual section sizes or suspiciously
compressed sections.
o Check the .text and .data sections for unexpected or abnormal
characteristics that may indicate tampering or obfuscation.
4. Evaluate Signature Results:
o DIE comes with a built-in signature database that matches known
packers, compilers, and libraries to the file.

o Look for any specific signatures that DIE associates with the file;
these can provide hints about the malware’s capabilities and potential
unpacking requirements.
5. Analyze the Entropy Levels:
o High entropy values in specific sections may indicate encryption or
compression, suggesting that the malware is packed. This insight is
critical, as it informs whether additional unpacking steps are needed to
fully analyze the code.
6. Document Observations and Plan Next Steps:
o Based on DIE’s findings, determine if the malware needs unpacking
before continuing with deeper analysis.
o Take note of any specific packer or compiler detected, as this
information can guide further research or help identify patterns in
malware campaigns.
By using Detect It Easy, analysts gain a foundational understanding of the file's
structure, potential obfuscation layers, and packing methods, all of which are
essential for a thorough and effective malware analysis.
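The numbers DIE and PEStudio report in this task and in Task 2 (entry point, section count, each section's virtual and raw size, per-section entropy and SHA-256, whole-file entropy) all come from walking the PE headers and section table. The block below does that with the standard library only, as an added example that is not the module's code and does not touch the malware sample it analyses: build_sample_pe() constructs a minimal PE32 image inline so the script runs offline, with low-entropy code-like bytes in .text, a high-entropy blob in .data standing in for packed data, and an NSIS-style .ndata section that has a virtual size but no raw data. The 7.0 bits/byte threshold for suspecting packing is this example's choice, and the section names and contents are constructed.

```python
"""Walk a PE section table and compute what PEStudio and DIE report:
entry point, section count, virtual/raw sizes, entropy and SHA-256.

Added example, not the module's code and not its malware sample.
build_sample_pe() constructs a minimal PE32 image so this runs offline.
"""
import hashlib
import math
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)
HIGH_ENTROPY = 7.0                    # bits/byte; above this, suspect packing or encryption
ENTRY_RVA = 0x1010                    # entry point of the constructed sample


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest().upper()


def parse_pe(image: bytes) -> dict:
    """Parse the DOS, PE, COFF and optional headers and the section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    _machine, num_sections = struct.unpack_from("<HH", image, coff)
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)           # 0x10B PE32, 0x20B PE32+
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HEADER_FMT, image, opt + size_opt + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        entropy = shannon_entropy(raw)
        notes = []
        if raw_size == 0 and vsize > 0:
            notes.append("no raw data: allocated at load time only")
        if entropy > HIGH_ENTROPY:
            notes.append("high entropy: packed or encrypted?")
        if va <= entry_rva < va + max(vsize, raw_size):
            notes.append("contains entry point")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va, "raw_size": raw_size,
            "entropy": round(entropy, 3), "sha256": sha256_hex(raw), "notes": notes,
        })
    return {"magic": magic, "entry_point": entry_rva,
            "file_entropy": round(shannon_entropy(image), 3), "sections": sections}


def build_sample_pe(spec) -> bytes:
    """Build a minimal PE32 image from (name, raw_bytes, virtual_size) tuples.
    Constructed for this example; it is not a runnable program."""
    size_opt, file_align, sect_align = 0xE0, 0x200, 0x1000
    hdr_len = 0x40 + 4 + 20 + size_opt + 40 * len(spec)
    raw_ptr = -(-hdr_len // file_align) * file_align
    va, headers, bodies = sect_align, [], []
    for name, raw, vsize in spec:
        raw_size = -(-len(raw) // file_align) * file_align
        headers.append(struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), vsize, va,
                                   raw_size, raw_ptr if raw_size else 0, 0, 0, 0, 0, 0x60000020))
        bodies.append(raw.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += -(-max(vsize, raw_size) // sect_align) * sect_align
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(spec), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, ENTRY_RVA).ljust(size_opt, b"\0")
    image = (dos + b"PE\0\0" + coff + opt + b"".join(headers)).ljust(
        -(-hdr_len // file_align) * file_align, b"\0")
    return image + b"".join(bodies)


# Constructed section contents.
TEXT_BYTES = b"\x90" * 2000 + b"\xC3" * 48                       # low entropy, code-like
RDATA_BYTES = b"constructed .rdata payload\0".ljust(0x200, b"\0")  # plain read-only data
PACKED_BYTES = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # high entropy
SAMPLE_SPEC = [
    (b".text", TEXT_BYTES, len(TEXT_BYTES)),
    (b".rdata", RDATA_BYTES, len(RDATA_BYTES)),
    (b".data", PACKED_BYTES, len(PACKED_BYTES)),
    (b".ndata", b"", 0x15000),  # virtual size only, like an NSIS .ndata section
]

if __name__ == "__main__":
    report = parse_pe(build_sample_pe(SAMPLE_SPEC))
    print(f"entry point 0x{report['entry_point']:08X}, file entropy {report['file_entropy']}")
    for s in report["sections"]:
        print(f"{s['name']:8} vsize 0x{s['virtual_size']:08X} raw 0x{s['raw_size']:08X} "
              f"entropy {s['entropy']:.3f} {' | '.join(s['notes'])}")
```

Two of the checks matter most when triaging a packed sample: a section whose entropy sits near 8 bits/byte is either compressed or encrypted and will not yield useful strings until unpacked, and a section with a large virtual size but no raw data is where an unpacker typically writes the decompressed code at run time, so the entry point landing in or jumping to such a section is a strong packing signal.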
Answer the questions below-----------------------------------------------------------
Q1) What is the entropy level of the .text section?
Answer: 6.509
Q2) Which section is packed?
Answer: .txt
Q2) What is the SHA-256 hash for the .rdata section?
Answer: 7CDE5F387256223AA7527AEC642234537DAB482BAE262234282730F0589704A2
Q3) How many sections are there in total in the file?
Answer: 5
Q4) What is the virtual size of the .ndata section?
Answer: 0x00015000 (86016 bytes)
