How to statically analyze malware

Static malware analysis means analyzing a malicious file without executing it.

Static analysis helps you detect or find indicators that can show that the file is malicious.

Once you perform a static analysis, the following details can be revealed:

  • Hashes of the file
  • Whether the file is packed
  • Imports and exports
  • Libraries used
  • Strings embedded in the file
  • Digital certificates
  • The file format type
  • Details such as domain names, IP addresses and others

NB: For security reasons, we are not providing the malicious file.

Imagine that you received a suspicious file to analyze at work; your job is to set up your sandbox to perform the investigation.

We have already set up our sandbox with two machines (a Windows guest and REMnux).

REMnux is a prebuilt Linux machine for malware analysis; you can download the OS from: Get the Virtual Appliance – REMnux Documentation

The Windows guest was downloaded from Download a Windows virtual machine – Windows app development | Microsoft Developer. A newer version, Windows 11, is also available for download.

VirtualBox can be downloaded from Downloads – Oracle VM VirtualBox.

After installing VirtualBox and the machines, you can install FLARE VM (a set of tools for malware analysis on Windows) from GitHub – mandiant/flare-vm.

FLARE VM does not come with all the applications needed for the analysis, so you must install some tools yourself, such as PEiD, BinText, PeStudio, Dependency Walker and others, based on your needs.

When we finished installing all the applications, the environment looked like this:

Both guest machines run on a “Host Only Network”, which means they have no internet connection.

NB: One important thing: take a snapshot of the machine before you start the investigation so you can revert to a clean state afterwards.

Let’s start the investigation.

1. Strings command

On the REMnux host. The strings command helps you find the strings embedded in the file.

First, run the command with the help option to find more details about it.

Then run the command against the file:

2. Pestr

On the REMnux host, open a terminal and type the command below with the file name.

You can redirect the output to a file to get a better view of it.

The output:

At this point, we can observe some indicators such as imports, library calls and DLL file names, the persistence method used in the registry, a domain name and others. This is a good starting point, as most malware uses these attributes.

3. PEiD

On the Windows host. The tool is used to detect common packers, cryptors and compilers for PE files.

Drag the file you are analyzing into the tool. In our case the file is not packed, and we can see that it was written in C++.

4. PEStudio

On the Windows host. The tool is very useful for static analysis; it can show the following information:

  • File signature
  • Imports
  • Exports
  • URLs and IP addresses
  • VirusTotal score
  • Strings embedded in the file

Run the tool, drag the file into it, and go through each option on the left side while analyzing the output on the right side.

VirusTotal scoring

Imports

Strings

5. BINTEXT

On the Windows host. Run the tool and it will display the strings embedded in the file.

6. Peframe

The tool is used to analyze portable executable files; it can detect whether the file is packed, anti-debug techniques, digital signatures, XOR, mutexes, anti-virtual-machine checks, suspicious sections and functions, macros and others.

On the REMnux host. Type the command followed by the name of the file you are analyzing.

We get some details about the file on the screen, such as the hash of the file, PE32 (which means the file is a Windows executable), the file size and others.
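As an added example (not part of the original write-up), the following Python script reproduces the core of what strings/pestr and peframe surfaced above: it hashes a file, reads the PE header to tell PE32 from PE32+, extracts ASCII strings and buckets them into the indicator classes discussed in the pestr section (DLL names, URLs, IP addresses, registry Run-key persistence, packer section names). The input is a constructed stand-in blob, not a real binary, and the indicator rules and packer section list are assumptions of this example.

```python
import hashlib
import re
import struct

# Constructed stand-in for a suspicious PE: a minimal PE32 header followed by
# the kind of strings that strings/pestr surface. Not a real or malicious binary.
def build_sample() -> bytes:
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)        # e_lfanew -> 0x40
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    magic = struct.pack("<H", 0x10B)                            # 0x10B = PE32, 0x20B = PE32+
    body = (b"\x00kernel32.dll\x00advapi32.dll\x00RegSetValueExA\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"http://update.example.invalid/beacon\x00192.0.2.45\x00UPX0\x00")
    return dos + coff + magic + body

def pe_type(data: bytes):
    """Return 'PE32', 'PE32+' or None by walking MZ -> e_lfanew -> PE -> Optional header magic."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]   # 4 (signature) + 20 (COFF header)
    return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)

def extract_strings(data: bytes, min_len: int = 4):
    """ASCII runs only, like `strings` prints by default (pestr additionally decodes UTF-16)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Assumed indicator rules; extend to match what your own pestr output keeps showing.
CHECKS = {
    "dll": lambda s: s.lower().endswith(".dll"),
    "url": lambda s: re.match(r"https?://", s) is not None,
    "ip": lambda s: re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", s) is not None,
    "persistence": lambda s: "currentversion\\run" in s.lower(),
    "packer_section": lambda s: s in {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"},
}

def classify(strings):
    return {name: [s for s in strings if pred(s)] for name, pred in CHECKS.items()}

def triage(data: bytes) -> dict:
    """Hashes, file type and string indicators: the first lines of a static analysis report."""
    hashes = {a: getattr(hashlib, a)(data).hexdigest() for a in ("md5", "sha1", "sha256")}
    return {"hashes": hashes, "type": pe_type(data), "indicators": classify(extract_strings(data))}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample()), indent=2))
```

Replace build_sample() with open(path, "rb").read() to run it over a real sample inside the sandbox; a real binary will also yield many harmless strings, so the buckets are a starting point for review, not a verdict.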

NB: You can list all the tools available in REMnux for malware analysis by typing the command shown in the capture below.

7. Dependency Walker

On the Windows host.

After dragging the file into the tool, you can see the DLL files with the functions (imports and exports) related to each.

You can search for the name of a DLL file on the internet to find out what it does.

Now that your static analysis is finished, you can collect the information and write a report.

Static analysis of malware is very important: it lets you analyze the malware without running it and collect basic information about it. The information collected can help us determine whether the file is malware.