Hey everyone, today we will learn how to analyse a basic malware sample using static analysis.
I have uploaded the sample malware files at this link; you can download them from here.
It is always advisable to keep malware samples in a compressed, password-protected archive. The password to decompress the file is infected.
Ok guys, let's see what we've got today.
Fire up your malware analysis operating system, the one we set up with the FlareVM distribution and packages. If you are new here, I request you to complete my previous blogs on malware analysis here; they show you how to install the FlareVM packages on a Windows operating system.
Download and extract the samples I have provided at my GitHub link. The password is infected.
As we know, the first step in static analysis is file type identification. We will do this with a couple of tools, HxD and Exeinfo PE.
Drag your sample file into HxD and we can go further from there. You can clearly see that the file type is Portable Executable because the first two bytes, at offsets 00 and 01, are 4D 5A, as I said in my previous blogs; if you select the M in the decoded text, byte 00 is highlighted.
As I said, we can also clearly see that the header text contains the string "This program cannot be run in DOS mode".
Right after that string comes the PE header, which is where the Portable Executable header starts.
Next, drag the malware sample into Exeinfo PE to check additional details, such as whether it is packed or not; we can check the sections here as well. I will explain sections and all of that in a bit, don't worry.
We can use the disassembler in this application too, to check the hex values, the PE header and the header string, as we did with HxD.
Next, open the file with pestudio. It will clearly tell you the file type, the architecture it is built for, the hashes, the signature and the entry point too. pestudio is a multi-feature application with lots and lots of features.
In the above image we can clearly see that this piece of malware is designed for a 32-bit architecture and that it is a dynamic-link library (.dll).
The next step in static analysis is hash generation, to give the malware a unique identity. We can use the HashCalc and HashMyFiles tools for this purpose.
These tools produce different hash values for different algorithms, such as MD5, SHA1, SHA256 and SHA512, so we can use these values on websites like VirusTotal.com to check whether the malware has already been analysed. We can also hash a file by right-clicking it and choosing the MD5 hash option.
Just copy the hash, paste it into VirusTotal.com, and Google it as well, to find existing analysis of the hashed file.
On the VirusTotal website we can see where the malware was first found and its history.
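Hashing the file in a single pass, as an added example that is not part of the original post: the helper below computes all four digests the post mentions while reading the file only once, and checks the SHA256 against a local list of samples you have already analysed before you spend a VirusTotal lookup on it. The known-sample table and the input bytes are constructed for the demo (the table's only entry is the SHA256 of the string abc); they are not real malware hashes.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digest an in-memory buffer with every algorithm at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Digest a file in 1 MiB chunks so a large sample never has to fit in memory."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


# Constructed lookup table standing in for your own notes on already-analysed
# samples, keyed by SHA256. The only entry is the SHA256 of b"abc".
KNOWN_SAMPLES = {
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "test-vector (abc)",
}


def lookup_known(hashes, known=KNOWN_SAMPLES):
    """Return the label of a previously analysed sample, or None if it is new to us."""
    return known.get(hashes["sha256"])


if __name__ == "__main__":
    digests = hash_bytes(b"abc")  # constructed input, not a real sample
    for name, value in digests.items():
        print(f"{name:8} {value}")
    print("seen before:", lookup_known(digests))
```

hash_file takes the path of a sample on disk; hash_bytes is the same computation for a buffer you already have in memory.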
The next step in static analysis is looking for STRINGS.
We can look for strings with CLI and GUI tools; first let's learn how to do it on the CLI, then we can move on to the GUI.
Open Command Prompt (or PowerShell), type strings and hit Enter; you will see a list of the available options.
Malware contains two types of strings, ASCII and Unicode, so we need to specify which type to search for and the minimum number of characters to filter on, using the command strings -a -n 6 "Malware file path" (omit the double quotes).
Likewise we can search for Unicode strings using strings -u -n 6 "Malware file path".
It has some kind of key in it, and a Facebook URL was also found.
We can also inspect strings by right-clicking and choosing the strings option; we may find useful information like reverse connection URLs and socket information.
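A pure-Python version of the two strings commands above, as an added example that is not from the original post: ascii_strings mirrors strings -a -n 6 and unicode_strings mirrors strings -u -n 6 (Windows wide strings are stored as UTF-16LE, so each printable character is followed by a NUL byte), and find_indicators pulls URLs and IPv4 addresses out of the results, which is the kind of reverse connection detail the post says to look for. The SAMPLE buffer is constructed for the demo from reserved example names and documentation addresses; it is not a real sample.

```python
import re

# A printable ASCII run is a sequence of bytes 0x20..0x7E; a wide (UTF-16LE)
# run is the same characters with a NUL after each one.
ASCII_RUN = rb"[\x20-\x7e]{%d,}"
WIDE_RUN = rb"(?:[\x20-\x7e]\x00){%d,}"


def ascii_strings(data, min_len=6):
    """Equivalent of `strings -a -n <min_len>`: printable ASCII runs of at least min_len bytes."""
    return [m.group().decode("ascii") for m in re.finditer(ASCII_RUN % min_len, data)]


def unicode_strings(data, min_len=6):
    """Equivalent of `strings -u -n <min_len>`: UTF-16LE runs of at least min_len characters."""
    return [m.group().decode("utf-16le") for m in re.finditer(WIDE_RUN % min_len, data)]


def strings_from_file(path, min_len=6):
    """Both kinds of strings from a file on disk."""
    with open(path, "rb") as f:
        data = f.read()
    return ascii_strings(data, min_len) + unicode_strings(data, min_len)


URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_indicators(strings):
    """Pick URLs and valid IPv4 addresses out of an extracted string list."""
    urls, ips = [], []
    for s in strings:
        urls += URL_RE.findall(s)
        ips += [ip for ip in IPV4_RE.findall(s) if all(int(o) <= 255 for o in ip.split("."))]
    return {"urls": urls, "ips": ips}


# Constructed sample bytes: a few header bytes, DLL names, a URL, an address
# and one wide string, separated by binary junk. Short runs are dropped.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00\x01\x02\xff\xfe"
    + b"urlmon.dll\x00wsock32.dll\x00"
    + b"http://update.example.invalid/check.php\x00"
    + b"\x7f\x80\x81"
    + b"connect to 192.0.2.10 on port 8080\x00\x00\x00"
    + "SOFTWARE\\Example\\Settings".encode("utf-16le") + b"\x00\x00"
    + b"abc\x00"
)


if __name__ == "__main__":
    found = ascii_strings(SAMPLE) + unicode_strings(SAMPLE)
    for s in found:
        print(s)
    print(find_indicators(found))
```

The minimum length matters: with -n 6 short runs of bytes that happen to be printable (the MZ magic, the lone $) are filtered out, while raising it to 40 would drop everything in this sample, so tune it to the file rather than trusting one default.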
The next step in the flow is packing and obfuscation. Why do attackers pack files to obfuscate them?
Attackers pack the malware file so that its strings are very difficult to identify and understand. Packing can also hide some important details, like section information and origin details.
We can pack and unpack files using a prebuilt command line utility in the FlareVM operating system called upx.
We can use the upx tool with the commands below to pack and unpack a file.
upx -9 "malware path" packs the malware (-9 gives the highest compression), and upx -d "packed malware path" unpacks it.
We can identify whether a malware sample is packed or not using Exeinfo PE. Just drag the sample into Exeinfo PE. In the below image we can see it is packed, and it asks us to unpack it, even suggesting a tool for the job. That's great, right?
In the above image we can see the difference between the strings of the packed and unpacked malware samples; in the packed file they are mostly gibberish, so we need to unpack it before proceeding with further analysis.
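A packing check you can script, as an added example that is not from the original post. Compressed or encrypted data has an almost flat byte distribution, so the Shannon entropy of a packed file sits close to 8 bits per byte while ordinary code and text sit well below that; the helper also looks for the UPX! marker that a stock UPX build writes into the files it packs (a modified packer can strip it, so treat its absence as no evidence). Real UPX output needs the tool itself, so the demo simulates packing with zlib on a constructed low-entropy buffer; the 7.0 threshold is a common rule of thumb, not a standard.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def packing_indicators(data, threshold=7.0):
    """Cheap 'is this packed?' heuristics: entropy near 8 and the UPX! marker."""
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= threshold,  # 7.0 is a rule of thumb, not a standard
        "upx_marker": b"UPX!" in data,         # stock UPX magic; a modified packer can remove it
    }


def packing_indicators_for_file(path, threshold=7.0):
    """Run the heuristics over a whole file on disk."""
    with open(path, "rb") as f:
        return packing_indicators(f.read(), threshold)


# Constructed demo data: 8 KiB drawn from a 16-symbol alphabet (about 4 bits of
# entropy per byte, like plain code or text), then "packed" with zlib as a
# stand-in for UPX, which leaves an almost uniform byte distribution.
_rng = random.Random(7)
PLAIN = bytes(_rng.choice(b"0123456789abcdef") for _ in range(8192))
PACKED = zlib.compress(PLAIN, 9)


if __name__ == "__main__":
    print("plain :", packing_indicators(PLAIN))
    print("packed:", packing_indicators(PACKED))
```

Whole-file entropy is a coarse signal: a large embedded certificate or image can push an unpacked file over the threshold, so when it fires, confirm with Exeinfo PE or pestudio before unpacking.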
The next step in the flow is analyzing the PE HEADER. Let's find out what more we can get from it.
We do this by opening the malware sample in pestudio: drag and drop the sample file into pestudio.
In the above image we can clearly see the compiler stamp, which records when the malware was first compiled; here it states October 17th 2016. We can see the subsystem details too; here it is GUI.
Ok, let's proceed with the options in the left panel. I found nothing serious under the DOS header tag, so I moved on to the sections part.
In the sections part, as I explained in my previous blog about the PE header, we can get a lot of information. If you are not sure what I am talking about here, you should read it here.
In the above image we can see the raw data offsets of the .text and .reloc sections, and the cross sign (x) indicates what the malware file is permitted to do with each section. It is clear that it has full read permission on the code and the initialized data.
When the malware is packed we cannot see this much information; it will simply show the details of the packer that was used.
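A minimal PE header parser, added here as an example and not part of the original post, that pulls out the same facts the post reads off HxD and pestudio in the file identification step and in this PE header step: the MZ magic at offsets 00 and 01, the e_lfanew pointer to the PE signature, the machine type (32-bit or 64-bit), the DLL flag, the compile timestamp, the entry point, the subsystem (GUI or console) and, for each section, its raw offset and the read/write/execute flags that pestudio shows as crosses. The build_sample_dll helper constructs a throwaway 32-bit DLL image in memory, with a made-up timestamp of October 17th 2016 to match the post's screenshot, so the parser can run offline; it is not a real sample and contains no code to execute.

```python
import datetime
import struct

# Flag values from the PE/COFF specification (IMAGE_FILE_* and IMAGE_SCN_*).
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x14C: "x86 (32-bit)", 0x8664: "x64 (64-bit)"}
FORMAT_NAMES = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}
SECTION_FLAGS = {
    0x00000020: "CODE",
    0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA",
    0x20000000: "EXECUTE",
    0x40000000: "READ",
    0x80000000: "WRITE",
}


def parse_pe(data):
    """Return a dict of header facts for the PE image in `data`; ValueError if it is not a PE."""
    if data[:2] != b"MZ":                                     # bytes 00 and 01 must be 4D 5A
        raise ValueError("no MZ magic: not a Portable Executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)       # file offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, coff)
    opt = coff + 20                                           # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_point,) = struct.unpack_from("<I", data, opt + 16)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)   # same offset in PE32 and PE32+
    sections = []
    sec = opt + opt_size                                      # section table follows the optional header
    for _ in range(nsections):
        name, _, vaddr, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec)
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_offset": rawptr,
            "raw_size": rawsize,
            "flags": sorted(label for bit, label in SECTION_FLAGS.items() if flags & bit),
        })
        sec += 40                                             # each section header is 40 bytes
    compiled = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_format": FORMAT_NAMES.get(magic, hex(magic)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compile_time": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "entry_point": entry_point,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
        "sections": sections,
    }


def build_sample_dll():
    """Constructed 32-bit DLL image for the demo: valid headers, no code, never run."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"This program cannot be run in DOS mode.\r\n$"
    dos = dos.ljust(e_lfanew, b"\x00")
    opt_size = 224                                            # size of a PE32 optional header
    # x86, 2 sections, timestamp 2016-10-17 00:00 UTC, DLL | EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1476662400, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                   # AddressOfEntryPoint
    struct.pack_into("<H", opt, 68, 2)                        # Subsystem: Windows GUI
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    reloc = struct.pack("<8sIIIIIIHHI", b".reloc", 0x40, 0x2000, 0x200, 0x600, 0, 0, 0, 0, 0x42000040)
    return dos + b"PE\x00\x00" + coff + bytes(opt) + text + reloc


if __name__ == "__main__":
    info = parse_pe(build_sample_dll())
    for key, value in info.items():
        print(f"{key}: {value}")
```

To run it on a real sample, read the file in binary mode and pass the bytes to parse_pe. A section that is both WRITE and EXECUTE, or a .text section with no CODE flag, is the kind of oddity a packer leaves behind, which is why pestudio's cross marks are worth a look.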
Next we move to the libraries part. Here we gather a lot of information about what the malware can do and what it is capable of. We can see a list of the DLL files it works with, which are blacklisted by the MSN, like urlmon.dll and wsock32.dll (used to create socket connections). It is designed to work with kernel32.dll, so it can take the whole system under its control; then we can see advapi32.dll, a very important DLL used to interact with registry keys and information.
Next is the imports section, where we can see the library functions used to enumerate registry keys and socket details, and if it has any dropper files they will be associated here. If we don't understand any of these library functions, just right-click, copy the library name and search for it on the Microsoft Developer Network.
In this tool we can also access the strings easily; as I told you already, it is a multi-feature tool. This malware doesn't have any resource files, so I need to load another file to show you the resources part.
The resources part contains additional information about the malware: additional payload files, droppers to be dropped, if any, and the origin of the malware.
Let us check whether this malware sample is packed or not; it seems to be unpacked.
We can inspect the section details in this tool using the small icon (the second one below the magnifier icon); it seems this file has a resource file in it.
Open the malware in pestudio and move to the resources section. Here you can see this malware was made on a computer whose language is English (United States), but it may be from anywhere where people speak English; who knows, sometimes it may be France, China or Russia. This part is essential for getting to know the origin of the malware.
Check the malware with another tool called Resource Hacker, which comes with FlareVM. It shows us what logo the malware is using in the Bitmap section, and we can see a lot of information about the original file name and product name; here it is Alert, so maybe it is made to pop some kind of alert up in the face of affected systems.
We can see this information in pestudio too.
That's it for today guys. I hope you can understand this and practice it with various malware samples. This is the basics of static analysis; let's try more in the upcoming blogs.
You can download these tools without going for FlareVM, but they need some dependency files, so it's up to you which way to go.
Tomorrow we will learn how to set up YARA rules and how to check them against the malware sample.
See you guys, bye bye!