Static Analysis

This document discusses techniques for static malware analysis, including determining a file's type and architecture using its signature, fingerprinting malware using cryptographic hashes, extracting strings, detecting file obfuscation like packing and encryption, and comparing samples to classify malware using fuzzy hashing, import hashing, section hashing, and YARA rules. The goal of static analysis is to extract useful information from a file without executing it to inform further dynamic analysis.

Malware Analysis CIS-672

Lecture 02: Static Analysis


Dr. Muhammad Abid,
DCIS, PIEAS

Malware Analysis, PIEAS


Static Analysis

Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.



Determining the File Type

The file type of a suspect binary helps you identify the malware's target operating system (Windows, Linux, and so on) and architecture (32-bit or 64-bit), and therefore which tools and parsers to apply next. For example, if the suspect binary has a file type of Portable Executable (PE), the file format for Windows executables, you can deduce that it is designed to target the Windows operating system; the Machine field of its PE header then tells you whether it is a 32-bit or 64-bit image.



Determining the File Type

Why not use the file extension to identify the file type? Attackers modify the extension and the file's appearance (its icon, or a double extension such as report.pdf.exe, which Explorer shows as report.pdf when known extensions are hidden) to trick users into executing it, so the extension says nothing reliable about the content. Instead of relying on the file extension, the file signature (the magic bytes at the start of the file) can be used to determine the file type.



File Signature

A file signature is a sequence of bytes written to the file's header. Different file types have different signatures, which can be used to identify the type of file regardless of its name. Windows executable files, also called PE files (such as files ending in .exe, .dll, .drv, .sys, and so on), have the file signature MZ, hexadecimal 4D 5A, in the first two bytes of the file. (.com is sometimes listed as well, but a genuine DOS .com file is a flat binary with no MZ header; a renamed PE with a .com extension still runs.) MZ alone only proves a DOS header: a valid PE also carries the 4-byte signature PE\0\0 (50 45 00 00) at the offset stored in the 32-bit field at 0x3C (e_lfanew), and the Machine field immediately after it gives the target architecture. A signature table for many formats is maintained at http://www.filesignatures.net/



Identifying File Type Using Manual Method

The manual method of determining the file type is to look for the file signature by opening the file in a hex editor, e.g. the HxD hex editor (https://mh-nexus.de/en/hxd/).

On Linux systems, the xxd command generates a hex dump of the file: each line shows 16 bytes in hexadecimal and, on the right, the same bytes as ASCII, so the first line of a PE file begins 4d5a and its ASCII column begins MZ. The file command automates the same lookup against its magic database and is usually the first thing to run.



Determining File Type Using Python
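The following is an added example (not the slide's own listing) of checking the signature in Python and, for MZ files, walking e_lfanew to the PE signature and the Machine field so that the architecture is recovered as well. The signature table and the Machine values are standard; the MAGIC dictionary, the function names and the build_pe_stub() helper that fabricates a minimal header for testing are assumptions of this example.

```python
import struct

# Leading-byte signatures (see filesignatures.net). Table constructed for this example; extend as needed.
MAGIC = {
    b"MZ": "DOS/PE executable (Windows)",
    b"\x7fELF": "ELF executable (Linux/Unix)",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (also DOCX/XLSX/JAR/APK)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 compound document (legacy DOC/XLS)",
}

# IMAGE_FILE_HEADER.Machine values from the PE specification.
PE_MACHINE = {
    0x014C: "x86 (32-bit)",
    0x8664: "x86-64 (64-bit)",
    0x01C4: "ARM Thumb-2 (32-bit)",
    0xAA64: "ARM64",
}

def pe_details(data: bytes) -> str:
    """MZ alone only proves a DOS header. Follow e_lfanew (the 32-bit offset at 0x3C)
    to the PE signature and read the Machine field that follows it."""
    if len(data) < 0x40:
        return "MZ header truncated"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "DOS executable (MZ, no PE signature)"
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return f"PE executable, Machine=0x{machine:04X} {PE_MACHINE.get(machine, 'unknown')}"

def identify(data: bytes) -> str:
    """Classify a file from its leading bytes instead of its extension."""
    for magic, description in MAGIC.items():
        if data.startswith(magic):
            return pe_details(data) if magic == b"MZ" else description
    return "unknown"

def identify_file(path: str, header_bytes: int = 4096) -> str:
    """Only the header is needed; e_lfanew is normally far below 4 KiB."""
    with open(path, "rb") as f:
        return identify(f.read(header_bytes))

def build_pe_stub(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal header for testing (not a runnable PE): MZ, e_lfanew, PE signature, Machine."""
    buf = bytearray(e_lfanew + 24)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4, machine)
    return bytes(buf)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "->", identify_file(path))
    print("constructed x64 stub ->", identify(build_pe_stub(0x8664)))
```

Run it as `python filetype.py sample1 sample2 ...`; a file that starts with MZ but has no PE signature at e_lfanew is reported separately, which is exactly the case a renamed or truncated sample produces.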



Fingerprinting the Malware

Fingerprinting involves generating cryptographic hash values for the suspect binary based on its file content. The cryptographic hash algorithms MD5, SHA1 and SHA256 are the de facto standard for generating file hashes of malware specimens. MD5 and SHA1 are no longer collision-resistant (two different files can be crafted with the same digest), so record SHA256 as the primary identifier and keep MD5/SHA1 only for looking up older reports and databases that are indexed by them.



Why Fingerprinting the Malware?

Identifying a malware specimen by filename is ineffective because the same malware sample can use different filenames, but the cryptographic hash calculated from the file content stays the same and serves as a unique identifier.

When malware is executed, it can copy itself to a different location or drop another piece of malware. Having the cryptographic hash of the sample helps in identifying whether the newly dropped/copied sample is the same as the original sample or a different one.

A file hash is frequently used as an indicator to share with other security researchers to help them identify the sample.

A file hash can be used to determine whether the sample has already been seen, by searching online or querying the database of a multi-anti-virus scanning service such as VirusTotal.com. Searching by hash discloses nothing about the sample itself, unlike uploading it.



Generating Cryptographic Hash Using Tools

Linux: the coreutils md5sum, sha1sum and sha256sum utilities print the digest of each file named on the command line.

Windows: HashMyFiles (http://www.nirsoft.net/utils/hash_my_files.html) computes MD5/SHA1/SHA256 for selected files in a GUI; certutil -hashfile, built into Windows, does the same from the command line.

Determining Cryptographic Hash in Python
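As an added example (not the slide's own listing), the block below hashes a file with all three algorithms in a single pass over the data, reading in chunks so that large droppers are not loaded into memory, and then shows that renaming the file leaves the digests unchanged while a one-byte change alters all of them. The function names, the chunk size and the "abc" content of the temporary sample are assumptions of this example; the digests of "abc" are the published test vectors for MD5, SHA1 and SHA256.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB per read: hash multi-GB files without holding them in memory

def hash_stream(chunks) -> dict:
    """Feed an iterable of byte chunks to all three digests in one pass."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def hash_bytes(data: bytes) -> dict:
    return hash_stream([data])

def hash_file(path: str) -> dict:
    with open(path, "rb") as f:
        return hash_stream(iter(lambda: f.read(CHUNK), b""))

def demo() -> dict:
    """Write a constructed sample to a temp file, hash it, rename it, and confirm
    the digests did not move: the identifier follows content, not filename."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "invoice.exe")
        with open(original, "wb") as f:
            f.write(b"abc")  # constructed content; digests below are the standard test vectors
        first = hash_file(original)
        renamed = os.path.join(tmp, "svchost.exe")
        os.rename(original, renamed)
        assert hash_file(renamed) == first
        return first

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        d = hash_file(path)
        print(f"{d['md5']}  {d['sha1']}  {d['sha256']}  {path}")
    print("demo:", demo()["sha256"])
```

Because every digest changes completely when a single byte differs, cryptographic hashes can only answer "identical or not"; that is the gap fuzzy hashing (ssdeep, below) fills.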



Extracting Strings

Strings are ASCII and Unicode (UTF-16LE) printable sequences of characters embedded in the binary. Strings extracted from a binary can contain references to filenames, URLs, domain names, IP addresses, attack commands, registry keys, and so on, and so give a hint about what the malware is capable of doing. Treat them as hints rather than proof: a string can belong to dead code, a decoy, or a statically linked library, and the interesting ones are often obfuscated.



String Extraction Using Tools

Linux: the strings command, by default, prints runs of at least four printable ASCII characters (the -n option changes the minimum). With the -a option it scans the entire file rather than only the sections it would normally consider. The -e option selects the encoding; -el (16-bit little-endian) extracts the UTF-16LE strings that Windows programs call "Unicode" and that the default ASCII scan does not show:

strings -a -el multi.exe   # UTF-16LE ("Unicode") strings

Windows: pestudio, which lists strings alongside imports, resources and other indicators.



Decoding Obfuscated Strings Using FLOSS

Malware authors use simple string obfuscation techniques (single-byte XOR, stack strings assembled one character at a time, small custom decoders) to avoid detection. Obfuscated strings do not show up in the strings utility or other string extraction tools, because they are only decoded at runtime. FireEye Labs Obfuscated String Solver (FLOSS, now maintained by Mandiant's FLARE team as flare-floss) is a tool designed to locate the decoding routines and stack strings in a binary and extract the obfuscated strings automatically, using emulation rather than running the sample. FLOSS can also be used just like the strings utility to extract human-readable strings (ASCII and Unicode).
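To make both points concrete (what the strings utility sees, and why an XOR-obfuscated string escapes it), here is an added example that is not part of the slides and not FLOSS code: a minimal ASCII and UTF-16LE string extractor, and a brute-force single-byte XOR pass that recovers a URL the extractor missed. The sample bytes, the key 0x9C, the example.com URL and the b"http" marker used to score candidate keys are all constructed for this illustration.

```python
import re

MIN_LEN = 4  # same default minimum length as the strings utility

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows "Unicode" strings are UTF-16LE: each printable ASCII byte is followed by 0x00
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def extract_strings(data: bytes) -> list:
    """(offset, encoding, text) tuples: the union of `strings -a` and `strings -a -el`."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in UTF16LE_RE.finditer(data)]
    return sorted(found)

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the kind of trivial obfuscation FLOSS is built to undo (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)

def brute_force_xor(data: bytes, marker: bytes) -> list:
    """Try every single-byte key and keep (key, string) pairs whose decoding contains the marker,
    e.g. b"http". Real tools score candidates more cleverly; the idea is the same."""
    hits = []
    for key in range(1, 256):
        plain = xor_bytes(data, key)
        if marker in plain:
            hits.extend((key, s) for _, _, s in extract_strings(plain) if marker.decode() in s)
    return hits

# Constructed sample (not a real binary): a visible ASCII command, the C2 URL stored as
# UTF-16LE, and the same URL XOR-ed with XOR_KEY so that plain string extraction misses it.
XOR_KEY = 0x9C
URL = b"http://example.com/update.bin"
SAMPLE = (b"\x00" * 16
          + b"cmd.exe /c whoami"
          + b"\x00" * 8
          + URL.decode().encode("utf-16-le")
          + b"\x00" * 8
          + xor_bytes(URL, XOR_KEY)
          + b"\x00" * 16)

def demo():
    """Returns what `strings` would show and what the brute-force XOR pass recovers."""
    return extract_strings(SAMPLE), brute_force_xor(SAMPLE, b"http")

if __name__ == "__main__":
    visible, recovered = demo()
    for off, enc, s in visible:
        print(f"{off:#06x} {enc:8} {s}")
    for key, s in recovered:
        print(f"XOR key {key:#04x} recovers: {s}")
```

The UTF-16LE copy of the URL is only visible with the wide-string pattern, and the XOR-ed copy is invisible to both patterns until the key is found; keys that leave every byte of the plaintext in the printable range would instead show up as a "garbage" string, which is itself a hint that something is encoded.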



Determining File Obfuscation

File obfuscation protects the inner workings of the malware from security researchers, malware analysts, and reverse engineers, and makes the binary harder to detect and analyze: extracting strings from such a binary yields very few strings, most of them meaningless, and the import table is usually reduced to a handful of loader APIs. The programs used to obfuscate a file are packers and cryptors.



Packers and Cryptors

A packer uses compression to obfuscate the executable's content. The compressed content is stored within the structure of a new executable file (the packed program) on disk, together with a small decompression stub. Upon execution, the packed program runs the stub, which extracts the original binary into memory at runtime and transfers execution to it. Because the original code exists only in memory, the static view on disk shows just the stub and an opaque, high-entropy blob. A cryptor is similar to a packer but uses encryption instead of, or in addition to, compression.



Packers: UPX

UPX is a free, portable, extendable, high-performance executable packer for several executable formats, with an excellent compression ratio and very fast decompression:

upx -o file_packed file   # pack file, writing the result to file_packed
upx -d file_packed        # decompress (unpack) file_packed in place
upx -t file_packed        # test the integrity of the packed file

upx -d only works when the UPX headers are intact; malware authors frequently modify or corrupt them, or use a patched UPX build, so that the stock unpacker fails even though a UPX signature is still detected.



Detecting File Obfuscation

To detect packers on Windows: Exeinfo PE, which uses more than 4,500 signatures to detect the compilers, packers, and cryptors used to build a program. Signature scanners miss custom or modified packers, so combine them with generic indicators: section names such as UPX0/UPX1, a tiny import table, and sections whose entropy is close to 8 bits per byte.



Comparing And Classifying The Malware

We want to know whether the malware sample belongs to a particular malware family, or whether it has characteristics that match previously analyzed samples. Goal: identifying similar samples. A cryptographic hash changes completely when a single byte differs, so it can only say whether two files are identical.

Fuzzy Hashing: ssdeep (http://ssdeep.sourceforge.net) generates a context-triggered piecewise hash for a sample and reports a percentage similarity (0 to 100) between samples, so variants that share most of their content score high even though their SHA256 values are unrelated.



Comparing And Classifying The Malware

Fuzzy hash

ssdeep samplename                 # generate the fuzzy hash of one file
ssdeep -pb *                      # compare all files in the directory with each other: -p pretty-prints matches, -b shows bare filenames
ssdeep -lrpa directory            # recurse into a directory (-r) with relative paths (-l), showing all matches regardless of score (-a)

Comparing against previous samples:

ssdeep * > all_hashes.txt         # save the hashes of the known samples
ssdeep -m all_hashes.txt sample   # match a new sample against the saved hashes





Comparing And Classifying The Malware

Import Hashing (imphash): a hash value calculated from the library and imported function (API) names and their particular order in the executable's import table. Because that order depends on how the source was compiled and linked, samples built from the same code base with the same toolchain share an imphash even when their file hashes differ. Packed samples, however, expose only the packer stub's imports, so their imphash matches other files packed the same way rather than the original program.

More info:
https://blogs.jpcert.or.jp/en/2016/05/classifying
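The example below is added here to show what the imphash is actually computed over; it is not code from the slides or from pefile. It builds the canonical "library.function" string from an ordered import list, following the pefile convention as I understand it (lowercase names, library extension stripped, entries joined by commas, MD5 of the result), and demonstrates on constructed import tables that spelling differences do not matter while order does. On a real file you would call pefile's get_imphash() rather than this function; the sample import tables are assumptions of this example.

```python
import hashlib

# Library extensions pefile strips from the DLL name before hashing
STRIP_EXT = (".dll", ".ocx", ".sys")

def import_string(imports) -> str:
    """Canonical 'library.function,library.function,...' string.
    imports: (dll_name, function_name_or_ordinal) pairs in import-table order.
    pefile additionally resolves ordinals of a few well-known DLLs (e.g. ws2_32)
    to names; that lookup table is omitted here and ordinals become 'ordN'."""
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        for ext in STRIP_EXT:
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)

def imphash(imports) -> str:
    return hashlib.md5(import_string(imports).encode()).hexdigest()

# Constructed import tables, not taken from real samples.
SAMPLE_A = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
            ("WININET.dll", "InternetOpenA"), ("WININET.dll", "InternetReadFile"),
            ("ADVAPI32.dll", "RegSetValueExA")]
# Same APIs in the same order; only the spelling in the import directory differs.
SAMPLE_B = [("kernel32.DLL", "loadlibrarya"), ("kernel32.DLL", "getprocaddress"),
            ("wininet.dll", "internetopena"), ("wininet.dll", "internetreadfile"),
            ("advapi32.dll", "regsetvalueexa")]
# Same APIs linked in a different order (rebuilt from source with another toolchain).
SAMPLE_C = [SAMPLE_A[2], SAMPLE_A[3], SAMPLE_A[0], SAMPLE_A[1], SAMPLE_A[4]]
# A packed sample exposes only the stub's loader imports, so its imphash says nothing
# about the original program and collides with other files packed the same way.
PACKED_STUB = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
               ("KERNEL32.dll", "VirtualProtect"), ("KERNEL32.dll", "VirtualAlloc")]

if __name__ == "__main__":
    for label, table in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C), ("stub", PACKED_STUB)):
        print(label, imphash(table), import_string(table))
```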
Comparing And Classifying The Malware

Section Hash: calculates the MD5 (or another digest) of each section of the PE file separately, so that a sample whose .text section is unchanged but whose resources or overlay differ can still be matched to its relatives. Consider generating the fuzzy hash, imphash, and section hashes for every malicious binary you analyze and storing them in a database for future comparison.



Comparing And Classifying The Malware

YARA: classify malware based on the unique strings and binary indicators present in the binary. YARA is a powerful malware identification and classification tool. YARA rules are based on textual or binary information contained in malware and consist of a set of strings (text, hex, or regular-expression patterns) and a Boolean condition that determines the rule's logic (for example, all of them, 2 of them, or a string at a given offset).



Using YARA Rules

Once a rule is written, you can use it to scan files with the YARA command-line utility, or use yara-python to integrate the rules into your own tools.



Comparing And Classifying The Malware

YARA: use the YARA utility or yara-python to scan files using YARA rules.

YARA Rule Basics: a rule can be generic (matching many samples of a family) or very specific (matching one build). A rule has a name, an optional meta section, a strings section listing the text, hex or regular-expression patterns to look for, and a condition that combines them. Text strings are matched as case-sensitive ASCII by default. Save the rule in a file such as suspicious.yara.



Comparing And Classifying The Malware

Running YARA:
yara -r suspicious.yara samples/    # -r recurses into the directory

To match case-insensitively and in both ASCII and UTF-16LE, add the modifiers nocase, ascii and wide after the string definition.



YARA Rule Basics (continued)

Only look for PE files: test the magic bytes in the condition with uint16(0) == 0x5A4D (YARA reads integers little-endian, so the bytes 4D 5A become 0x5A4D) and, for a full PE check, uint32(uint32(0x3C)) == 0x00004550, or import the pe module and use pe.is_pe.

Hex string: a byte pattern written in hexadecimal inside braces, e.g. { 4D 5A }, with ?? for wildcard bytes and [n-m] for jumps of variable length.



Applications of YARA

Finding decoy embedded documents in a malware sample: look for a document signature (OLE2, PDF, RTF) at an offset beyond the PE headers, e.g. with $doc in (1024..filesize), so that the rule skips the PE headers and does not fire on a document signature that merely appears in the dropper's own header area.
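The block below is an added illustration of the rule features covered on the preceding slides (case-sensitive and nocase/wide/ascii text strings, a hex string with wildcards, the uint16/uint32 PE check, and an offset range that skips the PE headers); the two rules are written for this example and are not the slides' own rules or any published signature. Alongside the rule text, small Python functions evaluate the same conditions by hand so the semantics can be checked without yara installed; match_with_yara() runs the real rules through yara-python if it is available. The constructed sample (a fake PE header with an embedded PDF) and all function names are assumptions of this example.

```python
import struct

RULES = r'''
rule suspicious_strings
{
    strings:
        $cmd = "cmd.exe /c" ascii                 // case-sensitive ASCII (the default)
        $ps  = "powershell" nocase wide ascii     // any case, UTF-16LE ("wide") and ASCII
        $url = { 68 74 74 70 3A 2F 2F ?? ?? 2E }  // hex string: "http://" + 2 wildcard bytes + "."
    condition:
        2 of them
}

rule pe_with_embedded_decoy_doc
{
    meta:
        description = "PE carrying an OLE2 or PDF document beyond its headers (decoy document)"
    strings:
        $ole = { D0 CF 11 E0 A1 B1 1A E1 }        // OLE2 compound file (legacy .doc/.xls)
        $pdf = "%PDF-" ascii
    condition:
        uint16(0) == 0x5A4D and                   // "MZ" read as a little-endian 16-bit integer
        uint32(uint32(0x3C)) == 0x00004550 and    // PE signature at e_lfanew: real PE files only
        ($ole in (1024..filesize) or $pdf in (1024..filesize))   // skip the PE headers
}
'''

def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550, evaluated by hand."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550

DOC_MAGICS = ((b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"), (b"%PDF-", "pdf"))

def find_embedded_doc(data: bytes, skip: int = 1024):
    """`$ole in (1024..filesize) or $pdf in (1024..filesize)`: first document signature past the headers."""
    for magic, kind in DOC_MAGICS:
        off = data.find(magic, skip)
        if off != -1:
            return off, kind
    return None

def matches_decoy_rule(data: bytes) -> bool:
    return is_pe(data) and find_embedded_doc(data) is not None

def has_string(data: bytes, text: str, nocase: bool = False, wide: bool = False, ascii_: bool = True) -> bool:
    """What the ascii / wide / nocase modifiers mean at the byte level."""
    hay = data.lower() if nocase else data
    needle = text.lower() if nocase else text
    forms = ([needle.encode("ascii")] if ascii_ else []) + ([needle.encode("utf-16-le")] if wide else [])
    return any(form in hay for form in forms)

def constructed_sample() -> bytes:
    """Minimal PE-looking header (not runnable) followed by filler and an embedded PDF."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)     # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr) + b"\x90" * 0x800 + b"%PDF-1.4\n%constructed decoy\n"

def match_with_yara(data: bytes):
    """Runs the real rules through yara-python when it is installed; None otherwise."""
    try:
        import yara
    except ImportError:
        return None
    return sorted(m.rule for m in yara.compile(source=RULES).match(data=data))

if __name__ == "__main__":
    sample = constructed_sample()
    print("is_pe:", is_pe(sample), " embedded:", find_embedded_doc(sample))
    print("yara-python:", match_with_yara(sample))
```

Saving the RULES text to a file and running `yara -r rules.yara samples/` gives the same verdict as match_with_yara(); the offset range is what keeps the decoy rule from firing on a PE whose own header region happens to contain a document signature.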



Applications of YARA

Malware detection based on serial number: detecting the 9002 RAT using the serial number of the digital certificate it is signed with. The serial number lives in the binary's certificate table, which the YARA pe module exposes as pe.signatures[i].serial, so the rule keeps matching even when the code itself is rebuilt, as long as the same stolen or attacker-issued certificate is reused.



Applications of YARA

Detect packers: packer signatures such as the one Exeinfo PE uses for UPX can be rewritten as YARA hex strings anchored at the entry point (the pe module's pe.entry_point gives the file offset, so the condition becomes $sig at pe.entry_point), or approximated by section names such as UPX0 and UPX1.



Applications of YARA

Detect patterns in any file: YARA is not limited to executables. For example, a YARA rule can detect the network communication of different variants of the Gh0stRAT malware when run over packet captures or memory dumps.



Applications of YARA

Identify malware components: for example, a YARA rule can detect both the driver and the DLL components of the Darkmegi rootkit, so that a single rule tags every piece of the infection found on a disk image.



Applications of YARA

To write sound YARA rules, read:
https://www.nextron-systems.com/2015/02/16/write-simple-sound-yara-rules/
For generating YARA rules:
https://github.com/Neo23x0/yarGen
https://www.joesecurity.org/blog/8938263704094453988
More info:
https://yara.readthedocs.io/en/stable/



Multiple Anti-Virus Scanning

Scanning the Suspect Binary with VirusTotal

VirusTotal (http://www.virustotal.com) is a popular web-based malware scanning service. It allows us to upload a file, which is then scanned with various anti-virus engines, and the scan results are presented on the web page as they come in. The VirusTotal web interface also lets us search its database by hash, URL, domain, or IP address.

Search by hash before you upload: an uploaded sample is shared with the participating vendors and with paying subscribers, so in a targeted intrusion the upload can reveal to the attacker that their tool has been discovered, and it may leak sensitive data embedded in the file. A detection count of zero does not mean the file is benign, only that no engine has a signature for it yet.



Scanning the Suspect Binary with VirusTotal (continued)

VirusTotal Graph associates a malware sample with its indicators (domains, IP addresses, and URLs) and with other samples that share them, which is useful for pivoting from one hash to related infrastructure and variants.

