Malware Analysis - Part 1: Static Analysis

June 25, 2020

Introduction


Some of the most annoying threats in information security are malicious programs. Every day, we hear news about data breaches and cyber attacks with malware. Attackers are enhancing their development skills and building new malware that can bypass company safeguards and AV-products. According to safetydetectives.com, the total cost of malware attacks with reach $6 trillion by 2021.

In this series, we are going to learn how to perform malware analysis. Malware analysis is the art of determining the functionality, origin, and potential impact of a given malicious software. The series will contain 3 parts

  1. Static Malware Analysis (You are here)
  2. Dynamic Malware Analysis
  3. Memory Malware Analysis

Malware analysis lab


When performing malware analysis, you ensure that you are testing in a dedicated and isolated environment. It is always a bad idea to testand analyze malware in production systems. That is why you need to build your own malware analysis lab and sandbox. The most basic technique is deploying some isolated virtual machines (Linux and Windows) or you can deploy some ready-to-use malware analysis sandboxes such as Cuckoo sandbox or FLARE VM.   You can download themfrom here:

Malware analysis approaches


In most cases, as a malware analyst you need to perform the following analysis techniques:

  • Static Analysis: It is collecting information about the malicious application without running it
  • Dynamic Analysis: It is analyzing how the malware behave after running it in a sandbox
  • Memory Analysis: It is collecting and analyzing memory artifacts to learn more about the malware.

Malware samples and datasets


In your malware analysis learning journey, it is essential to acquire some malware samples so you can start to practice what you are learning using them. Many analysts, researchers, and institutions are sharing some malware samples and machine learning data sets with the community for educational purposes some of them are the following:

Static Malware Analysis


Now, let’s learn how to perform Static Malware Analysis. For the demonstration we are going to use some sample from “theZoo


According to its Github Repository:

theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.”

Please remember that these are live and dangerous malware! They come encrypted and locked for a reason!

The zip password is “infected”

Clone the project by typing:


sudo git clone https://github.com/ytisf/theZoo


The actual malware sample can be found in theZoo/malwares/Binaries

Let’s start our analysis.


Filetype


The first thing you need to do is to know the filetype of the malicious file because it will help you identify the targeted operating system. If you are running Linux (in my case i am using Ubuntu 18.04), youcan simply type:


file <Malware_Sample>

For example, the filetype of “CryptoLocker_22Jan2014” sample is: PE32 executable.


The Portable Executable (PE) format is a file format for executables, object code, DLLs and others used in 32-bitand 64-bit versions of Windows operating systems.”


Also, you can use a hex dumper called “xxd”. Type


xxd <Malware_Sample>

The first 2 bytes are “MZ”. It is an indicator that the file is a PE. Those bytes are the initials of Mark Zbikowski, one of the leading developers of MS-DOS.


Strings

Extracting strings from malicious software will give us many additional pieces of information about it and about its functionalities. Some useful pieces of information are: IP Addresses, Bitcoin wallet addresses, Error messages, comments and so on.


To extract strings type:


strings <Malware_Sample>

Hashes


A hash function is a mathematical function  that takes a string, and generates a fixed-size output called a hash value or a message digest.There are many used hashes in the wild including: md5, sha256 and sha1.

To identify the hashes type:

Md5sum <Malware_Sample>

Sha1sum <Malware_Sample>

Sha256sum <Malware_Sample>

VirusTotal


When performing static analysis, analysts usually tend to scan the malicious files using anti-virus scanners but as you know there is no AV solution that can detect all malware pieces. Thus, it is recommended to scan the file using different AV products. To make things easier for analysts VirusTotal provides an online platform to help you scan files using different AV solutions at the same time. To analyse a file go to: https://www.virustotal.com/gui/home/upload


Upload your file or simply you can provide the file hash. Let’s enter the md5 of Zeus malware which is 3848a99f2efb923a79e7d47577ae9599

Voila! VirusTotal will generate a detailed report about the malware. It was detected by 56 AV solutions.

Also you can find some additional details about it:

Virus Total also provides an API to help you use the platform capabilities inyour projects.

PE headers


We already took a look at PE files. Inspecting PE headers will help us get more information about the malware including where the binary needs to be loaded into memory and so on.


You can find the full structure of PE 32 files here: Structure (High Resolution)

To extract these pieces of information we are going to use a powerful tool called “PE Studio”


The goal of pe studio is to spot suspicious artifacts within executable files in order to ease and accelerate Malware Initial Assessment and is used by Computer Emergency Response Teams and Labs worldwide.”

You can download it from here:  https://www.winitor.com/get.html

Once you download it you can load your malicious file and it will give youmany helpful details including the previously discussed techniques.

Imports and Exports


Imports and exports are very valuable pieces of information because it will help us get an idea about the functionalities and capabilities of the malware since it uses internal APIs to perform some tasks.

The imports are also mapped to the MITRE Framework. To learn more aboutit you can read our article: How MITRE ATT&CK can help you to defend against Advanced Persistent Threats (APTs)


Timestamps

Time stamp is very important in malware analysis; it gives us an indication about the compile time of the executable.

Packers


Malware developers use many techniques to avoid detection and stay hidden as long as possible. Some of these techniques are obfuscation and encryption. Obfuscators are also known as packers obfuscate the content of a malware using compression. Cryptors use encryption to obfuscate the malware. For To detect packers you can use an utility called “ExeInfo PE


For example this malware is packed with UPX.


UPX is a free, portable, extendable, high-performance executable packer for several executable formats.

Yara rules


Yara is a powerful classification and detection tool. It uses a rule-based approach to detect malware.  Its official website is http://yararules.com


To download yara, you can simply type:


sudo apt-get install yara

You can download a collection of Yara rules from here: https://github.com/Yara-Rules/rules


This is an example of a yara rule to detect TROJAN_Notepad_shell_crew

As you notice a yara rule contains the following sections:

  • Metadata
  • Identifiers
  • Strings identification
  • Conditions

To use yara rule to detect a malware you can simply type:


Yara <Yara_Rule> <Malware_Folder_Path>


For example,  we detected Petya Ransomware using this command:


yara RANSOM_Petya.yar

/home/azureuser/theZoo/malwares/Binaries/Ransomware.Petya

Summary


In this article, we explored the fundamentals of malware analysis and how to perform static malware analysis using a collection of powerful tools. In the 2nd part of this series, we will explore how to analyze malware dynamically by running it in a secure environment.

References and Credits:

Authored by

Chiheb Chebbi