Monday, September 1, 2014

Beginning Static Malware Analysis

In the next two post, we will perform some basic malware analysis to learn enough information about a particular .exe to see if we can draw a conclusion, as to what it may be doing. Maybe enough to develop a signature for an IPS/IDS.

In this first post, we will focus on static analysis. This is where we will try to learn about the executable without executing it. So without further ado, let's get started.

We will use will use the "lab06-02.exe" from "Practical Malware Analysis"

Our topology consists of a a WindowsXP box at 10.0.0.101 and a Kali Box at 10.0.0.102.
Both of the above are virtual machines running on virtual box, Host Only Mode.

If we suspect that a file may be malicious, one of the first things we should do is grab its hash value and compare that against virus total. For my lab I will use md5deep suite of tools to obtain the sha-256 value of this executable.

SHA-256
C:\Malware Analysis Toolkit\md5deep-4.3>sha256deep.exe c:\malware\Lab06-02.exe
b71777edbf21167c96d20ff803cbcb25d24b94b3652db2f286dcd6efd3d8416a  c:\malware\Lab06-02.exe


From the above, we see that 4 out of 53 AV engines think this is malicious. 

Time to dig a little deeper.

Next let's  see if there is/are any identifiable strings in this Lab06-02.exe. For this we will use the sysinternals strings utility.

C:\Malware Analysis Toolkit\SysinternalsSuite>strings.exe c:\malware\Lab06-02.exe | more



From above, we can see a number of Windows Functions are being called.

One of things that is normally done to allow malware to go undetectable is to pack the .exe file. Let's see if this file is packed in any way using PEiD





















From the above, we can say our application is not packed and it was built with Microsoft visual C++ 6.0. In addition, from the subsystem, we can tell it is a Win32 console application as opposed to a GUI application.


Let's use the PEView tool to see what else we can learn about this .exe.

One of the things we identify from above is the date the file was created by the linker. Which seems to be 2011/02/02 Wed 21:29:05 UTC

Let's get another perspective from a different tool. This time, let's use dependency walker.

From the above, we can see a list of Windows DLL and functions associated with them.

In this post we have gathered some information about the file and what it may be doing, without executing the file.

In the next post, we will focus on executing the file to see what it may be trying to do.



References:
http://www.nostarch.com/malware
http://technet.microsoft.com/en-ca/sysinternals/bb842062.aspx
http://md5deep.sourceforge.net
http://www.virustotal.com
http://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml
http://msdn.microsoft.com/en-us/library/windows/desktop/aa446671(v=vs.85).aspx
http://wjradburn.com/software/
http://www.dependencywalker.com

No comments:

Post a Comment