Malware analysis is a critical process in cybersecurity, enabling analysts to understand malicious software’s behavior, functionality, and objectives. By analyzing malware, cybersecurity professionals can devise effective countermeasures, protect systems, and reduce the risk of future attacks.
There are two primary approaches to malware analysis: static analysis and dynamic analysis. Static analysis involves examining the malicious code without executing it, while dynamic analysis observes the malware’s behavior during execution in a controlled environment. Here, we focus on static malware analysis, which plays a foundational role in malware research and detection.
Static Malware Analysis Steps
- ID Assignment
- File Identification
- Antivirus Scan
- String Analysis
- Protective Mechanism Detection
- PE Structure Verification
- Reverse Engineering
1. ID Assignment
Assigning a unique identifier (ID) to the malware sample is the first organizational step. A cryptographic hash of the file (MD5, SHA-1, or SHA-256) is typically used as that identifier: it lets you look up the file's reputation and confirms that the copy you are analyzing is byte-for-byte the one that was collected. Record SHA-256 as the primary ID; MD5 and SHA-1 are still widely reported, but both are collision-prone, so keep them only for cross-referencing older reports.
Example: Run the following command on Linux to generate a SHA-256 hash:
sha256sum malware_sample.exe
Output:
3a45a7c1f8d2e3a7b15d9e1e1fc8c7e1a3a7e2a8a1c9e3f7c7b1d1e7f7e5d2e8
Two files with different contents will not share a SHA-256 hash in practice, so the hash both identifies the sample and lets you verify that it has not been altered since collection. Keep in mind that changing a single byte changes the whole hash: a repacked or recompiled variant of the same malware gets an entirely different value, so a hash lookup finds known copies, not families.
Here is an image showing that I downloaded a Chrome file and checked its file hash in the Linux terminal:
2. File Identification
Understanding the file type helps predict its functionality. Identifying the file format gives clues about its intended platform and behavior, such as whether it is an executable, script, or document. Identify the type from the file's content (its magic bytes and header structure), not from its extension, because malware is routinely delivered with a misleading or missing extension; the file command works this way, so a renamed .exe is still reported as a PE executable.
Tools:
- Linux file command
- PE Studio for Windows files
Example:
file malware_sample.exe
Output:
malware_sample.exe: PE32 executable (console) Intel 80386, for MS Windows
This confirms the file is a 32-bit (PE32) Windows console executable built for the Intel 80386 architecture. A 64-bit binary is reported as PE32+ with x86-64, and DLLs and drivers are labelled as such, which tells you which tools and which sandbox you will need before going further.
Here is a short video demonstrating one of the file identification methods for better understanding
3. Antivirus Scanning
Scanning the file with antivirus engines helps identify known malware and associated behaviors. This step is useful for quickly determining whether the sample matches existing threat signatures, but a clean result only means that no engine recognized it, not that the file is safe.
Example: Search VirusTotal for the file's hash first. Uploading a sample shares it with every participating vendor and can reveal to the attacker that the file has been discovered, so only upload when the hash is unknown and the sample contains nothing sensitive. Review the results and look for:
- Detection Ratio: How many antivirus engines flagged the file (e.g., 40/60).
- Threat Names: E.g., “Trojan.Generic” or “Ransomware.Lockbit.” Names differ between vendors; a generic or heuristic label carries less information than a family name that several vendors agree on.
The first image shows a file analyzed with VirusTotal. The detection ratio is 0/62, meaning ‘No security vendors flagged this file as malicious’ (the Community Score shown next to it is a separate, user-voted indicator, not the detection count).
The second image shows a malware sample flagged by 67 engines.
Here is a short video that shows the reputation of one of the malware files being checked on VT for reference
4. String Analysis
Extracting readable strings from the binary can reveal important clues, such as embedded URLs, IP addresses, registry keys, file paths, and commands. These strings might indicate network connections or key functionality of the malware. By default the strings command prints only ASCII runs of four or more characters; Windows malware stores many of its strings as UTF-16LE, so run it a second time with -e l (or use a tool that handles both encodings), and raise the minimum length with -n to reduce noise.
Tools:
- strings command on Linux
- BinText for Windows
Example:
strings eicar.exe
strings eicar.exe | grep "http"
Output:
http://malicious-site.com
http://example-command-control.net
These URLs could indicate Command-and-Control (C2) servers used by the malware. Treat them as leads to confirm during dynamic analysis rather than as proof: decoy, dead, and obfuscated URLs are common, and the strings that matter most are often only visible after unpacking.
This video explains a key step in malware analysis: using the strings tool to extract readable text from a file. In this example, the file contains:
eicar_com.zipPK
eicar.comX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*PK
eicar.comPK
eicar_com.zipPK
The strings above are just the zip entry names and the EICAR test signature, a harmless file that every antivirus engine is designed to detect. For real malware, the same technique can reveal important clues like file paths, URLs, or commands. These details are crucial for understanding what the malware does and how it impacts systems.
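The following is an added example, not code from the original post: a small re-implementation of the strings step that also extracts the UTF-16LE strings Windows binaries use, then sifts the output for indicator-like values (URLs, IPv4 addresses, registry keys, Windows paths, and a handful of API names). The indicator regexes, the API list, and the sample bytes it runs on are constructed for this example and are assumptions, not data from the page.

```python
import re
import sys

# Added example (not the original post's code). Regex patterns, the API
# name list and SAMPLE_BLOB are assumptions constructed for illustration.

MIN_LEN = 4  # same default minimum length as the strings command

IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\[^\s\"']+", re.I),
    "path": re.compile(r"[A-Za-z]:\\(?:[^\\\s\"']+\\)*[^\\\s\"']*"),
    # A few APIs commonly associated with injection, hooking and network use.
    "win_api": re.compile(
        r"\b(?:CreateRemoteThread|WriteProcessMemory|VirtualAllocEx|"
        r"SetWindowsHookEx|InternetConnect|URLDownloadToFile|WinExec)\w*"
    ),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) for printable runs of >= min_len chars.

    Mirrors `strings` (ASCII) plus `strings -e l` (UTF-16LE) in one pass.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16", m.group().decode("utf-16le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def _valid_ipv4(text: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def find_iocs(data: bytes, min_len: int = MIN_LEN):
    """Classify extracted strings into indicator categories (sorted, de-duplicated)."""
    hits = {category: set() for category in IOC_PATTERNS}
    for _offset, _encoding, text in extract_strings(data, min_len):
        for category, pattern in IOC_PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group()
                if category == "ipv4" and not _valid_ipv4(value):
                    continue  # e.g. 999.1.1.1 looks like an IP but is not one
                hits[category].add(value)
    return {category: sorted(values) for category, values in hits.items()}


# Constructed sample: a fake PE-like blob with a few planted indicators,
# including one UTF-16LE path that plain `strings` would miss.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + b"http://example-command-control.net/gate.php\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16le") + b"\x00\x00"
    + b"\x01\x02\x03" + b"192.168.0.10\x00"
    + b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"SetWindowsHookExA\x00CreateRemoteThread\x00"
    + b"999.1.1.1\x00" + b"\xff\xfe" * 10
)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for offset, encoding, text in extract_strings(blob):
        print(f"{offset:#010x} {encoding:5} {text}")
    for category, values in find_iocs(blob).items():
        if values:
            print(f"[{category}] " + ", ".join(values))
```

Run it as python strings_iocs.py sample.bin to scan a real file, or with no argument to see the constructed blob; the IPv4 validator is there because a bare dotted-quad regex also matches version strings and malformed addresses.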
5. Protective Mechanism Identification
Malware often uses packing or encryption to hide from antivirus programs and make it harder to study. Unpacking the malware allows you to see its original code and understand how it works.
This process is important because it helps find clues about the malware’s behavior and creates better ways to detect and stop it. Always work in a safe, isolated environment to avoid risks while analyzing malware.
Tools:
- PEiD for packer detection (signature-based and no longer maintained; Detect It Easy is a maintained alternative)
- UPX for unpacking
Example: PEiD identifies UPX packing. Unpack it with the upx tool, writing to a new file so the original sample stays intact:
upx -d -o malware_sample_unpacked.exe malware_sample.exe
This step reveals the original, unpacked file for further analysis. It only works when the file was packed with an unmodified UPX; malware authors often alter the UPX headers or section names so that upx -d refuses the file, in which case the sample has to be unpacked manually (run it in a sandbox until it reaches the original entry point and dump the process from memory). High per-section entropy is a packer-independent sign that compression or encryption is present, whatever signature tools report.
For a better understanding, please refer to the video linked below, where I demonstrated this process live, showcasing the commands and their respective outputs.
6. PE Structure Verification
Portable Executable (PE) files form the core of Windows applications and processes. By examining their structure, you can uncover anomalies that may signal malicious intent. In this blog, we’ll dive into PE structure verification, highlight some commonly used tools, and provide an example analysis. Lastly, we’ll guide you through a lab exercise to enhance your skills.
PE files are the format for executables, object code, and DLLs in Windows. They contain essential metadata and sections that the operating system needs to load and run programs. Verifying their structure can help detect irregularities often associated with malware.
Analyzing the PE structure is a critical step in malware analysis and threat hunting. Hackers often manipulate PE files to bypass security mechanisms or inject malicious code. By spotting unusual patterns or discrepancies in the file’s sections, imports, or metadata, analysts can identify potentially harmful files.
Tools:
- PE Studio
- CFF Explorer
Example: Analyzing the file with PE Studio shows:
- Suspicious Sections: the .text section is unusually large relative to the code it holds, a section's size on disk is far smaller than its size in memory (or zero), a section is both writable and executable, or a section's entropy is close to 8 bits per byte. All of these point to code that is decompressed or decrypted at run time.
- Suspicious Imports: Functions like CreateRemoteThread and InternetConnect indicate potential malicious activity (process injection and network access), although legitimate software uses them too. A very short import table, with the real API names resolved at run time through LoadLibrary and GetProcAddress, is itself a warning sign.
7. Reverse Engineering
Reverse engineering means breaking down and analyzing malware code to understand how it works and what it’s designed to do. This process helps uncover hidden features, like secret malicious actions, or tricks the malware uses to avoid detection. By studying the code, experts can figure out its purpose, the harm it can cause, and who or what it’s targeting.
Because reverse engineering is a big and detailed topic, we’ll cover it in a separate blog. In that blog, we’ll explain it step-by-step, provide examples, and include lab references to make it easier to learn and practice.
Tools:
- IDA Pro
- Ghidra
Example: Using IDA Pro, you find:
- Hardcoded IPs: 192.168.0.10
- Behavior: Keylogging via SetWindowsHookEx and exfiltration via HTTP POST requests.
Note: PE structure analysis and Reverse engineering are essential pillars of static malware analysis. In our next blog, we will provide a detailed explanation of these processes.