This article describes the steps for a basic static analysis of malware. [STILL DRAFT]
You can submit your sample to a cloud service such as VirusTotal to get a report about it. Be careful: malware authors may be monitoring such services to see whether their malware has been discovered, and an upload also hands the sample to third parties. Searching the service by hash instead of uploading the file avoids both problems.
Get the hash fingerprint of your malware sample. The most common algorithms are MD5, SHA1 and SHA256; record all three, since different sources index samples by different hashes.
On Windows, we can either use HashMyFiles to compute the hash, or use the command line:
with PowerShell:
PS> Get-FileHash Lab01-01.exe -algorithm SHA256
or with the built-in CertUtil utility:
> CertUtil -hashfile Lab01-01.exe SHA256
which itself may be used from within PowerShell to get a nicer output:
PS> $(CertUtil -hashfile Lab01-01.exe SHA256)[1] -replace " ",""
(CertUtil prints a header line, the hash, and a status line; [1] keeps only the hash line, and -replace strips the spaces that older CertUtil versions insert between byte pairs.)
The hash can then be used:
Searching for meaningful strings contained in our sample can reveal a lot of useful information about the malware: file names, URLs, IP addresses, registry keys, imported DLL names and error messages.
On Windows, we can use the strings2 utility:
> strings2 Lab01-01.exe -nh
To search only for ASCII or only for Unicode (UTF-16LE) strings, add the -a or -u flag respectively.
Note that strings2 is also able to dump the strings of a running process's memory address space.
On Linux, we can use the strings utility.
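The hashing and string extraction above, as an added example that is not part of the original article: it records all three hashes, extracts ASCII and UTF-16LE strings the way strings / strings2 -a / -u do, and flags the strings worth reading first. The SAMPLE bytes are constructed for the demo and stand in for a real file; the INTERESTING pattern is my own choice of indicators, not something either tool provides.

```python
import hashlib
import re

# Constructed stand-in for a sample file (not a real binary): an MZ stub,
# an ASCII message, a UTF-16LE DLL name, an ASCII URL and binary noise.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
    + b"http://example.invalid/gate.php\x00"
    + b"ab\x00"  # shorter than the minimum length, so never reported
)


def file_hashes(data: bytes) -> dict:
    """Return the MD5, SHA1 and SHA256 hex digests of the sample."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (0x20-0x7e) of at least min_len bytes,
    the same thing strings / strings2 -a report."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def unicode_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE strings: a printable ASCII byte followed by a NUL, repeated,
    which is how Windows stores wide strings (strings2 -u)."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Indicators worth a second look (my own list): URLs, DLL/EXE names,
# Windows paths, registry hives and dotted-quad IP addresses.
INTERESTING = re.compile(
    r"https?://|\.(?:dll|exe)$|\\|HKEY_|\b\d{1,3}(?:\.\d{1,3}){3}\b",
    re.IGNORECASE,
)


def interesting_strings(strings: list) -> list:
    return [s for s in strings if INTERESTING.search(s)]


def triage(data: bytes) -> dict:
    """One-shot static triage: hashes plus the strings worth reading first."""
    found = ascii_strings(data) + unicode_strings(data)
    return {
        "hashes": file_hashes(data),
        "strings": found,
        "interesting": interesting_strings(found),
    }


if __name__ == "__main__":
    report = triage(SAMPLE)
    for algo, digest in report["hashes"].items():
        print(f"{algo:7}{digest}")
    for s in report["interesting"]:
        print("!!", s)
```

Replace SAMPLE with open("Lab01-01.exe", "rb").read() to run it against a real file. Keep the UTF-16LE pass: a sample that only shows a handful of ASCII strings often carries its URLs and file names as wide strings, which the ASCII-only view silently misses.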
Periodic
upx: check whether the sample is packed with UPX, which leaves section names such as UPX0 and UPX1 in the section table; a UPX-packed file shows very few meaningful strings until it is unpacked (upx -d).
Opening the file with PEview and looking under IMAGE_NT_HEADERS / IMAGE_FILE_HEADER / TimeDateStamp reveals the compilation time. The field is a 32-bit count of seconds since 1970-01-01 UTC written by the linker; treat it as a hint rather than a fact, since it can be zeroed or forged by the author.
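The same walk PEview makes through the headers, as an added example that is not part of the original article: it follows MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER to read TimeDateStamp, then reads the section table to apply the upx check noted above. build_sample_pe constructs a minimal, non-runnable PE image purely so the parser has something to chew on offline; the field layout it writes is the standard one from the PE specification, but the sample values (timestamp, section names) are invented.

```python
import struct
from datetime import datetime, timezone


def build_sample_pe(timestamp: int, section_names: list, opt_size: int = 224) -> bytes:
    """Construct a minimal, non-runnable PE image for the demo: MZ header with
    e_lfanew, PE signature, IMAGE_FILE_HEADER, zeroed optional header and a
    section table. Real samples carry much more, but the walk is the same."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew: offset of "PE\0\0"
    file_header = struct.pack(
        "<HHIIIHH",
        0x14C,               # Machine: IMAGE_FILE_MACHINE_I386
        len(section_names),  # NumberOfSections
        timestamp,           # TimeDateStamp, seconds since 1970-01-01 UTC
        0, 0,                # PointerToSymbolTable, NumberOfSymbols
        opt_size,            # SizeOfOptionalHeader
        0x0102,              # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return bytes(dos) + b"PE\x00\x00" + file_header + bytes(opt_size) + sections


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> IMAGE_FILE_HEADER -> section table,
    the path PEview shows as IMAGE_NT_HEADERS / IMAGE_FILE_HEADER."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4
    if len(data) < fh + 20:
        raise ValueError("truncated IMAGE_FILE_HEADER")
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    sec_table = fh + 20 + opt_size
    if sec_table + 40 * nsections > len(data):
        raise ValueError("section table runs past end of file")
    names = []
    for i in range(nsections):
        (raw,) = struct.unpack_from("<8s", data, sec_table + 40 * i)
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "machine": machine,
        "timestamp": stamp,
        # A zero stamp means the author cleared it; a future one means it was forged.
        "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc) if stamp else None,
        "characteristics": chars,
        "sections": names,
    }


def looks_upx_packed(info: dict) -> bool:
    """UPX leaves its own section names (UPX0, UPX1, ...) unless the author renamed them."""
    return any(name.startswith("UPX") for name in info["sections"])


# Constructed samples: a plain build stamped 2008-01-10 21:20:00 UTC, and the
# same headers as they look after UPX-style packing.
SAMPLE_PE = build_sample_pe(1200000000, [b".text", b".rdata", b".data"])
SAMPLE_PACKED = build_sample_pe(1200000000, [b"UPX0", b"UPX1", b".rsrc"])

if __name__ == "__main__":
    for blob in (SAMPLE_PE, SAMPLE_PACKED):
        info = parse_pe(blob)
        print(info["compile_time"], info["sections"], "UPX?", looks_upx_packed(info))
```

To use it on a real sample, call parse_pe(open("Lab01-01.exe", "rb").read()). The bounds checks matter on malware: a deliberately truncated or oversized NumberOfSections is a cheap way to crash naive parsers, so the code refuses to read past the end of the file rather than trusting the header.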
Notes for sections still to be written:
imported functions
exported functions
compile timestamp
PEview
Resource Hacker (for the resource section)