
Basic Static Analysis (Part 1)

TStillz
11 min read · Nov 19, 2018


As mentioned in my prior post, I’ve found that malware analysis can be grouped into four categories:

  • Basic Static (what this post will cover)
  • Basic Dynamic
  • Advanced Static
  • Advanced Dynamic

Basic Static

When performing basic static analysis, we don’t execute the code or dig into disassembly. The idea is to obtain a quick overview of the structure of the sample and identify any low-hanging fruit. These items can be IPs, domains, hash lookups, or even keywords and phrases that may hint at the sample’s intent or purpose.

To get us started on basic static analysis, we’re going to begin by analyzing a basic Windows 32-bit executable, also known as a “PE” (i.e. Portable Executable) file. Executable files are commonly seen with “.exe” at the end of the file name (assuming Windows is set to show file extensions). By default, Windows doesn’t show extensions. We can change this in Windows 7 by navigating to “Control Panel” -> “View by” -> “Small Icons”, clicking on “Folder Options” -> “View” tab, and unchecking “Hide extensions for known file types”.

With this option unchecked, you can now see the raw file extensions. Now, why does this matter? The images below outline the reason why it’s important:

As you can see, with the Windows default settings the file appeared to have a “.doc” extension; however, after we uncheck “Hide extensions for known file types”, we now see “.doc.exe”. To make things even more confusing, attackers like to use the default “Microsoft Word Document” icon to make the file appear more legitimate. In reality, the file was always an executable. The attacker knows that Windows doesn’t show file extensions by default, so you think you’re opening a Microsoft Word document, but what you actually did was execute a binary. Awesome, right?! The point here is that Windows only cares about extensions so it knows which “handlers” to use when opening a file. For example, Windows files with a “.doc” extension are typically handled by Microsoft Word because Word is registered to that extension, as well as to “.docx”.
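A quick triage check for exactly this trick, as an added example and not code from the original post: it flags a “.doc.exe”-style double extension by name, and separately flags a file whose leading bytes carry the PE signature (“MZ” stub with e_lfanew pointing at “PE\0\0”) while its extension claims it is a document. The header bytes below are constructed for the demonstration, not a real sample, and the extension sets are my own assumptions.

```python
from __future__ import annotations
import struct
from pathlib import PurePath

# Assumed lists: extensions Windows normally hands to a viewer, and ones it hands to the loader.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif"}


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def check_file(name: str, data: bytes) -> list[str]:
    """Return findings for a file name plus its leading bytes (empty list = nothing suspicious)."""
    findings: list[str] = []
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    # Name check: 'invoice.doc.exe' shows as 'invoice.doc' when extensions are hidden.
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTENSIONS and suffixes[-1] in EXECUTABLE_EXTENSIONS:
        findings.append(f"double extension: shown as {suffixes[-2]} but Windows will run it as {suffixes[-1]}")
    # Content check: a PE header under a document extension is an executable regardless of its name.
    if is_pe(data) and (not suffixes or suffixes[-1] in DOCUMENT_EXTENSIONS):
        findings.append("PE header found under a non-executable extension")
    return findings


def make_fake_pe() -> bytes:
    """Constructed minimal header: 'MZ', e_lfanew = 0x40, 'PE\\0\\0' at 0x40. Not a runnable binary."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    samples = [("invoice.doc.exe", make_fake_pe()), ("report.doc", make_fake_pe()), ("notes.txt", b"hello")]
    for fname, head in samples:
        print(fname, "->", check_file(fname, head) or ["no findings"])
```

On a real directory you would pass the first few hundred bytes of each file to check_file; the name check alone is what the hidden-extensions setting hides from a user.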

When it comes to the Windows executable format “PE”, the extension “.exe” is not the only file that uses the PE…
