SBM Labs

Cyber Security Collaboration Project

Malware. Basic Static Analysis. Part 1.
12 Sep 2015

Let's look at basic static malware analysis. The technique described below is useful when you have found an unknown executable on a host that is behaving strangely, but your antivirus software has not reported a threat. Following these steps you can triage the file quickly, without running it, and decide whether the risk needs to be mitigated.

1. Check the file with several antivirus engines.

The easiest and fastest way is to upload the file to VirusTotal. Keep in mind that an uploaded sample is shared with the participating vendors, so if the file may contain confidential data, search by its hash first (step 2) instead of uploading it.

You should also send the file to your antivirus vendor's laboratory.

2. Hash search.

First of all, calculate the hashes of the file (MD5, SHA-1 and SHA-256; different sources index different ones).

Then search for the hash in the sources available to you: a web search engine, VirusTotal, or the databases of malware analysts. A hit tells you immediately whether the file is already known and what others have found out about it.

3. Strings search.

Strings search lets you find hostnames, IP addresses, URLs, registry keys, messages and other useful information inside the file. These artefacts can then be turned into HIPS and IDS/IPS signatures.

You can use the Strings utility (Windows Sysinternals) for this. Search for both ASCII and Unicode (UTF-16) strings, since Windows executables use both.

Remember that malware authors can use packers and obfuscators. In that case a strings search returns few meaningful results. But at least you will usually see the LoadLibrary and GetProcAddress functions: a packed executable typically imports little else and uses these two to resolve its real imports at run time. A nearly empty import table built around these two functions is one indicator of packing, although legitimate programs use them too, so treat it as a hint rather than proof.

You can use the PEiD (PE iDentifier) utility to get the packer name. PEiD relies on a signature database, so an unknown or modified packer will not be identified; in that case look at the PE section table yourself. Non-standard section names (UPX0 and UPX1, for example), a section that is empty on disk but large in memory, and sections whose data has very high entropy are typical signs of packing or encryption.
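When PEiD has no signature for the packer, the section-table check described above can be done by hand. The script below is an added example (not PEiD's code, and not part of the original post): it parses the section headers of a PE file with the standard library only, computes the Shannon entropy of each section, and flags the heuristics just mentioned. The two PE files it analyses are constructed in the script itself, one that looks like an ordinary compiler output and one shaped like a UPX-packed file; the section layout, the 7.0 entropy threshold and the list of "standard" section names are the author's assumptions, not PE specification constants.

```python
import hashlib
import math
import struct
from collections import Counter

SECTION_FMT = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
# Section names commonly emitted by compilers/linkers (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".pdata", ".xdata", ".CRT"}
HIGH_ENTROPY = 7.0                    # bits per byte; assumed threshold


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Read the section table via the DOS header's e_lfanew pointer."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)      # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(num_sections):
        name, vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def analyse(pe: bytes) -> dict:
    """Per-section entropy plus packer heuristics; returns a report dict."""
    report = {"sections": [], "packer_hint": None, "likely_packed": False}
    for s in parse_sections(pe):
        data = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        entropy = round(shannon_entropy(data), 2)
        flags = []
        if entropy >= HIGH_ENTROPY:
            flags.append("high-entropy")           # compressed/encrypted payload
        if s["name"] not in STANDARD_SECTIONS:
            flags.append("nonstandard-name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append("empty-on-disk")          # room reserved for the unpacked code
        if s["name"].upper().startswith("UPX"):
            report["packer_hint"] = "UPX"          # the one name-based signature kept here
        # .bss is legitimately empty on disk, so only an unusual name + empty section counts.
        if "high-entropy" in flags or ("nonstandard-name" in flags and "empty-on-disk" in flags):
            report["likely_packed"] = True
        report["sections"].append({**s, "entropy": entropy, "flags": flags})
    return report


# ---- constructed test files (not real binaries) ------------------------------
def _align(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def _pseudo_random(n: int, seed: bytes = b"seed") -> bytes:
    """Deterministic high-entropy filler via a SHA-256 chain."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


def build_pe(sections: list) -> bytes:
    """Minimal PE32 image: DOS stub, COFF header, zeroed optional header, section table, bodies."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    hdr_end = _align(e_lfanew + 4 + 20 + opt_size + 40 * len(sections), file_align)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    headers, bodies, raw_ptr, va = b"", b"", hdr_end, 0x1000
    for name, raw, vsize in sections:
        padded = raw + b"\0" * (_align(len(raw), file_align) - len(raw))
        headers += struct.pack(SECTION_FMT, name, vsize, va, len(padded),
                               raw_ptr if padded else 0, 0, 0, 0, 0, 0x60000020)
        bodies += padded
        raw_ptr += len(padded)
        va += _align(max(vsize, len(padded)), 0x1000)
    image = dos + b"PE\0\0" + coff + opt + headers
    return image + b"\0" * (hdr_end - len(image)) + bodies


CLEAN_PE = build_pe([(b".text", b"\x55\x8b\xec\x83\xec\x10\x90\xc3" * 256, 2048),
                     (b".data", b"Hello, world\0" * 40, 520)])
PACKED_PE = build_pe([(b"UPX0", b"", 0x10000),
                      (b"UPX1", _pseudo_random(4096), 4096),
                      (b".rsrc", b"\0" * 64, 64)])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        r = analyse(pe)
        print(label, "packed:", r["likely_packed"], "hint:", r["packer_hint"])
        for s in r["sections"]:
            print(f"  {s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']:<5} {s['flags']}")
```

To analyse a real file pass `open(path, "rb").read()` to `analyse`. The entropy rule also fires on legitimately compressed data such as embedded images or installers in `.rsrc`, so read the section names alongside the numbers before concluding that the whole file is packed.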
