
2.0 Static Analysis

2.1 Identifies the file type
    2.1.1 Identifies File Type Using Manual Method
    2.1.2 Identifies File Type Using Tools

2.2 Demonstrate Techniques of Static Analysis
    2.2.1 Demonstrate/Perform Fingerprinting of Malware using:
          a. Generating Cryptographic Hash
          b. VirusTotal
    2.2.2 Display Static Analysis using Extracting Strings
    2.2.3 Inspecting PE Header Information

2.3 Display Comparing And Classifying The Malware
    2.3.1 Studies Malware Using Fuzzy Hashing
    2.3.2 Studies Malware Using Import Hash
Static Analysis

Technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts.
Techniques of Static Analysis

Determining the File Type:

• By extension (not really effective)

• Identifying File Type Using Manual Method (checking the file signature using a hex editor): A file signature is a unique sequence of identifying bytes written to a file's header. On a Windows system, a file signature is normally contained within the first 20 bytes of the file.

• Identifying File Type Using Tools: using the "file" command; using CFF Explorer
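The signature check described above, written out as a small Python routine. This is an added example, not code from the slides or from the `file` utility or CFF Explorer: it looks up the leading bytes of a file in a table of well-known magic numbers and, for "MZ" files, follows e_lfanew at offset 0x3C to confirm the PE signature, which is what the tools on the slide do internally. The signature table and the sample files are constructed here, and the extensions in SAMPLES deliberately disagree with the content to show why identification by extension alone is unreliable.

```python
import struct

# Well-known public file signatures (magic bytes at offset 0). The table and
# the sample files below are constructed for this example.
SIGNATURES = [
    (b"\x7fELF", "ELF executable"),
    (b"%PDF-", "PDF document"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive (also the container for DOCX/JAR/APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy Office)"),
    (b"Rar!\x1a\x07", "RAR archive"),
    (b"\x1f\x8b", "gzip compressed data"),
]


def identify(data: bytes) -> str:
    """Describe the file type from its leading bytes; the name/extension is never consulted."""
    # Windows executables start with 'MZ'; the PE signature lives at the offset
    # stored in the little-endian DWORD at 0x3C (IMAGE_DOS_HEADER.e_lfanew).
    if data[:2] == b"MZ":
        if len(data) >= 0x40:
            e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
            if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
                return "PE executable (Windows EXE/DLL/SYS)"
        return "MZ executable (DOS stub only, no PE header found)"
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    return "unknown"


def identify_file(path: str) -> str:
    """Read only the head of the file; e_lfanew is normally well below 4 KiB."""
    with open(path, "rb") as f:
        return identify(f.read(4096))


def build_fake_pe() -> bytes:
    """Construct a minimal MZ header pointing at a 'PE\\0\\0' signature at 0x40."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed samples: the extension deliberately disagrees with the content.
SAMPLES = {
    "invoice.pdf.exe": b"%PDF-1.7\n%constructed sample\n",
    "update.scr": build_fake_pe(),
    "notes.txt": b"just plain text, no magic bytes\n",
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:16} -> {identify(blob)}")
```

identify_file() reads only the first 4 KiB, which is enough for every signature in the table and for the e_lfanew hop in normal binaries; an MZ file whose e_lfanew points past that window is reported as a bare DOS stub rather than guessed at.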
Techniques of Static Analysis

Fingerprinting the Malware:

• Generating Cryptographic Hash (md5sum, sha256sum, sha1sum, etc.)

• Using an online platform to fingerprint (VirusTotal)
Techniques of Static Analysis

Strings: To extract strings from a suspect binary

• strings -a <filename>

Tool: pestudio
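An added Python equivalent of `strings -a`, not part of the slides and not the GNU `strings` or pestudio implementation. It pulls printable ASCII runs and, going beyond the slide's command, also UTF-16LE (wide) strings, which Windows binaries use heavily and which plain `strings` only reports with `-e l`. It then tags strings that look like URLs, IP addresses, registry keys or DLL names, the items an analyst reads first. The sample bytes are constructed (the URL uses the reserved .invalid TLD and the address is a private-range IP).

```python
import re

MIN_LEN = 4  # same default minimum length as the strings utility

# Rough indicator patterns for triage; constructed for this example.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"^(?:HKLM|HKCU|HKEY_\w+|SOFTWARE|SYSTEM)\\", re.I),
    "dll": re.compile(r"\.dll$", re.I),
}


def extract_strings(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, encoding, text) tuples for printable ASCII and UTF-16LE runs."""
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text of ASCII characters looks like "h\0t\0t\0p\0" in the file.
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # by file offset
    return found


def tag_indicators(strings):
    """Group extracted strings by the kind of indicator they look like."""
    tagged = {}
    for _, _, text in strings:
        for label, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(text):
                tagged.setdefault(label, []).append(text)
    return tagged


# Constructed binary-like blob: DOS stub text, a wide URL, an import name,
# a registry autorun path, a too-short string and an IPv4 address.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode.\x00"
    + b"\x01\x02\x03"
    + "http://example.invalid/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe"
    + b"kernel32.dll\x00CreateFileA\x00"
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"ab\x00"
    + b"192.168.56.101\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for offset, encoding, text in strings:
        print(f"{offset:#06x} {encoding:8} {text}")
    for label, items in tag_indicators(strings).items():
        print(f"[{label}] {items}")
```

Keep the minimum length at 4 for a first pass and raise it when the output is noisy; lowering it below 4 mostly produces false positives from code bytes that happen to fall in the printable range.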
Techniques of Static Analysis

Determining File Obfuscation:

• Packers
• Cryptors

Tools: EXEinfo PE
Techniques of Static Analysis

Inspecting PE Header Information

A PE file (such as .exe, .dll, .sys, .ocx, and .drv) is a series of structures and sub-components that contain the information required by the operating system to load it into memory. PE/COFF stands for Portable Executable/Common Object File Format.

Tools: CFF Explorer, pestudio


Techniques of Static Analysis

Inspecting PE Header Information

• Inspecting File Dependencies and Imports: malware frequently depends on the functions exposed by the operating system (OS API ~ DLL, for example kernel32.dll).

• Inspecting Exports: functions exported to be used by other programs.
Structure of PE File (figure: section table and section information, with an example)
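To make the section-table part of the PE header and the packer/cryptor question from the obfuscation slide concrete, here is an added Python example. It is not from the slides and is not the CFF Explorer, pestudio or EXEinfo PE implementation: it walks IMAGE_DOS_HEADER -> PE signature -> COFF header -> section table and computes the Shannon entropy of each section's raw data. Entropy close to 8 bits per byte and an entry point outside .text are the usual first hints that a packer or cryptor was applied. The sample image is constructed in build_sample_pe() with a low-entropy .text section and a high-entropy section named UPX1; it is a header skeleton for parsing only, not a runnable executable.

```python
import hashlib
import math
import struct

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]        # 0x10B = PE32, 0x20B = PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rawsize,
            "characteristics": chars,
            "entropy": round(shannon_entropy(raw), 2),
            "contains_entry_point": vaddr <= entry < vaddr + max(vsize, rawsize),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "entry_point": entry, "sections": sections}


def packing_indicators(info: dict) -> list:
    """Heuristics an analyst checks before deciding that a sample is packed."""
    flags = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            flags.append(f"section {s['name']!r} has entropy {s['entropy']} (compressed or encrypted data)")
        if s["contains_entry_point"] and s["name"] not in (".text", "CODE"):
            flags.append(f"entry point 0x{info['entry_point']:x} lies in section {s['name']!r}, not in .text")
    return flags


def _deterministic_noise(n: int) -> bytes:
    """High-entropy but reproducible filler (chained SHA-256), standing in for packed code."""
    out, block = b"", b"constructed seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed PE32 header skeleton with two sections; not a runnable program."""
    img = bytearray(0x1400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    # COFF header: i386, 2 sections, 0xE0-byte PE32 optional header, EXECUTABLE_IMAGE|32BIT
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    opt = 0x44 + 20
    struct.pack_into("<H", img, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x2000)           # entry point RVA inside UPX1
    table = opt + 0xE0
    struct.pack_into(SECTION_FMT, img, table, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    struct.pack_into(SECTION_FMT, img, table + 40, b"UPX1", 0x1000, 0x2000, 0x1000, 0x400, 0, 0, 0, 0, 0xE0000040)
    img[0x200:0x400] = b"\x90" * 0x100 + b"\xc3" * 0x100    # low-entropy "code"
    img[0x400:0x1400] = _deterministic_noise(0x1000)        # high-entropy "packed" data
    return bytes(img)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for s in info["sections"]:
        print(f"{s['name']:8} RVA=0x{s['virtual_address']:05x} raw={s['raw_size']:#7x} entropy={s['entropy']:.2f}")
    for flag in packing_indicators(info):
        print("indicator:", flag)
```

Entropy alone is not proof of packing: a legitimate .rsrc section full of PNG icons or an embedded certificate also scores high, so read the indicator together with the section names, the entry point location and the import table (a packed binary typically imports very little beyond LoadLibrary/GetProcAddress).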
Techniques of Static Analysis

❖Examining PE Resources

❑ The resources required by the executable file such as icons, menu, dialog, and strings are stored in the resource section (.rsrc) of an executable file.

❑ Tool: Resource Hacker


MD5 CHECKSUM

An MD5 checksum is produced by a mathematical algorithm and is usually written as a set of 32 hexadecimal letters and numbers, computed over a file with a tool.

These values are generated using special tools that employ a "cryptographic hash function producing a 128-bit (16-byte) hash value". It is used not only to check a ZIP archive or an EXE installer but all kinds of files.

You can assign an MD5 sum even to a text or document file. A perfect match of the MD5 checksum value ensures that the digital integrity of the file has not been broken by someone else and that it is an accurate copy of the original file.

https://www.winmd5.com/
5 HASHING TOOLS

• IgorWare Hasher
• HashCheck
• Nirsoft HashMyFiles
• HashTools
• ComputeHash 2.0
SAMPLE WEBPAGES USING HASHING
http://microformats.org/wiki/hash-examples

• Gentoo: as .md5 file on ftp.
• GNOME: as MD5SUMS-for-gz and MD5SUMS-for-bz2 files on ftp.
• http://www.openoffice.org/download/index.html
• GnuPG: SHA-1 on web.
• Apache HTTP Server: in .md5 file from web.
• KDE: on web and on ftp as MD5SUMS file.
• Knoppix: in .md5 and .sha1 file.
• Cisco: MD5 for versions of IOS from Software Center on Cisco website.
• MySQL: MD5 on web.
• OpenOffice.org: MD5 on web.
• Darwin: MD5 on web.
• OpenSSH: SHA-1 in release announcement.
• OpenSSL: .md5 and .sha1 files linked to from web.
• Fedora Project: SHA-1 on web and SHA1SUM file on ftp.
• Perl: link to .md5 on web.
• PostgreSQL: in a .md5 file.
• FreeBSD: on web and in CHECKSUM.MD5 and CHECKSUM.SHA256 files.
• Python: MD5 on web.
• Ubuntu: as MD5SUMS on ftp.
• GCC: on ftp as md5.sum file.
• X.org: md5sums file on ftp.
Question?
In Linux, the md5sum program computes and checks MD5 hash values of a file.
It is a constituent of the GNU Core Utilities package and therefore comes pre-installed on most, if not all, Linux distributions.
Take a look at the contents of /etc/group saved as groups.csv below.
The md5sum command below will generate a hash value for the file as follows:

$ md5sum groups.csv

bc527343c7ffc103111f3a694b004e2f groups.csv

Running the md5sum command again on the file gives a hash value as follows:

$ md5sum groups.csv

bc527343c7ffc103111f3a694b004e2f groups.csv

You will notice that the hash value has now changed, indicating that the contents of the file were altered.
IMPORTANT: md5sum only verifies the file content, not the file name.

The file groups_list.txt is a duplicate of groups.csv, so try to generate the hash values of both files at the same time as follows.

You will see that they both have equal hash values, because they have exactly the same content:

$ md5sum groups_list.txt groups.csv

bc527343c7ffc103111f3a694b004e2f groups_list.txt
bc527343c7ffc103111f3a694b004e2f groups.csv
Let's try on some files:

• Notepad.exe
• Any .exe files you want!
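An added Python example, not from the slides, that reproduces the md5sum walkthrough above and the fingerprinting step (2.2.1) in code: fingerprint() hashes a file in chunks with MD5, SHA-1 and SHA-256 at once (the three sums named on the fingerprinting slide), and verify_checksum_file() checks lines in the "<hexdigest>  <filename>" format that md5sum and sha256sum emit and that `md5sum -c` consumes. demo() writes a constructed excerpt in /etc/group format as groups.csv plus a duplicate groups_list.txt into a temporary directory, shows that the duplicate hashes identically, appends a line to groups.csv and shows the hash change. The file contents and names are constructed here, not the slide's actual files.

```python
import hashlib
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")


def hash_bytes(data: bytes) -> dict:
    """Hash an in-memory buffer with all three algorithms."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def fingerprint(path: str, chunk_size: int = 1 << 16) -> dict:
    """Hash a file in chunks, so it also works for samples larger than memory."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_checksum_file(lines, directory: str, algo: str = "md5") -> dict:
    """Check '<hexdigest>  <filename>' lines (md5sum/sha256sum output) against files in directory."""
    results = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        expected, name = line.split(None, 1)
        name = name.lstrip("*")               # '*' marks binary mode in sha256sum output
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = None              # missing file: neither OK nor FAILED
            continue
        results[name] = fingerprint(path)[algo] == expected.lower()
    return results


def demo() -> dict:
    """Reproduce the slide's md5sum walkthrough on constructed files."""
    # Constructed excerpt in /etc/group format, standing in for the slide's groups.csv.
    content = b"root:x:0:\ndaemon:x:1:\nsudo:x:27:analyst\n"
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "groups.csv")
        duplicate = os.path.join(d, "groups_list.txt")
        for p in (original, duplicate):
            with open(p, "wb") as f:
                f.write(content)
        before = fingerprint(original)["md5"]
        dup_hash = fingerprint(duplicate)["md5"]   # same content, other name -> same hash
        # What `md5sum groups.csv groups_list.txt > MD5SUMS` would have recorded:
        checksum_lines = [f"{before}  groups.csv", f"{before}  groups_list.txt"]
        with open(original, "ab") as f:            # alter the content of one file
            f.write(b"added:x:1337:\n")
        after = fingerprint(original)["md5"]
        verify = verify_checksum_file(checksum_lines, d)   # like `md5sum -c MD5SUMS`
    return {"original": before, "duplicate": dup_hash, "modified": after, "verify": verify}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:10}: {value}")
```

Record all three digests for a sample: MD5 is still what most sharing platforms and older reports key on, but MD5 and SHA-1 collisions are practical, so SHA-256 is the value to rely on when two files must be proven identical.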


Techniques of Static Analysis

❖Comparing And Classifying The Malware

• During your malware investigation, when you come across a malware sample,
you may want to know whether the malware sample belongs to a particular
malware family or if it has characteristics that match with the previously analyzed
samples.

Tool: YARA
Techniques of Static Analysis

❖YARA Rule Basics


✓ Rule identifier

✓ String Definition (optional)

✓ Condition Section
Techniques of Static Analysis:
Examples of YARA rules
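The three parts of a YARA rule listed above (identifier, optional strings, condition) as an added, self-contained Python example; this is not YARA itself and not code from the slides. The Rule class holds the parts, to_yara_source() renders them in real YARA syntax, and scan() evaluates text strings and hex strings with ?? wildcards against a buffer using the "any of them" / "all of them" / "N of them" condition forms. The rule and the two sample buffers are constructed for the example; for real scanning use the yara tool or the yara-python package, which support the full condition language.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    identifier: str                                # 1. rule identifier
    strings: dict = field(default_factory=dict)    # 2. string definitions (optional)
    condition: str = "any of them"                 # 3. condition section
    meta: dict = field(default_factory=dict)


def compile_string(spec: str):
    """Turn a YARA-style string into a bytes regex.
    '{ 4D 5A ?? 00 }' is a hex string where ?? is a one-byte wildcard;
    anything else is treated as a literal ASCII text string."""
    if spec.startswith("{") and spec.endswith("}"):
        parts = []
        for tok in spec[1:-1].split():
            parts.append(b"." if tok == "??" else re.escape(bytes.fromhex(tok)))
        return re.compile(b"".join(parts), re.DOTALL)
    return re.compile(re.escape(spec.encode("ascii")))


def scan(rule: Rule, data: bytes):
    """Return (matched, {string_name: [offsets]}) for one rule over one buffer."""
    hits = {}
    for name, spec in rule.strings.items():
        offsets = [m.start() for m in compile_string(spec).finditer(data)]
        if offsets:
            hits[name] = offsets
    m = re.fullmatch(r"(any|all|\d+) of them", rule.condition.strip())
    if not m:
        raise ValueError(f"unsupported condition: {rule.condition!r}")
    q = m.group(1)
    need = 1 if q == "any" else len(rule.strings) if q == "all" else int(q)
    return len(hits) >= need, hits


def to_yara_source(rule: Rule) -> str:
    """Render the rule in YARA syntax so the three sections are visible."""
    out = [f"rule {rule.identifier}", "{"]
    if rule.meta:
        out.append("    meta:")
        out += [f'        {k} = "{v}"' for k, v in rule.meta.items()]
    if rule.strings:
        out.append("    strings:")
        for name, spec in rule.strings.items():
            rendered = spec if spec.startswith("{") else '"%s"' % spec
            out.append(f"        {name} = {rendered}")
    out += ["    condition:", f"        {rule.condition}", "}"]
    return "\n".join(out)


# Constructed rule: an MZ header (with a wildcard byte), the DOS stub text and
# a UPX packer marker; two of the three must be present.
SAMPLE_RULE = Rule(
    identifier="Constructed_Sample_Rule",
    meta={"description": "constructed example: MZ header plus packer marker"},
    strings={
        "$mz": "{ 4D 5A ?? 00 }",
        "$dos": "This program cannot be run in DOS mode",
        "$upx": "UPX!",
    },
    condition="2 of them",
)

# Constructed buffers: a PE-like header carrying a UPX marker, and a PDF header.
SUSPECT_BLOB = (b"MZ\x90\x00\x03\x00\x00\x00"
                + b"This program cannot be run in DOS mode.\r\n$"
                + b"\x00" * 8 + b"UPX!\r\t")
BENIGN_BLOB = b"%PDF-1.7 nothing to see here"

if __name__ == "__main__":
    print(to_yara_source(SAMPLE_RULE))
    for label, blob in (("suspect", SUSPECT_BLOB), ("benign", BENIGN_BLOB)):
        matched, hits = scan(SAMPLE_RULE, blob)
        print(f"{label}: matched={matched} hits={hits}")
```

The "N of them" condition is what keeps a family rule from firing on every PE file: the MZ header and DOS stub text are present in practically all Windows executables, so a rule whose condition were "any of them" would classify nothing.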
