Static and Dynamic Malware Analysis


Basic Static-Dynamic Malware Analysis

Malware analysis is the process of understanding the behaviour and purpose of a suspicious file or URL. The output of the analysis aids in the detection and mitigation of the potential threat.

Malware Sample

MD5: 1d8562c0adcaee734d63f7baaca02f7c

SHA256: 92730427321a1c4ccfc0d0580834daef98121efa9bb8963da332bfd6cf1fda8a

Basic Static Analysis

Hashing Malware Sample

  • Getting the file hash is an important part of static analysis. We will use this hash to check the reputation of the binary on multiple automated sandboxes and scanners such as VirusTotal.


Malware Repositories

  • The very first technique in static analysis is to upload the suspicious executable, or its hash, to VirusTotal, which runs the executable against several AV engines and reports the result. For example, the report for this file shows a detection ratio of 46 out of 70.

  • As the VirusTotal output shows, multiple AV solutions detected our sample as a Trojan.


String Analysis

  • Searching through the strings can be a simple way to get hints about the functionality of a program. For example, if the program accesses a URL, you will see that URL stored as a string in the program.

  • The following strings were extracted from the malicious executable using the FLOSS tool. As we can see, they provide useful information such as a URL, a file path and commands.

C:\Users\Windows\Desktop
λ floss Malware.exe
FLOSS static Unicode strings
jjjj
cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"
http://ssl-6582datamanager.helpdeskbros.local/favicon.ico
C:\Users\Public\Documents\CR433101.dat.exe
Mozilla/5.0
http://huskyhacks.dev
ping 1.1.1.1 -n 1 -w 3000 > Nul & C:\Users\Public\Documents\CR433101.dat.exe
open

FLOSS decoded 0 strings

FLOSS extracted 2 stackstrings
<2_/
ineIGenu

Finished execution after 0.875000 seconds

  • Based on the above strings, we can assume that the malware connects to an external URL to download a file.
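To make the string-triage step concrete, here is an added example (not part of the original write-up, and not FLOSS's own code) that does the static part of what FLOSS does: it carves printable ASCII and UTF-16LE runs out of a byte buffer and buckets them into the indicator types the write-up calls out (URL, file path, command, user agent). The categories and the sample buffer, which embeds strings from the FLOSS output above between constructed junk bytes, are this example's own assumptions.

```python
import re
from typing import Dict, Iterator, List

MIN_LEN = 5  # minimum run length, the same default as the classic `strings` tool


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield runs of printable ASCII bytes at least min_len long (narrow strings)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def utf16le_strings(data: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield runs of printable UTF-16LE characters (the wide strings Windows APIs use)."""
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16le")


# Indicator categories an analyst wants first; the patterns are this example's own choice.
CATEGORIES = [
    ("url", re.compile(r"^(?:https?|ftp)://", re.I)),
    ("file_path", re.compile(r"^[A-Za-z]:\\")),
    ("user_agent", re.compile(r"^Mozilla/")),
    ("command", re.compile(r"(?:^|\s)(?:cmd\.exe|powershell|ping|del)\b", re.I)),
]


def classify(s: str) -> str:
    """Return the first matching category name, or "other"."""
    for label, pattern in CATEGORIES:
        if pattern.search(s):
            return label
    return "other"


def triage_strings(data: bytes, min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Extract narrow and wide strings, de-duplicate them and bucket them by category."""
    buckets: Dict[str, List[str]] = {}
    seen = set()
    for s in list(ascii_strings(data, min_len)) + list(utf16le_strings(data, min_len)):
        if s in seen:
            continue
        seen.add(s)
        buckets.setdefault(classify(s), []).append(s)
    return buckets


def build_sample_blob() -> bytes:
    """Constructed stand-in for a binary: junk bytes around strings taken from the
    FLOSS output above, some stored narrow and some stored as UTF-16LE."""
    junk = bytes([0x00, 0x8B, 0x45, 0xFC, 0xFF, 0x15, 0x01, 0x02])
    parts = [
        junk,
        b'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"', junk,
        "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico".encode("utf-16le"), junk,
        "C:\\Users\\Public\\Documents\\CR433101.dat.exe".encode("utf-16le"), junk,
        b"Mozilla/5.0", junk,
        b"jjjj", junk,   # below MIN_LEN, so it is dropped, like the short junk in the FLOSS output
        b"open", junk,   # also too short; raise the threshold further and real hints vanish too
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for category, values in triage_strings(build_sample_blob()).items():
        print(category)
        for v in values:
            print("   ", v)
```

Note that the wide-string pass matters for Windows samples: the URL and the drop path above are only found by the UTF-16LE scan, which a plain `strings` run without `-el` would miss.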

Information Gathering Using the PEView Tool

  • The PE file format is used by Windows executables, DLLs, etc. It contains the information the Windows loader needs to run the code. While examining PE files, we can analyse which functions are imported and exported and what type of linking is used, i.e. runtime, static or dynamic.

  • Below are some important sections from our malware file.

DOS Header

  • Every PE file starts with a 64-byte structure called the DOS header; it is what makes the PE file a valid MS-DOS executable.


File Header

  • The File Header holds information about the PE file, such as its creation time, file size, etc.


Section Header

  • Sections are where the file's actual contents are stored. These include data and resources that the program uses, as well as the program's actual code. There are several sections, each with its own purpose:

  • .text: This contains the executable code.

  • .rdata: This section holds read-only, globally accessible data.

  • .data: Stores global data accessed through the program.

  • .rsrc: This section stores resources needed by the executable.


Import Address Table

  • The Import Address Table is the part of a Windows module (executable or DLL) that records the addresses of functions imported from other DLLs.

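Added example (not from the original post, and a hand-rolled parser rather than PEView's) that reads the structures walked above, the DOS header, the COFF file header and the section table, directly from the bytes with struct, and then applies two triage checks an analyst would run on the section table. The sample image is constructed in build_sample_pe() and carries only headers; its .stub section and flags are invented to trigger the checks.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

MACHINE_TYPES = {0x014C: "i386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe_headers(data: bytes) -> Dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature: not a DOS/PE executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # DOS header field pointing at "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    (machine, num_sections, stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, fh)
    sec_table = fh + 20 + opt_size   # section headers follow the optional header
    sections: List[Dict] = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr, _reloc, _lines,
         _nreloc, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", data, sec_table + i * 40)
        perms = "".join(ch for ch, bit in (("r", IMAGE_SCN_MEM_READ), ("w", IMAGE_SCN_MEM_WRITE),
                                           ("x", IMAGE_SCN_MEM_EXECUTE)) if flags & bit)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_offset": raw_ptr, "raw_size": raw_size,
            "perms": perms, "code": bool(flags & IMAGE_SCN_CNT_CODE),
        })
    return {
        "machine": MACHINE_TYPES.get(machine, hex(machine)),
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "sections": sections,
    }


def suspicious_sections(headers: Dict) -> List[str]:
    """Two classic triage heuristics: W+X sections, and sections that are empty on disk
    but sized in memory (a packer stub unpacks into them at runtime)."""
    findings = []
    for s in headers["sections"]:
        if "w" in s["perms"] and "x" in s["perms"]:
            findings.append(f'{s["name"]}: writable+executable')
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f'{s["name"]}: empty on disk, filled at runtime')
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE image (headers only, no code) to exercise the parser:
    .text/.rdata/.data as in the PEView screenshots, plus a W+X section invented here."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)              # e_lfanew
    stub = bytes(0x80 - 64)                              # DOS stub padding
    file_header = struct.pack("<HHIIIHH", 0x014C, 4, 1609459200, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)           # PE32 magic; the rest is left zero
    layout = [
        (b".text",  0x1000, 0x1000, 0x1000, 0x0400, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rdata", 0x0800, 0x2000, 0x0800, 0x1400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".data",  0x0400, 0x3000, 0x0200, 0x1C00, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        (b".stub",  0x2000, 0x4000, 0x0000, 0x0000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, rp, fl in layout)
    return bytes(dos) + stub + b"PE\0\0" + file_header + bytes(optional) + table


if __name__ == "__main__":
    hdr = parse_pe_headers(build_sample_pe())
    print(hdr["machine"], hdr["timestamp"])
    for s in hdr["sections"]:
        print(f'{s["name"]:8} va={s["virtual_address"]:#07x} raw={s["raw_size"]:#07x} {s["perms"]}')
    print(suspicious_sections(hdr))
```

The parser deliberately skips the optional header by its declared size rather than assuming PE32 or PE32+, so the same code reaches the section table for both; for a real sample you would read the file bytes and pass them in instead of calling build_sample_pe().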

Information Gathering Using the PeStudio Tool

  • PeStudio is used to check for suspicious artifacts within executable files in order to speed up the initial malware assessment. It extracts the imports, exports, strings, resources, indicators, groups, and thresholds from the malware file.

  • This tool also shows MITRE ATT&CK indicators associated with the imports and retrieves the VirusTotal detection ratio.

  • The PeStudio result for our malware file is shown below.

[screenshots: PeStudio results for the malware file]

Identifying Malware Capabilities Using the capa Tool

  • Capa is a program that detects malicious capabilities in suspicious programs by using a set of rules. These rules are meant to be as high-level and human readable as possible. For example, Capa will examine a binary, identify an API call or string of interest, and match this piece of information against a rule that is called “receive data” or “connect to a URL”. It translates the technical information in a binary into a simple, human-readable piece of information.

capa <file path>\<file name>

[screenshot: capa output]

  • Capa has examined the binary, pulled out interesting information from it, matched that against its default rule set, and mapped some suspected capabilities to items from the MITRE ATT&CK Framework. This time, we don't have much to go on: we get a match for the ATT&CK item "T1129 - Shared Modules".

  • Let’s run Capa one more time with a double verbose output.

capa <file path>\<file name> -vv

[screenshot: capa verbose output]

  • The output for the "download URL to file" rule indicates that it triggers when the urlmon.URLDownloadToFile API call is found in the binary. Capa has identified this API call, shows the location in the binary where it is called, and gives some examples of where this kind of malware behaviour has been seen before.
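Added example (this is not capa's code or its rule syntax) of the matching idea described above: a handful of constructed human-readable rules, each tying imported APIs and string fragments to a capability name and an ATT&CK technique, applied to an import list and the strings from the FLOSS output. Only URLDownloadToFileW is confirmed by the write-up; the other imports, the rules themselves and the rule-to-technique mapping are assumptions made for the example.

```python
from typing import Dict, List

# Constructed rules in the spirit of capa's human-readable rule set. A rule fires when every
# listed API is imported and every listed substring occurs in some string. ATT&CK IDs come
# from the public framework; the rule-to-technique mapping is this example's own.
RULES: List[Dict] = [
    {"name": "download URL to file", "attack": "T1105 Ingress Tool Transfer",
     "api": ["URLDownloadToFile"], "strings": ["http://"]},
    {"name": "link function at runtime", "attack": "T1129 Shared Modules",
     "api": ["LoadLibrary", "GetProcAddress"], "strings": []},
    {"name": "self delete via cmd.exe", "attack": "T1070.004 File Deletion",
     "api": [], "strings": ["cmd.exe /C", "Del /f"]},
    {"name": "persist via Run key", "attack": "T1547.001 Registry Run Keys",
     "api": [], "strings": ["CurrentVersion\\Run"]},
]


def normalize_api(name: str) -> str:
    """'urlmon.URLDownloadToFileW' -> 'urldownloadtofile': drop the module prefix and the
    ANSI/Unicode suffix so that one rule covers both the A and the W variant."""
    base = name.rsplit(".", 1)[-1]
    if len(base) > 1 and base[-1] in "AW" and base[-2].islower():
        base = base[:-1]
    return base.lower()


def match_rules(imports: List[str], strings: List[str], rules: List[Dict] = RULES) -> List[Dict]:
    """Return the rules that fire, each with the imports and strings that triggered it."""
    hits = []
    for rule in rules:
        wanted = {a.lower() for a in rule["api"]}
        api_evidence = [i for i in imports if normalize_api(i) in wanted]
        str_evidence = [s for s in strings
                        if any(n.lower() in s.lower() for n in rule["strings"])]
        apis_ok = wanted <= {normalize_api(i) for i in api_evidence}
        strs_ok = all(any(n.lower() in s.lower() for s in strings) for n in rule["strings"])
        if apis_ok and strs_ok:
            hits.append({"rule": rule["name"], "attack": rule["attack"],
                         "evidence": api_evidence + str_evidence})
    return hits


# Constructed input. Only URLDownloadToFileW is confirmed by the write-up above; the other
# imports are typical entries placed here to exercise the rules.
SAMPLE_IMPORTS = ["urlmon.URLDownloadToFileW", "kernel32.LoadLibraryA",
                  "kernel32.GetProcAddress", "shell32.ShellExecuteW", "kernel32.ExitProcess"]
SAMPLE_STRINGS = [
    'cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "%s"',
    "http://ssl-6582datamanager.helpdeskbros.local/favicon.ico",
    "C:\\Users\\Public\\Documents\\CR433101.dat.exe",
    "Mozilla/5.0",
    "http://huskyhacks.dev",
    "open",
]

if __name__ == "__main__":
    for hit in match_rules(SAMPLE_IMPORTS, SAMPLE_STRINGS):
        print(f'{hit["rule"]:28} {hit["attack"]}')
        for e in hit["evidence"]:
            print("    ", e)
```

The evidence list is the part that makes such output useful in a report: a capability name alone is a claim, the import and the string that fired it are what the next analyst can verify in the binary.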

Basic Dynamic Analysis

  • During dynamic analysis, we run the malware in an isolated sandbox environment. We use the tools INetSim, Wireshark and Procmon to observe the malware's behaviour after execution and to collect host- and network-based indicators.

  • Because we assumed from our static analysis output that the malware would attempt to connect to an external domain, we configured INetSim and Wireshark on our REMnux host to capture network-based indicators.


  • After execution, the malware connected to http[:]//ssl-6582datamanager[.]helpdeskbros[.]local/favicon[.]ico.


  • We found the file path in our string output and the function URLDownloadToFileW in the Import Address Table, so I checked the file-creation events in Procmon and found that a file was created at C:\Users\Public\Documents\CR433101.dat.exe.

  • This is the second stage payload downloaded by malware from the C2 server.


  • After execution, the malware checks whether the URL exists or not, and if not, it deletes itself from the disk:

cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Public\Documents\CR433101.dat.exe"
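Added example (not the author's procedure and not a Procmon feature) of turning the Procmon observations above into repeatable checks: it reads a Procmon CSV export and flags executables created in user-writable paths, ping-then-del child commands, and files that were dropped and then deleted during the run. The CSV rows are constructed to mirror the events described above; the column names follow Procmon's CSV export, which is an assumption here.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed Procmon-style CSV export. The column names are the ones Procmon writes
# when saving as CSV (assumed here); the rows are made up to mirror the run described above.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","Malware.exe","4120","CreateFile","C:\Windows\System32\urlmon.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse, Disposition: Open, OpenResult: Opened"
"10:01:03.2234567 AM","Malware.exe","4120","CreateFile","C:\Users\Public\Documents\CR433101.dat.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, OpenResult: Created"
"10:01:03.3234567 AM","Malware.exe","4120","WriteFile","C:\Users\Public\Documents\CR433101.dat.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:04.4234567 AM","Malware.exe","4120","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 4388, Command line: cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q ""C:\Users\Public\Documents\CR433101.dat.exe"""
"10:01:07.5234567 AM","cmd.exe","4388","SetDispositionInformationFile","C:\Users\Public\Documents\CR433101.dat.exe","SUCCESS","Delete: True"
'''

EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".ps1", ".vbs", ".js")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

_CMDLINE = re.compile(r"Command line:\s*(.*)$")
_DEL_TARGET = re.compile(r'\bdel\b[^"&]*"([^"]+)"', re.I)


def load_procmon_csv(text: str) -> List[Dict[str, str]]:
    """Parse the export; csv handles the doubled quotes Procmon uses inside fields."""
    return list(csv.DictReader(io.StringIO(text)))


def dropped_executables(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Host indicator: a new executable created in a user-writable location."""
    hits = []
    for r in rows:
        if r["Operation"] != "CreateFile" or "OpenResult: Created" not in r["Detail"]:
            continue
        p = r["Path"].lower()
        if p.startswith(USER_WRITABLE) and p.endswith(EXEC_EXT):
            hits.append({"process": r["Process Name"], "pid": r["PID"], "path": r["Path"]})
    return hits


def delayed_delete_commands(rows: List[Dict[str, str]]) -> List[Dict]:
    """Host indicator: a child shell that pings to wait, then deletes a file, which is
    the clean-up pattern seen in the strings above."""
    hits = []
    for r in rows:
        if r["Operation"] != "Process Create":
            continue
        m = _CMDLINE.search(r["Detail"])
        if not m:
            continue
        cmdline = m.group(1)
        if "ping" in cmdline.lower() and re.search(r"\bdel\b", cmdline, re.I):
            t = _DEL_TARGET.search(cmdline)
            hits.append({"parent": r["Process Name"], "command": cmdline,
                         "target": t.group(1) if t else None})
    return hits


def deleted_paths(rows: List[Dict[str, str]]) -> List[str]:
    """Files the run marked for deletion (Procmon shows this as SetDispositionInformationFile)."""
    return [r["Path"] for r in rows
            if r["Operation"] == "SetDispositionInformationFile" and "Delete: True" in r["Detail"]]


def staged_and_removed(rows: List[Dict[str, str]]) -> List[str]:
    """Correlate drops with deletions: payloads that existed only briefly during the run and
    would be missed by looking at what is left on disk afterwards."""
    dropped = {h["path"].lower() for h in dropped_executables(rows)}
    return sorted({p for p in deleted_paths(rows) if p.lower() in dropped})


if __name__ == "__main__":
    rows = load_procmon_csv(SAMPLE_PROCMON_CSV)
    print("dropped:", dropped_executables(rows))
    print("delayed delete:", delayed_delete_commands(rows))
    print("staged and removed:", staged_and_removed(rows))
```

Run it against a real export by replacing SAMPLE_PROCMON_CSV with the contents of the saved CSV; the Process Create check relies on the "Command line:" text in the Detail column, so filter Procmon to include process events before saving.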


Malware Execution Flow

[figure: malware execution flow diagram]
