Lab 2 - Analysis Lab: Static Analysis Tools
In this lab, you will use static analysis tools in both your Windows and Linux virtual machines to examine malware samples of interest while the binary is "at rest" on the disk and not being executed.
Pre-Lab
Follow the Virtual Machine setup instructions for the Windows virtual machine.
SNAPSHOT SNAPSHOT SNAPSHOT!
Before proceeding further, take a snapshot of your fresh, non-infected Windows virtual machine and give it a clear label so that you can restore it later when needed.
Malware Samples
Go to the course Canvas site and download 4 samples from the Lab 2 Assignment into your Windows or Linux virtual machine as needed depending on the tools specified below. Unzip the files with password 'malware'.
Deliverables
Create a PDF document that provides the requested information for each tool below. Copy and Paste the table structure so all submissions have roughly-similar formatting for grading. Upload to the Lab 2 Assignment on Canvas when finished.
Tool 1 - PEStudio (Windows VM)
PEStudio (from https://www.winitor.com/index.html) is a great tool for initial assessment of an unknown piece of software. It can quickly show you many pieces of useful information, such as:
- What indicators might potentially indicate this file is malware?
- Does VirusTotal and its AV scanners think it's malware?
- What code sections exist in the binary?
- What is their entropy? (might indicate compressed code).
- Are any code sections suspiciously marked as read-write-execute? Perhaps malware will unpack a payload there.
- Are the section names abnormal or unique in any way?
- What resources does the binary contain? Do any items in the resource section match common file types? (EXE, DLL, ZIP, JAR, etc...)
- Does the binary use Structured Exception Handling (SEH)?
- What system libraries does the binary import?
- Which of those are commonly used in malware?
- Is there a suspicious lack of system calls?
- What strings (ASCII and UNICODE) exist in the file?
- Are any strings suspicious?
- Is there a suspicious lack of any strings at all?
For additional information on the capabilities of PEStudio, see PeStudio Standard.
Populate the following table using information from PEStudio:
| Question | Answer for binary1.exe |
Answer for binary2.exe |
|---|---|---|
| Is this a 32-bit or 64-bit PE executable? | ||
| What level 1 or level 2 indicators did PEStudio identify in this file? | ||
| How many A/V scanners flagged this file as malware? | ||
| Can this program be run in DOS mode? ;-) | ||
| What sections exist? (name, writeable, executable) | ||
| What libraries are imported? (name) | ||
| What functions are imported from the libraries? (name, maximum of 10) | ||
| Are the libraries or functions imported suspicious in any way? | ||
| Are there any interesting strings? Or anything interesting about the strings? |
Tool 2 - HxD (Windows VM)
HxD (from https://mh-nexus.de/en/hxd/) is a hex editor that can be used to view, edit, and compare binary files.
Populate the following table using information from HxD:
| Question | Answer for binary1.exe |
Answer for binary2.exe |
|---|---|---|
| What are the first two bytes of the file? | ||
| What string starts at byte offset 4E in the file? Tip: This is a very memorable string! Find the line near the top starting at address 0x40, and count bytes to the right: 0x41, 0x42, .... until you reach 0x4E and the start of the string. Look right to see the corresponding decoded ASCII string for those bytes. |
Additional Questions:
| Question | Answer |
|---|---|
| What is this at the very beginning of these two files, and indeed all PE files, anyway? (You may refer to PE Format from the MSDN library or A closer look at Portable Executable MS-DOS Stub) |
|
| Search for the meaning of the first two bytes of each file - Why were those bytes chosen out of all possible values? |
Tool 3 - BinText (Windows VM)
BinText (from http://b2b-download.mcafee.com/products/tools/foundstone/bintext303.zip) is a graphical Unicode and ASCII string extractor that is more configurable than the basic string extractor found in PEStudio. You can start your analysis with the default settings (with a generous interpretation of 'string') and then selectively narrow your search in hopes of identifying useful strings in the noise.
Configure BinText (via the 'Filter' tab) to only show strings with the characters A-Z, a-z, 0-9, <space>, _, and answer the following questions:
| Question | Answer for binary1.exe |
Answer for binary2.exe |
|---|---|---|
| How many ASCII strings were found? | ||
| How many UNICODE strings were found? | ||
At what address in memory (after the program is loaded by the OS) could the string VirtualAlloc be found?Tip: The search feature in BinText isn't successful at finding VirtualAlloc. A bug? You can, however, use the search in HxD, locate the string of interest, look at its approximate byte offset into the file, and simply scroll to that same byte offset in the BinText window. |
Tool 4 - Signsrch (REMnux VM)
Signsrch (from http://aluigi.altervista.org/mytoolz.htm) is a tool to scan a binary for evidence of anti-debugging code or compression/encryption algorithms. Note that this tool, in theory, can detect new implementations of key algorithms - it is not simply scanning for existing libraries being instantiated in the code.
Run Signsrch (at the command-line) and answer the following questions:
| Question | Answer for binary3.exe |
Answer for binary4.exe |
|---|---|---|
| What compression algorithm is detected in the code? | N/A | |
| What function call is characteristic of malware anti-reverse engineering code? | N/A | |
| What existing Windows library cryptography functions are used? | N/A |
Tool 5 - Portex (REMnux VM)
Portex (from https://github.com/katjahahn/PortEx) is a command-line tool to scan PE files, with a similar set of features to PEStudio.
Run portex (at the command-line) and answer the following questions for the binary3.exe file:
| Question | Answer for binary3.exe |
|---|---|
What is different about the imports for WS2_32.dll vs KERNEL32.DLL?Tip: There are multiple ways to call a function in a library |
|
What helpful function description does portex give for GetTickCount() in the KERNEL32.DLL file? |
Tool 6 - exiftool (REMnux VM)
Exiftool (from https://exiftool.org/) is a command-line tool to read, write, and edit file metadata. It can be useful for a quick glance inside malware executables.
Run exiftool (at the command-line) and answer the following questions:
| Question | Answer for binary3.exe |
Answer for binary4.exe |
|---|---|---|
| Is this binary for 32-bit or 64-bit systems? | ||
| At what memory address in the loaded program will execution begin? (We can confirm this in a debugger later) |
Tool 7 - trid (REMnux VM)
TrID (from http://mark0.net/soft-trid-e.html) is a command-line tool to identify file types from their binary signatures. It can be useful if you have a "binary blob" captured from a malware unpacker and you want to make an educated guess about what it is before proceeding.
No questions, but you can try TrID with binary3.exe or binary4.exe
Next Time: We run malware and observe its behavior!