Lab 2 - Analysis Lab: Static Analysis Tools

In this lab, you will use static analysis tools in both your Windows and Linux virtual machines to examine malware samples of interest while the binary is "at rest" on the disk and not being executed.

Pre-Lab

Follow the Virtual Machine setup instructions for the Windows virtual machine.

SNAPSHOT SNAPSHOT SNAPSHOT!
Before proceeding further, take a snapshot of your fresh, non-infected Windows virtual machine and give it a clear label so that you can restore it later when needed.

Malware Samples

Go to the course Canvas site and download 4 samples from the Lab 2 Assignment into your Windows or Linux virtual machine as needed depending on the tools specified below. Unzip the files with password 'malware'.

Deliverables

Create a PDF document that provides the requested information for each tool below. Copy and Paste the table structure so all submissions have roughly-similar formatting for grading. Upload to the Lab 2 Assignment on Canvas when finished.

Tool 1 - PEStudio (Windows VM)

PEStudio (from https://www.winitor.com/index.html) is a great tool for initial assessment of an unknown piece of software. It can quickly show you many pieces of useful information, such as:

  • What indicators might potentially indicate this file is malware?
  • Does VirusTotal and its AV scanners think it's malware?
  • What code sections exist in the binary?
    • What is their entropy? (might indicate compressed code).
    • Are any code sections suspiciously marked as read-write-execute? Perhaps malware will unpack a payload there.
    • Are the section names abnormal or unique in any way?
  • What resources does the binary contain? Do any items in the resource section match common file types? (EXE, DLL, ZIP, JAR, etc...)
  • Does the binary use Structured Exception Handling (SEH)?
  • What system libraries does the binary import?
    • Which of those are commonly used in malware?
    • Is there a suspicious lack of system calls?
  • What strings (ASCII and UNICODE) exist in the file?
    • Are any strings suspicious?
    • Is there a suspicious lack of any strings at all?

For additional information on the capabilities of PEStudio, see PeStudio Standard.

Populate the following table using information from PEStudio:

Question Answer for binary1.exe Answer for binary2.exe
Is this a 32-bit or 64-bit PE executable?
What level 1 or level 2 indicators did PEStudio identify in this file?
How many A/V scanners flagged this file as malware?
Can this program be run in DOS mode? ;-)
What sections exist? (name, writeable, executable)
What libraries are imported? (name)
What functions are imported from the libraries? (name, maximum of 10)
Are the libraries or functions imported suspicious in any way?
Are there any interesting strings? Or anything interesting about the strings?

Tool 2 - HxD (Windows VM)

HxD (from https://mh-nexus.de/en/hxd/) is a hex editor that can be used to view, edit, and compare binary files.

Populate the following table using information from HxD:

Question Answer for binary1.exe Answer for binary2.exe
What are the first two bytes of the file?
What string appears at byte offset 4E in the file?

Additional Questions:

  1. What is this at the very beginning of these two files, and indeed all PE files, anyway? (You may refer to PE Format from the MSDN library or A closer look at Portable Executable MS-DOS Stub)
  2. Search for the meaning of the first two bytes of each file - Why were those bytes chosen out of all possible values?

Tool 3 - BinText (Windows VM)

BinText (from http://b2b-download.mcafee.com/products/tools/foundstone/bintext303.zip) is a graphical Unicode and ASCII string extractor that is more configurable than the basic string extractor found in PEStudio. You can start your analysis with the default settings (with a generous interpretation of 'string') and then selectively narrow your search in hopes of identifying useful strings in the noise.

Configure BinText (via the 'Filter' tab) to only show strings with the characters A-Z, a-z, 0-9, <space>, _, and answer the following questions:

Question Answer for binary1.exe Answer for binary2.exe
How many ASCII strings were found?
How many UNICODE strings were found?
At what address in memory (after the program is loaded by the OS) could the string VirtualAlloc be found?

Tool 4 - Signsrch (REMnux VM)

Signsrch (from http://aluigi.altervista.org/mytoolz.htm) is a tool to scan a binary for evidence of anti-debugging code or compression/encryption algorithms. Note that this tool, in theory, can detect new implementations of key algorithms - it is not simply scanning for existing libraries being instantiated in the code.

Run Signsrch (at the command-line) and answer the following questions:

Question Answer for binary3.exe Answer for binary4.exe
What compression algorithm is detected in the code? N/A
What function call is characteristic of malware anti-reverse engineering code? N/A
What existing Windows library cryptography functions are used? N/A

Tool 5 - Portex (REMnux VM)

Portex (from https://n0where.net/pe-static-malware-analysis-portex) is a command-line tool to scan PE files, with a similar set of features to PEStudio.

Note: Portex was added to REMnux after the .ova file was produced. To add it, along with any other updates, do:

update-remnux
# And go get a cup of coffee as the whole OS is updated before the new packages are added...

Run portex (at the command-line) and answer the following questions:

  1. In the binary3.exe file, what is different about the imports for WS2_32.dll vs KERNEL32.DLL? (Hint: There are multiple ways to call a function in a library)
  2. In the binary3.exe file, what helpful function description does portex give for GetTickCount() in the KERNEL32.DLL file?

Tool 6 - exiftool (REMnux VM)

Exiftool (from https://www.sno.phy.queensu.ca/~phil/exiftool/) is a command-line tool to read, write, and edit file metadata. It can be useful for a quick glance inside malware executables.

Run exiftool (at the command-line) and answer the following questions:

Question Answer for binary3.exe Answer for binary4.exe
Is this binary for 32-bit or 64-bit systems?
At what memory address in the loaded program will execution begin?
(We can confirm this in a debugger later)

Tool 7 - trid (REMnux VM)

TrID (from http://mark0.net/soft-trid-e.html) is a command-line tool to identify file types from their binary signatures. It can be useful if you have a "binary blob" captured from a malware unpacker and you want to make an educated guess about what it is before proceeding.

No questions, but you can try TrID with binary3.exe or binary4.exe

Next Time: We run malware and observe its behavior!