Analysing Malware — Example

Is this Malware? Is it not? — Basic Static Analysis

CyberNotes
4 min read · Feb 25, 2025

❗️❗️❗️Reminder

This is run on a FlareVM + Remnux Malware Analysis Home lab. Thou shalt not run this on your PC ❌

Here we go:

Let’s set up the scenario. You get a file from your SOC team, and they are suspecting that the file may be malware, but aren’t very sure. You set up a process to determine if that is the case.

1. Calculate the Hash and check on VirusTotal

Once I have the hash value, I will then paste that into VirusTotal to see if it has been flagged before:

VirusTotal Results: Only 2 vendors flag it as malware. So there’s a slight chance it is actually malware.

2. What are the suspicious Strings we can Extract?

Malware authors often employ basic string obfuscation techniques to evade detection. As a result, these obfuscated strings typically do not appear in tools like the strings utility or other string extraction methods.

To address this, the FireEye Labs Obfuscated String Solver (FLOSS) was developed. FLOSS is a specialized tool that automatically detects and extracts obfuscated strings from malware, helping analysts uncover the hidden strings that malware authors attempt to conceal from traditional extraction tools.

Extracting Strings gives you some idea about the program functionality and indicators within the malware binary file.

The strings extracted from a binary may include references to various elements such as filenames, URLs, domain names, IP addresses, attack commands, registry keys, and more.

To try things out, I will try the Strings command to see what strings I can extract from the sample:

Run the strings command and write the output to the strings.txt file.

Results: The strings extracted are not very useful for our analysis. We do not see any Windows API function calls or anything like that. This is a tell-tale sign that the sample is very likely obfuscated or packed!

Now let’s try the floss alternative:

It is important to note that floss cannot run on a zipped malware sample. So you will need to extract that first.

The floss command results:
With floss, we do get a lot more. But it doesn’t seem like we are getting that much information from this. Better luck next time!

The floss and strings commands did not really tell us much.

3. What is the file Architecture of this sample?

Determining the file type of a malware sample helps identify the sample’s target architecture.

For instance, if the executable is of the Portable Executable (PE) type, this tells you that the file is designed for Windows operating systems.

To determine the file type, we can use the file command:

Just to check again that it is accurate, use PEStudio to check for the sample again:

The target system is Windows 32-bit.
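The three steps above (hash, strings, file type) can be scripted so the same triage is repeatable on every sample the SOC hands over. The following is an added example, not code from the article: it hashes the bytes, pulls printable ASCII runs the way `strings` does and buckets the interesting ones into the indicator types the post lists (URLs, IPs, registry keys, DLL names, API names), and reads the PE header’s Machine field to report the target architecture. The sample bytes, the URL, the IP address and the API watch-list are all constructed for the demo; it does not decode obfuscated strings the way FLOSS does.

```python
# Added example (not the article's own code): a minimal static-triage helper that
# performs the three steps of the post: hash the sample, pull printable strings
# and tag the interesting ones, and read the PE header to learn the target
# architecture. The sample bytes below are CONSTRUCTED for the demo; they are not
# a real binary and not the sample from the article.
import hashlib
import re
import struct

# Hypothetical watch-list of API names worth a second look; extend it to taste.
SUSPICIOUS_APIS = {
    "CreateFileA", "WriteFile", "VirtualAlloc", "CreateRemoteThread",
    "WinExec", "ShellExecuteA", "URLDownloadToFileA", "RegSetValueExA",
}
URL_RE = re.compile(r"https?://[\w.\-/]+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"(?:HKEY_[A-Z_]+|SOFTWARE\\|CurrentVersion\\Run)", re.IGNORECASE)
DLL_RE = re.compile(r"\b\w+\.dll\b", re.IGNORECASE)

# IMAGE_FILE_HEADER.Machine values from the PE specification.
MACHINE_TYPES = {0x014C: "x86 (32-bit)", 0x8664: "x64 (64-bit)", 0x01C4: "ARM", 0xAA64: "ARM64"}


def hash_bytes(data: bytes) -> dict:
    """Step 1: the hashes you would paste into VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Step 2: printable ASCII runs, like the `strings` utility.
    Plain ASCII only; FLOSS-style decoding of obfuscated strings is out of scope."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify_strings(strings: list) -> dict:
    """Bucket the strings by the indicator types the post lists."""
    found = {"urls": [], "ips": [], "registry": [], "dlls": [], "apis": []}
    for s in strings:
        if URL_RE.search(s):
            found["urls"].append(s)
        if IPV4_RE.search(s):
            found["ips"].append(s)
        if REG_RE.search(s):
            found["registry"].append(s)
        if DLL_RE.search(s):
            found["dlls"].append(s)
        if s in SUSPICIOUS_APIS:
            found["apis"].append(s)
    return found


def pe_machine(data: bytes):
    """Step 3: read IMAGE_FILE_HEADER.Machine to learn the target architecture.
    Returns None if the bytes are not a PE file (no MZ stub or no PE signature)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return MACHINE_TYPES.get(machine, "unknown (0x%04x)" % machine)


def triage(data: bytes) -> dict:
    """Run all three steps and summarise, including the post's packing heuristic:
    no API or DLL names among the strings suggests the sample is packed/obfuscated."""
    strings = extract_strings(data)
    indicators = classify_strings(strings)
    return {
        "hashes": hash_bytes(data),
        "architecture": pe_machine(data),
        "string_count": len(strings),
        "indicators": indicators,
        "possibly_packed": not indicators["apis"] and not indicators["dlls"],
    }


def build_demo_sample() -> bytes:
    """CONSTRUCTED stand-in for a 32-bit PE: a DOS stub, a PE signature with
    Machine=0x014C, and a few planted strings. Not a runnable executable."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)              # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew -> offset 0x40
    coff = b"PE\0\0" + struct.pack("<HH", 0x014C, 1) + b"\0" * 16
    payload = b"\0".join([
        b"kernel32.dll", b"CreateFileA", b"VirtualAlloc",
        b"http://example.invalid/update.bin",            # constructed URL
        b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
        b"192.0.2.10",                                   # RFC 5737 documentation address
    ])
    return bytes(dos) + coff + payload


if __name__ == "__main__":
    # Usage: triage(open("sample.bin", "rb").read()) on a real file inside the lab VM.
    report = triage(build_demo_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the report shows the three hashes, `x86 (32-bit)` for the architecture, six strings, one hit in each indicator bucket (two in `apis`), and `possibly_packed` False; on a blob with no recognisable API or DLL names, as the article observed with `strings`, the heuristic flips to True, which is the cue to move on to FLOSS or a packer check.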

STATIC ANALYSIS RESULTS — Here’s what we know so far:

2 security vendors have flagged it as malware

The target architecture is Windows 32-bit

There isn't much we can get from floss/strings.



Written by CyberNotes

Data Science/Cyber - Student at Michigan State University.
