MALWARE ANALYSIS

STATIC ANALYSIS BASICS

Mount the live Sysinternals tools share (WebDAV over HTTPS; the tools run straight from the UNC path, so nothing has to be installed on the analysis box):

\\live.sysinternals.com\tools

Signature check of DLL and EXE files in a directory (-e scans executable images regardless of extension, -u shows only unsigned files, add -s to recurse into subdirectories):

sigcheck.exe -u -e C:\<DIRECTORY>

Query VirusTotal for the file (-vt accepts the VirusTotal terms of service, -v looks the hash up; change -v to -vs only if you want unknown files uploaded, which hands your sample to a third party):

sigcheck.exe -vt -v <SUSPICIOUS FILE NAME>

Windows PE Analysis:

View hex and ASCII of a PE (or any file); the optional -n limits hexdump to the first N bytes, here 500:

hexdump -C -n 500 <SUSPICIOUS FILE NAME>
od -x somefile.exe
xxd somefile.exe

Note that od -x prints 2-byte words, so on a little-endian host adjacent bytes appear swapped; od -A x -t x1z prints one byte per column with the ASCII alongside, which is easier when reading header fields.

On 32-bit Windows the old DOS DEBUG tool can page through the hex of any file, not only PE files (it is a 16-bit program and is not present on 64-bit Windows):

debug <SUSPICIOUS FILE NAME>
-d (at the "-" prompt, type d to get a page of hex at a time)
-q (quit the debugger)

Windows PE analysis:

PE file compile date/time Perl script (Windows PE only). The linker writes a 32-bit Unix epoch into the COFF header's TimeDateStamp field; the script follows e_lfanew at offset 0x3C to the "PE\0\0" signature and reads the stamp 8 bytes past it. Treat the value as a hint only: it is attacker-controlled and trivially edited, and reproducible builds (MSVC /Brepro) store a hash there rather than a time, so nonsense dates are not by themselves a sign of tampering. Run it with:

perl.exe <SCRIPT NAME>.pl <SUSPICIOUS FILENAME>

#! perl -slw
use strict;

open EXE, '<:raw', $ARGV[0] or die "$ARGV[0] : $!";

# Read the first 64 KiB; the PE header almost always lives in that range.
my $dos = do { local $/ = \65536; <EXE> };

die "$ARGV[0] is not a .exe or .dll (sig='${ \substr $dos, 0, 2 }')"
    unless substr( $dos, 0, 2 ) eq 'MZ';

# e_lfanew (offset 0x3C) points at "PE\0\0"; TimeDateStamp sits 8 bytes past it
# (4-byte signature, 2-byte Machine, 2-byte NumberOfSections).
my $peoff   = unpack 'x60 V', $dos;
my $coffoff = 8 + $peoff;

# If the PE header lies beyond the first 64 KiB, pull in enough extra bytes.
read( EXE, $dos, $coffoff - 65536 + 4, 65536 ) or die $! if $coffoff > 65536;

die "$ARGV[0] has no PE signature at offset $peoff"
    unless substr( $dos, $peoff, 4 ) eq "PE\0\0";

my $ts = unpack "x$coffoff V", $dos;

print "$ARGV[0] : ", defined $ts
    ? ( scalar( localtime $ts ) || "has unfathomable timestamp value $ts" )
    : 'has no timestamp';

__END__
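The same header walk in Python, as an added example that is not part of the original page, goes a step further than the Perl script: after the compile timestamp it reads the section table and computes per-section byte entropy, which is the usual quick test for a packed or encrypted payload. The PE image it parses is constructed in memory for the demonstration (it is not a real binary), and the thresholds it uses (entropy above 7.0, virtual size more than four times the raw size) are rules of thumb chosen for this example, not fixed facts about packers.

```python
"""Added example: compile timestamp and section entropy from a PE header.
Standard library only; the sample image is constructed, not a real file."""
import math
import struct
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Walk MZ -> e_lfanew -> "PE\\0\\0" -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=0x%x" % e_lfanew)
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    # Optional header Magic: 0x10B = PE32, 0x20B = PE32+ (64-bit)
    magic = struct.unpack_from("<H", blob, opt)[0] if opt_size >= 2 else 0
    sect_tbl = opt + opt_size
    sections = []
    for i in range(nsect):
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, sect_tbl + 40 * i)
        raw = blob[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "timestamp": ts,
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "sections": sections,
    }


def suspicious_sections(info: dict, entropy_threshold: float = 7.0) -> list:
    """Flag sections that look packed: near-random bytes, or a section that
    reserves far more memory than it holds on disk (filled in at runtime)."""
    hits = []
    for s in info["sections"]:
        reasons = []
        if s["entropy"] > entropy_threshold:
            reasons.append("high entropy %.2f" % s["entropy"])
        if s["raw_size"] and s["virtual_size"] > 4 * s["raw_size"]:
            reasons.append("virtual size %d >> raw size %d" % (s["virtual_size"], s["raw_size"]))
        if reasons:
            hits.append((s["name"], "; ".join(reasons)))
    return hits


def build_sample() -> bytes:
    """Constructed minimal PE32+ image (hypothetical): a low-entropy .text
    section plus a UPX-style section of near-random bytes."""
    ts = 1262304000  # 2010-01-01T00:00:00Z, arbitrary
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew
    opt = struct.pack("<H", 0x20B) + bytes(14)          # Magic plus padding only
    coff = struct.pack("<HHIIIHH", 0x8664, 2, ts, 0, 0, len(opt), 0x22)
    hdr_len = 64 + 4 + 20 + len(opt) + 2 * 40
    text = b"\x90" * 256                                # NOP sled: entropy 0
    upx = bytes(range(256)) * 4                         # each byte value 4 times: entropy 8
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, len(text), hdr_len,
                       0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x20000, 0x2000, len(upx), hdr_len + len(text),
                       0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + opt + sec1 + sec2 + text + upx


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    info = parse_pe(data)
    print(info["compiled"], "PE32+" if info["pe32plus"] else "PE32")
    for s in info["sections"]:
        print("%-8s raw=%-8d virt=%-8d entropy=%.2f" % (s["name"], s["raw_size"], s["virtual_size"], s["entropy"]))
    for name, why in suspicious_sections(info):
        print("SUSPICIOUS:", name, why)
```

Pass a real file as the first argument to run it against a sample; with no argument it parses the constructed image and flags the UPX1 section on both heuristics.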

View printable strings inside a PE; the optional -n sets the minimum string length (default 4):

Using strings in Linux (GNU strings scans 7-bit ASCII only by default; add -e l to also see the UTF-16LE strings most Windows binaries carry):

strings -n 10 <SUSPICIOUS FILE NAME>

Using strings in Windows (the Sysinternals tool scans both ASCII and Unicode by default; -a or -u restricts it to one):

strings <SUSPICIOUS FILE NAME>
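An added example (not code from the page) of what the two strings tools do under the hood, and why the encoding matters: it scans a byte buffer for ASCII runs and for UTF-16LE runs separately, then picks out the hits an analyst looks for first, injection-related API names and URLs. The input bytes and the API list are constructed for the example; the list is a small illustrative subset, not a complete indicator set.

```python
"""Added example: ASCII and UTF-16LE string extraction with a simple IOC filter.
The sample buffer is constructed for the demo and is not from a real binary."""
import re
from typing import List, Tuple


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable runs of at least min_len chars.
    ASCII is what GNU strings finds by default; UTF-16LE is what it misses
    without -e l, and where Windows binaries keep most of their strings."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


# Illustrative subset of APIs that show up in process-injection code (assumption: a
# real triage list would be much longer and tuned to the sample set).
INJECTION_APIS = {
    "CreateRemoteThread", "VirtualAllocEx", "WriteProcessMemory",
    "NtUnmapViewOfSection", "QueueUserAPC", "SetWindowsHookExA",
}
URL_RE = re.compile(r"^(?:https?|ftp)://")


def flag_iocs(found: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Keep only strings that are injection APIs or URLs, with their file offsets."""
    return [(off, text) for off, _enc, text in found
            if text in INJECTION_APIS or URL_RE.match(text)]


# Constructed sample: some padding, an ASCII import name and API name, a UTF-16LE
# URL (invisible to plain `strings`), and a short tail below the length cutoff.
SAMPLE = (
    b"\x00" * 8
    + b"MZ\x90\x00"
    + b"kernel32.dll\x00"
    + b"CreateRemoteThread\x00"
    + b"\x7f\x01\x02"
    + "http://example.invalid/gate.php".encode("utf-16-le")
    + b"\x00\x00"
    + b"ok\x00"
)

if __name__ == "__main__":
    for off, enc, text in extract_strings(SAMPLE):
        print("0x%06x %-8s %s" % (off, enc, text))
    print("IOCs:", flag_iocs(extract_strings(SAMPLE)))
```

Raising min_len the way strings -n does trades recall for noise: at 13 the import name drops out while the API name and the URL survive.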

Find injected code in a memory dump using Volatility 2 with the Win7SP1x64 profile (malfind reports memory regions that are executable and writable yet not backed by a file on disk; -D writes each region out as a file for static analysis). Run imageinfo first if the profile is not known:

python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 malfind -D /<OUTPUT DUMP DIRECTORY>

Restrict malfind to a single process by PID:

python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 malfind -p <PID #> -D /<OUTPUT DUMP DIRECTORY>

Find suspicious processes using Volatility (pslist walks the active process list; pstree shows the same processes as a parent/child tree, which is where an odd parent, such as svchost.exe not started by services.exe, or a look-alike name stands out):

python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 pslist
python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 pstree
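The parent/child and look-alike checks an analyst applies by eye to pslist output, written out as an added example (not part of the page and not a Volatility plugin). The listing it parses is constructed in the column layout Volatility 2's pslist prints (offset, name, PID, PPID, then thread and handle counts); only the first four columns are used, and the processes and PIDs are invented for the example. The expected-parent table is a simplification for Windows 7: it is an assumption of this example, and legitimate parents that have already exited (smss.exe for csrss.exe, userinit.exe for explorer.exe) are deliberately not treated as findings.

```python
"""Added example: flag odd parents and look-alike names in pslist output.
The listing below is constructed for the demo, not output from a real dump."""
import re
from typing import Dict, List, Tuple

SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca0b30 System                    4      0     82      509 ------      0 2020-03-01 10:00:00 UTC+0000
0xfffffa80014d6040 smss.exe                272      4      2       29 ------      0 2020-03-01 10:00:00 UTC+0000
0xfffffa8001a2f060 csrss.exe               356    348      9      453      0      0 2020-03-01 10:00:01 UTC+0000
0xfffffa8001a5e060 wininit.exe             392    348      3       76      0      0 2020-03-01 10:00:01 UTC+0000
0xfffffa8001aa5b30 services.exe            488    392      8      207      0      0 2020-03-01 10:00:02 UTC+0000
0xfffffa8001aaeb30 lsass.exe               496    392      7      561      0      0 2020-03-01 10:00:02 UTC+0000
0xfffffa8001b1c060 svchost.exe             600    488     10      356      0      0 2020-03-01 10:00:03 UTC+0000
0xfffffa8001b43b30 svchost.exe             700    488      7      280      0      0 2020-03-01 10:00:03 UTC+0000
0xfffffa8001cf1b30 explorer.exe           1234   1200     28      790      1      0 2020-03-01 10:01:10 UTC+0000
0xfffffa8001d32060 svchost.exe            2012   1234      3       70      1      0 2020-03-01 10:05:42 UTC+0000
0xfffffa8001d80b30 svch0st.exe            2100    600      2       45      0      0 2020-03-01 10:05:50 UTC+0000
0xfffffa8001db2060 cmd.exe                2200   2012      1       30      1      0 2020-03-01 10:06:01 UTC+0000
"""

# Simplified Windows 7 parentage (assumption for this example, not a complete table).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "explorer.exe": "userinit.exe",
}
SYSTEM_NAMES = set(EXPECTED_PARENT) | {"System", "userinit.exe", "winlogon.exe"}

LINE_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)\s")


def parse_pslist(text: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (name, PPID); header and separator lines do not match and are skipped."""
    procs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_suspicious(procs: Dict[int, Tuple[str, int]]) -> List[Tuple[int, str, str]]:
    """Report (pid, name, reason) for wrong parents and for names one edit away
    from a system process. A parent that is absent from the listing (already
    exited) cannot be judged and is not reported."""
    findings = []
    for pid, (name, ppid) in sorted(procs.items()):
        parent = procs.get(ppid)
        expected = EXPECTED_PARENT.get(name)
        if expected and parent is not None and parent[0] != expected:
            findings.append((pid, name, "parent is %s (PID %d), expected %s" % (parent[0], ppid, expected)))
        if name not in SYSTEM_NAMES:
            for sysname in SYSTEM_NAMES:
                if edit_distance(name.lower(), sysname.lower()) == 1:
                    findings.append((pid, name, "name is one character off from %s" % sysname))
                    break
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_suspicious(parse_pslist(SAMPLE_PSLIST)):
        print("PID %-6d %-14s %s" % (pid, name, reason))
```

Pipe real output in with a small wrapper (`parse_pslist(open("pslist.txt").read())`) and extend EXPECTED_PARENT for the Windows version in hand; the two hits on the constructed data are the svchost.exe spawned by explorer.exe and the svch0st.exe look-alike.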

Find suspicious DLLs using Volatility (dlllist shows each process's loaded modules with their paths; dlldump writes them out to disk so they can be hashed and checked with sigcheck):

python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 dlllist
python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 dlldump -D /<OUTPUT DUMP DIRECTORY>

Malware configuration parsing tool (DC3-MWCP):

# Install dc3-mwcp from a source checkout:
python setup.py install
# List the available parsers, then run the matching one against the suspicious file:
mwcp-tool.py -l
mwcp-tool.py -p <PARSER NAME> <SUSPICIOUS FILE NAME>

Install Rekall (the project is no longer maintained, so expect missing profiles for recent Windows builds):

pip install rekall
rekal --help

Run Rekall against a memory file and extract process list, dlllist, executable dump:

rekal -f <MEMORY FILE>.aff imageinfo
rekal -f <MEMORY FILE>.dd pslist
rekal -f <MEMORY FILE>.img pslist --pid <PID>
rekal -f <MEMORY FILE>.dd dlllist
rekal -f <MEMORY FILE> pedump