Static malware analysis was performed on a bot malware sample to understand its characteristics without executing the file. Key steps included taking snapshots of the virtual machine before and after file copying to preserve the original state, using PEiD and peview tools to analyze the file's Portable Executable structure and identify the machine type, compiler, imported and exported functions. This revealed the malware may modify registry values and create processes to connect to the Windows network. The analysis provided initial insight into the malware's potential behaviors and targets without risking execution in a live system.
Basic Static Malware Analysis.pdf
1. Basic Static Malware Analysis
AIM: Perform Basic Static Analysis on Bot malware sample
Description:
Static malware analysis helps us understand information about a malware sample: unpacking the file, its file signature, the affected import/export functions, and extracting strings.
Analysing a malware threat without executing the file is called "Static Malware Analysis". Malware analysis is the best and most challenging area in the cyber security field; before going into malware analysis, one should learn about file structures, the default DLL functions in a Windows system, and how to collect the imported strings and where they are located.
Requirements:
Windows XP (a basic system on which sample analysis is easy)
Malware sample analysis tools
Malware sample
Procedure:
Step_1. File analysis is the most important part; before executing a file, create an isolated environment in the system, such as a connection-less or host-only mode in a virtual machine. VMware Workstation provides a snapshot option, which makes malware analysis more effective: before starting to execute the malware, take a clean and safe snapshot from the workstation. The next snapshot is created after all malware samples and tools have been copied into the virtual machine.
Step_2. The first screenshot shows the Windows XP system ready and explains the environment, where each control is.
Step_3. Now all the malware samples and malware analysis tools are copied and in my hand. I am now ready to take another snapshot before analysis, named (Malware_Testing_Enviorment).
Figure 1: Windows XP system ready, cleaned VM
Figure 2: Look at the screenshot; give the path now to take the snapshot
Figure 3: After the malware sample is copied, take the snapshot (Malware_Testing_Enviorment)
Step_4. Yes, sometimes executing malware changes registry values without us knowing, so I plan to take a registry shot using the Regshot tool and save the output on the system.
Figure 4: Regshot 32-bit ANSI run
Figure 5: First registry snapshot taken and its saved location
Step_5. Now look at the malware sample exe file; its name is bot.exe. Whether this file is packed with an obfuscation method or is a normal file can be analysed with the tool "PEiD".
The figure above shows that the PEiD tool helps to understand the file's first offset, the size of the file and, importantly, the unpacked file analysis; here the message displayed is "Nothing found". Most of the criminals (attackers) hide information about a malicious file by using a packing method; the UPX tool helps to pack the exe file.
Figure 8: PEiD tool, file uploaded here; nothing packed in this file
Figure 9: Malware sample file (bot.exe)
Step_6. Next, we analyse the file's PE structure using the peview tool; this tool gives useful information (e.g. whether the file really is an exe or not). The sample malware (bot.exe) is uploaded into peview, and the information looks like the screenshot.
This screenshot shows information about the PE file: the left-side panel has the PE structure format tree, and the right-side panel gives the detailed information to the analyst.
In the PE structure we first identify the PE header, where we identify the Windows platform signature IMAGE_DOS_SIGNATURE "MZ", Subprogram ""
Step_7. Next is the MS-DOS sub-program; here we identify the standard MZ once again.
Figure 10: Left-side panel tree, right-side PE file information
Figure 11: MZ analysis
Step_8. Here we identify the PE image signature.
The PE signature ("new technologies" file system executable) is IMAGE_NT_SIGNATURE "PE".
Step_9. The File Header holds the most important information: the running Windows platform, the first compile date and time, and the machine type.
We analyse the machine "Window ---IMAGE_FILE_MACHINE DOS", time date stamp "2011/04/14 Thu", Windows system 32-bit platform.
Figure 12: Image File Header, the most useful information
Step_10. The important section is the text section's import address table. This file changes some functions; the affected areas are the registry, process creation, and control release. Here I think the most-used functions are process creation and registry changes.
The best analysis gets the internal code functions; the imported class functions help with the internal data code.
Step_11. This Windows network DLL helps understand the file's connection from the Windows system.
Figure 13: Import class, understanding the functions
Figure 14: winnet dll functions
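The header walk that peview and PEiD perform by hand in Steps 5 to 9 (DOS "MZ" signature, "PE" signature, File Header machine type and time stamp, and section names that reveal UPX packing) can be reproduced with a short parser. The following is an added example written for this page, not code from the report; `build_sample` constructs a hypothetical minimal PE image (not bot.exe) whose time stamp is chosen to match the 2011/04/14 Thu date shown in Figure 12.

```python
import struct
from datetime import datetime, timezone

# IMAGE_FILE_MACHINE_* values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "IMAGE_FILE_MACHINE_I386", 0x8664: "IMAGE_FILE_MACHINE_AMD64",
                 0x01C0: "IMAGE_FILE_MACHINE_ARM", 0xAA64: "IMAGE_FILE_MACHINE_ARM64"}
IMAGE_FILE_DLL = 0x2000                        # Characteristics flag: DLL, not an exe
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # section names the UPX packer leaves behind


def parse_pe_headers(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_SIGNATURE -> IMAGE_FILE_HEADER -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no IMAGE_DOS_SIGNATURE 'MZ': not a PE/MS-DOS executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # offset of the NT headers
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no IMAGE_NT_SIGNATURE 'PE': DOS-only or corrupt file")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, tstamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sect_off = e_lfanew + 24 + opt_size        # section table follows the optional header
    if len(data) < sect_off + 40 * nsections:
        raise ValueError("section table truncated")
    names = [struct.unpack_from("8s", data, sect_off + 40 * i)[0].rstrip(b"\0")
             .decode("ascii", "replace") for i in range(nsections)]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "timestamp": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y/%m/%d %a"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
    }


def build_sample(machine=0x014C, tstamp=1302739200, sections=(b".text", b".rdata")) -> bytes:
    """Constructed minimal PE image (hypothetical, not bot.exe): DOS stub, PE signature,
    file header and bare section headers. SizeOfOptionalHeader is 0 to keep it short;
    a real image carries a 0xE0/0xF0-byte optional header there. The default
    time stamp is 2011-04-14 00:00 UTC, matching the date in the report."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: right after the stub
    # Characteristics 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE, as for a 32-bit exe
    file_header = struct.pack("<HHIIIHH", machine, len(sections), tstamp, 0, 0, 0, 0x0102)
    section_table = b"".join(s.ljust(8, b"\0") + b"\0" * 32 for s in sections)
    return bytes(dos) + b"PE\0\0" + file_header + section_table


if __name__ == "__main__":
    print(parse_pe_headers(build_sample()))
```

To triage a real sample, pass `open(path, "rb").read()` to `parse_pe_headers`; a file that raises on the "PE" check or shows UPX section names is the case where PEiD would not report "Nothing found".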