
Notes on Static Analysis

To get started with static analysis, I’ll first need malware samples.

The first thing to go over is the file type:

  1. Unzip the malware.
  2. The sample arrives as a .bin file: it has been defanged by changing the extension, so the real file type has to be determined from the content.

file type

To inspect the file type, open the file in HxD (a hex editor).

Some signatures to look for when identifying the file type. EXE signatures:

MZ
4D
5A
This program cannot be run in DOS mode

These signatures tell us that the file is an EXE: the hex bytes 4D 5A are the ASCII characters MZ, and the DOS-mode message appears shortly after them.

Sometimes malware hides inside an image file: an EXE can be embedded in what looks like a picture, so these signatures are worth checking even when the extension says otherwise.
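As an added example (not code from the original notes), the following Python script does what the HxD check above does by hand: it identifies a file by its leading magic bytes, follows the e_lfanew pointer at DOS-header offset 0x3C to confirm a real PE signature, and scans the whole file for MZ/PE headers so an EXE appended to an image is found too. The PNG carrier and the minimal PE skeleton are constructed sample bytes, not real malware.

```python
import struct
from typing import List

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode"


def has_pe_header(data: bytes, mz_offset: int) -> bool:
    """Follow e_lfanew (offset 0x3C of the DOS header) and check for 'PE\\0\\0'."""
    if len(data) < mz_offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, mz_offset + 0x3C)[0]
    pe = mz_offset + e_lfanew
    return data[pe:pe + 4] == b"PE\x00\x00"


def identify(data: bytes) -> str:
    """Classify a blob by its leading magic bytes, the way you would eyeball it in HxD."""
    if data.startswith(b"MZ"):
        return "PE executable (MZ)" if has_pe_header(data, 0) else "MZ header without PE signature"
    if data.startswith(PNG_MAGIC):
        return "PNG image"
    if data.startswith(b"\xff\xd8\xff"):
        return "JPEG image"
    if data.startswith(b"PK\x03\x04"):
        return "ZIP archive"
    return "unknown"


def find_pe_headers(data: bytes) -> List[int]:
    """Offsets of every MZ header that is backed by a valid PE signature (embedded EXEs)."""
    hits = []
    idx = data.find(b"MZ")
    while idx != -1:
        if has_pe_header(data, idx):
            hits.append(idx)
        idx = data.find(b"MZ", idx + 1)
    return hits


def dos_stub_present(data: bytes) -> bool:
    return DOS_STUB_MESSAGE in data


def build_minimal_pe() -> bytes:
    """Constructed PE skeleton (not a runnable program): DOS header with e_lfanew,
    the DOS stub message, then the PE signature and some zero padding."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    stub = DOS_STUB_MESSAGE + b".\r\n$"
    struct.pack_into("<I", dos, 0x3C, 0x40 + len(stub))
    return bytes(dos) + stub + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: a PNG header, some padding, then the PE skeleton appended.
IMAGE_WITH_PAYLOAD = PNG_MAGIC + b"\x00" * 32 + build_minimal_pe()

if __name__ == "__main__":
    print(identify(build_minimal_pe()))
    print(identify(IMAGE_WITH_PAYLOAD))
    print("embedded PE headers at offsets:", find_pe_headers(IMAGE_WITH_PAYLOAD))
    print("DOS stub message present:", dos_stub_present(IMAGE_WITH_PAYLOAD))
```

The point of the scan is that a file whose first bytes say "PNG" can still carry a complete executable further in; the extension and even the leading magic only describe the carrier.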

The next tool is Cmder, a console emulator for Windows. It supports drag-and-drop to enter a file path, which is really useful.

file DriveLetter:\malware_filepath

fingerprinting the malware

  1. Grab the hash and look it up in VirusTotal.
  2. Tools for this: HashCalc, HashMyFiles.

HashCalc also supports drag-and-drop to enter the file path directly.

Search for the file hash in VirusTotal.

Use the VirusTotal report and its Community section to get a better understanding of the malware.
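An added example, not code from the notes: the hashing step in Python. It computes MD5, SHA-1 and SHA-256 in one streamed pass (so a large sample is never loaded whole) and builds the VirusTotal URL that looks up a hash without uploading the file. The sample bytes in the usage section are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable

HASH_NAMES = ("md5", "sha1", "sha256")


def fingerprint_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed every chunk to all three hashers in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fingerprint_bytes(data: bytes, chunk_size: int = 64 * 1024) -> Dict[str, str]:
    return fingerprint_chunks(data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def fingerprint_file(path: str, chunk_size: int = 64 * 1024) -> Dict[str, str]:
    """Stream a sample from disk so the whole file is never held in memory."""
    with open(path, "rb") as f:
        return fingerprint_chunks(iter(lambda: f.read(chunk_size), b""))


def virustotal_lookup_url(sha256_hex: str) -> str:
    """VirusTotal's web UI accepts a file hash directly in the URL; nothing is uploaded."""
    return f"https://www.virustotal.com/gui/file/{sha256_hex}"


if __name__ == "__main__":
    # Constructed sample content written to a temp file, standing in for the .bin sample.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"MZ" + b"\x90" * 1000)
        path = tmp.name
    try:
        digests = fingerprint_file(path)
        for name, value in digests.items():
            print(f"{name:7}{value}")
        print(virustotal_lookup_url(digests["sha256"]))
    finally:
        os.unlink(path)
```

Looking up the hash rather than uploading the sample matters when the sample may be targeted: an upload makes the file public to other VirusTotal users, which can reveal that the attack was noticed.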

Strings

The strings inside a malware file can contain very useful information:

  1. IP addresses
  2. URLs (C2, i.e. command-and-control servers)
  3. Windows API function names
  4. Base64 or other encoded data

PowerShell-based malware commonly carries Base64-encoded payloads.

Back in Cmder, run:

strings -n 10 DriveLetter:\malware_filepath

This dumps every printable string of length 10 or more that it finds inside the file, one per line, which makes signatures easy to spot.

The results can also be redirected to an output file:

strings -n 10 DriveLetter:\malware_filepath > output.txt

Another tool for the same job is BinText.

Decrypting encoded strings

The next tool is XORSearch.

Encoded strings in malware sometimes contain URLs.

Xorsearch DriveLetter:\malware_filepath keyword

To look for URLs, use the keyword http. To look for an embedded EXE, use This (the start of the DOS-mode message). Another useful keyword is Create, a common prefix of Windows API names.
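The core of what XORSearch does for the keywords above, as an added Python example (not the tool's own code): try every single-byte XOR key, search the decoded bytes for the keyword, and report the key, offset and a preview of the decoded text. XORSearch also tries ROL, ROT and shift encodings, which this example leaves out. SAMPLE is constructed: a plain DOS-stub message followed by a URL XORed with the key 0x5A, using a TEST-NET-2 address.

```python
from typing import List, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_search(data: bytes, keyword: bytes, preview_len: int = 40) -> List[Tuple[int, int, bytes]]:
    """Return (key, offset, decoded preview) for every single-byte XOR key under which
    `keyword` appears in the data. Key 0 covers plaintext hits."""
    hits = []
    for key in range(256):
        decoded = xor_bytes(data, key)
        idx = decoded.find(keyword)
        while idx != -1:
            hits.append((key, idx, decoded[idx:idx + preview_len]))
            idx = decoded.find(keyword, idx + 1)
    return hits


def format_hits(hits: List[Tuple[int, int, bytes]]) -> List[str]:
    """XORSearch-like report lines: key in hex, offset, and the decoded preview."""
    return [f"Found XOR {key:02X} position {offset:04X}: {preview.decode('ascii', errors='replace')}"
            for key, offset, preview in hits]


# Constructed sample: a cleartext DOS stub message, then a URL hidden with XOR key 0x5A.
DOS_STUB = b"This program cannot be run in DOS mode"
HIDDEN_URL = b"http://198.51.100.23/update.bin"
SAMPLE = b"\x00" * 8 + DOS_STUB + b"\x00" * 8 + xor_bytes(HIDDEN_URL, 0x5A) + b"\x00" * 8

if __name__ == "__main__":
    for keyword in (b"http", b"This", b"Create"):
        print(f"keyword {keyword.decode()}:")
        for line in format_hits(xor_search(SAMPLE, keyword)):
            print("  " + line)
```

Once a key produces a hit, decoding the surrounding bytes with the same key usually recovers the whole configuration block, not just the keyword that was searched for.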

The next tool is FLOSS.

floss -s DriveLetter:\malware_filepath

When it finishes, FLOSS lists the obfuscated strings it found, already decoded from the file. Sometimes it decodes nothing useful, sometimes relevant information comes up. Tough luck.

Packing

Packing is a technique where malware authors use a tool that transforms the executable by compressing the code or encrypting the data. They do this because it helps the malware avoid detection by antivirus products and hides the real code from static analysis.

The tool to use to see whether a sample is packed is Exeinfo.

It shows us which packer the malware is using, e.g. UPX.

It will also tell us what to do to unpack the file.

Like so:

upx -d -o UnpackedMalware.exe DriveLetter:\malware_filepath

The -d flag decompresses, and -o tells UPX to write the unpacked file to a new UnpackedMalware.exe.

The unpacked file is usually bigger than the original, which makes sense since the packer compressed it.

There are many packers, and just as many ways to unpack them.
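As an added example (not code from Exeinfo or UPX), this Python script shows two heuristics a packer detector applies to a PE: section names that belong to known packers (UPX uses UPX0/UPX1) and sections whose raw data has near-maximal Shannon entropy, which is what compressed or encrypted data looks like. It parses the section table itself via e_lfanew, the COFF header and the 40-byte section headers. The two PE files it builds are constructed skeletons (headers and section data only, not runnable programs); the packer section-name list is a small illustrative set.

```python
import math
import struct
from typing import Dict, List, Sequence, Tuple

# Section names left behind by a few well-known packers (illustrative, not exhaustive).
KNOWN_PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                         b".MPRESS1", b".MPRESS2", b".vmp0", b".vmp1", b".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for constant data up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    number_of_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(number_of_sections):
        off = table + i * 40
        name = pe[off:off + 8].rstrip(b"\x00")
        virtual_size, _virtual_address, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "virtual_size": virtual_size,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def packer_verdict(sections: List[Dict]) -> List[str]:
    reasons = []
    for s in sections:
        name = s["name"].decode("ascii", errors="replace")
        if s["name"] in KNOWN_PACKER_SECTIONS:
            reasons.append(f"{name}: section name used by a known packer")
        if s["raw_size"] and s["entropy"] > 7.0:
            reasons.append(f"{name}: entropy {s['entropy']:.2f} (compressed or encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"{name}: no raw data but {s['virtual_size']:#x} bytes virtual size (room for unpacked code)")
    return reasons


def is_packed(pe: bytes) -> bool:
    return bool(packer_verdict(parse_sections(pe)))


def build_pe(sections: Sequence[Tuple[bytes, int, bytes]]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header with an empty
    optional header, the section table, then each section's raw data."""
    headers = bytearray(0x40)
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    data_start = 0x40 + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, virtual_size, raw in sections:
        raw_ptr = data_start + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, virtual_size, 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, 0)
        body += raw
    return bytes(headers) + b"PE\x00\x00" + coff + table + body


# Constructed samples: a UPX-style layout (empty UPX0, high-entropy UPX1) and a plain one.
HIGH_ENTROPY = bytes(range(256)) * 16           # every byte value equally often: 8.0 bits
LOW_ENTROPY = (b"\x55\x8b\xec" + b"\x90" * 13) * 256
UPX_LIKE = [(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, HIGH_ENTROPY), (b".rsrc", 0x1000, b"\x00" * 256)]
CLEAN = [(b".text", 0x1000, LOW_ENTROPY), (b".data", 0x200, b"\x00" * 512)]

if __name__ == "__main__":
    for label, layout in (("upx-like", UPX_LIKE), ("clean", CLEAN)):
        pe = build_pe(layout)
        for s in parse_sections(pe):
            print(f"{label:9}{s['name'].decode():10}raw={s['raw_size']:#8x} entropy={s['entropy']:.2f}")
        print(f"{label:9}verdict:", packer_verdict(parse_sections(pe)) or ["no packer indicators"])
```

High entropy alone is not proof of packing, since legitimate resources such as compressed images also score near 8.0; that is why detectors combine it with section names, import counts and entry-point location before naming a packer.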

pestudio

Another tool is pestudio. This is an all-in-one tool.

It gives us the hashes, the file signatures and the packing technique.

It also shows indicators, i.e. suspicious things the file contains.

It automatically checks the file against VirusTotal and shows the results too.

It also shows the strings it extracts. The red flags are mostly found under the indicators tab.



© 2020-2025 Ucchas Muhury