Malware Static Analysis

Last modified: 2024-04-13

Malware

Static analysis is a method of malware analysis that examines a suspicious file without executing it. It can reveal basic information about a file (e.g. packer, linker, architecture), but this may not be enough on its own.

file example.exe
stat example.exe
file-magic.py example.exe
binwalk -e example.exe
strings example.exe

# -x: Display all headers (objdump needs at least one option)
objdump -x example.exe

# Identify the file type using its signature.
trid example.exe

# Determine types of files and examine file properties.
# -i: Show file info
diec -i example.exe
# -r: Recursive scan
# -d: Deep scan
diec -rd example.exe
# -e: Show entropy
diec -e example.exe
# -a: Scan all types
diec -a example.exe

# Read EXIF metadata
exiftool example.exe

# Extract interesting strings
bulk_extractor example.exe -o ./extracted

# Hex editor
wxHexEditor example.exe

# View, edit, carve contents of various binary file types.
# View metadata
hachoir-metadata example.exe
# Parse a binary file
hachoir-urwid example.exe
# A graphical binary explorer
hachoir-wx example.exe
# Search a substring in a binary file
hachoir-grep --all example.exe

# GUI for reverse engineering
ghidra
cutter example.exe

PE Files

manalyze example.exe
# -p: Use plugins
manalyze -p all example.exe

peframe example.exe
pedump example.exe
pecheck example.exe

# Examine contents and structure of PE files.
pe-tree example.exe
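
The PE tools above report fields such as architecture, linker version and section layout. As an added example (not part of the original page or of any tool listed here), this Python script reads those fields directly from the headers and flags likely packing; the function names, the 7.0 entropy threshold and the UPX name check are assumptions chosen for illustration, and the sample input is constructed.

```python
import math
import struct
from collections import Counter

MACHINES = {0x14C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}  # COFF Machine values

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage_pe(buf: bytes) -> dict:
    """Parse PE headers statically; nothing in the file is executed."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", buf, 0x3C)  # e_lfanew
    if buf[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe_off + 4)
    _, link_major, link_minor = struct.unpack_from("<HBB", buf, pe_off + 24)
    sections = []
    for i in range(nsect):  # 40-byte section headers follow the optional header
        off = pe_off + 24 + opt_size + 40 * i
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, off)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(buf[raw_ptr:raw_ptr + raw_size]), 2)})
    # Heuristics (assumed thresholds): UPX section names or entropy >= 7.0
    hints = [s["name"] for s in sections
             if s["name"].startswith("UPX") or s["entropy"] >= 7.0]
    return {"arch": MACHINES.get(machine, hex(machine)),
            "linker": f"{link_major}.{link_minor}",
            "sections": sections, "packed_hints": hints}

def build_sample() -> bytes:
    """Constructed input: headers plus two UPX-style sections, not a runnable program."""
    payload = bytes((i * 197 + 31) % 256 for i in range(4096))  # uniform bytes
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB", 0x10B, 14, 29).ljust(224, b"\0")
    sec0 = struct.pack("<8sIIII", b"UPX0", 0x8000, 0x1000, 0, 0).ljust(40, b"\0")
    sec1 = struct.pack("<8sIIII", b"UPX1", 0x1000, 0x9000, 4096, 0x188).ljust(40, b"\0")
    return dos + coff + opt + sec0 + sec1 + payload

if __name__ == "__main__":
    report = triage_pe(build_sample())
    print(report["arch"], report["linker"], report["packed_hints"])
    for s in report["sections"]:
        print(s)
```

A section with zero raw size but a large virtual size, next to a high-entropy section, is the layout UPX typically leaves behind; treat the hints as a prompt to unpack and re-analyze, not as a verdict.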

Android Apps

# -i: Input files to process
# -o: Output directory of results
droidlysis -i example.apk -o /tmp

Zip Files

# -f L: Find PK MAGIC sequence and list (L)
zipdump.py -f L example.zip

Reverse Engineering

ghidra

# Cutter is a reverse engineering software powered by Rizin
cutter example.exe

Capabilities

CAPA

It identifies capabilities in executable files.

capa ./executable

If you find that the executable is packed with a packer such as UPX, unpack it with the same packer tool and re-analyze the file using CAPA. For example, for a UPX-packed executable:

upx -d ./executable
# Delete the cache of capa
del ./executable.viv
capa ./executable

Microsoft OLE Files

# Look for 'M' next to a stream in the oledump output. It indicates that the stream contains macros.
oledump example.doc
# -i: Print extra info
oledump -i example.doc
# -s a: Select item (stream) number for dumping (a for all)
# -v: Decompress VBA expressions
oledump -s a -v example.doc
olefile example.doc
oleid example.doc
olemeta example.doc
oleobj example.doc
oletimes example.doc
olevba example.doc
# --deobf: Deobfuscate VBA expressions.
# --decode: Display all the obfuscated strings with their decoded content.
olevba --deobf --decode example.doc

Shellcode Analysis

scdbg is available for finding shellcode in Windows executables.

scdbg -f shellcode_file.sc
scdbg -f shellcode.sc -fopen bad.doc_ -s -1 -i
scdbg -f shellcode.doc -s -1