We covered the second part of malware static analysis. We went through analyzing strings, hashes and signatures. This was part of the TryHackMe Basic Static Analysis room.

Static Malware Analysis Techniques I Learned

The video covered several common techniques for static analysis:

  1. Analyzing Strings: This is a fundamental technique where I extract readable sequences from a binary. These strings can reveal crucial information like IP addresses, domains, Bitcoin addresses, function calls, imported libraries (DLLs), and file paths. I use the strings command for this. If the malware is packed or obfuscated, making the strings look like gibberish, I can use a tool called floss (from FireEye/Mandiant) to uncover those hidden strings.
  2. Analyzing Hashes: I learned that extracting file hashes (MD5, SHA1, SHA256) is critical. I can then look up these hashes on threat intelligence platforms like MalwareBazaar or VirusTotal to see if the file is known malware or to find related samples. The video also introduced imphash (import hash), which helps find malware families with similar import tables, even if the exact file hash isn’t known. For comparing files and identifying similar malware samples based on a percentage match, I use the ssdeep utility for fuzzy hashing.
  3. Analyzing Signatures/Capabilities: This section showed me how to identify malware based on its characteristics:
    • YARA rules: I can use these to identify malware based on custom textual or binary patterns.
    • VirusTotal: This platform runs the sample against multiple antivirus engines, which compare the file’s signature against their databases.
    • Capa: This is a powerful tool that identifies the capabilities of an executable (e.g., if it creates a process, encrypts data, or makes HTTP requests) by analyzing its functions and code patterns. It can even map these capabilities to MITRE ATT&CK tactics and techniques and identify anti-VM execution techniques.
  4. Leveraging the PE (Portable Executable) Header: Analyzing the PE header is a crucial step for Windows executables. Tools like PE-tree and PEStudio are used for this. PEStudio, in particular, provides a comprehensive view, including:
    • Imported functions and libraries (DLLs).
    • Strings.
    • Indicators of compromise (IOCs).
    • Blacklisted items (functions, libraries, strings) commonly used by malware.
    • Debug symbols.
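The strings step in item 1 is easy to reproduce and extend. The block below is an added example, not code from the TryHackMe room or the video: it implements the same scan the strings command performs (runs of printable ASCII of at least four bytes), adds the UTF-16LE scan that Windows binaries often need, and then tags the results that look like indicators (IPv4 addresses, URLs, DLL names, Windows paths, API names). The SAMPLE bytes, the example.invalid URL, the 10.0.0.5 address and the API watch-list are all constructed for the demonstration.

```python
import re

# Constructed sample "binary" (not a real executable): a stub header, ASCII runs,
# one UTF-16LE run, junk bytes, and a trailing run too short to count as a string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00"
    + b"CreateRemoteThread\x00"
    + b"\x01\x02\x03"
    + "http://example.invalid/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"\x7f\x80\xff"
    + b"10.0.0.5\x00"
    + b"C:\\Users\\Public\\drop.exe\x00"
    + b"ab\x00"
)

MIN_LEN = 4  # same default minimum length as the strings command


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    ASCII runs are what `strings` reports; UTF-16LE runs (printable byte followed by
    NUL) are what `strings -el` reports and are common in Windows executables.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


# Patterns for the kinds of indicators the room lists: IPs, domains/URLs, DLLs, paths.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "dll": re.compile(r"\b[\w-]+\.dll\b", re.IGNORECASE),
    "win_path": re.compile(r"\b[A-Za-z]:\\\S+"),
}

# Constructed watch-list of imported APIs that frequently appear in process-injection
# code. A hit is a lead for the analyst to follow up, not proof that the file is malicious.
API_WATCHLIST = {"createremotethread", "writeprocessmemory", "virtualallocex",
                 "urldownloadtofilea"}


def classify(strings):
    """Group extracted strings by the indicator type they match."""
    hits = {}
    for _offset, _encoding, text in strings:
        tags = [name for name, rx in IOC_PATTERNS.items() if rx.search(text)]
        if text.lower() in API_WATCHLIST:
            tags.append("api")
        for tag in tags:
            hits.setdefault(tag, []).append(text)
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for offset, encoding, text in found:
        print("0x%04x %-7s %s" % (offset, encoding, text))
    for tag, values in classify(found).items():
        print("%-9s %s" % (tag, values))
```

Running the block prints the recovered strings with their offsets and encodings, then the tagged indicators. The UTF-16LE URL is the one a plain ASCII-only scan would miss, which is the same reason the room turns to floss when the output of strings looks empty or like gibberish.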
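Item 2 mentions that imphash finds related samples even when the file hash differs. The block below is an added example, not code from the room or from pefile, that shows why: it computes the ordinary MD5/SHA1/SHA256 of the raw bytes, then builds the import hash the way pefile does (lowercase library name with the .dll/.ocx/.sys extension stripped, joined to the lowercase function name as "lib.func", all entries comma-joined in import-table order, then MD5). The sample byte strings and import tables are constructed; a real tool would read the import table out of the PE header.

```python
import hashlib

# Extensions pefile strips from the library name before hashing.
STRIP_EXTS = {"dll", "ocx", "sys"}


def file_hashes(data):
    """MD5/SHA1/SHA256 of the raw bytes: the values you look up on MalwareBazaar or VirusTotal."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def normalize_imports(imports):
    """Build the string that pefile hashes for imphash.

    imports is a list of (dll_name, function_name_or_None, ordinal_or_None) in
    import-table order; entries become "lib.func" and are joined with commas.
    """
    parts = []
    for dll, func, ordinal in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in STRIP_EXTS:
            lib = base
        if func is None:
            # pefile resolves ordinal-only imports of ws2_32, wsock32 and oleaut32 to
            # their known names; for every other library it uses "ord<N>", which is
            # the only case this example implements.
            func = "ord%d" % ordinal
        parts.append("%s.%s" % (lib, func.lower()))
    return ",".join(parts)


def imphash(imports):
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


# Constructed samples: two builds of one injector share an import table but differ
# in their bytes; a third sample with an unrelated import table does not.
SAMPLE_A_BYTES = b"MZ" + b"\x00" * 62 + b"build-1 payload"
SAMPLE_B_BYTES = b"MZ" + b"\x00" * 62 + b"build-2 payload, repacked"
INJECTOR_IMPORTS = [
    ("KERNEL32.DLL", "VirtualAllocEx", None),
    ("KERNEL32.DLL", "WriteProcessMemory", None),
    ("KERNEL32.DLL", "CreateRemoteThread", None),
    ("MSVBVM60.DLL", None, 100),  # ordinal-only import, no name in the table
]
SAMPLE_C_IMPORTS = [
    ("kernel32.dll", "GetModuleHandleA", None),
    ("user32.dll", "MessageBoxA", None),
]


def compare(a_bytes, a_imports, b_bytes, b_imports):
    """Report whether two samples share a file hash and whether they share an imphash."""
    return {
        "same_sha256": file_hashes(a_bytes)["sha256"] == file_hashes(b_bytes)["sha256"],
        "same_imphash": imphash(a_imports) == imphash(b_imports),
    }


if __name__ == "__main__":
    print("normalized:", normalize_imports(INJECTOR_IMPORTS))
    print("sample A:", file_hashes(SAMPLE_A_BYTES)["sha256"], imphash(INJECTOR_IMPORTS))
    print("sample B:", file_hashes(SAMPLE_B_BYTES)["sha256"], imphash(INJECTOR_IMPORTS))
    print("A vs B:", compare(SAMPLE_A_BYTES, INJECTOR_IMPORTS, SAMPLE_B_BYTES, INJECTOR_IMPORTS))
    print("A vs C:", compare(SAMPLE_A_BYTES, INJECTOR_IMPORTS, SAMPLE_B_BYTES, SAMPLE_C_IMPORTS))
```

Because the hashed string depends only on which functions are imported and in what order, casing in the original table does not matter, while a single added or reordered import changes the value completely. That is why imphash is a pivot for finding family members rather than an exact identifier, and why ssdeep's percentage match is the better tool when the question is how similar two files' contents are.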
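Item 3 describes YARA rules as custom textual or binary patterns plus a condition. The block below is an added example, not real YARA and not code from the room: it implements the two pattern kinds a YARA rule uses (text strings and hex strings with ?? wildcards), records every offset where each one occurs, and evaluates a condition equivalent to "$mz at 0 and 2 of ($api*)". The rule strings and the three sample byte strings are constructed for the demonstration; in practice you would write the real rule and run the yara tool or yara-python against the sample.

```python
import re


def hex_to_regex(hex_string):
    """Compile a YARA-style hex string ("4D 5A ?? 00") into a bytes regex; ?? matches any one byte."""
    pieces = []
    for token in hex_string.split():
        pieces.append(b"." if token == "??" else re.escape(bytes([int(token, 16)])))
    return re.compile(b"".join(pieces), re.DOTALL)


def compile_strings(definitions):
    """definitions maps "$id" to ("text", str) or ("hex", str); returns compiled bytes regexes."""
    compiled = {}
    for ident, (kind, value) in definitions.items():
        if kind == "text":
            compiled[ident] = re.compile(re.escape(value.encode("ascii")))
        elif kind == "hex":
            compiled[ident] = hex_to_regex(value)
        else:
            raise ValueError("unknown string kind %r" % kind)
    return compiled


def scan(data, compiled):
    """Return {ident: [offsets]} for every defined string (an empty list when it is absent)."""
    return {ident: [m.start() for m in rx.finditer(data)] for ident, rx in compiled.items()}


# Constructed rule, written in the spirit of a YARA rule (this is not YARA syntax).
RULE_STRINGS = {
    "$mz":   ("hex", "4D 5A ?? 00"),          # "MZ", any byte, then 0x00
    "$api1": ("text", "WriteProcessMemory"),
    "$api2": ("text", "CreateRemoteThread"),
    "$api3": ("text", "VirtualAllocEx"),
}


def rule_condition(matches):
    # Equivalent YARA condition:  $mz at 0 and 2 of ($api*)
    api_hits = sum(1 for ident in ("$api1", "$api2", "$api3") if matches[ident])
    return 0 in matches["$mz"] and api_hits >= 2


def match_rule(data):
    """True when the constructed rule fires on data."""
    return rule_condition(scan(data, compile_strings(RULE_STRINGS)))


# Constructed samples: one with the header and two of the watched APIs, one with the
# header but a harmless import, and one script that mentions the APIs but is not a PE.
SUSPECT = b"MZ\x90\x00" + b"\x00" * 8 + b"VirtualAllocEx\x00WriteProcessMemory\x00"
BENIGN = b"MZ\x90\x00" + b"\x00" * 8 + b"MessageBoxA\x00"
NOT_PE = b"#!/bin/sh\nWriteProcessMemory CreateRemoteThread\n"

if __name__ == "__main__":
    for name, data in (("SUSPECT", SUSPECT), ("BENIGN", BENIGN), ("NOT_PE", NOT_PE)):
        offsets = scan(data, compile_strings(RULE_STRINGS))
        print(name, "matches" if rule_condition(offsets) else "no match", offsets)
```

The NOT_PE sample shows why the condition matters as much as the patterns: both API names are present, but the rule still does not fire because the "$mz at 0" part anchors it to executables. The same separation (which patterns, and under what combination) is what keeps a real YARA rule from flagging every file that happens to contain a common string.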

Technical Commands I Used in the Terminal

Here are the commands I saw and learned how to use for static analysis:

  • strings <filename>: To extract readable strings from a file.
    • Example: strings one > one_strings.txt (This redirects the output to a file named one_strings.txt).
  • floss --no-static-strings <filename>: To extract obfuscated strings.
    • Example: floss --no-static-strings 2.exe
    • Example: floss --no-static-strings 5.exe
    • Example: floss --no-static-strings 6.exe
  • ssdeep -l -r -d <directory>: To compare files in a directory recursively using fuzzy hashing.
    • Example: ssdeep -l -r -d mail
  • capa <filename>: To analyze the capabilities of an executable.
    • Example: capa malware_sample_4.exe
  • capa -vv <filename> > <output_file>: To run Capa in verbose mode and redirect its output to a file.
    • Example: capa -vv malware_sample_4.exe > results.txt

The video also demonstrated using graphical user interface (GUI) tools like PEStudio and navigating websites such as MalwareBazaar and VirusTotal for threat intelligence.

This video gave me a great foundation in static malware analysis, equipping me with essential techniques and tools to investigate suspicious files safely!

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.