Static Analysis
We use static analysis to gather information about a sample without executing it, before digging any deeper.
Static analysis can be a quick and effective way to understand how the sample may operate, as well as how it can be identified. Some of the information that can be gathered from static analysis is included in the table below:
| Information | Explanation | Example |
| --- | --- | --- |
| Checksums | These checksums are used within cyber security to track and catalogue files and executables. For example, you can Google the checksum to see if it has been identified before. | a93f7e8c4d21b19f2e12f09a5c33e48a |
| Strings | "Strings" are sequences of readable characters within an executable. These could be, for example, IP addresses, URLs, commands, or even passwords! | 138.62.51.186 |
| Imports | "Imports" are the list of libraries and functions that the application depends upon. Rather than building everything from scratch, applications use operating system functions and libraries to interact with the OS. These are useful, especially on Windows, as they let you see how the application interacts with the system. | CreateFileW: this Windows API function is used to create a file on a Windows system. |
| Resources | "Resources" contain data such as the icon that is displayed to the user. This is useful to examine, especially since malware might use a Word document icon to trick the user. Additionally, malware itself has been known to hide in this section! | N/A |
However, it's important to note that regardless of how a sample may appear or seem to function, we don't truly know what it does until it's executed. Attackers use techniques such as obfuscation to obscure how the sample appears, primarily to evade antivirus products but also to evade a curious analyst.
PE Studio
First, we will launch PeStudio and load the executable into it. The shortcut for this has been placed on the Desktop of your analyst machine. You can drag and drop the executable into the PeStudio window, or load it by selecting File -> Open File from the toolbar. PeStudio will display some information about the executable.

For us, at this stage, the file > sha256 property within the table is of interest. This value is a checksum (a cryptographic hash) that uniquely identifies this exact executable; any change to the file produces a different hash. We can keep a note of this SHA256 as threat intelligence.
Next, we will proceed with reviewing the "Strings" of the executable. You can do this by clicking on the "strings" indicator on the left pane of PeStudio.

In the context of malware analysis, strings are sequences of readable characters present within an executable. These could be, for example, IP addresses, URLs, commands, or even passwords! As a malware analyst, it's great to have a look at these, as they could reveal the attacker's command-and-control infrastructure, which we can use for our defences.
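As an added example (not part of the original room and not PeStudio's own code), the following Python script performs the same two triage steps on a constructed byte buffer that stands in for the executable: it computes the SHA256 checksum and carves both ASCII and UTF-16LE strings, then picks out IP addresses and URLs to keep as threat intelligence. The sample bytes and the URL are made up; the IP address is the one from the table above.

```python
import hashlib
import re

# Constructed stand-in for an executable (NOT a real PE): an MZ stub, some
# ASCII strings, one UTF-16LE string, and a few non-printable bytes.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 16
    + b"http://updates.example.invalid/payload.bin\x00"   # made-up URL
    + b"138.62.51.186\x00\x00"                            # IP from the table above
    + "CreateFileW".encode("utf-16-le") + b"\x00\x00"     # wide string, as PE import names are
    + b"\x7f\x01\x02ab\x00"                               # too short to count as a string
)

def sha256_hex(data):
    """The checksum PeStudio shows as file > sha256; keep it as threat intelligence."""
    return hashlib.sha256(data).hexdigest()

def ascii_strings(data, min_len=4):
    """Runs of printable ASCII at least min_len long (what the `strings` tool prints)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def wide_strings(data, min_len=4):
    """UTF-16LE runs; Windows binaries store many strings this way and plain ASCII carving misses them."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def find_indicators(strings):
    """Pull out IPs and URLs worth checking against your own logs and blocklists.
    Version strings such as 1.2.3.4 also match the IPv4 pattern, so review the list by hand."""
    found = {"ipv4": [], "url": []}
    for s in strings:
        found["ipv4"] += [ip for ip in IPV4_RE.findall(s)
                          if all(int(octet) <= 255 for octet in ip.split("."))]
        found["url"] += URL_RE.findall(s)
    return found

def triage(data):
    """Static triage summary: file type check, checksum, strings, indicators."""
    strings = ascii_strings(data) + wide_strings(data)
    return {"is_mz": data[:2] == b"MZ",   # DOS/PE executables start with 'MZ'
            "sha256": sha256_hex(data), "strings": strings,
            "indicators": find_indicators(strings)}
```

Run `triage(open("sample.exe", "rb").read())` on a real file to get the same summary; note that the wide-string carving is what surfaces import names and paths that an ASCII-only pass would miss.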