Static Analysis

Static Analysis Introduction
We use static analysis to gather information about a sample without executing it, and to dig deeper into how it is built.
Static analysis can be a quick and effective way to understand how the sample may operate, as well as how it can be identified. Some of the information that can be gathered from static analysis has been included in the table below:
Checksums
  Explanation: Checksums are used within cyber security to track and catalogue files and executables. For example, you can Google the checksum to see if the file has been identified before.
  Example: a93f7e8c4d21b19f2e12f09a5c33e48a

Strings
  Explanation: "Strings" are sequences of readable characters within an executable. These could be, for example, IP addresses, URLs, commands, or even passwords!
  Example: 138.62.51.186

Imports
  Explanation: "Imports" are the list of libraries and functions that the application depends upon. Rather than building everything from scratch, applications use operating system functions and libraries to interact with the OS. Imports are useful, especially on Windows, as they allow you to see how the application interacts with the system.
  Example: CreateFileW (a Windows API function used to create or open a file on a Windows system)

Resources
  Explanation: "Resources" contain data such as the icon that is displayed to the user. This is useful to examine, especially since malware might use a Word document icon to trick the user. Additionally, malware itself has been known to hide in this section!
  Example: N/A
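The following Python script is an added example (not part of these notes or of any tool listed here) that performs the first three checks from the table on a constructed byte buffer: it computes the checksums an analyst would search for, extracts both ASCII and UTF-16LE ("wide") strings the way a `strings` tool does, and then pulls IP addresses and URLs out of those strings. The SAMPLE buffer, the API name, the path and the IP address inside it are all constructed for the demonstration; the stdlib-only approach is an assumption, since real workflows normally use a PE parser such as pefile for imports and resources.

```python
import hashlib
import re

# Constructed sample (not a real executable): a byte buffer that mimics what an
# analyst sees inside a PE file: an "MZ" DOS stub, padding, an imported API name,
# a UTF-16LE (wide) path, some binary noise and a URL carrying an IP address.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"This program cannot be run in DOS mode.\r\n"
    + b"\x00" * 16
    + b"CreateFileW" + b"\x00" * 4
    + "C:\\Users\\Public\\update.exe".encode("utf-16-le") + b"\x00" * 4
    + b"\x01\x02\x03\xff\xfe"
    + b"http://138.62.51.186/payload.bin\x00"
)

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s'<>\"]+")


def checksums(data: bytes) -> dict:
    """Hashes an analyst pivots on when searching for prior sightings of a file."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII (0x20-0x7e) at least min_len long, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def wide_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs (printable byte followed by NUL). Plain ASCII extraction
    misses these, yet Windows paths, registry keys and wide API arguments live here."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_indicators(data: bytes) -> dict:
    """Pull network indicators out of both string tables, de-duplicated in order."""
    ips, urls = [], []
    for s in ascii_strings(data) + wide_strings(data):
        for ip in IP_RE.findall(s):
            if ip not in ips:
                ips.append(ip)
        for url in URL_RE.findall(s):
            if url not in urls:
                urls.append(url)
    return {"ips": ips, "urls": urls}


if __name__ == "__main__":
    for name, value in checksums(SAMPLE).items():
        print(f"{name}: {value}")
    print("ascii:", ascii_strings(SAMPLE))
    print("wide: ", wide_strings(SAMPLE))
    print("iocs: ", find_indicators(SAMPLE))
```

Note that the wide-string pass is what recovers the `C:\Users\Public\update.exe` path; an ASCII-only pass sees it as alternating single characters and NULs and reports nothing. Because both passes are naive byte scans, a genuine tool also reports fragments of code and table data as "strings", so the indicator extraction step is what makes the output reviewable.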
However, it's important to note that regardless of how a sample may appear or function, we don't truly know until it's executed. Attackers use techniques such as obfuscation to obscure how the sample appears, primarily to evade anti-viruses but also to evade a curious analyst.
Examining the file type
Filenames and Paths
Filepath Analysis
File paths and names are like crime scene clues, revealing attacker behaviour. Attackers may use different disk locations to hide their actions and reduce visibility. For example:
- C:\ (the system drive) can be a common target for persistence mechanisms.
- The C:\Users\Public profile can enable cross-user access to detonated adversary tools.
- C:\Users\Public\Public Downloads provides a high-traffic directory that would often evade strict monitoring.
Additionally, adversaries may utilise other malware staging patterns such as:
- Utilising temporary directories such as C:\Windows\Temp\ for ephemeral payloads.
- Placing payloads in writable system paths, such as C:\ProgramData\, for stealth persistence.
Filename Heuristic Indicators
Attackers are also known to modify filenames to escape detection. Several filename patterns serve as heuristic indicators, including:
- Double extensions - An example of this would be invoice.pdf.exe, which leverages default Windows settings that hide file extensions.
- System binary impersonation - A filename such as scvhost.exe abuses the user's familiarity with core system processes. Defenders should include legitimate locations for system processes in an allowlist, rather than standalone filenames.
- High-entropy strings - A filename such as jh8F21.exe suggests automated packing or polymorphic generation, which is commonly used in high-churn phishing operations.
- Masquerading - Filenames such as backup-2300.exe can blend with routine files, thus leveraging reduced suspicion. Another example is a single-character substitution, which can bypass detection while looking visually legitimate to an unsuspecting employee.
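As an added example (not part of these notes), the script below turns the staging-directory and filename heuristics above into a single path classifier a defender could run over file-creation events. The staging-directory watchlist, the allowlist of genuine system-binary locations and the numeric thresholds are constructed assumptions for the demonstration; the lookalike check uses an edit distance so that a transposition such as scvhost/svchost counts as one edit, and the "high-entropy" check combines Shannon entropy with a character-class transition ratio, because entropy alone rates backup-2300 higher than jh8F21.

```python
import math
import ntpath
from collections import Counter

# Watchlists constructed for this example from the locations and names in the
# notes above; a real deployment would extend them from its own telemetry.
STAGING_DIRS = [r"C:\Users\Public", r"C:\Windows\Temp", r"C:\ProgramData"]

# Genuine locations of core Windows binaries. The allowlist is keyed on
# location, not on the bare filename, as the notes recommend.
SYSTEM_BINARIES = {
    "svchost.exe": [r"C:\Windows\System32", r"C:\Windows\SysWOW64"],
    "lsass.exe": [r"C:\Windows\System32"],
    "csrss.exe": [r"C:\Windows\System32"],
    "explorer.exe": [r"C:\Windows"],
}

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def shannon_entropy(text: str) -> float:
    """Bits per character; log2(6) ~ 2.58 for six distinct characters."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def _char_class(ch: str) -> str:
    if ch.isdigit():
        return "digit"
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    return "other"


def class_transition_ratio(text: str) -> float:
    """Fraction of adjacent character pairs that switch class (lower/upper/digit/other).
    Generated names such as jh8F21 switch constantly; backup-2300 switches twice."""
    if len(text) < 2:
        return 0.0
    classes = [_char_class(c) for c in text]
    switches = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return switches / (len(text) - 1)


def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: the c/v swap in scvhost counts as one edit."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def analyse_path(path: str) -> list:
    """Return the heuristic indicators that fire for one full Windows path."""
    findings = []
    directory, filename = ntpath.split(path)
    directory, name = directory.lower(), filename.lower()

    # Staging directories: match the directory itself or anything beneath it.
    for staging in STAGING_DIRS:
        s = staging.lower()
        if directory == s or directory.startswith(s + "\\"):
            findings.append(f"staging-directory:{staging}")
            break

    # Double extension: a decoy document extension in front of an executable one.
    parts = name.split(".")
    if len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS and "." + parts[-2] in DECOY_EXTS:
        findings.append("double-extension")

    # Exact system-binary name outside its allowlisted location, or a near miss.
    if name in SYSTEM_BINARIES:
        if directory not in (loc.lower() for loc in SYSTEM_BINARIES[name]):
            findings.append(f"system-binary-outside-allowlist:{filename}")
    else:
        for genuine in SYSTEM_BINARIES:
            if edit_distance(name, genuine) <= 2:
                findings.append(f"system-binary-lookalike:{genuine}")

    # Random-looking stem: high entropy AND frequent class switches (thresholds assumed).
    stem = ntpath.splitext(filename)[0]
    if len(stem) >= 6 and shannon_entropy(stem) >= 2.5 and class_transition_ratio(stem) >= 0.5:
        findings.append("high-entropy-name")
    return findings


if __name__ == "__main__":
    for p in [r"C:\Users\Public\Public Downloads\invoice.pdf.exe",
              r"C:\Windows\Temp\scvhost.exe",
              r"C:\ProgramData\jh8F21.exe",
              r"C:\Windows\System32\svchost.exe"]:
        print(p, "->", analyse_path(p))
```

The masquerading case (backup-2300.exe) deliberately produces no finding: as the notes say, such names blend with routine files, so detection there has to come from the location, the hash or the behaviour rather than from the name itself.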
Static Analysis Tools
- Dependency Walker
- PEiD
- PE Explorer
- PEview
- ResourceHacker