Currently, I am really interested in malware behaviour. I think it is essential to learn how malware is evolving if we want to fight this pest...

In this post I am going to talk about some steps to make a Basic Static Analysis of a malware sample. We will also see some techniques malware developers use to hide their malicious activity from anti-virus systems and from the malware analyst.

We could use tools like Dependency Walker, PEview, PEBrowse Professional or PE Header Summary to achieve our goal, but in this post we will use Cuckoo Sandbox.

Cuckoo Sandbox offers more features than the tools mentioned above, such as Behavioral Analysis and Network Analysis...

You have two options: install Cuckoo on your computer or use the free online version at https://malwr.com/. If you choose the second option, I recommend registering on their website because you will get more details about your malware, like traffic captures...

Ok. Let's go. I have submitted the sample to the Cuckoo website. You can see the report here. If someone wants the sample, just let me know... It is called sexe-online.exe.

Remember that in this post I am going to talk only about the Static Analysis. For this, we will go to this section in the report above.

First of all, we can see that this file has been detected by the majority of the anti-virus engines...



Now we need to go to the Static Analysis section. Here we can see that this file has three sections: UPX0, UPX1 and .rsc.



We can check that this file has been compressed with UPX. You can see that the section has no size on disk (RAW DATA = 0x00000000) but it does have a size in memory, where the file uncompresses itself at run time (VIRTUAL ADDRESS = 0x00001000).

Part of the malware's code is packed in order to obfuscate it, which makes it harder to detect and analyze.

If we go to the "Strings" section, we cannot see many readable strings...



If we go back to the Static Analysis section, we can see few Imports because the file is packed. The few imports we can see are typical of packed code, like LoadLibrary and GetProcAddress, which allow a program to access any function in any library on the system.



If the sample is packed, we cannot get valuable information from it, so we will unpack the file to get access to all the imports and be able to analyze its behaviour. We can download the UPX program here to uncompress it.

I usually work with Linux. With the command below you can unpack the file and write the result to a new one.



The executable called sexe-online_uncompress.exe has just been unpacked. We submit it to Cuckoo again and we will see how we get more details about it.

You can see the report of the unpacked sample here.

Now the uncompressed file has the common PE sections:

  • .text: This section should contain the program's code.
  • .rdata: This section contains the import and export information.
  • .data: This section contains the program's global data.
  • .rsrc: This section usually contains the resources needed by the executable, like images, icons...
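The two indicators used above (UPX-named sections and a section with RAW DATA = 0 but a virtual address/size in memory) can be checked directly from the PE section table. The script below is an added example, not part of the original post or of Cuckoo: it builds two constructed PE headers in memory (one mimicking the packed layout, one the unpacked layout) and runs the heuristics over them; the section sizes and offsets are invented values, not those of sexe-online.exe.

```python
import struct

def section_header(name, vsize, vaddr, rawsize, rawptr):
    # IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
    # SizeOfRawData, PointerToRawData, remaining fields zeroed
    return struct.pack("<8sIIIIIIHHI", name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0)

def build_sample(sections):
    """Build a minimal PE header: DOS stub, PE signature, COFF header, no optional header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)  # SizeOfOptionalHeader = 0
    return dos + b"PE\0\0" + coff + b"".join(section_header(*s) for s in sections)

# Constructed inputs (not the real sample): the packed layout mirrors the section
# names and the RAW DATA = 0 / VIRTUAL ADDRESS = 0x1000 observation from the report.
PACKED = build_sample([("UPX0", 0x1B000, 0x1000, 0, 0x400),
                       ("UPX1", 0x7000, 0x1C000, 0x6A00, 0x400),
                       (".rsrc", 0x1000, 0x23000, 0x600, 0x6E00)])
UNPACKED = build_sample([(".text", 0x5000, 0x1000, 0x5000, 0x400),
                         (".rdata", 0x1000, 0x6000, 0x1000, 0x5400),
                         (".data", 0x2000, 0x7000, 0x800, 0x6400),
                         (".rsrc", 0x1000, 0x9000, 0x600, 0x6C00)])

def parse_sections(data):
    """Walk the PE headers and return the section table as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size                              # section table follows the optional header
    out = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, _ = struct.unpack_from("<8sIIII", data, table + i * 40)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                    "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return out

def packing_indicators(sections):
    """Apply the two heuristics from the post: UPX-named sections, and sections that
    occupy memory but have no bytes on disk (the unpacking stub fills them at run time)."""
    upx_named = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    empty_on_disk = [s["name"] for s in sections if s["rawsize"] == 0 and s["vsize"] > 0]
    return {"upx_named": upx_named, "empty_on_disk": empty_on_disk,
            "likely_packed": bool(upx_named or empty_on_disk)}
```

Running `packing_indicators(parse_sections(open(path, "rb").read()))` on a real file gives the same verdict Cuckoo's section table shows at a glance; a renamed UPX section would still be caught by the second heuristic.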


If we go to the static analysis section, we can see that there are now many more imports...


With these imports we can figure out what the malware sample does... Just by clicking on the import name, we will be redirected to the Microsoft Developer Network, where we can find useful information...

You can continue reading about this Basic Static Analysis example in the next post, which will be published in a few days, where we are going to try to figure out what the malware's activity is.


Continue reading here: Static analysis of a packed malware sample with Cuckoo Part2