Static Analysis Techniques
Static analysis provides initial insights without risk of infection:
File Identification and Hashing:
```bash
# Generate multiple hashes
md5sum malware.exe
sha1sum malware.exe
sha256sum malware.exe
# File type identification
file malware.exe
# Check against known malware
# Submit hashes to VirusTotal or similar services
```
String Extraction:
```bash
# Extract ASCII strings (at least 8 printable characters)
strings -n 8 malware.exe > strings.txt
# Extract Unicode strings (-el = 16-bit little-endian, i.e. UTF-16LE as used by Windows)
strings -n 8 -el malware.exe >> strings.txt
# Look for interesting patterns (dots escaped so ".com"/".exe" match literally)
grep -E "(http|ftp|www|\.com|\.exe|cmd|powershell)" strings.txt
```
PE Header Analysis: Understanding the Portable Executable structure reveals valuable information:
- Import Address Table (IAT)
- Export functions
- Compilation timestamp
- Section characteristics
- Entry point
- Resource data
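The following is an added example, not code from the original page: a minimal PE header walker written with `struct` only (no `pefile`), run against a constructed header-only image. It pulls out the compilation timestamp, entry point and section table, then applies two triage checks the list above points at: sections mapped writable and executable, and whether the entry point lives in `.text`. The sample bytes, section names and field values are constructed for the demo.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_pe(data: bytes) -> dict:
    """Pull timestamp, entry point and section table out of raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                        # IMAGE_OPTIONAL_HEADER
    entry = struct.unpack_from("<I", data, opt + 16)[0]    # AddressOfEntryPoint
    sections, off = [], opt + opt_size                     # section table follows the optional header
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize, "flags": flags})
        off += 40                                          # IMAGE_SECTION_HEADER size
    return {"machine": machine, "entry_point": entry, "sections": sections,
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()}

def suspicious_sections(info: dict) -> list:
    """Sections mapped writable AND executable: typical of packers and self-modifying code."""
    wx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
    return [s["name"] for s in info["sections"] if s["flags"] & wx == wx]

def entry_section(info: dict):
    """Name of the section holding the entry point (expected .text; anything else is a red flag)."""
    ep = info["entry_point"]
    for s in info["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image: headers only, .text plus one RWX section."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1600000000, 0, 0, 0xE0, 0x102)  # i386, 2 sections
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0x200, 0, 0, 0x1000).ljust(0xE0, b"\0")
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    packed = struct.pack("<8sIIIIIIHHI", b".packed", 0x3000, 0x2000, 0x1000, 0x600, 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + opt + text + packed

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["timestamp"], hex(info["entry_point"]), entry_section(info), suspicious_sections(info))
```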
Disassembly Basics:
```asm
; Common malware patterns (x86 stdcall: arguments are pushed right to left)
; pi, si, hKey, cbData and the sz* strings are data labels defined elsewhere in the binary

; Process injection setup: launch the target suspended so the injector
; can write into it before its first instruction runs
push offset pi                ; lpProcessInformation
push offset si                ; lpStartupInfo
push 0                        ; lpCurrentDirectory
push 0                        ; lpEnvironment
push CREATE_SUSPENDED         ; dwCreationFlags
push 0                        ; bInheritHandles
push 0                        ; lpThreadAttributes
push 0                        ; lpProcessAttributes
push offset targetProcess     ; lpCommandLine
push 0                        ; lpApplicationName
call CreateProcessA

; Registry persistence: create/open the HKCU Run key, then write a value into it
; (REG_SZ is a value type, so it belongs to RegSetValueExA, not RegCreateKeyExA)
push 0                        ; lpdwDisposition
push offset hKey              ; phkResult
push 0                        ; lpSecurityAttributes
push KEY_WRITE                ; samDesired
push 0                        ; dwOptions (REG_OPTION_NON_VOLATILE)
push 0                        ; lpClass
push 0                        ; Reserved
push offset szRunKey          ; "Software\Microsoft\Windows\CurrentVersion\Run"
push HKEY_CURRENT_USER        ; hKey
call RegCreateKeyExA

push cbData                   ; cbData (length of lpData including the terminator)
push offset szPayloadPath     ; lpData
push REG_SZ                   ; dwType
push 0                        ; Reserved
push offset szValueName       ; lpValueName
push hKey                     ; hKey returned by RegCreateKeyExA above
call RegSetValueExA
```