# Static Analysis On Linux

Static analysis involves examining malware without executing it. It helps identify malware properties, such as file type, strings, hashes, embedded elements, and packer information, serving as a foundation for deeper analysis.

#### Key Static Analysis Components

* **File Type**: Identifying actual file types prevents reliance on potentially misleading file extensions.
* **File Hashes**: Unique identifiers for tracking malware samples.
* **Strings**: Extracted ASCII and Unicode strings provide insights into potential malware functionality.
* **Embedded Elements**: Identifiable elements (like domains or file paths).
* **Packer Information**: Detects if malware is packed or compressed, which may obscure analysis.
* **Imports/Exports**: Identifies imported and exported functions.
* **Assembly Code**: Provides low-level insights.

#### File Type Identification

To identify the actual file type:

```
file /path/to/malware.exe
```

Example result:

```
PE32 executable (GUI) Intel 80386, for MS Windows
```

Alternatively, inspect the file header:

```
hexdump -C /path/to/malware.exe | more
```

Look for the **"MZ"** (4D 5A) magic number to confirm it's a Windows executable.

### Malware Fingerprinting

#### File Hashes

Generate MD5 or SHA256 hashes to uniquely identify malware samples:

```
md5sum /path/to/malware.exe
sha256sum /path/to/malware.exe
```

Use these hashes to cross-reference with online databases like VirusTotal.

#### Import Hash (IMPHASH)

IMPHASH identifies similar malware by hashing imports in alphabetical order. Example Python code:

```
import sys
import pefile

if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <pe-file>")

pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
# pefile computes the hash over the import table, so samples with the
# same set of imported DLLs/functions share the same value
imphash = pe.get_imphash()
print(imphash)
```

Run the script:

```
python3 imphash_calc.py /path/to/malware.exe
```

#### Fuzzy Hashing (SSDEEP)

Calculate SSDEEP for similarity matching:

```
ssdeep /path/to/malware.exe
```

#### Section Hashing (Hashing PE Sections)

Hashing individual PE sections helps detect small changes in malware. Example Python code:

```
import sys
import pefile

if len(sys.argv) != 2:
    sys.exit(f"usage: {sys.argv[0]} <pe-file>")

pe = pefile.PE(sys.argv[1])
for section in pe.sections:
    # Name is an 8-byte, NUL-padded field; strip the padding before printing
    name = section.Name.rstrip(b"\x00").decode("ascii", errors="replace")
    print(name, "MD5 hash:", section.get_hash_md5())
    print(name, "SHA256 hash:", section.get_hash_sha256())
```

Run the script:

```
python3 section_hashing.py /path/to/malware.exe
```

#### String Analysis

Strings can reveal filenames, IP addresses, registry paths, API function names, and similar artifacts. Extract printable strings of at least 15 characters (the `-n` argument sets the minimum length):

```
strings -n 15 /path/to/malware.exe
```

To analyze obfuscated strings, use FLOSS:

```
floss /path/to/malware.exe
```

#### Unpacking UPX-Packed Malware

Packed malware obfuscates or compresses code. Detect UPX-packed malware by looking for **UPX** in the `strings` output.

Unpack with UPX:

```
upx -d -o /path/to/unpacked_malware.exe /path/to/malware.exe
```

After unpacking, rerun `strings` to see unobfuscated data:

```
strings /path/to/unpacked_malware.exe
```
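The MZ/PE magic check, the per-section hashing and the UPX section-name check described above, combined into one stdlib-only script as an added example (not part of the original page, and independent of `pefile`). The toy PE blob it builds is constructed for offline testing and is not a real file; the 40-byte section header and COFF header offsets follow the PE specification.

```python
import hashlib
import struct

def parse_pe_sections(data: bytes):
    """Walk the PE headers and return [(name, md5, sha256)] per section.

    Raises ValueError when the MZ or PE magic is missing, which is the
    same check the hexdump step performs by eye."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic: not a Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # first section header
    out = []
    for i in range(num_sections):
        off = table + 40 * i                                # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        body = data[raw_ptr:raw_ptr + raw_size]
        out.append((name, hashlib.md5(body).hexdigest(), hashlib.sha256(body).hexdigest()))
    return out

def looks_upx_packed(data: bytes, sections) -> bool:
    """UPX leaves UPX0/UPX1 section names and a 'UPX!' marker in the raw bytes."""
    return any(n.startswith("UPX") for n, _, _ in sections) or b"UPX!" in data

def build_sample() -> bytes:
    """Constructed toy PE for offline testing (not a real or malicious file)."""
    text = b"\x55\x89\xe5" * 8                        # stand-in for section 0 bytes
    payload = b"UPX! packed payload\0"                 # stand-in for section 1 bytes
    e_lfanew = 64
    raw0 = e_lfanew + 4 + 20 + 40 * 2                  # optional header size is 0 here
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0x1000, size, ptr, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + sec(b"UPX0", len(text), raw0) + sec(b"UPX1", len(payload), raw0 + len(text))
    return headers + text + payload

if __name__ == "__main__":
    blob = build_sample()
    sections = parse_pe_sections(blob)
    for name, md5, sha in sections:
        print(f"{name:8s} MD5 {md5}  SHA256 {sha}")
    print("UPX packed:", looks_upx_packed(blob, sections))
```

Replace `build_sample()` with `open(path, "rb").read()` to run the same checks on a real sample.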
