# Static Analysis On Linux

Static analysis examines a sample without executing it. It establishes the basic properties of the file, such as its true file type, hashes, strings, embedded indicators and packer information, and it is the foundation for the later dynamic and code analysis.

#### Key Static Analysis Components

* **File Type**: Identifying actual file types prevents reliance on potentially misleading file extensions.
* **File Hashes**: Unique identifiers for tracking malware samples.
* **Strings**: Extracted ASCII and Unicode strings provide insights into potential malware functionality.
* **Embedded Elements**: Identifiable elements (like domains or file paths).
* **Packer Information**: Detects if malware is packed or compressed, which may obscure analysis.
* **Imports/Exports**: The functions a sample imports (and, for DLLs, exports) show which OS APIs it relies on, e.g. networking, process injection or registry persistence.
* **Assembly Code**: Disassembly shows the actual instructions, for behaviour that strings and imports only hint at.

#### File Type Identification

To identify the actual file type:

```
file /path/to/malware.exe
```

Example result:

```
PE32 executable (GUI) Intel 80386, for MS Windows
```

Alternatively, inspect the file header:

```
hexdump -C /path/to/malware.exe | more
```

The first two bytes of any DOS or Windows executable are **"MZ"** (4D 5A). That alone only proves a DOS header is present: a PE file additionally carries the **"PE\0\0"** (50 45 00 00) signature at the file offset stored in the 4-byte `e_lfanew` field at offset 0x3C, and that is what `file` checks before printing `PE32`.

#### Malware Fingerprinting

Fingerprinting produces identifiers that let you recognise a sample again and find related samples: exact hashes for identity, and import, fuzzy and section hashes for similarity.

#### File Hashes

Generate MD5 and SHA256 hashes to uniquely identify malware samples. MD5 is still widely used for lookups but is collision-prone, so record SHA256 as the canonical identifier:

```
md5sum /path/to/malware.exe
sha256sum /path/to/malware.exe
```

Use these hashes to cross-reference with online databases like VirusTotal. Searching by hash discloses nothing but the hash; uploading the file itself shares the sample with the vendor community, which matters in a targeted intrusion where the attacker may be watching for it.

#### Import Hash (IMPHASH)

IMPHASH (import hash) identifies related samples by hashing the import table: each imported function is written as `dll.function` (lower-cased, with the `.dll`/`.ocx`/`.sys` extension dropped), the entries are joined with commas in the order they appear in the import table, and the result is MD5-hashed. Because the compiler and linker emit imports in a stable order for a given source tree, builds from the same code base usually share an imphash even when their file hashes differ. Example Python code using pefile:

```
import sys
import pefile

# Usage: python3 imphash_calc.py <pe-file>
pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
imphash = pe.get_imphash()  # empty string if the file has no import table
print(imphash)
```

Run the script:

```
python3 imphash_calc.py /path/to/malware.exe
```

#### Fuzzy Hashing (SSDEEP)

SSDEEP is a context-triggered piecewise hash: two files whose SSDEEP hashes compare with a high score share long byte runs even when their SHA256 values differ, which makes it useful for clustering variants. Calculate it with:

```
ssdeep /path/to/malware.exe
```

#### Section Hashing (Hashing PE Sections)

Hashing individual PE sections helps detect small changes in malware: a variant that only patches its configuration usually changes the hash of `.data` or `.rdata` while `.text` stays identical, so section hashes let you match code across samples whose file hashes differ. Example Python code:

```
import sys
import pefile

# Usage: python3 section_hashing.py <pe-file>
pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
for section in pe.sections:
    # Section names are 8 NUL-padded bytes; strip the padding for display.
    name = section.Name.rstrip(b"\x00").decode(errors="replace")
    print(name, "MD5 hash:", section.get_hash_md5())
    print(name, "SHA256 hash:", section.get_hash_sha256())
```

Run the script:

```
python3 section_hashing.py /path/to/malware.exe
```
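The following is an added example, not the page's script and not pefile, that ties the file-type check from above (MZ header, `e_lfanew`, `PE\0\0` signature) to the section hashing described here using only the Python standard library. It walks the DOS, COFF and section headers, hashes each section's raw bytes (the same bytes pefile's `get_hash_*` digest), and also reports per-section Shannon entropy, which is the usual first hint of packing. The sample PE it builds is constructed for the demonstration (headers plus sections, no code that runs) and the machine/format tables cover only common values.

```python
import hashlib
import math
import struct

# IMAGE_FILE_HEADER.Machine values (subset) and optional-header magic values.
MACHINE = {0x14C: "Intel 80386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
FORMAT = {0x10B: "PE32", 0x20B: "PE32+"}
IMAGE_FILE_DLL = 0x2000


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8.0 indicate compressed/encrypted data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk the DOS, PE and section headers and hash each section's raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/Windows executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header but no PE signature (DOS program or corrupt file)")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    magic = struct.unpack_from("<H", data, coff + 20)[0]
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        raw = data[rptr:rptr + rsize]  # SizeOfRawData bytes starting at PointerToRawData
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "raw_size": rsize,
            "virtual_size": vsize,
            "entropy": round(entropy(raw), 2),
            "md5": hashlib.md5(raw).hexdigest(),
            "sha256": hashlib.sha256(raw).hexdigest(),
        })
    return {
        "format": FORMAT.get(magic, hex(magic)),
        "machine": MACHINE.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": sections,
    }


def describe(data: bytes) -> str:
    """One-line verdict in the spirit of `file`; never raises on junk or truncated input."""
    try:
        pe = parse_pe(data)
    except (ValueError, struct.error) as exc:
        return f"not a PE file ({exc})"
    kind = "DLL" if pe["is_dll"] else "executable"
    return f"{pe['format']} {kind} {pe['machine']}, {len(pe['sections'])} sections"


def build_sample_pe(sections) -> bytes:
    """Constructed PE32 image for demonstration only: valid headers, no runnable code."""
    opt_size = 224   # size of a PE32 optional header
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # magic 0x10B = PE32
    sec_hdrs, body, raw_ptr, va = b"", b"", file_align, 0x1000
    for name, content in sections:
        rsize = -(-len(content) // file_align) * file_align  # round up to FileAlignment
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, len(content), va, rsize, raw_ptr,
                                0, 0, 0, 0, 0x60000020)
        body += content.ljust(rsize, b"\0")
        raw_ptr += rsize
        va += 0x1000
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(file_align, b"\0") + body


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(
        [(b".text", b"\x55\x8b\xec\x33\xc0\x5d\xc3"), (b".data", b"constructed sample\0")])
    print(describe(data))
    for s in parse_pe(data)["sections"]:
        print(f"{s['name']:8} raw={s['raw_size']:#x} entropy={s['entropy']:.2f} md5={s['md5']}")
```

Run it with a path to compare its section hashes against the pefile script; without arguments it analyses the constructed sample. A one-byte patch in `.text` changes that section's hashes and leaves `.data` untouched, and a section whose entropy is close to 8.0 (typical of `UPX1`) is a packed section whose hashes are worthless for matching until the sample is unpacked.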

#### String Analysis

Strings help reveal filenames, IP addresses, URLs, registry paths, imported API names, mutex names and sometimes the packer or compiler used. By default `strings` reports only single-byte strings; run it again with `-e l` to catch UTF-16LE strings, which Windows malware commonly uses for paths, registry keys and URLs. The `-n` option sets the minimum length (default 4); raising it cuts noise at the cost of short indicators. Extract strings:

```
strings -n 15 /path/to/malware.exe
```

Strings that are built at run time (stack strings, XOR-decoded strings) never appear in `strings` output. FLOSS (FLARE Obfuscated String Solver) recovers them by emulating the sample's decoding routines and also reports the plain static strings:

```
floss /path/to/malware.exe
```

#### Unpacking UPX-Packed Malware

Packed malware compresses or encrypts its real code and unpacks it in memory at run time, so the strings and imports of the packed file say little about what it does. A UPX-packed sample typically shows sections named `UPX0`/`UPX1` and the **UPX!** marker in the `strings` output, and its packed section has entropy close to 8 bits per byte, which is the generic sign of packing regardless of the packer.

Unpack with UPX:

```
upx -d -o /path/to/unpacked_malware.exe /path/to/malware.exe
```

If `upx` reports that it cannot unpack the file, the UPX header has usually been altered to break the stock unpacker and the sample has to be unpacked dynamically instead. After a successful unpack, rerun `strings` to see the real data:

```
strings /path/to/unpacked_malware.exe
```

