Static Analysis On Linux

Static analysis involves examining malware without executing it. It helps identify malware properties, such as file type, strings, hashes, embedded elements, and packer information, serving as a foundation for deeper analysis.

Key Static Analysis Components

  • File Type: Identifying actual file types prevents reliance on potentially misleading file extensions.

  • File Hashes: Unique identifiers for tracking malware samples.

  • Strings: Extracted ASCII and Unicode strings provide insights into potential malware functionality.

  • Embedded Elements: Artifacts recoverable from the binary, such as domains or file paths.

  • Packer Information: Whether the sample is packed or compressed, which hides its real content until it is unpacked.

  • Imports/Exports: The library functions the binary imports and the functions it exports.

  • Assembly Code: Disassembly gives a low-level view of the program's actual logic.

File Type Identification

To identify the actual file type:

file /path/to/malware.exe

Example result:

PE32 executable (GUI) Intel 80386, for MS Windows

Alternatively, inspect the file header:

hexdump -C /path/to/malware.exe | more

Look for the "MZ" (4D 5A) magic number at the very start of the dump to confirm it is a Windows executable.

Malware Fingerprinting

File Hashes

Generate MD5 or SHA256 hashes to uniquely identify malware samples:

md5sum /path/to/malware.exe
sha256sum /path/to/malware.exe

Use these hashes to cross-reference with online databases like VirusTotal.

Import Hash (IMPHASH)

IMPHASH identifies similar malware by hashing imports in alphabetical order. Example Python code:

import sys
import pefile  # third-party library: pip install pefile

# Usage: python3 imphash_calc.py /path/to/malware.exe
if len(sys.argv) != 2:
    sys.exit("usage: imphash_calc.py <pe-file>")
pe_file = sys.argv[1]
pe = pefile.PE(pe_file)
# Hash over the import table ("dll.function" entries), used to cluster related samples
imphash = pe.get_imphash()
print(imphash)

Run the script:

python3 imphash_calc.py /path/to/malware.exe

Fuzzy Hashing (SSDEEP)

Calculate SSDEEP for similarity matching:

ssdeep /path/to/malware.exe

Section Hashing (Hashing PE Sections)

Hashing individual PE sections helps detect small changes in malware. Example Python code:

import sys
import pefile  # third-party library: pip install pefile

# Usage: python3 section_hashing.py /path/to/malware.exe
if len(sys.argv) != 2:
    sys.exit("usage: section_hashing.py <pe-file>")
pe = pefile.PE(sys.argv[1])
for section in pe.sections:
    # Section names are NUL-padded 8-byte fields; strip the padding for readable output
    name = section.Name.decode(errors="replace").rstrip("\x00")
    print(name, "MD5 hash:", section.get_hash_md5())
    print(name, "SHA256 hash:", section.get_hash_sha256())

Run the script:

python3 section_hashing.py /path/to/malware.exe

String Analysis

Strings can reveal filenames, IP addresses, registry paths, API function names and similar artifacts. Extract printable strings of at least 15 characters:

strings -n 15 /path/to/malware.exe

To recover obfuscated strings that plain strings cannot see, use FLOSS:

floss /path/to/malware.exe

Unpacking UPX-Packed Malware

Packed malware has its code compressed or obfuscated, which hides strings and imports until it is unpacked. Detect UPX-packed malware by looking for the string UPX in the strings output.
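The following stdlib-only Python script is an added example, not code from the original page: it combines the magic-byte file type check, the MD5/SHA256 hashing, the string extraction and the UPX detection described above into one triage pass, and it also pulls out UTF-16LE strings, which plain strings misses. The SAMPLE bytes, the UPX_MARKERS list and the URL in the sample are constructed for the demonstration; pass a file path to run it on a real sample.

```python
import hashlib
import re
import sys

# Constructed stand-in for a UPX-packed Windows binary (not a real PE): "MZ" magic,
# UPX-style section names, one ASCII string and one UTF-16LE string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\x00\x00"
    + "http://example.invalid/update".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03UPX!" + b"\xff" * 8
)
UPX_MARKERS = ("UPX0", "UPX1", "UPX2", "UPX!")  # section names and tag UPX leaves behind


def identify_type(data: bytes) -> str:
    """Classify by leading magic bytes, as `file` does, instead of trusting the extension."""
    if data[:2] == b"MZ":
        return "MZ/PE executable (Windows)"
    if data[:4] == b"\x7fELF":
        return "ELF executable (Linux)"
    return "unknown"


def file_hashes(data: bytes) -> dict:
    """The digests md5sum and sha256sum print, for cross-referencing with VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII runs (what `strings -n N` prints) plus UTF-16LE runs (`strings -e l`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # char, NUL, char, NUL ...
    return ([m.decode("ascii") for m in ascii_re.findall(data)]
            + [m.decode("utf-16-le") for m in wide_re.findall(data)])


def triage(data: bytes, min_len: int = 4) -> dict:
    """One-pass static triage report; a UPX hit means the strings are mostly compressed junk."""
    found = extract_strings(data, min_len)
    upx = sorted({s for s in found if any(m in s for m in UPX_MARKERS)})
    return {"type": identify_type(data), **file_hashes(data),
            "strings": found, "upx": upx, "packed_suspected": bool(upx)}


if __name__ == "__main__":
    # Pass a file path to triage a real sample; with no argument the constructed blob is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```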

Unpack with UPX:

upx -d -o /path/to/unpacked_malware.exe /path/to/malware.exe

After unpacking, rerun strings to see unobfuscated data:

strings /path/to/unpacked_malware.exe
