Static Analysis On Windows
Static analysis on Windows covers the same tasks as on Linux but uses Windows-specific tools to identify file properties, hashes, strings, and packing details. This guide covers the essential commands and tools for Windows-based static malware analysis.
Key Static Analysis Components on Windows
File Type Identification: Use tools to verify executable types (e.g., PE files).
File Hashing: Generate unique file hashes (MD5, SHA256) for malware tracking.
Import Hashing (IMPHASH): A hash based on imported functions to identify similar samples.
Fuzzy Hashing (SSDEEP): Content similarity hashing for slight variations.
Section Hashing: Hashing individual PE sections to detect changes.
String Analysis: Extract embedded text strings, which often reveal useful indicators.
Unpacking Packed Malware: Remove obfuscation to reveal underlying code.
File Type Identification
Use CFF Explorer (located at C:\Tools\Explorer Suite) to check the file type and confirm it as a Windows executable by looking for the ASCII string "MZ" in the file header.
Malware Fingerprinting
File Hashing with PowerShell
Generate MD5 or SHA256 hashes for identifying malware samples:
Get-FileHash -Algorithm MD5 C:\Samples\MalwareAnalysis\malware.exe
Get-FileHash -Algorithm SHA256 C:\Samples\MalwareAnalysis\malware.exe
Import Hash (IMPHASH) Calculation
IMPHASH is computed from a sample's import table, so samples with identical imports share the same value, which helps group related samples. It can be calculated with the pefile module in Python:
import sys
import pefile

# Usage: python imphash_calc.py <path-to-pe-file>
if len(sys.argv) != 2:
    sys.exit("usage: imphash_calc.py <pe_file>")
pe = pefile.PE(sys.argv[1])
# get_imphash() hashes the ordered list of imported DLL and function names
print(pe.get_imphash())
Run the script:
python imphash_calc.py C:\Samples\MalwareAnalysis\malware.exe
Fuzzy Hashing (SSDEEP)
Use SSDEEP for similarity matching of malware variations:
C:\Tools\ssdeep-2.14.1\ssdeep.exe C:\Samples\MalwareAnalysis\malware.exe
Section Hashing with Python
Section hashing is useful for identifying modified sections in similar malware samples. Example code using pefile:
import sys
import pefile

pe = pefile.PE(sys.argv[1])
# Hash the raw bytes of every section; comparing these across samples shows which sections were modified
for section in pe.sections:
    name = section.Name.rstrip(b"\x00").decode(errors="replace")  # Name is null-padded bytes
    print(name, "MD5 hash:", section.get_hash_md5())
    print(name, "SHA256 hash:", section.get_hash_sha256())
Tools such as pestudio (located at C:\Tools\pestudio\pestudio) can also be used for section hashing.
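As an added example that is not part of this page, the same section hashing done directly on the PE layout (DOS header, e_lfanew, COFF header, section table) with only the standard library, plus a comparison that names the sections that differ between two samples; build_pe, section_hashes, changed_sections and the two sample images are constructed for this demo and contain no real malware.

```python
import hashlib
import struct

def build_pe(sections):
    """Constructed minimal PE from [(name, raw_bytes)]; only fields the parser reads are set."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)  # no optional header
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)  # raw data starts right after the section table
    table, raw = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             len(data), 0, len(data), raw_ptr, 0, 0, 0, 0, 0)
        raw += data
        raw_ptr += len(data)
    return dos + b"PE\x00\x00" + coff + table + raw

def section_hashes(data):
    """Return {section_name: (md5, sha256)} computed over each section's raw bytes."""
    if data[:2] != b"MZ":  # the "MZ" DOS-header check described above
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section table follows the optional header
    hashes = {}
    for i in range(n_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        hashes[name.rstrip(b"\x00").decode("ascii", "replace")] = (
            hashlib.md5(raw).hexdigest(), hashlib.sha256(raw).hexdigest())
    return hashes

def changed_sections(a, b):
    """Names of sections whose hashes differ between two samples (or exist in only one)."""
    ha, hb = section_hashes(a), section_hashes(b)
    return sorted(n for n in set(ha) | set(hb) if ha.get(n) != hb.get(n))

# Two constructed "variants": identical .text, a one-byte change in .data.
SAMPLE_A = build_pe([(".text", b"\x55\x8b\xec\xc3" * 8), (".data", b"config=1\x00")])
SAMPLE_B = build_pe([(".text", b"\x55\x8b\xec\xc3" * 8), (".data", b"config=2\x00")])

if __name__ == "__main__":
    for name, (md5, sha256) in section_hashes(SAMPLE_A).items():
        print(name, "MD5:", md5, "SHA256:", sha256)
    print("changed:", changed_sections(SAMPLE_A, SAMPLE_B))  # changed: ['.data']
```

Replace the constructed images with the bytes of two real samples and the changed-section list tells you where a variant was modified without opening each file in pestudio.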
String Analysis
Extracting strings provides insights into the malware’s behavior, such as IPs, file paths, or API calls. Use Strings from Sysinternals:
C:\Sysinternals\strings.exe C:\Samples\MalwareAnalysis\malware.exe
Alternatively, use FLOSS, which also recovers obfuscated strings:
C:\FLOSS\floss.exe C:\Samples\MalwareAnalysis\malware.exe
Unpacking UPX-Packed Malware
UPX packing compresses the executable and hides its original code and strings. Identify packed files by looking for "UPX" in the strings output, then unpack with UPX:
C:\Tools\upx\upx-4.0.2-win64\upx.exe -d -o unpacked_malware.exe C:\Samples\MalwareAnalysis\packed\malware.exe
After unpacking, rerun strings to examine the revealed contents:
C:\Sysinternals\strings.exe unpacked_malware.exe