Static Analysis On Linux
Static analysis involves examining malware without executing it. It helps identify malware properties, such as file type, strings, hashes, embedded elements, and packer information, serving as a foundation for deeper analysis.
Key Static Analysis Components
File Type: Identifying actual file types prevents reliance on potentially misleading file extensions.
File Hashes: Unique identifiers for tracking malware samples.
Strings: Extracted ASCII and Unicode strings provide insights into potential malware functionality.
Embedded Elements: Identifiable artifacts embedded in the file (such as domains or file paths).
Packer Information: Detects if malware is packed or compressed, which may obscure analysis.
Imports/Exports: Identifies imported and exported functions.
Assembly Code: Provides low-level insights.
File Type Identification
To identify the actual file type:
file /path/to/malware.exe
Example result:
PE32 executable (GUI) Intel 80386, for MS Windows
Alternatively, inspect the file header:
hexdump -C /path/to/malware.exe | more
Look for the "MZ" (4D 5A) magic number in the first two bytes of the dump to confirm it is a Windows executable.
Malware Fingerprinting
File Hashes
Generate MD5 or SHA256 hashes to uniquely identify malware samples:
Use these hashes to cross-reference with online databases like VirusTotal.
Import Hash (IMPHASH)
IMPHASH identifies similar malware by hashing imports in alphabetical order. Example Python code:
Run the script:
Fuzzy Hashing (SSDEEP)
Calculate SSDEEP for similarity matching:
Section Hashing (Hashing PE Sections)
Hashing individual PE sections helps detect small changes in malware. Example Python code:
Run the script:
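The checks above (MZ/PE magic, whole-file hashes, per-section hashes) can be done together with a small pure-Python PE reader. The following is an added example, not the page's own script: it parses only the DOS header, COFF header and section table, which is enough to hash each section, and builds a constructed minimal PE image (build_sample_pe) so it can run offline; the names is_pe, file_hashes, parse_sections and section_hashes are this example's own.

```python
"""Minimal PE triage in pure Python: magic check, file hashes, section hashes.

Added example, not code from the original page. Parses only the DOS header,
COFF header and section table (enough to hash each section); a library such
as pefile does the same job more completely. build_sample_pe() constructs a
tiny non-executable PE image so the script runs offline.
"""
import hashlib
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"         # bytes 4D 5A at offset 0
IMAGE_NT_SIGNATURE = b"PE\x00\x00"  # at the offset stored in e_lfanew (0x3C)


def is_pe(data: bytes) -> bool:
    """Check the MZ and PE magic instead of trusting the file extension."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == IMAGE_NT_SIGNATURE


def file_hashes(data: bytes) -> dict:
    """Whole-file hashes, the values you would look up on VirusTotal."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_sections(data: bytes) -> list:
    """Return [(name, raw_offset, raw_size)] from the section table."""
    if not is_pe(data):
        raise ValueError("not a PE file: MZ/PE magic missing")
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4      # COFF header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                             # section table start
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes; only the first 24 are needed here.
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\x00").decode("ascii", "replace"),
                         raw_ptr, raw_size))
    return sections


def section_hashes(data: bytes) -> dict:
    """Hash each section's raw bytes; a changed section shows up as a changed hash."""
    result = {}
    for name, raw_ptr, raw_size in parse_sections(data):
        chunk = data[raw_ptr:raw_ptr + raw_size]
        result[name] = {"size": len(chunk),
                        "md5": hashlib.md5(chunk).hexdigest(),
                        "sha256": hashlib.sha256(chunk).hexdigest()}
    return result


def build_sample_pe(sections: dict) -> bytes:
    """Constructed sample: a minimal PE with the given {name: bytes} sections.

    It has no optional header and no code, so it is only useful as parser input.
    """
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, opt size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    first_raw = e_lfanew + 4 + 20 + 40 * len(sections)
    table, body = b"", b""
    for name, content in sections.items():
        table += struct.pack("<8sIIII", name.ljust(8, b"\x00"), len(content),
                             0x1000, len(content), first_raw + len(body))
        table += b"\x00" * 16   # relocations, line numbers, characteristics
        body += content
    return dos + IMAGE_NT_SIGNATURE + coff + table + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe({b".text": b"\x90" * 32, b".data": b"hello"})
    print("PE:", is_pe(blob))
    print("file:", file_hashes(blob))
    for sec, h in section_hashes(blob).items():
        print(f"{sec:<8} {h['size']:>6} {h['md5']}")
```

Run it with a sample path as the first argument, or without arguments to hash the constructed image. Comparing section hashes across two samples shows which sections changed, which a whole-file hash cannot tell you.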
String Analysis
Strings help reveal filenames, IPs, registry paths, API functions, etc. Extract strings:
To analyze obfuscated strings, use FLOSS:
Unpacking UPX-Packed Malware
Packed malware obfuscates or compresses code. Detect UPX-packed malware by looking for UPX in the strings output.
Unpack with UPX:
After unpacking, rerun strings to see unobfuscated data:
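The string extraction in the String Analysis section and the UPX marker check described above can be reproduced in a few lines of Python. This is an added example, not the page's own code: it mirrors what strings prints for ASCII and what strings -e l prints for UTF-16LE (the Unicode form Windows binaries use), sorts the hits into the categories the page lists, and flags a sample when "UPX" appears in its strings. SAMPLE is a constructed byte string, and the names ascii_strings, wide_strings, classify and looks_upx_packed are this example's own.

```python
"""ASCII and UTF-16LE string extraction with a UPX marker check.

Added example, not from the original page. Equivalent to running both
`strings` (ASCII) and `strings -e l` (UTF-16LE) on a sample.
"""
import re
from typing import Dict, List

MIN_LEN = 4  # same default minimum length as the strings tool

# Constructed sample: NUL-separated narrow strings, one wide (UTF-16LE) path,
# and a UPX section name, as they would sit inside a packed Windows binary.
SAMPLE = (
    b"\x00" * 8
    + b"kernel32.dll\x00"
    + b"http://example.invalid/update\x00\x00"
    + "C:\\Windows\\Temp\\a.exe".encode("utf-16-le") + b"\x00\x00"
    + b"10.0.0.5\x00"
    + b"ab\x00"        # too short to be reported
    + b"UPX0\x00"
)


def ascii_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Runs of printable ASCII bytes (0x20-0x7e) of at least min_len."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def wide_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """UTF-16LE strings: each printable ASCII byte followed by a NUL."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pat.finditer(data)]


def all_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    return ascii_strings(data, min_len) + wide_strings(data, min_len)


# Rough classifiers for the artifact types the page mentions.
INDICATOR_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://", re.I),
    "windows_path": re.compile(r"^[A-Za-z]:\\"),
    "registry": re.compile(r"^(?:HKLM|HKCU|HKEY_[A-Z_]+)\\", re.I),
}


def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Group extracted strings by indicator type for quick review."""
    found: Dict[str, List[str]] = {kind: [] for kind in INDICATOR_PATTERNS}
    for s in strings:
        for kind, pat in INDICATOR_PATTERNS.items():
            if pat.search(s):
                found[kind].append(s)
    return found


def looks_upx_packed(strings: List[str]) -> bool:
    """The page's heuristic: 'UPX' showing up in the strings output."""
    return any("UPX" in s for s in strings)


if __name__ == "__main__":
    hits = all_strings(SAMPLE)
    for kind, items in classify(hits).items():
        print(f"{kind:<13} {items}")
    print("UPX marker present:", looks_upx_packed(hits))
```

Two things worth knowing from this run: the narrow-only pass misses the path entirely because it is stored as UTF-16LE, which is why both encodings are extracted, and the UPX check is a marker match only, so a sample whose packer strings have been renamed will not be flagged by it.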