In the intricate and ever-evolving landscape of cybersecurity, the dangerous and subtle ways malware operates have continued to advance, leaving a wake of security breaches, stolen data, and compromised systems.
In response, a robust set of strategies and tools has been developed to let analysts dissect malicious software, understand its intent, and devise countermeasures.
Whether you’re a seasoned cybersecurity professional or just starting on your journey, understanding the toolset available for malware analysis is a must.
Each tool contributes a unique piece to the puzzle, shedding light on the insidious behavior of malware.
Static Analysis
As we already saw in the previous blog post, Malware Analyst Road: “Malware static analysis is a method of analyzing malicious software (malware) without actually executing it. It involves examining the malware’s code or binary file to identify its functionality, behavior, and potential impact on a system.”
Static analysis covers tools for “simple” work, such as finding patterns and suspicious functionality, as well as tools for much more demanding work such as reverse engineering.
Since it spans that whole range, let's divide it into two categories: basic static analysis, and reverse engineering, which is advanced static analysis.
Basic Static Analysis
When we talk about basic static analysis, our goal is to understand the general attributes of the file, such as:
- How was the file compiled (compiler, linker, build tooling)?
- When was the file compiled (and does the timestamp look genuine)?
- What strings does the file contain?
- Is the file packed or otherwise obfuscated?
- What is the file format (PE, ELF)?
- Which libraries does it import?
- Which operating-system functions does it call?
And much more. The best tools to answer these questions are:
Detect-It-Easy
Detect It Easy, or DiE, is a program designed to analyze executable files in order to identify different types of packers, cryptors, and compilers, among other things. It is an open-source tool and is particularly useful in the realm of malware analysis and reverse engineering.
DiE provides many functionalities; the ones I use the most are:
- Multitude of Supported Formats: DiE supports a wide array of file formats such as PE, ELF, Mach-O, and others, making it suitable for analyzing various kinds of executable files.
- Packer Detection: Detect It Easy can identify many types of packers, cryptors, and compilers, which can be useful for uncovering obfuscation and encryption in potentially malicious files.
- Entropy Analysis: One of the standout features of DiE is its entropy analysis functionality. It can graphically present the entropy of the data in a file, which can help identify packed or encrypted data.
- Section Analysis: DiE can provide detailed information about the different sections of an executable, such as their sizes, entropy, and hashes.
- Heuristic Analysis: Heuristic methods are used to analyze unknown file formats. If a file format is not recognized, DiE will analyze the entropy of the file’s contents to make a guess at the type of file.
- Scripting Support: DiE’s detection signatures are themselves scripts written in a JavaScript-like language, so you can read how a packer or compiler is detected and add your own signatures when a sample matches nothing.
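To make the questions above concrete, here is an added example (not code from the original post, from DiE or from any other tool mentioned here) that answers several of them with the Python standard library alone: file format from magic values, compile timestamp and machine from the COFF header, per-section entropy and a few packing heuristics of the kind DiE’s entropy view exposes, and ASCII/UTF-16 string extraction. Field offsets follow the Microsoft PE/COFF specification. The two-section PE32 image that `build_sample()` produces is constructed inline for the demonstration; it is not a real executable and cannot run.

```python
"""Basic static triage of a PE image with the standard library only.

Added example: shows what 'what format?', 'when compiled?', 'is it packed?'
and 'what strings?' rest on when DiE or PEStudio answer them. The sample
image from build_sample() is constructed for the demo, not a real binary.
"""
import math
import re
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
# Section names left behind by common packers/protectors (a hint, not proof).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes.
    Compiled code usually sits around 5-6.5; compressed/encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def identify_format(data: bytes) -> str:
    """Answer 'what is the file format?' from magic values alone."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if len(data) >= e_lfanew + 26 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            # Optional header Magic sits 4 (signature) + 20 (COFF header) bytes in.
            magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
            return {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE (unknown magic)")
    return "unknown"


def parse_pe(data: bytes) -> dict:
    """Pull the COFF header and section table: machine, timestamp, sections."""
    fmt = identify_format(data)
    if not fmt.startswith("PE"):
        raise ValueError(f"not a PE image ({fmt})")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    machine, nsections, timestamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    table = coff + 20 + opt_size
    for i in range(nsections):
        name, vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 2),
            "rwx": bool(chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "format": fmt,
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": timestamp,
        # TimeDateStamp is attacker-controlled: a zero, a future date or a fixed
        # compiler constant (Delphi) is a finding, not proof of the build date.
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "sections": sections,
    }


def packing_hints(info: dict) -> list:
    """Cheap 'is it packed?' heuristics; each one alone is weak, together they are telling."""
    hints = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTIONS:
            hints.append(f"{s['name']}: known packer section name")
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: high entropy {s['entropy']} (compressed/encrypted data)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data but {s['virtual_size']} bytes virtual (unpack target)")
        if s["rwx"]:
            hints.append(f"{s['name']}: writable and executable (self-modifying code)")
    return hints


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """ASCII and UTF-16LE printable runs, like the `strings` tool."""
    ascii_runs = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16le") for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def build_sample() -> bytes:
    """Constructed PE32: a low-entropy .text and a uniform-byte 'UPX1' section."""
    text = b"\x00" * 200 + b"kernel32.dll\x00VirtualAlloc\x00CreateRemoteThread\x00" + b"\x90" * 100
    packed = bytes(range(256)) * 4        # every byte value equally often -> entropy 8.0
    opt_size = 224                        # PE32 optional header size
    text_off, packed_off = 0x200, 0x400   # headers (392 bytes) fit before 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sec_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, 0x200, text_off, 0, 0, 0, 0, 0x60000020)
    sec_upx = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed), 0x2000, len(packed), packed_off, 0, 0, 0, 0, 0xE0000040)
    img = bytearray(dos + b"PE\0\0" + coff + opt + sec_text + sec_upx)
    img += b"\0" * (text_off - len(img)) + text
    img += b"\0" * (packed_off - len(img)) + packed
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    info = parse_pe(sample)
    print(f"{info['format']} {info['machine']} compiled {info['compiled_utc']}")
    for s in info["sections"]:
        print(f"  {s['name']:<8} raw={s['raw_size']:<6} entropy={s['entropy']:<5} rwx={s['rwx']}")
    for hint in packing_hints(info):
        print("  !", hint)
    print("  strings:", extract_strings(sample))
```

Point `parse_pe` at the bytes of a real sample instead of `build_sample()` and the same checks apply. Notice what the heuristics do and do not tell you: a high-entropy section with a packer name is a strong packing signal, but a high-entropy `.rsrc` may just hold a compressed image, and a sane-looking timestamp proves nothing, since the field is set by whoever built the file.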
PEStudio
This is one of the tools I don’t see discussed a lot, but I find it VERY helpful. It can be a bit slow, as it does a thorough static analysis of a given file, but I believe it is one of the most helpful tools out there.
PEStudio (by Winitor) is a static analysis tool for Windows PE files (EXE, DLL, drivers) used primarily for initial malware assessment. It inspects the different parts of the PE structure and gives an analyst an overview of the suspicious indicators in an executable without running it.
It provides great functionalities such as:
- Indicators: PEStudio turns each suspicious finding in the file (blacklisted imports or strings, anomalous header values, missing or odd metadata) into an indicator and ranks indicators by severity, which makes it easy to decide whether deeper analysis is warranted.
- Imports and Exports: PEStudio displays the functions the executable imports and exports and matches imports against its built-in blacklist of functions commonly abused by malware (for example VirtualAllocEx, WriteProcessMemory and CreateRemoteThread), which is the fastest way to spot potentially dangerous capabilities such as process injection.
- Sections: The tool can display the different sections of the PE file, their sizes, and characteristics, which can help identify unusual features or hidden data.
- VirusTotal Integration: PEStudio can query VirusTotal by hash, so the sample itself is not uploaded, but the lookup still reveals the hash to a third party; disable it when working on sensitive or targeted samples whose existence should not leak.
- String Analysis: PEStudio extracts the ASCII and Unicode strings in the file and flags the blacklisted ones (URLs, registry keys, suspicious API names, and so on), which provide clues about the executable’s functionality.
- Resources Analysis: PEStudio can analyze the resources that an executable uses, including bitmap images, icons, or other data. These can sometimes contain hidden or encoded malicious payloads.
- Libraries and DLLs: PEStudio lists the DLLs that the executable loads, which could provide insight into the functionality of the program.
- Certificate and Signature Information: The tool displays whether the executable is signed, by whom, and whether the signature verifies. A valid signature from a known vendor lowers suspicion, but signed malware (stolen or abused certificates) exists, so treat it as one indicator rather than proof of legitimacy.
- Rich Header: PEStudio provides a view of the Rich Header, which can reveal the compiler and linker versions used to build the executable and is useful for clustering samples that came from the same build environment.
As you can probably already see, PEStudio gives us a vast amount of information about the investigated file. It also has a paid version, although to be honest I have never tried it.
PE-Bear
PE-bear overlaps with PEStudio and DiE in some functionality, but malware analysts also use it as a PE editor and hex viewer; which of these tools you reach for is largely a matter of preference.
It is developed by hasherezade, an independent researcher and cybersecurity expert.
Some of its main features include:
- PE Viewer/Editor: PE-bear provides an intuitive interface for viewing and editing the structure of Portable Executable (PE) files. This includes headers, sections, imports, exports, resources, and other aspects of the PE format.
- Data Inspector: It provides a feature for inspecting data within the PE file, providing a way to analyze bytes, strings, and structures in detail.
- Rebuilding PE: PE-bear can be used to rebuild the PE file after modifications have been made. This is particularly useful after unpacking, when a memory dump needs its section headers fixed (raw pointers and sizes realigned with the virtual ones) before a disassembler will load it properly.
- Support for Many PE Features: PE-bear supports a wide range of PE features such as handling of DLLs, .NET executables, system drivers, and more.
- Import/Export Analysis: It allows a user to view and analyze the import and export tables of a PE file. These often provide useful insights into what an executable might do, based on the Windows API functions it uses.
- Hex Viewer: PE-bear comes with a built-in hex viewer for examining binary data.
- Portable and Lightweight: PE-bear is a standalone application that doesn’t require installation, and builds are available for Windows, Linux and macOS, so it is easy to drop onto any analysis machine.
Reverse Engineering
Reverse engineering is considered one of the most challenging kinds of research and analysis we can do, whether we are reversing malware to understand it better or reversing a product to find vulnerabilities.
The best tools for reversing binaries are:
Ghidra
Ghidra is one of the most popular tools for malware analysts who want a good, free, all-around tool for static analysis, especially when we talk about reverse engineering.
Developed by the National Security Agency (NSA) and released as open source in 2019, Ghidra is a free software reverse engineering (SRE) suite that bundles a disassembler, a decompiler for many processor architectures, and scripting (Java and Python) for automating analysis. It’s a good entry point for beginners due to its user-friendly interface.
Radare2
Radare2 is a portable reverse-engineering framework that does a wide variety of tasks, including binary viewing, patching, analysis, and more.
It is powerful but can have a steep learning curve. It’s recommended for intermediate users or ambitious beginners who are willing to spend time learning the tool. Personally, I don’t like using Radare2, but I understand that a lot of researchers in the community enjoy it, so I figured it deserved mentioning.
IDA Free/Pro
This is, in my opinion, the most popular tool for static analysis. It disassembles the binary without running it, lets you annotate and patch it, and makes the control flow and functionality easier to understand; it also ships a debugger for when you do need to run the sample in a controlled environment.
The Pro version, which is VERY expensive, adds capabilities the free version lacks: a plugin SDK, IDAPython scripting, support for many more processor architectures beyond x86/x64, and the Hex-Rays decompilers (licensed separately per architecture).
Decompilers
To be honest, I am not sure where decompilers fit in. However, they are still a big part of malware analysis: managed code (.NET, Java) carries enough metadata that a decompiler can recover something close to the original source, which is a huge advantage over reading disassembly when we handle .NET files, for example.
Here is a list of decompilers for different file types:
- JD Project: JD Project (best known through JD-GUI) is a well-known free tool that decompiles Java bytecode. It’s very useful for analyzing Java-based malware.
- .NET Reflector: .NET Reflector is a commercial class browser and decompiler for .NET. It can be used to debug your own code, understand how a problem occurred, or examine classes and functions in .NET assemblies.
- dnSpy: dnSpy is a tool to reverse engineer .NET assemblies that includes a decompiler and a debugger. It lets you see and edit the high-level code, and step through it, which makes it particularly useful for analyzing .NET malware.
- ILSpy: ILSpy is another very useful open-source tool for decompiling .NET malware. It is invaluable for reverse engineers who need to inspect the functionality of .NET applications or libraries without having access to the original source code.
The Didier Stevens ToolKit
For those who don’t know him, Didier Stevens is a highly respected information security researcher based in Belgium. He’s known for his work in many areas of cybersecurity, including malware analysis, digital forensics, and incident response.
One of his many contributions to the research community is the ongoing development of static analysis tools used not only on malware itself but also on delivery files such as Office documents and PDFs. Some of his well-known tools include oledump.py, for analyzing the OLE streams (and VBA macros) inside Microsoft Office documents, and his PDF tools, pdfid.py and pdf-parser.py, for triaging and dissecting potentially malicious PDF files.
It would take a whole blog post just to cover his tools. Fortunately, Didier did it for us in his blog.
I highly encourage you to go and see the amazing tools and scripts he shares there. Personally, it helps me a lot when I need to analyze a malicious DOC file or anything of that nature.