Intermediate

Static Analysis

Static analysis involves examining the malware's code and structure without executing it. This is the safest first step to gather indicators of compromise (IOCs) and understand capabilities.

File Identification

Determine the real file type and target architecture from the file's contents, not its extension. Malware often masquerades as a legitimate file type (a document, an image, a screensaver), so always trust the magic bytes over the name.

```bash
# Check the file type by its magic bytes, not by its extension
file malicious.exe

# Calculate hashes; search VirusTotal and other threat-intel sources by hash
# first, and only upload the sample itself once you know it is not sensitive
sha256sum malicious.exe
md5sum malicious.exe
```

Strings Analysis

Extracting ASCII and Unicode strings can reveal IP addresses, URLs, file paths, registry keys, mutex names, and imported function names. Note that Windows binaries store most of their strings as UTF-16LE ("wide" strings), which the default `strings` run does not find; you have to ask for them explicitly.

```bash
# Extract ASCII strings (min length 4), then the UTF-16LE ones (-e l),
# which is how most Windows binaries store paths, URLs and registry keys
strings -n 4 malicious.exe > strings.txt
strings -e l -n 4 malicious.exe >> strings.txt

# Look for interesting patterns
grep -Ei "https?://|ftp://" strings.txt
# Escape the dots: an unescaped "." matches any character, not a literal dot
grep -Eo "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" strings.txt
```
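The same extraction done in Python, as an added example that is not part of the original page: it pulls both ASCII and UTF-16LE runs out of a byte buffer (the equivalent of `strings -n 4` and `strings -e l`), then buckets the results into IOC categories with a properly escaped and range-checked IPv4 pattern, so a version string or an out-of-range octet such as `10.0.0.300` is not reported as an address. The `SAMPLE` bytes are constructed for the demonstration and the API list is an assumption, a starting point rather than a complete catalogue.

```python
import re

# Constructed sample bytes standing in for a binary: an ASCII URL, a Windows path stored
# as UTF-16LE (how Win32 "wide" strings appear on disk), an invalid and a valid IPv4
# literal, and one suspicious API name. Not taken from a real sample.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"http://198.51.100.23/gate.php\x00\x00"
    + "C:\\Users\\Public\\svchost.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x00Mozilla/5.0\x00"
    + b"10.0.0.300\x00"          # looks like an address, but octet 300 is out of range
    + b"192.168.1.254\x00"
    + b"WriteProcessMemory\x00"
)

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.IGNORECASE)
# Dots escaped and octets range-checked: the unescaped `[0-9]{1,3}.[0-9]{1,3}...` form
# also matches version strings and out-of-range values such as 10.0.0.300.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4_RE = re.compile(rf"(?<![\d.]){OCTET}(?:\.{OCTET}){{3}}(?![\d.])")
WINPATH_RE = re.compile(r"[A-Za-z]:\\(?:[^\\/:*?\"<>|\r\n]+\\)*[^\\/:*?\"<>|\r\n]*")
# Imports that hint at injection, download or anti-debugging (assumed list, extend to taste)
SUSPICIOUS_APIS = {
    "WriteProcessMemory", "CreateRemoteThread", "VirtualAllocEx", "NtUnmapViewOfSection",
    "InternetOpenUrlA", "URLDownloadToFileA", "SetWindowsHookExA", "IsDebuggerPresent",
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """ASCII runs (like `strings -n 4`) followed by UTF-16LE runs (like `strings -e l`)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def classify_iocs(candidates: list[str]) -> dict[str, list[str]]:
    """Bucket extracted strings into IOC categories."""
    iocs: dict[str, list[str]] = {"urls": [], "ipv4": [], "paths": [], "apis": []}
    for s in candidates:
        iocs["urls"] += URL_RE.findall(s)
        iocs["ipv4"] += IPV4_RE.findall(s)
        iocs["paths"] += WINPATH_RE.findall(s)
        if s in SUSPICIOUS_APIS:
            iocs["apis"].append(s)
    return iocs


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for category, values in classify_iocs(extract_strings(data)).items():
        for v in values:
            print(f"{category:<6} {v}")
```

Run it with a file path to scan a real sample; without one it scans the constructed buffer and reports the URL, the two valid IPv4 addresses (one of them taken from inside the URL), the wide-string path, and the `WriteProcessMemory` import, while `10.0.0.300` is correctly left out.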

Obfuscation

If a binary yields very few meaningful strings, or only short runs of random-looking characters, the sample is likely packed or encrypted. The real strings only appear after unpacking, either statically (for known packers such as UPX) or by dumping the process memory during dynamic analysis.

PE Header Analysis

For Windows executables (PE files), the header contains critical information.

  • Import Address Table (IAT): Lists the functions imported from each DLL and is a quick capability map (e.g., `InternetOpenUrl` suggests network activity, `WriteProcessMemory` together with `CreateRemoteThread` suggests process injection). A very short import list on a large binary usually means the real imports are resolved at runtime by a packer or loader.
  • Sections: Check for non-standard section names (e.g., `UPX0`, `UPX1`), sections that are writable and executable, sections with no raw data but a large virtual size, and high entropy (close to 8 bits per byte), all of which indicate packing or encrypted payloads.
  • Time Date Stamp: Compilation time. It is trivially forged, so treat it as a hint, and be suspicious of values set to zero or far in the past or future.

Tools: PEStudio, PE-bear, CFF Explorer.
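To show what the GUI tools above are reading, here is a small pure-standard-library PE header walker, added as an example and not taken from the page or from any of those tools: it follows the DOS header to the PE signature, reads the COFF header and section table, computes the Shannon entropy of each section's raw bytes, and applies the packing heuristics from the list above. The `build_sample_pe` function constructs a minimal, non-runnable PE32 image that mimics a UPX-style layout (a clean `.text`, an empty `UPX0`, and a high-entropy `UPX1`) so the script runs offline; the field layouts and characteristic bits are from the PE/COFF specification, while the set of "standard" section names and the 7.0 entropy threshold are assumed heuristics.

```python
import math
import struct
import sys
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Section characteristic bits from the PE/COFF spec
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a typical linker emits (assumed list); anything else deserves a look
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".pdata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}

@dataclass
class Section:
    name: str
    virtual_size: int
    raw_size: int
    characteristics: int
    entropy: float

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsect):
        (name, vsize, _va, rsize, rptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                vsize, rsize, chars, shannon_entropy(raw)))
    return {"machine": machine, "timestamp": stamp, "sections": sections}

def compile_time(pe: dict) -> str:
    """TimeDateStamp as UTC ISO-8601. Trivially forged, so only a hint."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).isoformat()

def suspicious_sections(pe: dict) -> dict[str, list[str]]:
    """Heuristics that commonly indicate a packer or a hand-crafted PE."""
    findings: dict[str, list[str]] = {}
    for s in pe["sections"]:
        reasons = []
        if s.entropy > 7.0:
            reasons.append(f"high entropy {s.entropy:.2f}: packed or encrypted data")
        if s.raw_size == 0 and s.virtual_size > 0:
            reasons.append("no raw data but non-zero virtual size: filled at runtime (UPX0 pattern)")
        if s.name not in STANDARD_SECTIONS:
            reasons.append("non-standard section name")
        if s.characteristics & IMAGE_SCN_MEM_EXECUTE and s.characteristics & IMAGE_SCN_MEM_WRITE:
            reasons.append("writable and executable: self-modifying code or unpacking stub")
        if reasons:
            findings[s.name] = reasons
    return findings

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE32 image mimicking a UPX-packed layout (demo input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    opt_size = 0xE0                                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5F5E1000, 0, 0, opt_size, 0x0102)  # i386, 3 sections
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic = PE32
    text_raw = b"\x90" * 32 + b"\xcc" * 32                        # two byte values -> 1.0 bit entropy
    upx1_raw = bytes(range(256))                                  # every byte once -> 8.0 bit entropy
    rows = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b".text", len(text_raw), 0x1000, len(text_raw), 0x200, 0x60000020),   # code, R+X
        (b"UPX0", 0x1000, 0x2000, 0, 0, 0xE0000080),                           # uninit, R+W+X
        (b"UPX1", len(upx1_raw), 0x3000, len(upx1_raw), 0x240, 0xE0000040),   # data, R+W+X
    ]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in rows)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    image = bytearray(0x200)                                      # headers padded to file alignment
    image[:len(header)] = header
    return bytes(image) + text_raw + upx1_raw

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    pe = parse_pe(data)
    print(f"machine=0x{pe['machine']:x} compiled={compile_time(pe)}")
    for s in pe["sections"]:
        print(f"{s.name:<8} vsize=0x{s.virtual_size:x} rsize=0x{s.raw_size:x} entropy={s.entropy:.2f}")
    for name, reasons in suspicious_sections(pe).items():
        print(f"[!] {name}: " + "; ".join(reasons))
```

Pass a real PE as the first argument to inspect it; on the constructed image, `.text` is reported clean while `UPX0` and `UPX1` each collect three findings (name, W+X permissions, and the zero-raw-size or high-entropy pattern respectively). Entropy is computed over the raw bytes on disk, so a section whose payload is only decrypted in memory shows up as high entropy here even though it looks like ordinary code in a debugger.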

Disassembly & Decompilation

Viewing the disassembled instructions, or the decompiler's C-like pseudo-code, to understand the program's logic. Start from the interesting imports and strings found above and work backwards to the code that uses them.

Tools

  • Ghidra: NSA's open-source reverse engineering suite, with an excellent decompiler.
  • IDA Pro / IDA Free: The industry-standard disassembler.
  • Cutter: Modern GUI for the Rizin reverse engineering framework.