Below are my notes based on the book Practical Malware Analysis and class Malware Analysis - CSCI 4976 (RPISEC) covering basic analysis of malware. This is not an in-depth tutorial on how to do basic analysis, but rather a quick reference. For a more in-depth guide I would highly recommend reading the book and doing the labs from the course provided by RPISEC.
- Fingerprint the malware by computing its MD5 hash and uploading it to VirusTotal
  - This shows whether the sample has been analyzed before and confirms you have the right executable.
- Run PEiD on the executable to determine whether it is packed or obfuscated
  - To unpack, use "upx -d PackedProg.exe" (if it was packed with UPX)
- The Portable Executable (PE) file format "is a data structure that contains information necessary for Windows OS loader to manage the wrapped code." (14)
- Check for linked libraries and the functions the program calls.
  - These libraries often give us more information on what the program is doing
  - Dependency Walker can be used to explore dynamically linked functions
Use PEview to view the PE file header. Information on file header:
One thing we may be able to see from the file header is whether or not the program is packed. PEview shows each section's "virtual size" and "size of raw data"; if there is a big difference between the two, the program is most likely packed.
Finally, more information we can get from the file header includes:
- Time Date Stamp
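The two header checks above (the virtual-size versus raw-size gap, and the TimeDateStamp) done in code, as an added example that is not from the book or the course: it parses the COFF header and section table with `struct` alone and runs against a constructed UPX-style image. `build_pe`, the sample section names and the `ratio` threshold are assumptions made for this example.

```python
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristics bit: section contains executable code

def parse_pe(data: bytes) -> dict:
    """Parse the COFF header and section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew: offset of "PE\0\0"
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sections, off = [], pe_off + 24 + opt_size              # section table follows the optional header
    for _ in range(nsec):
        name, vsize, _va, rsize, _ptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize, "characteristics": flags})
        off += 40
    return {"timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}

def packing_indicators(data: bytes, ratio: float = 3.0) -> list:
    """Names of executable sections whose VirtualSize far exceeds SizeOfRawData.
    Non-code sections are skipped: uninitialised .data/.bss legitimately has a
    virtual size larger than its raw size, so only code sections make the gap suspicious."""
    hits = []
    for s in parse_pe(data)["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and (
                s["raw_size"] == 0 or s["virtual_size"] > ratio * s["raw_size"]):
            hits.append(s["name"])
    return hits

def build_pe(sections, timestamp=0) -> bytes:
    """Constructed minimal PE image for testing (not a real binary; no optional header)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, 0x1000, rs, 0x400, 0, 0, 0, 0, fl)
                     for n, vs, rs, fl in sections)
    return bytes(dos) + b"PE\0\0" + coff + table

if __name__ == "__main__":
    # Constructed UPX-style layout: UPX0 reserves 128 KiB of address space but carries no raw bytes.
    packed = build_pe([(b"UPX0", 0x20000, 0, 0x60000080), (b"UPX1", 0x8000, 0x7E00, 0x60000040)], 1262304000)
    print("suspicious sections:", packing_indicators(packed), "compiled:", parse_pe(packed)["timestamp"])
```

On a real sample, pass the file contents (`open(path, "rb").read()`) to `packing_indicators` and `parse_pe`; the same section-table fields are what PEview displays.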