Dissection 101: Step-By-Step Static Analysis of Unknown PE files (EXE) to Recognize Malware and Assess Impact

Webinar Registration

Files. As cyber security pros we’re confronted with files constantly. Your EDR alerts you to a suspicious file. You find some weird files on a system you are cleaning up from compromise. A concerned user forwards you an email attachment.  

You can triage the file against resources like VirusTotal to see if it’s known bad or known good. But what about the files left over? There are 2 ways to analyze unknown files: 

  • Dynamic analysis – execute or open the file – in a safe, isolated environment - and observe it doing its thing. Sandboxes are all about dynamic analysis.  
  • Static analysis – analyze the file – do not allow it to run or open. This requires understanding the file type and format intimately so that you can infer its composition and behavior.

Dynamic analysis sounds easier, right? Forget about its type and format, just detonate and watch the fireworks. If it starts reading every file on the sandbox system and rewriting them you’ve probably caught some malware. If it initiates a network connection to kdjfke88x.ci then you are probably seeing a malagent phone home to its command and control server.

But every tool has its limitations and dynamic analysis sandboxes must deal with some pretty big challenges which I’ll briefly cover in this real training-for-free event. As just one example smart bad guys craft their malware to sleep for a good while before detonating. Sandboxes can’t wait forever to see if a file is going to do something bad so this creates an ever-escalating cat-and-mouse cycle between sandbox and malware developers. Dynamic analysis also has some limitations on supported file types and maximum size.  

Static analysis is a valuable counterpoint to dynamic analysis. In this webinar, we’re going to show you how to manually perform basic static analysis of a PE (portable executable – usually an .exe file). We’ll use free utilities designed for this purpose. I’ll show you how to confirm that a file really is a PE. Then I’ll show you the structure of a PE including:

  • Headers
  • Imports
  • Exports
  • Sections
  • Resources

Then we’ll zero in on fundamental ways of recognizing signs of malware. We will look at how the Imports of a file help us understand it’s possible functionality by seeing what functions of the OS and other libraries the PE calls. We’ll also look at how to extract all the strings in a PE to look for things like shell commands, IP addresses, domain names and the like. We will explore how PEs can embed other files – event other malicious EXEs.  

Of course, the bad guys know about static analysis so I’ll provide a brief introduction to obfuscation techniques such as packing, XORing, compressing and encoding.

The session won’t make you an expert in static file analysis but it will help you grasp the fundamentals and make you more effective at using malware analysis, understanding indicators of compromise, and getting pointed in the right direction if you want to dig deeper into static analysis.

But at the end of the day you can only manually analyze so many files each day. ReversingLabs is the perfect sponsor for this event and Robert Perica, a Principal Engineer/ Threat Analyst at ReversingLabs will briefly show you their extremely fast and deep automated static file analysis Titanium Platform technology.

Join us for this real-training-for-free session.

First Name:   
Last Name:   
Work Email:  
Phone:  
Job Title:  
Organization:  
Country:    
State:  
 

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us.

 

 

Additional Resources