Static Analysis 101
SECTION 01

What is Static Analysis?

Static analysis is the process of examining malware without executing it. Think of it like examining a suspicious package without opening it - you can learn a lot from the outside before deciding to interact with it.

This approach is crucial because:

  • Safe: no risk of infection, since the malware never runs
  • Fast: quick triage to determine the threat level
  • Thorough: reveals hidden code that may never execute
  • Scalable: can be automated across large sample sets
Remember: Static analysis shows you what a sample could do, not necessarily what it will do. Some code paths may never execute, and some functionality may be hidden through obfuscation.
GUIDED WALKTHROUGH

Your First Static Analysis

Before diving into each technique in detail, let's walk through a complete static analysis of a suspicious file — step by step. You'll examine a PE file called update_service.exe that was flagged by an automated scanner.

Guided Walkthrough: Analyzing update_service.exe

Walk through each phase of static analysis. Answer the question at each step to reveal the next layer of the PE anatomy diagram.

EVIDENCE PANEL — update_service.exe

PE Sections:
  • .text   0x1A00 (code)
  • .rdata  0x0800 (read-only)
  • .data   0x0400 (data)
  • .xdata  0x3000 (???)
Imports:
  • kernel32: VirtualAlloc, WriteProcessMemory, CreateRemoteThread
  • urlmon: URLDownloadToFileA
Strings:
  • "http://91.203.xx.xx/cmd"
  • "HKLM\...\Run"
  • "%TEMP%\svchost.exe"
Entropy:
  • .text 5.1 | .rdata 3.4
  • .data 2.1 | .xdata 7.9

PE anatomy diagram (layers revealed as the walkthrough progresses):
  • PE HEADERS: MZ | PE\0\0 | AMD64; .xdata is a non-standard section name
  • IMPORT TABLE: VirtualAlloc, WriteProcessMemory, URLDownloadToFileA
  • STRINGS: http://91.203.xx.xx/cmd, HKLM\...\Run, %TEMP%\svchost.exe
  • ENTROPY MAP: .text, .rdata, .data, .xdata 7.9!
  • IOC SUMMARY: T1055 Process Injection; T1547 Persistence (Run key); T1105 Ingress Tool Transfer
  • VERDICT: MALICIOUS
Walkthrough complete! You've performed a full static analysis triage. Now explore each technique in depth below.
SECTION 02

PE File Structure

Windows executables use the Portable Executable (PE) format. Understanding this structure is fundamental to malware analysis.

sample.exe - PE Viewer

DOS Header:
  e_magic          0x5A4D ("MZ")          DOS signature; every PE starts with this
  e_lfanew         0x00000080             Offset to the PE header
Quick Check: If a file doesn't start with "MZ", it's not a valid Windows executable.

PE File Header:
  Signature        0x00004550 ("PE\0\0")  PE signature
  Machine          0x8664 (AMD64)         Target architecture
  TimeDateStamp    0x5F8A2B3C             Compilation time (can be faked)
  Characteristics  0x0022                 EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE

Section Table:
  .text    VirtualSize: 0x1A00, RawSize: 0x1C00   Executable code
  .rdata   VirtualSize: 0x0800, RawSize: 0x0A00   Read-only data, imports
  .data    VirtualSize: 0x0400, RawSize: 0x0200   Initialized data
  .enigma  VirtualSize: 0x2000, RawSize: 0x2000   Suspicious - non-standard section

Hex Dump:
  00000000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
  00000010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
  00000080 50 45 00 00 64 86 06 00 3C 2B 8A 5F 00 00 00 00 PE..d...<+._.....
Red Flags in PE Headers:
  • Non-standard section names (.enigma, .packed, .UPX)
  • Section with write + execute permissions
  • Very old or very recent timestamps
  • Mismatched virtual and raw sizes
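The header fields and red flags above can be checked programmatically. The following is an added example written for this page, not code from the original module: a minimal parser for the DOS header, COFF file header and section table that then applies the red-flag checks. The byte blob it parses is constructed in `build_sample()` to mirror the page's hex dump (e_lfanew = 0x80, Machine 0x8664, TimeDateStamp 0x5F8A2B3C) and is not a real binary; the section names `.enigma` and `UPX0` and their sizes are likewise constructed. The "mismatched sizes" rule is implemented here as "virtual size more than twice the raw size", one reasonable reading of the page's bullet, and the timestamp check is left to the reader since it depends on the current date.

```python
import struct

# Section characteristic flags from the PE specification (winnt.h).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names a stock linker emits; anything else deserves a closer look.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".bss", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".tls", ".CRT"}

COFF_FMT = "<4sHHIIIHH"       # Signature, Machine, NumberOfSections, TimeDateStamp,
                              # PointerToSymbolTable, NumberOfSymbols,
                              # SizeOfOptionalHeader, Characteristics (24 bytes)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def build_sample() -> bytes:
    """Constructed PE-shaped bytes for the demo (not a real, loadable binary).

    The optional header is omitted (SizeOfOptionalHeader = 0), so the
    section table directly follows the COFF header at e_lfanew + 24.
    """
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew
    sections = [
        # name, VirtualSize, SizeOfRawData, Characteristics
        (b".text",   0x1A00, 0x1C00, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        (b".rdata",  0x0800, 0x0A00, IMAGE_SCN_MEM_READ),
        (b".enigma", 0x2000, 0x2000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
        (b"UPX0",    0x5000, 0x0000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    ]
    coff = struct.pack(COFF_FMT, b"PE\0\0", 0x8664, len(sections), 0x5F8A2B3C, 0, 0, 0, 0x0022)
    table = b"".join(
        struct.pack(SECTION_FMT, name.ljust(8, b"\0"), vsize, 0, rsize, 0, 0, 0, 0, 0, chars)
        for name, vsize, rsize, chars in sections
    )
    return bytes(dos) + coff + table


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig, machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, e_lfanew)
    if sig != b"PE\0\0":
        raise ValueError("not a PE file: no PE signature at e_lfanew")
    table_off = e_lfanew + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SECTION_FMT, data, table_off + i * struct.calcsize(SECTION_FMT))
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "raw_size": f[3],
            "characteristics": f[9],
        })
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "sections": sections}


def red_flags(pe: dict) -> list:
    """Apply the page's header red flags to a parsed PE; returns human-readable findings."""
    flags = []
    for s in pe["sections"]:
        name, c = s["name"], s["characteristics"]
        if name not in STANDARD_SECTIONS:
            flags.append(f"{name}: non-standard section name")
        if c & IMAGE_SCN_MEM_WRITE and c & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"{name}: section is writable and executable")
        if s["virtual_size"] > 2 * s["raw_size"]:
            flags.append(f"{name}: virtual size 0x{s['virtual_size']:X} far exceeds raw size 0x{s['raw_size']:X}")
    return flags


if __name__ == "__main__":
    pe = parse_pe(build_sample())
    print(f"Machine 0x{pe['machine']:04X}, {len(pe['sections'])} sections, stamp 0x{pe['timestamp']:08X}")
    for flag in red_flags(pe):
        print("RED FLAG:", flag)
```

On a real sample you would replace `build_sample()` with the file's bytes; the parser only reads the headers, so the file is never executed.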
SECTION 03

Strings Analysis

Extracting strings from a binary can reveal valuable intelligence: URLs, file paths, registry keys, error messages, and API names that hint at the malware's capabilities.

Extracted Strings (156 found)

  String                                              Category
  http://185.234.xx.xx/gate.php                       URL
  https://pastebin.com/raw/XXXXXX                     URL
  SOFTWARE\Microsoft\Windows\CurrentVersion\Run       REGISTRY
  SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer  REGISTRY
  VirtualAllocEx                                      API
  WriteProcessMemory                                  API
  CreateRemoteThread                                  API
  %APPDATA%\Microsoft\svchost.exe                     FILE
  C:\Windows\Temp\payload.dll                         FILE
  CryptEncrypt                                        CRYPTO
  -----BEGIN RSA PUBLIC KEY-----                      CRYPTO
Interpreting Strings: The combination of VirtualAllocEx + WriteProcessMemory + CreateRemoteThread is a classic indicator of process injection - a technique to hide malicious code in legitimate processes.
SECTION 04

Entropy Analysis

Entropy measures the randomness of data. High entropy (close to 8.0) indicates encrypted or compressed data, which is often a sign of packed malware trying to evade detection.

Section Entropy Analysis

Scale: 0.0 (uniform) ... 4.0 (normal code) ... 8.0 (random/encrypted)

High Entropy Detected: The .enigma section has entropy of 7.6, strongly suggesting encrypted or compressed content. This sample is likely packed.

Entropy bands:
  • Low (0-3): plain text, resources, sparse data
  • Normal (4-6): compiled code, typical executable
  • High (7-8): encrypted, compressed, or packed
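Shannon entropy is the measure behind the bands above; the following added example (written for this page, not code from the original module) computes it per section and applies the bands. The three section contents are constructed with a seeded generator so the run is repeatable: a sparse section, a "code-like" section drawn from 64 distinct byte values (so its entropy cannot exceed 6.0 bits), and a uniformly random section standing in for packed data. The page's bands leave gaps between 3-4 and 6-7; this code assigns those gaps to the lower band, which is an assumption.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_band(h: float) -> str:
    """Map an entropy value onto the page's Low / Normal / High bands."""
    if h < 4.0:
        return "low"       # plain text, resources, sparse data
    if h < 7.0:
        return "normal"    # compiled code, typical executable
    return "high"          # encrypted, compressed, or packed


def section_report(sections: dict) -> list:
    """Return (name, entropy rounded to one decimal, band) for each section."""
    report = []
    for name, raw in sections.items():
        h = shannon_entropy(raw)
        report.append((name, round(h, 1), entropy_band(h)))
    return report


def likely_packed(report: list) -> bool:
    """One high-entropy section is enough to suspect a packer or an encrypted payload."""
    return any(band == "high" for _, _, band in report)


def build_sample_sections() -> dict:
    """Constructed section contents (not from a real binary), seeded for repeatability."""
    rng = random.Random(42)
    return {
        ".data": b"\x00" * 900 + b"A" * 124,                          # sparse, mostly zero
        ".text": bytes(rng.randrange(64) for _ in range(4096)),       # 64 symbols: at most 6.0 bits
        ".enigma": bytes(rng.getrandbits(8) for _ in range(4096)),    # uniform random: close to 8.0
    }


if __name__ == "__main__":
    report = section_report(build_sample_sections())
    for name, h, band in report:
        print(f"{name:<8} {h:4.1f}  {band}")
    print("likely packed:", likely_packed(report))
```

To run this against a real PE, slice each section's raw bytes out of the file using PointerToRawData and SizeOfRawData from the section table and pass them in as the dictionary values.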
SECTION 05

Import Analysis

The Import Address Table (IAT) lists all external functions the executable uses. Certain API combinations are strong indicators of malicious behavior.

kernel32.dll (12 functions):
  • CreateFileW
  • ReadFile
  • WriteFile
  • VirtualAllocEx
  • WriteProcessMemory
  • CreateRemoteThread
  • GetProcAddress
  • LoadLibraryA
advapi32.dll (6 functions):
  • RegSetValueExW
  • RegOpenKeyExW
  • RegCloseKey
  • OpenProcessToken
  • AdjustTokenPrivileges
  • LookupPrivilegeValueW
ws2_32.dll (5 functions):
  • WSAStartup
  • socket
  • connect
  • send
  • recv

MITRE ATT&CK Mapping

Based on imported functions, this sample likely uses these techniques:

  • T1055.001 - Process Injection: DLL Injection
    Evidence: VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
  • T1547.001 - Boot/Logon Autostart: Registry Run Keys
    Evidence: RegSetValueExW + Run key string
  • T1134.001 - Access Token Manipulation
    Evidence: OpenProcessToken, AdjustTokenPrivileges
  • T1071.001 - Application Layer Protocol: Web
    Evidence: ws2_32.dll imports + HTTP URLs
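The mapping above is a rule set: each technique fires when a group of imports is present, sometimes together with a supporting string. The following added example (written for this page, not the module's own tooling) encodes those four rules and evaluates them against a constructed import table and string list that mirror the listings in this section. Two practitioner details are included: ANSI/Unicode suffixes (`RegSetValueExA`/`RegSetValueExW`) are folded onto one name before matching, and the Run-key and web-protocol rules require the corroborating string, so a registry API on its own does not produce a persistence finding. The technique names are taken from the page as written.

```python
import re

# Each rule: technique id, name as given on the page, APIs that must all be present,
# and an optional substring that must appear in at least one extracted string.
RULES = [
    ("T1055.001", "Process Injection: DLL Injection",
     {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}, None),
    ("T1547.001", "Boot/Logon Autostart: Registry Run Keys",
     {"RegSetValueEx"}, "CurrentVersion\\Run"),
    ("T1134.001", "Access Token Manipulation",
     {"OpenProcessToken", "AdjustTokenPrivileges"}, None),
    ("T1071.001", "Application Layer Protocol: Web",
     {"WSAStartup", "socket", "connect", "send"}, "http"),
]


def normalize(api: str) -> str:
    """Fold ANSI/Unicode variants onto one name: RegSetValueExW -> RegSetValueEx.

    Only a trailing A/W that follows a lowercase letter is stripped, so names
    such as WSAStartup or socket are left untouched (heuristic, not a full table).
    """
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def map_techniques(imports: dict, strings: list) -> list:
    """Return (id, name, evidence) for every rule whose APIs and string marker are present."""
    present = {normalize(api) for apis in imports.values() for api in apis}
    lowered = [s.lower() for s in strings]
    hits = []
    for tid, name, apis, marker in RULES:
        if not apis <= present:
            continue
        if marker and not any(marker.lower() in s for s in lowered):
            continue
        evidence = sorted(apis) + ([f'string containing "{marker}"'] if marker else [])
        hits.append((tid, name, ", ".join(evidence)))
    return hits


# Constructed inputs mirroring the page's import table and strings listing.
# The URL uses the 203.0.113.0/24 documentation range, not a real indicator.
SAMPLE_IMPORTS = {
    "kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "VirtualAllocEx",
                     "WriteProcessMemory", "CreateRemoteThread", "GetProcAddress", "LoadLibraryA"],
    "advapi32.dll": ["RegSetValueExW", "RegOpenKeyExW", "RegCloseKey",
                     "OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValueW"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
}
SAMPLE_STRINGS = ["http://203.0.113.5/gate.php",
                  "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]

if __name__ == "__main__":
    for tid, name, evidence in map_techniques(SAMPLE_IMPORTS, SAMPLE_STRINGS):
        print(f"{tid}  {name}\n    Evidence: {evidence}")
```

Treat the output as a triage hint, not a verdict: a legitimate installer also imports the registry and socket APIs, which is why the rules insist on the combination and the corroborating string rather than any single API.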
SECTION 06

Knowledge Check

A PE section has entropy of 7.8. What does this most likely indicate?
  • Normal compiled code
  • Encrypted or packed content
  • Plain text strings
  • Image resources

Which API combination is a classic indicator of process injection?
  • CreateFile, ReadFile, WriteFile
  • RegOpenKey, RegSetValue, RegCloseKey
  • VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
  • socket, connect, send, recv

What does "MZ" at the beginning of a file indicate?
  • The file is a ZIP archive
  • The file is a Windows executable (PE format)
  • The file is encrypted
  • The file is a PDF document

Module Complete!

You've learned the fundamentals of static malware analysis. Continue to the next module to study real-world malware families.
