Malware Analysis - Basics

The following tools are used in this blog:

  1. PEstudio (malware analysis)
  2. WinHEX (to view hex values)
  3. Snort (intrusion detection)

Malware analysis is the process of learning how a piece of malware functions and what the potential repercussions of a given sample are. Malware code can differ radically, and it is essential to know that malware can have many functionalities. It may come in the form of viruses, worms, spyware, and Trojan horses. Each type of malware gathers information about the infected device without the user's knowledge or authorization. In this assignment PEstudio and WinHEX are used to analyze and study the type of malware and to write a rule for Snort.

  • PEstudio

First of all, I selected a file and did file analysis using PEstudio.


  • Indicators

PEstudio has a list of indicators it uses to judge whether a file is worthy of suspicion, beyond simply doing a VirusTotal lookup. Two items in particular indicate that this file is malicious. First, the file ignores Address Space Layout Randomization (ASLR). ASLR is a feature that loads an application into memory at a somewhat randomized base address, which makes it much harder to reliably exploit a buffer overflow. Second, the file also ignores Data Execution Prevention (DEP), which means code can be executed from the data sections in memory.

  • Packers

Further down the menu, among the other PEstudio views that surface suspicious behaviour of a file, is another important section: the self-modification section. It shows that this file uses packer software. Windows only cares about the entry point and the permissions on the sections. "Packers" are programs that compress PE files so that the files decompress themselves at runtime. Packers will often change the section names; for example, the popular UPX packer renames the sections to .UPX. We can clearly see that this file uses the UPX packer, which makes it even more suspicious.
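As an added example (not code from the blog post, and not part of PEstudio), the following Python script reads the PE headers directly and reproduces the two checks discussed in the Indicators and Packers sections: the optional-header DllCharacteristics flags that PEstudio reports as "ignores ASLR" and "ignores DEP" (DYNAMIC_BASE and NX_COMPAT, offsets and bit values from the PE/COFF specification), and the section names and permissions used to spot a UPX-style packed file, together with which section holds the entry point. The two PE images it analyses are header-only samples constructed in memory so the script runs offline; the "packed" one uses the UPX0/UPX1 names UPX actually writes, and the check matches any section whose name contains "UPX", so a .UPX section also triggers it.

```python
# Added example: minimal PE header reader reproducing PEstudio's ASLR/DEP
# and packer (section name / permission) indicators. Standard library only.
import struct
from dataclasses import dataclass, field

# Optional-header DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE = 0x0040   # image may be relocated at load time -> ASLR opt-in
NX_COMPAT = 0x0100      # image is DEP-compatible -> DEP opt-in

# Section-header Characteristics bits
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    characteristics: int

    def contains(self, rva: int) -> bool:
        return self.virtual_address <= rva < self.virtual_address + self.virtual_size

    @property
    def writable_and_executable(self) -> bool:
        return bool(self.characteristics & SCN_MEM_EXECUTE) and bool(self.characteristics & SCN_MEM_WRITE)


@dataclass
class PeReport:
    aslr: bool
    dep: bool
    entry_point: int
    sections: list
    indicators: list = field(default_factory=list)


def parse_pe(data: bytes) -> PeReport:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+

    sections = []
    table = opt + size_of_optional
    for i in range(num_sections):
        off = table + i * 40
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(Section(name, vaddr, vsize, chars))

    r = PeReport(bool(dll_chars & DYNAMIC_BASE), bool(dll_chars & NX_COMPAT), entry_point, sections)
    if not r.aslr:
        r.indicators.append("ASLR (DYNAMIC_BASE) not set: image ignores ASLR")
    if not r.dep:
        r.indicators.append("DEP (NX_COMPAT) not set: image ignores DEP")
    for s in sections:
        if "UPX" in s.name.upper():
            r.indicators.append(f"UPX-style section name: {s.name}")
    ep_section = next((s for s in sections if s.contains(entry_point)), None)
    if ep_section is None:
        r.indicators.append("entry point lies outside every section")
    elif ep_section.writable_and_executable:
        r.indicators.append(f"entry point in writable+executable section {ep_section.name} (self-modifying / packed code)")
    return r


def build_pe(dll_chars: int, entry_point: int, sections) -> bytes:
    """Build a header-only PE32 image in memory (constructed test input, not a real sample)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)                 # AddressOfEntryPoint
    struct.pack_into("<H", opt, 70, dll_chars)                   # DllCharacteristics
    table = b""
    for name, vaddr, vsize, chars in sections:
        hdr = bytearray(40)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<II", hdr, 8, vsize, vaddr)
        struct.pack_into("<I", hdr, 36, chars)
        table += bytes(hdr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


RX = SCN_MEM_READ | SCN_MEM_EXECUTE
RWX = SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE
# Constructed well-behaved image: ASLR and DEP opted in, entry point in a read/execute .text.
CLEAN_PE = build_pe(DYNAMIC_BASE | NX_COMPAT, 0x1200,
                    [(".text", 0x1000, 0x2000, RX), (".data", 0x3000, 0x1000, SCN_MEM_READ | SCN_MEM_WRITE)])
# Constructed UPX-like image: no ASLR/DEP, UPX0/UPX1 names, entry point inside a RWX UPX1 (the unpacking stub).
PACKED_PE = build_pe(0, 0x9050,
                     [("UPX0", 0x1000, 0x8000, RWX), ("UPX1", 0x9000, 0x2000, RWX), (".rsrc", 0xB000, 0x1000, SCN_MEM_READ)])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        rep = parse_pe(blob)
        print(f"{label}: ASLR={rep.aslr} DEP={rep.dep} sections={[s.name for s in rep.sections]}")
        for ind in rep.indicators:
            print("  -", ind)
```

To apply it to a real file, pass `open(path, "rb").read()` to `parse_pe`; the report lists exactly the header facts PEstudio summarises as indicators, which is useful when you want to confirm a GUI finding or run the same check across a directory of samples.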