1
00:00:11,050 --> 00:00:18,690
Hi everyone, in this video we will look at some of the static analysis tools, primarily for PE files.

2
00:00:18,750 --> 00:00:25,960
So what I mean by static analysis is that you're not going to run or execute that file.

3
00:00:26,040 --> 00:00:33,630
You are only going to use this standalone, on-disk version of the file and then run it through a

4
00:00:33,630 --> 00:00:37,020
bunch of static analysis tools to understand its behavior.

5
00:00:37,500 --> 00:00:44,970
So if you remember, in our previous videos we used tools like hex editors and file format parsers to

6
00:00:44,970 --> 00:00:48,720
understand the structure of the file. In this video,

7
00:00:48,720 --> 00:00:55,140
we specifically want to focus on some additional tools which can help us understand whether the file

8
00:00:55,140 --> 00:00:58,990
that we are looking at is actually a malware file or not.

9
00:00:59,010 --> 00:01:06,650
So these are pretty popular static analysis tools and they are freely available for us to load and use.

10
00:01:06,690 --> 00:01:14,150
This is the list of tools that I want you to quickly go through. Let us come to our virtual machine.

11
00:01:14,260 --> 00:01:21,220
So all the tools which I'm going to discuss are a part of the FLARE VM utility as well.

12
00:01:21,220 --> 00:01:26,410
So if you have installed FLARE, then you will have these tools already present on your machine.

13
00:01:26,410 --> 00:01:33,040
If you haven't, you can individually search for them and download them, and that should also be sufficient

14
00:01:33,040 --> 00:01:34,650
for you to work with too.

15
00:01:35,500 --> 00:01:39,180
So the first tool that I want to talk about is HashCalc.

16
00:01:39,260 --> 00:01:44,080
It's a pretty simple and standard tool for calculating the hash of a file.

17
00:01:44,140 --> 00:01:52,600
So if you drop any file inside it, it will help you calculate MD5, SHA-1, SHA-2 and whatever hash value

18
00:01:52,600 --> 00:01:53,470
you want.

19
00:01:53,470 --> 00:02:01,510
So this is a very useful tool for calculating a file's hash, and you can use it, you know, as an IOC, or you

20
00:02:01,510 --> 00:02:10,220
can use it for searching on VirusTotal and other such services. The second tool that we want to talk about

21
00:02:10,220 --> 00:02:11,970
is EXEinfo.

22
00:02:12,020 --> 00:02:13,760
This is a very interesting tool,

23
00:02:19,950 --> 00:02:29,090
so what EXEinfo tells us is, it gives us certain information about the file like the entry point, the

24
00:02:29,090 --> 00:02:36,070
EP section, the file offset, file size, and overlay section information.

25
00:02:36,260 --> 00:02:42,730
And the most important part is, it also helps us understand if the file is packed or not.

26
00:02:42,770 --> 00:02:50,020
So here I'm using two different malware files for this video section.

27
00:02:50,020 --> 00:02:56,260
I'll be uploading both these files and I'll provide the link in the description of this video,

28
00:02:56,290 --> 00:03:03,800
so you can go ahead and download them from there so that you can replicate the same analysis. So the two

29
00:03:03,800 --> 00:03:10,790
files that I'm using are: the first one is Maze ransomware. Maze is a ransomware family that has been

30
00:03:10,790 --> 00:03:12,770
out there for a while.

31
00:03:12,770 --> 00:03:21,210
This is one file, and the other one is another backdoor which is packed by a known packer called UPX.

32
00:03:21,380 --> 00:03:28,430
So in EXEinfo, let us first drop our Maze ransomware binary.

33
00:03:28,430 --> 00:03:32,930
So here you'll see that it will tell us the entry point. If you remember, the entry point is something

34
00:03:32,930 --> 00:03:41,660
which we saw in our previous video; that's the location from where the main PE loader of the operating

35
00:03:41,660 --> 00:03:45,810
system will begin executing the file. You have the EP section,

36
00:03:45,890 --> 00:03:54,290
the initial few bytes at the file offset, linker information, file size and overlay information.

37
00:03:54,290 --> 00:04:00,250
Now if you see here, it tells us that it's an EXE file and it has a standard compiler section.

38
00:04:00,260 --> 00:04:01,430
Nothing out of the ordinary.

39
00:04:01,940 --> 00:04:03,190
So that's it.

40
00:04:03,210 --> 00:04:09,770
It did not really pick up anything different, or it did not really pick up any packer information

41
00:04:09,770 --> 00:04:10,920
in the file.

42
00:04:10,920 --> 00:04:17,360
Now let us try our UPX-packed file. If we drop it over here, you'll see that it tells me that the EP section

43
00:04:17,690 --> 00:04:19,960
consists of a UPX header.

44
00:04:20,270 --> 00:04:23,870
Its file size is this.

45
00:04:23,870 --> 00:04:29,150
That's the overlay information, and then it tells me that it has been packed by this particular version

46
00:04:29,150 --> 00:04:30,490
of the UPX packer.

47
00:04:30,530 --> 00:04:41,540
So if you don't know about UPX, it's a pretty well-known packer for packing portable executable

48
00:04:41,540 --> 00:04:42,240
files.

49
00:04:42,260 --> 00:04:50,030
So what happens by packing is that you actually change the overall structure of the file and you replace

50
00:04:50,030 --> 00:04:51,860
it with your own structure.

51
00:04:51,980 --> 00:05:02,420
The file still works as a standard executable. For example, if your program is designed to launch Calculator,

52
00:05:03,110 --> 00:05:07,970
if you pack it with UPX, it's still going to launch Calculator.

53
00:05:07,970 --> 00:05:16,790
The only difference is that the UPX-packed file will not have those standard sections which we saw

54
00:05:16,820 --> 00:05:18,790
in our previous three videos.

55
00:05:18,800 --> 00:05:22,220
They will basically be replaced by UPX's own packer.

56
00:05:22,550 --> 00:05:27,030
So when you run it, the file is unpacked, and that's when the proper sections get created.

57
00:05:27,470 --> 00:05:31,570
So that's the whole advantage of packers.

58
00:05:31,700 --> 00:05:39,680
So packers help you hide all this information, like the header information, which import tables have

59
00:05:39,680 --> 00:05:41,940
been used, and things like that.

60
00:05:41,960 --> 00:05:50,720
So that's why malware authors rely on packers, in order to hide some of these behaviors from

61
00:05:50,720 --> 00:05:52,790
these static analysis tools.

62
00:05:52,790 --> 00:06:02,620
So it also tells me that the packer can be unpacked by downloading the unpacker from the official

63
00:06:02,620 --> 00:06:08,560
website, and you can just run the unpack command and it will give you the unpacked, or the actual, binary,

64
00:06:08,590 --> 00:06:11,250
the actual malware payload that you can analyse.

65
00:06:11,440 --> 00:06:16,180
So this is the importance of EXEinfo; it just helps us analyze that,

66
00:06:16,210 --> 00:06:16,480
OK,

67
00:06:16,480 --> 00:06:22,260
there is no packer inside the file. The next one is PEiD.

68
00:06:22,300 --> 00:06:23,740
That's another interesting tool.

69
00:06:27,410 --> 00:06:31,850
Launch PEiD, drop our packed file.

70
00:06:32,030 --> 00:06:36,080
See, if you see here, again very similar to our previous tool,

71
00:06:36,100 --> 00:06:38,830
it tells me the packer's information.

72
00:06:38,920 --> 00:06:47,620
So this is another common tool which malware researchers or security analysts use to identify if the

73
00:06:47,620 --> 00:06:49,980
file contains any packer or not.

74
00:06:49,990 --> 00:06:56,590
So what happens is, these tools rely on a standard list of known packers.

75
00:06:56,590 --> 00:07:03,640
If the malware is packed by a custom algorithm, then these tools would not be able to identify those

76
00:07:03,640 --> 00:07:04,450
packers.

77
00:07:04,450 --> 00:07:13,340
If it is packed by a known commercial packer which we have seen being utilized by malware in the past,

78
00:07:13,450 --> 00:07:23,680
in that case these tools will be able to identify the packer information. PE-bear is the next tool

79
00:07:23,680 --> 00:07:24,820
that we want to look at.

80
00:07:31,780 --> 00:07:43,380
Let's run it and drop our Maze ransomware file. If you see here, it's pretty much containing

81
00:07:43,380 --> 00:07:48,270
the same information which we have gone through in our previous three videos.

82
00:07:48,420 --> 00:07:55,410
It tells us general information about the file, like its hash, size, the DOS header, the rich header

83
00:07:55,410 --> 00:08:04,600
information, file header, optional headers, section headers and the import table.

84
00:08:04,760 --> 00:08:12,250
So let's try our other file; that would give us some interesting results here.

85
00:08:12,250 --> 00:08:17,930
So let's look at our UPX-packed file.

86
00:08:17,960 --> 00:08:23,160
So if you look at the DOS header and if you start scrolling down, that's where you'll see the UPX

87
00:08:23,180 --> 00:08:23,960
header inside it.

88
00:08:24,890 --> 00:08:32,360
So this is how these tools identify that the file is actually packed by a packer.

89
00:08:32,360 --> 00:08:39,710
So instead of having the standard sections, it has UPX sections inside the file.

90
00:08:39,710 --> 00:08:41,420
This means that the file is actually packed.

91
00:08:42,020 --> 00:08:46,210
So it also has the disassembled information.

92
00:08:46,220 --> 00:08:51,830
This is something that we'll be looking at later on. This will be utilized when we would be reversing

93
00:08:51,830 --> 00:08:54,590
the files using disassemblers.

94
00:08:54,680 --> 00:09:00,200
So, PE-bear was another tool that is pretty interesting for us to know about.
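The checks the video performs by hand across HashCalc, EXEinfo, PEiD and PE-bear can be scripted against the raw on-disk bytes. The following Python script is an added example written for this transcript; it is not code from the video or from any of the tools it describes, and it uses only the standard library. It computes the hashes HashCalc would show, walks the DOS header, NT headers and section table the way PE-bear displays them, locates the section that contains the entry point, and applies the same signature idea EXEinfo and PEiD use: matching section names that a known packer (here UPX) leaves behind. The two PE images it analyses are constructed, header-only byte strings built inline for the demonstration, not real executables and not the video's Maze or backdoor samples. Two further heuristics go beyond the name match shown in the video and are labelled as additions in the code: an entry point that lies outside a conventional code section, and a section that occupies no bytes on disk but a large region in memory, which is the layout a packer stub unpacks into.

```python
import hashlib
import struct

# Section names that a well-known packer leaves behind. UPX is the packer the
# video shows; a real tool (EXEinfo PE, PEiD) carries a far larger signature
# database, and a custom packer will not be in it at all.
KNOWN_PACKER_SECTIONS = {"UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX", ".upx": "UPX"}


def file_hashes(data: bytes) -> dict:
    """What HashCalc shows: MD5, SHA-1 and SHA-256 of the raw on-disk bytes."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def parse_pe(data: bytes) -> dict:
    """Minimal header walk: DOS header -> NT headers -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic %#x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + size_opt
    for _ in range(num_sections):             # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_pointer": rptr})
        off += 40
    return {"magic": magic, "entry_point": entry_rva, "sections": sections}


def analyze(data: bytes) -> dict:
    """Combine the hash, entry-point and packer checks the video runs tool by tool."""
    pe = parse_pe(data)
    ep = pe["entry_point"]
    ep_section = next((s["name"] for s in pe["sections"]
                       if s["virtual_address"] <= ep
                       < s["virtual_address"] + max(s["virtual_size"], s["raw_size"])), None)
    packer, indicators = None, []
    for s in pe["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:          # signature match, as EXEinfo/PEiD do
            packer = KNOWN_PACKER_SECTIONS[s["name"]]
            indicators.append(f"section {s['name']} matches {packer} signature")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            # Added heuristic: no bytes on disk but a large memory footprint is the
            # region a packer stub unpacks the original code into.
            indicators.append(f"section {s['name']} is empty on disk but {s['virtual_size']:#x} bytes in memory")
    if ep_section not in (".text", "CODE"):
        # Added heuristic: an entry point outside the usual code section points at a stub.
        indicators.append(f"entry point {ep:#x} lies in section {ep_section!r}")
    return {"hashes": file_hashes(data), "entry_point": ep, "ep_section": ep_section,
            "sections": [s["name"] for s in pe["sections"]],
            "packer": packer, "indicators": indicators}


def build_sample(sections, entry_rva: int) -> bytes:
    """Constructed header-only PE32 image for the demo: valid headers, no code, not runnable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: NT headers follow the DOS header
    size_opt = 224                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                 vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
                     for name, vsize, va, rsize, rptr in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed samples: (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData).
# UPX_LIKE mimics the section layout UPX produces; PLAIN mimics a normal compiler build.
UPX_LIKE = build_sample([("UPX0", 0x10000, 0x1000, 0, 0x400),
                         ("UPX1", 0x8000, 0x11000, 0x7000, 0x400),
                         (".rsrc", 0x1000, 0x19000, 0x200, 0x7400)], entry_rva=0x18000)
PLAIN = build_sample([(".text", 0x2000, 0x1000, 0x2000, 0x400),
                      (".rdata", 0x800, 0x3000, 0x800, 0x2400),
                      (".data", 0x400, 0x4000, 0x200, 0x2C00),
                      (".rsrc", 0x300, 0x5000, 0x400, 0x2E00)], entry_rva=0x1200)

if __name__ == "__main__":
    for label, sample in (("UPX-like", UPX_LIKE), ("plain", PLAIN)):
        report = analyze(sample)
        print(label, report["hashes"]["sha256"][:16], report["packer"], report["indicators"])
```

Running the script reports the UPX-like image as packed by UPX with four indicators and the plain image as clean; to use it on a real file, read the file's bytes and pass them to `analyze`. As the video notes, the name match only finds packers in the signature list, which is why the two layout heuristics are worth keeping alongside it: a custom packer will not have a UPX0 section, but it still has to put its stub somewhere and reserve memory to unpack into.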