--strings Extract all the string
--url Extract File Name and Url
--hexdump Reverse Hex dump
--import List Entry Import instances
--export List Entry Export instances
--resource List Entry Resource instances
--debug List Entry DebugData instances
You can run individual analysis tools against the file, such as --hash to calculate the MD5 and SHA1, or
--peid to see whether the file is packed and with which packer, or simply use the --auto option to run all of
them. Of particular use is the --suspicious option, which lists suspicious functions and sections. Searching
for the functions in the MSDN Library [4] can help you understand what the sample can do, e.g. CreateProcessA,
which is self-explanatory. APIs to look out for are OpenProcess, VirtualAllocEx, WriteProcessMemory,
CreateRemoteThread, ReadProcessMemory, CreateProcess, WinExec, ShellExecute, HttpSendRequest,
InternetReadFile, InternetConnect, CreateService, StartService.
Armed with the output from peframe, you will have a better idea of what you're dealing with
before attempting dynamic analysis.
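As an added illustration of the triage the --strings, --url and --suspicious options perform (this is example code written for this article, not peframe's own implementation), the script below pulls printable strings out of a raw sample, matches them against the API watch-list above, and groups the hits by the capability each API family suggests; the grouping and the constructed sample bytes are this example's own assumptions.

```python
import re
from collections import defaultdict

# Watch-list taken from the text above, grouped by the capability each API
# family suggests. The grouping is this example's own, not peframe's.
SUSPICIOUS_APIS = {
    "process injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                          "CreateRemoteThread", "ReadProcessMemory"],
    "execution": ["CreateProcess", "WinExec", "ShellExecute"],
    "network": ["HttpSendRequest", "InternetReadFile", "InternetConnect"],
    "persistence (service)": ["CreateService", "StartService"],
}
# Accept the bare name and its A/W variants (CreateProcessA, CreateProcessW).
API_PATTERNS = {cap: [re.compile(rf"\b{api}[AW]?\b") for api in apis]
                for cap, apis in SUSPICIOUS_APIS.items()}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def extract_strings(data: bytes, min_len: int = 4):
    """Printable-ASCII runs of at least min_len bytes (what --strings shows)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def triage(data: bytes):
    """Flag suspicious API names and URLs found in a sample's strings."""
    strings = extract_strings(data)
    hits = defaultdict(set)
    for s in strings:
        for capability, patterns in API_PATTERNS.items():
            for pat in patterns:
                for m in pat.finditer(s):
                    hits[capability].add(m.group())
    urls = sorted({u for s in strings for u in URL_RE.findall(s)})
    return {"apis": {cap: sorted(names) for cap, names in hits.items()},
            "urls": urls}

# Constructed stand-in for a raw, unpacked PE: NUL-separated import names
# as they appear in the hint/name table, plus one hard-coded URL.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 8
          + b"\x00OpenProcess\x00\x00VirtualAllocEx\x00\x00WriteProcessMemory"
          + b"\x00\x00CreateRemoteThread\x00kernel32.dll\x00\x00CreateProcessA"
          + b"\x00http://example.invalid/update.exe\x00")

if __name__ == "__main__":
    report = triage(SAMPLE)
    for capability, names in report["apis"].items():
        print(f"{capability}: {', '.join(names)}")
    print("urls:", report["urls"])
```

A packed sample will show few or none of these names until it is unpacked, which is why checking --peid first matters.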
Dynamic Analysis
Dynamic analysis involves running samples on a system in order to observe their behavior and record their
payload. Understanding the malware's behavior and the changes it makes to the system can help clean up the
infection on a compromised system.
Dynamic analysis can be carried out on individual samples using a selection of tools which vary in
complexity, although this can be somewhat repetitive and time consuming. An alternative approach is to
automate the entire process by using a sandbox. There are several commercial solutions available
although they are generally expensive.
Cuckoo Sandbox is a free, open source solution that runs and analyses suspicious files and generates
comprehensive output describing their behavior. From the Cuckoo website [5]:
Traces of win32 API calls performed by all processes spawned by the malware.
Files being created, deleted and downloaded by the malware during its execution.
Memory dumps of the malware processes.
Network traffic trace in PCAP format.
Screenshots of Windows desktop taken during the execution of the malware.
Full memory dumps of the machines.
[4] http://msdn.microsoft.com/en-us/library
[5] http://docs.cuckoosandbox.org/en/latest/introduction/what/#use-cases
27 Cyber Warnings E-Magazine – August 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide