Day3 Session1 Lab1 (Static Malware Analysis)

The Static Malware Analysis Lab Manual provides a structured 45-minute exercise for hands-on experience with various static malware analysis tools on a Windows operating system. It includes detailed steps for configuring network settings, using tools like VirusTotal, BinText, PEView, PEiD, and UPX to analyze and manipulate malware samples. The manual emphasizes the importance of following the environmental setup and using the specified binaries and utilities for effective analysis.

Static Malware Analysis Lab Manual

Static Malware Analysis


Estimated Time:
The below exercise may take approximately 45 minutes.

Requirements:
1. Windows operating system as per the environmental setup.
2. Web Browser: Internet Explorer or Google Chrome
3. Practical Malware Analysis Labs Binary Collection
4. BinText
5. PEView
6. MD5 and SHA Checksum Utility
7. PEiD
8. UPX

Objective:
The objective of this lab is to provide hands-on experience with various static malware analysis tools and
techniques.

Note:
● The binaries for this exercise are located in the C:\Users\workshop\Downloads\Practical Malware
Analysis Labs folder.
● The tools used in the exercise are located in the C:\Users\workshop\Downloads folder.

Network Configuration:
The network adapter of the Windows 7 virtual machine is to be set to NAT for lab exercises 1 and 2, which
need Internet access to reach VirusTotal. The remaining exercises do not need Internet access, so after
exercises 1 and 2 restore the adapter to the LAN segment, as per the environmental setup.

To configure the network adapter of the VM to NAT, navigate to VM -> Settings -> Network Adapter, select
NAT and click OK.

Software & Network Security Fundamentals


Copyright © C-DAC Hyderabad, 2025 Page 1 of 9

Figure 1: Network Settings changed to NAT

1. On the Windows virtual machine,

a. Navigate to Control Panel -> Network and Internet -> Network and Sharing Center. Click on
Change Adapter Settings.

Figure 2: Changing adapter settings in Windows-I


b. Right click on the Local Area Connection and select Properties, then select Internet Protocol
Version 4 (TCP/IPv4) from the list.


Figure 3: Changing adapter settings in Windows-II

c. Click on Properties and select “Obtain an IP address automatically”. Click “OK” to close.

Figure 4: Changing adapter settings in Windows-III


Lab Exercises:
Open VMWare Workstation and power on the Windows virtual machine.
1. Check the detection of a sample malware file with VirusTotal.
a. Open the Google Chrome or Internet Explorer browser on the virtual machine.
b. Navigate to https://www.virustotal.com

Figure 5: VirusTotal Home Page

c. Click on the “Choose File” option, select any file from the Practical Malware Analysis Labs ->
sample binaries folder, say Lab01-01.exe, and upload it.

Figure 6: Select the file for uploading

d. Observe how many AV engines detected the sample as malware. The count is a signal, not a verdict: a
low count does not prove the file is benign. Also note that uploading a file shares it with VirusTotal and
its partners, so for a sample that may be confidential, search for its hash first (exercise 2) instead of
uploading it.


Figure 7: AV engines flagging the sample as malware

2. Compute the hash of a sample using the “MD5 and SHA Checksum Utility”, copy it and search for the hash
in VirusTotal.
a. Open the MD5 and SHA Checksum utility in the Windows 7 virtual machine. Click on the “Browse”
button.

Figure 8: MD5 and SHA Checksum Utility

b. Select any file from the Practical Malware Analysis Labs -> sample binaries folder for generating
the hash, say Lab01-02.exe; upon selection of a file, the hashes are generated and displayed.

Figure 9: Hashes generated by the utility



c. Copy any one of the generated hashes (MD5, SHA-1 or SHA-256); each identifies the same file and
VirusTotal accepts all three.


d. Navigate to https://www.virustotal.com and click on the “Search” tab.

Figure 10: Search for hashes in VirusTotal

e. Paste the copied hash and press Enter to observe whether the AV engines flag the hash as malware. A
search by hash does not upload the file. If VirusTotal reports no match, the file has simply not been
submitted before; that is not evidence that it is clean.

Figure 11: AV engines flagging hash as a malware
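Note: The following Python script is an added example and is not part of this lab manual or of the
Practical Malware Analysis lab files. It does in code what the checksum utility does in exercise 2: it
hashes a file in chunks with MD5, SHA-1 and SHA-256, then hashes a copy in which a single byte has been
changed. The sample bytes are constructed inline and are not one of the lab binaries. Every digest of the
modified copy differs, which is why a VirusTotal hash search finds only byte-identical files and misses a
repacked or patched variant of the same malware.

```python
import hashlib
import os
import tempfile

# Constructed sample content for this example; it is not one of the lab binaries.
SAMPLE = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)) * 4


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one pass, reading in chunks
    so that a large sample is never loaded into memory at once."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def write_temp(data: bytes) -> str:
    """Write constructed bytes to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def hashes_after_one_byte_change(data: bytes, offset: int) -> tuple:
    """Hash the data as given and again after flipping one bit of the byte at
    `offset`. Returns (original_hashes, mutated_hashes)."""
    mutated = bytearray(data)
    mutated[offset] ^= 0x01
    orig_path, mut_path = write_temp(data), write_temp(bytes(mutated))
    try:
        return hash_file(orig_path), hash_file(mut_path)
    finally:
        os.remove(orig_path)
        os.remove(mut_path)


if __name__ == "__main__":
    before, after = hashes_after_one_byte_change(SAMPLE, offset=len(SAMPLE) - 1)
    for name in before:
        print(f"{name:7} {before[name]}")
        print(f"{'':7} {after[name]}  (after a one-byte change)")
    # Every digest differs: a VirusTotal hash search only matches byte-identical files,
    # so a repacked or trivially patched variant will not be found by hash alone.
```

The same function can be pointed at a lab binary to cross-check the values shown by the checksum
utility; the hashes of compressed.exe and original.exe from exercise 6 will also differ from each other
for exactly this reason.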

3. Extract the strings of a sample using the BinText utility.

a. Open the BinText tool on the Windows 7 virtual machine and click on the “Browse” button.
b. Select any executable, say Lab01-01.exe, and then click on the “Go” button.
c. Observe the ASCII and Unicode strings that BinText extracts from the sample; look for file paths,
URLs, registry keys and DLL or API names.


Figure 12: Strings of an executable from BinText
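Note: The following Python script is an added example and is not part of this lab manual or of BinText.
It shows what a strings tool does under the hood: it scans a buffer for runs of printable ASCII bytes and
for runs of UTF-16LE characters (what BinText labels Unicode strings), each of a minimum length, and then
sorts the hits into the categories an analyst checks first (URLs, file paths, registry keys, DLL names).
The buffer, the hostname example.invalid and the registry path are constructed for the example and do not
come from the lab binaries.

```python
import re

# Constructed buffer standing in for a binary: ASCII strings, a UTF-16LE string
# (BinText's "Unicode" strings) and random bytes. Not one of the lab binaries.
SAMPLE = (
    b"\x00\x01\x02MZ\x90\x00\x03\x00"
    + b"kernel32.dll\x00CreateFileA\x00\x7f\x13"
    + "http://example.invalid/update.php".encode("utf-16-le") + b"\x00\x00"
    + b"\x8b\xec\x83\xc4\xf8"
    + b"C:\\Windows\\System32\\drivers\\etc\\hosts\x00ab\x00"
    + b"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (kind, offset, text) tuples for printable-ASCII runs and UTF-16LE
    runs of at least `min_len` characters, ordered by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("unicode", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda t: t[1])


# Patterns for the string types that usually matter first in static triage.
TRIAGE = {
    "url": re.compile(r"https?://\S+", re.I),
    "path": re.compile(r"^[A-Za-z]:\\"),
    "registry": re.compile(r"^HKEY_[A-Z_]+\\", re.I),
    "dll": re.compile(r"\.dll$", re.I),
}


def triage(strings: list) -> dict:
    """Group extracted strings by the TRIAGE category they match."""
    out = {kind: [] for kind in TRIAGE}
    for _, _, text in strings:
        for kind, rx in TRIAGE.items():
            if rx.search(text):
                out[kind].append(text)
    return out


if __name__ == "__main__":
    hits = extract_strings(SAMPLE)
    for kind, offset, text in hits:
        print(f"{offset:08x} {kind:7} {text}")
    for kind, texts in triage(hits).items():
        if texts:
            print(f"{kind}: {texts}")
```

Running extract_strings over a lab binary gives the same list BinText shows; raising min_len trims the
short junk runs that any compiled code produces by accident.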

4. Open a sample in PEView and observe the TimeDateStamp and imports.
a. Open the PEView tool in the Windows 7 virtual machine.
b. Open the sample Lab01-01.dll in PEView.
c. Expand the IMAGE_NT_HEADERS section on the left-hand panel, click on IMAGE_FILE_HEADER and
observe the Time Date Stamp, the linker-recorded compile time. This field can be set to any value by
whoever built the binary, so treat it as a hint, not proof, of when the sample was compiled.

Figure 13: Time date stamp of a sample using PEView

d. Expand the “SECTION .rdata” on the left-hand panel and, under the drop-down options, click on
the “IMPORT Name Table”, which lists the functions imported from various DLLs. The function names
are shown in the Value column of the table on the right.


Figure 14: Imported functions listed for a given sample

5. Open a sample with PEiD and check the packer information.
a. Open the PEiD tool in the Windows 7 virtual machine and click on the button with the three
dots “…” icon.
b. Load any executable, say Lab01-03.exe; the detected packer or compiler is shown in the bottom pane.
PEiD matches byte signatures of known packers, so “Nothing found” means only that no signature
matched, not that the file is unpacked; section names, a very small import table and high entropy
are the usual cross-checks.

Figure 15: Packaging info using PEiD
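Note: The following Python script is an added example for exercises 4 and 5 and is not part of this lab
manual, of PEView or of PEiD. It parses, with nothing but the struct module, the fields the two exercises
look at: IMAGE_FILE_HEADER.TimeDateStamp, the section table and the import name table, and then applies
two cheap packer heuristics (packer-named sections such as UPX0/UPX1, and an import table too small for a
real program). Because no lab binary can be embedded here, build_sample_pe constructs a minimal PE32
image with one section and a KERNEL32.dll import table; its layout constants, timestamp and section
names are assumptions for the example only. The parser itself works on any 32- or 64-bit PE file.

```python
import struct
from datetime import datetime, timezone

# Layout of the constructed sample image: one section, RVA 0x1000 mapped at file
# offset 0x200. Assumptions for this example, not values from the lab binaries.
SECT_RVA, SECT_RAW, SECT_SIZE = 0x1000, 0x200, 0x200


def build_sample_pe(timestamp: int = 0x5F000000, section_name: bytes = b".rdata") -> bytes:
    """Construct a minimal PE32 image with one section holding an import table for
    KERNEL32.dll (CreateFileA, WriteFile). Constructed for illustration only."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 104, SECT_RVA, 40)                    # DataDirectory[1] = imports
    sect = struct.pack("<8sIIIIIIHHI", section_name, SECT_SIZE, SECT_RVA, SECT_SIZE,
                       SECT_RAW, 0, 0, 0, 0, 0x40000040)
    hdr = (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(SECT_RAW, b"\0")
    body = bytearray(SECT_SIZE)
    rva = lambda off: SECT_RVA + off
    # IMAGE_IMPORT_DESCRIPTOR for KERNEL32.dll, followed by an all-zero terminator descriptor
    struct.pack_into("<IIIII", body, 0x00, rva(0x40), 0, 0, rva(0x80), rva(0x60))
    for base in (0x40, 0x60):                                          # INT at 0x40, IAT at 0x60
        struct.pack_into("<III", body, base, rva(0x90), rva(0xA0), 0)
    body[0x80:0x8D] = b"KERNEL32.dll\0"
    body[0x90:0x9E] = struct.pack("<H", 0) + b"CreateFileA\0"          # IMAGE_IMPORT_BY_NAME
    body[0xA0:0xAC] = struct.pack("<H", 0) + b"WriteFile\0"
    return hdr + bytes(body)


def parse_pe(data: bytes) -> dict:
    """Read the fields the lab inspects in PEView: IMAGE_FILE_HEADER.TimeDateStamp,
    the section table and the import name table (by-name and by-ordinal entries)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B             # PE32+ magic
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsect):
        s = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": s[1], "vaddr": s[2], "rawsize": s[3], "raw": s[4]})

    def rva2off(rva: int) -> int:
        for s in sections:
            if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
                return rva - s["vaddr"] + s["raw"]
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    thunk_fmt, thunk_size = ("<Q", 8) if is64 else ("<I", 4)
    ordinal_flag = 1 << (63 if is64 else 31)
    desc = rva2off(imp_rva) if imp_rva else None
    while desc is not None:
        int_rva, _, _, name_rva, iat_rva = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                                              # terminator descriptor
            break
        funcs, thunk = [], rva2off(int_rva or iat_rva)
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ordinal_flag
                         else cstr(rva2off(entry) + 2))                # skip the 2-byte hint
            thunk += thunk_size
        imports[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return {"machine": machine, "timestamp": tstamp,
            "compiled_utc": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
            "sections": [s["name"] for s in sections], "imports": imports}


def packer_hints(info: dict) -> list:
    """Cheap indicators that a file is packed: UPX-named sections (extend the tuple
    with other packers' section names) and an import table too small for a real program."""
    hints = []
    packer_sections = [n for n in info["sections"] if n.upper().startswith(("UPX",))]
    if packer_sections:
        hints.append(f"packer section names: {packer_sections}")
    n_imports = sum(len(v) for v in info["imports"].values())
    if n_imports < 5:
        hints.append(f"only {n_imports} imported functions; real imports may be resolved at runtime")
    return hints


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("compiled:", info["compiled_utc"], "(linker-set; can be forged)")
    for dll, funcs in info["imports"].items():
        print(dll, funcs)
    print("packer hints:", packer_hints(parse_pe(build_sample_pe(section_name=b"UPX1"))))
```

Point parse_pe at Lab01-01.dll to reproduce what PEView shows in exercise 4; run packer_hints on the
packed and unpacked files from exercise 6 to see the section names and import count change.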

6. Use UPX to pack and unpack the given sample.

a. Open command prompt (cmd.exe) in the Windows 7 virtual machine.
b. Change the current working directory to the folder where upx.exe is present using the
following command.
cd C:\Users\workshop\Downloads\upx-4.2.4-win64
c. For packing a sample, say Lab01-01.exe, use the following command.
upx.exe "C:\Users\workshop\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L\Lab01-01.exe" -o compressed.exe


Figure 16: UPX for packing an executable

d. For unpacking the compressed sample, use the following command.
upx.exe -d compressed.exe -o original.exe
Note that upx -d only unpacks files produced by an unmodified UPX; malware authors often alter the UPX
headers or section names so that this step fails, and such samples have to be unpacked manually.

Figure 17: UPX for unpacking an executable

End of the Document

