Basic static analysis of a malware sample can reveal a great deal about it without executing it, for example by looking for important strings:
The PE (Portable Executable) header is the place to begin basic static analysis of a Windows malware sample. Several free and open-source tools cover this task, as well as paid ones; for this demonstration I will be using the free version of PEStudio. A Windows executable is organised into a fixed structure, and the PE header describes that structure: among other things it carries the section table and the import and export tables that list the DLLs and API functions the program needs, which sets the stage for what the running process will be able to do.
Here I will use UPX to unpack the malware sample before loading it into PEStudio for basic static analysis. Take note of the section information and the imports, which are of little use while the sample is still packed (UPX replaces the original sections with its own UPX0 and UPX1 sections and compresses the original code and data) but become available immediately after unpacking. I will be using a sample of the Pony malware, also known as Fareit, taken from the ANY.RUN sandbox (Pony Malware Any.Runs).
After opening the unpacked sample in PEStudio, I select the strings section in the left-hand pane and go through the list looking for interesting and important strings. The first thing I notice is a GUID, which looks like a Windows unique identifier. GUIDs are worth pivoting on because one found in a binary is either a well-known Windows or COM identifier or something specific to the program, and a quick search usually tells you which; copying this string into Google immediately returns results for Pony (Fareit) malware:
Continuing through the strings, I notice a URL. Rather than browsing to it from the analysis machine, I investigate it in Google, which identifies it as the command-and-control (C&C) server of the malware, since removed from the web:
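To make the steps above concrete, here is a small Python script, added as an example and not the author's code or anything from PEStudio, that does by hand what the PEStudio panes show: it walks the DOS and NT headers to the section table, flags the UPX0/UPX1 section names that UPX leaves behind, measures per-section entropy (packed data sits near 8 bits per byte), and extracts ASCII and UTF-16 strings, pulling out GUIDs and URLs to pivot on. The PE bytes, the GUID and the URL (on the reserved .invalid TLD) are constructed inline so the script runs offline; none of them come from the real Pony sample.

```python
"""Constructed example: minimal PE section-table parser plus string triage.
Not the article author's code and not PEStudio; the sample bytes are built inline."""
import math
import re
import struct

DOS_MAGIC = b"MZ"
NT_MAGIC = b"PE\0\0"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def parse_sections(data):
    """Walk DOS header -> e_lfanew -> NT signature -> COFF header -> section table.
    Returns a list of (name, virtual_size, raw_size, raw_offset) tuples."""
    if data[:2] != DOS_MAGIC:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_MAGIC:
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0"), vsize, rawsize, rawptr))
    return sections


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 means compressed or encrypted (packed) data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_upx_packed(sections):
    """UPX replaces the original section names with UPX0/UPX1 (plus .rsrc)."""
    return bool({s[0] for s in sections} & UPX_SECTION_NAMES)


ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){5,}")
GUID_RE = re.compile(r"\{?[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?")
URL_RE = re.compile(r"https?://[\w.\-/%?=&]+")


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs of 5+ characters, like a strings pane."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def triage_strings(strings):
    """Pull out the two indicator types the write-up pivots on: GUIDs and URLs."""
    guids, urls = [], []
    for s in strings:
        guids += GUID_RE.findall(s)
        urls += URL_RE.findall(s)
    return {"guids": guids, "urls": urls}


def report(data):
    """One summary dict per sample: section names, UPX hint, entropy, indicators."""
    sections = parse_sections(data)
    return {
        "sections": [s[0].decode() for s in sections],
        "upx": looks_upx_packed(sections),
        "entropy": {s[0].decode(): round(shannon_entropy(data[s[3]:s[3] + s[2]]), 2) for s in sections},
        "indicators": triage_strings(extract_strings(data)),
    }


def build_sample():
    """Constructed bytes: a PE header with UPX section names and a payload holding a
    made-up GUID and a URL on the reserved .invalid TLD. Not a real sample.
    SizeOfOptionalHeader is 0 to keep it short; real PE32 files use 224 (PE32+ 240)."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers start right after
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0, 0x0102)  # i386, 3 sections
    payload_off = 0x40 + 4 + 20 + 3 * 40

    def sec(name, vsize, rawsize, rawptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rawsize, rawptr, 0, 0, 0, 0, 0xE0000040)

    payload = (b"\0\0\0" + b"{0B3D9C8E-4A7F-4E21-9D6B-2C5F8A1E7B34}\0"
               + b"http://example.invalid/gate.php\0\0"
               + "Pony loader".encode("utf-16-le") + b"\0\0")
    hdr = bytes(dos) + NT_MAGIC + coff
    hdr += sec(b"UPX0", 0x8000, 0, payload_off)
    hdr += sec(b"UPX1", 0x2000, len(payload), payload_off)
    hdr += sec(b".rsrc", 0x1000, 0, payload_off)
    return hdr + payload


if __name__ == "__main__":
    print(report(build_sample()))
```

On a real file, replace build_sample() with the bytes of the unpacked sample; the UPX0/UPX1 names and a near-8.0 entropy on the code section are the two quickest packer tells before you reach for `upx -d`, and the GUID and URL lists are the strings to search for, not to browse to.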
Grant Knoetze
IT Support Specialist, Cybersecurity Analyst, Software Developer
This is code that I wrote to help me with red teaming. Disclaimer - Nothing on this page is intended for malicious purposes, anything that you do with any code is your own responsibility, never engage a target without written permission in the form of a signed contract.