The first phase of malware analysis is basic static analysis: a limited triage pass using a small set of tools and techniques, without running (detonating) the malware. Static analysis may already produce findings that give insight into what the malware is trying to achieve, other useful information and possibly IOCs. For this small exercise a Windows 10 x64 FlareVM will be used.

In basic static analysis the malware does not need to be armed (that is, the extra .xxx extension appended after .exe does not need to be removed to make the file executable again), since it will not be run; it is safer to leave it disarmed.

The first step is collecting the two most common hashes of the sample, SHA-256 and MD5. Looking these file hashes up on virustotal.com can give the first information about the sample.


The next phase of static analysis extracts human-readable strings from the sample, which can help to firm up the evidence and the fingerprint of the sample. The strings tool can be used for this, or FLOSS; for this example I used FLOSS, which additionally tries to decode any obfuscated strings it finds in the sample.

Among the interesting strings it returned, several appear to be API calls used inside the malware sample. Finally there is the “special” output from FLOSS, which points to the more “fruitful” (according to the tool) information among the file’s strings.


Next, PEview is used to get a bit more information on the malware sample: the Windows API calls it makes, the raw data size and the virtual size of its sections, and the compilation date. Comparing the raw data size with the virtual size gives a good indication of whether the sample is packed or not.


Comparing the two hexadecimal values in the Windows programmer calculator shows that they are fairly close, indicating that the sample is most likely not packed (a packed section is typically much larger in memory than on disk, since the packer's stub expands it at run time).

This information can be found in the IMAGE_SECTION_HEADER .text entry in PEview, and the timestamp in IMAGE_FILE_HEADER under the IMAGE_NT_HEADERS section. Finally, the Windows API calls can be found in the Import Address Table under SECTION .rdata. Some of the interesting APIs I can find used in this sample are ShellExecuteW and URLDownloadToFileW. Neither of those API calls is inherently malicious, and a trained eye (not mine) could probably spot more than the two here that indicate we are dealing with a malicious file. For this stage, [malapi.io](https://malapi.io/) can also be useful: it is a site that arranges common WinAPIs that can be used maliciously, and that are found in malware, into categories according to what these APIs help the malware accomplish.
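As an added example (not code from the original write-up), the Python script below does the same header checks by hand: it reads the PE headers with struct to get the TimeDateStamp and each section's VirtualSize and SizeOfRawData, applies the packed/not-packed size comparison, and computes the MD5 and SHA-256. The function names, the 2x size ratio used as a packing threshold, and the PE bytes returned by build_sample() (one section with close sizes, one UPX-style section that is empty on disk) are my own constructions for the demo, not values from the sample discussed above.

```python
import hashlib
import struct
from datetime import datetime, timezone

def file_hashes(data: bytes) -> dict:
    """MD5 and SHA-256, the two hashes the write-up collects first for a VirusTotal lookup."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def parse_pe(data: bytes) -> dict:
    """Walk IMAGE_DOS_HEADER -> IMAGE_NT_HEADERS -> IMAGE_SECTION_HEADER[] with struct."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    sections = []
    for i in range(nsec):  # section table follows the optional header, 40 bytes per entry
        name, vsize, _, rawsize, _ = struct.unpack_from("<8sIIII", data, fh + 20 + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
    return {"machine": machine, "sections": sections,
            "compiled": datetime.fromtimestamp(ts, tz=timezone.utc)}

def packing_hint(section: dict, ratio: float = 2.0) -> str:
    """The PEview + calculator check: a section far larger in memory than on disk is
    filled at run time, a classic packer sign. The 2x ratio is a rule of thumb (assumption)."""
    raw, virt = section["raw_size"], section["virtual_size"]
    if raw == 0 and virt > 0:
        return "suspicious: empty on disk, filled at run time"
    if virt > raw * ratio:
        return "suspicious: virtual size much larger than raw size"
    return "normal: sizes are close"

def build_sample() -> bytes:
    """Constructed minimal PE headers (not a real sample): .text with close sizes, UPX0 empty on disk."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C -> PE header at 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 1_600_000_000, 0, 0, 0, 0x22)  # SizeOfOptionalHeader = 0
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x3F20, 0x1000, 0x4000, 0x400, 0, 0, 0, 0, 0x60000020)
    upx0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x20000, 0x5000, 0, 0x4400, 0, 0, 0, 0, 0xE0000080)
    return dos + b"PE\0\0" + file_hdr + text + upx0

if __name__ == "__main__":
    sample = build_sample()  # replace with open("sample.exe.xxx", "rb").read() for a real file
    print(file_hashes(sample), parse_pe(sample)["compiled"].isoformat())
    for s in parse_pe(sample)["sections"]:
        print(f"{s['name']:8} raw=0x{s['raw_size']:x} virt=0x{s['virtual_size']:x} -> {packing_hint(s)}")
```

Only the section table and file header are parsed here; the import table (where ShellExecuteW and URLDownloadToFileW would show up) needs the optional header's data directories and is left to PEview or PEstudio.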

These are some of the initial steps to take in order to start fingerprinting a malware sample. All of the above steps and information can also be obtained from a single tool, PEstudio, which combines the functionality of many basic tools (strings, FLOSS, MD5 checksum, PEview and many more). PEstudio also offers a section listing possible IOCs the sample appears to contain.