Static analysis is a valuable counterpoint to dynamic analysis. In this webinar, we’re going to show you how to manually perform basic static analysis of a PE (portable executable – usually an .exe file). We’ll use free utilities designed for this purpose. I’ll show you how to confirm that a file really is a PE. Then I’ll show you the structure of a PE including:
• Headers
• Imports
• Exports
• Sections
• Resources
Then we’ll zero in on fundamental ways of recognizing signs of malware. We will look at how the Imports of a file help us understand it’s possible functionality by seeing what functions of the OS and other libraries the PE calls. We’ll also look at how to extract all the strings in a PE to look for things like shell commands, IP addresses, domain names and the like. We will explore how PEs can embed other files – event other malicious EXEs.
Of course, the bad guys know about static analysis so I’ll provide a brief introduction to obfuscation techniques such as packing, XORing, compressing and encoding.
The session won’t make you an expert in static file analysis but it will help you grasp the fundamentals and make you more effective at using malware analysis, understanding indicators of compromise, and getting pointed in the right direction if you want to dig deeper into static analysis.
But at the end of the day you can only manually analyze so many files each day. ReversingLabs is the perfect sponsor for this event and Robert Perica, a Principal Engineer/ Threat Analyst at ReversingLabs will briefly show you their extremely fast and deep automated static file analysis Titanium Platform technology.