updating static

2025-12-19 15:14:18 +01:00 · 2017-03-23 22:03:36 -07:00
parent 827e2c0bcd
commit 92ce077de4
10 changed files with 43 additions and 1 deletions
--- a/dynamic.md
+++ b/dynamic.md
@@ -5,4 +5,6 @@ title: Dynamic Analysis
 ---
 [Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)

-# Section 4: Dynamic Analysis #
+# Section 6: Dynamic Analysis #
+
+[Section 5 <- Back](https://securedorg.github.io/RE101/section5)
--- a/images/static1.png
+++ b/images/static1.png
--- a/images/static2.gif
+++ b/images/static2.gif
--- a/images/triage1.png
+++ b/images/triage1.png
--- a/images/triage2.png
+++ b/images/triage2.png
--- a/images/triage3.png
+++ b/images/triage3.png
--- a/images/triage4.png
+++ b/images/triage4.png
--- a/images/triage5.png
+++ b/images/triage5.png
--- a/static.md
+++ b/static.md
@@ -7,4 +7,42 @@ title: Static Analysis

 # Section 5: Static Analysis #

+## LAB 1
+
+### Possible Packer?
+Notice in CFF explorer that there is UPX in the header.
+![alt text](https://securedorg.github.io/images/triage2.png "UPX")
+
+When you open the executable in IDA, you will notice large section of non-disassembled code.
+![alt text](https://securedorg.github.io/images/triage4.png "IDA UPX")
+
+Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
+![alt text](https://securedorg.github.io/images/triage5.png "Unpacking UPX")
+
+### Reopen the executable in IDA.
+
+The next step is getting a sense as to what the program is doing.
+So far we can assume:
+* This exe is connecting to the internet somehow
+* This exe is using a string encryption function
+* This exe might be spawning a shell
+
+---
+
+Navigate to the **String** window.
+
+Here is an interesting string that we should start with:
+![alt text](https://securedorg.github.io/images/static1.png "Strings window")
+
+Using the **X** key we can jump to the reference of that string in the assembly code.
+![alt text](https://securedorg.github.io/images/static2.gif "Strings window")
+
+This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
+
+We should rename this function **SetRegkey**.
+
+---
+
+ 
+
 [Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
--- a/triage.md
+++ b/triage.md
@@ -77,8 +77,10 @@ You can use the **Malware Analysis Report** template [HERE](https://securedorg.g
 2. Copy over the unknown file
 3. Check the file header by opening the file in the hex editor **HxD**
 * Notice the first 1 byte is **MZ** meaning it's a PE Binary
+![alt text](https://securedorg.github.io/images/triage1.png "MZ Header")
 4. Now right click the file and select **CFF explorer** to check the PE header
 * Note the imports it's using
+![alt text](https://securedorg.github.io/images/triage3.png "Imports")
 5. Calculate the hash using **quickhash**, go to virustotal.com and search the hash
 6. Open the file in **BinText** and record any interesting strings