Tools

1- VirusTotal ([Link]
2- md5deep program; WinMD5 calculator, Hash Calc
3- Strings program ([Link] ;
Bintext: [Link]
4- PEiD : [Link]
[Link].
5- UPX ([Link]
6- Dependency Walker program ([Link]
7- Resource Hacker tool ([Link]
8- PEBrowse Professional ([Link]
9- PE Explorer ([Link]
10- PE View: [Link]

Hints:
From strings:
1- GetLayout and SetLayout are Windows functions used by the Windows graphics library. We can
easily identify these as meaningful strings because Windows function names normally begin with a
capital letter and subsequent words also begin with a capital letter.
2- [Link] at is meaningful because it’s the name of a common Windows dynamic link library
(DLL) used by graphics programs.
3- [Link] is an IP address— most likely one that the malware will use in some fashion
4- Mail system DLL is invalid.!Send Mail failed to send message. is an error message. Often, the most
useful information obtained by running Strings is found in error messages. Note that the missing DLL
itself is not necessarily malicious; malware often uses legitimate libraries and DLLs to further its goals.

From Obfuscated and Packed malwares:

5- Legitimate programs almost always include many strings. Malware that is packed or obfuscated
contains very few strings. Packed and obfuscated code will often include at least the functions
LoadLibrary and GetProcAddress, which are used to load and gain access to additional functions.
LoadLibrary and GetProcAddress allow a program to access any function in any library on the system,
which means that when these functions are used, you can’t tell statically which functions are being
linked to by the suspect program.

From Imports and Linked library:

6- Code libraries can be linked statically, at runtime, or dynamically. Knowing how the library code
is linked is critical to our understanding of malware because the information we can find in the PE file
header depends on how the library code has been linked. When analyzing code, it’s difficult to
differentiate between statically linked code and the executable’s own code, because nothing in the PE
file header indicates that the file contains linked code.
7- The PE file header stores information about every library that will be loaded and every function that
will be used by the program. The libraries used and functions called are often the most important parts
of a program, and identifying them is particularly important, because it allows us to guess at what the
program does. For example, if a program imports the function URLDownloadToFile, you might guess
that it connects to the Internet to download some content that it then stores in a local file.
From Exploring Dynamically Linked Functions with Dependency Walker:
8- We see several functions, but the most interesting is CreateProcessA, which tells us that the program
will probably create another process, and suggests that when running the program, we should watch for
the launch of additional programs.
9- Executables can import functions by ordinal instead of name. When importing a function by ordinal,
the name of the function never appears in the original executable, and it can be harder for an analyst to
figure out which function is being used. When malware imports a function by ordinal, you can find out
which function is being imported by looking up the ordinal value in the pane 4 (below function pane).

From Exported Functions

10- Software authors name their exported functions in a way that provides useful information. It’s
common for programmers to use Microsoft convention to name them, but the function can have any
name. In Microsoft, in order to run a program as a service, you must first define a ServiceMain
function. In Malware's, the presence of an exported function called ServiceMain tells you that the
malware runs as part of a service. If malware uses exports, it will often either omit names entirely or
use unclear or misleading names. We can view export information using the Dependency Walker
program.

Other Notes:
Any software that does something that causes detriment to the user, computer, or network—such as
viruses, trojan horses, worms, rootkits, scareware, and spyware—can be considered malware.

The Goals of Malware Analysis:

The purpose of malware analysis is usually to provide the information we need to respond to a network
intrusion. Our goals will typically be to determine exactly what happened, and to ensure that we’ve
located all infected machines and files.
• what a particular suspect binary can do,
• how to detect it on your network,
• how to measure and contain its damage.
Once we identify which files require full analysis, it’s time to develop signatures to detect malware
infections on our network.
Host-based signatures or indicators, are used to detect malicious code on victim computers.

The Portable Executable (PE) file format is used by Windows executables, object code, and DLLs.
The PE file format is a data structure that contains the information necessary for the Windows OS
loader to manage the wrapped executable code. Nearly every file with executable code that is loaded by
Windows is in the PE file format, though some legacy file formats do appear on rare occasion in
malware.
PE files begin with a header that includes information about the code, the type of application, required
library functions, and space requirements. The information in the PE header is of great value to the
malware analyst.
Imports are functions used by one program that are actually stored in a different program, such as code
libraries that contain functionality common to many programs. Code libraries can be connected to the
main executable by linking.
Difference between Static linking and runtime linking?
Static linking is the least commonly used method of linking libraries, although it is common in UNIX
and Linux programs. When a library is statically linked to an executable, all code from that library
is copied into the executable, which makes the executable grow in size. When analyzing code, it’s
difficult to differentiate between statically linked code and the executable’s own code, because nothing
in the PE file header indicates that the file contains linked code.

Runtime linking is commonly used in malware, especially when it’s packed or obfuscated.
Executables that use runtime linking connect to libraries only when that function is needed, not
at program start, as with dynamically linked programs.

Dynamic linking is the most common and the most interesting for malware analysts. When libraries
are dynamically linked, the host OS searches for the necessary libraries when the program is loaded.
When the program calls the linked library function, that function executes within the library.

Several Microsoft Windows functions allow programmers to import linked functions not listed in a
program’s file header. the two most commonly used are LoadLibrary and GetProcAddress.
LdrGetProcAddress and LdrLoadDll are also used.

F U N C T I O N N A M I N G C O N V E NT I O N S
When evaluating unfamiliar Windows functions, a few naming conventions are worth noting because
they come up often and might confuse you if you don’t recognize them. For example, you will often
encounter function names with an Ex suffix, such as CreateWindowEx. When Microsoft updates a
function and the new function is incompatible with the old one, Microsoft continues to support the old
function. The new function is given the same name as the old function, with an added Ex suffix.
Functions that have been significantly updated twice have two Ex suffixes in their names.
Many functions that take strings as parameters include an A or a W at the end of their names, such as
CreateDirectoryW. This letter does not appear in the documentation for the function; it simply indicates
that the function accepts a string parameter and that there are two different versions of the function: one
for ASCII strings and one for wide character strings. Remember to drop the trailing A or W when
searching for the function in the Microsoft documentation.
Imported Functions
The PE file header also includes information about specific functions used by an executable. The
names of these Windows functions can give you a good idea about what the executable does.
Exported Functions
Like imports, DLLs and EXEs export functions to interact with other programs and code. Typically, a
DLL implements one or more functions and exports them for use by an executable that can then import
and use them. The PE file contains information about which functions a file exports.
Software authors name their exported functions in a way that provides useful information. One
common convention is to use Microsoft documentation. For example, in order to run a program as a
service, you must first define a ServiceMain function. The presence of an exported function called
ServiceMain tells you that the malware runs as part of a service.
Unfortunately, while the Microsoft documentation calls this function ServiceMain, and it’s common for
programmers to do the same, the function can have any name. Therefore, the names of exported
functions are actually of limited use against sophisticated malware. If malware uses exports, it will
often either omit names entirely or use unclear or misleading names.