The file references whitelist string and pestudio
PeStudio is a tool used for statically analyzing malware and is one of my favourite tools for malware analysis. Whenever I begin analysing a piece of malware, I will always load it into PeStudio first. It provides so much information about the sample and gives me a wealth of information to start building out my report. This is great for the initial triage of a malware sample.

In this article, I will cover what PeStudio is, some of the key features and how you can use it to begin analyzing malware. What I love about PeStudio is how easy it is to use and the clear, simple layout of the tool. Double-clicking the desktop icon opens the tool; to start investigating a piece of malware, simply drag the malware sample into the tool.

Main Tab

Upon opening a malware sample in PeStudio the user is presented with the 'Main' tab. The user is then presented with a number of tabs that provide varying information that PeStudio has pulled out of the sample. Here we are presented with information such as hashes of the sample; if you are dealing with a malware-related incident in your organization, you could use this information to start blocking and looking for devices that have these hashes on the filesystem.

PeStudio also provides the first bytes in hexadecimal; in the image above we can see this is '4D 5A'. This is useful because it confirms that the file is indeed a Windows executable. The first bytes in the header of a file will always have the same byte pattern depending on the type of file. As Windows users, we typically identify a file by the extension appended to the file name i.e. However, the operating system recognizes each type of file by the byte pattern in the header: a Windows executable will always begin with '4D 5A' in hex, which equates to the values 'MZ' in ASCII.

The entropy of the file is also listed. This is useful because the value of the entropy can help identify whether the malware is packed or not. Entropy is measured on a scale of 0-8; the higher the value, the more likely it is that the malware is packed, with values of 7-8 pretty much confirming the sample is packed. Malware is often packed so that the code written by the malware author is obfuscated: the bad guys have taken time to write some malicious code and don't want it to be an easy task for somebody to take a quick look at the malware and, in a short space of time, identify what it does and how to stop it.

In the image below, we can see that PeStudio has identified a signature for UPX, which is a common packer used by malware authors. This is useful because PeStudio is telling us that we will need to unpack the malware in order to pull out some useful IOCs. So by using PeStudio we can start to work out whether a sample is packed or not.

The next tab in PeStudio is the indicators tab, which highlights data within the sample that may be malicious and of interest to a malware analyst. The above image shows how PeStudio has identified a number of indicators and classified them on a scale of 1-3, with 1 being a confident malicious indicator. In this example, it has identified some malicious strings, sections and imports, and has found another file within the sample. This is all useful information, as PeStudio has tabs on the left-hand side for strings, sections, and imports that allow us to delve deeper into these suspicious indicators.

The sections tab displays the various sections which make up the executable file. In the image above we can see the section names associated with the UPX packer, again confirming from using PeStudio that the malware is indeed packed.
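The header and entropy checks described above, as an added Python example that is not from the original article or from PeStudio itself: it tests the first two bytes for the 4D 5A ('MZ') magic and computes Shannon entropy on the same 0-8 scale, flagging 7 and above as likely packed. The sample byte strings are constructed for illustration and are not real malware.

```python
import math
from collections import Counter

# Windows executables begin with the DOS magic 4D 5A ('MZ' in ASCII).
MZ_MAGIC = b"\x4d\x5a"
# Article's rule of thumb: entropy in the 7-8 range pretty much confirms packing.
PACKED_THRESHOLD = 7.0


def is_windows_executable(data: bytes) -> bool:
    """Return True when the first bytes carry the 'MZ' pattern PeStudio shows."""
    return data[:2] == MZ_MAGIC


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, so the result lies on the 0-8 scale."""
    if not data:
        return 0.0
    total = len(data)
    entropy = -sum((n / total) * math.log2(n / total) for n in Counter(data).values())
    return max(0.0, entropy)  # a file made of one byte value yields -0.0; clamp to 0.0


def triage(data: bytes) -> dict:
    """Summarise the two static checks the way a first pass over the Main tab would."""
    entropy = shannon_entropy(data)
    return {
        "first_bytes": data[:2].hex(" ").upper(),  # e.g. '4D 5A'
        "is_pe": is_windows_executable(data),
        "entropy": round(entropy, 3),
        "verdict": "likely packed" if entropy >= PACKED_THRESHOLD else "below packing threshold",
    }


# Constructed samples (not real malware): a text-heavy PE-like blob, a blob whose
# body is near-uniform bytes (what a packed section looks like), and a non-PE file.
PLAIN_SAMPLE = MZ_MAGIC + b"This is ordinary, repetitive text. " * 40
PACKED_LIKE_SAMPLE = MZ_MAGIC + bytes(range(256)) * 16
NOT_PE_SAMPLE = b"%PDF-1.7\n" + b"obj " * 50

if __name__ == "__main__":
    for name, blob in [("plain", PLAIN_SAMPLE), ("packed-like", PACKED_LIKE_SAMPLE), ("not-pe", NOT_PE_SAMPLE)]:
        print(name, triage(blob))
```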