Once you have an understanding of the dynamic analysis tools and steps involved in dynamic analysis, these tools can be used together to glean maximum information from the malware sample. In this section, we will perform both static and dynamic analysis to determine the characteristics and behavior of a malware sample (sales.exe
).
Let's start the examination of the malware sample with static analysis. In static analysis, since the malware sample is not executed, it can be performed on either the Linux VM or the Windows VM, using the tools and techniques covered in Chapter 2, Static Analysis. We will start by determining the file type and the cryptographic hash. Based on the following output, the malware binary is a 32-bit executable file:
$ file sales.exe sales.exe: PE32 executable (GUI) Intel 80386, for MS Windows
$ md5sum sales.exe
51d9e2993d203bd43a502a2b1e1193da sales.exe
The ASCII strings extracted...