This repository documents an advanced technical deep-dive into Static Malware Analysis. The project involves a systematic analysis of 10 unique malware samples using an extensive suite of industry-standard tools. The objective was to achieve maximum tool coverage to identify file signatures, PE headers, embedded strings, and malicious capabilities while maintaining a zero-execution safety profile.
Malware analysis is the critical process of dissecting suspicious files to understand their intent. This lab focuses on Static Analysis to provide a baseline for threat intelligence.
| Aspect | Static Analysis | Dynamic Analysis |
|---|---|---|
| Execution | Analyzing without running the file. | Running the file in a controlled sandbox. |
| Safety | 🟢 High (Zero risk of infection). | 🟡 Moderate (Requires isolated VM). |
| Focus | Headers, Hashes, Strings, Metadata. | API hooks, Network traffic, Registry changes. |
| Goal | Quick triage and IoC extraction. | Behavioral profiling and payload analysis. |
I cross-checked every finding across GUI, CLI, and cloud-based platforms so that no verdict rests on a single tool's output.
For file-type identification, I checked binary signatures (magic bytes) to verify the claimed file format and inspected the PE headers for suspicious indicators.
🖥️ CLI Tools
- TrID: Identifies file types via a massive library of binary signatures.
- Sigcheck: Verifies file versions, digital signatures, and entropy levels.
- Strings: Initial triage to extract readable plain-text data.
- CAPA: Automatically detects high-level malicious capabilities.
- PeStudio: Flags suspicious indicators based on pre-defined blacklisted patterns.
Evidence located in Static filetype Cli ScreenShots/
💻 GUI Tools
- PeStudio / PE-bear: Advanced visualization of Portable Executable (PE) headers and sections.
- Detect It Easy (DIE): Accurately identifies compilers, linkers, and packers.
- HxD: Manual hexadecimal inspection of raw binary data.
- CFF Explorer: Comprehensive PE structure editing and deep inspection.
- TrIDNet: Graphical interface for signature-based file identification.
Evidence located in GUI FILE_TYPE ScreenShots/
String analysis extracts hardcoded data such as IP addresses, C2 URLs, and imported Windows API names in order to map out the malware's logic without running it.
🖱️ GUI Strings
- Detect It Easy / PE-bear: Allows viewing strings specific to PE sections.
- BinText: A high-speed GUI tool for massive string extraction.
- PeStudio: Automatically filters and highlights malicious strings.
Evidence located in Strings GUI Screenshots/
⌨️ CLI Strings
- CAPA: Maps extracted strings directly to MITRE ATT&CK techniques.
- Ripgrep (rg): Ultra-fast pattern matching (Regex) for IoCs.
- Strings64: Professional-grade raw text extraction.
- FLOSS: Extracts obfuscated strings that standard tools miss.
Evidence located in Strings cli ScreenShots/
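The two CLI passes above (signature/PE-header inspection and string extraction with IoC pattern matching) can be reproduced in a few dozen lines. The script below is an added example written for this page; it is not code from the lab repository or from any of the tools listed. It runs over a constructed byte buffer (a minimal MZ/PE header skeleton followed by NUL-separated strings, not a real sample), computes the hashes one would submit to VirusTotal, checks the MZ and PE signatures, decodes a few IMAGE_FILE_HEADER fields, extracts printable strings the way `strings -n 5` does, and runs the same kind of regexes one would otherwise feed to Ripgrep. The IP address, URL and API name in the buffer are constructed; the header field offsets and flag values are the documented PE/COFF ones.

```python
"""Static triage of a PE-style byte buffer: hashes, MZ/PE signature check,
a few IMAGE_FILE_HEADER fields, printable-string extraction and regex IoC
matching.  Added example; not part of the lab repository or of any tool
listed there.  Nothing in the buffer is executed."""
import hashlib
import re
import struct
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "ARM64"}

# Constructed sample: a 64-byte DOS header whose e_lfanew points at a PE
# signature and a 20-byte file header, followed by NUL-separated strings of
# the kind a triage run should surface.  It is not a real binary.
SAMPLE = b"".join([
    b"MZ" + b"\x00" * 58,              # DOS header up to e_lfanew (offset 0x3C)
    struct.pack("<I", 0x40),           # e_lfanew: PE header starts at 0x40
    b"PE\x00\x00",                     # PE signature
    struct.pack("<HHIIIHH",
                0x8664,                # Machine: x64
                3,                     # NumberOfSections
                0x5F000000,            # TimeDateStamp (constructed)
                0, 0,                  # PointerToSymbolTable, NumberOfSymbols
                0xF0,                  # SizeOfOptionalHeader
                0x0022),               # Characteristics: EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    b"\x00" * 16,
    b"kernel32.dll\x00CreateRemoteThread\x00",
    b"http://198.51.100.23/update.bin\x00",   # TEST-NET-2 address, constructed
    b"10.0.0.5\x00ab\x00\x01\x02x\x03",       # 'ab' and 'x' fall under the length filter
])

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    # A few APIs that PeStudio-style blacklists flag; extend as needed.
    "suspicious_api": re.compile(
        r"\b(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|URLDownloadToFile\w*)\b"),
}


def hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 digests, the lookup keys for VirusTotal-style checks."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def pe_header(data: bytes):
    """Return selected IMAGE_FILE_HEADER fields, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsec,
        "compiled": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "optional_header_size": opt_size,
        "executable_image": bool(chars & 0x0002),   # IMAGE_FILE_EXECUTABLE_IMAGE
        "is_dll": bool(chars & 0x2000),             # IMAGE_FILE_DLL
    }


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs of at least min_len bytes, like `strings -n 5`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_iocs(strings) -> dict:
    """Run each IoC regex over the extracted strings; keep unique hits in order."""
    hits = {name: [] for name in IOC_PATTERNS}
    for s in strings:
        for name, pat in IOC_PATTERNS.items():
            for match in pat.findall(s):
                if match not in hits[name]:
                    hits[name].append(match)
    return hits


def triage(data: bytes) -> dict:
    """Full static pass: hashes, header fields, strings and IoC hits."""
    strings = extract_strings(data)
    return {"hashes": hashes(data), "pe": pe_header(data),
            "strings": strings, "iocs": find_iocs(strings)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Replace `SAMPLE` with `open(path, "rb").read()` to run it against a real file on the analysis VM. The `pe_header` check refuses anything without a valid `e_lfanew`, which is why TrID-style signature checks come before header parsing: a renamed ELF, a document or a packer stub that only borrows the MZ prefix is reported as "not PE" instead of producing garbage fields, and a compile timestamp far in the future or past is itself a common tampering indicator worth flagging alongside the IoC hits.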
Local findings were correlated against global databases to confirm the threat verdict and detection ratios.
- VirusTotal: Reputation check against 70+ global antivirus engines.
- Hybrid Analysis: Heuristic-based cloud reporting and threat scores.
- Mark0.net: Cloud-based TrID verification for precise identification.
Evidence located in Online tools Malware Analysis ScreenShots/
After analyzing multiple samples, here is the performance verdict of the toolset:
- 💡 Most Comprehensive Insight: CAPA (Best for understanding intent).
- ⚡ Highest Efficiency: Ripgrep (rg) (Fastest for filtering IoCs).
- 🛠️ Essential Static GUI: PeStudio (Best for instant indicator flagging).
- ✅ Primary Verification Source: VirusTotal (Best for global detections).
Detailed evidence is organized in the following linked directories:
- GUI FILE_TYPE ScreenShots/ — PE headers and architecture.
- Static filetype Cli ScreenShots/ — CLI triage and signature results.
- Strings cli ScreenShots/ — CLI pattern matching and IoC extraction.
- Strings GUI Screenshots/ — GUI based string analysis.
- Online tools Malware Analysis ScreenShots/ — Cloud verification reports.
Below are the official resources for the tools used in this laboratory:
| Tool | Type | Official Download / Link |
|---|---|---|
| PeStudio | GUI | Winitor.com |
| Detect It Easy (DIE) | GUI | GitHub - horsicq/Detect-It-Easy |
| PE-bear | GUI | GitHub - hasherezade/pe-bear |
| CAPA | CLI/GUI | GitHub - mandiant/capa |
| Ripgrep (rg) | CLI | GitHub - BurntSushi/ripgrep |
| Sigcheck / Strings | CLI | Sysinternals (Microsoft) |
| HxD | GUI | mh-nexus.de |
| CFF Explorer | GUI | NTCore |
| TrID / TrIDNet | CLI/GUI | Mark0.net |
| FLOSS | CLI | GitHub - mandiant/flare-floss |
| VirusTotal | Online | VirusTotal.com |
| Hybrid Analysis | Online | Hybrid-Analysis.com |
This repository is created strictly for educational and research purposes. All malware samples were handled in a controlled and isolated environment.