How to Perform Static Malware Analysis with Radare2
In this article, we are going to explore how to perform static malware analysis with Radare2.
Before diving into technical details let's explore first what is malware analysis and what are the different approaches to perform it.
Malware analysis is the art of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware analyst, our main role is to collect all the information about malicious software and have a good understanding of what happened to the infected machines. Like any process, to perform a malware analysis we typically need to follow a certain methodology and a number of steps. To perform Malware Analysis we can go through three phases:
- Static Malware Analysis
- Dynamic Malware Analysis
- Memory Malware Analysis
Static Malware analysis
Static malware analysis refers to the examination of the malware sample without executing it. It consists of providing all the information about the malicious binary. The first steps in the static analysis are knowing the malware size and file type to have a clear vision about the targeted machines, in addition to determining the hashing values, because cryptographic hashes like MD5 or SHA1 can serve as a unique identifier for the sample file. To dive deeper, finding strings, dissecting the binary and reverse-engineering the code of malware using a disassembler like IDA could be a great step to explore how the malware works by studying the program instructions. Malware authors often are trying to make
the work of malware analysts harder so they are always using packers and cryptors to evade detection. That is why, during static analysis, it is necessary to detect them using tools like PEiD.
Dynamic Malware analysis
Performing static analysis is not enough to fully understand malware's true functionality. That is why running the malware in an isolated environment is the next step for the malware analysis process. During this phase, the analyst observes all the behaviours of the malicious binary. Dynamic analysis techniques track all the malware activities, including DNS summary, TCP connections, network activities, syscalls and much more.
Memory Malware analysis
Memory malware analysis is widely used for digital investigation and malware analysis. It refers to the act of analysing a dumped memory image from a targeted machine after executing the malware to obtain multiple numbers of artefacts including network information, running processes, API hooks, kernel loaded modules, Bash history, etc. ... This phase is very important because it is always a good idea to have a clearer understanding of malware capabilities. The first step of memory analysis is memory acquisition by dumping the memory of a machine using a various number of utilities. One of these tools is fmem, which is a kernel module to create a new device called /dev/fmem to allow direct access to the whole memory
To perform malware analysis you need to build a malware lab. To learn how to do it, I highly recommend you to read my article:
How to perform static malware analysis with Radare2
According to its official
Github account:
Radare2 is unix-like reverse engineering __ framework and command line tools
Source: https://rada.re/r/img/webui.png
It is more than a reverse engineering tool. R2 is able to perform many other tasks. Usually, you will find it hard to learn Radare2 but after a while, you will acquire a good understanding of most of its features.
Let's get started by exploring this great tool. As a demonstration, we are going to learn how to perform some static malware analysis with it. Usually, in the static analysis, we need to perform these tasks and to collect many pieces of information including:
- File type and architecture
- File fingerprinting and hashes
- Strings
- Decoding obfuscation
- Determining Packers and Cryptors
- Header information
- Classification and Yara Rules
- Online AV Scanning (Check the embedded article for more information)
Radare2 installation:
Before using R2 we need to install it first.
$ \<a class="mention" data-id="TMLH8gEnq2rpQcJkH" data-type="Tag" href="/tags/git"\>git clone \<a href="https://github.com/radare/radare2.git" target="_blank" rel="noopener"\>https://github.com/radare/radare2.git\</a\</a
cd radare2
and install it:
$ sys/install.sh
Radare2 contains many tools such as rabin2 , radiff2 , rax2 , rasm2 etc...
If you are using Kali Linux you can use it directly by typing:
r2
For the demonstration, I downloaded "Multi-Platform Linux Router DDoS ELF".
As discussed previously first we need to obtain information about the binary:
rabin2 -I halfnint
To extract the string from the data section type:
rabin2 -z halfnint
Load the binary
radare2 halfnint
To get information use the " i " option. Check all the available gathered information by typing:
i?
For example to collect information about Exports type:
iE
Imports:
ii
Headers:
ih
To calculate the hashes type:
rahash2 -a all halfnint
To determine the packers usually, we use PEiD
But it is a bit outdated, thus, There is Yara support in r2 and PEiD signatures are available in Yara format.
install libyara
r2pm init
r2pm -i yara3-lib
Summary
In this module, we explored the different techniques to perform malware analysis. Later we learned how to install an amazing tool called "Radare2" and how to use to perform some static malware analysis tasks.
References:
Chiheb Chebbi "Malware Analysis a Machine Learning Approach" eForensics Magazine Issue 07/2017
Chiheb Chebbi: How to bypass Machine Learning Malware Detectors with Generative adversarial Networks