isarmadfarooq/static-malware-analysis-nuces

🛡️ Static Malware Analysis Report


Assignment No. 1 – Malware Analysis and Detection
A comprehensive static analysis of 7 malware samples (4 EXE, 2 DLL, 1 Unknown) sourced from Malware Bazaar, conducted inside an isolated VMware lab environment.


About This Project

This repository contains a complete Basic Static Malware Analysis report submitted as Assignment #1 for the Malware Analysis course in the MS Cybersecurity program at NUCES (FAST National University).

The analysis was performed strictly using static analysis techniques — no malware samples were executed at any point. All work was conducted inside an isolated VMware virtual machine to ensure complete containment.

The objective of this assignment was to demonstrate proficiency in:

  • Identifying file types using magic bytes and signature analysis
  • Generating and verifying cryptographic fingerprints
  • Analyzing PE (Portable Executable) structures
  • Identifying imported DLLs and suspicious API calls
  • Detecting packing and obfuscation techniques
  • Extracting strings and developing YARA detection rules
  • Cross-validating results using multiple tools

Samples Analyzed

| # | SHA256 (truncated) | Type | Malware Family | VirusTotal Detections | Threat |
|---|---|---|---|---|---|
| 1 | 06cb74c0...448d9a | .exe | qfthf | 14/71 | Trojan |
| 2 | 885b57ac...80bee | .exe | epack/gen2 | 37/72 | Trojan |
| 3 | ac43c5d2...455cd | .exe | sonbokli/generik | 23/72 | Trojan |
| 4 | e5f83c66...1aa0 | .exe | tedy | 45/68 | Trojan |
| 5 | 622706fa...1877 | .dll | fragtor/mekotio | 26/72 | Trojan |
| 6 | dab744a5...ea5a | .dll | rugmi | 28/59 | Trojan |
| 7 | e702f4cd...b5e0 | .unknown | N/A | 3/63 | Suspicious |

Source: Malware Bazaar — samples downloaded for academic research purposes only.


Analysis Methodology

Static Analysis Pipeline
─────────────────────────────────────────────────────────────
Sample Acquisition (Malware Bazaar)
        │
        ▼
Secure Isolated VM (VMware / Windows 10)
        │
        ▼
File Identification ──► Magic Bytes, TrIDNet, Python Magic Library
        │
        ▼
Fingerprinting ──────► MD5 / SHA1 / SHA256 (certutil + hashlib)
        │
        ▼
VirusTotal Lookup ───► Threat Intelligence Correlation
        │
        ▼
PE Structure Analysis ► CFF Explorer + Python pefile
        │
        ▼
DLL / Import Analysis ► Imported functions & suspicious APIs
        │
        ▼
Packing Detection ───► Exeinfo PE + Entropy Analysis
        │
        ▼
Strings Analysis ────► Embedded URLs, IPs, Registry Keys
        │
        ▼
YARA Rule Development ► Per-sample detection signatures
        │
        ▼
Sandbox Analysis ────► Hybrid Analysis + SNDBOX (online)
        │
        ▼
Python Automation ───► End-to-end automated analysis script
─────────────────────────────────────────────────────────────

Tools & Technologies

| Tool | Purpose |
|---|---|
| VMware | Isolated analysis environment |
| Notepad++ (Hex Editor Plugin) | Magic byte / hex analysis |
| CFF Explorer | PE header and import table inspection |
| TrIDNet | Signature-based file type identification |
| Exeinfo PE | Packer and compiler detection |
| Windows certutil | Command-line hash generation |
| YARA | Malware pattern matching and rule development |
| Hybrid Analysis | Online dynamic sandbox |
| SNDBOX | Online behavioral analysis |
| VirusTotal | Threat intelligence correlation |
| Python 3.x | Automation (hashlib, pefile, python-magic) |

Repository Structure

static-malware-analysis/
│
├── README.md                          ← You are here
│
├── report/
│   └── Static_Malware_Analysis_Report_SarmadFarooq.pdf
│
├── yara_rules/
│   ├── rule_sample1.yar               ← YARA rule for Sample 1
│   ├── rule_sample2.yar               ← YARA rule for Sample 2
│   ├── rule_sample3.yar               ← YARA rule for Sample 3
│   ├── rule_sample4.yar               ← YARA rule for Sample 4
│   ├── rule_sample5.yar               ← YARA rule for Sample 5
│   ├── rule_sample6.yar               ← YARA rule for Sample 6
│   └── rule_sample7.yar               ← YARA rule for Sample 7 (Linux ELF)
│
├── scripts/
│   ├── hash_generator.py              ← MD5/SHA1/SHA256 generation
│   ├── file_identifier.py             ← python-magic based file ID
│   ├── pe_structure_analyzer.py       ← pefile PE section analysis
│   ├── dll_import_analyzer.py         ← DLL & imported function extractor
│   ├── entropy_calculator.py          ← Section entropy analysis
│   └── full_automation.py             ← Complete end-to-end script
│
├── hashes/
│   └── sample_hashes.csv              ← All MD5 / SHA1 / SHA256 values
│
└── screenshots/                       ← Tool output screenshots
    ├── cff_explorer/
    ├── tridnet/
    ├── exeinfo_pe/
    ├── virustotal/
    └── sandbox/

⚠️ Note: Malware sample binaries are NOT included in this repository for safety and ethical reasons. Only analysis artifacts (hashes, YARA rules, scripts, and report) are shared.


Analysis Steps Summary

Step 1 – Safe Environment Setup

An isolated virtual machine was configured using VMware running Windows 10 (64-bit). Network adapters were disabled and host-guest file sharing was restricted. Samples from Malware Bazaar were stored only within the VM and were never executed.


Step 2 – File Identification

Magic Bytes & File Signature Analysis:

  • All 4 .exe and both .dll samples begin with 4D 5A ("MZ") — confirming valid Windows PE format.
  • Unknown Sample 1 starts with 00 00 00 00 — no recognizable signature, possibly corrupted or obfuscated.
  • Unknown Sample 2 starts with EF BB BF — UTF-8 BOM, confirming a text/script file.

TrIDNet Results (notable):

  • Sample 5 (.dll): Identified as an Inno Setup installer (63.9%) — extension mismatch, highly suspicious masquerading.
  • Sample 6 (.dll): Identified as a DOS Borland executable (48.6%) — likely file masquerading.

Python python-magic Library:

  • Provided definitive identification of all samples, consistently more accurate than TrIDNet alone.
  • Sample 7 identified as a Linux ext2 filesystem image.
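
As an added illustration of this step (example code written for this README, not one of the repository's own scripts), the magic-byte check in pure Python. The MZ, UTF-8 BOM and all-zero signatures are the ones recorded above; the ELF, ZIP and shebang entries and the extension-plausibility table are assumptions added so the same check also flags content that does not fit its extension, such as PE bytes under a non-executable extension or the non-PE content of Sample 7:

```python
import os
import pathlib
from typing import Dict, List, Tuple

# Leading-byte signatures. MZ, the UTF-8 BOM and the all-zero header are the
# signatures recorded in this report; ELF, ZIP and the shebang are assumptions
# added so the same check covers the non-PE cases a lab usually meets.
MAGIC_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"MZ", "Windows PE image (EXE/DLL)"),
    (b"\x7fELF", "Linux ELF binary"),
    (b"\xef\xbb\xbf", "UTF-8 text/script with BOM"),
    (b"PK\x03\x04", "ZIP container"),
    (b"#!", "Script with shebang"),
    (b"\x00\x00\x00\x00", "No signature (leading null bytes)"),
]

# Extensions that are plausible for each identified type (assumed table).
PLAUSIBLE_EXTENSIONS: Dict[str, set] = {
    "Windows PE image (EXE/DLL)": {".exe", ".dll", ".sys", ".scr", ".cpl"},
    "Linux ELF binary": {"", ".elf", ".so", ".bin", ".ko"},
    "UTF-8 text/script with BOM": {".txt", ".ps1", ".js", ".vbs", ".bat", ".py"},
    "ZIP container": {".zip", ".jar", ".apk", ".docx", ".xlsx"},
    "Script with shebang": {"", ".sh", ".py", ".pl"},
}


def identify_by_magic(header: bytes) -> str:
    """Return the type name of the first matching signature, longest signature first."""
    for magic, description in sorted(MAGIC_SIGNATURES, key=lambda m: -len(m[0])):
        if header.startswith(magic):
            return description
    return "Unknown signature"


def analyze_header(filename: str, header: bytes) -> dict:
    """Identify by magic bytes and flag an extension that does not fit the content."""
    kind = identify_by_magic(header)
    ext = pathlib.PurePath(filename).suffix.lower()
    plausible = PLAUSIBLE_EXTENSIONS.get(kind)
    return {
        "file": filename,
        "magic_hex": " ".join(f"{b:02X}" for b in header[:4]),
        "identified_as": kind,
        "extension": ext,
        # Only meaningful when the type was recognised at all.
        "extension_mismatch": plausible is not None and ext not in plausible,
    }


def analyze_file(path: str, header_len: int = 16) -> dict:
    """Read only the first bytes of a sample; the file is never executed."""
    with open(path, "rb") as fh:
        return analyze_header(os.path.basename(path), fh.read(header_len))


# Constructed headers standing in for samples (the real binaries are not in this repo).
CONSTRUCTED_HEADERS = {
    "sample1.exe": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00",
    "sample5.dll": b"MZ\x90\x00" + b"\x00" * 12,
    "sample7.unknown": b"\x00" * 16,
    "dropper.txt": b"MZ\x90\x00" + b"\x00" * 12,   # PE content under a text extension
    "script.ps1": b"\xef\xbb\xbfWrite-Host 'x'",
}

if __name__ == "__main__":
    for name, header in CONSTRUCTED_HEADERS.items():
        r = analyze_header(name, header)
        flag = "  <-- extension mismatch" if r["extension_mismatch"] else ""
        print(f"{name:16} {r['magic_hex']:12} {r['identified_as']}{flag}")
```

Magic bytes only identify the container; a .dll that starts with MZ but is really an Inno Setup installer (Sample 5) still needs a deeper signature scan such as TrIDNet or python-magic.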

Step 3 – Fingerprinting & Hashing

Cryptographic hashes (MD5, SHA1, SHA256) were generated for all 7 samples using:

  • Windows certutil utility
  • Python hashlib library

A 100% match was confirmed between the two methods for every sample, validating the integrity of the downloaded files.
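
An added example of the cross-check behind that match (example code for this README, not the repository's hash_generator.py): chunked MD5/SHA1/SHA256 with hashlib, plus a small normaliser for certutil output so the two tools can be compared programmatically. The certutil transcript is constructed for the demo and carries the well-known SHA256 of an empty file; the assumption that certutil prints the digest on its own line, either as space-separated byte pairs or as one hex run, is what the parser relies on:

```python
import hashlib
import re
from typing import Dict

ALGORITHMS = ("md5", "sha1", "sha256")
_HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of an in-memory buffer (used for the constructed input below)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in chunks so a large sample never has to be loaded whole."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def parse_certutil_output(text: str) -> str:
    """Pull the digest out of `certutil -hashfile` output.

    Older Windows builds print the digest as space-separated byte pairs and
    newer ones as one hex run; both are normalised to lower-case contiguous hex.
    """
    for line in text.splitlines():
        candidate = line.strip().replace(" ", "").lower()
        if _HEX_DIGEST.fullmatch(candidate):
            return candidate
    raise ValueError("no digest found in certutil output")


def cross_validate(hashlib_digest: str, certutil_text: str) -> bool:
    """True when both tools agree; this is the check behind the 100% match above."""
    return parse_certutil_output(certutil_text) == hashlib_digest.lower()


# Constructed stand-in for certutil output; the digest is SHA256 of an empty file.
CONSTRUCTED_CERTUTIL_OUTPUT = (
    "SHA256 hash of empty.bin:\n"
    "e3 b0 c4 42 98 fc 1c 14 9a fb f4 c8 99 6f b9 24 "
    "27 ae 41 e4 64 9b 93 4c a4 95 99 1b 78 52 b8 55\n"
    "CertUtil: -hashfile command completed successfully.\n"
)

if __name__ == "__main__":
    digests = hash_bytes(b"")          # empty input stands in for a sample file
    print("hashlib sha256:", digests["sha256"])
    print("certutil agrees:", cross_validate(digests["sha256"], CONSTRUCTED_CERTUTIL_OUTPUT))
```

On a real sample replace `hash_bytes(b"")` with `hash_file(path)` and feed the parser the captured `certutil -hashfile <file> SHA256` output.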

VirusTotal Lookup Results:

| Sample | Detections | Family | First Seen |
|---|---|---|---|
| Sample 1 (.exe) | 14/71 | qfthf | 2026-02-14 |
| Sample 2 (.exe) | 37/72 | epack/gen2 | 2026-02-14 |
| Sample 3 (.exe) | 23/72 | sonbokli/generik | 2026-02-14 |
| Sample 4 (.exe) | 45/68 | tedy | 2026-02-13 |
| Sample 5 (.dll) | 26/72 | fragtor/mekotio | 2025-09-17 |
| Sample 6 (.dll) | 28/59 | rugmi | 2025-02-23 |
| Sample 7 (.unknown) | 3/63 | N/A | 2026-02-15 |

Step 4 – PE Structure Analysis

PE sections were extracted using both CFF Explorer and the Python pefile library, and results were cross-validated. Key findings:

  • Sample 2: .rdata section has entropy of 8.00 — strong indicator of packing or encryption.
  • Sample 4: Section count discrepancy between tools (CFF Explorer: 9 vs pefile: 11) — may indicate obfuscation.
  • Sample 7: PEFormatError — DOS Header MZ signature absent; confirmed non-PE file (Linux ELF/ext2 image).

Step 5 – DLL & Import Analysis

Imported DLLs and function calls were analyzed to identify malicious capabilities:

| Capability | Relevant APIs | Found In |
|---|---|---|
| Cryptography | CryptDecrypt, CryptImportKey | Sample 2 |
| Process Enumeration | CreateToolhelp32Snapshot, Process32First/Next | Sample 2 |
| Sandbox/VM Evasion | GetTickCount64, GlobalMemoryStatusEx | Sample 2 |
| Dynamic API Loading | LoadLibraryA, GetProcAddress | Sample 2 |
| Network (C2) | winhttp.dll, ws2_32.dll, wsock32.dll | Sample 5 |
| SOCKS5 Proxy | Full proxy implementation | Sample 4 |
| COM/WMI Automation | Complete COM/OLE stack | Sample 4 |

Step 6 – Packing Detection

Exeinfo PE + Python Entropy Analysis:

| Sample | Packer Detected | Entropy Finding |
|---|---|---|
| Sample 1 | None | Normal |
| Sample 2 | None (UPX artifacts) | .rdata = 8.00 — Packed |
| Sample 3 | Inno Setup SFX + Borland Delphi | Crypted (14.2% zero bytes) |
| Sample 4 | MEW 11 SE v1.1 → Northfox | Not packed |
| Sample 5 | MS Visual C++ / Borland Delphi | Not packed |
| Sample 6 | RadStudio v10-v12 ESD (C++ Builder) | Crypted (12.9% zero bytes) |
| Sample 7 | Not an EXE: Linux EXT2/3/4 image | Not packed (55% zero bytes) |
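
An added example covering both Step 4 (section extraction) and this step (entropy and zero-byte ratio). It is example code written for this README, not the repository's pe_structure_analyzer.py or entropy_calculator.py, and it deliberately avoids pefile: it walks the DOS header, PE signature, COFF header and section table with struct, computes Shannon entropy per section, and raises a PEFormatError (the same name pefile uses) on non-PE input such as Sample 7. The PE image it parses is constructed in the block; the 7.0 packing threshold is an assumption:

```python
import math
import struct
from typing import Dict, List, Tuple


class PEFormatError(ValueError):
    """Raised for non-PE input (same name pefile uses, so the Sample 7 case reads alike)."""


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.00 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def zero_byte_percent(data: bytes) -> float:
    return 100.0 * data.count(0) / len(data) if data else 0.0


def parse_sections(blob: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table by hand."""
    if blob[:2] != b"MZ":
        raise PEFormatError("DOS Header magic not found (no MZ signature)")
    try:
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise PEFormatError("NT Headers signature not found")
        coff = e_lfanew + 4
        _machine, n_sections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", blob, coff)
        table = coff + 20 + opt_size          # section headers follow the optional header
        sections = []
        for i in range(n_sections):
            name, vsize, vaddr, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", blob, table + 40 * i)
            raw = blob[raw_ptr:raw_ptr + raw_size]
            sections.append({
                "name": name.rstrip(b"\0").decode("ascii", "replace"),
                "virtual_size": vsize,
                "virtual_address": vaddr,
                "raw_size": raw_size,
                "entropy": round(shannon_entropy(raw), 2),
                "zero_pct": round(zero_byte_percent(raw), 1),
            })
    except struct.error as exc:
        raise PEFormatError(f"truncated header: {exc}") from None
    return sections


def packed_sections(sections: List[Dict], threshold: float = 7.0) -> List[str]:
    """Names of sections whose entropy suggests compression or encryption (assumed threshold)."""
    return [s["name"] for s in sections if s["entropy"] >= threshold]


def build_minimal_pe(payloads: List[Tuple[str, bytes]]) -> bytes:
    """Constructed, non-executable PE image used only to exercise the parser."""
    opt_size = 240                         # size of a PE32+ optional header, left zeroed
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(payloads), 0, 0, 0, opt_size, 0x22)
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(payloads)
    headers, body = b"", b""
    for idx, (name, data) in enumerate(payloads):
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000 * (idx + 1),
                               len(data), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += len(data)
        body += data
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers + body


# Constructed sections with known entropies (no real sample is embedded here).
CONSTRUCTED_SECTIONS = [
    (".text", bytes(range(16)) * 64),      # 16 equiprobable values -> entropy 4.00
    (".rdata", bytes(range(256)) * 16),    # all 256 values equally -> entropy 8.00, like Sample 2
    (".data", bytes(2048)),                # zeros -> entropy 0.00, 100% zero bytes
]


def demo_report() -> List[Dict]:
    return parse_sections(build_minimal_pe(CONSTRUCTED_SECTIONS))


if __name__ == "__main__":
    report = demo_report()
    for s in report:
        print(f"{s['name']:8} raw={s['raw_size']:5} entropy={s['entropy']:.2f} zero={s['zero_pct']:.1f}%")
    print("packed-looking sections:", packed_sections(report))
    try:
        parse_sections(bytes(64))          # stands in for Sample 7's null-byte header
    except PEFormatError as exc:
        print("non-PE input:", exc)
```

Because the parser honours SizeOfOptionalHeader and NumberOfSections from the COFF header rather than assuming fixed offsets, it is a useful second opinion when two tools disagree on the section count, as they did for Sample 4.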

Step 7 – Strings Analysis & YARA Rules

Embedded strings were extracted using the Windows strings utility. Key IOCs found:

  • Sample 5: C2 URL — https://casabonavitta.com/api/cfg.php (CRITICAL)
  • Sample 5: Registry persistence key — HKCU\Software\Murrhas
  • Sample 4: Build path — C:/Users/Admin/Desktop/andrusha/client/build/main0.exe (developer OPSEC failure)
  • Sample 4: Impersonates Telegram Desktop v6.3.6.0
  • Sample 7: UPX-packed ELF embedded in a Linux IoT firmware image with default root shell /bin/sh

YARA rules were developed for all 7 samples, targeting:

  • Network indicators (http://, https://)
  • Persistence mechanisms (registry run keys)
  • Code injection APIs (CreateRemoteThread, VirtualAllocEx, WriteProcessMemory)
  • Cryptographic APIs (CryptDecrypt, CryptImportKey)
  • Sandbox/VM evasion techniques
  • Linux-specific IoT botnet indicators (/bin/busybox, UPX signatures)
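
As an added example for this step (example code for this README, not the repository's YARA rules or scripts), a string extractor in the spirit of the strings utility, an IOC classifier for the URL and registry-key patterns listed above, and a generator that turns the results into a YARA rule with properly escaped string literals. The input blob is constructed and mixes indicators recorded in this report (the Sample 5 C2 URL and registry key, the Sample 2 cryptographic imports, the Telegram name from Sample 4); the IOC regular expressions and the condition layout are assumptions:

```python
import re
from typing import Dict, List


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """ASCII and UTF-16LE printable runs, like `strings -n 4` (ASCII first, then wide)."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(data)]
    return list(dict.fromkeys(found))      # de-duplicate, keep first-seen order


# Assumed IOC patterns; IPv4 is included because the strings step also looks for IPs.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[\w.\-/%?=&]+", re.I),
    "registry": re.compile(r"HK(?:LM|CU|CR|U|CC)\\[\w\\ .\-]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def classify_iocs(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings by IOC category; empty categories are dropped."""
    iocs: Dict[str, List[str]] = {k: [] for k in IOC_PATTERNS}
    for s in strings:
        for category, pattern in IOC_PATTERNS.items():
            for m in pattern.finditer(s):
                if m.group() not in iocs[category]:
                    iocs[category].append(m.group())
    return {k: v for k, v in iocs.items() if v}


def yara_escape(value: str) -> str:
    """Escape a text string for a double-quoted YARA literal."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(rule_name: str, sha256: str, iocs: Dict[str, List[str]], api_names: List[str]) -> str:
    """Emit a rule whose strings are the extracted IOCs plus suspicious import names."""
    safe = re.sub(r"\W", "_", rule_name)
    string_lines, groups = [], []
    n = 0
    for category, values in iocs.items():
        for value in values:
            string_lines.append(f'        $ioc_{n} = "{yara_escape(value)}" ascii wide  // {category}')
            n += 1
    if n:
        groups.append("any of ($ioc_*)")
    for i, api in enumerate(api_names):
        string_lines.append(f'        $api_{i} = "{yara_escape(api)}" ascii')
    if api_names:
        groups.append(f"{min(2, len(api_names))} of ($api_*)")
    condition = "uint16(0) == 0x5A4D"      # MZ header, as for the PE samples in this report
    if groups:
        condition += " and (" + " or ".join(groups) + ")"
    lines = [f"rule {safe}", "{", "    meta:",
             '        description = "Generated from static string analysis"',
             f'        sha256 = "{sha256}"']
    if string_lines:                       # YARA rejects an empty strings section
        lines += ["    strings:"] + string_lines
    lines += ["    condition:", f"        {condition}", "}"]
    return "\n".join(lines)


# Constructed blob: PE-looking header, ASCII and UTF-16 strings, binary filler.
CONSTRUCTED_BLOB = (
    b"MZ" + b"\x90" * 30
    + b"https://casabonavitta.com/api/cfg.php\x00" + b"\x00" * 8
    + b"HKCU\\Software\\Murrhas\x00"
    + b"CryptDecrypt\x00CryptImportKey\x00"
    + b"\xde\xad\xbe\xef" * 4
    + "Telegram Desktop".encode("utf-16-le") + b"\x00\x00"
)


def demo_rule() -> str:
    strings = extract_strings(CONSTRUCTED_BLOB)
    iocs = classify_iocs(strings)
    return build_yara_rule("demo_static_iocs",
                           "622706fa8bc0dfd26ea5b9b95072ae524387e351bf24aec1987c466dea5e1877",
                           iocs, ["CryptDecrypt", "CryptImportKey"])


if __name__ == "__main__":
    print(demo_rule())
```

The generated rule requires the MZ header plus either one network/persistence indicator or two of the listed imports, which keeps a single common API name from producing false positives on benign binaries.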

Step 8 – Online Sandbox Analysis

Selected samples were submitted to:

  • Hybrid Analysis — behavioral threat scoring
  • SNDBOX — network activity, file modifications, MITRE ATT&CK technique mapping

Step 9 – Full Python Automation

A complete end-to-end Python automation script was developed to automate the entire static analysis pipeline — from hash generation and file identification to PE section analysis and entropy calculation — across all 7 samples in a single run.


Key Findings

Sample 2 (epack/gen2 Trojan) — HIGH THREAT

  • .rdata section entropy of 8.00 (maximum) indicating strong packing/encryption
  • Full cryptographic pipeline present (CryptDecrypt, CryptImportKey)
  • Anti-sandbox techniques: hardware fingerprinting, timing checks
  • Dynamic API resolution via LoadLibraryA + GetProcAddress

Sample 4 (tedy Trojan) — CRITICAL THREAT

  • Built-in SOCKS5 proxy server with authentication
  • Identity spoofing: impersonates Telegram Desktop
  • Go-compiled binary with fully randomized function names
  • System fingerprinting: hardware GUID, hostname, OS version
  • Developer build path leaked in binary strings

Sample 5 (fragtor/mekotio Trojan DLL) — CRITICAL THREAT

  • Hardcoded C2 beacon URL: https://casabonavitta.com/api/cfg.php
  • Registry persistence: HKCU\Software\Murrhas
  • Signed by suspicious entity: TELESEC AFRICA LIMITED, Nairobi, Kenya
  • Extension masquerading: DLL identified as Inno Setup installer

Sample 7 (Linux IoT Firmware) — HIGH / SUSPICIOUS

  • Multi-architecture firmware (x86_64, ARM, MIPS, PPC, s390)
  • UPX-packed ELF binary concealed at end of firmware image
  • Default root account with /bin/sh — critical IoT attack surface
  • Full BusyBox network toolkit (wget, curl, nc, iptables, ssh)

Threat Summary Table

| Sample | Family | Threat Level | Key Risk |
|---|---|---|---|
| Sample 1 | qfthf | 🟡 LOW | Legitimate Sysinternals tool; low detections |
| Sample 2 | epack/gen2 | 🔴 HIGH | Crypto + sandbox evasion + process enumeration |
| Sample 3 | sonbokli/generik | 🟠 MEDIUM-LOW | Inno Setup installer; risk depends on payload |
| Sample 4 | tedy | 🔴 CRITICAL | SOCKS5 proxy + identity spoofing + system fingerprinting |
| Sample 5 | fragtor/mekotio | 🔴 CRITICAL | Active C2 URL + registry persistence + suspicious signing |
| Sample 6 | rugmi | 🟡 LOW-MEDIUM | Legitimate-looking Embarcadero DLL; no active C2 |
| Sample 7 | N/A | 🟠 HIGH / SUSPICIOUS | IoT firmware + UPX-packed ELF; requires further unpacking |

IOCs (Indicators of Compromise)

# C2 URLs
https://casabonavitta.com/api/cfg.php       [Sample 5 - CRITICAL]

# Registry Keys
HKCU\Software\Murrhas                       [Sample 5 - Persistence]

# File Hashes (SHA256)
06cb74c0cafe0ee369c727b5041bba96eee44d849d66fb67def1c2afbe448d9a  [Sample 1]
885b57ac755eb84c505fd41c55bc451746b29fb8101a8e1cff74d46e85a80bee  [Sample 2]
ac43c5d225758269c056dadfbc92c587b3a1da2b8d19bfc1014a154d207455cd  [Sample 3]
e5f83c66e93fc7e36cd7141ef14520ddeb95e90a8d86db4882fd9c04c68a1aa0  [Sample 4]
622706fa8bc0dfd26ea5b9b95072ae524387e351bf24aec1987c466dea5e1877  [Sample 5]
dab744a533bcbc4a2d3f19a54694ceb00587a0ce68d046ca9085d5013321ea5a  [Sample 6]
e702f4cdacc78d8e11274132a6485354b0021ba52447e66fe910efa06b9bb5e0  [Sample 7]

# Developer Artifacts
Build path: C:/Users/Admin/Desktop/andrusha/client/build/main0.exe  [Sample 4]
Impersonates: Telegram Desktop v6.3.6.0                              [Sample 4]

Ethical Declaration

I hereby declare that this report is my original work. The malware samples were analyzed strictly using static analysis techniques within a secure virtual lab environment. No malware sample was executed during the analysis process. All samples were sourced from Malware Bazaar for academic and educational purposes only.

The samples, YARA rules, and scripts in this repository are shared solely for educational, research, and defensive cybersecurity purposes. Do not use any information here for malicious or unauthorized activities.


Author

| Field | Details |
|---|---|
| Name | Sarmad Farooq |
| Student ID | 25I-7722 |
| Program | MS Cybersecurity |
| Course | Malware Analysis |
| Instructor | Jawad Hassan |
| Department | Cybersecurity |
| Institution | NUCES (FAST National University) |

Built for educational purposes as part of the MS Cybersecurity program at NUCES.
⚠️ For defensive and research use only. Never run malware samples outside an isolated environment.
