tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


Static Properties Analysis

Systematic static examination of a suspicious file without executing it. Works for PE, ELF, .NET, scripts, and documents.

FOR610 Labs: 1.1, 2.1, 4.1

Steps

Step 1: File Identification & Hashing

Tools: tools/file, tools/trid, tools/exiftool, tools/sha256sum

Determine the file type from magic bytes rather than the extension (a .doc may really be RTF or OOXML; a .scr is a PE). Compute hashes (MD5, SHA256) for lookup and documentation. Record file size and timestamps.

file specimen.exe
trid document.doc
exiftool document.pdf

Step 2: Reputation Check

Tools: tools/malwoverview, tools/virustotal-search

Look up the hash on VirusTotal/MalwareBazaar. Search by hash only at this stage; do not upload the sample, since submissions are visible to other subscribers (including the adversary) and may leak victim data. If known malware, note family name and detection rate. If clean or unknown, continue analysis.

malwoverview -v <hash>

Step 3: Packing & Entropy Check

Tools: tools/diec, tools/peframe

Check for packing indicators and high-entropy sections. Look for: unusual section names (UPX0/UPX1, .aspack), a tiny import table (often just LoadLibrary/GetProcAddress), section entropy above 7.0 bits per byte. Entropy alone is not proof: compressed resources and embedded encrypted data also score high. If packed, consider the Unpacking Workflow.

diec specimen.exe
peframe specimen.exe

Step 4: String Extraction

Tools: tools/strings, tools/floss, tools/pestr

Extract readable strings. Plain strings reports ASCII only; run it with -e l as well to catch the UTF-16LE strings Windows binaries use, or rely on FLOSS, which reports static UTF-16LE strings too. Use FLOSS for obfuscated/stack strings. Look for: URLs, IPs, domains, registry keys, file paths, error messages, API names.

strings specimen.exe
floss specimen.exe
pestr specimen.exe

Step 5: Capability Detection

Tools: tools/capa, tools/yara

Identify capabilities mapped to MITRE ATT&CK and MBC. Scan with YARA rules for known malware families. Look for: persistence, C2, evasion, lateral movement capabilities. capa warns when the file looks packed; results on a packed sample are unreliable, so rerun it after unpacking.

capa specimen.exe
yara-rules specimen.bin

Step 6: Import & Export Analysis

Tools: tools/peframe, tools/capa

Examine imported DLLs and functions. Map imports to behavior categories: networking (ws2_32, wininet, winhttp), crypto and registry/service control (advapi32), process, memory and file manipulation (kernel32). A packed sample typically imports only LoadLibrary/GetProcAddress and resolves the rest at run time, which is itself a packing indicator. Check exports for DLL functionality.

peframe specimen.exe
capa specimen.exe

Step 7: Disassembly (if needed)

Tools: tools/ghidra, tools/cutter, tools/radare2

Load into disassembler for code-level analysis. Start at entry point, trace key functions. Use decompiler for C-like view.

ghidra
cutter specimen.exe
r2 specimen.exe

Step 8: Document Findings

Record IOCs: hashes, IPs, domains, file paths, registry keys, mutexes. Classify: malware family, capabilities, confidence level. Decide: continue to behavioral analysis?

#static #triage #pe-analysis #elf-analysis #workflow