Malware File Hash Recognition

It submits a file hash to the VirusTotal API and tells you whether or not the file is already known as a virus.

Useful for a quick look up on what's already out there.

Result

The lookup prints the following columns:

Response Code | Positives | Total
Scan Date     | MD5       | SHA1

There are currently two versions but I'm focused on the online version.

Because this is mostly static analysis, you can automate it into your analysis workflow. A typical workflow, in short, looks like this:
triage -> static analysis -> dynamic analysis -> report

In static malware analysis you examine the sample without running it. The first step is to obtain the signature of the binary file, i.e. its cryptographic hash.

Most major operating systems ship a tool for calculating the cryptographic hash of a file. You can also write your own, as I did for the desktop version.

Following that, you can reverse engineer the sample by loading the binary file into a decompiler or disassembler such as IDA Pro.

EICAR Example

Response Code | Positives | Total
200           | 49        | 51

Scan Date           | MD5                              | SHA1
2014-04-14 21:17:17 | 44d88612fea8a8f36de82e1278abb02f | 3395856ce81f2b7382dee72602f798b642f14140

Lab Setup

I recommend setting up an isolated lab. A poor man's working lab is a separate computer devoted to this task. It's more of an art than a science, and there are existing tools for this if you look around. I recommend this setup because this was the setup I used:

  1. Set up REMnux (default password: malware)
  2. Ensure there is enough disk space to clone the VM
  3. When the terminal appears, run:

         update-remnux
         sudo apt-get update
         sudo apt-get upgrade
         sudo apt-get install virtualbox-guest-utils virtualbox-guest-x11 virtualbox-guest-dkms

  4. Clone the VM, selecting "Full clone"
  5. If you absolutely need a shared folder (a temporary one if you must, since it punches a hole in the isolation): sudo adduser remnux vboxsf
  6. Log out and back in for the group change to take effect

Other techniques include verifying the filetype, using public databases and exploring the PE (portable executable, largely a Windows object).

Example

Using "Bombermania.exe" as an example, start by checking the file type. On most *nix boxes you can just run: file Bombermania.exe

This should yield: Bombermania.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

You can also use python-magic (pip install --user python-magic), but its results are sometimes inconsistent with those of file.

Once you have obtained the file's hash (as shown above), entering it into the Malware Scanner should yield details like these:

  • MD5: 471d39a51a79f342033c5b0636c244dc
  • SHA-1: b0324ddd99677d9b0458c7328879f8fde268effc
  • SHA-256: 1154535130d546eaa33bbc9051a9cb91e2b0e3a3991286c3d5b0a708110c9aa7
  • File Type: Win32 EXE
  • Magic literal: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Additional details include when it was first submitted, the creation date, etc. This one (at the time of writing, in 2017) was created in 2005 and first submitted in 2009.
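As an added example, not part of the original tool or page, the script below computes the three hashes, does a magic-byte file-type check in the spirit of the file command above, and reduces a VirusTotal v2 file-report reply to the result columns listed at the top. The EICAR string and the PE stub are constructed inputs, and the reply body is a constructed sample that reuses the numbers from the EICAR row.

```python
import hashlib
import json
import struct

# Constructed sample inputs: EICAR is the standard anti-virus test string
# (harmless by design); PE_STUB is a hand-built DOS/PE header, not a real program.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64) + b"PE\x00\x00" + b"\x00" * 20

# Constructed VirusTotal v2 file-report reply using the EICAR row's numbers.
SAMPLE_STATUS = 200
SAMPLE_BODY = json.dumps({"response_code": 1, "positives": 49, "total": 51,
                          "scan_date": "2014-04-14 21:17:17",
                          "md5": "44d88612fea8a8f36de82e1278abb02f",
                          "sha1": "3395856ce81f2b7382dee72602f798b642f14140"})

def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a buffer: the three values the scanner shows."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def identify(data: bytes) -> str:
    """Magic-byte check in the spirit of `file`, limited to PE and EICAR."""
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "PE executable (PE signature at offset 0x%x)" % pe_off
        return "DOS MZ executable (no PE signature)"
    if b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE" in data:
        return "EICAR test file"
    return "unknown"

def summarize_report(status: int, body: str) -> dict:
    """Reduce an HTTP status plus a v2 report body to the six result columns."""
    out = {"response_code": status, "positives": None, "total": None,
           "scan_date": None, "md5": None, "sha1": None}
    if status != 200:  # e.g. 204 when the public API's request quota is exceeded
        return out
    rep = json.loads(body)
    if rep.get("response_code") != 1:  # 0 means the hash is not in the database
        return out
    for key in ("positives", "total", "scan_date", "md5", "sha1"):
        out[key] = rep.get(key)
    return out

if __name__ == "__main__":
    print(identify(PE_STUB), file_hashes(EICAR)["md5"])
    print(summarize_report(SAMPLE_STATUS, SAMPLE_BODY))
```

Hashing the EICAR bytes reproduces the MD5 and SHA1 shown in the EICAR row, which is a quick way to check that your hashing code matches what the scanner expects.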

You can dig into the PE. Often you can tell whether or not the file is benign from the PE header alone. Tools such as PE-Header-Parser or Icon-Extractor help here.

Ultimately what you do depends on your or your organization's goals, but your report should include at least the following:

  1. Title
  2. Date
  3. Author (contact information, etc.)
  4. Abstract (summary, etc.)
  5. Files
  6. Traits (hashes, size, other names, etc.)
  7. Analysis (figures, statistics, etc.)