Static analysis

The second piece of information that you'll need to know, next to the filename, is the hash of the file. Let's pick Quickhash (https://quickhash-gui.org/) to help us with this task. After opening the passcode.exe file in Quickhash, we get the hash calculations for various algorithms. The following screenshot shows the calculated SHA256 hash for the passcode.exe file:

The file has a name extension of .exe. This initially points us toward tools for analyzing Windows executable files. However, to make sure that this is indeed a Windows executable, let's use TrID to get the file type. TrID (http://mark0.net/soft-trid-e.html) is console-based and should be run from the Command Prompt. We will also need to download and extract TrID's definitions from http://mark0.net/download/triddefs.zip. In the following screenshot, we used dir and trid. With the directory listing from dir, we obtained the file's timestamp and file size. With the trid tool, we identified what type of file passcode.exe is:

Now that we have verified that it is a Windows executable, CFF Explorer should give us more file structure details. Download and install CFF Explorer from https://ntcore.com/. Here is what you will see upon opening it:

Both TrID and CFF Explorer identified the file as a Windows executable, but their results disagree on the architecture. This might be confusing, since TrID identified the file as a Win64 Executable while CFF Explorer identified it as a Portable Executable 32. Resolving this requires identifying the machine type from the PE header itself. The header reference for PE files can be viewed at http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx.

We can use CFF Explorer's Hex Editor to view the binary. The first column shows the file offset, the middle column shows the hexadecimal equivalent of the binary, and the right-most column shows the printable characters:

The file begins with the MZ magic header, the bytes 0x4d 0x5a, denoting a Microsoft executable file. At file offset 0x3c, the DWORD value, read in little endian, is 0x00000080. This is the file offset where the PE header is expected to be located. The PE header begins with a DWORD value of 0x00004550, that is, PE followed by two null bytes. This is followed by a WORD value that tells you which machine type the program can run on. In this program, we get 0x014c, which is IMAGE_FILE_MACHINE_I386 and means that it runs on Intel 386 (a 32-bit microprocessor) processors or later, as well as other compatible processors. This machine field, not a tool's label, is what settles the question: the file is a 32-bit PE.
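The same header walk in code, as an added example that is not from the book: it reads e_lfanew at 0x3c, checks the PE signature there, and decodes the Machine WORD, refusing truncated or non-MZ input. The sample buffer it builds is constructed for illustration, not the real passcode.exe.

```python
import struct

# Machine values from the PE/COFF specification (IMAGE_FILE_MACHINE_*).
MACHINE_TYPES = {
    0x014C: "IMAGE_FILE_MACHINE_I386 (32-bit x86)",
    0x8664: "IMAGE_FILE_MACHINE_AMD64 (64-bit x86)",
    0x01C0: "IMAGE_FILE_MACHINE_ARM",
    0xAA64: "IMAGE_FILE_MACHINE_ARM64",
}


def pe_machine(data: bytes) -> tuple:
    """Return (machine, description); machine is None when the header is invalid."""
    # The DOS header is 0x40 bytes; we need at least that to read e_lfanew.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None, "not an MZ executable"
    # e_lfanew: little-endian DWORD at 0x3c, file offset of the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # We need the 4-byte signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data):
        return None, "e_lfanew 0x%x points past end of file (truncated?)" % e_lfanew
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None, "PE signature missing at 0x%x" % e_lfanew
    # Machine: the first WORD of the COFF file header, right after the signature.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    return machine, MACHINE_TYPES.get(machine, "unknown machine 0x%04x" % machine)


def build_sample(machine: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal image: MZ stub, e_lfanew, PE signature, COFF header."""
    img = bytearray(b"MZ" + b"\x00" * 0x3A)     # DOS header up to offset 0x3c
    img += struct.pack("<I", e_lfanew)          # e_lfanew at 0x3c (0x80 as on the page)
    img += b"\x00" * (e_lfanew - len(img))      # DOS stub area, zeroed here
    img += b"PE\x00\x00"                        # PE signature
    img += struct.pack("<H", machine)           # Machine field
    img += b"\x00" * 18                         # rest of the COFF file header
    return bytes(img)


if __name__ == "__main__":
    print(pe_machine(build_sample(0x014C)))
```

Run it against a real file with `pe_machine(open(path, "rb").read())`; a 0x014c result means 32-bit x86 regardless of what a signature-based identifier reports.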

At this point, what we already know is as follows:

Filename: passcode.exe
Filesize: 16,766 bytes
MD5: 5D984DB6FA89BA90CF487BAE0C5DB300
SHA256: A5A981EDC9D4933AEEE888FC2B32CA9E0E59B8945C78C9CBD84085AB8D616568
File Type: Windows PE 32-bit
Compiler: MingWin32 - Dev C++

To get to know the file better, let's run it in the sandbox.
