Kaspersky Academy

PE header analysis
(two PE header dumps are shown as screenshots; most field values did not survive scanning)
Fields displayed: TimeDateStamp, count of sections, machine (Intel386), symbol table, size of optional header, magic of optional header, linker version, OS version, image version, subsystem version, entry point, size of code, size of initialized data, size of uninitialized data, size of image, size of headers, base of code, base of data, image base, subsystem (Console), section alignment, file alignment, stack, heap, checksum, number of directories (16), overlay.
Second sample: TimeDateStamp Thu Jan 01 03:00:00 1970, linker version 11.00, image version 2.00.

Overlay
Overlay: data appended past the end of the last section. Used the same way as the resources: additional executables and needed data (sometimes encrypted).

Resource Analysis
The resource section (.rsrc) of the PE file contains all types of resources embedded into the file.
Suspicious resources are: (the list on the slide is not recoverable from the scan)
Publisher information (version info).
Tool: PE Explorer.

Import Analysis
Imports are functions used by one program which are actually stored in a different program, such as code libraries that contain functionality common to many programs.
- Kernel32.dll: core functionality (memory, files, and hardware)
- Advapi32.dll: advanced functionality (service manager, registry)
- User32.dll: user-interface components (buttons, scrollbars)
- Gdi32.dll: displaying and manipulating graphics
- Ntdll.dll: interface to the Windows kernel
- WSock32.dll and Ws2_32.dll: low-level network activity
- Wininet.dll: high-level network activity
- CryptoAPI DLL: cryptography functions
Tools: CFF Explorer, Dependency Walker.

Compiler and Protection Signature Detection
Compiler and protection signature detection is based on the same principle as antivirus signature detection.
Information about protection can help the analyst in:
- searching for a tool for removing the protection
- searching for a tool for decompiling
- additional information about program structure and embedded artifacts
Tools: Protection ID, Exeinfo PE.

Packer detection
Executable file packing can reduce the size of the executable file and hide its functionality from static analysis!
Packed file layout: header (modified), section with compressed data, loader.
You can determine the packer type using Protection ID, PEiD, DIE. If the packer is widely used, it is possible to find automatic unpacking tools.

PDB Path & Debug Strings
PDB is a program database file, a special symbol file that contains all the identifiers and names used in the source code: file, function, class, and variable names.
The PDB path is inserted into the executable file by the compiler when a "Debug" build is selected.
Often used in the attribution of a malware sample to a specific threat actor or group.
Examples of PDB paths seen in malware (two further examples on the slide are not recoverable from the scan):
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
C:\Users\Syrian Malware\Desktop\my rat\server\obj\Debug\E.pdb
(three further "PDB Path & Debug Strings" slides consist of screenshots and a hex dump; not recoverable)

Digital Signature Checking
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed, by use of a cryptographic hash.
Tools: Sigcheck, SignTool.
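Two of the checks above, the overlay (data appended past the end of the last section) and the PDB path, can be reproduced directly from the raw bytes without a GUI tool. The Python below is an added example and is not code from the Kaspersky Academy slides: it walks the COFF header and section table to find where the last section's raw data ends (everything after that is overlay), and scans for CodeView "RSDS" records (signature, 16-byte GUID, 4-byte age, NUL-terminated path) to recover the embedded PDB path. The scan is a heuristic; the authoritative location of the record is the debug data directory. The sample PE it builds is constructed in memory for the demonstration and is not a real binary; the path inside it is invented.

```python
"""Added example: overlay detection and PDB-path extraction from a PE file.

Not code from the Kaspersky Academy slides. The sample PE below is constructed
in memory for the demonstration; the PDB path inside it is made up.
"""
import struct
import sys

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Return (name, virtual_address, raw_pointer, raw_size) for each section."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows "PE\0\0"
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional   # section table start
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, raw_ptr, raw_size))
    return sections


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: end of the last section's raw data."""
    return max((ptr + size for _, _, ptr, size in parse_sections(data)), default=0)


def overlay_size(data: bytes) -> int:
    """Bytes appended past the last section (0 when there is no overlay)."""
    return max(0, len(data) - overlay_offset(data))


def find_pdb_paths(data: bytes):
    """Heuristic scan for CodeView RSDS records: 'RSDS' + GUID(16) + age(4) + path + NUL."""
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\0", start)
        if end > start:
            paths.append(data[start:end].decode("ascii", "replace"))
        pos = data.find(b"RSDS", pos + 4)
    return paths


def analyze(data: bytes) -> dict:
    """Summary a triage script would log for one file."""
    return {
        "sections": [name for name, _, _, _ in parse_sections(data)],
        "overlay_offset": overlay_offset(data),
        "overlay_size": overlay_size(data),
        "pdb_paths": find_pdb_paths(data),
    }


def build_sample_pe() -> bytes:
    """Constructed, non-executable PE32 image: one .text section plus a 64-byte overlay
    carrying an RSDS record with a made-up PDB path (not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    size_of_optional = 0xE0                  # PE32 optional header size
    # Machine=i386, 1 section, timestamp/symbols zeroed, characteristics: EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, size_of_optional, 0x0102)
    opt = bytearray(size_of_optional)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic; other fields left zero
    # .text: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics
    section = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                          0, 0, 0, 0, 0x60000020)
    header = (bytes(dos) + IMAGE_NT_SIGNATURE + coff + bytes(opt) + section).ljust(0x200, b"\0")
    text = b"\xC3".ljust(0x200, b"\0")       # a lone RET, padded to the raw size
    codeview = b"RSDS" + bytes(16) + struct.pack("<I", 1) + b"C:\\example\\build\\sample.pdb\0"
    return header + text + codeview.ljust(64, b"\0")


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(analyze(blob))
```

Run it with a file path to triage a real sample, or with no arguments to see the constructed one report a 64-byte overlay at offset 0x400 and the embedded path. A non-zero overlay on a file that is not an installer or self-extracting archive, or a PDB path with a revealing directory name, is what the slides suggest looking for.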
