Kaspersky Academy
TimeDateStamp

[Screenshot: PE header dump of the first sample (count of sections, machine Intel386, symbol table, size and magic of the optional header, linker/OS/image/subsystem versions, entry point, size of code, sizes of initialised and uninitialised data, size of image and of headers, base of code and data, image base, subsystem, section and file alignment, stack and heap, checksum, number of directories, overlay). The TimeDateStamp field reads Thu Apr 20 10:03:13 2017.]
Overlay

- Overlay: data appended past the end of the last section
- Used the same way as the resources: additional executables and needed data (sometimes encrypted)

[Screenshot: PE header dump of a second sample, with the overlay offset and size reported on the last line. Its TimeDateStamp reads Thu Jan 01 03:00:00 1970, i.e. the field is zero.]
Resource Analysis

The resource section (.rsrc) of the PE file contains resources of various kinds and types embedded in the file.

Suspicious resources are: [list shown on the slide is not legible in the scan]

Publisher information (Version info)

Tool: PE Explorer
Import Analysis

Kernel32.dll                 Core functionality (memory, files, and hardware)
Advapi32.dll                 Advanced functionality (service manager, registry)
User32.dll                   User-interface components (buttons, scrollbars)
Gdi32.dll                    Displaying and manipulating graphics
Ntdll.dll                    Interface to the Windows kernel
WSock32.dll and Ws2_32.dll   Low-level network activity
Wininet.dll                  High-level network activity
CryptoAPI dll                Cryptography functions

Imports are functions used by one program which are actually stored in a different program, such as code libraries that contain functionality common to many programs.

Tools: Hiew, CFF Explorer, Dependency Walker
Compiler and Protection Signature Detection

Compiler and protection signature detection is based on the same principle as antivirus signature detection.

Information about protection helps the analyst in:
- Searching for a tool for removing the protection
- Searching for a tool for decompiling
- Locating the original EP
- Additional information about program structure and embedded artifacts

Tools: PEiD, Protection ID, Exeinfo
Packer detection

Executable file packing can reduce the size of the executable file and hide its functionality from static analysis!

[Diagram: original executable made of Section 1, Section 2, ... Section N; packed executable made of a modified header, a section with compressed data, and a loader]

You can determine the packer type using Protection ID, PEiD, DIE. If the packer is widely used, it is possible to find automatic unpacking tools.

[Screenshot: output of a packer-identification tool on the sample; not legible in the scan]
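The TimeDateStamp, overlay and packer-detection slides above each describe a static check that can be automated from the PE headers alone. The script below is an added example written for this page, not code from Kaspersky Academy or from any of the tools named on the slides. It assembles a constructed 32-bit PE in memory (no real sample is involved), parses the section table with the standard library only, computes per-section Shannon entropy, reports an overlay as the bytes past the end of the last section, and flags the indicators the slides mention: a zero TimeDateStamp, a section that has no raw data but a large virtual size (the typical unpacking target), high-entropy section data, and an appended overlay. The entropy threshold of 7.0 and the UPX0/UPX1 section names are assumptions chosen for the demo.

```python
"""Added example: section, overlay and entropy triage for a PE32 image.
Constructed data only; parsing uses struct, no pefile dependency."""
import math
import struct
from collections import Counter

IMAGE_DOS_SIGNATURE = 0x5A4D        # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550     # "PE\0\0"
SIZEOF_FILE_HEADER = 20
SIZEOF_SECTION_HEADER = 40
FILE_ALIGN = 0x200
HIGH_ENTROPY = 7.0                  # assumed threshold for "compressed/encrypted"


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(buf: bytes) -> dict:
    """Read the DOS header pointer, IMAGE_FILE_HEADER and the section table."""
    if struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    sec_off = e_lfanew + 4 + SIZEOF_FILE_HEADER + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from(
            "<8sIIII", buf, sec_off + i * SIZEOF_SECTION_HEADER)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_ptr": rptr,
            "entropy": round(entropy(buf[rptr:rptr + rsize]), 2),
        })
    # Overlay = bytes after the last section's raw data (the slide's definition).
    end = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=sec_off)
    overlay = len(buf) - end
    return {"machine": machine, "timestamp": tstamp, "sections": sections,
            "overlay_offset": end if overlay > 0 else None,
            "overlay_size": max(overlay, 0)}


def packer_indicators(info: dict) -> list:
    """Static hints from the slides: zeroed timestamp, an empty-on-disk section
    that is large in memory (unpacking target), high-entropy data, overlay."""
    hints = []
    if info["timestamp"] == 0:
        hints.append("TimeDateStamp is zero")
    for s in info["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no raw data, {s['virtual_size']:#x} bytes in memory")
        elif s["entropy"] > HIGH_ENTROPY:
            hints.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted)")
    if info["overlay_size"]:
        hints.append(f"overlay of {info['overlay_size']} bytes at {info['overlay_offset']:#x}")
    return hints


def align_up(n: int, a: int) -> int:
    return (n + a - 1) // a * a


def build_sample_pe(specs, timestamp=0, overlay=b"") -> bytes:
    """Assemble a minimal PE32 from (name, raw data, virtual size) tuples.
    Constructed test input; the optional header is zero-filled except Magic."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE).ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(specs), timestamp, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    hdr_len = e_lfanew + 4 + SIZEOF_FILE_HEADER + opt_size + SIZEOF_SECTION_HEADER * len(specs)
    raw_ptr, vaddr, sec_hdrs, bodies = align_up(hdr_len, FILE_ALIGN), 0x1000, b"", b""
    for name, data, vsize in specs:
        rsize = align_up(len(data), FILE_ALIGN)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rsize,
                                raw_ptr if rsize else 0, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(rsize, b"\0")
        raw_ptr += rsize
        vaddr += align_up(max(vsize, 1), 0x1000)
    headers = dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + opt_hdr + sec_hdrs
    return headers.ljust(align_up(hdr_len, FILE_ALIGN), b"\0") + bodies + overlay


# Constructed samples: a "clean" binary and a UPX-style packed one with an overlay.
CLEAN = build_sample_pe([(b".text", b"\x55\x8b\xec" * 40 + b"\xc3", 0x1000)],
                        timestamp=0x58F86A01)
PACKED = build_sample_pe([(b"UPX0", b"", 0x20000),
                          (b"UPX1", bytes(range(256)) * 4, 0x1000)],
                         timestamp=0, overlay=b"PK\x03\x04" + b"A" * 50)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("packed", PACKED)):
        print(label, packer_indicators(parse_pe(img)) or ["no indicators"])
```

Run it as a script to see the two verdicts side by side; to triage a real file, call `packer_indicators(parse_pe(open(path, "rb").read()))`. The heuristics are deliberately simple: a nonzero overlay is normal for installers and signed files, and high entropy also appears in legitimate resource data, so the hints are prompts for a closer look, not a packed/not-packed decision.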
PDB Path & Debug Strings

- PDB is a program database file, a special symbol file that contains all the identifiers and names used in the source code: file, function, class, and variable names.
- The PDB path is inserted into the executable file by the compiler when a "Debug" build is selected.
- Often used in the attribution of a malware sample to a specific threat actor or group.

The PDB path itself can contain information about the project:
D:\ATTACK\AC all COMPLETION\Release\test.pdb
J:\hack\dev\spam\spam\obj\Release\spam.pdb
C:\Shamoon\ArabianGulf\wiper\release\wiper.pdb
C:\Users\Syrian Malware\Desktop\my rat\server\obj\Debug\E.pdb
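The slide explains that the PDB path is embedded in the executable and that its components (user name, project directory, build configuration) are what analysts pivot on for attribution. The following Python is an added example written for this page, not Kaspersky Academy code: it locates CodeView RSDS debug records ("RSDS", a 16-byte GUID, a 32-bit age, then the NUL-terminated path) in a raw file image, runs a looser sweep for any printable string ending in ".pdb", and splits a recovered path into the attribution-relevant pieces. The sample image, its GUID and the paths under C:\Users\builder and D:\projects are constructed for the demo and are not from the slides.

```python
"""Added example: recover PDB paths from a raw file image.
Constructed input only; standard library only."""
import re
import struct
import uuid

# CodeView 7.0 record: 'RSDS' | GUID (16) | Age (uint32 LE) | NUL-terminated path
RSDS_RE = re.compile(rb"RSDS")
# Looser sweep: printable run ending in ".pdb" (leftovers in overlays/resources)
PDB_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}\.pdb", re.IGNORECASE)


def find_rsds_records(buf: bytes) -> list:
    """Return (guid, age, path) for each well-formed RSDS record."""
    records = []
    for m in RSDS_RE.finditer(buf):
        start = m.start()
        if start + 24 > len(buf):
            continue
        guid = uuid.UUID(bytes_le=buf[start + 4:start + 20])
        age = struct.unpack_from("<I", buf, start + 20)[0]
        end = buf.find(b"\0", start + 24)
        path = buf[start + 24:end] if end != -1 else b""
        if not path.lower().endswith(b".pdb"):
            continue  # "RSDS" occurring by chance inside unrelated data
        records.append((str(guid), age, path.decode("latin-1")))
    return records


def find_pdb_strings(buf: bytes) -> list:
    """Every printable run that ends in .pdb, whether or not a record points at it."""
    return [m.group().decode("latin-1") for m in PDB_STRING_RE.finditer(buf)]


def pdb_hints(path: str) -> dict:
    """Pull out the attribution-relevant pieces: user name under \\Users\\,
    build configuration, project directory, file name."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    hints = {"file": parts[-1], "directory": "\\".join(parts[:-1]),
             "user": None, "configuration": None}
    if "users" in lowered and lowered.index("users") + 1 < len(parts):
        hints["user"] = parts[lowered.index("users") + 1]
    for cfg in ("Debug", "Release"):
        if cfg.lower() in lowered:
            hints["configuration"] = cfg
    return hints


# Constructed sample image: one real RSDS record, one chance "RSDS" hit,
# and a stray .pdb string with no debug record pointing at it.
SAMPLE_GUID = bytes(range(0x80, 0x90))   # non-printable bytes on purpose
RSDS_PATH = b"C:\\Users\\builder\\Desktop\\dropper\\obj\\Debug\\dropper.pdb"
STRAY_PATH = b"D:\\projects\\loader\\Release\\loader.pdb"
SAMPLE = (b"\0" * 32
          + b"RSDS" + SAMPLE_GUID + struct.pack("<I", 3) + RSDS_PATH + b"\0"
          + b"\0" * 8 + b"RSDS" + b"\x01" * 20 + b"not a symbol file\0"
          + b"\0" * 8 + STRAY_PATH + b"\0" + b"\xff" * 16)

if __name__ == "__main__":
    for guid, age, path in find_rsds_records(SAMPLE):
        print(f"RSDS guid={guid} age={age} path={path}")
        print(pdb_hints(path))
    print("all .pdb strings:", find_pdb_strings(SAMPLE))
```

Scanning the whole image instead of following the PE debug directory is a deliberate choice for triage: a packed or tampered file may have no valid debug directory while the original RSDS record survives in the compressed payload or the overlay, and the looser string sweep also catches paths left behind in resources. The GUID and age together identify a specific build, which is what symbol servers key on.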
[Screenshots: the PDB path and debug strings located in a hex dump of the sample; not legible in the scan]
Digital Signature Checking

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed, by use of a cryptographic hash.

Tools: Sigcheck, SignTool