Learning Malware Analysis - Monnappa K A - E-Book

Description

Understand malware analysis and its practical implementation


Key Features

Explore the key concepts of malware analysis and memory forensics using real-world examples

Learn the art of detecting, analyzing, and investigating malware threats

Understand adversary tactics and techniques

Book Description


Malware analysis and memory forensics are powerful analysis and investigation techniques used in reverse engineering, digital forensics, and incident response. With adversaries becoming more sophisticated and carrying out advanced malware attacks on critical infrastructure, data centers, and private and public organizations, detecting, responding to, and investigating such intrusions is critical for information security professionals. Malware analysis and memory forensics have become must-have skills for fighting advanced malware, targeted attacks, and security breaches.


This book teaches you the concepts, techniques, and tools to understand the behavior and characteristics of malware through malware analysis. It also teaches you techniques to investigate and hunt malware using memory forensics.


This book introduces you to the basics of malware analysis, and then gradually progresses into the more advanced concepts of code analysis and memory forensics. It uses real-world malware samples, infected memory images, and visual diagrams to help you gain a better understanding of the subject and to equip you with the skills required to analyze, investigate, and respond to malware-related incidents.


What you will learn

Create a safe and isolated lab environment for malware analysis

Extract the metadata associated with malware

Determine malware's interaction with the system

Perform code analysis using IDA Pro and x64dbg

Reverse-engineer various malware functionalities

Reverse-engineer and decode common encoding/encryption algorithms

Reverse-engineer malware code injection and hooking techniques

Investigate and hunt malware using memory forensics

Who this book is for


This book is for incident responders, cyber-security investigators, system administrators, malware analysts, forensic practitioners, students, and curious security professionals interested in learning malware analysis and memory forensics. Knowledge of programming languages such as C and Python is helpful but not mandatory. If you have written a few lines of code and have a basic understanding of programming concepts, you'll be able to get the most out of this book.



Page count: 623

Year of publication: 2018




Learning Malware Analysis

Explore the concepts, tools, and techniques to analyze and investigate Windows malware

Monnappa K A

BIRMINGHAM - MUMBAI

Learning Malware Analysis

Copyright © 2018 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Gebin George
Acquisition Editor: Shrilekha Inani
Content Development Editor: Sharon Raj
Technical Editor: Prashant Chaudhari
Copy Editor: Safis Editing
Project Coordinator: Virginia Dias
Proofreader: Safis Editing
Indexer: Aishwarya Gangawane
Graphics: Tom Scaria
Production Coordinator: Nilesh Mohite

First published: June 2018

Production reference: 2200718

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78839-250-1

www.packtpub.com

To my beloved wife, for standing by me throughout the journey. Without her, it would have been impossible to complete this project. To my parents, and in-laws for their continued support and encouragement. To my dog, for staying awake with me during the sleepless nights.
mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

PacktPub.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks.

Contributors

About the author

Monnappa K A works for Cisco Systems as an information security investigator focusing on threat intelligence and the investigation of advanced cyber attacks. He is a member of the Black Hat review board, the creator of Limon Linux sandbox, the winner of the Volatility plugin contest 2016, and the co-founder of the Cysinfo cybersecurity research community. He has presented and conducted training sessions at various security conferences including Black Hat, FIRST, OPCDE, and DSCI. He regularly conducts training at the Black Hat Security Conference in USA, Asia, and Europe.

I would like to extend my gratitude to Daniel Cuthbert and Dr. Michael Spreitzenbarth for taking time out of their busy schedule to review the book. Thanks to Sharon Raj, Prashant Chaudhari, Shrilekha Inani, and the rest of the Packt team for their support. Thanks to Michael Scheck, Chris Fry, Scott Heider, and my coworkers at Cisco CSIRT for their encouragement. Thanks to Michael Hale Ligh, Andrew Case, Jamie Levy, Aaron Walters, Matt Suiche, Ilfak Guilfanov, and Lenny Zeltser who have inspired and motivated me with their work. Thanks to Sajan Shetty, Vijay Sharma, Gavin Reid, Levi Gundert, Joanna Kretowicz, Marta Strzelec, Venkatesh Murthy, Amit Malik, and Ashwin Patil for their unending support. Thanks to the authors of other books, websites, blogs, and tools, which have contributed to my knowledge, and therefore this book.

About the reviewers

Daniel Cuthbert is the Global Head of Security Research at Banco Santander. In his 20+ years' career on both the offensive and defensive side, he has seen the evolution of hacking from small groups of curious minds to the organized criminal networks and nation states we see today. He sits on the Black Hat Review Board and is the co-author of the OWASP Testing Guide (2003) and the OWASP Application Security Verification Standard (ASVS).

Dr. Michael Spreitzenbarth has been freelancing in the IT security sector for several years after finishing his diploma thesis, whose major topic was mobile phone forensics. In 2013, he finished his PhD in the field of Android forensics and mobile malware analysis. He then started working at an internationally operating CERT and in an internal red team. He deals daily with the security of mobile systems, forensic analysis of smartphones, and suspicious mobile applications, as well as the investigation of security-related incidents and the simulation of cybersecurity attacks.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Learning Malware Analysis

Dedication

Packt Upsell

Why subscribe?

PacktPub.com

Contributors

About the author

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Introduction to Malware Analysis

1. What Is Malware?

2. What Is Malware Analysis?

3. Why Malware Analysis?

4. Types Of Malware Analysis

5. Setting Up The Lab Environment

5.1 Lab Requirements

5.2 Overview Of Lab Architecture

5.3 Setting Up And Configuring Linux VM

5.4 Setting Up And Configuring Windows VM

6. Malware Sources

Summary

Static Analysis

1. Determining the File Type

1.1 Identifying File Type Using Manual Method

1.2 Identifying File Type Using Tools

1.3 Determining File Type Using Python

2. Fingerprinting the Malware

2.1 Generating Cryptographic Hash Using Tools

2.2 Determining Cryptographic Hash in Python

3. Multiple Anti-Virus Scanning

3.1 Scanning the Suspect Binary with VirusTotal

3.2 Querying Hash Values Using VirusTotal Public API

4. Extracting Strings

4.1 String Extraction Using Tools

4.2 Decoding Obfuscated Strings Using FLOSS

5. Determining File Obfuscation

5.1 Packers and Cryptors

5.2 Detecting File Obfuscation Using Exeinfo PE

6. Inspecting PE Header Information

6.1 Inspecting File Dependencies and Imports

6.2 Inspecting Exports

6.3 Examining PE Section Table And Sections

6.4 Examining the Compilation Timestamp

6.5 Examining PE Resources

7. Comparing And Classifying The Malware

7.1 Classifying Malware Using Fuzzy Hashing

7.2 Classifying Malware Using Import Hash

7.3 Classifying Malware Using Section Hash

7.4 Classifying Malware Using YARA

7.4.1 Installing YARA

7.4.2 YARA Rule Basics

7.4.3 Running YARA

7.4.4 Applications of YARA

Summary

Dynamic Analysis

1. Lab Environment Overview

2. System And Network Monitoring

3. Dynamic Analysis (Monitoring) Tools

3.1 Process Inspection with Process Hacker

3.2 Determining System Interaction with Process Monitor

3.3 Logging System Activities Using Noriben

3.4 Capturing Network Traffic With Wireshark

3.5 Simulating Services with INetSim

4. Dynamic Analysis Steps

5. Putting it All Together: Analyzing a Malware Executable

5.1 Static Analysis of the Sample

5.2 Dynamic Analysis of the Sample

6. Dynamic-Link Library (DLL) Analysis

6.1 Why Attackers Use DLLs

6.2 Analyzing the DLL Using rundll32.exe

6.2.1 Working of rundll32.exe

6.2.2 Launching the DLL Using rundll32.exe

Example 1 – Analyzing a DLL With No Exports

Example 2 – Analyzing a DLL Containing Exports

Example 3 – Analyzing a DLL Accepting Export Arguments

6.3 Analyzing a DLL with Process Checks

Summary

Assembly Language and Disassembly Primer

1. Computer Basics

1.1 Memory

1.1.1 How Data Resides In Memory

1.2 CPU

1.2.1 Machine Language

1.3 Program Basics

1.3.1 Program Compilation

1.3.2 Program On Disk

1.3.3 Program In Memory

1.3.4 Program Disassembly (From Machine code To Assembly code)

2. CPU Registers

2.1 General-Purpose Registers

2.2 Instruction Pointer (EIP)

2.3 EFLAGS Register

3. Data Transfer Instructions

3.1 Moving a Constant Into Register

3.2 Moving Values From Register To Register

3.3 Moving Values From Memory To Registers

3.4 Moving Values From Registers To Memory

3.5 Disassembly Challenge

3.6 Disassembly Solution

4. Arithmetic Operations

4.1 Disassembly Challenge

4.2 Disassembly Solution

5. Bitwise Operations

6. Branching And Conditionals

6.1 Unconditional Jumps

6.2 Conditional Jumps

6.3 If Statement

6.4 If-Else Statement

6.5 If-Elseif-Else Statement

6.6 Disassembly Challenge

6.7 Disassembly Solution

7. Loops

7.1 Disassembly Challenge

7.2 Disassembly Solution

8. Functions

8.1 Stack

8.2 Calling Function

8.3 Returning From Function

8.4 Function Parameters And Return Values

9. Arrays And Strings

9.1 Disassembly Challenge

9.2 Disassembly Solution

9.3 Strings

9.3.1 String Instructions

9.3.2 Moving From Memory To Memory (movsx)

9.3.3 Repeat Instructions (rep)

9.3.4 Storing Value From Register to Memory (stosx)

9.3.5 Loading From Memory to Register (lodsx)

9.3.6 Scanning Memory (scasx)

9.3.7 Comparing Values in Memory (cmpsx)

10. Structures

11. x64 Architecture

11.1 Analyzing 32-bit Executable On 64-bit Windows

12. Additional Resources

Summary

Disassembly Using IDA

1. Code Analysis Tools

2. Static Code Analysis (Disassembly) Using IDA

2.1 Loading Binary in IDA

2.2 Exploring IDA Displays

2.2.1 Disassembly Window

2.2.2 Functions Window

2.2.3 Output Window

2.2.4 Hex View Window

2.2.5 Structures Window

2.2.6 Imports Window

2.2.7 Exports Window

2.2.8 Strings Window

2.2.9 Segments Window

2.3 Improving Disassembly Using IDA

2.3.1 Renaming Locations

2.3.2 Commenting in IDA

2.3.3 IDA Database

2.3.4 Formatting Operands

2.3.5 Navigating Locations

2.3.6 Cross-References

2.3.7 Listing All Cross-References

2.3.8 Proximity View And Graphs

3. Disassembling Windows API

3.1 Understanding Windows API

3.1.1 ANSI and Unicode API Functions

3.1.2 Extended API Functions

3.2 Windows API 32-Bit and 64-Bit Comparison

4. Patching Binary Using IDA

4.1 Patching Program Bytes

4.2 Patching Instructions

5. IDA Scripting and Plugins

5.1 Executing IDA Scripts

5.2 IDAPython

5.2.1 Checking The Presence Of CreateFile API

5.2.2 Code Cross-References to CreateFile Using IDAPython

5.3 IDA Plugins

Summary

Debugging Malicious Binaries

1. General Debugging Concepts

1.1 Launching And Attaching To Process

1.2 Controlling Process Execution

1.3 Interrupting a Program with Breakpoints

1.4 Tracing Program Execution

2. Debugging a Binary Using x64dbg

2.1 Launching a New Process in x64dbg

2.2 Attaching to an Existing Process Using x64dbg

2.3 x64dbg Debugger Interface

2.4 Controlling Process Execution Using x64dbg

2.5 Setting a Breakpoint in x64dbg

2.6 Debugging 32-bit Malware

2.7 Debugging 64-bit Malware

2.8 Debugging a Malicious DLL Using x64dbg

2.8.1 Using rundll32.exe to Debug the DLL in x64dbg

2.8.2 Debugging a DLL in a Specific Process

2.9 Tracing Execution in x64dbg

2.9.1 Instruction Tracing

2.9.2 Function Tracing

2.10 Patching in x64dbg

3. Debugging a Binary Using IDA

3.1 Launching a New Process in IDA

3.2 Attaching to an Existing Process Using IDA

3.3 IDA's Debugger Interface

3.4 Controlling Process Execution Using IDA

3.5 Setting a Breakpoint in IDA

3.6 Debugging Malware Executables

3.7 Debugging a Malicious DLL Using IDA

3.7.1 Debugging a DLL in a Specific Process

3.8 Tracing Execution Using IDA

3.9 Debugger Scripting Using IDAPython

3.9.1 Example – Determining Files Accessed by Malware

4. Debugging a .NET Application

Summary

Malware Functionalities and Persistence

1. Malware Functionalities

1.1 Downloader

1.2 Dropper

1.2.1 Reversing a 64-bit Dropper

1.3 Keylogger

1.3.1 Keylogger Using GetAsyncKeyState()

1.3.2 Keylogger Using SetWindowsHookEx()

1.4 Malware Replication Via Removable Media

1.5 Malware Command and Control (C2)

1.5.1 HTTP Command and Control

1.5.2 Custom Command and Control

1.6 PowerShell-Based Execution

1.6.1 PowerShell Command Basics

1.6.2 PowerShell Scripts And Execution Policy

1.6.3 Analyzing PowerShell Commands/Scripts

1.6.4 How Attackers Use PowerShell

2. Malware Persistence Methods

2.1 Run Registry Key

2.2 Scheduled Tasks

2.3 Startup Folder

2.4 Winlogon Registry Entries

2.5 Image File Execution Options

2.6 Accessibility Programs

2.7 AppInit_DLLs

2.8 DLL Search Order Hijacking

2.9 COM hijacking

2.10 Service

Summary

Code Injection and Hooking

1. Virtual Memory

1.1 Process Memory Components (User Space)

1.2 Kernel Memory Contents (Kernel Space)

2. User Mode And Kernel Mode

2.1 Windows API Call Flow

3. Code Injection Techniques

3.1 Remote DLL Injection

3.2 DLL Injection Using APC (APC Injection)

3.3 DLL Injection Using SetWindowsHookEx()

3.4 DLL Injection Using The Application Compatibility Shim

3.4.1 Creating A Shim

3.4.2 Shim Artifacts

3.4.3 How Attackers Use Shims

3.4.4 Analyzing The Shim Database

3.5 Remote Executable/Shellcode Injection

3.6 Hollow Process Injection (Process Hollowing)

4. Hooking Techniques

4.1 IAT Hooking

4.2 Inline Hooking (Inline Patching)

4.3 In-memory Patching Using Shim

5. Additional Resources

Summary

Malware Obfuscation Techniques

1. Simple Encoding

1.1 Caesar Cipher

1.1.1 Working Of Caesar Cipher

1.1.2 Decrypting Caesar Cipher In Python

1.2 Base64 Encoding

1.2.1 Translating Data To Base64

1.2.2 Encoding And Decoding Base64

1.2.3 Decoding Custom Base64

1.2.4 Identifying Base64

1.3 XOR Encoding

1.3.1 Single Byte XOR

1.3.2 Finding XOR Key Through Brute-Force

1.3.3 NULL Ignoring XOR Encoding

1.3.4 Multi-byte XOR Encoding

1.3.5 Identifying XOR Encoding

2. Malware Encryption

2.1 Identifying Crypto Signatures Using Signsrch

2.2 Detecting Crypto Constants Using FindCrypt2

2.3 Detecting Crypto Signatures Using YARA

2.4 Decrypting In Python

3. Custom Encoding/Encryption

4. Malware Unpacking

4.1 Manual Unpacking

4.1.1 Identifying The OEP

4.1.2 Dumping Process Memory With Scylla

4.1.3 Fixing The Import Table

4.2 Automated Unpacking

Summary

Hunting Malware Using Memory Forensics

1. Memory Forensics Steps

2. Memory Acquisition

2.1 Memory Acquisition Using DumpIt

3. Volatility Overview

3.1 Installing Volatility

3.1.1 Volatility Standalone Executable

3.1.2 Volatility Source Package

3.2 Using Volatility

4. Enumerating Processes

4.1 Process Overview

4.1.1 Examining the _EPROCESS Structure

4.1.2 Understanding ActiveProcessLinks

4.2 Listing Processes Using psscan

4.2.1 Direct Kernel Object Manipulation (DKOM)

4.2.2 Understanding Pool Tag Scanning

4.3 Determining Process Relationships

4.4 Process Listing Using psxview

5. Listing Process Handles

6. Listing DLLs

6.1 Detecting a Hidden DLL Using ldrmodules

7. Dumping an Executable and DLL

8. Listing Network Connections and Sockets

9. Inspecting Registry

10. Investigating Service

11. Extracting Command History

Summary

Detecting Advanced Malware Using Memory Forensics

1. Detecting Code Injection

1.1 Getting VAD Information

1.2 Detecting Injected Code Using VAD

1.3 Dumping The Process Memory Region

1.4 Detecting Injected Code Using malfind

2. Investigating Hollow Process Injection

2.1 Hollow Process Injection Steps

2.2 Detecting Hollow Process Injection

2.3 Hollow Process Injection Variations

3. Detecting API Hooks

4. Kernel Mode Rootkits

5. Listing Kernel Modules

5.1 Listing Kernel Modules Using driverscan

6. I/O Processing

6.1 The Role Of The Device Driver

6.2 The Role Of The I/O Manager

6.3 Communicating With The Device Driver

6.4 I/O Requests To Layered Drivers

7. Displaying Device Trees

8. Detecting Kernel Space Hooking

8.1 Detecting SSDT Hooking

8.2 Detecting IDT Hooking

8.3 Identifying Inline Kernel Hooks

8.4 Detecting IRP Function Hooks

9. Kernel Callbacks And Timers

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Advances in computer and internet technology have changed our lives and revolutionized the way organizations conduct business. However, technological evolution and digitization have also given rise to cybercriminal activity. The growing threat of cyberattacks on critical infrastructure, data centers, and the private, public, defence, energy, government, and financial sectors poses a unique challenge for everyone from individuals to large corporations. These cyberattacks make use of malicious software (also known as malware) for financial theft, espionage, sabotage, intellectual property theft, and political motives.

With adversaries becoming sophisticated and carrying out advanced malware attacks, detecting and responding to such intrusions is critical for cybersecurity professionals. Malware analysis has become a must-have skill for fighting advanced malware and targeted attacks. Malware analysis requires a well-balanced knowledge of many different skills and subjects. In other words, learning malware analysis demands time and requires patience.

This book teaches the concepts, tools, and techniques to understand the behavior and characteristics of Windows malware using malware analysis. This book starts by introducing you to basic concepts of malware analysis. It then gradually progresses deep into more advanced concepts of code analysis and memory forensics. To help you understand the concepts better, various real-world malware samples, infected memory images, and visual diagrams are used in the examples throughout the book. In addition to this, enough information is given to help you understand the required concepts, and wherever possible, references to additional resources are provided for further reading.

If you are new to the field of malware analysis, this book should help you get started, or if you are experienced in this field, this book will help enhance your knowledge further. Whether you are learning malware analysis to perform a forensic investigation, to respond to an incident, or for fun, this book enables you to accomplish your goals.

Who this book is for

If you're an incident responder, cybersecurity investigator, system administrator, malware analyst, forensic practitioner, student, or a curious security professional interested in learning or enhancing your malware analysis skills, then this book is for you.

What this book covers

Chapter 1, Introduction to Malware Analysis, introduces readers to the concept of malware analysis, types of malware analysis, and setting up an isolated malware analysis lab environment.

Chapter 2, Static Analysis, teaches the tools and techniques to extract metadata information from the malicious binary. It shows you how to compare and classify malware samples. You'll learn how to determine various aspects of the binary without executing it.

Chapter 3, Dynamic Analysis, teaches the tools and techniques to determine the behavior of the malware and its interaction with the system. You'll learn how to obtain the network and host-based indicators associated with the malware.

Chapter 4, Assembly Language and Disassembly Primer, gives a basic understanding of assembly language and teaches the necessary skills required to perform code analysis.

Chapter 5, Disassembly Using IDA, covers the features of the IDA Pro disassembler, and you will learn how to use IDA Pro to perform static code analysis (disassembly).

Chapter 6, Debugging Malicious Binaries, teaches the technique of debugging a binary using x64dbg and the IDA Pro debugger. You will learn how to use a debugger to control the execution of a program and to manipulate a program's behavior.

Chapter 7, Malware Functionalities and Persistence, describes various functionalities of malware using reverse engineering. It also covers various persistence methods used by the malicious programs.

Chapter 8, Code Injection and Hooking, teaches common code injection techniques used by the malicious programs to execute malicious code within the context of a legitimate process. It also describes the hooking techniques used by the malware to redirect control to the malicious code to monitor, block, or filter an API's output. You will learn how to analyze malicious programs that use code injection and hooking techniques.

Chapter 9, Malware Obfuscation Techniques, covers encoding, encryption, and packing techniques used by the malicious programs to conceal and hide information. It teaches different strategies to decode/decrypt the data and unpack the malicious binary.

Chapter 10, Hunting Malware Using Memory Forensics, teaches techniques to detect malicious components using memory forensics. You will learn various Volatility plugins to detect and identify forensic artifacts in memory.

Chapter 11, Detecting Advanced Malware Using Memory Forensics, teaches the stealth techniques used by advanced malware to hide from forensic tools. You will learn to investigate and detect user mode and kernel mode rootkit components.

To get the most out of this book

Knowledge of programming languages such as C and Python would be helpful (especially to understand the concepts covered in chapters 5, 6, 7, 8, and 9). If you have written a few lines of code and have a basic understanding of programming concepts, you’ll be able to get the most out of this book.

If you have no programming knowledge, you will still be able to follow the basic malware analysis concepts covered in chapters 1, 2, and 3. However, you may find it slightly difficult to understand the concepts covered in the rest of the chapters. To get you up to speed, sufficient information and additional resources are provided in each chapter. You may need to do some additional reading to fully understand the concepts.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/LearningMalwareAnalysis_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: used for code examples, folder names, filenames, registry key and values, file extensions, pathnames, dummy URLs, user input, function names, and Twitter handles. Here is an example: "Mount the downloaded WebStorm-10*.dmg disk image file as another disk in your system."

Any command-line input is highlighted in bold, as in the following example:

$ sudo inetsim
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory: /var/log/inetsim/
Using data directory: /var/lib/inetsim/

When we wish to draw your attention to a particular part of code or output, the relevant lines or items are set in bold (in this example, the TDSSoiqh.dll entry, which is absent from all three module lists):

$ python vol.py -f tdl3.vmem --profile=WinXPSP3x86 ldrmodules -p 880
Volatility Foundation Volatility Framework 2.6
Pid  Process      Base        InLoad  InInit  InMem  MappedPath
---  -----------  ----------  ------  ------  -----  ----------------------------
880  svchost.exe  0x10000000  False   False   False  \WINDOWS\system32\TDSSoiqh.dll
880  svchost.exe  0x01000000  True    False   True   \WINDOWS\system32\svchost.exe
880  svchost.exe  0x76d30000  True    True    True   \WINDOWS\system32\wmi.dll
880  svchost.exe  0x76f60000  True    True    True   \WINDOWS\system32\wldap32.dll

Italics: Used for a new term, an important word or words, a malware name, and keyboard combinations. Here is an example: press Ctrl + C to copy.

Screen Text: Words in menus or dialog boxes appear in the text like this. Here is an example: Select System info from the Administration panel.

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: Email [email protected] and mention the book title in the subject of your message. If you have questions about any aspect of this book, please email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packtpub.com.

Introduction to Malware Analysis

The number of cyber attacks is undoubtedly on the rise, targeting the government, military, public, and private sectors. These cyber attacks focus on individuals or organizations in an effort to extract valuable information. Sometimes these attacks are attributed to cybercrime or state-sponsored groups, but they may also be carried out by individuals or smaller groups pursuing their own goals. Most of these cyber attacks use malicious software (also called malware) to infect their targets. The knowledge, skills, and tools required to analyze malicious software are essential to detect, investigate, and defend against such attacks.

In this chapter, you will learn the following topics:

What malware means and its role in cyber attacks

Malware analysis and its significance in digital forensics

Different types of malware analysis

Setting up the lab environment

Various sources to obtain malware samples

1. What Is Malware?

Malware is code that performs malicious actions; it can take the form of an executable, a script, or any other form of software. Attackers use malware to steal sensitive information, spy on the infected system, or take control of the system. It typically gets into your system without your consent and can be delivered via various communication channels such as email, the web, or USB drives.

The following are some of the malicious actions performed by malware:

Disrupting computer operations

Stealing sensitive information, including personal, business, and financial data

Unauthorized access to the victim's system

Spying on the victims

Sending spam emails

Engaging in distributed denial-of-service (DDoS) attacks

Locking up the files on the computer and holding them for ransom

Malware is a broad term that refers to different types of malicious programs such as trojans, viruses, worms, and rootkits. While performing malware analysis, you will often come across various types of malicious programs; some of these malicious programs are categorized based on their functionality and attack vectors as mentioned here:

Virus or Worm: Malware that is capable of copying itself and spreading to other computers. A virus needs user intervention to spread, whereas a worm can spread without user intervention.

Trojan: Malware that disguises itself as a regular program to trick users into installing it on their systems. Once installed, it can perform malicious actions such as stealing sensitive data, uploading files to the attacker's server, or monitoring webcams.

Backdoor / Remote Access Trojan (RAT): A type of Trojan that enables the attacker to gain access to and execute commands on the compromised system.

Adware: Malware that presents unwanted advertisements (ads) to the user. It is usually delivered via free downloads and can forcibly install software on your system.

Botnet: A group of computers infected with the same malware (called bots), waiting to receive instructions from a command-and-control server controlled by the attacker. The attacker can then issue commands to these bots, which carry out malicious activities such as DDoS attacks or sending spam emails.

Information stealer: Malware designed to steal sensitive data such as banking credentials or typed keystrokes from the infected system. Examples include keyloggers, spyware, sniffers, and form grabbers.

Ransomware: Malware that holds the system for ransom by locking users out of their computer or by encrypting their files.

Rootkit: Malware that provides the attacker with privileged access to the infected system and conceals its presence or the presence of other software.

Downloader or dropper: Malware designed to download or install additional malware components.

A handy resource for understanding malware terminologies and definitions is available at https://blog.malwarebytes.com/glossary/.

Classifying malware based on functionality may not always be possible, because a single malware sample can contain multiple functionalities that fall into several of the categories mentioned previously. For example, malware can include a worm component that scans the network looking for vulnerable systems and, upon successful exploitation, drops another malware component such as a backdoor or ransomware.

Malware classification can also be undertaken based on the attacker's motive. For example, if the malware is used to steal personal, business, or proprietary information for profit, then the malware can be classified as crimeware or commodity malware. If the malware is used to target a particular organization or industry to steal information/gather intelligence for espionage, then it can be classified as targeted or espionage malware.

2. What Is Malware Analysis?

Malware analysis is the study of malware's behavior. The objective of malware analysis is to understand the working of malware and how to detect and eliminate it. It involves analyzing the suspect binary in a safe environment to identify its characteristics and functionalities so that better defenses can be built to protect an organization's network.

3. Why Malware Analysis?

The primary motive behind performing malware analysis is to extract information from the malware sample, which can help in responding to a malware incident. The goal of malware analysis is to determine the capability of malware, detect it, and contain it. It also helps in determining identifiable patterns that can be used to cure and prevent future infections. The following are some of the reasons why you will perform malware analysis:

To determine the nature and purpose of the malware. For example, it can help you determine whether the malware is an information stealer, HTTP bot, spam bot, rootkit, keylogger, RAT, and so on.

To gain an understanding of how the system was compromised and its impact.

To identify the network indicators associated with the malware, which can then be used to detect similar infections using network monitoring. For example, during your analysis, if you determine that a malware sample contacts a particular domain/IP address, then you can use this domain/IP address to create a signature and monitor the network traffic to identify all the hosts contacting that domain/IP address.

To extract host-based indicators such as filenames and registry keys, which, in turn, can be used to detect similar infections using host-based monitoring. For instance, if you learn that a malware sample creates a registry key, you can use this registry key as an indicator to create a signature, or scan your network to identify the hosts that have the same registry key.

To determine the attacker's intention and motive. For instance, during your analysis, if you find that the malware is stealing banking credentials, then you can deduce that the motive of the attacker is monetary gain.

Threat intelligence teams very often use the indicators determined from a malware analysis to classify the attack and attribute them to known threats. Malware analysis can help you get information about who could be behind the attack (competitor, state-sponsored attack group, and so on).

4. Types Of Malware Analysis

To understand the working and the characteristics of malware and to assess its impact on the system, you will often use different analysis techniques. The following is the classification of these analysis techniques:

Static analysis: This is the process of analyzing a binary without executing it. It is the easiest to perform and allows you to extract the metadata associated with the suspect binary. Static analysis might not reveal all the required information, but it can sometimes provide interesting information that helps in determining where to focus your subsequent analysis efforts. Chapter 2, Static Analysis, covers the tools and techniques to extract useful information from the malware binary using static analysis.

Dynamic analysis (Behavioral Analysis): This is the process of executing the suspect binary in an isolated environment and monitoring its behavior. This analysis technique is easy to perform and gives valuable insights into the activity of the binary during its execution. This analysis technique is useful but does not reveal all the functionalities of the hostile program. Chapter 3, Dynamic Analysis, covers the tools and techniques to determine the behavior of the malware using dynamic analysis.

Code analysis: This is an advanced technique that focuses on analyzing the code to understand the inner workings of the binary. This technique reveals information that is not possible to determine just from static and dynamic analysis. Code analysis is further divided into static code analysis and dynamic code analysis. Static code analysis involves disassembling the suspect binary and looking at the code to understand the program's behavior, whereas dynamic code analysis involves debugging the suspect binary in a controlled manner to understand its functionality. Code analysis requires an understanding of the programming language and operating system concepts. The upcoming chapters (Chapters 4 to 9) will cover the knowledge, tools, and techniques required to perform code analysis.

Memory analysis (Memory forensics): This is the technique of analyzing the computer's RAM for forensic artifacts. It is typically a forensic technique, but integrating it into your malware analysis will assist in gaining an understanding of the malware's behavior after infection. Memory analysis is especially useful to determine the stealth and evasive capabilities of the malware. You will learn how to perform memory analysis in subsequent chapters (Chapters 10 and 11).

Integrating different analysis techniques while performing malware analysis can reveal a wealth of contextual information, which will prove to be valuable in your malware investigation.

5. Setting Up The Lab Environment

Analysis of a hostile program requires a safe and secure lab environment, as you do not want to infect your system or the production system. A malware lab can be very simple or complex depending on the resources available to you (hardware, virtualization software, Windows license, and so on). This section will guide you to set up a simple personal lab on a single physical system consisting of virtual machines (VMs). If you wish to set up a similar lab environment, feel free to follow along or skip to the next section (Section 6: Malware Sources).

5.1 Lab Requirements

Before you begin setting up a lab, you need a few components: a physical system running a base operating system of Linux, Windows, or macOS X, and installed with virtualization software (such as VMware or VirtualBox). When analyzing the malware, you will be executing the malware on a Windows-based virtual machine (Windows VM). The advantage of using a virtual machine is that after you finish analyzing the malware, you can revert it to a clean state.

VMware Workstation for Windows and Linux is available for download from https://www.vmware.com/products/workstation/workstation-evaluation.html, and VMware Fusion for macOS X is available for download from https://www.vmware.com/products/fusion/fusion-evaluation.html. VirtualBox for different flavors of operating systems is available for download from https://www.virtualbox.org/wiki/Downloads.                                                                                   

To create a safe lab environment, you should take the necessary precautions to prevent malware from escaping the virtualized environment and infecting your physical (host) system. The following are a few points to remember when setting up the virtualized lab:

Keep your virtualization software up to date. This is necessary because it might be possible for malware to exploit a vulnerability in the virtualization software, escape from the virtual environment, and infect your host system.

Install a fresh copy of the operating system inside the virtual machine (VM), and do not keep any sensitive information in the virtual machine.

While analyzing malware, if you don't want the malware to reach out to the Internet, then you should consider using host-only network configuration mode or restrict your network traffic within your lab environment using simulated services.

Do not connect any removable media, such as USB drives, that might later be used on the physical machines.

Since you will be analyzing Windows malware (typically Executable or DLL), it is recommended to choose a base operating system such as Linux or macOS X for your host machine instead of Windows. This is because, even if a Windows malware escapes from the virtual machine, it will still not be able to infect your host machine.

5.2 Overview Of Lab Architecture

The lab architecture I will be using throughout the book consists of a physical machine (called host machine) running Ubuntu Linux with instances of Linux virtual machine (Ubuntu Linux VM) and Windows virtual machine (Windows VM). These virtual machines will be configured to be part of the same network and use Host-only network configuration mode so that the malware is not allowed to contact the Internet and network traffic is contained in the isolated lab environment.

The Windows VM is where the malware will be executed during analysis, and the Linux VM is used to monitor the network traffic and will be configured to simulate Internet services (DNS, HTTP, and so on) to provide an appropriate response when the malware requests these services. For example, the Linux VM will be configured such that when the malware requests a service such as DNS, the Linux VM will provide the proper DNS response. Chapter 3, Dynamic Analysis, covers this concept in detail.

The following figure shows an example of a simple lab architecture, which I will use in this book. In this setup, the Linux VM will be preconfigured to IP address 192.168.1.100, and the IP address of the Windows VM will be set to 192.168.1.x (where x is any number from 1 to 254 except 100). The default gateway and the DNS of the Windows VM will be set to the IP address of the Linux VM (that is, 192.168.1.100) so that all the Windows network traffic is routed through the Linux VM. The upcoming section will guide you to set up the Linux VM and Windows VM to match with this setup.

You need not restrict yourself to the lab architecture shown in the preceding figure; different lab configurations are possible, but it is not feasible to provide instructions for every one of them. In this book, I will show you how to set up and use the lab architecture shown in the preceding figure.

It is also possible to set up a lab consisting of multiple VMs running different versions of Windows; this will allow you to analyze the malware specimen on various versions of Windows operating systems. An example configuration containing multiple Windows VMs will look similar to the one shown in the following diagram:

5.3 Setting Up And Configuring Linux VM

To set up the Linux VM, I will use Ubuntu 16.04.2 LTS Linux distribution (http://releases.ubuntu.com/16.04/). The reason I have chosen Ubuntu is that most of the tools covered in this book are either preinstalled or available through the apt-get package manager. The following is a step-by-step procedure to configure Ubuntu 16.04.2 LTS on VMware and VirtualBox. Feel free to follow the instructions given here depending on the virtualization software (either VMware or VirtualBox) installed on your system:

 If you are not familiar with installing and configuring virtual machines, refer to VMware's guide at http://pubs.vmware.com/workstation-12/topic/com.vmware.ICbase/PDF/workstation-pro-12-user-guide.pdf or the VirtualBox user manual (https://www.virtualbox.org/manual/UserManual.html).

Download Ubuntu 16.04.2 LTS from http://releases.ubuntu.com/16.04/ and install it in VMware Workstation/Fusion or VirtualBox. If you wish to install any other version of Ubuntu Linux, you are free to do so as long as you are comfortable installing packages and solving any dependency issues.

Install the Virtualization Tools on Ubuntu; this will allow Ubuntu's screen resolution to automatically adjust to match your monitor's geometry and provide additional enhancements, such as the ability to share clipboard content and to copy/paste or drag and drop files across your underlying host machine and the Linux virtual machine. To install virtualization tools on VMware Workstation or VMware Fusion, you can follow the procedure mentioned at https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1022525 or watch the video at https://youtu.be/ueM1dCk3o58. Once installed, reboot the system.

If you are using VirtualBox, you must install the Guest Additions software. To accomplish this, from the VirtualBox menu, select Devices | Insert guest additions CD image. This will bring up the Guest Additions dialog window. Then click on Run to invoke the installer from the virtual CD. Authenticate with your password when prompted and reboot.

Once the Ubuntu operating system and the virtualization tools are installed, start the Ubuntu VM and install the following tools and packages.

Install pip; pip is a package management system used to install and manage packages written in Python. In this book, I will be running a few Python scripts; some of them rely on third-party libraries. To automate the installation of third-party packages, you need to install pip. Run the following commands in the terminal to install and upgrade pip:

$ sudo apt-get update

$ sudo apt-get install python-pip

$ pip install --upgrade pip

The following are some of the tools and Python packages that will be used in this book. To install these tools and Python packages, run these commands in the terminal:

$ sudo apt-get install python-magic

$ sudo apt-get install upx

$ sudo pip install pefile

$ sudo apt-get install yara

$ sudo pip install yara-python

$ sudo apt-get install ssdeep

$ sudo apt-get install build-essential libffi-dev python python-dev \
    libfuzzy-dev

$ sudo pip install ssdeep

$ sudo apt-get install wireshark

$ sudo apt-get install tshark

INetSim (http://www.inetsim.org/index.html) is a powerful utility that allows simulating various Internet services (such as DNS and HTTP) that malware frequently expects to interact with. Later, you will understand how to configure INetSim to simulate services. To install INetSim, use the following commands. The use of INetSim will be covered in detail in Chapter 3, Dynamic Analysis. If you have difficulties installing INetSim, refer to the documentation (http://www.inetsim.org/packages.html):

$ sudo su

# echo "deb http://www.inetsim.org/debian/ binary/" > \
    /etc/apt/sources.list.d/inetsim.list

# wget -O - http://www.inetsim.org/inetsim-archive-signing-key.asc | \
    apt-key add -

# apt update

# apt-get install inetsim

You can now isolate the Ubuntu VM within your lab by configuring the virtual appliance to use Host-only network mode. On VMware, bring up the Network Adapter Settings and choose Host-only mode as shown in the following figure. Save the settings and reboot.

In VirtualBox, shut down Ubuntu VM and then bring up Settings. Select Network and change the adapter settings to Host-only Adapter as shown in the following diagram; click on OK.

On VirtualBox, sometimes when you choose the Host-only adapter option, the interface name might appear as Not selected. In that case, you need to first create at least one host-only interface by navigating to File | Preferences | Network | Host-only networks | Add host-only network. Click on OK; then bring up the Settings. Select Network and change the adapter settings to Host-only Adapter, as shown in the following screenshot. Click on OK.

Now we will assign a static IP address of 192.168.1.100 to the Ubuntu Linux VM. To do that, power on the Linux VM, open the terminal window, type the command ifconfig, and note down the interface name. In my case, the interface name is ens33. In your case, the interface name might be different. If it is different, you need to make changes to the following steps accordingly.

Open the file /etc/network/interfaces using the following command:

$ sudo gedit /etc/network/interfaces

Add the following entries at the end of the file (make sure you replace ens33 with the interface name on your system) and save it:

auto ens33
iface ens33 inet static
address 192.168.1.100
netmask 255.255.255.0

The /etc/network/interfaces file should now look like the one shown here. Newly added entries are highlighted here:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto ens33

iface ens33 inet static

address 192.168.1.100

netmask 255.255.255.0

Then restart the Ubuntu Linux VM. At this point, the IP address of the Ubuntu VM should be set to 192.168.1.100. You can verify that by running the following command:

$ ifconfig
ens33     Link encap:Ethernet  HWaddr 00:0c:29:a8:28:0d
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fea8:280d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5187 (5.1 KB)  TX bytes:5590 (5.5 KB)

The next step is to configure INetSim so that it can listen to and simulate all the services on the configured IP address 192.168.1.100. By default, it listens on the local interface (127.0.0.1), which needs to be changed to 192.168.1.100. To do that, open the configuration file located at /etc/inetsim/inetsim.conf using the following command:

$ sudo gedit /etc/inetsim/inetsim.conf

Go to the service_bind_address section in the configuration file and add the entry shown here:

service_bind_address 192.168.1.100

The added entry (highlighted) in the configuration file should look like this:

# service_bind_address
#
# IP address to bind services to
#
# Syntax: service_bind_address <IP address>
#
# Default: 127.0.0.1
#
#service_bind_address 10.10.10.1
service_bind_address 192.168.1.100

By default, INetSim's DNS server will resolve all the domain names to 127.0.0.1. Instead of that, we want the domain name to resolve to 192.168.1.100 (the IP address of Linux VM). To do that, go to the dns_default_ip section in the configuration file and add an entry as shown here:

dns_default_ip 192.168.1.100

The added entry (highlighted in the following code) in the configuration file should look like this:

# dns_default_ip
#
# Default IP address to return with DNS replies
#
# Syntax: dns_default_ip <IP address>
#
# Default: 127.0.0.1
#
#dns_default_ip 10.10.10.1
dns_default_ip 192.168.1.100

Once the configuration changes are done, save the configuration file and launch the INetSim main program. Verify that all the services are running and also check that INetSim is listening on 192.168.1.100, as highlighted in the following output. You can stop the service by pressing CTRL+C:

$ sudo inetsim
INetSim 1.2.6 (2016-08-29) by Matthias Eckert & Thomas Hungenberg
Using log directory:      /var/log/inetsim/
Using data directory:     /var/lib/inetsim/
Using report directory:   /var/log/inetsim/report/
Using configuration file: /etc/inetsim/inetsim.conf
=== INetSim main process started (PID 2640) ===
Session ID:     2640
Listening on:   192.168.1.100
Real Date/Time: 2017-07-08 07:26:02
Fake Date/Time: 2017-07-08 07:26:02 (Delta: 0 seconds)
 Forking services...
  * irc_6667_tcp - started (PID 2652)
  * ntp_123_udp - started (PID 2653)
  * ident_113_tcp - started (PID 2655)
  * time_37_tcp - started (PID 2657)
  * daytime_13_tcp - started (PID 2659)
  * discard_9_tcp - started (PID 2663)
  * echo_7_tcp - started (PID 2661)
  * dns_53_tcp_udp - started (PID 2642)
  [..........REMOVED.............]
  * http_80_tcp - started (PID 2643)
  * https_443_tcp - started (PID 2644)
 done.
Simulation running.

At some point, you need the ability to transfer files between the host and the virtual machine. To enable that on VMware, power off the virtual machine and bring up the Settings. Select Options | Guest Isolation and check both Enable drag and drop and Enable copy and paste. Save the settings.

On Virtualbox, while the virtual machine is powered off, bring up Settings | General | Advanced and make sure that both Shared Clipboard and Drag 'n' Drop are set to Bidirectional. Click on OK.

At this point, the Linux VM is configured to use Host-only mode, and INetSim is set up to simulate all the services. The last step is to take a snapshot (clean snapshot) and give it a name of your choice so that you can revert to the clean state when required. To take a snapshot on VMware Workstation, click on VM | Snapshot | Take Snapshot. On VirtualBox, the same can be done by clicking on Machine | Take Snapshot.

Apart from the drag and drop feature, it is also possible to transfer files from the host machine to the virtual machine using shared folders; refer to the following for VirtualBox (https://www.virtualbox.org/manual/ch04.html#sharedfolders) and to the following for VMware (https://docs.vmware.com/en/VMware-Workstation-Pro/14.0/com.vmware.ws.using.doc/GUID-AACE0935-4B43-43BA-A935-FC71ABA17803.html).
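A misconfigured INetSim silently leaves the Windows VM's DNS and HTTP requests unanswered, so it is worth checking the two settings above before taking the clean snapshot. The following Python script is an added example (not the book's code): it parses inetsim.conf text, ignores commented-out defaults such as #service_bind_address 10.10.10.1, verifies that service_bind_address and dns_default_ip point at the Linux VM, and validates a proposed Windows VM address against the rule from the lab overview (192.168.1.x, not .100). The configuration text is constructed to match the excerpts shown above.

```python
"""Sanity checks for the lab network configuration described in this section.

Added example, not part of the book. The INetSim configuration format is read
as 'key value' lines with '#' starting a comment, as in the excerpts above.
"""
import ipaddress

LAB_LINUX_IP = "192.168.1.100"                       # Linux VM / INetSim address
LAB_NETWORK = ipaddress.ip_network("192.168.1.0/24")  # netmask 255.255.255.0
REQUIRED_KEYS = ("service_bind_address", "dns_default_ip")


def parse_inetsim_conf(text):
    """Return {key: [values...]} for every active (uncommented) setting."""
    active = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        active.setdefault(parts[0], []).append(value)
    return active


def check_lab_config(text, linux_ip=LAB_LINUX_IP):
    """Return a list of problems; an empty list means the config matches the lab."""
    problems = []
    settings = parse_inetsim_conf(text)
    for key in REQUIRED_KEYS:
        values = settings.get(key, [])
        if not values:
            # The chapter notes that both settings default to the loopback address.
            problems.append("%s is not set (INetSim falls back to 127.0.0.1)" % key)
        elif len(values) > 1:
            problems.append("%s is set %d times: %s" % (key, len(values), values))
        elif values[0] != linux_ip:
            problems.append("%s is %s, expected %s" % (key, values[0], linux_ip))
    return problems


def check_windows_ip(candidate, linux_ip=LAB_LINUX_IP, network=LAB_NETWORK):
    """True if the address is usable for the Windows VM: in the lab /24,
    not the network or broadcast address, and not the Linux VM's address."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False
    if addr not in network:
        return False
    if addr in (network.network_address, network.broadcast_address):
        return False
    return str(addr) != linux_ip


# Constructed sample in the shape of the excerpts above: the shipped defaults
# stay commented out and the lab values are added below them.
SAMPLE_CONF = """\
# service_bind_address
#
# IP address to bind services to
#
# Default: 127.0.0.1
#
#service_bind_address 10.10.10.1
service_bind_address 192.168.1.100

# dns_default_ip
#
# Default IP address to return with DNS replies
#
# Default: 127.0.0.1
#
#dns_default_ip 10.10.10.1
dns_default_ip 192.168.1.100
"""

if __name__ == "__main__":
    for line in check_lab_config(SAMPLE_CONF) or ["INetSim config matches the lab"]:
        print(line)
    for ip in ("192.168.1.50", "192.168.1.100", "192.168.2.5"):
        print(ip, "ok" if check_windows_ip(ip) else "not usable for the Windows VM")
```

To check the real file on the Linux VM, pass the contents of /etc/inetsim/inetsim.conf to check_lab_config instead of SAMPLE_CONF.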

5.4 Setting Up And Configuring Windows VM

Before setting up the Windows VM, you first need to install a Windows operating system (Windows 7, Windows 8, and so on) of your choice in the virtualization software (such as VMware or VirtualBox). Once you have Windows installed, follow these steps:

Download Python from https://www.python.org/downloads/. Be sure to download Python 2.7.x (such as 2.7.13); most of the scripts used in this book are written to run on the Python 2.7 version and may not run correctly on Python 3. After you've downloaded the file, run the installer. Make sure you check the options to install pip and Add python.exe to Path, as shown in the following screenshot. Installing pip will make it easier to install any third-party Python libraries, and adding Python to the path will make it easier to run Python from any location.

Configure your Windows VM to run in Host-only network configuration mode. To do that in VMware or VirtualBox, bring up the Network Settings and choose the Host-only mode; save the settings and reboot (this step is similar to the one covered in the Setting Up and Configuring Linux VM section).

Configure the IP address of the Windows VM to 192.168.1.x (choose any IP address except 192.168.1.100, because the Linux VM is set to use that IP) and set up your Default gateway and the DNS server to the IP address of the Linux VM (that is, 192.168.1.100), as shown in the following screenshot.

This configuration is required so that when we execute the hostile program on the Windows VM, all of the network traffic will be routed through the Linux VM.

Power on both the Linux VM and the Windows VM, and make sure they can communicate with each other. You can check for connectivity by running the ping command, as shown in this screenshot:

The Windows Defender service needs to be disabled on your Windows VM as it may interfere when you are executing the malware sample. To do that, press the Windows key + R to open the Run menu, enter gpedit.msc, and hit Enter to launch the Local Group Policy Editor. In the left-hand pane of the Local Group Policy Editor, navigate to Computer Configuration | Administrative Templates | Windows Components | Windows Defender. In the right-hand pane, double-click on the Turn off Windows Defender policy to edit it; then select Enabled and click on OK:

To be able to transfer files (drag and drop) and to copy clipboard content between the host machine and the Windows VM, follow the instructions mentioned in Step 7 of the Setting Up and Configuring Linux VM section.

Take a clean snapshot so that you can revert to the pristine/clean state after every analysis. The procedure to take a snapshot was covered in Step 10 of the Setting Up and Configuring Linux VM section.

At this point, your lab environment should be ready. The Linux and Windows VMs in your clean snapshot should be in Host-only network mode and should be able to communicate with each other. Throughout this book, I will be covering various malware analysis tools; if you wish to use those tools, you can copy them to the clean snapshot on the virtual machines. To keep your clean snapshot up to date, just transfer/install those tools on the virtual machines and take a new clean snapshot.

6. Malware Sources

Once you have a lab set up, you will need malware samples for performing analysis. In this book, I have used various malware samples in the examples. Since these samples are from real attacks, I have decided not to distribute them, as there may be legal issues distributing such samples with the book. You can find them (or similar samples) by searching various malware repositories. The following are some of the sources from where you can get malware samples for your analysis. Some of these sources allow you to download malware samples for free (or after free registration), and some require you to contact the owner to set up an account, after which you will be able to obtain the samples:

Hybrid Analysis: https://www.hybrid-analysis.com/

KernelMode.info: http://www.kernelmode.info/forum/viewforum.php?f=16

VirusBay: https://beta.virusbay.io/

Contagio malware dump: http://contagiodump.blogspot.com/

AVCaesar: https://avcaesar.malware.lu/

Malwr: https://malwr.com/

VirusShare: https://virusshare.com/

theZoo: http://thezoo.morirt.com/

You can find links to various other malware sources in Lenny Zeltser's blog post https://zeltser.com/malware-sample-sources/.

If none of the aforementioned methods work for you and you wish to get the malware samples used in this book, please feel free to contact the author.

Summary

Setting up an isolated lab environment is crucial before analyzing malicious programs. While performing malware analysis, you will usually run the hostile code to observe its behavior, so having an isolated lab environment will prevent the accidental spreading of malicious code to your system or production systems on your network. In the next chapter, you will learn about the tools and techniques to extract valuable information from the malware specimen using Static Analysis.

Static Analysis

 Static analysis is the technique of analyzing the suspect file without executing it. It is an initial analysis method that involves extracting useful information from the suspect binary to make an informed decision on how to classify or analyze it and where to focus your subsequent analysis efforts. This chapter covers various tools and techniques to extract valuable information from the suspect binary.

In this chapter, you will learn the following:

Identifying the malware's target architecture

Fingerprinting the malware

Scanning the suspect binary with anti-virus engines

Extracting strings, functions, and metadata associated with the file

Identifying the obfuscation techniques used to thwart analysis

Classifying and comparing the malware samples

These techniques can reveal different information about the file. It is not required to follow all these techniques, and they need not be followed in the order presented. The choice of techniques to use depends on your goal and the context surrounding the suspect file.

1. Determining the File Type

During your analysis, determining the file type of a suspect binary will help you identify the malware's target operating system (Windows, Linux, and so on) and architecture (32-bit or 64-bit platforms). For example, if the suspect binary has a file type of Portable Executable (PE), which is the file format for Windows executable files (.exe, .dll, .sys, .drv, .com, .ocx, and so on), then you can deduce that the file is designed to target the Windows operating system.

Most Windows-based malware samples are executable files ending with extensions such as .exe, .dll, .sys, and so on. But relying on file extensions alone is not recommended; the file extension is not the sole indicator of file type. Attackers use different tricks to hide their files by modifying the file extension and changing its appearance to trick users into executing it. Instead of relying on the file extension, the file signature can be used to determine the file type.

A file signature is a unique sequence of bytes that is written to the file's header. Different files have different signatures, which can be used to identify the type of file. The Windows executable files, also called PE files (such as the files ending with .exe, .dll, .com, .drv, .sys, and so on), have a file signature of MZ or hexadecimal characters 4D 5A in the first two bytes of the file.

A handy resource for determining the file signatures of different file types based on their extension is available at http://www.filesignatures.net/.

1.1 Identifying File Type Using Manual Method

The manual method of determining the file type is to look for the file signature by opening it in a hex editor. A hex editor is a tool that allows an examiner to inspect each byte of the file; most hex editors provide many functionalities that help in the analysis of a file. The following screenshot shows the file signature of MZ in the first two bytes when an executable file is opened with the HxD hex editor  (https://mh-nexus.de/en/hxd/):

You have many options when it comes to choosing hex editors for Windows; these hex editors offer different features. For a list and comparison of various hex editors, refer to this link: https://en.wikipedia.org/wiki/Comparison_of_hex_editors.

On Linux systems, to look for the file signature, the xxd command can be used, which generates a hex dump of the file as shown here:

$ xxd -g 1 log.exe | more
0000000: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00  MZ..............
0000010: b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
0000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0000030: 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00  ................

1.2 Identifying File Type Using Tools

The other convenient method of determining the file type is to use file identification tools. On Linux systems, this can be achieved using the file utility. In the following example, the file command was run on two different files. From the output, it can be seen that even though the first file does not have any extension, it is detected as a 32-bit executable file (PE32) and the second file is a 64-bit (PE32+) executable:

$ file mini
mini: PE32 executable (GUI) Intel 80386, for MS Windows
$ file notepad.exe
notepad.exe: PE32+ executable (GUI) x86-64, for MS Windows
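The checks in this section can be done programmatically. The following Python script is an added example (not the book's code): it looks for the MZ signature (bytes 4D 5A) seen in the hex dump above, follows the DOS header's e_lfanew field to the PE signature, and reads the COFF Machine field and the optional-header Magic value to tell a 32-bit PE32 from a 64-bit PE32+ file, the same distinction the file utility reported. It also flags a PE whose extension is not one of those the chapter lists for Windows executables. The sample headers are constructed in the script; the offsets and constants come from the PE/COFF format.

```python
"""Identify a Windows PE file from its header bytes rather than its extension.

Added example (not from the book). Checks the MZ signature, follows e_lfanew
to the PE signature, and reads the COFF Machine field and the optional-header
Magic to distinguish PE32 (32-bit) from PE32+ (64-bit).
"""
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification
MACHINE_NAMES = {0x014C: "Intel 80386", 0x8664: "x86-64"}
# IMAGE_OPTIONAL_HEADER.Magic: 0x10B is PE32, 0x20B is PE32+
OPTIONAL_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}
OPTIONAL_BITS = {0x010B: 32, 0x020B: 64}
# Extensions the chapter lists for PE files; a PE with another extension
# (or none) deserves a closer look, since attackers rename files to disguise them.
PE_EXTENSIONS = {"exe", "dll", "sys", "drv", "com", "ocx"}


def identify(data):
    """Return a dict with 'type' (plus 'machine' and 'bits' for PE files)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return {"type": "unknown"}
    # e_lfanew at offset 0x3C of the DOS header points to the PE signature
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        # MZ header but no PE header: a plain DOS executable or a truncated file
        return {"type": "MZ executable (no PE header)"}
    # The 20-byte COFF header follows the 4-byte signature; Machine is its first
    # field. The optional header follows the COFF header; Magic is its first field.
    (machine,) = struct.unpack_from("<H", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "type": OPTIONAL_MAGIC.get(magic, "PE (unrecognized optional header)"),
        "machine": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "bits": OPTIONAL_BITS.get(magic),
    }


def extension_mismatch(filename, data):
    """True when the header says PE but the name does not carry a PE extension."""
    info = identify(data)
    if not info["type"].startswith("PE"):
        return False
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext not in PE_EXTENSIONS


def build_sample_pe(machine, magic):
    """Construct a minimal header (test data, not a real program) for the demo."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)  # PE signature right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos_header) + b"PE\0\0" + coff_header + struct.pack("<H", magic)


if __name__ == "__main__":
    samples = {
        "mini": build_sample_pe(0x014C, 0x010B),         # 32-bit, no extension
        "notepad.exe": build_sample_pe(0x8664, 0x020B),  # 64-bit
        "report.pdf": build_sample_pe(0x014C, 0x010B),   # PE disguised as a document
        "notes.txt": b"just text",
    }
    for name, data in samples.items():
        flag = " (extension does not match header)" if extension_mismatch(name, data) else ""
        print("%s: %s%s" % (name, identify(data), flag))
```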

On Windows, CFF Explorer, part of Explorer Suite (http://www.ntcore.com/exsuite.php), can be used to determine the file type; it is not just limited to determining file type. It is also a great tool for inspecting executable files (both 32-bit and 64-bit) and allows you to examine the PE internal structure, modify fields, and extract resources.

1.3 Determining File Type Using Python

In Python, the python-magic