Automating Basic Static Malware Analysis

Elliot Parsons
2 min read · Mar 20, 2021

Aim: Create a PowerShell script that takes a suspected malicious file as input and generates a report on that file after applying the techniques outlined in the first two chapters of the book Practical Malware Analysis.

Step 1 - Basic Static Analysis

Unlike PMA, I will not be submitting to VirusTotal. In general it is not a good idea to upload straight to VT, in case the file you are uploading contains identifying or sensitive information about your organization. However, we can add checks for sensitive information (your organization's domains, staff names, IPs, etc.) to this script, so that after confirming the file won't identify you it can then be safely uploaded to VT.

With that in mind, the first step will be to create some hashes of the submitted file; this can be done using the below commands:

Get-FileHash also supports SHA1, SHA384, and SHA512 but I only care about MD5 and SHA256 currently.

Step 2 is running strings on the file. Executables can be run from within PowerShell with the call operator, like so: & 'exe.exe' -arg argument
In practice this looks like this:

There are other steps that could be added later, like checking for packing or listing linked libraries and functions, but at this point I would like to add some checks for organization-specific strings, e.g. domains, IPs, staff names, etc. Before I move on to that, my current code with both steps and some argument handling looks like this:
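The following script is an added example, not the post's own code, that covers the hashing step, the strings step and the organization-string screen described above in one file. It assumes a suspect file at -Path, a list of -SensitiveTerms (the defaults are constructed placeholders, not real identifiers), and that the Sysinternals strings.exe may or may not be on PATH; when it is absent, printable ASCII runs are pulled from the raw bytes natively.

```powershell
<#
  Added example (not the post's own script): basic static-analysis report.
  Assumptions: $Path is the suspect file; $SensitiveTerms are constructed
  placeholders for your own domains, hosts and names; strings.exe is
  optional and a native extractor is used when it is not on PATH.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)]
    [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
    [string]$Path,

    # Constructed placeholders; replace with your organization's identifiers.
    [string[]]$SensitiveTerms = @('example-corp.internal', '10.20.30.', 'jdoe'),

    [int]$MinStringLength = 4,

    # Assumed output location for the JSON report.
    [string]$ReportPath = (Join-Path (Get-Location) 'static-report.json')
)

$file = Get-Item -LiteralPath $Path

# Step 1: file hashes. Get-FileHash also supports SHA1/SHA384/SHA512,
# but the post only wants MD5 and SHA256.
$hashes = [ordered]@{}
foreach ($algo in 'MD5', 'SHA256') {
    $hashes[$algo] = (Get-FileHash -LiteralPath $Path -Algorithm $algo).Hash
}

# Step 2: strings. If a strings binary is available, invoke it with the call
# operator (&) as the post does; otherwise extract printable ASCII runs from
# the raw bytes. Encoding 28591 (Latin-1) maps every byte to exactly one
# character, so the regex sees the file byte-for-byte.
$stringsExe = Get-Command 'strings.exe' -ErrorAction SilentlyContinue
if ($stringsExe) {
    $strings = & $stringsExe.Source -accepteula -n $MinStringLength $Path
} else {
    $raw  = [System.IO.File]::ReadAllBytes($Path)
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($raw)
    $strings = [regex]::Matches($text, "[\x20-\x7e]{$MinStringLength,}") |
        ForEach-Object { $_.Value }
}
$strings = @($strings | Where-Object { $_ })   # drop empty lines

# Step 3: screen the strings for organization-specific identifiers before
# the sample goes anywhere near a third-party service such as VirusTotal.
$hits = foreach ($term in $SensitiveTerms) {
    foreach ($s in $strings) {
        if ($s.IndexOf($term, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            [pscustomobject]@{ Term = $term; String = $s }
        }
    }
}
$hits = @($hits)

$report = [pscustomobject]@{
    File          = $file.FullName
    SizeBytes     = $file.Length
    MD5           = $hashes['MD5']
    SHA256        = $hashes['SHA256']
    StringCount   = $strings.Count
    SensitiveHits = $hits
    # A clean screen only means none of the listed terms appeared; it is a
    # first gate, not proof that the file carries no identifying data.
    SafeToUpload  = ($hits.Count -eq 0)
}

$report | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $ReportPath -Encoding UTF8
$report
```

Run it as `.\Get-StaticReport.ps1 -Path .\sample.bin -SensitiveTerms 'contoso.example','10.1.'` (file name and terms are placeholders). The term match uses IndexOf with OrdinalIgnoreCase rather than -like, so a term containing [ or * is matched literally instead of being treated as a wildcard pattern.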

--More to Come--


Elliot Parsons

My interests are history, politics, economics, computer science and cybersecurity. Always remember to seize the cheese.