Week 26 – Static Analysis Fundamentals
Week 26: Building a complete static analysis workflow for safe, offline malware inspection.

Overview: What you will accomplish

This week focuses on static malware analysis — extracting information from a sample without executing it. You will prepare your Windows 11 analysis workstation with a full suite of tools, establish a structured workflow, and perform your first full static analysis pass on a benign test sample.

  • Install and configure PE analysis tools (PE‑bear, DIE, HxD).
  • Set up string extraction workflows using REMnux FLOSS.
  • Install YARA and CAPA for rule‑based and capability‑based detection.
  • Create a structured workspace for samples and artifacts.
  • Perform a complete static analysis workflow on a test sample.
  • Document findings and prepare for dynamic analysis in Week 27.
1. Prepare the Static Analysis Environment (Tools, Configuration, and Workspace Setup)

This activity prepares your Windows 11 analysis workstation for static malware analysis. You will install PE analysis tools, a debugger (x64dbg, which you will use from Week 27 onward), packer detectors, string extraction utilities, and file inspection frameworks, and confirm that the built-in hashing cmdlet works. You will also configure a structured workspace for organizing samples, metadata, and analysis artifacts. This environment will be used throughout Weeks 26–28.

  1. Create a dedicated static analysis directory structure
    Open PowerShell:
    mkdir C:\Malware-Analysis
    mkdir C:\Malware-Analysis\Samples
    mkdir C:\Malware-Analysis\Unpacked
    mkdir C:\Malware-Analysis\Strings
    mkdir C:\Malware-Analysis\Metadata
    mkdir C:\Malware-Analysis\Screenshots
    mkdir C:\Malware-Analysis\Reports
                
  2. Install PE‑bear for PE structure inspection
    Download: PE‑bear Releases
    Extract to:
    C:\Tools\PE-bear
  3. Install Detect It Easy (DIE)
    Download: Detect It Easy
    Extract to:
    C:\Tools\DIE
  4. Install HxD Hex Editor
    Download: HxD Hex Editor
    Install to:
    C:\Tools\HxD
  5. Prepare FLOSS on REMnux for string extraction
    On REMnux:
    floss --version
    mkdir ~/floss-input
    mkdir ~/floss-output
                
  6. Confirm the hashing cmdlet is available
    Get-FileHash ships with PowerShell (Microsoft.PowerShell.Utility); there is no module to install. Verify that it resolves:
    Get-Command Get-FileHash
                
  7. Install x64dbg
    Download: x64dbg
    Extract to:
    C:\Tools\x64dbg
  8. Install YARA
    Download: YARA Releases
    Extract to:
    C:\Tools\YARA
  9. Install CAPA
    Download: CAPA Releases
    Extract to:
    C:\Tools\capa
  10. Configure Defender exclusions
    Run these from an elevated PowerShell prompt (they change Defender policy and need administrator rights), and only inside the isolated analysis VM, never on the host:
    Add-MpPreference -ExclusionPath "C:\Malware-Analysis"
    Add-MpPreference -ExclusionPath "C:\Tools"
                
  11. Disable SmartScreen and reputation checks
    Navigate:
    Windows Security → App & Browser Control → Reputation-based protection
                
    Disable all toggles.
  12. Validate the toolchain using a benign sample
    Do this before the VM is isolated (Activity 6 expects outbound HTTP from this VM to fail); if it already is, download on the host and transfer the file in. Call curl.exe explicitly: in Windows PowerShell 5.1, plain curl is an alias for Invoke-WebRequest, whose parameters differ and which rejects -o as ambiguous.
    curl.exe -L -o C:\Malware-Analysis\Samples\test.exe https://github.com/hasherezade/pe-bear-releases/raw/master/test-files/hello.exe
                
    Test with:
    • PE‑bear
    • DIE
    • HxD
    • Get-FileHash
    • capa
    • yara
  13. Create a clean snapshot
    VM → Snapshots → Take Snapshot
    Name: windows11-static-analysis-ready
                
2. Perform Initial Static Analysis on a Sample (Hashes, Metadata, PE Structure, Strings, YARA, CAPA)

This activity walks you through a complete static analysis workflow on a benign test sample. You will extract metadata, compute hashes, inspect the PE structure, analyze strings, detect packers, and identify capabilities using CAPA and YARA. This establishes the workflow you will use for real malware in Week 27.

  1. Select the sample for analysis
    Use the benign test sample from Activity 1:
    C:\Malware-Analysis\Samples\test.exe
  2. Compute cryptographic hashes
    Get-FileHash C:\Malware-Analysis\Samples\test.exe -Algorithm MD5
    Get-FileHash C:\Malware-Analysis\Samples\test.exe -Algorithm SHA1
    Get-FileHash C:\Malware-Analysis\Samples\test.exe -Algorithm SHA256
                
    Save results to:
    C:\Malware-Analysis\Metadata\test-hashes.txt
  3. Extract file metadata
    Use PowerShell. The default view prints only ProductVersion, FileVersion and FileName; Format-List * shows every VersionInfo field (CompanyName, OriginalFilename, InternalName and so on), which is what you want to record:
    (Get-Item C:\Malware-Analysis\Samples\test.exe).VersionInfo | Format-List *
                
    Save output to:
    C:\Malware-Analysis\Metadata\test-metadata.txt
  4. Inspect PE structure using PE‑bear
    Open:
    C:\Tools\PE-bear\pe-bear.exe
    Examine:
    • DOS header
    • NT headers
    • Section table
    • Imports
    • Exports
    • Resources
    Record your notes in:
    C:\Malware-Analysis\Reports\test-pe-structure.txt
  5. Detect packers using Detect It Easy (DIE)
    Open:
    C:\Tools\DIE\die.exe
    Check:
    • Packer signatures
    • Compiler identification
    • Entropy levels
    Save results:
    C:\Malware-Analysis\Reports\test-die.txt
  6. Extract raw strings using FLOSS (REMnux)
    Copy the sample to REMnux. Run this on Windows from the Samples directory and pass the file by relative name: scp splits host:path at a colon, so a full C:\ path is not a safe argument.
    cd C:\Malware-Analysis\Samples
    scp test.exe remnux@10.30.0.10:~/floss-input/
                
    Run FLOSS (on REMnux):
    floss ~/floss-input/test.exe > ~/floss-output/test-strings.txt
                
    Copy back to Windows (on Windows, from the Strings directory):
    cd C:\Malware-Analysis\Strings
    scp remnux@10.30.0.10:~/floss-output/test-strings.txt .
                
  7. Analyze strings manually
    Open:
    C:\Malware-Analysis\Strings\test-strings.txt
    Look for:
    • URLs
    • Registry paths
    • File paths
    • Suspicious API names
    • Embedded commands
  8. Run CAPA for capability detection
    C:\Tools\capa\capa.exe C:\Malware-Analysis\Samples\test.exe > C:\Malware-Analysis\Reports\test-capa.txt
                
    Add -vv to print the address of every matched feature. A hello-world binary should yield few or no capabilities; that baseline is what makes later matches meaningful.
  9. Run YARA rules
    Example rule (save it as, for example, C:\Malware-Analysis\Reports\test.yar). The MZ check in the condition stops a loose string such as "hello" from matching every text file the rule is later run against:
    rule test_sample
    {
      meta:
        description = "Week 26 benign test sample"
      strings:
        $a = "hello" ascii wide
      condition:
        uint16(0) == 0x5A4D and $a
    }
                
    Run (-s prints the offset and content of each matching string):
    C:\Tools\YARA\yara64.exe -s C:\Malware-Analysis\Reports\test.yar C:\Malware-Analysis\Samples\test.exe > C:\Malware-Analysis\Reports\test-yara.txt
                
  10. Document findings
    Create:
    C:\Malware-Analysis\Reports\test-static-analysis-summary.txt
    Include:
    • Hashes
    • Metadata
    • PE structure notes
    • Packer detection
    • Strings of interest
    • CAPA capabilities
    • YARA matches
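Once PE‑bear has shown you where the fields live, the header and section checks from steps 4 and 5 (plus the hashes from step 2) can be scripted and repeated on every sample. The following Python is an added example written for this page, not code from PE‑bear, DIE or the course. It uses only the standard library to parse the DOS header, the COFF and optional headers and the section table, and it computes per-section Shannon entropy the way DIE's entropy view does. The two-section image returned by build_test_pe() is constructed here so the script runs offline; to use it on the real sample, pass the bytes of test.exe to parse_pe(). It does not walk the import table, which stays a PE‑bear task.

```python
"""Header-level PE triage with the Python standard library only.

Added example for this page (not PE-bear, DIE or course code). Parses the
DOS/COFF/optional headers and section table, hashes the file and scores
each section's entropy. The image built by build_test_pe() is constructed
for offline testing and is not a real executable.
"""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

MACHINES = {0x014C: "i386", 0x8664: "AMD64", 0x01C4: "ARMNT", 0xAA64: "ARM64"}
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Parse DOS header, COFF/optional headers and the section table.

    Raises ValueError for anything that is not a well-formed PE; on a real
    sample that is itself a finding (truncated, corrupted, or not a PE).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint (RVA)
    if magic == 0x10B:                                     # PE32: 4-byte ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                   # PE32+: 8-byte ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")

    sections, hdr = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, hdr)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            "rwx": bool(flags & SCN_MEM_EXECUTE) and bool(flags & SCN_MEM_WRITE),
            "has_entry_point": va <= entry < va + max(vsize, rawsize),
        })
        hdr += 40

    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "size": len(data),
        "machine": MACHINES.get(machine, hex(machine)),
        "pe32plus": magic == 0x20B,
        "timestamp_raw": stamp,
        "compile_timestamp": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "entry_point": entry, "image_base": image_base,
        "characteristics": chars, "sections": sections,
    }


def header_findings(info: dict) -> list:
    """Turn header facts into the notes you would otherwise take from DIE.

    These are heuristics (common packer/loader tells), not proof of packing."""
    notes = []
    if info["timestamp_raw"] == 0:
        notes.append("compile timestamp is zero (stripped or forged)")
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            notes.append(f"{s['name']}: entropy {s['entropy']} suggests packed or encrypted data")
        if s["rwx"]:
            notes.append(f"{s['name']}: section is both writable and executable")
        if s["has_entry_point"] and s["name"] not in (".text", "CODE"):
            notes.append(f"{s['name']}: entry point lies outside the usual code section")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            notes.append(f"{s['name']}: no raw data, {s['virtual_size']} bytes reserved at runtime")
    return notes


def build_test_pe(text: bytes, data: bytes, stamp: int = 0) -> bytes:
    """Constructed two-section PE32 image for testing (not a runnable binary)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 2, stamp, 0, 0, 224, 0x0102)  # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                              # entry point -> .text
    struct.pack_into("<I", opt, 28, 0x400000)                            # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + text.ljust(0x200, b"\0")[:0x200] + data.ljust(0x200, b"\0")[:0x200]


if __name__ == "__main__":
    # Constant .text plus a .data section holding every byte value twice,
    # which is what an encrypted payload blob looks like to an entropy scan.
    info = parse_pe(build_test_pe(b"\x90" * 16 + b"\xc3", bytes(range(256)) * 2))
    print(info["machine"], info["compile_timestamp"], [s["entropy"] for s in info["sections"]])
    for note in header_findings(info):
        print("-", note)
```

The thresholds (entropy above 7.0, a writable and executable section, an entry point outside .text, a zero timestamp) are the usual tells, not verdicts: a .NET assembly or a binary with compressed resources will trip the entropy check legitimately, so treat each note as something to confirm in PE‑bear and DIE rather than as a packer detection on its own.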
3. Build a Repeatable Static Analysis Workflow (Step‑by‑Step Procedure)

This activity defines a structured, repeatable workflow for static analysis. You will follow this exact sequence for every malware sample in Weeks 27–28. The goal is to eliminate guesswork and ensure consistent, high‑quality analysis.

  1. Step 1 — Create a new sample folder
    For each new sample:
    mkdir C:\Malware-Analysis\Samples\sample001
    mkdir C:\Malware-Analysis\Metadata\sample001
    mkdir C:\Malware-Analysis\Strings\sample001
    mkdir C:\Malware-Analysis\Reports\sample001
                
  2. Step 2 — Compute hashes
    Get-FileHash C:\Malware-Analysis\Samples\sample001\sample001.exe -Algorithm SHA256 | Format-List | Out-File C:\Malware-Analysis\Metadata\sample001\hashes.txt
    Get-FileHash C:\Malware-Analysis\Samples\sample001\sample001.exe -Algorithm MD5    | Format-List | Out-File -Append C:\Malware-Analysis\Metadata\sample001\hashes.txt
                
  3. Step 3 — Extract metadata
    (Get-Item C:\Malware-Analysis\Samples\sample001\sample001.exe).VersionInfo | Format-List * | Out-File C:\Malware-Analysis\Metadata\sample001\metadata.txt
                
  4. Step 4 — Inspect PE structure
    Use PE‑bear to examine:
    • Headers
    • Sections
    • Imports
    • Exports
    • Resources
    Save notes to:
    C:\Malware-Analysis\Reports\sample001\pe-structure.txt
  5. Step 5 — Detect packers
    Use Detect It Easy (DIE) to check:
    • Packer signatures
    • Entropy
    • Compiler
    Save results:
    C:\Malware-Analysis\Reports\sample001\die.txt
  6. Step 6 — Extract strings using FLOSS
    On Windows, from the sample folder (relative name, not a C:\ path, because scp splits host:path at a colon):
    cd C:\Malware-Analysis\Samples\sample001
    scp sample001.exe remnux@10.30.0.10:~/floss-input/
    On REMnux:
    floss ~/floss-input/sample001.exe > ~/floss-output/sample001-strings.txt
    Back on Windows:
    cd C:\Malware-Analysis\Strings\sample001
    scp remnux@10.30.0.10:~/floss-output/sample001-strings.txt .
                
  7. Step 7 — Analyze strings
    Look for:
    • URLs
    • Registry keys
    • File paths
    • Commands
    • Suspicious API calls
  8. Step 8 — Run CAPA
    C:\Tools\capa\capa.exe C:\Malware-Analysis\Samples\sample001\sample001.exe > C:\Malware-Analysis\Reports\sample001\capa.txt
                
  9. Step 9 — Run YARA rules
    C:\Tools\YARA\yara64.exe -s rules.yar C:\Malware-Analysis\Samples\sample001\sample001.exe > C:\Malware-Analysis\Reports\sample001\yara.txt
    (rules.yar is the rule file you maintain for this week; give its full path if it is not in the current directory.)
                
  10. Step 10 — Write a summary report
    Include:
    • Hashes
    • Metadata
    • PE structure
    • Packer detection
    • Strings of interest
    • Capabilities (CAPA)
    • YARA matches
    Save to:
    C:\Malware-Analysis\Reports\sample001\static-summary.txt
4. Identify Indicators of Compromise (IOCs) from Static Analysis

This activity teaches you how to extract actionable Indicators of Compromise (IOCs) from your static analysis results. These IOCs will be used in Week 27 for dynamic analysis and in Week 28 for threat hunting and detection engineering.

  1. Extract file‑based IOCs
    From your static analysis:
    • SHA256 hash
    • File size
    • File name
    • Compiler timestamp
    Save to:
    C:\Malware-Analysis\Reports\sample001\iocs-file.txt
  2. Extract string‑based IOCs
    Look for:
    • Domains
    • IP addresses
    • Registry keys
    • File paths
    • Commands
    Save to:
    C:\Malware-Analysis\Reports\sample001\iocs-strings.txt
  3. Extract import‑based IOCs
    From PE‑bear:
    • Suspicious API calls (e.g., VirtualAlloc, WriteProcessMemory)
    • Networking APIs (WinInet, WinHTTP)
    • Persistence APIs (RegSetValueEx)
    Save to:
    C:\Malware-Analysis\Reports\sample001\iocs-imports.txt
  4. Extract capability‑based IOCs
    From CAPA:
    • Persistence mechanisms
    • Network communication
    • Process injection
    • File modification
    Save to:
    C:\Malware-Analysis\Reports\sample001\iocs-capabilities.txt
  5. Compile a master IOC list
    Combine all IOC files into:
    C:\Malware-Analysis\Reports\sample001\iocs-master.txt
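The sorting pass behind Activity 2 step 7 and Activity 4 steps 2 and 3 (string-based and import-based IOCs) is mechanical enough to script. The Python below is an added example for this page, not FLOSS, CAPA or course code: it pulls ASCII and UTF-16LE strings out of raw bytes and buckets them into URLs, domains, IPv4 addresses, registry keys, file paths, suspicious API names and command lines. FLOSS remains the better extractor (it also recovers decoded and stack strings); classify() therefore accepts the lines of a FLOSS output file as well, so you can post-process ~/floss-output/*.txt without re-extracting. The SAMPLE blob is constructed for the test, and the API shortlist and regular expressions are this example's own choices.

```python
"""Bucket extracted strings into the IOC categories used in the worksheets.

Added example for this page (not FLOSS, CAPA or course code). The SAMPLE
blob is constructed for testing; the API list and patterns are this
example's own shortlist, not an authoritative catalogue.
"""
import re
from urllib.parse import urlparse

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")              # printable ASCII, 4+ chars
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")      # UTF-16LE, how Windows stores wide strings

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"\b(?:HKEY_[A-Z_]+|HKLM|HKCU|HKCR|HKU|SOFTWARE|SYSTEM)\\[^\s\"']+", re.I)
PATH_RE = re.compile(r"\b[A-Za-z]:\\[^\s\"'<>|]+|%[A-Za-z]+%\\[^\s\"'<>|]+")
CMD_RE = re.compile(
    r"\b(?:cmd\.exe|powershell|schtasks|rundll32|regsvr32|mshta|wscript|cscript|certutil|bitsadmin)\b",
    re.I)

# Win32 API stems worth a second look (A/W suffix is stripped before lookup).
SUSPICIOUS_APIS = {
    "VirtualAlloc", "VirtualAllocEx", "VirtualProtect", "WriteProcessMemory",
    "ReadProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection",
    "SetWindowsHookEx", "GetProcAddress", "LoadLibrary", "InternetOpen",
    "InternetOpenUrl", "InternetReadFile", "URLDownloadToFile", "WinHttpOpen",
    "WSAStartup", "RegSetValueEx", "RegCreateKeyEx", "CreateService",
    "StartService", "ShellExecute", "WinExec", "CreateProcess",
    "IsDebuggerPresent", "CheckRemoteDebuggerPresent", "CryptEncrypt",
}


def extract_strings(data: bytes) -> list:
    """Printable ASCII runs followed by UTF-16LE runs, each at least 4 characters."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def _valid_ipv4(s: str) -> bool:
    return all(0 <= int(o) <= 255 for o in s.split("."))


def classify(strings) -> dict:
    """Sort strings into IOC buckets; takes extract_strings() output or FLOSS lines.

    Version numbers (1.0.0.1) can false-positive as IPv4 addresses: review the
    ipv4 bucket by hand before it goes into the master IOC list."""
    out = {k: set() for k in ("urls", "domains", "ipv4", "registry", "paths", "apis", "commands")}
    for s in strings:
        for url in URL_RE.findall(s):
            out["urls"].add(url)
            host = urlparse(url).hostname
            if host and not IPV4_RE.fullmatch(host):
                out["domains"].add(host)
        out["ipv4"].update(ip for ip in IPV4_RE.findall(s) if _valid_ipv4(ip))
        out["registry"].update(REG_RE.findall(s))
        out["paths"].update(PATH_RE.findall(s))
        if CMD_RE.search(s):
            out["commands"].add(s)
        stem = s[:-1] if len(s) > 1 and s.endswith(("A", "W")) else s
        if stem in SUSPICIOUS_APIS:
            out["apis"].add(stem)
    return {k: sorted(v) for k, v in out.items()}


def triage(data: bytes) -> dict:
    return classify(extract_strings(data))


# Constructed test blob (not a real binary): header bytes, an import name
# table, a C2 URL on a reserved example domain, a TEST-NET-2 address, a Run
# key, a drop path, a UTF-16LE command line and non-printable filler.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00VirtualAlloc\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"http://update.example.com/gate.php\x00"
    + b"198.51.100.23\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Users\\Public\\svchost.exe\x00\x00"
    + "cmd.exe /c schtasks /create /tn Updater".encode("utf-16-le") + b"\x00\x00"
    + bytes(range(32))
)

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        print(f"{bucket}: {items}")
```

To run it over a FLOSS dump instead of raw bytes, read the file and pass its lines to classify(); the bucket names line up with the iocs-strings.txt and iocs-imports.txt worksheets, and the apis bucket is only a hint until you confirm each name in the PE‑bear import view, since a string can sit in a binary without ever being imported.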
5. Build a Static Analysis Report Template (Reusable for All Samples)

This activity creates a reusable static analysis report template. You will use this template for every sample in Weeks 27–28 to ensure consistent documentation.

  1. Create the template file
    C:\Malware-Analysis\Reports\static-analysis-template.txt
  2. Add report sections
    === Static Analysis Report ===
    
    Sample Name:
    SHA256:
    MD5:
    File Size:
    Compile Timestamp:
    
    --- Metadata ---
    [Add metadata here]
    
    --- PE Structure ---
    [Add PE structure notes]
    
    --- Packers / Entropy ---
    [Add DIE results]
    
    --- Strings ---
    [Add string findings]
    
    --- CAPA Capabilities ---
    [Add CAPA results]
    
    --- YARA Matches ---
    [Add YARA results]
    
    --- IOCs ---
    [Add IOC list]
    
    --- Summary ---
    [Add summary]
                
  3. Save and reuse for all samples
    Copy the template for each new sample:
    copy C:\Malware-Analysis\Reports\static-analysis-template.txt C:\Malware-Analysis\Reports\sample001\sample001-static.txt
                
6. Validate Static Analysis Environment & Prepare for Week 27

This final activity validates your entire static analysis workflow and prepares your environment for dynamic analysis in Week 27.

  1. Validate toolchain functionality
    Confirm:
    • PE‑bear opens samples
    • DIE detects packers
    • HxD loads binaries
    • FLOSS extracts strings
    • CAPA identifies capabilities
    • YARA rules run successfully
  2. Validate REMnux connectivity
    ping 10.30.0.10
    cd C:\Malware-Analysis\Samples
    scp test.exe remnux@10.30.0.10:~/floss-input/
                
  3. Validate Windows isolation
    Both must fail; the only host this VM should reach is REMnux.
    ping 8.8.8.8   # should fail
    curl.exe http://example.com  # should fail
                
  4. Create final Week 26 snapshots
    VM → Snapshots → Take Snapshot
    Name: windows11-week26-complete