This project documents the static and dynamic analysis of a Windows executable (malware.exe), suspected to be a variant of the SpyEye banking trojan. The analysis was conducted within an isolated Ubuntu Linux virtual machine environment.
This repository contains both the detailed analysis report and the raw output files generated during the investigation, located within the Analysis_Files directory.
Analysis Goals:
- Perform static analysis using file format information, string extraction, header parsing, and disassembly to understand the malware's structure, potential capabilities, and indicators of compromise.
- Attempt dynamic analysis within the Linux VM to observe runtime behaviour, acknowledging the limitations of the non-native OS environment.
- Document findings, challenges encountered (like the OS mismatch), and potential remediation steps based on the analysis performed.
- Malware_Analysis_Report.md: The main detailed analysis report.
- Analysis_Files/: Parent directory containing the raw analysis output.
  - static_analysis/: Raw output files from static analysis tools (e.g., PE header details, strings, disassembly excerpts, file hashes).
  - dynamic_before_analysis/: System state snapshots (e.g., process lists, network sockets, disk usage) captured before executing the malware sample in the VM.
  - dynamic_after_analysis/: System state snapshots and monitoring logs (e.g., process lists, network sockets, file system changes via inotifywait) captured after attempting to execute the malware sample in the VM.
- Static Analysis: Successfully identified the file as a 32-bit Windows PE executable compiled in March 2010. Analysis revealed capabilities related to file system manipulation, process interaction, memory operations, and resource handling. A key finding was the use of dynamic API resolution (via hashing) to obfuscate Windows API calls. The file did not appear to be packed with common packers such as UPX. (Raw static analysis data is available in the Analysis_Files/static_analysis/ folder.)
- Dynamic Analysis (Linux VM): Executing the Windows binary on Linux yielded limited relevant behavioural data, primarily showing minor temporary file activity. (Comparison data is available in the Analysis_Files/dynamic_before_analysis/ and Analysis_Files/dynamic_after_analysis/ folders.)
- Challenges & Learning: The OS mismatch served as a practical lesson in environment preparation for malware analysis and emphasized the importance of robust static analysis techniques when dynamic observation is hindered.
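A small static-triage script of the kind behind the PE checks above (file hash, machine type, link timestamp, section names, and a UPX section-name heuristic), added here as an example; it is not part of this repository's analysis files. It parses a constructed minimal PE image rather than malware.exe, and the 15 March 2010 link time and the section names are assumptions for that sample.

```python
"""Minimal PE triage: hash, machine type, link timestamp, sections, UPX heuristic."""
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_TYPES = {0x014C: "x86 (32-bit)", 0x8664: "x64", 0x01C0: "ARM", 0xAA64: "ARM64"}
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}  # section names UPX leaves behind
IMAGE_FILE_DLL = 0x2000                       # COFF Characteristics flag

# Assumed link time for the constructed sample (the page only says "March 2010").
SAMPLE_LINK_TIME = datetime(2010, 3, 15, tzinfo=timezone.utc)


def triage_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size                      # section table start
    names = []
    for i in range(nsections):                                # 40-byte section headers
        raw = struct.unpack_from("8s", data, sec_off + 40 * i)[0]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_TYPES.get(machine, f"unknown (0x{machine:04x})"),
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d"),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
        "upx_packed": bool(UPX_SECTION_NAMES & set(names)),
    }


def build_sample(section_names, link_time) -> bytes:
    """Constructed minimal PE (not malware.exe): no optional header, no section data."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names),
                       int(link_time.timestamp()), 0, 0, 0, 0x0102)
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
                    for n in section_names)
    return dos + b"PE\0\0" + coff + secs


if __name__ == "__main__":
    for key, val in triage_pe(build_sample([b".text", b".data"], SAMPLE_LINK_TIME)).items():
        print(f"{key:>11}: {val}")
```

Pointing `triage_pe` at a real file (`open(path, "rb").read()`) gives the same fields the static_analysis/ outputs record; the UPX check is a heuristic, since a repacked or renamed-section sample evades it.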
The complete analysis methodology, detailed findings, IOCs, and remediation plan are documented in: