Title
Create new category
Edit page index title
Edit category
Edit link
Executable Analysis (PE)
Executable analysis is a crucial aspect of cybersecurity software, involving the in-depth examination of executable files to uncover concealed malicious code and extract relevant TTPs.
We approach Portable Executable (PE) file analysis from various angles, employing deep structure analysis, adaptive threat analysis, and up-to-date threat intelligence. This comprehensive approach ensures robust protection against modern cyber threats, providing peace of mind in today’s digital landscape. Key features include:
Generic and specific packer unpacking,
Intelligent full binary disassembly,
Certificate analysis & validation,
Detection of compiler, linker, packer used,
150+ dedicated threat indicators,
Wide-spread usage of MITRE TTPs,
Malware configuration extraction.
Our three main feature categories are detailed in the tables below:
On the following link you can find a sample showcasing most of the features shown below:
Feature | Description | |
|---|---|---|
Unpacking | Malware is often packed to make it more difficult to analyze. The unpacking feature uses a variety of techniques to unpack malware, including targeted unpackers and generic solutions. Targeted unpackers are designed to unpack specific types of malware, while generic solutions can unpack a wider range of malware. | |
Malware configuration extraction | The malware configuration extraction feature extracts the configuration of malware files. This information can include the malware's command and control server, its target systems, and its payload. The configuration information can be used to understand how the malware works and how it can be neutralized. | |
Automated tagging | The automated tagging feature automatically tags malware files with signatures, behavior patterns, and similarity search. Signatures are patterns of bytes that are unique to a particular malware family. Behavior patterns are the actions that a malware file performs. Similarity search is used to find malware files that are similar to each other. The tagged information can be used to classify malware and identify new threats. |
On the following link you can find a sample showcasing most of the features shown below:
(Head to the Analysis overview -> Unknown Tab -> Detected cryptographic algorithms indicator)
Constants Analysis | |
|---|---|
String Identification | This feature enables the identification and highlighting of potentially suspicious or critical strings within a software program, including both ASCII and UTF16 encoded strings. It aids in pinpointing data that may be indicative of malicious activities. |
Cryptographic Constant Detection | The system has the capability to identify and flag constants commonly utilized in cryptographic functions. By detecting these constants, it helps in recognizing potential cryptographic operations within the code. |
On the following link you can find a sample showcasing most of the features shown below:
Compilation Analysis | |
|---|---|
Packer and Protector Detection | This functionality is designed to identify the usage of third-party packing and protection tools within software applications. This is essential in uncovering attempts to obscure code, thereby enhancing transparency and security analysis. |
.NET Obfuscator Detection | This feature is dedicated to detecting the presence of obfuscation techniques employed in .NET applications. It assists in revealing attempts to conceal code logic and intent, aiding security experts in thorough code examination. |
Compiler, Linker, and Framework Identification | This tool is adept at identifying the specific compilers, linkers, and development frameworks that were utilized during the compilation of the analyzed program. This information helps in understanding the software's origin and dependencies. |
Parsing PE Compiler Metadata | By parsing the "RICH" headers within Portable Executable (PE) files, this feature provides valuable insights into the compilation process. It assists analysts in gaining a deeper understanding of the software's development history and evolution. |
On the following link you can find a sample showcasing most of the features shown below:
(Head to the Extended details -> Certificates and open the various certificates)
Signature and Hash Calculations | |
|---|---|
.NET GUID Calculation | This capability involves the calculation of .NET Globally Unique Identifiers (GUIDs) and their correlation to Module Versions and Type Library Identifiers (TypeLib Id). It facilitates the tracking of versioning and compatibility aspects within .NET assemblies. |
Digital Certificate Calculation and Verification | This feature is responsible for the computation and validation of digital certificates, including Authentihash and Authenticode signatures. It ensures the authenticity and integrity of software components, offering robust security assessment. |
Digital Certificate Status | This feature rigorously evaluates digital certificates by checking their revocation status, assessing their validity, and monitoring expiration dates. It ensures the integrity and trustworthiness of certificates, reducing the risk of compromised software execution and enhancing overall security. |
Entropy and Hash Generation | The system can calculate a variety of entropy and hash values for different elements of the Portable Executable (PE) file, encompassing resources and sections. This multi-faceted hashing capability enhances the granularity of security analysis. |
Fuzzy Hash Calculation | Fuzzy hashing techniques such as imphash, ssdeep, and the proprietary Fsiofuzzyhash are employed to generate unique hash values. These fuzzy hashes aid in identifying similarities and differences between software binaries, enhancing threat detection and classification. |
On the following links you can find a samples showcasing most of the features shown below:
PDB: https://www.filescan.io/uploads/64f7d05467511af1a1b51180...
Version Info: https://www.filescan.io/uploads/65098ef832ffdb7a7a0b9e95...
SFX: https://www.filescan.io/uploads/6508ffe02d5fc006cad6b3af...
Disassembly: https://www.filescan.io/uploads/6509858d988a26b6d96e912b...
Extraction: https://www.filescan.io/uploads/65071846b448abc35b2d17e8...
PE File Analysis | |
|---|---|
Categorization of PE Libraries and Imported Functions | This feature provides a comprehensive categorization of PE libraries and their imported functions while simultaneously offering the capability to blacklist specific libraries and functions. This categorization and control mechanism enhance security by allowing the fine-tuning of software behavior and mitigating potential risks associated with untrusted components. |
Parsing PDB Information | This functionality involves parsing and extracting information from Program Database (PDB) files associated with PE executables. PDB files are essential for debugging and reverse engineering. By parsing PDB information, security analysts gain valuable insights into the structure and evolution of the software, aiding in vulnerability assessment and code analysis. |
Parsing Version Information of the PE | Parsing version information embedded within the PE file provides critical contextual data about the software's build, origin, and compatibility. This information is crucial for determining the software's legitimacy and assessing its trustworthiness, making it an essential aspect of security analysis. |
Parsing and Detecting TLS Callbacks | This feature is designed to identify and analyze Thread Local Storage (TLS) callbacks within PE files. TLS callbacks are often utilized as an anti-debugging mechanism by malicious software. Detecting these callbacks is essential for security experts to understand and counteract evasion tactics employed by potential threats. |
Parsing Self-Extracting Installer Metadata | Self-extracting installers (SFX) are executable archives that can unpack their contents when executed. This feature not only identifies the presence of SFX but also extracts relevant metadata. Supporting both 7z and RAR formats ensures comprehensive coverage, enhancing security analysts' ability to scrutinize and validate the integrity of such archives. |
Intelligent Disassembly of PE Files: | This intelligent disassembly process prioritizes the analysis of significant code blocks while efficiently dismissing less relevant sections. This approach optimizes performance without compromising detection accuracy, allowing for rapid and effective assessment of PE files. |
Extraction of Embedded Files | The system offers heuristic detection for embedded files within PE executables, including PEs, resources, and certificates, among others. This capability allows for the extraction and analysis of potentially concealed or encrypted content, contributing to a more comprehensive security evaluation. |
Extraction of Files from Installers | While currently supporting only the MSI format, this feature facilitates the extraction of files from installer packages. MSI files are commonly used for software installation, and this functionality allows for the examination of their contents, helping security analysts identify potential vulnerabilities or malicious components during the installation process. |
On the following link you can find a sample showcasing most of the features shown below:
Whitelisting | |
|---|---|
Digital Certificate Whitelisting | This functionality empowers users to create and manage a whitelist of trusted digital certificates. By incorporating digital certificate whitelisting, the system allows for the identification and validation of software components signed by trusted entities. |
Custom Hash Whitelisting | Users have the capability to establish a custom hash-based whitelist, enabling the recognition and validation of files with specific hash values. Custom hash whitelisting provides a flexible and tailored approach to verifying the integrity of files, enabling the exclusion of known good files from security scrutiny. |
Integrated Whitelists Support | The system seamlessly integrates with pre-existing whitelists, allowing organizations to leverage their established trust repositories. This integration ensures continuity and minimizes disruptions while enhancing the security posture by extending trust to approved software and components. |
National Software Reference Library (NSRL) Support | This feature facilitates integration with the National Software Reference Library (NSRL), a comprehensive repository of known software and file signatures. By supporting the NSRL, the system streamlines the identification and validation of files that match known and legitimate software components. This significantly reduces the risk of false positives in security assessments and accelerates the verification process for widely recognized software. |
On the following link you can find a sample showcasing most of the features shown below:
(Check the Visualization image on the linked page and you can also head to the Indicators of Compromise subpage to find the related UUIDs)
Others | |
|---|---|
Identify and Map UUIDs | This feature identifies and links Universally Unique Identifiers (UUIDs) to known associated files and metadata. It simplifies the process of recognizing and establishing connections between UUIDs and their relevant elements, facilitating efficient tracking and analysis. |
Visualize PE Data | This feature offers visualizations of Portable Executable (PE) data using BytePlot and entropy-based representations. It provides intuitive graphical insights into the structure and characteristics of PE files, aiding in the rapid identification of patterns, anomalies, and potential security concerns. |
Decompile .NET Files: | This feature includes the capability to decompile .NET files, converting compiled code into human-readable source code. It simplifies the analysis and comprehension of software behavior. |
On the following link you can find a sample showcasing most of the features shown below:
Feature | Description |
|---|---|
ML-Based Similarity Search (300+ Features) | This feature employs Machine Learning (ML) techniques to conduct a similarity search using over 300 distinct features. It enables the identification of similarities and patterns within data, facilitating effective threat detection and classification. |
Integration with Open Source Intelligence Vendors | The system seamlessly integrates with various open-source intelligence vendors, including MetaDefender Cloud and VirusTotal. This integration enhances threat intelligence by leveraging external resources and data, augmenting the breadth and depth of security analysis. |
Malware Family Detection Based on MISP Galaxy Keywords | This feature employs MISP Galaxy keywords to detect specific malware families. By associating threats with known categories and attributes, it enhances the accuracy of malware identification and enables targeted response strategies. |
Auto-Updating YARA Rules for OSINT Detection | The system continuously updates YARA rules to provide an additional layer of Open Source Intelligence (OSINT) detection. This dynamic rule management ensures that the system remains current and effective in identifying emerging threats and vulnerabilities. |
See the "Technical Datasheet" for a complete list of features: https://docs.opswat.com/filescan/datasheet/technical-datasheet