0

How can I see which files, ports, URLs, etc that are used by a suspicious Windows executable.

RoraΖ
  • 12,347
  • 4
  • 51
  • 83
Melina Golez
  • 13
  • 2
  • What you really need to answer is how savvy do you want to go with it? Do you want to dig deep and reverse engineer executables manually? or do you want to rely on automated analysis? Ofcourse, automated analysis will be defeated by polymorphism, metamorphism and and so on. If you want to rely on automated then use things such as http://camas.comodo.com/ and Process Monitor from Microsoft Technet and so on. If you're going to dig deep then PEiD, IDA PRO, LordPE and HookShark. If you expand your question then I'd happy give you a better suited answer rather than a brief answer. – Paul Oct 01 '15 at 12:28

2 Answers2

1

This depends on how savvy the programmer of the malicious binary decides to be.

If it's a simple binary I would suggest first downloading Strings for Windows. It's a version of the Linux programs of the same name. It runs through and prints out all strings in a binary. If the binary isn't encoded or packed this should give you what you want to know. Once installed:

  1. Bring up a command prompt: WindowsKey + r, type cmd and hit ENTER
  2. cd <directory/of/binary>
  3. strings <binary_name>.exe

A lot of output will be printed to the screen. You can use strings <binary_name>.exe > output.txt to write it to a file.

If the binary is packed or encoded the easiest way to analyze a Windows binary for these things is a tool called PE Insider or CFF Explorer. PE Insider allows you to quickly look at the Portable Executable's headers, performs quick decompilation, and simple analysis. CFF Explorer allows you to decode and unpack other resources within the binary.

The links provided should give you enough resources on how to use those tools. For more information on malware analysis you can checkout How to Analyze a Piece of Malware, and Topics to Know When Analyzing Malware.

Community
  • 1
RoraΖ
  • 12,347
  • 4
  • 51
  • 83
0

You can start by submiting your file to virustotal or to Cucko Sandbox

It will provide you some informations on your malicious file which can be interesting.

For example, with a search on the hash of the file, you can find people who has already reverse the same file.

Sorcha
  • 595
  • 2
  • 5