Static Analysis Flow

Auto Analysis with CAPA

Decompiler Analysis & Patching

3. Static Analysis

Based on the initial triage and behavioural analysis, and assuming no anti-reversing is applied, you should know by now what the program attempts to do and what type of file you are dealing with.

Static analysis allows you to get more intimate with the program: you learn more about the execution flow and the addresses of the specific functions that perform interesting operations. It may also uncover hidden features of the program that are not obvious on basic detonation.

This stage also comes into play when anti-reversing techniques are applied (which curtail the impact of behavioural analysis). You may be required to analyse and patch the program in order to obtain full execution. For a reference sheet on assembly see 1 - Assembly_ref, and for a reference to interesting Windows API functions see 2 - WinAPI_ref.

Questions to ask

  • What modules are executed (and in what order)?
  • What does the program aim to do?
  • Have you identified any interesting addresses (e.g. the address at which an interesting function call is made, something that can later be viewed in a debugger)?
  • Have you identified any potential anti-debugging features? Can they quickly be patched while performing static analysis?
  • Is the program likely to be malicious? What type of malware: dropper, stager? Does it contain shellcode? etc.

3.1 Auto (Quick) Static Analysis

CAPA

Mandiant's CAPA: https://github.com/mandiant/capa This tool performs automated static analysis on the target file and maps its findings to the MITRE ATT&CK framework.

CAPA.exe <filename> -vv

3.2 Manual Analysis (PE)

Cutter

Cutter's goal is to be an advanced FREE and open-source reverse-engineering platform while keeping the user experience in mind. Cutter is created by reverse engineers for reverse engineers.

Cutter has the following tabs: Strings | Imports | Disassembly | Graph | Decompiler | HexDump and more.

In Cutter, once you open a file, you can allow auto-analysis to run.

You can find Cutter releases on GitHub at the following link:

Key shortcuts:

Shortcut              Function
Esc                   Seek to previous position
Space                 Switch to disassembly or graph view
Ctrl/Cmd+MouseWheel   Zoom
J                     Next instruction
K                     Previous instruction
T                     Follow True/Unconditional branch
F                     Follow False/Unconditional branch
X                     Find x-reference to item

Ghidra
Overview
  • Open-source software reverse engineering (SRE) framework from NSA.
  • Supports multiple architectures (x86/x64/ARM/MIPS/Dalvik).
  • Features disassembly, decompiler, graph views, scripting (Python/Jython), and automated analysis.
Workflow
  1. Start Project → File → New Project → Import binary → Analyze (enable advanced analysis options).
  2. Browse Functions → Symbol Tree → Functions list; rename entries for clarity.
  3. View Imports/IAT → Symbol Tree → Imports/External → double-click to navigate.
  4. Go to Address → Navigate → Go To (Ctrl+G); supports hex addresses or labels.
  5. String Search → Search → For Strings or Ctrl+F in Listing view.
  6. Decompile to C-like Code → Select function → open Decompiler window → use pseudocode for logic.
  7. Graph Control Flow → Function Graph view; visualize branches and loops.
  8. Scripting & Automation → Write Python plugins for batch renaming, pattern searching, or custom analysis.
Tips & Tricks
  • Rename functions, variables, and parameters in pseudocode to improve readability.
  • Use cross-references (XREFs) to trace calling patterns.
  • Export decompiled logic to understand encryption routines, decode payloads, or trace control flow.
IDA Pro
Overview
  • Industry-standard disassembler + Hex-Rays Decompiler for C-like output.
  • Supports many architectures, powerful cross-references, graph view, scripting (IDAPython).
Workflow
  1. Load Binary → File → Open → auto-analysis starts.
  2. Functions & Cross-Refs → Functions window; use X to find callers.
  3. View Imports / IAT → Imports pane → double-click to see usage.
  4. Jump to Address → Press G (address or symbol); Esc/Ctrl+Enter for navigation history.
  5. String Search → Edit → Strings window; or “Search text” in hex view.
  6. Decompile to C → Hit F5 in Disasm to open pseudocode.
  7. Scripting → Use IDAPython to automate analysis, e.g. extract function summaries or patch logic.
Tips & Tricks
  • Use API names and renames in pseudocode to improve clarity.
  • Annotate and comment assembly; propagate meaningful names to help pattern recognition.
  • Automate analysis (string extraction, import logging) via scripts.

Tip: Finding Main()

String Reference

Search for known strings and then look at their references to find the relevant sections of the program to analyse

Module Call Reference

Search for the modules and then look at their references to find the relevant sections of the program to analyse

Follow the PE Entrypoint

Go to mainCRTStartup(), go to the bottom of its execution flow and work backwards to find main().

Reference:
https://www.youtube.com/watch?v=tWSa1L5L394
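Added example (not from the original notes) of the entry-point step in code: a stdlib-only Python parser that reads AddressOfEntryPoint and ImageBase from the PE headers and maps the entry RVA to its section and file offset, so you know where to start in the disassembler or hex editor. The PE it parses is a constructed minimal image, not a real sample.

```python
import struct

def build_sample_pe():
    """Constructed minimal PE32 image (not a real program): one .text section,
    entry point at RVA 0x1010, image base 0x400000."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew: NT headers at 0x80
    # COFF header: i386, 1 section, optional header of 224 bytes, EXECUTABLE_IMAGE|32BIT
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)                 # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)               # ImageBase
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec

def pe_entry_point(data):
    """Return (entry VA, entry RVA, file offset, section name) for a PE32/PE32+ file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    nt = struct.unpack_from("<I", data, 0x3C)[0]
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = nt + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:                                      # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                    # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Walk the section table to map the entry RVA to a file offset (for hex editors / carving)
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        if va <= entry_rva < va + max(vsize, rawsize):
            return (image_base + entry_rva, entry_rva, rawptr + (entry_rva - va), name.rstrip(b"\0").decode())
    raise ValueError("entry RVA 0x%x is outside every section (packed or malformed?)" % entry_rva)

if __name__ == "__main__":
    va, rva, off, sec = pe_entry_point(build_sample_pe())
    print("entry VA 0x%x (RVA 0x%x) -> file offset 0x%x in %s" % (va, rva, off, sec))
```

On an MSVC-built sample the VA printed here is where the disassembler lands on mainCRTStartup; an entry RVA outside every section is a useful packer/tampering signal.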

3.3 Shellcode Analysis

SCDBG

If during analysis, whether static or dynamic, you have obtained any shellcode, you can use scdbg.exe to try to determine what that shellcode does. This tool decompiles shellcode and presents the WinAPI functions it attempts to run, together with their arguments.

Note: the shellcode should be in its raw hex format as a .bin file, e.g.

This may require you to carve out the shellcode and format it so that it contains only the raw hex, then save it as a .bin file. Once you have your .bin file, run the following command:

scdbg.exe /f <shellcode.bin> -s -1
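Added example (not part of the original notes) of the carving step: it normalises shellcode pasted as a C string, a 0x-separated array or a bare hex dump into the raw bytes that scdbg expects and writes the .bin. The sample bytes are constructed (nop, nop, int3, ret), not real shellcode.

```python
import re

# Constructed sample: the same four bytes in three encodings an analyst commonly
# carves out of a script, a C source file or a hex dump.
SAMPLES = {
    "c_string": r'unsigned char buf[] = "\x90\x90\xcc\xc3";',
    "csv_hex": "0x90, 0x90, 0xCC, 0xC3",
    "plain_hex": "90 90 cc c3",
}

def carve_hex_bytes(text):
    """Extract raw bytes from text containing \\xNN escapes, 0xNN values or bare hex pairs."""
    # \xNN (C/Python/PowerShell strings) and 0xNN (C arrays, .NET byte[] initialisers)
    prefixed = re.findall(r'(?:\\x|0x)([0-9a-fA-F]{2})', text)
    if prefixed:
        return bytes.fromhex("".join(prefixed))
    # Otherwise treat the text as a bare hex dump: drop everything that is not a hex digit
    digits = re.sub(r'[^0-9a-fA-F]', '', text)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits (%d): input is truncated or not hex" % len(digits))
    return bytes.fromhex(digits)

def write_bin(text, path):
    """Carve the bytes and save them as the raw .bin file scdbg reads; returns the byte count."""
    blob = carve_hex_bytes(text)
    with open(path, "wb") as fh:
        fh.write(blob)
    return len(blob)

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, carve_hex_bytes(text).hex())
```

Any of the three inputs yields the same four bytes; pass the written file to scdbg with /f as shown above.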

3.4 Manual Analysis: .NET PE

dnSpy – .NET Decompiler & Debugger
Overview
  • .NET assembly explorer, decompiler (C# output), and interactive debugger.
  • Ideal for analyzing .NET malware or managed code.
Workflow
  1. Open Assembly → File → Open .exe or .dll → tree view with namespaces, classes, methods.
  2. Navigate Code → Expand types → double-click to view decompiled C#.
  3. Inspect Behavior → Search for keywords like URL, encryption, HTTPClient, etc.
  4. Debug → Attach to process or open in debugger to step through code, set breakpoints.
  5. Dump Memory/File → Extract payloads or pristine DLLs mid-execution.
  6. Modify & Rebuild → Edit methods, rebuild assembly, rerun for behavior changes.
Tips & Tricks
  • Rename methods and classes to reflect functionality (e.g. Decrypt, Upload).
  • Use debug breakpoints to intercept decryption or C2 communication.
  • Bypass obfuscation by replacing confusing code with cleaner logic and observe results.

3.5 Android apk

JADX / dex2jar (Android Reverse Engineering)
Overview
  • dex2jar: Converts .dex files to .jar.
  • JADX: Decompiles .dex directly to Java; also supports .apk input.
Workflow
  1. Extract APK → Unzip .apk.
  2. Convert/Dex → Jar → Run dex2jar to get .jar.
  3. View in JADX / JD-GUI → Open .jar in GUI to view Java code.
  4. Search for Strings/Methods → Look for URLs, reflection, native calls.
  5. Analyze Flow → Trace code entry points like onCreate, run, etc.
Tips & Tricks
  • Use JADX’s navigator to jump between classes, methods.
  • Identify obfuscation (e.g. ProGuard) and rename classes for clarity.
  • Combine with Android Studio APK Analyzer for manifest and resource insights.


3.6 Other Artifact Analysis

  • JavaScript Deobfuscation
  • PowerShell Deobfuscation
  • Generic Content Decoding
  • Batch File Analysis
  • Macro VB Analysis