Static Malware Analysis Project – qwas.exe | Task Assigned to Pak Cyber Wing

Introduction

In 2024, I was assigned a project by Pak Cyber Wing to perform a static malware analysis on a suspicious Windows executable sample (qwas.exe). The purpose of this task was to evaluate malware behavior, detect Indicators of Compromise (IOCs), and test detection capabilities, especially when the malware is bundled with open-source software.

This project allowed me to gain hands-on experience in professional malware analysis and create a report that reflects SOC-style investigation techniques.


Objective

The main goals of this project were:

  1. Perform static analysis on a suspicious Windows executable without running it.

  2. Extract strings, network indicators, and embedded messages.

  3. Identify potential threat behavior such as email spam, ransomware, or extortion.

  4. Document the findings in a professional malware analysis report suitable for cybersecurity portfolios.


Tools & Techniques Used

  • Strings Extraction Tools – To identify suspicious text in the binary

  • PE Analysis Techniques – To examine Windows API calls and executable structure

  • Static IOC Identification – Extracted potential IPs, domains, URLs, and cryptocurrency addresses

  • Graphical Representation – Created a communication overview graph to visualize the malware's network connections

  • MITRE ATT&CK Mapping – Mapped behavior to real-world attack techniques

  • Risk Assessment Table – Rated threats as Critical, High, or Medium


Steps I Performed

  1. Initial Examination

    • Checked file type, name (qwas.exe), and file hashes (MD5, SHA1, SHA256).

    • Verified it was a Windows Portable Executable (PE) file.

  2. Strings & Artifact Extraction

    • Identified suspicious strings related to:

      • Network APIs (InternetOpenUrlA, InternetReadFile)

      • SMTP commands (EHLO, MAIL FROM, RCPT TO)

      • Embedded ransom message and Bitcoin wallet

  3. Indicators of Compromise (IOC) Analysis

    • Extracted the IPs, domains, and URLs the sample contacts:

      • icanhazip.com → public IP lookup

      • mail.ru → possible mail infrastructure

      • binance.com, bitrefill.com, crypto.com, kucoin.com → cryptocurrency services

  4. Behavioral Mapping

    • Network communication patterns and potential malicious behaviors were mapped in a graph for visualization.

    • Identified key behaviors: IP collection, email-based attacks, extortion messaging, and anti-analysis mechanisms.

  5. MITRE ATT&CK Mapping & Risk Assessment

    • Mapped malware tactics and techniques (e.g., T1059, T1071.001, T1490)

    • Created a risk table categorizing financial impact, network security, system integrity, and detection evasion

  6. Report Creation

    • Compiled the findings in a SOC-style malware analysis report including an executive summary, IOCs, behavior analysis, MITRE mapping, the risk table, and the communication graph.
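Steps 1 to 3 above, as a constructed Python walk-through added here for illustration (it is not code from the original report or from Pak Cyber Wing): it hashes a byte buffer, verifies the PE signature, pulls printable strings, and buckets them into the IOC categories the report lists. The sample bytes, the "example" host and the Bitcoin address inside it are constructed placeholders; only the API names, SMTP commands and domains come from the report.

```python
import hashlib
import re
# Constructed stand-in for a sample (not the real qwas.exe): a DOS stub with e_lfanew
# pointing at a "PE\0\0" header, then the kinds of strings the analysis above reports.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 56 + (0x40).to_bytes(4, "little")  # e_lfanew = 0x40
    + b"PE\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n\x00"
    + b"wininet.dll\x00InternetOpenUrlA\x00InternetReadFile\x00"
    + b"EHLO example\r\nMAIL FROM:<x>\r\nRCPT TO:<y>\r\n\x00"
    + b"http://icanhazip.com/\x00smtp.mail.ru\x00"
    + b"Send 500 USD in Bitcoin to 1examp1eConstructedWa11etAddr234567\x00"  # placeholder address
    + b"IsDebuggerPresent\x00"
)

# String categories reported in steps 2 and 3 above.
IOC_PATTERNS = {
    "network_api": re.compile(r"\b(?:InternetOpenUrlA|InternetReadFile)\b"),
    "smtp_command": re.compile(r"\b(?:EHLO|HELO|MAIL FROM|RCPT TO)\b"),
    "domain_or_url": re.compile(r"\b(?:https?://)?(?:[a-z0-9-]+\.)+(?:com|ru|net|org)\b", re.I),
    "btc_address": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),  # legacy address form
    "anti_debug": re.compile(r"\bIsDebuggerPresent\b"),
}

def file_hashes(data: bytes) -> dict:
    # Step 1: hashes computed from the bytes on disk; the sample is never executed.
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def is_pe(data: bytes) -> bool:
    # Step 1: DOS "MZ" signature, then follow e_lfanew (offset 0x3C) to the "PE\0\0" header.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extract_strings(data: bytes, min_len: int = 4) -> list:
    # Step 2: printable-ASCII runs, equivalent to what the `strings` tool prints.
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def classify_iocs(strings: list) -> dict:
    # Step 3: bucket each extracted string by the IOC category it matches.
    found = {kind: [] for kind in IOC_PATTERNS}
    for s in strings:
        for kind, rx in IOC_PATTERNS.items():
            found[kind].extend(m.group(0) for m in rx.finditer(s))
    return found

def analyze(data: bytes) -> dict:
    return {"hashes": file_hashes(data), "is_pe": is_pe(data), "iocs": classify_iocs(extract_strings(data))}
```

Running `analyze(SAMPLE)` yields the hashes, a PE verdict, and the five IOC buckets; on a real file, read it with `open(path, "rb").read()` and pass the bytes in.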


Key Findings

  • The malware is capable of sending extortion emails and targeting cryptocurrency wallets.

  • Embedded sextortion message shows a direct financial threat.

  • Uses network APIs and SMTP commands, showing potential for spam campaigns.

  • Contains anti-debugging functions to evade analysis.


Conclusion

Through this project, I was able to perform professional static malware analysis, identify IOCs, map malware behavior, and create a comprehensive report suitable for portfolios or SOC submissions.

This project enhanced my skills in malware analysis, threat intelligence, and cybersecurity reporting, and demonstrated practical application of static analysis techniques on real-world samples.



📥 Download the full Static Malware Analysis Report: qwas.exe  

https://drive.google.com/file/d/1Z7wqGr8LLDPHerHUO6KYw8UKe9FfzGIv/view?usp=drive_link
