PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-05)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. PEiD
  4. ImpREC

Sample:

  1. Lab18-05.exe SHA256: 1936dec547377977d07b5f0bc75de537a6771ac5ed37190bb2e74e16a564b69d

VirusTotal:

  • Detection Rate: 33/57
  • Analyzed on 2016-03-22
  • Compilation Date: 2004-01-23 23:39:42
  • View report here

Unpacking

VirusTotal and PEiD both identify the packer as UPack.

Figure 1. UPack

Loading the malware in IDA Pro, we can see that its import table is almost empty. This is another indicator of a packed binary: LoadLibraryA and GetProcAddress are typically the only imports left, because the unpacking stub uses them to rebuild the malware's import table.

Figure 2. Imports

A technique I usually use for unpacking is to break on GetProcAddress. Typically, once the import table has been rebuilt, the unpacking routine jumps to the OEP of the binary.

Figure 3. Breaking at GetProcAddress

Soon after the last GetProcAddress call, a jmp instruction was executed and we reached the OEP of the malware, as seen below.

Figure 4. OEP found

Next, we dump the debugged process using the OllyDump plugin in OllyDbg. However, when we tried to execute the dumped binary, the application crashed! I could only think of two reasons why the dumped binary behaves this way:

  1. Wrong OEP
  2. Corrupted PE Header

In our case it is the latter. Firing up ImpREC to fix the IAT, as seen below, leaves us with a healthy running malware.

Figure 5. Fixing IAT using ImpREC


Cheers

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-04)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-04.exe SHA256: b8a5d54e5b8ae63d8f59bb3b1c8782e76154093fea83708ae657184c922eee0e

VirusTotal:

  • Detection Rate: 30/56
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-10-18 18:46:44
  • View report here

Unpacking

VirusTotal identifies the packer as ASPack.

Figure 1. ASPack

Yet another pushad spotted. Let's try the same approach we used previously.

Set a hardware breakpoint on esp after pushad has executed.

Figure 2. PUSHAD

The program breaks on popad. Step until the return is reached.

Figure 3. POPAD

Unpacked code? Reanalyze it.

Figure 4. Unpacked code

Figure 5. Reanalyzed code

Dump out the process.

Figure 6. Dump
PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-03)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-03.exe SHA256: b756a02776b6b33394b255ba99f4cc0379cccbe080f36fd80034a5a6e2ffaa3e

VirusTotal:

  • Detection Rate: 27/55
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-04-30 12:26:40
  • View report here

Unpacking

  1. Run the program using OllyDbg.
  2. Break after pushad.

Figure 1. PUSHAD

  3. Set a hardware (on access) breakpoint on esp.

Figure 2. Hardware breakpoint

  4. Run the program; it will break at popad.

Figure 3. POPAD

  5. Step until the return and you will see the unpacked code in raw form.

Figure 4. Unpacked code

  6. Press Ctrl-A to reanalyze the code.

Figure 5. Reanalyzed code

  7. Dump the process.

Figure 6. Dump
PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-02)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab18-02.exe SHA256: 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4f050f0aec

VirusTotal:

  • Detection Rate: 46/56
  • Analyzed on 2016-03-22
  • Compilation Date: –
  • View report here

Unpacking

VirusTotal and PEiD both suggest that the malware is packed with FSG.

Figure 1. FSG

For this malware I did not see a tail-jump signature. However, after analyzing the sections in the binary, I observed a global variable being referenced in the code.

Figure 2. dword_401090

So I put a breakpoint @00409010, which is the address that eip jumps to, and pressed Ctrl-A to reanalyze the code in OllyDbg.

Figure 3. 401090 reanalyzed

Now dump out the memory and you will get the unpacked version. If you analyze the disassembled code, you will realise that LoadLibraryA is called to fix the IAT of the unpacked malware. Once the libraries are loaded, the malware jumps to the unpacked code. Tracing from LoadLibraryA is an alternative way to reach the jump instruction to 0x401090.

PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-01)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab18-01.exe SHA256: 2ac6635a26049d354c0c46243f6451e6594b130745a08c5a99e96a64fbbbec0f

VirusTotal:

  • Detection Rate: 40/55
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-02-27 17:54:15
  • View report here

Unpacking

Cerbero Profiler identified a UPX section.

Figure 1. UPX

IDA Pro shows very few functions and imports, which strongly suggests that the binary is packed.

Figure 2. IDA Pro

Here we look for the tail jump. Next, we set a breakpoint in OllyDbg @0x00409f43.

Step into the jump and dump out the memory.

Figure 4. Dump memory

Ta-da… unpacked, and the good news is we do not need to fix the IAT in this case =)

Figure 5. Unpacked

The other easy way to unpack is via the upx tool (upx -d); however, it seems the malware author took some measures to prevent unpacking via this method.

Figure 6. UPX -d fail