PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING(LAB 18-01)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab18-01.exe SHA256: 2ac6635a26049d354c0c46243f6451e6594b130745a08c5a99e96a64fbbbec0f

VirusTotal:

  • Detection Rate: 40/55
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-02-27 17:54:15

Unpacking

Cerbero Profiler identified a UPX section.

Figure 1. UPX

IDA Pro shows very few functions and imports, which strongly suggests that the binary is packed: the real code and import table only exist after the unpacking stub has run.

Figure 2. IDA Pro
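The two indicators above (a UPX-named section in the Profiler, almost nothing to see in IDA) can be checked without a GUI. The following is an added example, not code from the original post or from the PMA lab material: a minimal PE section-table parser that reports the classic UPX tells, i.e. UPX0/UPX1 section names, an empty-on-disk but large and RWX section (the stub unpacks into it), a high-entropy section holding the compressed data, the entry point sitting in the last section (the stub), and whether the "UPX!" pack-header magic that the stock `upx -d` tool requires is still present. The sample PE it builds is constructed for the demo and is not Lab18-01; point it at a real file with `python upx_check.py sample.exe`.

```python
import math
import struct

UPX_MAGIC = b"UPX!"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed/encrypted data sits near 8.0, plain x86 code nearer 6.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Minimal PE parser: entry point RVA plus the section table (no pefile dependency)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint (same offset in PE32 and PE32+)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr,
            "chars": chars,
            "entropy": shannon_entropy(pe[rawptr:rawptr + rawsize]),
        })
    return {"entry_rva": entry_rva, "sections": sections}


def section_containing(sections: list, rva: int):
    """Return the section whose virtual range covers rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def upx_indicators(pe: bytes) -> dict:
    """Heuristics matching what the Profiler and IDA views show for a UPX-packed file."""
    info = parse_pe(pe)
    secs = info["sections"]
    ep_sec = section_containing(secs, info["entry_rva"])
    return {
        "upx_section_names": any(s["name"].startswith("UPX") for s in secs),
        # UPX0 is empty on disk but large and RWX in memory: the stub decompresses into it.
        "empty_rwx_section": any(
            s["rawsize"] == 0 and s["vsize"] > 0
            and bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE) and bool(s["chars"] & IMAGE_SCN_MEM_WRITE)
            for s in secs),
        "high_entropy_section": any(s["rawsize"] > 0 and s["entropy"] > 7.0 for s in secs),
        # Entry point in the last section = the decompression stub; the tail jump leads back into UPX0.
        "entry_in_last_section": ep_sec is not None and ep_sec is secs[-1],
        # upx -d needs its pack header (magic "UPX!") intact. If it is missing or damaged the stub
        # still runs in the debugger, but the command-line unpacker refuses the file.
        "upx_pack_header_present": UPX_MAGIC in pe,
    }


def build_constructed_sample(keep_pack_header: bool = True) -> bytes:
    """Constructed two-section PE32 shaped like a UPX-packed image (demo data, not Lab18-01)."""
    stub = bytes((i * 167 + 13) & 0xFF for i in range(0x200))  # high-entropy stand-in for packed data
    e_lfanew = 0x80
    hdr = bytearray(0x400)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    opt_size = 0xE0  # PE32 optional header size
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 2, 0, 0, 0, opt_size, 0x010F)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)        # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x7100)  # AddressOfEntryPoint inside UPX1 (the stub)
    sec = opt + opt_size
    struct.pack_into("<8sIIIIIIHHI", hdr, sec, b"UPX0", 0x6000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    struct.pack_into("<8sIIIIIIHHI", hdr, sec + 40, b"UPX1", 0x1000, 0x7000, len(stub), 0x400, 0, 0, 0, 0, 0xE0000040)
    if keep_pack_header:
        hdr[sec + 80:sec + 84] = UPX_MAGIC  # placed after the section table for illustration
    return bytes(hdr) + stub


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for key, value in upx_indicators(data).items():
        print(f"{key:26} {value}")
```

Treat the output as triage, not proof: section names are trivially renamed, and a missing "UPX!" magic only tells you that the stock tool will balk, which is exactly the situation where the manual breakpoint-and-dump route below earns its keep.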

Now we look for the tail jump, the unconditional jump at the end of the unpacking stub that transfers control to the original entry point (OEP). It sits at 0x00409f43, so we set a breakpoint there in OllyDbg and run until it is hit.

Step into the jump so EIP lands on the OEP, then dump the process memory from the debugger.

Figure 4. Dump memory

Ta-da, unpacked. The good news is that we do not need to fix the IAT in this case: the dump opens in IDA with its imports already resolved.

Figure 5. Unpacked

The other easy way to unpack is to run `upx -d` on the sample. Here it fails, which suggests that the malware author took some measure to stop the stock UPX tool from recognising the file. The stub itself still runs normally, which is why the manual breakpoint-and-dump approach above works regardless.

Figure 6. upx -d fails