PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-02)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler

Sample:

  1. Lab18-02.exe SHA256: 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4f050f0aec

VirusTotal:

  • Detection Rate: 46/56
  • Analyzed on 2016-03-22
  • Compilation Date: –

Unpacking

VirusTotal and PEiD both suggest that the malware is packed with FSG.

[Figure 1. FSG]

For this malware, I did not see the usual tail-jump signature. However, after analyzing the sections in the binary, I observed a global variable that is referenced from the code.

[Figure 2. dword_401090]

So I put a breakpoint at 0x401090, the address that EIP jumps to, and pressed Ctrl-A to reanalyze the code in OllyDbg.

[Figure 3. 401090 reanalyzed]

Now dump the memory and you will have the unpacked version. If you analyze the disassembled code, you will realise that LoadLibraryA is being called to fix the IAT of the unpacked malware. Once the libraries are resolved, the malware jumps to the unpacked code. Tracing from LoadLibraryA is an alternate way to reach the jump instruction to 0x401090. Take the dump only after that LoadLibraryA loop has finished; a dump taken earlier still has an unpopulated IAT and its imports will not resolve.
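The packer identification above came from VirusTotal and PEiD, and the lead to the real entry point came from looking at the binary's sections. The following script is an added example (not part of this write-up and not code from the Practical Malware Analysis labs) that performs that section triage statically: it walks the PE headers without any third-party library, computes the entropy of each section, and flags the layout features that commonly indicate a packed file, such as an entry point in a high-entropy last section or a section that is empty on disk but writable and executable in memory (the place where a stub unpacks code to). It runs on a constructed PE32 skeleton built inline, not on Lab18-02.exe; the section names `.text` and `.stub` and all header values are made up for the demonstration.

```python
import hashlib
import math
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed or encrypted data, lower for plain code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes):
    """Return (AddressOfEntryPoint, list of section dicts) by walking the headers directly."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # same offset for PE32 and PE32+
    sections = []
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            SECTION_HDR, pe, opt + opt_size + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "flags": flags, "entropy": shannon_entropy(raw)})
    return entry_rva, sections


def packing_indicators(pe: bytes) -> dict:
    """Heuristic triage: where is the entry point, and which sections look like packer work areas?"""
    entry_rva, sections = parse_pe_sections(pe)
    findings, ep_section = [], None
    for idx, s in enumerate(sections):
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= entry_rva < s["va"] + span:
            ep_section = s
            if len(sections) > 1 and idx == len(sections) - 1:
                findings.append("entry point lies in the last section")
            if s["entropy"] > 7.0:
                findings.append(f"entry-point section {s['name']} has entropy {s['entropy']:.2f}")
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["flags"] & wx == wx:
            findings.append(f"section {s['name']} is empty on disk but W+X in memory ({s['vsize']:#x} bytes)")
    return {"entry_rva": entry_rva,
            "entry_section": ep_section["name"] if ep_section else None,
            "findings": findings}


def build_sample_pe() -> bytes:
    """CONSTRUCTED sample (hypothetical, not Lab18-02.exe): a PE32 skeleton shaped like a packed file."""
    # 4096 pseudo-random bytes stand in for a compressed payload plus stub.
    stub = b"".join(hashlib.sha256(b"constructed stub %d" % i).digest() for i in range(128))
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 16, 0x2000)                # AddressOfEntryPoint -> .stub
    struct.pack_into("<III", hdr, opt + 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    sec = opt + 0xE0
    # .text: nothing on disk, 0x1000 bytes W+X in memory, i.e. where unpacked code would land.
    struct.pack_into(SECTION_HDR, hdr, sec, b".text", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    # .stub: high-entropy data holding the entry point.
    struct.pack_into(SECTION_HDR, hdr, sec + 40, b".stub", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0,
                     IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(hdr) + stub


if __name__ == "__main__":
    report = packing_indicators(build_sample_pe())
    print(f"entry point RVA {report['entry_rva']:#x} in section {report['entry_section']}")
    for f in report["findings"]:
        print(" -", f)
```

To run it against a real file, replace `build_sample_pe()` with the bytes of the sample read from disk. The indicators are only hints: a section that is empty on disk but W+X in memory is exactly the region worth watching in the debugger, since the stub has to write the unpacked code somewhere before it jumps there, and that jump target is the address to break on before dumping.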
