- IDA Pro
- Cerbero Profiler
- Lab18-02.exe SHA256: 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4f050f0aec
- Detection Rate: 46/56
- Analyzed on 2016-03-22
- Compilation Date: –
VirusTotal and PEiD both suggest that the malware is packed with FSG.
For this sample I did not see the usual tail-jump signature. However, after examining the sections of the binary, I noticed a global variable that is referenced from the code.
So I set a breakpoint at 0x00409010, the address that EIP jumps to. Press Ctrl-A to have OllyDbg reanalyze the code.
Now dump the process memory and you will have the unpacked version. If you analyze the disassembled code, you will see that LoadLibraryA is called to rebuild the IAT of the unpacked malware. Once the libraries are loaded, the malware jumps to the unpacked code. Tracing forward from the LoadLibraryA call is an alternative way to reach the jump to 0x401090.
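The section analysis described above, as an added example that is not part of the original write-up or the lab: a pure-Python check that walks a PE32 section table, maps a virtual address such as the 0x401090 jump target to the section it lands in, and flags the section-level signs of a packer like FSG (a writable code section, a section that is empty on disk but large in memory, near-random data). The sample PE is constructed inline and is not Lab18-02.exe; the section names `.unpack` and `.stub` are assumptions.

```python
import math
import struct
from collections import Counter

EXEC, WRITE = 0x20000000, 0x80000000        # IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE
SECTION_HDR = "<8sIIIIIIHHI"                 # IMAGE_SECTION_HEADER, 40 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a section with no data on disk)."""
    n = len(data) or 1
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values())

def parse_sections(pe: bytes) -> list:
    """Walk the PE32 section table; each section's VA is rebased onto ImageBase."""
    e = struct.unpack_from("<I", pe, 0x3C)[0]                  # e_lfanew
    assert pe[e:e + 4] == b"PE\0\0", "not a PE file"
    nsec, opt_size = struct.unpack_from("<H", pe, e + 6)[0], struct.unpack_from("<H", pe, e + 20)[0]
    image_base = struct.unpack_from("<I", pe, e + 24 + 28)[0]  # PE32 ImageBase
    table, sections = e + 24 + opt_size, []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_HDR, pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": image_base + va, "vsize": vsize,
                         "rawsize": rawsize, "entropy": entropy(pe[rawptr:rawptr + rawsize]),
                         "exec": bool(flags & EXEC), "write": bool(flags & WRITE)})
    return sections

def section_for(sections: list, va: int):
    """Section whose in-memory range covers va (e.g. the 0x401090 jump target), or None."""
    return next((s for s in sections if s["va"] <= va < s["va"] + s["vsize"]), None)

def packing_indicators(sections: list) -> list:
    """Section-level signs of a packer like FSG: writable code, a section empty on disk but large in memory (the stub decompresses into it), near-random data."""
    hits = []
    for s in sections:
        if s["exec"] and s["write"]:
            hits.append(f"{s['name']}: writable and executable")
        if s["vsize"] and not s["rawsize"]:
            hits.append(f"{s['name']}: {s['vsize']:#x} bytes in memory, none on disk (unpack destination)")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted payload)")
    return hits

def build_sample_pe() -> bytes:
    """Constructed sample, NOT Lab18-02.exe: minimal PE32 with an FSG-like layout (empty destination section at RVA 0x1000, stub plus packed data at RVA 0xA000, which is also the entry point)."""
    stub, e, opt_size, raw_ptr = bytes(range(256)) * 16, 0x40, 0xE0, 0x400   # stub: 4096 bytes, entropy 8.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, 0, 0, 0, 0xA000, 0x1000, 0, 0x400000).ljust(opt_size, b"\0")
    dest = struct.pack(SECTION_HDR, b".unpack", 0x9000, 0x1000, 0, 0, 0, 0, 0, 0, EXEC | WRITE)
    pack = struct.pack(SECTION_HDR, b".stub", len(stub), 0xA000, len(stub), raw_ptr, 0, 0, 0, 0, EXEC)
    return (dos + coff + opt + dest + pack).ljust(raw_ptr, b"\0") + stub
```

Run `packing_indicators(parse_sections(open(path, "rb").read()))` on a real dump to compare the packed file with the memory dump taken after the jump: the destination section should stop being empty and its entropy should drop to code-like values.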