PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-04)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab18-04.exe SHA256: b8a5d54e5b8ae63d8f59bb3b1c8782e76154093fea83708ae657184c922eee0e

VirusTotal:

  • Detection Rate: 30/56
  • Analyzed on 2016-03-22
  • Compilation Date: 2011-10-18 18:46:44

Unpacking

VirusTotal reports that the sample is packed with ASPack.
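The packer identification is worth confirming statically before the sample goes into OllyDbg. The Python below is an added example, not code from the original post or from the lab materials: a minimal PE section-table parser that reports the classic ASPack layout, the .aspack/.adata section names ASPack leaves behind, a high-entropy stub section, an original code section with no raw bytes on disk (it is filled in at run time by the stub), and an entry point that sits outside the first section. The two PE images it inspects are constructed inline for the demonstration and are not Lab18-04.exe; the 7.0 bits-per-byte entropy cutoff is an assumed, conventional threshold.

```python
import math
import struct

# ASPack names its stub and data sections like this; checking for them is a
# static cross-check of the packer identification from VirusTotal.
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}
HIGH_ENTROPY = 7.0  # assumed cutoff in bits/byte; compressed data sits near 8


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes) -> dict:
    """Minimal PE32 parser: entry point RVA plus the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry_rva = struct.unpack_from("<I", pe, coff + 20 + 16)[0]  # AddressOfEntryPoint
    table = coff + 20 + opt_size                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        data = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize,
                         "rawsize": rawsize, "entropy": shannon_entropy(data)})
    return {"entry_rva": entry_rva, "sections": sections}


def packer_indicators(pe: bytes) -> list:
    """Return the static hints that a PE carries an ASPack-style packed layout."""
    info = parse_pe(pe)
    secs = info["sections"]
    hits = []
    for s in secs:
        name = s["name"].decode(errors="replace")
        if s["name"] in ASPACK_SECTION_NAMES:
            hits.append(f"aspack section name {name}")
        if s["entropy"] >= HIGH_ENTROPY:
            hits.append(f"high entropy {s['entropy']:.2f} in {name}")
    # Packers leave the original code section empty on disk; the stub fills it at run time.
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        hits.append("first section has no raw data (unpack target)")
    ep = info["entry_rva"]
    for s in secs:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            if s is not secs[0]:
                name = s["name"].decode(errors="replace")
                hits.append(f"entry point in {name}, not the first section")
            break
    return hits


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed minimal PE32 image, with headers only as far as parse_pe reads them."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt_size = 0xE0
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                       # AddressOfEntryPoint
    hdr_len = len(dos) + 4 + len(coff) + opt_size + 40 * len(sections)
    raw_base = (hdr_len + 0x1FF) & ~0x1FF                            # 0x200 file alignment
    table, body = b"", b""
    for name, vaddr, vsize, data in sections:
        ptr = raw_base + len(body) if data else 0
        table += name.ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, len(data), ptr)
        table += struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + bytes(opt) + table + b"\0" * (raw_base - hdr_len) + body


# Constructed samples, not Lab18-04.exe: an ASPack-like layout and a plain one.
PACKED_SAMPLE = build_pe([
    (b".text", 0x1000, 0x3000, b""),                       # emptied; filled at run time
    (b".aspack", 0x4000, 0x200, bytes(range(256)) * 2),    # stub + compressed payload
    (b".adata", 0x5000, 0x200, b"\0" * 0x200),
], entry_rva=0x4001)
CLEAN_SAMPLE = build_pe([
    (b".text", 0x1000, 0x200, b"\xC3" + b"\x90" * 0x1FF),
    (b".data", 0x2000, 0x200, b"\0" * 0x200),
], entry_rva=0x1000)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(sample) or ["no packer indicators"])
```

Run against a real file, `packer_indicators(open(path, "rb").read())` gives the same list; an empty list means none of these hints fired, not that the file is unpacked, since a packer that keeps the original section names and a lower-entropy stub would slip past the name and entropy checks.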

Figure 1. ASPack

The packer stub starts with a PUSHAD, as in the earlier labs, so the same ESP trick applies.

Step over the PUSHAD, then set a hardware breakpoint on access (dword) at the address ESP now points to: in OllyDbg, right-click ESP in the registers pane, Follow in Dump, then right-click the first dword and choose Breakpoint > Hardware, on access > Dword. The stub reads those saved registers back with POPAD just before it hands control to the original entry point, so the breakpoint fires once the unpacking work is done.

Figure 2. PUSHAD

The program breaks on the instruction right after POPAD. Single-step from there until the RET executes; that RET is the tail jump, and it lands on the original entry point (OEP).

Figure 3. POPAD

At first OllyDbg shows the code at the OEP as raw bytes rather than instructions, because it was written after the initial analysis. Re-analyze it (right-click > Analysis > Analyze code, or Ctrl+A) to get a proper disassembly of the unpacked code.

Figure 4. Unpacked code
Figure 5. Re-analyzed code

With EIP at the OEP, dump the process with OllyDump (Plugins > OllyDump > Dump debugged process). Leave the entry point set to the current EIP so the dumped file starts at the OEP rather than the ASPack stub, and keep import rebuilding enabled; if the dump does not run or its imports look wrong in IDA Pro, the import table has to be rebuilt separately.

Figure 6. Dump