Tools Used
- IDA Pro
- OllyDbg
- PEiD
- ImpREC
Sample:
- Lab18-05.exe SHA256: 1936dec547377977d07b5f0bc75de537a6771ac5ed37190bb2e74e16a564b69d
VirusTotal:
- Detection Rate: 33/57
- Analyzed on 2016-03-22
- Compilation Date: 2004-01-23 23:39:42
Unpacking
VirusTotal and PEiD both detect that the malware is packed with UPack.
Loading the malware in IDA Pro, we can see that its import table is almost empty. This is another indicator of a packed binary: LoadLibraryA and GetProcAddress are typically the imports the unpacking routine uses to rebuild the malware's import table.
A technique I usually use for unpacking is to set a breakpoint on GetProcAddress. Once the import table has been rebuilt, the unpacking routine typically jumps to the OEP of the binary.
Soon after the last call to GetProcAddress, a jmp instruction was executed and we reached the OEP of the malware, as seen below.
Next, we dump the debugged process using the OllyDump plugin in OllyDbg. However, when we tried to execute the dumped binary… the application would crash! I could only think of two reasons why the dumped binary would behave in this manner:
- Wrong OEP
- Corrupted PE Header
In our case it is the latter… We can fire up ImpREC to fix the IAT, as seen below, and we find ourselves with a healthy running malware.
Cheers