- IDA Pro
- Lab18-05.exe SHA256: 1936dec547377977d07b5f0bc75de537a6771ac5ed37190bb2e74e16a564b69d
- Detection Rate: 33/57
- Analyzed on 2016-03-22
- Compilation Date: 2004-01-23 23:39:42
VirusTotal and PEiD both detect that the malware is packed with UPack.
Loading the malware in IDA Pro, we can see that its import table is almost empty. This is another indicator of a packed binary: LoadLibraryA and GetProcAddress are typically the only imports left, because the unpacking routine uses them to rebuild the malware's real import table at run time.
A technique I usually use for unpacking is to break on GetProcAddress. Once the import table has been rebuilt, the unpacking routine typically jumps to the original entry point (OEP) of the binary.
Soon after the last GetProcAddress call, a jmp instruction is executed and we land at the OEP of the malware, as seen below.
Next, we dump the debugged process using the OllyDump plugin in OllyDbg. However, when we try to execute the dumped binary, the application crashes! I could think of only two reasons why the dumped binary would behave this way:
- Wrong OEP
- Corrupted PE Header
In our case it is the latter. We can fire up ImpREC to fix the IAT, as seen below, and we end up with a healthy running malware.
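Why the dump crashes and what the IAT fix does, as an added Python sketch that is not part of the original post and is not ImpREC's code: after the unpacker runs, the IAT holds absolute addresses resolved at run time, so a rebuilder must map each slot back to a module export and regenerate the per-DLL import lists the loader expects. The module bases, sizes, export RVAs and IAT contents below are constructed sample values, not addresses taken from the lab binary.

```python
from collections import OrderedDict

# Constructed module map: base address, mapped size, and {export RVA: name}.
MODULES = {
    "kernel32.dll": {"base": 0x7C800000, "size": 0x100000, "exports": {
        0x1D77B: "LoadLibraryA", 0x1AC28: "GetProcAddress", 0x1CAA2: "ExitProcess"}},
    "user32.dll": {"base": 0x7E410000, "size": 0x90000, "exports": {
        0x1B0F1: "MessageBoxA"}},
}

# Constructed in-memory IAT as captured at the OEP: absolute function pointers,
# NULL-terminated per DLL, plus two slots a rebuilder cannot resolve.
SAMPLE_IAT = [0x7C81D77B, 0x7C81AC28, 0x7C81CAA2, 0,
              0x7E42B0F1, 0,
              0x41414141,   # points into no loaded module
              0x7C800100]   # inside kernel32 but not an export (e.g. a forwarder/thunk)

def resolve(addr, modules=MODULES):
    """Map an absolute address to (dll, export_name); name is None if the
    address lies inside a module but is not one of its exports."""
    for dll, m in modules.items():
        if m["base"] <= addr < m["base"] + m["size"]:
            return dll, m["exports"].get(addr - m["base"])
    return None

def rebuild_imports(iat, modules=MODULES):
    """Turn a run-time IAT back into loader-friendly per-DLL import lists.
    Returns (imports, unresolved); unresolved holds IAT slot indices an
    analyst must fix by hand, which is what ImpREC flags as invalid thunks."""
    imports, unresolved = OrderedDict(), []
    for idx, slot in enumerate(iat):
        if slot == 0:            # terminator between one DLL's thunks and the next
            continue
        hit = resolve(slot, modules)
        if hit is None or hit[1] is None:
            unresolved.append(idx)
            continue
        dll, name = hit
        imports.setdefault(dll, []).append(name)
    return imports, unresolved

def looks_packed(imports):
    """Triage check from the IDA observation above: an import table that is
    empty apart from LoadLibraryA/GetProcAddress is a strong packing indicator."""
    names = {n for lst in imports.values() for n in lst}
    return names <= {"LoadLibraryA", "GetProcAddress"}

if __name__ == "__main__":
    imports, bad = rebuild_imports(SAMPLE_IAT)
    for dll, names in imports.items():
        print(dll, names)
    print("unresolved IAT slots:", bad, "| packed-looking:", looks_packed(imports))
```

A real rebuilder also has to find the IAT in the dump and write a fresh import directory into a new section; this sketch only shows the address-to-name resolution at its core.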