PRACTICAL MALWARE ANALYSIS: PACKERS & UNPACKING (LAB 18-05)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. PEiD
  4. ImpREC

Sample:

  1. Lab18-05.exe SHA256: 1936dec547377977d07b5f0bc75de537a6771ac5ed37190bb2e74e16a564b69d

VirusTotal:

  • Detection Rate: 33/57
  • Analyzed on 2016-03-22
  • Compilation Date: 2004-01-23 23:39:42
  • View report here

Unpacking

VirusTotal and PEiD both detect that the malware is packed with UPack.

Figure 1. UPACK

Loading the malware in IDA Pro, we can see that its import table is almost empty. This is another indicator of a packed binary: LoadLibraryA and GetProcAddress are typically the only imports a packer keeps, because the unpacking routine uses them to rebuild the malware's real import table at runtime.

Figure 2. Imports

A technique I usually use for unpacking is to set a breakpoint on GetProcAddress. Once the import table has been rebuilt, the unpacking routine typically jumps to the OEP of the binary.

Figure 3. Breaking at GetProcAddress

Soon after the last call to GetProcAddress, a jmp instruction was executed, landing us at the OEP of the malware, as seen below.

Figure 4. OEP found

Next, we dump the debugged process using the OllyDump plugin in OllyDbg. However, when we tried to execute the dumped binary… the application crashed! I could only think of two reasons why the dumped binary behaves this way.

  1. Wrong OEP
  2. Corrupted PE Header

In our case it is the latter… We can fire up ImpREC to fix the IAT, as seen below, and find ourselves with a healthy running malware.

Figure 5. Fixing IAT using ImpREC
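To make the two checks above concrete (the near-empty import table as a packing indicator, and why a dumped image needs its IAT rebuilt before it will run), here is an added Python example that is not part of the original post or the lab material. It builds a constructed minimal PE32 in memory rather than touching the real Lab18-05 binary, walks the headers with nothing but struct, and reports the indicators an analyst looks at first: the imported names, per-section entropy, and which section the entry point lands in. With dumped=True the same builder mimics what OllyDump writes out: OriginalFirstThunk zeroed and every IAT slot already overwritten by the loader with an absolute address, so the on-disk name lookup fails and only an address-to-name map (what ImpREC derives from the DLLs in the live process; here FAKE_EXPORTS with placeholder addresses) recovers the imports. It also handles import-by-ordinal thunks, which the post's sample does not show.

```python
"""Packer triage for a PE32 file plus ImpREC-style IAT name recovery.
Added example on constructed data, not the Lab18-05 binary."""
import math
import struct
from collections import Counter

# Constructed export map (absolute address -> dll, name): placeholder addresses,
# not real kernel32 exports; ImpREC reads the real ones from the live process.
FAKE_EXPORTS = {0x7C9A0010: ("KERNEL32.dll", "LoadLibraryA"),
                0x7C9A0020: ("KERNEL32.dll", "GetProcAddress")}

def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly spread bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(pe):
    """Minimal PE32 header walk: entry RVA, import directory RVA, section table."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    assert pe[nt:nt + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    assert struct.unpack_from("<H", pe, opt)[0] == 0x10B, "PE32 only"
    sections = []  # (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((pe[off:off + 8].rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return {"entry": struct.unpack_from("<I", pe, opt + 16)[0],
            "import_rva": struct.unpack_from("<I", pe, opt + 104)[0],  # DataDirectory[1]
            "sections": sections}

def section_of(rva, sections):
    return next((s for s in sections if s[1] <= rva < s[1] + max(s[2], s[4])), None)

def rva_to_offset(rva, sections):
    s = section_of(rva, sections)
    if s is None:  # a thunk holding an absolute address (dumped IAT) ends up here
        raise ValueError(f"RVA {rva:#x} maps to no section")
    return s[3] + rva - s[1]

def cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode()

def iat_entries(pe):
    """[(dll, [raw FirstThunk values])]: RVAs on disk, absolute addresses in a dump."""
    hdr, out = parse_pe(pe), []
    desc = rva_to_offset(hdr["import_rva"], hdr["sections"])
    while True:
        _oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and ft == 0:  # all-zero terminator descriptor
            return hdr, out
        off, values = rva_to_offset(ft, hdr["sections"]), []
        while (v := struct.unpack_from("<I", pe, off)[0]) != 0:
            values.append(v)
            off += 4
        out.append((cstr(pe, rva_to_offset(name_rva, hdr["sections"])), values))
        desc += 20

def triage(pe):
    """The post's indicators: near-empty imports with LoadLibraryA/GetProcAddress,
    per-section entropy, and which section the entry point lands in."""
    hdr, entries = iat_entries(pe)
    names = [f"ordinal#{v & 0xFFFF}" if v & 0x80000000 else
             cstr(pe, rva_to_offset(v, hdr["sections"]) + 2) for _, vals in entries for v in vals]
    ep = section_of(hdr["entry"], hdr["sections"])
    return {"imports": names, "entry_section": ep[0] if ep else None,
            "section_entropy": {s[0]: round(shannon_entropy(pe[s[3]:s[3] + s[4]]), 2)
                                for s in hdr["sections"]},
            "looks_packed": len(names) <= 4 and {"LoadLibraryA", "GetProcAddress"} <= set(names)}

def rebuild_iat(dump):
    """ImpREC's core step: map absolute addresses left in a dumped IAT back to names."""
    _, entries = iat_entries(dump)
    return [FAKE_EXPORTS.get(v, ("?", f"unresolved@{v:#x}")) for _, vals in entries for v in vals]

def build_sample_pe(dumped=False):
    """Constructed minimal PE32: .text holds a two-entry KERNEL32 import table and a stub
    EP, .packed holds uniformly spread bytes. dumped=True mimics an OllyDump image:
    OriginalFirstThunk zeroed and the IAT already resolved to absolute addresses."""
    text = bytearray(0x200)  # mapped at RVA 0x1000, stored at file offset 0x200
    struct.pack_into("<IIIII", text, 0x00, 0 if dumped else 0x1030, 0, 0, 0x1050, 0x1040)
    struct.pack_into("<III", text, 0x30, 0x1060, 0x1070, 0)  # INT (hint/name RVAs)
    struct.pack_into("<III", text, 0x40, *((0x7C9A0010, 0x7C9A0020) if dumped else (0x1060, 0x1070)), 0)
    text[0x50:0x5D] = b"KERNEL32.dll\0"
    text[0x60:0x6F] = b"\0\0LoadLibraryA\0"
    text[0x70:0x81] = b"\0\0GetProcAddress\0"
    text[0x90:0x95] = b"\x55\x8b\xec\x5d\xc3"  # EP stub: push ebp; mov ebp,esp; pop ebp; ret
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H14xI8xIII52xI8xII", opt, 0,  # Magic, EntryPoint, ImageBase,
                     0x10B, 0x1090, 0x400000, 0x1000, 0x200, 16, 0x1000, 40)  # aligns, #dirs, import dir
    sec = lambda n, va, ptr, fl: struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, ptr, 0, 0, 0, 0, fl)
    hdrs = (dos + b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x200, 0x60000020)
            + sec(b".packed", 0x2000, 0x400, 0xC0000040))
    return hdrs.ljust(0x200, b"\0") + bytes(text) + bytes(range(256)) * 2  # .packed: entropy 8.0
```

Running triage(build_sample_pe()) reports only LoadLibraryA and GetProcAddress, an entry point inside .text and a .packed section at the maximum 8.0 bits per byte, which is the profile the post describes. Running triage() on build_sample_pe(dumped=True) raises ValueError, because the thunks no longer point inside the image; rebuild_iat() on that same dump is the step ImpREC performs to get the names back.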

 

Cheers
