søndag 7. oktober 2012

Manual Unpack malware

It's been a while since i first activated my honeypot and i have received  a number of binaries which all derived from a few different botnets. I have identified three active botnets and 2 botnets which are either shutdown or removed. One botnet is more active than the others, it changes both the malware, domainname and ports the C&C. All the botnets found was IRC based botnets.

I decided to do some analysis on one random file, to learn more about how to unpack obfuscated malware - and eventually do static analysis on the file to learn more about its behavior.

Analysis

When i used the 'file'-utility i saw that the file was UPX compressed, but when i used an automatic UPX decompresser the file got corrupt and couldnt execute. To learn abit more of the malware sample i used Virustotal to see if it's a known malware. 41 Antivirus companies has marked this file as a virus, as we can see in the picture below.





I opened the sample in Ollydbg v-2.01 beta2 and learned that it will unpack and find me an possible entry point upon loading the file. The entrypoint found is 0x004141F0.
All i had to do was dump full memory with LordPE and rebuild the IAT and fix the OEP with ImpREC.

So i chose the process in LordPE and right-click it to chose Dump Full before we open the process in ImpREC. In ImpRec all we do is change OEP to the wanted value, click IAT Autosearch, get imports and fix dump. Now we have a fully functional unpacked sample. 





When i tried to run strings on the new executable i found that it is packed with a second packer - likely a protector / encrypter. I found the section .text and so on as you will see in the picture below. This is a good sign that it is packed yet again.

When i opened the file in OllyDBG it tried to go through the same procedure as before to try to unpack it but this time it executed the sample instead of stopping at the OEP, thus i just opened the original sample and reversed it from there.

I placed a few breakpoints on some common functions used by heap packers.
VirtualAlloc + VirtualAllocEX and WriteProcessMemory. If one have trouble with unpacking a sample one could also try some other functions.
For instance CreateProcess, OpenProcess, CreateRemoteThread and ... more?



Okay, when done i can execute the malware in order to step through and look for the packed content.
After stepping through the program a couple of times with F9 the program will break at WriteProcessMemory and have the value 00B70000 in ECX. This is where the unpacked sample is located. Then it is really just to right-click in the dump window and save the executable.



I did a quick search on VirusTotal on the unpacked sample.


Now i can continue with static analysis of the unpacked sample, but the goal of this blog-post are reached. As we can see below the sample is unpacked and contain readable strings.



Ingen kommentarer:

Legg inn en kommentar