Practical Malware Analysis - Lab 18

Your goal for the labs in this chapter is simply to unpack the code for further analysis. For each lab, you should try to unpack the code so that other static analysis techniques can be used. While you may be able to find an automated unpacker that will work with some of these labs, automated unpackers won’t help you learn the skills you need when you encounter custom packers. Also, once you master unpacking, you may be able to manually unpack a file in less time than it takes to find, download, and use an automated unpacker. Each lab is a packed version of a lab from a previous chapter. Your task in each case is to unpack the lab and identify the chapter in which it appeared. The files are Lab18-01.exe through Lab18-05.exe.

Lab 18-1

Opening it in Exeinfo PE shows it is packed with UPX, so it could simply be unpacked with

upx -d file.exe
../_images/1q115.png

but I will unpack it manually. Opening it in IDA Pro gives this:

../_images/1q28.png

It imports very few functions (as expected of a packed file). One import stands out, urlmon, and since the stub uses VirtualAlloc we can set a hardware breakpoint on the buffer it returns, which is where the stub will write the unpacked malware:

../_images/1q57.png
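The indicators the tools above report (UPX section names, a section with no data on disk, a near-empty import table, an entry point outside .text) can be checked by hand without a GUI. The script below is an added example written for this write-up, not code from the book or the labs: it parses a PE32 header with struct, computes per-section entropy and runs those heuristics over two images constructed in memory, a UPX-like layout and a plain compiler layout. The section layout, entry point, import-table size and data-directory RVA are invented stand-ins, not values taken from Lab18-01.exe.

```python
"""Static packer triage for a PE32 file: section names, raw-vs-virtual size gap,
per-section entropy, entry-point location and import-table size.  Added example
for this write-up, not code from the book or the labs; the two sample images
below are constructed in memory so the script runs offline."""
import math
import struct

PE32_OPT_HDR_SIZE = 0xE0  # sizeof(IMAGE_OPTIONAL_HEADER32)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def build_pe32(sections, entry_rva, import_size):
    """Assemble a minimal PE32 image from (name, vsize, vaddr, raw) tuples.
    Constructed test input only: headers are just complete enough to parse."""
    nt_off, opt_off = 0x40, 0x40 + 4 + 20
    first_raw = raw_ptr = (opt_off + PE32_OPT_HDR_SIZE + 40 * len(sections) + 0x1FF) & ~0x1FF
    sec_hdrs, blobs = [], []
    for name, vsize, vaddr, raw in sections:
        rptr = raw_ptr if raw else 0                      # UPX0-style: nothing on disk
        sec_hdrs.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                    vsize, vaddr, len(raw), rptr, 0, 0, 0, 0, 0x60000020))
        if raw:
            blobs.append(raw)
            raw_ptr += len(raw)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", nt_off)  # e_lfanew lives at 0x3C
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPT_HDR_SIZE, 0x102)
    opt = bytearray(PE32_OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)             # AddressOfEntryPoint
    struct.pack_into("<II", opt, 96 + 8, 0x13000, import_size)  # DataDirectory[1] = imports (RVA invented)
    img = bytearray(dos + b"PE\0\0" + file_hdr + opt + b"".join(sec_hdrs))
    img += b"\0" * (first_raw - len(img))                  # file-align raw data to 0x200
    for raw in blobs:
        img += raw
    return bytes(img)


def parse_sections(pe: bytes):
    """Return (entry_rva, import_dir_size, [section dicts]) from a PE32 image."""
    e_lfanew, = struct.unpack_from("<I", pe.ljust(0x40, b"\0"), 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    entry_rva, = struct.unpack_from("<I", pe, opt + 16)
    import_size, = struct.unpack_from("<I", pe, opt + 96 + 8 + 4)   # DataDirectory[1].Size
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
                         "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
                         "has_ep": vaddr <= entry_rva < vaddr + max(vsize, rsize)})
    return entry_rva, import_size, sections


def packer_indicators(pe: bytes) -> list:
    """Heuristics of the kind a PEiD/Exeinfo-style scan relies on; one reason string per hit."""
    _, import_size, sections = parse_sections(pe)
    hits = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append(f"{s['name']}: raw size 0 but {s['vsize']:#x} bytes virtual (unpack target)")
        if s["entropy"] > 7.0:
            hits.append(f"{s['name']}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if s["has_ep"] and s["name"] not in (".text", "CODE"):
            hits.append(f"entry point lies in {s['name']}, not in a normal code section")
    # One IMAGE_IMPORT_DESCRIPTOR (20 bytes) plus its 20-byte terminator = at most one DLL (approximate)
    if import_size <= 40:
        hits.append(f"import directory is {import_size} bytes: at most one DLL")
    return hits


def is_likely_packed(pe: bytes) -> bool:
    return len(packer_indicators(pe)) >= 2


UPX_LIKE = build_pe32([                                    # constructed UPX-style layout
    ("UPX0", 0x10000, 0x1000, b""),
    ("UPX1", 0x3000, 0x11000, bytes(range(256)) * 2),      # stand-in for compressed data, 8.0 bits/byte
    (".rsrc", 0x1000, 0x14000, b"\0" * 0x200),
], entry_rva=0x12000, import_size=40)
PLAIN = build_pe32([                                       # constructed plain compiler layout
    (".text", 0x1000, 0x1000, bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x90, 0xC3]) * 64),
    (".data", 0x1000, 0x2000, b"\0" * 0x200),
], entry_rva=0x1000, import_size=80)

if __name__ == "__main__":
    for label, img in (("UPX-like", UPX_LIKE), ("plain", PLAIN)):
        print(label, is_likely_packed(img), packer_indicators(img))
```

To use it on a real sample, read the file with `open(path, "rb").read()` and pass the bytes to `packer_indicators`. Entropy alone is a weak signal (resource sections full of compressed images also score high), which is why the verdict needs two independent indicators.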

urlmon is referenced from the packed section:

../_images/1q65.png

The graph view of the unpacking stub is a mess, so I will look for the tail jump instead.

../_images/1q38.png

Something interesting: a jmp to a location more than 0x8000 bytes away, preceded by some odd instructions (such as cmp esp, eax). This is likely our tail jump, so I open the file in x32dbg to test it:

../_images/1q47.png
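The same tail-jump hunt can be done over the raw bytes of the stub. The script below is an added example written for this write-up, not code from the book or x32dbg: it scans a constructed UPX-style stub for a jmp rel32 whose target is far away and outside the stub, and ranks candidates by whether a popad precedes them, the pattern seen above (popad, stack fix-up, cmp esp, eax, then a long jmp). The stub bytes, the base address 0x40A000 and the OEP 0x401500 are invented. It is a byte scan, not a disassembler, so an 0xE9 inside an operand yields a false candidate; the example includes one deliberately and shows the ranking demoting it.

```python
"""Tail-jump candidate finder for an unpacking stub.  Added example for this
write-up (not from the book or x32dbg): a byte-level scan for the UPX-style
ending seen above - popad, stack fix-up, cmp esp, eax, then a long jmp rel32
out of the stub into the unpacked image.  Not a disassembler: every 0xE9 is a
candidate until filtered by distance and ranked by a preceding popad."""
import struct

JMP_REL32, POPAD = 0xE9, 0x61


def find_tail_jump_candidates(code: bytes, base: int, window: int = 0x40, min_distance: int = 0x1000):
    """Return candidate dicts, best first: far jmp rel32 whose target leaves [base, base+len)."""
    found = []
    for i in range(len(code) - 4):
        if code[i] != JMP_REL32:
            continue
        rel, = struct.unpack_from("<i", code, i + 1)
        target = base + i + 5 + rel
        leaves_stub = not (base <= target < base + len(code))
        if abs(rel) >= min_distance and leaves_stub:
            found.append({"offset": base + i, "target": target, "distance": abs(rel),
                          "popad_before": POPAD in code[max(0, i - window):i]})
    # A popad shortly before the jump is the strongest signal, then sheer distance.
    found.sort(key=lambda c: (not c["popad_before"], -c["distance"]))
    return found


# Constructed stand-in for a UPX1 stub as a debugger would show it (VA and OEP invented).
STUB_BASE = 0x0040A000
OEP = 0x00401500
STUB = bytes([
    0x60,                                # pushad: save registers before unpacking
    0xBE, 0x00, 0x10, 0x40, 0x00,        # mov esi, 0x401000
    0x8D, 0xBE, 0x00, 0x00, 0xFF, 0xFF,  # lea edi, [esi-0x10000]
    0xE9, 0x10, 0x00, 0x00, 0x00,        # jmp +0x10: short hop inside the stub (filtered out)
]) + b"\x90" * 0x10 + bytes([
    0xB8, 0xE9, 0x00, 0x02, 0x00,        # mov eax, 0x200E9: an immediate containing 0xE9 (decoy)
    0x61,                                # popad: restore registers, the stub is done
    0x8D, 0x44, 0x24, 0x80,              # lea eax, [esp-0x80]
    0x6A, 0x00,                          # push 0
    0x39, 0xC4,                          # cmp esp, eax: the odd compare noted in the text
    0x75, 0xFA,                          # jne -6
    0x83, 0xEC, 0x80,                    # sub esp, -0x80
    0xE9, 0x00, 0x00, 0x00, 0x00,        # jmp rel32 -> OEP, displacement patched below
]) + b"\0" * 16
_TAIL = STUB.rindex(bytes([0x83, 0xEC, 0x80])) + 3   # offset of the final jmp opcode
STUB = STUB[:_TAIL + 1] + struct.pack("<i", OEP - (STUB_BASE + _TAIL + 5)) + STUB[_TAIL + 5:]

if __name__ == "__main__":
    for c in find_tail_jump_candidates(STUB, STUB_BASE):
        print(f"jmp at {c['offset']:#010x} -> {c['target']:#010x} "
              f"(distance {c['distance']:#x}, popad before: {c['popad_before']})")
```

On a real stub, dump the section containing the entry point from the debugger (or slice it out of the file with the section's PointerToRawData) and pass it with the section's virtual address as `base`. The top-ranked candidate is where to set the breakpoint; the ranking is a hint, not proof, and the jump still has to be confirmed by running to it.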

The unpacking stub starts with pushad. Looking at the stack, we see an interesting memory address, so I set another hardware read breakpoint there (in x32dbg: select the stack entry, follow it in the dump, then set the breakpoint from the dump):

../_images/1q76.png

We land near our suspected tail jump:

../_images/1q93.png

and here is the memory dump (notice the MZ on the stack, the signature that begins an executable):

../_images/1q85.png

Open the Scylla plugin in x32dbg, enter the jump target as the OEP, then click IAT Autosearch to locate the import address table:

../_images/1q104.png

Clicking Yes, the search succeeds:

../_images/1q116.png

Then click Get Imports, followed by Dump:

../_images/1q123.png

The dumped malware is functional, with full imports:

../_images/1q131.png

The malware is the same as Lab14-01.exe:

../_images/1q142.png

Lab 18-2

Loading the malware in PEiD shows it is packed with FSG 1.0:

../_images/1q152.png

Looking at the imports:

../_images/1q162.png

Since I did not spot a tail jump, I will use the GetProcAddress breakpoint technique: set a breakpoint on GetProcAddress in x32dbg and work backwards from there to the OEP (the unpacking stub calls that function to resolve the imports of the original program). I also set another breakpoint on this pushed memory address:

../_images/2q120.png ../_images/2q210.png

We hit the hardware read breakpoint:

../_images/2q37.png

I suspected this might be our OEP, but IAT Autosearch failed:

../_images/2q47.png

This is not the memory we want, so we keep running until the GetProcAddress breakpoint hits:

../_images/2q56.png

Reading the surrounding code, we find a pushed pointer to data beginning with MZ (the start of an executable), followed by a call to an address that may be our OEP:

../_images/2q1111.png

The dump is Lab07-02.exe, but with the wrong entry point:

../_images/2q126.png

Using OllyDbg with the OllyDump plugin, we can find the OEP more easily with "Find OEP by Section Hop (Trace over)" and then "Dump debugged process":

../_images/2q143.png

and we get the same executable:

../_images/2q152.png

Lab 18-3

PEiD reports it is packed with PECompact:

../_images/3q118.png

From the imports, I will set breakpoints on GetProcAddress and VirtualAlloc:

../_images/3q27.png

Opening it in x32dbg, the entry point starts with pushad:

../_images/3q45.png

I set a hardware breakpoint on the stack at 18FF7C, and on 7EFDE000 and 76F43368 in memory:

../_images/3q35.png

Our breakpoint at 18FF7C is hit, on the popad:

../_images/3q119.png

Stepping over, we reach this, which is likely our OEP (retn pops the address on the stack and jumps to it):

../_images/3q123.png

We can dump it with Scylla, but it fails to recover the imports:

../_images/3q134.png

Running on to the GetProcAddress breakpoint, we can get the imports and also find where the import table sits in memory:

../_images/3q74.png

and we get Lab09-02.exe:

../_images/3q104.png

Lab 18-4

Exeinfo PE shows it is packed with ASPack v2.12:

../_images/4q22.png

The imports give some useful information:

../_images/4q12.png

I set a breakpoint on GetProcAddress as usual; it is hit before the entry point is reached:

../_images/4q32.png

and here it is resolving imports for the packed malware:

../_images/4q42.png

and on the stack we can see where it is getting its data from:

../_images/4q62.png

Then we reach the entry point, which starts with pushad:

../_images/4q72.png

so I set a hardware breakpoint on that unusual address in the stack, to catch the moment it is popped:

../_images/4q8.png

We get a hit:

../_images/4q9.png

Stepping over, we see our tail jump:

../_images/4q10.png

Trying Scylla here with the jump address fails:

../_images/4q111.png

Viewing it in memory (we could dump it from here):

../_images/4q13.png

Stepping over the retn, which acts as the tail jump here, lands us at the OEP; then try Scylla again:

../_images/4q14.png

Dumped, it is the same executable as Lab09-01.exe:

../_images/4q15.png

Lab 18-5

Detect It Easy (DIE) shows it is packed with UPack:

../_images/5q11.png

pestudio shows zero imports:

../_images/5q21.png

At the entry point we see a few pushes:

../_images/5q31.png

I add hardware breakpoints on those stack addresses (they will be popped when the unpacking stub finishes):

../_images/5q41.png ../_images/5q51.png

We hit one of the breakpoints:

../_images/5q61.png

Stepping over, we see something interesting: push ebx followed by call ebp:

../_images/5q7.png

Looking at ebx:

../_images/5q8.png

Running Scylla on that address:

../_images/5q9.png

but we get an incomplete executable, so back to x32dbg for the next breakpoint:

../_images/5q10.png

Running Scylla on that memory address:

../_images/5q111.png

It is the same as Lab07-01.exe:

../_images/5q12.png