Malware Journey Day 10
Steps to unpacking
Load in PEStudio
We load the sample in PEStudio and look for indicators that it is packed. A good indicator that a sample is packed is if the strings are either encrypted
I was curious what untrain.pdb was. Googling it led to nothing. Apart from that, it is pretty obvious that all of these values are encrypted by some sort of packer. Looking at the other sections, we see there are no exports. This tells me it is most certainly a DLL and not an executable.
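The two PEStudio indicators used above (encrypted-looking data and a lack of readable strings) as an added Python example that is not part of the original post: it computes Shannon entropy per region and counts printable strings, the same signals a packed or encrypted section gives off. Both regions are constructed inside the script (one imitating an unpacked code/string area, one sha256-derived pseudo-random buffer standing in for a packed section), and the entropy and strings-per-KiB thresholds are the editor's assumptions, not PEStudio's.

```python
import hashlib
import math
import re

# Constructed sample regions (NOT bytes from the analysed sample).
# PLAIN_REGION imitates an unpacked .text/.rdata mix: readable API names and
# repetitive code-like padding. PACKED_REGION is a deterministic sha256 chain,
# which looks like encrypted or compressed data to PEStudio's strings view.
PLAIN_REGION = (
    b"kernel32.dll\0VirtualAlloc\0VirtualProtect\0IsDebuggerPresent\0"
    b"CreateProcessInternalW\0This program cannot be run in DOS mode.\0"
) * 8 + b"\x55\x8b\xec\x83\xec\x10\x90" * 200


def _pseudo_random(n, seed=b"packed"):
    """Deterministic high-entropy filler (constructed stand-in for packed data)."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


PACKED_REGION = _pseudo_random(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def printable_strings(data: bytes, min_len: int = 8) -> list:
    """Runs of printable ASCII of at least min_len bytes (min_len is an assumption)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def packing_indicators(data: bytes) -> dict:
    """Heuristic verdict for one region.

    Thresholds are the editor's assumptions: entropy above about 7.0 bits/byte
    together with almost no readable strings is the usual sign of compressed or
    encrypted content, which is what the PEStudio strings view showed here.
    """
    entropy = shannon_entropy(data)
    strings = printable_strings(data)
    strings_per_kib = len(strings) / max(len(data) / 1024, 1e-9)
    return {
        "size": len(data),
        "entropy": round(entropy, 3),
        "string_count": len(strings),
        "strings_per_kib": round(strings_per_kib, 2),
        "likely_packed": entropy > 7.0 and strings_per_kib < 2.0,
    }


if __name__ == "__main__":
    for name, region in (("plain", PLAIN_REGION), ("packed", PACKED_REGION)):
        print(name, packing_indicators(region))
```

Run it as-is to see both verdicts; on a real sample, feed each section's raw bytes (as sliced by any PE parser) to packing_indicators and compare the entropy column with what PEStudio reports.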
Moving on to x32dbg!
As per the standard, set breakpoints on CreateProcessInternalW, VirtualAlloc, VirtualProtect, and IsDebuggerPresent.
From previous unpackings, if I run into IsDebuggerPresent, just setting the return register to 0 solves that simple issue.
Anyway, hitting the first breakpoint: VirtualAlloc.
Now that I have hit this function, it would be nice to know what it does. Fortunately I coded a very short snippet yesterday showing how it works. For a malware executable I would assume it reserves x bytes of space. What goes in this space will be figured out when I dump it into dump1.
To me this is obviously shellcode; it is easy to recognize due to the short jump it makes, though it seems to be encrypted as well.
This executable seems to have more than one VirtualAlloc call. Let's repeat. Looks like I have exited the cycle of VirtualAlloc calls.
In the red circled portion I see an MZ header. This is the beginning of a PE file!
Moving on, I see an instruction after VirtualAlloc moving a value into EAX, so it could be worthwhile to dump.
Ah, there are sections. This tells me it could be the executable.
Unfortunately, a look at the memory map confirms it is just our packed DLL.
After going through more instructions, I stumbled upon this.
This can possibly be an unmapped executable. I checked the memory map and there is no issue of it being just the DLL. Time to dump it and check it in PEStudio.
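The checks done by hand in the walkthrough above (spot an MZ header in a dumped region, confirm it has a section table, then use the memory map to decide whether it is just the packed DLL mapped again or a fresh image, and recognise the short-jump shellcode after the first VirtualAlloc) as one added Python example that is not code from the original post. The dumps it triages are constructed, header-only PE images built inside the script, so it runs offline; the "same image as the one we started from" comparison by ImageBase and section names, and the jmp/call shellcode heuristic, are the editor's assumptions. It also reads the IMAGE_FILE_DLL bit of the COFF Characteristics field, which is how a PE header itself records whether the image is a DLL or an EXE.

```python
import struct

IMAGE_FILE_DLL = 0x2000               # COFF Characteristics: image is a DLL
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # COFF Characteristics: image is linked


def build_pe(section_names, is_dll, image_base):
    """Constructed, header-only PE32 image used as a stand-in for a dump.
    It is NOT the analysed sample; only the fields the scanner reads are set."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0xE0, chars)
    # PE32 optional header prefix up to and including ImageBase (offset 28).
    opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x1000, 0,
                      0x1000, 0x1000, 0x2000, image_base).ljust(0xE0, b"\0")
    secs = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), 0x1000,
                    0x1000 * (i + 1), 0x1000, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return dos + b"PE\0\0" + coff + opt + secs


def parse_pe_at(buf, off):
    """Parse a PE header starting at buf[off]; None if it is not a valid one."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if not 1 <= nsec <= 96 or opt_size < 0x60 or opt + opt_size + 40 * nsec > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    sec_tab = opt + opt_size  # section table follows the optional header
    names = [struct.unpack_from("<8s", buf, sec_tab + 40 * i)[0].rstrip(b"\0").decode("latin-1")
             for i in range(nsec)]
    return {"offset": off, "machine": machine, "is_dll": bool(chars & IMAGE_FILE_DLL),
            "image_base": image_base, "sections": names}


def find_pe_headers(buf):
    """Every offset in buf where a parsable PE header starts."""
    found, start = [], 0
    while (off := buf.find(b"MZ", start)) != -1:
        info = parse_pe_at(buf, off)
        if info:
            found.append(info)
        start = off + 2
    return found


def looks_like_shellcode(buf):
    """Rough heuristic (editor's assumption): position-independent code often
    opens with a short/near jmp or a call used to find its own address."""
    return len(buf) > 2 and buf[0] in (0xEB, 0xE9, 0xE8)


def triage_dump(region, known_image):
    """Classify one dumped region against the PE we started from (the packed
    DLL as loaded), reproducing the memory-map check done by hand."""
    known = parse_pe_at(known_image, 0)
    pes = find_pe_headers(region)
    if pes:
        pe = pes[0]
        same = pe["image_base"] == known["image_base"] and pe["sections"] == known["sections"]
        verdict = "original packed image" if same else "unpacked PE"
        return {"verdict": verdict, "at": pe["offset"], "is_dll": pe["is_dll"],
                "sections": pe["sections"]}
    if looks_like_shellcode(region):
        return {"verdict": "shellcode candidate", "at": 0}
    return {"verdict": "unknown or still encrypted", "at": None}


# Constructed dumps: the packed DLL as loaded, a region opening with a short
# jump (the shellcode seen after the first VirtualAlloc), the same DLL mapped
# again, and a region holding a fresh EXE image (the unpacked payload).
KNOWN_DLL = build_pe([".text", ".rdata", ".data", ".reloc"], True, 0x10000000)
DUMP_SHELLCODE = b"\xeb\x0e" + b"\x60\xe8\x00\x00\x00\x00\x5b" * 30
DUMP_REMAPPED = b"\0" * 0x200 + KNOWN_DLL
DUMP_PAYLOAD = b"\x90" * 0x30 + build_pe([".text", ".data", ".rsrc"], False, 0x400000)

if __name__ == "__main__":
    for name in ("DUMP_SHELLCODE", "DUMP_REMAPPED", "DUMP_PAYLOAD"):
        print(name, triage_dump(globals()[name], KNOWN_DLL))
```

On a real case, read each x32dbg dump file into `region` and pass the packed sample's own bytes as `known_image`; a hit at a non-zero offset with a different section list is the one worth carving out and opening in PEStudio, while a match on ImageBase and section names is the memory-map "just our packed DLL" result.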
It looks a lot cleaner in PEStudio.
I needed assistance with this.
This highlighted string is popular with zloader.