Malware Journey Day 17
All credit goes to
https://exploitreversing.files.wordpress.com/2023/03/mas_7.pdf
This blog is for me; I need to build a solid triage process to unpack other samples.
Let's start with a Dridex loader.
From the Malware Bazaar report I find it is using the WriteProcessMemory and AdjustTokenPrivileges Win32 APIs.
1st Command
malwoverview.py -b 1 -B 87e2dad373f75f5c0a200821523aebe45f6f4103b51fb0155ed2bf060ec50b04 -o 0
WriteProcessMemory is usually used for injection.
I use PE-bear first to inspect the libraries.
Interestingly enough, I don't see WriteProcessMemory anywhere in Kernel32.dll.
My second thought is that maybe the DLL is packed.
But the memory section maps and disk section maps are aligned.
It appears an easy way to unpack this sample is through malwoverview.py and follow the unpac.me link
It appears here I have the file unpacked. Let's download the largest sample.
I see lots more functions as well. LoadLibraryA tells me this is possibly process injection.
Unsure what mshtmled.dll is.
When running this process, I will keep an eye out for IE or other office documents.
Next it is time for capa.exe:
capa.exe .mas7.bin
malwoverview.py -b 7 -B 87e2dad373f75f5c0a200821523aebe45f6f4103b51fb0155ed2bf060ec50b04 -o 0
Placing my sample in HxD, I can confirm I see multiple sections, which is a good indication of an unpacked sample.
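The two checks used above, disk/memory section maps lining up and a normal-looking section table, can be scripted so the triage step is repeatable. This is an added example, not code from the post or from the MAS writeup it follows; it parses the PE section table with the standard library only (no pefile), flags sections whose virtual size far exceeds their on-disk size or whose bytes are near-maximum entropy, and includes a constructed header-only PE builder so it runs offline. The section-name values and the 7.0 entropy threshold are assumptions chosen for the demonstration.

```python
import math
import struct
from collections import Counter
# IMAGE_SECTION_HEADER and IMAGE_FILE_HEADER layouts (little-endian, from winnt.h)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
COFF_HDR = struct.Struct("<HHIIIHH")          # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics

def entropy(buf):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_sections(data):
    """Return name, virtual size, raw (on-disk) size and body entropy for each section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size, _ = COFF_HDR.unpack_from(data, e_lfanew + 4)
    table = e_lfanew + 4 + COFF_HDR.size + opt_size
    sections = []
    for i in range(nsec):
        f = SECTION_HDR.unpack_from(data, table + i * SECTION_HDR.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "raw": f[3], "entropy": entropy(data[f[4]:f[4] + f[3]])})
    return sections

def looks_packed(sections, max_entropy=7.0):
    """Heuristic: a section whose virtual size dwarfs its raw size is a runtime unpack target,
    and near-8.0 entropy means compressed/encrypted bytes. Empty result = maps line up."""
    reasons = []
    for s in sections:
        if s["raw"] * 4 < s["vsize"]:
            reasons.append(f"{s['name']}: raw {s['raw']:#x} vs virtual {s['vsize']:#x}")
        if s["entropy"] > max_entropy:
            reasons.append(f"{s['name']}: entropy {s['entropy']:.2f}")
    return reasons

def build_fake_pe(sections, pe_off=0x40, opt_size=0xE0):
    """Constructed test input: header-only PE32 with (name, vsize, body) sections; optional header zero-filled."""
    raw_ptr = pe_off + 4 + COFF_HDR.size + opt_size + SECTION_HDR.size * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = COFF_HDR.pack(0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, bodies = b"", b""
    for name, vsize, body in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, 0x1000, len(body),
                                  raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(body)
        bodies += body
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + bodies
```

On a real file, `looks_packed(parse_sections(open(path, "rb").read()))` gives the same picture PE-bear shows in its section view; an empty list matches the "aligned maps" observation, while a big raw/virtual gap or an 8.0-entropy section is the cue to go to unpac.me or a dump.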
Further into the writeup I was following, the subroutine naming became difficult to follow since I was dealing with a different sample. Stopping the blog here for now; going to complete the reading.