gundamfj Posted October 16, 2016 (edited) I have this malware (possibly a Locky variant), which is packed by an unknown packer (de4dot -d). It looks like it's packed by a customized ConfuserEx, but I am not 100% sure (newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc, and monitor the size of the memory region it allocates. If the memory region is large enough to hold the malware's actual payload, keep an eye on it; maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on a system API like VirtualAlloc? I know I could use a debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right? Attached is the malware. This malware is packed multiple times. dump-unpacked-cleaned.exe Edited October 16, 2016 by gundamfj
hyper-v Posted October 16, 2016 Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky. I can't download the file to check, but that's my guess. Quote I know I could use a debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right? Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles it's .NET, if it doesn't then it might be C/C++.
gundamfj Posted October 17, 2016 Author 10 hours ago, hyper-v said: Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky. I can't download the file to check, but that's my guess. Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles it's .NET, if it doesn't then it might be C/C++. I know Locky is written in C or C++. Sorry, I should have pointed out that the attachment is just a dropper. Please download the dropper from here: http://www.megafileupload.com/g8cj/dump-unpacked-cleaned.exe Strings were cleaned by de4dot, so the filename contains 'cleaned'. And I am using dnSpy; it seems that I can't set a breakpoint on a system API.
kao Posted October 17, 2016 #1 - Always provide the original file. The semi-unpacked shit is.. well, shit. #2 - Since this is a .NET shell around an x86 binary, it's almost certainly using one of the RunPE techniques. Search this board or google for "unpacking runpe" and you'll get lots of suggestions on how to approach it.
gundamfj Posted October 17, 2016 Author (edited) For any curious guys in this forum, below is the original malware: http://www.megafileupload.com/g8qB/f582ba7a3c5aa07d_app.exe Current progress: I try to pause on every VirtualAlloc and observe the size of the allocated memory. But sadly, every allocated region has a rounded size, like 1000, 2000, 20000..... Any advice on narrowing down to some specific VirtualAlloc calls? Edited October 17, 2016 by gundamfj
Etor Madiv Posted October 17, 2016 (edited) I found that it is a malware; really I don't know its name, but after a lot of debugging I found the nice stuff. The scan result is shown here: https://nodistribute.com/result/4eitrpMVURF3xoHI6aL7 Edited October 17, 2016 by Etor Madiv
gundamfj Posted October 18, 2016 Author (edited) 8 hours ago, Etor Madiv said: I found that it is a malware; really I don't know its name, but after a lot of debugging I found the nice stuff. The scan result is shown here: https://nodistribute.com/result/4eitrpMVURF3xoHI6aL7 Did you successfully unpack all layers and get the final payload? Did you unpack ConfuserEx 1.0 manually? Edited October 18, 2016 by gundamfj
gundamfj Posted October 18, 2016 Author Current progress: exception encountered in the semi-unpacked sample (no resource). It seems that I did something wrong in previous steps. The original sample uses XORing to unpack the first layer. But weirdly, the unpacked result from the first layer doesn't contain any resource.... And I don't see any array long enough to contain code-like data. Is that usual? Or is there any technique allowing the unpacked result to use resources from its parent?
Etor Madiv Posted October 18, 2016 3 hours ago, gundamfj said: Current progress: exception encountered in the semi-unpacked sample (no resource). It seems that I did something wrong in previous steps. The original sample uses XORing to unpack the first layer. But weirdly, the unpacked result from the first layer doesn't contain any resource.... And I don't see any array long enough to contain code-like data. Is that usual? Or is there any technique allowing the unpacked result to use resources from its parent? Because it is loaded in memory, they have the same resources, so I dumped the original assembly's resources and added them to the deobfuscated one.
kao Posted October 18, 2016 @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside a virtual machine, and then find the "MZ" header of the unpacked binary in memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside the unpacked malware, it's called "iSpy Keylogger".
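As an added example (not code from any poster in this thread, and not the tutorial Etor Madiv attached), here is the core of what a native memory dumper does for the RunPE case kao describes: scan a memory region for "MZ", validate the candidate as a real PE header (e_lfanew in range, "PE\0\0", PE32/PE32+ magic, sane section count), copy SizeOfImage bytes out, and then rewrite the section headers so raw offsets equal virtual addresses, because a RunPE'd image sits in memory in its mapped layout, not its file layout. The "region" it scans is a constructed byte buffer with a decoy "MZ" and a tiny hand-built PE32; on a real target you would feed it a memory dump of the VirtualAlloc'd region instead. The function and constant names are this example's own.

```python
import struct

# Offsets shared by the PE32 and PE32+ optional headers.
OPT_SECTION_ALIGN = 0x20
OPT_FILE_ALIGN = 0x24
OPT_SIZE_OF_IMAGE = 0x38
SECTION_HDR_SIZE = 40


def parse_pe_at(buf, off):
    """Validate a PE header at buf[off:]; return header fields (dict) or None."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew must be past the DOS header and inside the first page; decoys usually fail here.
    if not (0x40 <= e_lfanew <= 0x1000) or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, pe + 4)
    opt = pe + 24
    if opt_size < 0x60 or opt + opt_size > len(buf):
        return None
    if struct.unpack_from("<H", buf, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        return None
    size_of_image = struct.unpack_from("<I", buf, opt + OPT_SIZE_OF_IMAGE)[0]
    sect_off = opt + opt_size
    if nsect == 0 or nsect > 96 or sect_off + nsect * SECTION_HDR_SIZE > len(buf):
        return None
    if size_of_image == 0 or off + size_of_image > len(buf):
        return None
    # Offsets in the returned dict are relative to the image start, so they stay valid after carving.
    return {"offset": off, "machine": machine, "nsect": nsect, "opt": opt - off,
            "sect_off": sect_off - off, "size_of_image": size_of_image}


def carve_images(buf):
    """Return headers of every plausible PE image in buf. Nested images (a second layer
    embedded inside the first) are found too, since the scan resumes one byte after each hit."""
    hits, i = [], buf.find(b"MZ")
    while i != -1:
        hdr = parse_pe_at(buf, i)
        if hdr:
            hits.append(hdr)
        i = buf.find(b"MZ", i + 1)
    return hits


def unmap_image(buf, hdr):
    """Copy the mapped image out and rewrite each section so PointerToRawData == VirtualAddress
    and SizeOfRawData == VirtualSize (the raw/virtual fix a native dumper applies)."""
    img = bytearray(buf[hdr["offset"]:hdr["offset"] + hdr["size_of_image"]])
    sect_align = struct.unpack_from("<I", img, hdr["opt"] + OPT_SECTION_ALIGN)[0]
    if sect_align:
        struct.pack_into("<I", img, hdr["opt"] + OPT_FILE_ALIGN, sect_align)
    for k in range(hdr["nsect"]):
        s = hdr["sect_off"] + k * SECTION_HDR_SIZE
        vsize, vaddr = struct.unpack_from("<II", img, s + 8)
        struct.pack_into("<II", img, s + 16, vsize, vaddr)
    return bytes(img)


def section_raw(img, hdr, k):
    """(SizeOfRawData, PointerToRawData) of section k, for checking the fix-up."""
    return struct.unpack_from("<II", img, hdr["sect_off"] + k * SECTION_HDR_SIZE + 16)


def file_alignment(img, hdr):
    return struct.unpack_from("<I", img, hdr["opt"] + OPT_FILE_ALIGN)[0]


def build_mapped_sample():
    """Constructed test data: a tiny PE32 laid out as RunPE would map it (sections at their RVAs),
    with section headers still carrying file-layout raw offsets, as a packer leaves them."""
    img = bytearray(0x3000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # COFF header, i386
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                              # PE32 magic
    struct.pack_into("<I", img, opt + OPT_SECTION_ALIGN, 0x1000)
    struct.pack_into("<I", img, opt + OPT_FILE_ALIGN, 0x200)
    struct.pack_into("<I", img, opt + OPT_SIZE_OF_IMAGE, 0x3000)
    sections = [(b".text", 0x100, 0x1000, 0x200, 0x200), (b".data", 0x50, 0x2000, 0x200, 0x400)]
    for k, (name, vsize, vaddr, rawsize, rawptr) in enumerate(sections):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + k * SECTION_HDR_SIZE,
                         name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
    img[0x1000:0x1005] = b"\x55\x8b\xec\x5d\xc3"                         # push ebp; mov ebp,esp; pop ebp; ret
    img[0x2000:0x2005] = b"HELLO"
    return bytes(img)


def build_region():
    """Constructed 'allocated region': zero padding, a decoy MZ with a bogus e_lfanew, the image, slack."""
    decoy = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0xFFFFFFF0)
    return b"\0" * 0x123 + decoy + b"\xcc" * 0x2D + build_mapped_sample() + b"\0" * 0x100


if __name__ == "__main__":
    region = build_region()
    for hdr in carve_images(region):
        dumped = unmap_image(region, hdr)
        print("PE at region offset 0x%x, SizeOfImage 0x%x, %d sections" %
              (hdr["offset"], hdr["size_of_image"], hdr["nsect"]))
        open("carved_%x.bin" % hdr["offset"], "wb").write(dumped)
```

The decoy shows why a bare "MZ" search is not enough: the scanner rejects it on the e_lfanew check and only reports the real image. The carved file still has its import table in its in-memory state; if the loader inside the .NET shell resolved imports before the dump, an import reconstructor is the next step, which this example does not do.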
Etor Madiv Posted October 18, 2016 Posted October 18, 2016 51 minutes ago, kao said: @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside virtual machine, and then find "MZ" header of unpacked binary in the memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside unpacked malware, it's called "iSpy Keylogger". MegaDumper failed to dump it, do you know any other good tools that will succeed to do the same thing ? And it is harder to use ollydbg, since of the use of unsafe code.
kao Posted October 18, 2016 Posted October 18, 2016 ..and that's why I didn't say "use Megadumper" but suggested Olly + native dumper. I can't find any ready-made tutorial for such basic task, though. But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place. 2
Etor Madiv Posted October 18, 2016 Posted October 18, 2016 9 minutes ago, kao said: ..and that's why I didn't say "use Megadumper" but suggested Olly + native dumper. I can't find any ready-made tutorial for such basic task, though. But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place.
gundamfj Posted October 18, 2016 Author (edited) 1 hour ago, kao said: @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside a virtual machine, and then find the "MZ" header of the unpacked binary in memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside the unpacked malware, it's called "iSpy Keylogger". This is bad news for me.... I would like to analyze Locky. I have to say those malware signatures (for the unpacked malware) aren't reliable... Edited October 18, 2016 by gundamfj
0xNOP Posted October 18, 2016 32 minutes ago, gundamfj said: This is bad news for me.... I would like to analyze Locky. I have to say those malware signatures (for the unpacked malware) aren't reliable... If you want to go for Locky, your best bet is to grab dem bad boys from here: http://malc0de.com/database/ and hope that one of them is Locky, or just take a look in the malwr database!
Etor Madiv Posted October 18, 2016 Posted October 18, 2016 I have a Locky sample but I dont know if it is allowed to upload malware here or not .
gundamfj Posted October 18, 2016 Author 13 minutes ago, Etor Madiv said: I have a Locky sample but I don't know if it is allowed to upload malware here or not. Please send me a private message. You could use a service like http://www.megafileupload.com/
Etor Madiv Posted October 19, 2016 After being asked to do a tutorial, here is a tutorial explaining how to unpack the sample. I hope that it will be useful.