gundamfj Posted October 16, 2016 Share Posted October 16, 2016 (edited) I have this malware(possibly Locky variant), which is packed by an unknown packer(de4dot -d). It looks like it's packed by customized ConfuserEx, but I am not 100% sure(newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck. I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc and monitor the memory region's size it allocates. If the memory region is enough large to hold the malware actual payload, keep an eye on it, maybe I could finally get the payload. So is there any .NET debugger allowing me to pause on System API like VirtualAlloc? I know I could use debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right? Attached is the malware. This malware is packed multi times. dump-unpacked-cleaned.exe Edited October 16, 2016 by gundamfj Link to comment Share on other sites More sharing options...
hyper-v Posted October 16, 2016 Share Posted October 16, 2016 Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky. I can't download the file to check, but that's my guess. Quote I know I could use debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right? Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles it's .NET, if it doesn't then it might be C/C++. Link to comment Share on other sites More sharing options...
gundamfj Posted October 17, 2016 Author Share Posted October 17, 2016 10 hours ago, hyper-v said: Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky. I can't download the file to check, but that's my guess. Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles it's .NET, if it doesn't then it might be C/C++. I know Locky is written in C or C++. Sorry, I should have pointed out the attachment is just a dropper. pls download the dropper from here: http://www.megafileupload.com/g8cj/dump-unpacked-cleaned.exe String is cleaned by de4dot, so the filename contains 'cleaned'. And I am using dnspy, it seems that I couldn't make breakpoint on system API. Link to comment Share on other sites More sharing options...
kao Posted October 17, 2016 Share Posted October 17, 2016 #1 - Always provide the original file. The semi-unpacked shit is.. well, shit. #2 - Since this is .NET shell around x86 binary, it's almost certainly using one of the RunPE techniques. Search this board or google for "unpacking runpe" and you'll get lots of suggestions on how to approach it. 1 Link to comment Share on other sites More sharing options...
gundamfj Posted October 17, 2016 Author Share Posted October 17, 2016 (edited) For any curious guys in thie forum, below is the original malware: http://www.megafileupload.com/g8qB/f582ba7a3c5aa07d_app.exe current progress: I try to pause on every VirtualAlloc and observe size of allocated memory. But sadly is, every allocated memory has a rounded size, like 1000, 2000, 20000..... Any advice to narrow down to some specific VirtualAlloc calls? Edited October 17, 2016 by gundamfj Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 17, 2016 Share Posted October 17, 2016 (edited) I found that it is a malware, really I dont know its name, but after a lot of debugging I found the nice stuff The scan result is shown here: https://nodistribute.com/result/4eitrpMVURF3xoHI6aL7 Edited October 17, 2016 by Etor Madiv Link to comment Share on other sites More sharing options...
gundamfj Posted October 18, 2016 Author Share Posted October 18, 2016 (edited) 8 hours ago, Etor Madiv said: I found that it is a malware, really I dont know its name, but after a lot of debugging I found the nice stuff The scan result is shown here: https://nodistribute.com/result/4eitrpMVURF3xoHI6aL7 Do you successfully unpack all layers and get the final payload? Do you unpack ConfuserEx 1.0 manually? Edited October 18, 2016 by gundamfj 1 Link to comment Share on other sites More sharing options...
gundamfj Posted October 18, 2016 Author Share Posted October 18, 2016 current progress: exception encountered in semi-unpacked sample(no resource). It seems that I did something wrong in previous steps. The original sample uses xoring to unpack the first layer. But weird is, the unpacked result from the first layer doesn't contain any resource.... And I dont see any long enough array to contain code-like data. Is it usual? Or is there any technique allowing unpack result to use resource from its parent? Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 18, 2016 Share Posted October 18, 2016 3 hours ago, gundamfj said: current progress: exception encountered in semi-unpacked sample(no resource). It seems that I did something wrong in previous steps. The original sample uses xoring to unpack the first layer. But weird is, the unpacked result from the first layer doesn't contain any resource.... And I dont see any long enough array to contain code-like data. Is it usual? Or is there any technique allowing unpack result to use resource from its parent? Because it is loaded in memory, they have the same resource, so I dumped the original assembly resources, and added them to the deobfuscated one Link to comment Share on other sites More sharing options...
kao Posted October 18, 2016 Share Posted October 18, 2016 @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside virtual machine, and then find "MZ" header of unpacked binary in the memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside unpacked malware, it's called "iSpy Keylogger". 1 Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 18, 2016 Share Posted October 18, 2016 51 minutes ago, kao said: @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside virtual machine, and then find "MZ" header of unpacked binary in the memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside unpacked malware, it's called "iSpy Keylogger". MegaDumper failed to dump it, do you know any other good tools that will succeed to do the same thing ? And it is harder to use ollydbg, since of the use of unsafe code. Link to comment Share on other sites More sharing options...
kao Posted October 18, 2016 Share Posted October 18, 2016 ..and that's why I didn't say "use Megadumper" but suggested Olly + native dumper. I can't find any ready-made tutorial for such basic task, though. But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place. 2 Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 18, 2016 Share Posted October 18, 2016 9 minutes ago, kao said: ..and that's why I didn't say "use Megadumper" but suggested Olly + native dumper. I can't find any ready-made tutorial for such basic task, though. But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place. Link to comment Share on other sites More sharing options...
gundamfj Posted October 18, 2016 Author Share Posted October 18, 2016 (edited) 1 hour ago, kao said: @Etor Madiv already explained a lot, all thumbs up! You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside virtual machine, and then find "MZ" header of unpacked binary in the memory. Takes just a few minutes with Olly and some memory dumping plugin/tool. Oh, and based on the strings inside unpacked malware, it's called "iSpy Keylogger". This is bad news for me.... I would like to analyze Locky. I have to say those malware signatures(for the unpacked malware) aren't reliable... Edited October 18, 2016 by gundamfj Link to comment Share on other sites More sharing options...
0xNOP Posted October 18, 2016 Share Posted October 18, 2016 32 minutes ago, gundamfj said: This is bad news for me.... I would like to analyze Locky. I have to say those malware signatures(for the unpacked malware) aren't reliable... If you want to go for Locky, your best bet is to grab dem bad boys from here: http://malc0de.com/database/ and hope that one of them is Locky or just take a look in malwr database! Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 18, 2016 Share Posted October 18, 2016 I have a Locky sample but I dont know if it is allowed to upload malware here or not . Link to comment Share on other sites More sharing options...
gundamfj Posted October 18, 2016 Author Share Posted October 18, 2016 13 minutes ago, Etor Madiv said: I have a Locky sample but I dont know if it is allowed to upload malware here or not . Pls write private message to me. You could use service like http://www.megafileupload.com/ 1 Link to comment Share on other sites More sharing options...
Etor Madiv Posted October 19, 2016 Share Posted October 19, 2016 After I requested to do a tutorial, this is a tutorial explaining how to unpack the sample. I hope that it will be useful. 3 Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now