Tuts 4 You

need help to unpack .NET malware


gundamfj


I have this malware (possibly a Locky variant), which is packed by an unknown packer (de4dot -d). It looks like it's packed by a customized ConfuserEx, but I am not 100% sure (newbie). I have tried using tools like NoFuserEx, de4dot, UnconfuserEx, without any luck.

I have this idea: maybe I could pause on some memory management API, e.g. VirtualAlloc, and monitor the size of the memory region it allocates. If the memory region is large enough to hold the malware's actual payload, keep an eye on it; maybe I could finally get the payload.

So is there any .NET debugger allowing me to pause on a system API like VirtualAlloc?

I know I could use a debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right?

Attached is the malware. This malware is packed multiple times.

dump-unpacked-cleaned.exe


Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky.

I can't download the file to check, but that's my guess.

Quote

I know I could use a debugger like Olly, but if I open this malware with Olly, I am debugging the .NET framework, right?

Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles, it's .NET; if it doesn't, then it might be C/C++.
10 hours ago, hyper-v said:

Locky is not written in .NET, it's written in C++. You are either analyzing a dropper, or are analyzing some sample which is not Locky.

I can't download the file to check, but that's my guess.

Yeah. Try opening the file in some decompiler like dnSpy. If it decompiles, it's .NET; if it doesn't, then it might be C/C++.

I know Locky is written in C or C++. Sorry, I should have pointed out the attachment is just a dropper.

Please download the dropper from here: http://www.megafileupload.com/g8cj/dump-unpacked-cleaned.exe

Strings were cleaned by de4dot, so the filename contains 'cleaned'.

And I am using dnSpy; it seems that I can't set a breakpoint on a system API.

#1 - Always provide the original file. The semi-unpacked shit is.. well, shit.
#2 - Since this is a .NET shell around an x86 binary, it's almost certainly using one of the RunPE techniques. Search this board or Google for "unpacking runpe" and you'll get lots of suggestions on how to approach it.

For any curious guys in this forum, below is the original malware:

http://www.megafileupload.com/g8qB/f582ba7a3c5aa07d_app.exe

current progress:

I tried pausing on every VirtualAlloc and observing the size of the allocated memory. But sadly, every allocated memory region has a rounded size, like 1000, 2000, 20000... Any advice to narrow down to some specific VirtualAlloc calls?

current progress:

An exception is encountered in the semi-unpacked sample (no resources). It seems that I did something wrong in the previous steps.

The original sample uses XORing to unpack the first layer. But weirdly, the unpacked result from the first layer doesn't contain any resources... And I don't see any array long enough to contain code-like data. Is this usual? Or is there any technique allowing the unpacked result to use resources from its parent?
3 hours ago, gundamfj said:

current progress:

An exception is encountered in the semi-unpacked sample (no resources). It seems that I did something wrong in the previous steps.

The original sample uses XORing to unpack the first layer. But weirdly, the unpacked result from the first layer doesn't contain any resources... And I don't see any array long enough to contain code-like data. Is this usual? Or is there any technique allowing the unpacked result to use resources from its parent?

Because it is loaded in memory, they have the same resources, so I dumped the original assembly's resources and added them to the deobfuscated one.

@Etor Madiv already explained a lot, all thumbs up! :)

You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside a virtual machine, and then find the "MZ" header of the unpacked binary in memory. Takes just a few minutes with Olly and some memory dumping plugin/tool.

Oh, and based on the strings inside the unpacked malware, it's called "iSpy Keylogger".
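The memory-dumping step kao describes above (find the "MZ" header of the unpacked binary in memory, then dump it), which is also where a RunPE-style loader as mentioned earlier leaves its payload, as an added Python example; this is not code from the thread or from any tool it names. It validates every "MZ" hit against the PE header so stray byte pairs are skipped, flags managed (.NET) images via the CLR data directory, and rewrites the section raw offsets so the carved image loads as a file; the dump it scans is constructed inline.

```python
import struct

def parse_pe_at(buf, base):
    """Validate a candidate 'MZ' at `base`; return header facts, or None if it is not a PE image."""
    if base + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24                                                   # IMAGE_OPTIONAL_HEADER
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", buf, opt)[0])  # PE32 / PE32+ data dirs
    sect = opt + opt_size                                           # section table
    if dirs is None or not 1 <= nsec <= 96 or opt_size < dirs + 15 * 8 or sect + nsec * 40 > len(buf):
        return None
    clr_rva = struct.unpack_from("<I", buf, opt + dirs + 14 * 8)[0]  # data directory 14 = CLR header
    sections = [struct.unpack_from("<II", buf, sect + i * 40 + 8) for i in range(nsec)]  # (VirtualSize, VirtualAddress)
    return {"offset": base, "image_size": max(va + vs for vs, va in sections),
            "managed": clr_rva != 0, "section_table": sect, "sections": sections}

def carve_image(buf, info):
    """Copy the image out of the dump; it is laid out by RVA, so point each section's raw data at its virtual layout."""
    base = info["offset"]
    img = bytearray(buf[base:base + info["image_size"]])
    for i, (vs, va) in enumerate(info["sections"]):                  # SizeOfRawData, PointerToRawData
        struct.pack_into("<II", img, info["section_table"] - base + i * 40 + 16, vs, va)
    return bytes(img)

def find_pe_images(dump):
    """Scan a memory dump for PE images; stray 'MZ' byte pairs without a PE header are skipped."""
    hits, pos = [], dump.find(b"MZ")
    while pos != -1:
        info = parse_pe_at(dump, pos)
        if info:
            hits.append(info)
        pos = dump.find(b"MZ", pos + 1)
    return hits

def build_sample_dump():
    """Constructed test input, not a real sample: junk with a stray 'MZ', then a minimal managed PE32 image."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)                           # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)       # 2 sections, 224-byte optional header
    opt = (struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)             # PE32 magic, 16 data directories
           + b"\0" * (14 * 8) + struct.pack("<II", 0x2008, 0x48) + b"\0" * 8)        # directory 14 (CLR) set -> managed
    secs = b"".join(struct.pack("<8sIIII", n, vs, va, 0, 0) + b"\0" * 16
                    for n, vs, va in ((b".text", 0x200, 0x1000), (b".rsrc", 0x100, 0x2000)))
    headers = dos + b"\0" * (0x80 - len(dos)) + coff + opt + secs
    return b"random MZ noise " + b"\xcc" * 0x30 + headers + b"\0" * (0x2100 - len(headers)) + b"\0" * 0x100
```

On a real process dump the same validation discards the many false "MZ" hits, and the managed flag separates the .NET shell from the native image it unpacked.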
51 minutes ago, kao said:

@Etor Madiv already explained a lot, all thumbs up! :)

You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside a virtual machine, and then find the "MZ" header of the unpacked binary in memory. Takes just a few minutes with Olly and some memory dumping plugin/tool.

Oh, and based on the strings inside the unpacked malware, it's called "iSpy Keylogger".

MegaDumper failed to dump it. Do you know any other good tools that will succeed in doing the same thing?

And it is harder to use OllyDbg, because of the use of unsafe code.

...and that's why I didn't say "use MegaDumper" but suggested Olly + native dumper. ;) I can't find any ready-made tutorial for such a basic task, though.

But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place.

9 minutes ago, kao said:

...and that's why I didn't say "use MegaDumper" but suggested Olly + native dumper. ;) I can't find any ready-made tutorial for such a basic task, though.

But if someone doesn't know how to use Olly, he/she shouldn't be playing with malware in the first place.

:D 

1 hour ago, kao said:

@Etor Madiv already explained a lot, all thumbs up! :)

You don't need to unpack ConfuserEx, or do "a lot of debugging". I think that the easiest way to defeat this "protection" would be to run the application inside a virtual machine, and then find the "MZ" header of the unpacked binary in memory. Takes just a few minutes with Olly and some memory dumping plugin/tool.

Oh, and based on the strings inside the unpacked malware, it's called "iSpy Keylogger".

This is bad news for me... I would like to analyze Locky. I have to say those malware signatures (for the unpacked malware) aren't reliable...
32 minutes ago, gundamfj said:

This is bad news for me... I would like to analyze Locky. I have to say those malware signatures (for the unpacked malware) aren't reliable...

If you want to go for Locky, your best bet is to grab dem bad boys from here:

http://malc0de.com/database/

and hope that one of them is Locky

or just take a look in the malwr database! :D
