Tuts 4 You

Unpack unknown malware packed using Safengine Shielden v2.3.9.0


Etor Madiv


I found a malware sample (1) that is packed using Safengine Shielden v2.3.9.0. I'm not able to debug it because it detects that it is being debugged. After that I tried the ScyllaHide plugin for Olly2, but it is still detected.

The packer reads the files KernelBase.dll, kernel32.dll, user32.dll, msvcrt.dll, ... and puts them in random memory locations, and replaces some addresses, so it is able to use its own copies of those DLL files instead of the original ones and make debugging harder (no symbols will be available to identify system functions).

By dynamically running the file, I was able to identify that it drops a .bat file in a randomly created folder in %temp%, and I created a tool (2) to deobfuscate similar .bat files.

How can this sample be unpacked?

Is there any useful method to approach this kind of packer?

(1) Malware sample

(2) SimpleBatchDeobfuscator.zip
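Added example, not part of the original post: when calls land in a private copy of a system DLL, an analyst can recover names by converting each call target to an offset from the copy's base and looking that offset up in the export table of the genuine DLL. The sketch below assumes the copy keeps the layout of the normally mapped image (the post does not confirm this); the image bytes, function names and addresses are constructed, and `label` and `exports_by_rva` are hypothetical helper names.

```python
import struct

def build_image():
    """Constructed sample: minimal mapped PE32 image exporting two functions."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)                 # optional header magic (PE32)
    struct.pack_into("<II", img, 0x98 + 96, 0x200, 0x100)    # export data directory
    struct.pack_into("<IIIII", img, 0x214, 2, 2, 0x240, 0x250, 0x260)
    struct.pack_into("<II", img, 0x240, 0x1000, 0x1040)      # AddressOfFunctions
    struct.pack_into("<II", img, 0x250, 0x280, 0x290)        # AddressOfNames
    struct.pack_into("<HH", img, 0x260, 0, 1)                # AddressOfNameOrdinals
    img[0x280:0x28C] = b"CreateFileW\0"
    img[0x290:0x299] = b"ReadFile\0"
    return bytes(img)

def exports_by_rva(img):
    """Parse the export directory of a mapped image (RVA == offset) into {rva: name}."""
    if img[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", img, 0x3C)[0]
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24
    pe32 = struct.unpack_from("<H", img, opt)[0] == 0x10B
    dir_rva, dir_size = struct.unpack_from("<II", img, opt + (96 if pe32 else 112))
    n_names, funcs, names, ords = struct.unpack_from("<IIII", img, dir_rva + 24)
    out = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", img, names + 4 * i)[0]
        ordinal = struct.unpack_from("<H", img, ords + 2 * i)[0]
        rva = struct.unpack_from("<I", img, funcs + 4 * ordinal)[0]
        if dir_rva <= rva < dir_rva + dir_size:
            continue                                         # forwarder string, not code
        out[rva] = img[name_rva:img.index(b"\0", name_rva)].decode("ascii")
    return out

def label(addr, copy_base, copy_size, exports):
    """Name an address inside a private DLL copy by its offset from the copy base."""
    rva = addr - copy_base
    prior = [r for r in exports if r <= rva]
    if not 0 <= rva < copy_size or not prior:
        return None
    start = max(prior)
    return exports[start] if start == rva else f"{exports[start]}+0x{rva - start:x}"

EXPORTS = exports_by_rva(build_image())
```

In practice the export map would be built from the genuine DLL as mapped in a clean process, and `copy_base` and `copy_size` would come from the memory region where the copy was found.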
