Packed Malware Identification 0x02
Introduction
In this article I continue with PE analysis and show how to pull more information out of a packed sample with more than one tool, as a practical workflow for static analysis of packed samples. I also cover resource analysis of a packed sample.
Sample
We can download the sample from here.
Tools
- pestudio
- Detect it Easy (DiE)
- Resource hacker
PE File Analysis
In this section I will use the tools listed above to analyse the PE file of the sample. I open the sample in DiE and click the Sections button to get the view in the next image.

We see three sections: UPX0, UPX1 and .rsrc. UPX0 is interesting: it has a virtual size of 0x014000 bytes but a raw size of zero, so the section holds nothing on disk and its entropy is 0. This is the normal UPX layout: UPX0 is empty in the file and only reserved in memory, because the unpacking stub decompresses the original code into it at runtime.

In UPX1 the virtual size and raw size look consistent, but the entropy is 7.92, close to the maximum of 8 bits per byte. Data that uniform is almost always compressed or encrypted, so DiE classifies the section as packed.
Next I will use pestudio to extract more information from the sample, so let us open the sample in pestudio and go to Indicators.

There are indicators that refer to UPX, and pestudio also flags two sections as writable and executable. It raises this because code that writes to its own executable memory is typical of packed or self-modifying samples, not of a normal compiler-built executable, so the indicator points to malicious code in the sample.

I will move to Sections to check them, because pestudio shows different details than DiE. This is the reason to use more than one tool on a sample: practise with many tools, because each one contributes information to the static analysis of a sample.
In UPX0 the virtual size and raw size are suspicious for the reason we saw in DiE (0x014000 bytes in memory, nothing on disk), and at the end of the image you can see that the section is marked as writable, executable, self-modifying and virtualized.

In the UPX1 section the virtual size and raw size are normal, and the EntryPoint points into UPX1. An entry point outside the usual code section is an indicator that execution starts in the unpacking stub, which restores the original program before jumping to it. UPX1 is also marked as executable, writable and self-modifying.
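The checks above (raw size zero, entropy near 8, writable plus executable, which section holds the entry point) are easy to automate. The following is an added example, not code from the article or from DiE/pestudio: it parses the section table with the standard library only and prints the same indicators. The image it builds when run without an argument is constructed to mimic the layout described above and is not real UPX output.

```python
"""Added example: parse the PE section table and apply the checks the article
does by hand in DiE and pestudio. Standard library only, no pefile."""
import math
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]  # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(entropy(raw), 2),
            "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            # is the entry point RVA inside this section's memory range?
            "has_entry_point": va <= entry_rva < va + max(vsize, rsize),
        })
    return sections


def packer_indicators(sections: list) -> list:
    """Turn the section facts into the kind of indicators DiE and pestudio show."""
    findings = []
    for s in sections:
        n = s["name"]
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{n}: raw size 0, virtual size {s['virtual_size']:#x} "
                            "(memory reserved for unpacked code)")
        if s["raw_size"] > 0 and s["entropy"] >= 7.0:
            findings.append(f"{n}: entropy {s['entropy']} (compressed or encrypted data)")
        if s["writable"] and s["executable"]:
            findings.append(f"{n}: writable and executable (self-modifying code)")
        if s["has_entry_point"] and n not in (".text", "CODE"):
            findings.append(f"{n}: holds the entry point (execution starts in a stub)")
    return findings


def build_constructed_image() -> bytes:
    """Constructed minimal PE32 with the layout the article describes. It is NOT
    real UPX output; it only carries the headers this parser reads."""
    def section(name, vsize, va, rsize, rptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, chars)
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    upx1_data = bytes(range(256)) * 4  # 0x400 bytes, every byte value equally common
    rsrc_data = b"\0" * 0x200
    entry_rva = 0x15010  # inside UPX1
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)  # i386, 3 sections, PE32 opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 204
    secs = (section(b"UPX0", 0x14000, 0x1000, 0, 0, rwx)
            + section(b"UPX1", 0x400, 0x15000, 0x400, 0x200, rwx)
            + section(b".rsrc", 0x200, 0x16000, 0x200, 0x600,
                      IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers.ljust(0x200, b"\0") + upx1_data + rsrc_data


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_image()
    secs = parse_sections(image)
    for s in secs:
        print(f"{s['name']:<8} vsize={s['virtual_size']:#08x} rsize={s['raw_size']:#08x} "
              f"entropy={s['entropy']:<5} W={s['writable']} X={s['executable']} EP={s['has_entry_point']}")
    for f in packer_indicators(secs):
        print("  !", f)
```

Run it with a path to a real sample to get the same table for your own file. Note that the entropy is computed over the raw bytes on disk, so a section with raw size zero always scores 0.0 here, just as in DiE; it says nothing about what the section will contain after the stub has written to it.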
Now I will go to Imported libraries to check the libraries in this sample.

Seven libraries are imported: kernel32.dll, advapi32.dll, comctl32.dll, gdi32.dll, oleaut32.dll, shell32.dll and user32.dll. The descriptions below are adapted from the Wikipedia article listed under Reference.
- kernel32.dll: exposes to applications most of the Win32 base APIs, such as memory management, input/output (I/O) operations, process and thread creation, and synchronization functions.
- advapi32.dll: provides security calls and functions for manipulating the Windows Registry.
- comctl32.dll: implements a wide variety of standard Windows controls, such as File Open, Save, and Save As dialogs, progress bars, and list views. It calls functions from both user32.dll and gdi32.dll to create and manage the windows for these UI elements, place various graphic elements within them, and collect user input.
- gdi32.dll: the Graphics Device Interface, the low-level drawing primitives (fonts, pens, brushes, bitmaps) that user32.dll and comctl32.dll use to render windows.
- oleaut32.dll: the OLE Automation library (COM automation types such as VARIANT and BSTR, and type library support).
- shell32.dll: the Windows Shell API, including file and folder operations and launching programs and documents through the shell.
- user32.dll: implements the Windows USER component that creates and manipulates the standard elements of the Windows user interface.

Keep in mind that in a packed sample this is the packer stub's import table, not the original program's. UPX keeps the DLL names (typically with a single function from each) so that the loader maps them, and the stub resolves the original functions at runtime. The list tells you which DLLs the original program used, but not which functions it calls.
Let us do the final step, Imported symbols. We see LoadLibraryA, GetProcAddress and VirtualProtect among the 8 functions imported by this sample. These are not just strings; they are functions the sample imports, and the three together are the classic unpacking trio: the stub uses VirtualProtect to change memory protections while it writes the decompressed code, then LoadLibraryA and GetProcAddress to resolve the original program's imports by name. With that we have the information we need from the sample's headers.
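The reading of the import table above can be turned into a small triage function. This is an added example, not code from the article or from pestudio; it takes a dict of DLL name to function names (as you would copy them out of pestudio's Imported libraries and Imported symbols views) and reports the reasons that point at a packer stub. Both tables in it are constructed: the "packed" one is loosely modelled on the article's list, not copied from the sample, and the rule that a stub keeps exactly one import per DLL is a heuristic assumption.

```python
"""Added example: triage an import table for the signs of a packer stub the
article reads off pestudio. Input tables are constructed, not the sample's."""

# Constructed: loosely modelled on the article's 7 DLLs; the single placeholder
# function per DLL is an assumption about what a UPX-style stub keeps.
CONSTRUCTED_PACKED_IMPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualProtect", "ExitProcess"],
    "advapi32.dll": ["RegCloseKey"],
    "comctl32.dll": ["InitCommonControls"],
    "gdi32.dll": ["DeleteObject"],
    "oleaut32.dll": ["SysFreeString"],
    "shell32.dll": ["ShellExecuteA"],
    "user32.dll": ["MessageBoxA"],
}

# Constructed: what an ordinary (unpacked) GUI program's table looks like.
CONSTRUCTED_NORMAL_IMPORTS = {
    "kernel32.dll": ["GetProcAddress", "LoadLibraryA", "CreateFileA", "ReadFile", "WriteFile",
                     "CloseHandle", "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess",
                     "GetModuleHandleA", "GetCommandLineA", "Sleep", "CreateThread"],
    "user32.dll": ["CreateWindowExA", "DefWindowProcA", "DispatchMessageA", "GetMessageA",
                   "MessageBoxA", "RegisterClassA", "ShowWindow", "TranslateMessage"],
    "gdi32.dll": ["CreateFontA", "DeleteObject", "SelectObject", "TextOutA"],
}

DYNAMIC_RESOLUTION = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
MEMORY_PROTECTION = {"VirtualProtect", "VirtualProtectEx", "VirtualAlloc", "VirtualAllocEx",
                     "NtProtectVirtualMemory"}


def triage_imports(imports: dict) -> dict:
    """Return the reasons the table looks like a packer stub's and a verdict.

    Each reason on its own is common in benign software (GetProcAddress is
    everywhere); the verdict needs several of them to line up."""
    funcs = {f for names in imports.values() for f in names}
    total = sum(len(names) for names in imports.values())
    reasons = []
    if 0 < total < 20:
        reasons.append(f"only {total} imported functions across {len(imports)} DLLs")
    if "GetProcAddress" in funcs and funcs & DYNAMIC_RESOLUTION:
        reasons.append("LoadLibrary + GetProcAddress: remaining imports can be resolved at runtime")
    mem = sorted(funcs & MEMORY_PROTECTION)
    if mem:
        reasons.append(f"memory protection/allocation APIs present: {mem}")
    singles = [dll for dll, names in imports.items() if len(names) == 1]
    if len(imports) >= 3 and len(singles) >= len(imports) - 1:
        reasons.append(f"{len(singles)} of {len(imports)} DLLs import exactly one function "
                       "(placeholder imports that only keep the DLL loaded)")
    return {"packer_stub_likely": len(reasons) >= 3, "reasons": reasons}


if __name__ == "__main__":
    for label, table in (("packed", CONSTRUCTED_PACKED_IMPORTS),
                         ("normal", CONSTRUCTED_NORMAL_IMPORTS)):
        verdict = triage_imports(table)
        print(label, "->", verdict["packer_stub_likely"])
        for r in verdict["reasons"]:
            print("   ", r)
```

The verdict is deliberately conservative: LoadLibraryA plus GetProcAddress alone is what any program that loads plugins looks like, so the function only calls a table stub-like when the small import count, the runtime-resolution pair and the protection APIs all line up, which is exactly the combination the article found.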
Resource Analysis
I open the sample in Resource Hacker and check its icons, but I cannot extract more information from this sample. In another sample you would also see the following tabs.

The Version Info tab shows all the version information, such as the company name, file description, original file name, file version, product name and product version. This is where most of the readable strings in a sample come from, and all of it is attacker-controlled: malware commonly copies the version info of a legitimate product, so treat everything in it as suspicious and as a claim to verify, not as evidence.

The Manifest tab shows that the sample will run with the security context (access token) of the user or parent process that invoked or executed it, which also means the sample does not require a high-privilege user to run the program. In the manifest XML this is the requestedExecutionLevel element with level="asInvoker"; requireAdministrator or highestAvailable would instead trigger a UAC prompt.
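Reading the execution level out of a manifest is simple but has one trap: the elements live in several Microsoft XML namespaces (asm.v1 for the assembly root, asm.v2 or asm.v3 for trustInfo), so a naive tag match fails. The following is an added example, not code from the article or from Resource Hacker; the manifests in it are constructed, not taken from the sample.

```python
"""Added example: read requestedExecutionLevel from an embedded manifest the way
the article reads Resource Hacker's Manifest tab. Manifests are constructed."""
import xml.etree.ElementTree as ET

# Constructed: the common "runs as whoever launched it" manifest.
CONSTRUCTED_ASINVOKER = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

# Constructed: a manifest that always asks for elevation, with the asm.v2 namespace
# that older toolchains emit for trustInfo.
CONSTRUCTED_ADMIN = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="true"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""

ELEVATION_PROMPT = {
    "asInvoker": "never",
    "highestAvailable": "only if the launching user is an administrator",
    "requireAdministrator": "always",
}


def _local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def execution_level(manifest) -> dict:
    """Return level, uiAccess and what the loader/UAC will do with it."""
    data = manifest.encode("utf-8") if isinstance(manifest, str) else manifest
    root = ET.fromstring(data)
    node = next((el for el in root.iter()
                 if _local_name(el.tag) == "requestedExecutionLevel"), None)
    if node is None:
        # No trustInfo at all: Windows treats the program as asInvoker and may
        # redirect writes to protected locations (UAC file/registry virtualization).
        return {"level": "asInvoker", "ui_access": False, "elevation_prompt": "never",
                "note": "no requestedExecutionLevel; loader assumes asInvoker, "
                        "UAC virtualization may apply"}
    level = node.get("level", "asInvoker")
    ui_access = node.get("uiAccess", "false").strip().lower() == "true"
    note = ""
    if ui_access:
        # uiAccess=true lets the process drive higher-integrity windows; Windows only
        # honours it for signed binaries installed under a secure path.
        note = "uiAccess=true: only honoured for signed binaries in a secure location"
    return {"level": level, "ui_access": ui_access,
            "elevation_prompt": ELEVATION_PROMPT.get(level, "unknown level"),
            "note": note}


if __name__ == "__main__":
    for label, m in (("asInvoker", CONSTRUCTED_ASINVOKER), ("admin", CONSTRUCTED_ADMIN)):
        print(label, execution_level(m))
```

For triage, asInvoker means no UAC prompt and no elevation by itself, which matches what the article saw; it does not mean the sample cannot gain privileges later, only that it does not ask the loader for them.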
Reference
- https://en.wikipedia.org/wiki/Microsoft_Windows_library_files#KERNEL32.DLL
- https://docs.microsoft.com/en-us/windows/win32/shell/versions