In this part we will work through the code in the x32dbg debugger to unpack the Emotet malware and reach its original entry point (OEP). You should read the first part before this one, since this part builds on it.
MD5: CA06ACD3E1CAB1691A7670A5F23BAEF4
Load the Emotet binary into x32dbg and press F9 to run to the entry point. Then set a breakpoint on the jmp ecx instruction; the result is shown in the next figure.
From the previous figure, the breakpoint is set on jmp ecx. Now do the following:
- Press F9 to run until execution stops at jmp ecx.
- Press F7 to step into the jump.
The steps are shown in the next figure.
The jump lands in another function. Examining its instructions, we find three suspicious instructions at its end. The next figure shows the first instructions of the function and its suspicious tail.
From the previous figure, the function ends with these three instructions:
mov edx,dword ptr ds:[41C1B4]   ---> we will set a breakpoint here
push edx
ret
To see what these instructions do, take the following steps:
- Set a breakpoint on mov edx,dword ptr ds:[41C1B4].
- Press F9 to run to it. The previous figure shows the value of dword ptr ds:[41C1B4].
- Follow dword ptr ds:[41C1B4] in the dump to see what it points to: this looks like the unpacked section.
- Press F7.
- Follow dword ptr ds:[41C1B4] in the dump again.
From the previous figure, the value at ds:[41C1B4] is the address of the memory region allocated earlier by VirtualAlloc (seen in IDA Pro in the first part). The last two instructions use it as a transfer target:
push edx ---> edx = the value of dword ptr ds:[41C1B4], the address of the new unpacked region
ret      ---> pops that address and "returns" into the unpacked region
The result is shown in the next figure. A push/ret pair like this transfers control without a call or jmp, so the ret lands in another function inside the unpacked region. We examine that function to extract its important calls and instructions; the results are in the next figure.
From the previous figure, we can see the function's first instructions, a call 22F730 that is made many times, and the end of the function. So we examine call 22F730 to see what it does and why it is called so many times.
Examining call 22F830, we find an obfuscation technique called stack strings: the malicious strings and API names are assembled on the stack a few bytes at a time with immediate moves, so they never appear as plain strings in the binary and static analysis is slowed down. The first part of the function is shown in the next figure.
From the previous figure, the author builds the name of the LoadLibraryEx API on the stack to disguise it, then uses that API to load a module.
The second part of the stack strings is shown in the next figure.
From the previous figure, the author builds kernel32.dll the same way and pushes kernel32.dll as a parameter to call 22FE10. Executing onward and following the code, we arrive at call 22FF70; press F7 to step into it, with the results in the next figure.
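Stack strings are tedious to read off a listing by hand but easy to undo mechanically. The script below is an added example written for this post, not code from the original article or from the Emotet sample: it parses x32dbg-style disassembly lines, collects every immediate byte, word or dword store into the stack frame, lays the bytes out by frame offset and returns each printable NUL-terminated run. The listing it runs on is constructed for the demo with made-up addresses; only the string bytes mirror what the figures show, and the spelling LoadLibraryExA (the ANSI export name) is an assumption.

```python
import re

# Immediate stores into the stack frame as x32dbg prints them, e.g.
#   mov dword ptr ss:[ebp-14],6E72656B
#   mov byte ptr ss:[esp+1C],0
STORE_RE = re.compile(
    r"mov\s+(byte|word|dword)\s+ptr\s+(?:ss:)?\[(ebp|esp)([+-])([0-9A-F]+)\]\s*,\s*([0-9A-F]+)",
    re.IGNORECASE,
)
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def collect_frame_writes(disasm_lines):
    """Map (base register, signed frame offset) -> little-endian bytes stored there."""
    writes = {}
    for line in disasm_lines:
        m = STORE_RE.search(line)
        if not m:
            continue
        width, base, sign, off_hex, imm_hex = m.groups()
        size = WIDTH[width.lower()]
        offset = int(off_hex, 16) * (-1 if sign == "-" else 1)
        imm = int(imm_hex, 16) & ((1 << (8 * size)) - 1)   # clip to operand width
        writes[(base.lower(), offset)] = imm.to_bytes(size, "little")
    return writes


def _emit_strings(found, base, start, run, min_len):
    """Split one contiguous run on NUL terminators and keep the printable pieces."""
    pos = 0
    for piece in run.split(b"\0"):
        if len(piece) >= min_len and all(0x20 <= c < 0x7F for c in piece):
            found.append((base, start + pos, piece.decode("ascii")))
        pos += len(piece) + 1


def reconstruct_stack_strings(disasm_lines, min_len=4):
    """Return [(base, start_offset, text)] for every printable string built on the stack."""
    frames = {}                      # base register -> {frame offset: byte value}
    for (base, offset), data in collect_frame_writes(disasm_lines).items():
        frame = frames.setdefault(base, {})
        for i, b in enumerate(data):
            frame[offset + i] = b
    found = []
    for base, frame in frames.items():
        run, start, prev = bytearray(), None, None
        for off in sorted(frame):
            if prev is not None and off != prev + 1:   # a gap in offsets ends a run
                _emit_strings(found, base, start, run, min_len)
                run, start = bytearray(), None
            if start is None:
                start = off
            run.append(frame[off])
            prev = off
        _emit_strings(found, base, start, run, min_len)
    return found


# Constructed x32dbg-style listing for the demo; addresses and surrounding
# instructions are made up, not taken from the Emotet sample.
SAMPLE_DISASM = """\
0022F840 | push ebp
0022F841 | mov ebp,esp
0022F843 | sub esp,30
0022F846 | mov dword ptr ss:[ebp-24],64616F4C
0022F84D | mov dword ptr ss:[ebp-20],7262694C
0022F854 | mov dword ptr ss:[ebp-1C],45797261
0022F85B | mov word ptr ss:[ebp-18],4178
0022F861 | mov byte ptr ss:[ebp-16],0
0022F865 | mov dword ptr ss:[ebp-10],6E72656B
0022F86C | mov dword ptr ss:[ebp-C],32336C65
0022F873 | mov dword ptr ss:[ebp-8],6C6C642E
0022F87A | mov byte ptr ss:[ebp-4],0
0022F87E | lea eax,dword ptr ss:[ebp-10]
0022F881 | push eax
""".splitlines()

if __name__ == "__main__":
    for base, off, text in reconstruct_stack_strings(SAMPLE_DISASM):
        print(f"[{base}{off:+#x}] {text!r}")
```

To use it on the real function, copy the listing of the function out of x32dbg into a text file and pass its lines to reconstruct_stack_strings; the returned frame offsets tell you which local buffer is later passed to the loader call, which is what you then follow in the dump.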
Call with VirtualAlloc
Stepping into the function with F7 and executing up to call ebx, we find that the malware calls the VirtualAlloc API to allocate a region of memory and unpack itself into it.
From the previous figure, we can see the call to VirtualAlloc and the parameters it takes:
LPVOID VirtualAlloc(
    LPVOID lpAddress,
    SIZE_T dwSize,
    DWORD  flAllocationType,
    DWORD  flProtect
);
- lpAddress :- The starting address of the region to allocate; NULL lets the system choose it.
- dwSize :- The size of the region in bytes.
- flAllocationType :- The type of allocation (MEM_RESERVE, MEM_COMMIT, or both combined).
- flProtect :- The memory protection for the pages, which is what grants read, write and execute permission. An unpacker typically asks for PAGE_EXECUTE_READWRITE (0x40) so it can both write the unpacked code into the region and run it there.
Press F7 to execute the API (VirtualAlloc) and follow the EAX register in the dump: VirtualAlloc succeeded, and EAX holds the base address of the newly allocated region.
A few instructions later, call 22FBC0 writes the unpacked malware into that region; the results are in the next figure.
Continuing with F8, we reach a loop that copies the section into the memory region. We execute the code until the function returns; the results are in the next figure.
Then press F8 to reach the OEP. The unpacking is finished; next we dump the unpacked malware and extract it, as shown in the next figure.
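Once the region has been saved from the dump window to disk, locating and extracting the unpacked PE can be automated. The following is an added example written for this post, not the author's tooling and not Emotet's code: it finds MZ headers whose e_lfanew really lands on a PE signature, parses the headers to get the entry point and section table, and carves the image either as it lies in file layout or, when a copy loop has placed the sections at their virtual addresses, by folding the mapped image back into file layout so the output loads in IDA or pefile. It runs against a small constructed PE32 built inline (a stand-in for the real unpacked image); all function names, offsets and the sample's layout are assumptions for the demo.

```python
import struct

SECTION_FMT = "<8sIIII"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
SECTION_SIZE = 40


def find_pe_headers(region):
    """Offsets of every 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature."""
    hits, pos = [], region.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(region):
            e_lfanew = struct.unpack_from("<I", region, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and pe + 24 <= len(region) \
                    and region[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = region.find(b"MZ", pos + 1)
    return hits


def parse_pe(region, base):
    """Read the headers of the PE at region[base:] (PE32 or PE32+)."""
    pe = base + struct.unpack_from("<I", region, base + 0x3C)[0]
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", region, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", region, opt)[0]
    entry = struct.unpack_from("<I", region, opt + 16)[0]        # AddressOfEntryPoint (RVA)
    if magic == 0x20B:                                           # PE32+: 8-byte ImageBase
        image_base = struct.unpack_from("<Q", region, opt + 24)[0]
    else:                                                        # PE32: BaseOfData precedes it
        image_base = struct.unpack_from("<I", region, opt + 28)[0]
    size_of_image, size_of_headers = struct.unpack_from("<II", region, opt + 56)
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            SECTION_FMT, region, opt + opt_size + SECTION_SIZE * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "rawsize": rawsize, "rawptr": rawptr})
    file_size = max([size_of_headers] + [s["rawptr"] + s["rawsize"] for s in sections])
    return {"machine": machine, "entry": entry, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "file_size": file_size, "sections": sections}


def carve_file_layout(region, base):
    """Dump when the region holds the PE exactly as it would sit on disk."""
    return bytes(region[base:base + parse_pe(region, base)["file_size"]])


def carve_mapped_image(region, base):
    """Dump when sections sit at their virtual addresses; rebuild the file layout."""
    info = parse_pe(region, base)
    out = bytearray(info["file_size"])
    out[:info["size_of_headers"]] = region[base:base + info["size_of_headers"]]
    for s in info["sections"]:
        n = min(s["rawsize"], s["vsize"])
        out[s["rawptr"]:s["rawptr"] + n] = region[base + s["va"]:base + s["va"] + n]
    return bytes(out)


def map_image(pe_file):
    """Lay a file-layout PE out the way the loader (or a section copy loop) would."""
    info = parse_pe(pe_file, 0)
    img = bytearray(info["size_of_image"])
    img[:info["size_of_headers"]] = pe_file[:info["size_of_headers"]]
    for s in info["sections"]:
        img[s["va"]:s["va"] + s["rawsize"]] = pe_file[s["rawptr"]:s["rawptr"] + s["rawsize"]]
    return bytes(img)


def build_sample_pe():
    """Constructed PE32 with two sections; a stand-in for the unpacked image, not Emotet."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)    # i386, 2 sections
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)                  # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                  # SizeOfImage, SizeOfHeaders
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    img = bytearray(0x500)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    img[:len(hdr)] = hdr
    img[0x200:0x400] = b"\xCC" * 0x200                              # fake .text
    img[0x400:0x500] = b"A" * 0x100                                  # fake .data
    return bytes(img)


SAMPLE_PE = build_sample_pe()
# Constructed region dumps: a decoy "MZ" with a bogus e_lfanew, then the real image
REGION_FILE = b"MZ" + b"\x90" * 0x121 + SAMPLE_PE + b"\0" * 0x80
REGION_MAPPED = b"\0" * 0x10 + map_image(SAMPLE_PE)

if __name__ == "__main__":
    for region, kind in ((REGION_FILE, "file layout"), (REGION_MAPPED, "mapped")):
        for base in find_pe_headers(region):
            info = parse_pe(region, base)
            print(f"{kind}: PE at +{base:#x}, OEP {info['image_base'] + info['entry']:#x}, "
                  f"sections {[s['name'] for s in info['sections']]}")
```

Which carving function to use depends on how the unpacker filled the region: if the section copy loop placed each section at its VirtualAddress (the region looks like a loaded module), use carve_mapped_image; if it wrote the file byte-for-byte, carve_file_layout is enough. ImageBase plus AddressOfEntryPoint from the carved headers is the OEP you expect to stop at in the debugger, which is a quick check that the dump is the right image.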