Packed Malware Identification 0x01
Introduction
I am happy to write about unpacking malware. Unpacking is a core concept that every malware analyst must deal with: the malicious code has to be extracted from the packed sample before it can be analysed. In this article I will discuss identifying and unpacking packed malware with several tools.
Sample
We can download the sample from here.
Tools
- Exeinfo PE
- pestudio
- Detect it Easy (DiE)
Packer Identification
In this section I will show how to identify packed malware. First I load the sample in Exeinfo PE and look at the results.
- Exeinfo PE reports that the sample has something to do with UPX.
- UPX (Ultimate Packer for Executables) is an open-source executable packer supporting a number of file formats from different operating systems.
Next I load the sample in pestudio, an excellent tool used by malware analysts for static analysis; it has many options that help an analyst do a thorough initial analysis. When the sample is opened in pestudio, the main window shows the "signature" property with the value UPX. This is a second indicator that the sample has something to do with UPX.
The last tool is Detect it Easy (DiE). Loading the sample into it gives the following results:
- the sample uses the UPX packer
- the compiler is Borland Delphi
- the linker is Turbo Linker
Clicking the ">" button shows the same details. Click close to return to the main window, then click Signatures to show the signature that DiE used to detect that the sample is packed with UPX.
Close that window and do the last step, checking the entropy. DiE shows that section (1) [UPX1] is packed because it has a high entropy of 6.84995, an important indicator that the section is packed or compressed. At the top of the window DiE reports that the file is packed at a rate of 95%.
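As an added example (not part of the original article and not code from any of the tools above), the script below reproduces the two DiE indicators discussed in this section, UPX section names and per-section Shannon entropy, by walking the PE section table of a constructed minimal executable that stands in for the sample; the 6.5 bits-per-byte threshold, the sample builder and the section-table walk are my assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # names UPX leaves behind; assumed list


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(data: bytes):
    """Walk the PE header and yield (section name, raw section bytes) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    first = pe + 24 + struct.unpack_from("<H", data, pe + 20)[0]       # table follows optional header
    for i in range(n_sections):                                        # 40-byte IMAGE_SECTION_HEADERs
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        yield name.rstrip(b"\0"), data[raw_ptr:raw_ptr + raw_size]


def packing_indicators(data: bytes, threshold: float = 6.5) -> dict:
    """Flag UPX section names and high-entropy sections (threshold is an assumed cut-off)."""
    report = {"upx_names": [], "high_entropy": {}}
    for name, raw in pe_sections(data):
        if name in UPX_SECTION_NAMES:
            report["upx_names"].append(name.decode())
        entropy = shannon_entropy(raw)
        if entropy > threshold:
            report["high_entropy"][name.decode()] = round(entropy, 5)
    report["likely_packed"] = bool(report["upx_names"] or report["high_entropy"])
    return report


def build_sample_pe() -> bytes:
    """Constructed stand-in (not the article's sample): empty UPX0 plus a 4 KiB UPX1 of pseudo-random bytes."""
    payload, chunk = b"", b"constructed seed"
    while len(payload) < 4096:                          # sha256 chain: deterministic yet high entropy
        chunk = hashlib.sha256(chunk).digest()
        payload += chunk
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # DOS stub with e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # 2 sections, no optional header
    sec = lambda name, size, ptr: struct.pack("<8sIIIIIIHHI", name, size, 0x1000, size, ptr, 0, 0, 0, 0, 0)
    hdr = dos + coff + sec(b"UPX0", 0, 0) + sec(b"UPX1", len(payload), 0x200)
    return hdr.ljust(0x200, b"\0") + payload
```

Running `packing_indicators(build_sample_pe())` reports both UPX names and a near-8.0 entropy for UPX1 only, mirroring what DiE showed for the real sample.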
Strings Extraction
In this section I will extract strings from the packed malware. Bintext can be used for this, but this time I will use pestudio: load the sample in pestudio and go to strings from the main window.
Some of the most important strings are UPX0, UPX1, VirtualProtect, Kernel32.Dll and SHfileoperation. From the extracted strings we can determine the following:
- The sample imports four libraries: Kernel32.dll, User32.dll, Shell32.dll and comctl32.dll.
- From those libraries the sample points to four functions, including:
GetProcAddress → Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
LoadLibrary → Loads the specified module into the address space of the calling process. Note: other modules may be loaded too.
VirtualProtect → Changes the protection on a region of committed pages in the virtual address space of the calling process.
- The string DECRYPT FILE.TEXT is an indicator that the sample encrypts files (ransomware), and a few other strings also tell us we are dealing with ransomware.
Taken together, the information above suggests that this sample is packed. It uses LoadLibrary to load a library it needs so that it can call functions from it; once the library is loaded, GetProcAddress is called to resolve those functions. VirtualProtect is used to change the protection of a memory region, for example so that a region that was read/write becomes read/execute and the code placed in it can run.