I am happy to write about unpacking malware. Unpacking is an important concept that every malware analyst must deal with in order to extract the malicious code from a packed sample and perform the analysis. In this article I will discuss unpacking malware and the tools used to analyze packed samples.
We can download the sample from here
- Exeinfo PE
- Detect it Easy (DiE)
In this section I will show how to identify packed malware. First I load the sample in the Exeinfo PE tool and look at the results.
- we see that the sample does something with
- UPX (Ultimate Packer for Executables) is an open-source executable packer supporting a number of file formats from different operating systems.
Next I will load the sample in pestudio, an excellent tool used by malware analysts for static analysis; it has many options that help the analyst perform a good initial analysis. When we open the sample in pestudio, the main window shows the property signature with the value UPX. This is another indicator, and it tells us that the sample does something
In the last tool, Detect it Easy (DiE), I will load the sample and we can see the results.
- The sample is using the packer
- The compiler is called
- The linker is called
If you click the > button, you will get the same details as before.
Now click Close to go back to the main window, then click Signatures to show the signature that DiE uses to detect that the sample is packed with
Let us close the window and do the last step, which is checking the entropy. DiE shows that section (1) [UPX1] is packed, as it has a high entropy of 6.84995, which is an important indicator that the section is compressed, and at the top of the window we see that the file is packed at the rate of
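The entropy check DiE performs can be reproduced by hand: compute the Shannon entropy (bits per byte) of each section's raw data and flag sections that sit close to the 8.0 maximum, which is what compressed or encrypted data looks like. The following is an added example, not code from the article or from DiE; it parses the PE section table with `struct`, and the sample PE it checks is constructed in memory with a UPX-style section layout (the `build_test_pe` helper, the 7.0 threshold and the section contents are all assumptions, so the numbers will not match the 6.84995 reported for the real sample).

```python
import hashlib
import math
import struct
from collections import Counter

# Assumed threshold: compressed/encrypted sections normally sit above ~7.0 bits per byte.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes):
    """Walk the PE section table and return [(section_name, entropy_of_raw_data)]."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)    # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section table follows the optional header
    out = []
    for i in range(n_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]   # empty for UPX0-style sections with no raw data
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), shannon_entropy(raw)))
    return out


def flag_packed_sections(pe: bytes, threshold: float = PACKED_THRESHOLD):
    """Names of sections whose raw data looks compressed or encrypted."""
    return [name for name, h in section_entropies(pe) if h >= threshold]


def _align(x: int, a: int) -> int:
    return (x + a - 1) // a * a


def build_test_pe(sections, file_align: int = 0x200) -> bytes:
    """Constructed minimal PE32 image (zeroed optional header) used only to exercise the parser."""
    e_lfanew, opt_size = 0x40, 0xE0
    raw_start = _align(e_lfanew + 24 + opt_size + 40 * len(sections), file_align)
    raw_ptr, va, table, blobs = raw_start, 0x1000, b"", b""
    for name, data in sections:
        raw_size = _align(len(data), file_align)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000020)
        blobs += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(len(data), 1), 0x1000)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    header = dos + coff + bytes(opt_size) + table
    return header.ljust(raw_start, b"\0") + blobs


# Constructed sample: UPX0 carries no raw data, UPX1 holds pseudo-random (compressed-looking)
# bytes derived from SHA-256 digests, .rsrc holds plain text.
_PSEUDO_RANDOM = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
_PLAIN_TEXT = (b"This program cannot be run in DOS mode.\r\n" * 50)[:2048]
SAMPLE_PE = build_test_pe([("UPX0", b""), ("UPX1", _PSEUDO_RANDOM), (".rsrc", _PLAIN_TEXT)])

if __name__ == "__main__":
    for name, h in section_entropies(SAMPLE_PE):
        print(f"{name:8s} entropy={h:.5f}")
    print("packed sections:", flag_packed_sections(SAMPLE_PE))
```

Entropy alone is a hint, not proof: a section full of real compressed resources (icons, embedded archives) scores just as high, so the check is best read together with the section names and the signature hits from Exeinfo PE, pestudio and DiE.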
In this section I will show how to extract strings from packed malware. Bintext can be used for this, but this time I will use pestudio to extract the strings from the sample, so let us load the sample in pestudio and from the main window go to strings.
Some of the most important strings are
SHFileOperation. From the extracted strings, we can determine the following:
- The sample imports four libraries
- From those libraries the sample references 4 functions:
GetProcAddress→ Retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).
LoadLibrary→ Loads the specified module into the address space of the calling process. Note: other modules may be loaded too.
VirtualProtect→ Changes the protection on a region of committed pages in the virtual address space of the calling process.
DECRYPT FILE.TEXT is an indicator that the sample encrypts files (ransomware), and a few strings tell us that we are dealing with
To summarize, the information above could mean that this sample is packed: it uses LoadLibrary to load a library the sample needs so that it can call functions from it, and after the library is loaded, GetProcAddress is called to resolve the functions the sample needs from that library. VirtualProtect is used to change the protection of a memory region, for example changing a region from read/write to read/execute so that the code placed there can be executed.
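To make the strings step concrete, the following added example (not code from the article, pestudio or Bintext) implements a small strings extractor for both ASCII and UTF-16LE text, then maps the result onto the indicators discussed above: the imported DLL names, the LoadLibrary/GetProcAddress/VirtualProtect triad that an unpacking stub needs to resolve APIs and make unpacked memory executable, and ransom-note keywords. The input bytes are constructed inline, and the 5-character minimum length and the `RANSOM_HINTS` keyword list are assumptions.

```python
import re

# Constructed stand-in for a sample's raw bytes: a DLL name, a few API names, a wide
# (UTF-16LE) ransom-note string, and filler bytes that must not be reported as strings.
SAMPLE_BYTES = (
    b"\x00\x01\x02\x03" + b"KERNEL32.dll\x00" + b"LoadLibraryA\x00" + b"GetProcAddress\x00"
    + b"VirtualProtect\x00" + b"\xfe\xfa\x00\x00" + b"SHFileOperationW\x00\x00"
    + "DECRYPT FILE.TEXT".encode("utf-16-le") + b"\x00\x00" + b"ab\x01cd\x02"
)

# Indicators from the triage above: APIs an unpacking stub uses to resolve imports at
# runtime and change page protections, plus assumed ransom-note keywords.
UNPACK_TRIAD = ("LoadLibrary", "GetProcAddress", "VirtualProtect")
RANSOM_HINTS = ("DECRYPT", "ENCRYPT", "RANSOM")


def extract_strings(data: bytes, min_len: int = 5):
    """Return printable ASCII and UTF-16LE strings of at least min_len chars, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    hits.sort()                       # keep the order in which the strings appear in the file
    return [s for _offset, s in hits]


def assess_strings(strings):
    """Map extracted strings onto the indicators a static triage would note."""
    # startswith() catches the A/W variants (LoadLibraryA, LoadLibraryW) as well as the bare name.
    triad = {api: any(s.startswith(api) for s in strings) for api in UNPACK_TRIAD}
    dlls = sorted({s for s in strings if s.lower().endswith(".dll")})
    ransom = [s for s in strings if any(hint in s.upper() for hint in RANSOM_HINTS)]
    return {
        "imported_dlls": dlls,
        "unpacking_apis": triad,
        "likely_runtime_resolution": all(triad.values()),
        "ransomware_hints": ransom,
    }


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BYTES)
    for s in found:
        print(s)
    print(assess_strings(found))
```

On a real UPX-packed file the visible import table is tiny, which is exactly why these three names stand out: the unpacking stub loads what it needs at runtime, so the full import list only becomes visible after unpacking or in a memory dump.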