Packed Malware Identification 0x03
Introduction
I am happy to write this article, which describes the process of unpacking the Maze sample; we know from part 1 and part 2 that this sample is packed. I will unpack the Maze ransomware sample in two ways: first with a GUI, and second with the CLI.
Sample
We can download the sample from here.
Tools
Unpacking
Unpacking in GUI
I will open the sample in CFF Explorer and go to the Section Headers tab.
In the previous image we can see both UPX0 and UPX1 sections. Now I will move to UPX Utility, which can be found at the end of the list of tabs, to unpack the Maze ransomware sample.
I will enable "Check if the Portable Executable is already Packed" and click the Unpack button. Make sure that option is enabled, since it checks whether the PE sample is actually packed before unpacking. After clicking the button you can see the results, which indicate that the sample was unpacked successfully.
Now I will go back to the Section Headers tab, where you can see the section details after unpacking the Maze ransomware sample.
Go to File -> Save and save the sample as Maze_dump.exe. Now I will move on to the second way of unpacking the same sample with a different technique.
Unpacking with CLI
Now I will use the CLI to unpack the malware. As we are dealing with a sample packed with UPX, you can copy the UPX tool into the same directory as the sample to make the unpacking process easier, then run upx.exe without arguments to see the help menu.
From the help menu I will use the -d switch (decompress) together with the -o switch, so that I do not modify the sample itself: with these switches UPX writes the result to a new copy, which I name UnpackedMaz.exe.
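The "is it packed?" check that CFF Explorer's UPX Utility and upx.exe perform starts with the section table shown above. As an added example (not code from the original post or from CFF Explorer/UPX), the following script parses the PE section headers of a file and reports the UPX indicators discussed in this series: the UPX0/UPX1 section names and a UPX0 section with no raw data on disk. The `build_pe` helper constructs a minimal PE header in memory so the check can be exercised without the real sample; pass the bytes of Maze_dump.exe or UnpackedMaz.exe to `upx_indicators` to check a real file.

```python
import struct

def pe_sections(data: bytes) -> list[tuple[str, int]]:
    """Return (name, SizeOfRawData) for each section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # COFF file header follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size = struct.unpack_from("<I", data, off + 16)[0]
        sections.append((name, raw_size))
    return sections

def upx_indicators(data: bytes) -> dict:
    """Heuristic UPX check: default section names plus an empty-on-disk UPX0.
    Section names can be renamed, so treat this as an indicator, not proof."""
    secs = dict(pe_sections(data))
    return {
        "upx_sections": "UPX0" in secs and "UPX1" in secs,
        "upx0_no_raw_data": secs.get("UPX0") == 0,
    }

def build_pe(sections: list[tuple[bytes, int, int]]) -> bytes:
    """Constructed minimal PE header (DOS stub, COFF header, section table only).
    It is not runnable; it exists only to exercise the parser offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b""
    for name, vsize, raw in sections:
        table += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", vsize, 0x1000, raw, 0x400, 0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + table

if __name__ == "__main__":
    # Constructed sample: the section layout a UPX-packed sample shows in CFF Explorer
    packed = build_pe([(b"UPX0", 0x20000, 0), (b"UPX1", 0x8000, 0x7E00), (b".rsrc", 0x1000, 0x800)])
    print(pe_sections(packed), upx_indicators(packed))
```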
That is all for my article today; wait for me in the next article.