Packed Malware Identification 0x03

2 minute read

Introduction

I am happy to write this article, which describes the process of unpacking the Maze sample. We know from part 1 and part 2 that this sample is packed. Here I will unpack the Maze ransomware sample in two ways: first with a GUI tool, and second from the command line.

Sample

We can download the sample from here.

Tools

  1. CFF Explorer
  2. UPX tool

Unpacking

Unpacking in the GUI

I will open the sample in CFF Explorer and go to the Section Headers tab.

In the previous image we see both UPX0 and UPX1, the section names the UPX packer writes, which is a strong indicator of UPX packing. Now I will move to UPX Utility, which can be found at the end of the tab list.

To unpack the Maze ransomware sample I will enable "Check if the Portable Executable is already Packed" and click the Unpack button.

Confirm that the checkbox is enabled so the tool first checks whether the PE sample is actually packed, then click the Unpack button. The result shown after clicking is the indicator that the sample was unpacked successfully.

Now I will go back to the Section Headers tab, where you can see the section details after unpacking the Maze ransomware sample.

Go to File -> Save and save the sample as Maze_dump.exe. Now I will move to the second way of unpacking the same sample with a different technique.

Unpacking with the CLI

Now I will use the CLI to unpack the malware. Since we are dealing with a sample packed with UPX, you can copy the UPX tool into the same directory as the sample to make the unpacking process easier, and run upx.exe with no arguments to see the help menu.

From the help menu I will use the -d switch (decompress) together with the -o switch (output file), so I do not modify the sample itself: these switches write the result to a copy named UnpackedMaz.exe and leave the original file untouched.
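The two steps above (looking for UPX0/UPX1 in the section headers, then running upx -d -o) can be automated. The script below is an added example and is not code from the original article, CFF Explorer or the UPX project: it parses the PE section table directly from the DOS/COFF headers, flags UPX-named sections, and builds the same upx command shown above. The minimal PE bytes it constructs for the demo (headers only, no code) and the file names are assumptions made for the example; the real Maze sample would be passed in as the path instead.

```python
import shutil
import struct
import subprocess


def pe_section_names(data: bytes) -> list[str]:
    """Return the section names from a PE image (what CFF Explorer's
    Section Headers tab lists), parsed from the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    # e_lfanew (offset of the PE signature) lives at 0x3C in the DOS header
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    # The section table follows the 20-byte COFF header and the optional header
    table = coff + 20 + size_of_optional
    names = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]  # 40-byte entries, 8-byte name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(section_names: list[str]) -> bool:
    """UPX leaves its own section names (UPX0, UPX1, ...) behind."""
    return any(name.upper().startswith("UPX") for name in section_names)


def upx_unpack_command(sample: str, output: str) -> list[str]:
    """Same invocation as in the article: -d decompresses, -o keeps the
    original file untouched by writing to a new copy."""
    return ["upx", "-d", "-o", output, sample]


def unpack_if_upx(sample_path: str, output_path: str) -> bool:
    """Run upx -d only when the section names indicate UPX packing and
    the upx binary is on PATH. Returns True if unpacking ran successfully."""
    with open(sample_path, "rb") as fh:
        names = pe_section_names(fh.read())
    if not looks_upx_packed(names):
        return False
    if shutil.which("upx") is None:
        return False
    result = subprocess.run(upx_unpack_command(sample_path, output_path),
                            capture_output=True)
    return result.returncode == 0


def build_demo_pe(section_names: list[str]) -> bytes:
    """Constructed, headers-only PE used to exercise the parser offline.
    It is not a real executable and contains no code."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 for the demo), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32
                     for n in section_names)
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    demo = build_demo_pe(["UPX0", "UPX1", ".rsrc"])
    names = pe_section_names(demo)
    print("sections:", names)
    print("UPX packed:", looks_upx_packed(names))
    print("command:", " ".join(upx_unpack_command("Maze.exe", "UnpackedMaz.exe")))
```

The parser reads only the COFF header and section table, so it works on a packed sample without executing anything; a real analysis would use the sample path with unpack_if_upx, which refuses to run upx when the UPX section names are absent.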

That concludes today's article; see you in the next one.