I am happy to write this article, which describes the process of unpacking the Maze sample. We know from part 1 and part 2 that this sample is packed, so here I will unpack the Maze ransomware sample in two ways: the first with a GUI tool and the second with the CLI.
We can download the sample from here
unpacking in GUI
I will open the sample in CFF Explorer and go to the Section Headers tab.
In the previous image, we see both the UPX0 and UPX1 section names, which is the signature of a UPX-packed binary. Now I will move to the UPX Utility tab, which can be found at the end of the list of tabs.
To unpack the Maze ransomware sample I will enable the "Check if the Portable Executable is already Packed" option (you must confirm that this box is checked; it tests whether the PE sample is already packed or not) and then click the Unpack button. The results shown after clicking the button are an indicator that the sample was unpacked successfully.
Now I will go back to the Section Headers tab, where you can see the section details after unpacking the Maze ransomware sample.
Save the sample as Maze_dump.exe. Now I will move to the next way of unpacking the same sample with a different technique.
unpacking with CLI
Now I will use the CLI to unpack the malware. Since we are dealing with a sample packed with UPX, you can copy the UPX tool into the same directory as the sample to make the unpacking process easier, then run upx.exe with no arguments to see the help menu, which lists the available switches.
From the help menu I will use the -d switch (decompress) together with the -o switch (write the output to a separate file), so I do not modify the sample itself; instead I create a copy of the result with the name
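To show what the "already packed" check in the GUI and the -d / -o switches in the CLI actually do, here is an added Python example (not code from the original article or from the UPX or CFF Explorer projects). It walks the PE section table by hand, reports the UPX indicators a packed sample exposes (UPX0/UPX1 section names, a UPX0 section with no raw data, the "UPX!" magic), and then, only if a upx binary is on the PATH, runs the same upx -d -o command described above against a file. The PE bytes it is run against are a constructed stub built inline so the script works offline; the function and variable names are my own.

```python
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

SECTION_HDR_SIZE = 40  # IMAGE_SECTION_HEADER is always 40 bytes


def parse_sections(data: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    n_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(n_sections):
        off = table + i * SECTION_HDR_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name, "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": chars})
    return sections


def upx_indicators(data: bytes) -> Dict:
    """Same question the CFF Explorer checkbox asks: is this PE UPX-packed?"""
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    upx_names = [n for n in names if n.upper().startswith("UPX")]
    reasons = []
    if upx_names:
        reasons.append("section names " + ", ".join(upx_names))
    if any(s["name"] == "UPX0" and s["raw_size"] == 0 for s in sections):
        reasons.append("UPX0 has SizeOfRawData 0 (it only exists as the unpack destination)")
    if b"UPX!" in data:
        reasons.append("'UPX!' magic present in the file")
    return {"packed": bool(upx_names), "sections": names, "reasons": reasons}


def unpack_with_upx(src: Path, dst: Path) -> Optional[Path]:
    """Run `upx -d -o dst src` (the CLI route): -d decompresses, -o keeps the original untouched.
    Returns dst on success, None if upx is not installed or refuses the file."""
    upx = shutil.which("upx") or shutil.which("upx.exe")
    if upx is None:
        return None
    result = subprocess.run([upx, "-d", "-o", str(dst), str(src)], capture_output=True, text=True)
    return dst if result.returncode == 0 else None


def build_fake_upx_pe() -> bytes:
    """Constructed stub (not a real sample): DOS header, PE sig, COFF header,
    zeroed PE32 optional header, and the three section headers a UPX-packed file shows."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    opt = bytes(0xE0)

    def sec(name, vsize, vaddr, raw_size, raw_ptr, chars):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, raw_size, raw_ptr,
                                                  0, 0, 0, 0, chars)

    sections = (sec(b"UPX0", 0x10000, 0x1000, 0, 0x400, 0xE0000080)
                + sec(b"UPX1", 0x5000, 0x11000, 0x4800, 0x400, 0xE0000040)
                + sec(b".rsrc", 0x1000, 0x16000, 0x800, 0x4C00, 0xC0000040))
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + b"UPX!"


if __name__ == "__main__":
    blob = build_fake_upx_pe()
    print(upx_indicators(blob))
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "sample.exe"
        src.write_bytes(blob)
        # The stub has no real UPX stub/payload, so a real upx will refuse it; on an
        # actual packed sample this is exactly `upx -d -o Maze_dump.exe sample.exe`.
        print("unpacked to:", unpack_with_upx(src, Path(tmp) / "Maze_dump.exe"))
```

One caveat worth keeping in mind: both the GUI check and this script rely on the default UPX section names and magic. A sample whose packer stub was modified to rename UPX0/UPX1 or strip "UPX!" will show as "not packed" here and upx -d will refuse it, which is when you fall back to dumping the process from memory instead.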
That is all for this article; wait for me in the next one.