
Published on November 17th, 2017 | 6543 Views


Fast Malware Unpacking With CryptDecrypt and RtlDecompressBuffer




Open Analysis Live! We demonstrate a quick trick to unpack malware that uses CryptDecrypt or RtlDecompressBuffer. Packers that rely on these APIs can be unpacked in less than a minute with a few simple breakpoints!

IDA memdump script:
https://gist.github.com/herrcore/d023f3ab01b2091af3667d8d3f66e6db
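The breakpoint trick leaves you with a dumped output buffer; the last step is finding the PE inside it and cutting it out at the right size. The following Python helper is an added example (not code from the video or the memdump gist): it scans a dump for valid PE headers, computes each image's on-disk size from its section table, and skips stray "MZ" bytes. The sample dump is constructed inline, and the payload is assumed to be in file layout (not yet mapped), which is how it sits in the buffer when CryptDecrypt or RtlDecompressBuffer returns.

```python
# Added example, not code from the OALabs video or its memdump gist.
# After CryptDecrypt / RtlDecompressBuffer returns and the output buffer is dumped,
# locate the PE image(s) in the dump and size each from its section table.
import struct

def pe_size_at(buf, off):
    """On-disk size of a file-layout PE starting at buf[off:], or None if invalid."""
    u16 = lambda o: struct.unpack_from("<H", buf, o)[0]
    u32 = lambda o: struct.unpack_from("<I", buf, o)[0]
    try:
        if buf[off:off + 2] != b"MZ":
            return None
        pe = off + u32(off + 0x3C)                 # e_lfanew -> "PE\0\0"
        if buf[pe:pe + 4] != b"PE\0\0":
            return None
        nsec, optsize = u16(pe + 6), u16(pe + 20)  # NumberOfSections, SizeOfOptionalHeader
        end = u32(pe + 24 + 60)                    # SizeOfHeaders (same offset in PE32/PE32+)
        sec = pe + 24 + optsize                    # first IMAGE_SECTION_HEADER
        for i in range(nsec):                      # file ends at the last raw section byte
            raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * 40 + 16)
            end = max(end, raw_ptr + raw_size)
    except struct.error:                           # header runs past the end of the dump
        return None
    return end if 0 < end <= len(buf) - off else None

def carve_pes(buf):
    """Return [(offset, size), ...] for every valid PE found in the dump."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        size = pe_size_at(buf, pos)
        if size:
            found.append((pos, size))
            pos = buf.find(b"MZ", pos + size)      # skip over the image just carved
        else:
            pos = buf.find(b"MZ", pos + 1)         # stray "MZ" bytes are not a PE
    return found

def build_sample_dump():
    """Constructed input: junk, a decoy 'MZ', a tiny two-section PE32, trailing junk."""
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0); opt[0:2] = b"\x0B\x01"; opt[60:64] = struct.pack("<I", 0x200)
    secs = b"".join(n.ljust(8, b"\0") + struct.pack("<IIII", 0x100, va, 0x200, ptr) + bytes(16)
                    for n, va, ptr in ((b".text", 0x1000, 0x200), (b".data", 0x2000, 0x400)))
    hdr = (bytes(dos) + coff + bytes(opt) + secs).ljust(0x200, b"\0")
    pe = hdr + b"\xCC" * 0x200 + b"\xDD" * 0x200       # two 0x200-byte raw sections
    return b"\x11" * 10 + b"MZ" + b"\x22" * 25 + pe + b"\x33" * 20

if __name__ == "__main__":
    print(carve_pes(build_sample_dump()))              # [(37, 1536)]
```

Write `dump[off:off + size]` to disk for each tuple returned; if the dumped buffer was already mapped into memory rather than in file layout, the section offsets will not line up and the carved file needs its raw pointers rebased from the VirtualAddress fields instead.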

Original packed sample:
https://www.hybrid-analysis.com/sample/e70e429aa051017432921f4cdf2b8492c5cff9465ffdc3aabad2a865ecd2b326?environmentId=100

Unpacked payload:
https://www.hybrid-analysis.com/sample/7f7aa6396545cddf404f53c5bc437d98187050f9920596bbf14282f16cf60732?environmentId=100

The unpacked payload itself contains two more packed payloads. If you want to try unpacking them as an exercise at home, can you identify what these payloads are? Let us know in the comments below!

A great place to get new samples to practice:
http://www.malware-traffic-analysis.net/2017/index.html

We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
https://twitter.com/herrcore
https://twitter.com/seanmw

As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
