
Published on November 12th, 2017


Unpacking Process Injection Malware With IDA PRO (Part 1)




Open Analysis Live! This is a re-post from our old site. We walk through the steps needed to unpack process-injection malware using IDA Pro. In this first part we identify and circumvent an anti-analysis trick, then use a hook on NtWriteVirtualMemory to dump the unpacked binary at the moment it is written into the target process.

Unpacking SHA256 8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4

We explain the issue that prevents the sample from running in a sandbox or under a debugger, and dive into the CreateFile call made with dwShareMode = 0x0 (exclusive access: no other process can open the file while that handle is held).

Original sample:
https://www.virustotal.com/en/file/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4/analysis/

Patched sample:
https://www.virustotal.com/en/file/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081/analysis/1486627142/

Stage #1 unpacked:
https://www.virustotal.com/en/file/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4/analysis/1486627158/

Stage #2 unpacked:
https://www.virustotal.com/en/file/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5/analysis/1486627173/

Final payload:
https://www.virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis/1486627182/

We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
https://twitter.com/herrcore
https://twitter.com/seanmw

As always check out our tools, tutorials and more content over at http://www.openanalysis.net/.
