OALabs | Unpacking Process Injection Malware With IDA PRO (Part 1) @OALABS | Uploaded 6 years ago | Updated 2 hours ago
Open Analysis Live! This is a re-post from our old site. We walk through the steps needed to unpack process injection using IDA Pro. In this first part we identify and circumvent an anti-analysis trick and use a hook on NtWriteVirtualMemory to dump the unpacked binary.
-----
OALABS DISCORD
discord.gg/6h5Bh5AMDU
OALABS PATREON
patreon.com/oalabs
OALABS TIP JAR
ko-fi.com/oalabs
OALABS GITHUB
github.com/OALabs
UNPACME - AUTOMATED MALWARE UNPACKING
unpac.me/#
-----
Unpacking SHA256 8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4
We explain the issue preventing this from running in the sandbox and with a debugger and dive into CreateFile with dwShareMode = 0x0.
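The NtWriteVirtualMemory hook used in the video to dump the unpacked stage, reworked here as an added IDAPython example (not OALabs' code): it breaks on the call, reads the stdcall arguments from ESP, and writes any buffer that looks like a PE image to disk. It assumes a 32-bit target and that IDA names the import `ntdll_NtWriteVirtualMemory`; the argument parsing and PE check are plain Python so they also run outside IDA on the constructed sample frame included below.

```python
import struct

# x86 stdcall frame at NtWriteVirtualMemory entry: [esp] = return address, then the five
# arguments in order. (32-bit target assumed, matching the IDA Pro x86 debugger in the video.)
ARG_NAMES = ("ProcessHandle", "BaseAddress", "Buffer", "NumberOfBytesToWrite", "NumberOfBytesWritten")

def parse_args(stack_bytes):
    """Decode the 24 bytes at ESP into a dict of NtWriteVirtualMemory argument values."""
    vals = struct.unpack("<6I", stack_bytes[:24])
    return dict(zip(ARG_NAMES, vals[1:]))

def looks_like_pe(buf):
    """MZ header plus an e_lfanew that points at a 'PE\\0\\0' signature inside the buffer."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    return e_lfanew + 4 <= len(buf) and buf[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def handle_write(stack_bytes, read_mem, seq):
    """Core hook logic: (filename, image bytes) if this write carries a PE image, else None."""
    args = parse_args(stack_bytes)
    data = read_mem(args["Buffer"], args["NumberOfBytesToWrite"])
    if not data or not looks_like_pe(data):
        return None
    return "ntwvm_%02d_%08x.bin" % (seq, args["BaseAddress"]), bytes(data)

# Constructed sample frame and memory (not taken from the real sample) so the logic runs outside IDA.
SAMPLE_STACK = struct.pack("<6I", 0x00401234, 0x58, 0x00400000, 0x00210000, 0x200, 0x0019FF20)
_img = bytearray(0x200); _img[:2] = b"MZ"; struct.pack_into("<I", _img, 0x3C, 0x80); _img[0x80:0x84] = b"PE\0\0"
SAMPLE_MEMORY = {0x00210000: bytes(_img)}

def sample_read_mem(ea, size):
    return SAMPLE_MEMORY.get(ea, b"")[:size]

try:  # IDA glue (assumed IDAPython names: DBG_Hooks, get_reg_value, dbg_read_memory, add_bpt)
    import idaapi, idc
    class NtWvmHook(idaapi.DBG_Hooks):
        def __init__(self):
            super().__init__()
            self.seq = 0
        def dbg_bpt(self, tid, ea):  # fires when the breakpoint on NtWriteVirtualMemory is hit
            esp = idc.get_reg_value("ESP")
            res = handle_write(idaapi.dbg_read_memory(esp, 24), idaapi.dbg_read_memory, self.seq)
            if res:
                with open(res[0], "wb") as f:
                    f.write(res[1])
                self.seq += 1
                print("dumped %s (%d bytes)" % (res[0], len(res[1])))
            return 0
    hook = NtWvmHook(); hook.hook()  # keep a global reference so the hook object stays alive
    idc.add_bpt(idc.get_name_ea_simple("ntdll_NtWriteVirtualMemory"))  # import name as IDA shows it
except ImportError:
    pass  # not inside IDA: the pure functions above still work on the constructed sample
```

Each dumped file is the raw image as written, so the next step is still to fix section alignment in the dump before loading it into IDA.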
Original sample:
virustotal.com/en/file/8af6a0ad98f53063e6f730828a59621dac2aa575cd1a618723b0ad7823ef3ec4/analysis
Patched sample:
virustotal.com/en/file/59bba7a104592a31e6ccd062da8d2e1b226de19e5c4ea2d4416b328068bb7081/analysis/1486627142
Stage #1 unpacked:
virustotal.com/en/file/7d3b38d67d15e79799fe614d57520c6de81d260ce8701ca16e7d64b7c80732f4/analysis/1486627158
Stage #2 unpacked:
virustotal.com/en/file/cc59ecd59719f464a6d0e69c895c742334d40f50c41d59b5eaa51ba7c561b2b5/analysis/1486627173
Final payload:
virustotal.com/en/file/275f927f5cc809ebba57c6e766c550d2d27b1841708459a876c6f5a99201ecb6/analysis/1486627182
We are always looking for feedback, what did you like, what do you want to see more of, what do you want to see us analyze next? Let us know on twitter:
twitter.com/herrcore
twitter.com/seanmw
As always check out our tools, tutorials and more content over at http://www.openanalysis.net/.