Monday 1 July 2013

Zero Access [Unpacking]

Objective: 
- To unpack this variant of Zero Access and retrieve the underlying payload for analysis.

Source: 
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1713&sid=cd3cc5cbadd7a7c0f917c0929b8df486

Hash:
2EFE003B8969FA946F194333152F334C

VirusTotal:
https://www.virustotal.com/en/file/8be9b39f78064d454e90b7fead8d51e8e4749e880f1e00b0fd843227b7677bd1/analysis/


Set Breakpoints at Memory Allocations
  • [A] break when memory is allocated for the payload > this will help us determine the size of the payload.
  • [B] step to the ret > this will help to determine the starting address where the payload will be written to.
  • [C] break after the payload is written to memory and unpacked > dump the unpacked payload.

So we set break points at the LocalAlloc and LocalFree functions and analyze the memory allocations, the address space of those allocations and the contents that were written to those allocations as the malware continued to execute.

@the second LocalAlloc, note the parameters of the call [SIZE = 1E604]:


@the return of the second LocalAlloc, Note the value of EAX [START ADDRESS = 0x16ADE8], the address space 0x16ADE8 is still vacant.

 


@the first LocalFree call, the encrypted payload bytes have been written to 0x16ADE8:

 

@the third LocalAlloc call, the payload bytes are decrypted! Time to take a dump.

 

And dumping the exe.

 
 9645CD309A01211C8DB323EBFCC44C6B

No comments:

Post a Comment