
Trouble Unpacking


I recently ran across some malware on a site and am trying to figure out how it works. I've been trying to unpack the original file I downloaded, but haven't been having much success. The original executable deletes itself and creates another executable in C:\WINDOWS\system32. Attempts to disassemble it with IDA, ollydbg, and PE Browse all don't work. I've put what dumpbin has to say at the bottom of the post. I figure it's packed somehow. Any tips? I've uploaded the file, you can find it here:

http://www.offensivecomputing.net/?q=ocsearch&ocq=2d7a7bceac89a0ae7c6edcbf62252bc5

Dumpbin output:

Copyright (C) Microsoft Corp 1992-1998. All rights reserved.


Dump of file Setup_422.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (i386)
               9 number of sections
        460405EF time date stamp Fri Mar 23 09:53:03 2007
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10E characteristics
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic #
           11.10 linker version
            8000 size of code
           32000 size of initialized data
            1000 size of uninitialized data
            7EBE RVA of entry point
            1000 base of code
            C000 base of data
          400000 image base
            1000 section alignment
             200 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
          3D5000 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          400000 size of stack reserve
            7000 size of stack commit
          300000 size of heap reserve
            9000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
          3CE000 [     316] RVA [size] of Import Directory
          3D2000 [    2DC3] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Special Directory
          3D1000 [      18] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of Reserved Directory
               0 [       0] RVA [size] of Reserved Directory


SECTION HEADER #1
   .CODE name
    7F06 virtual size
    1000 virtual address
    8000 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
    DATA name
    226D virtual size
    9000 virtual address
    2400 size of raw data
    8400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #3
   .init name
    19BC virtual size
    C000 virtual address
    1A00 size of raw data
    A800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #4
  .edata name
    409A virtual size
    E000 virtual address
    4200 size of raw data
    C200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C20000C0 flags
         Initialized Data
         Uninitialized Data
         Discardable
         Read Write

SECTION HEADER #5
    .bss name
  3BAC0E virtual size
   13000 virtual address
   20E00 size of raw data
   10400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C10000C0 flags
         Initialized Data
         Uninitialized Data
         Extended relocations
         Read Write

SECTION HEADER #6
  .idata name
    1C05 virtual size
  3CE000 virtual address
    1E00 size of raw data
   31200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #7
    .tls name
      45 virtual size
  3D0000 virtual address
     200 size of raw data
   33000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
D40000C0 flags
         Initialized Data
         Uninitialized Data
         Not Cached
         Shared
         Read Write

SECTION HEADER #8
  .rdata name
     A18 virtual size
  3D1000 virtual address
     C00 size of raw data
   33200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

SECTION HEADER #9
  .bdata name
    2DC3 virtual size
  3D2000 virtual address
    2E00 size of raw data
   33E00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         Read Only

  Summary

        8000 .CODE
        3000 .bdata
      3BB000 .bss
        5000 .edata
        2000 .idata
        2000 .init
        1000 .rdata
        1000 .tls
        3000 DATA

Unpacking this file (2d7a7bce...)

Empty TLS; exec starts at the entrypoint, as usual...

2 tricks:
- First, many '00 00' -> add b[eax], al.
This is to entice the analyst into thinking it's just slack space, never executed. It is; eax is initially set to a value that will not trigger an exception when being pointed to and written to. So just load the file in olly and step. There are many 0s, but instructions appear occasionally, building an address on the stack, then ret'ing to it: 40FDE0 ret to 400678.
- After a while in olly, the decryption loop appears (at 4100CB). It's located in section .edata, which IDA seems to hide by default (hence you won't see it in the listing). Just rename it, reload the file, and you'll see it in IDA. The decrypted stub goes from 41010E to 41090B; it's the real 'unpacker' routine.
Then jump to entrypoint; real EP at 41CF38.

The file self-deletes (ShellExecute with cmd /c del ...). Tries to download a file from 91.121.34.216 (rescuesysupdate.com?), most likely a fake AV.
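As an added illustration of what the dumpbin listing in the first post and the unpacking notes above are telling us, here is a Python script that is not from the thread or its posters. It rebuilds only the PE headers from the posted section table (constructed data, no section bodies, so none of the malware's code is reproduced), maps the addresses mentioned above (4100CB, 41010E, 41090B, 41CF38) to their sections and file offsets, and flags the header properties that hint at a packer: a section whose virtual size dwarfs its raw data (.bss), and code executing out of sections that are not marked executable or are marked discardable (.edata). The function names and finding labels are my own.

```python
"""Header-level triage of a suspected packed PE (added example, not from the thread).
The PE image built here is CONSTRUCTED from the dumpbin values posted for
Setup_422.exe: headers only, no section bodies."""
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

# (name, virtual size, virtual address, raw size, raw pointer, characteristics),
# transcribed from the dumpbin SECTION HEADER blocks in the first post.
DUMPBIN_SECTIONS = [
    (b".CODE", 0x7F06, 0x1000, 0x8000, 0x400, 0x60000020),
    (b"DATA", 0x226D, 0x9000, 0x2400, 0x8400, 0x40000040),
    (b".init", 0x19BC, 0xC000, 0x1A00, 0xA800, 0x40000040),
    (b".edata", 0x409A, 0xE000, 0x4200, 0xC200, 0xC20000C0),
    (b".bss", 0x3BAC0E, 0x13000, 0x20E00, 0x10400, 0xC10000C0),
    (b".idata", 0x1C05, 0x3CE000, 0x1E00, 0x31200, 0x40000040),
    (b".tls", 0x45, 0x3D0000, 0x200, 0x33000, 0xD40000C0),
    (b".rdata", 0xA18, 0x3D1000, 0xC00, 0x33200, 0x40000040),
    (b".bdata", 0x2DC3, 0x3D2000, 0x2E00, 0x33E00, 0x40000040),
]


def build_sample_pe(sections=DUMPBIN_SECTIONS, entry_rva=0x7EBE, image_base=0x400000):
    """Assemble a minimal PE32 file: DOS header, PE signature, COFF header,
    optional header and section table. Section bodies are deliberately absent."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x460405EF, 0, 0, 0xE0, 0x10E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    table = b"".join(struct.pack(SECTION_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (entry_rva, image_base, sections) read back from raw PE bytes."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", data, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)
    (image_base,) = struct.unpack_from("<I", data, opt + 28)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vs, va, rs, rp, _, _, _, _, ch = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vs, "va": va,
                         "rsize": rs, "rptr": rp, "flags": ch})
        off += struct.calcsize(SECTION_FMT)
    return entry_rva, image_base, sections


def locate(sections, image_base, va):
    """Map a virtual address to (section, file offset). The offset is None when the
    address lies in the part of a section that exists only in memory."""
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            delta = rva - s["va"]
            return s, (s["rptr"] + delta if delta < s["rsize"] else None)
    return None, None


def triage(data, observed_code_vas=()):
    """Flag header properties an analyst cares about when unpacking.
    Returns (finding, section name[, address]) tuples; labels are my own."""
    entry_rva, image_base, sections = parse_pe(data)
    findings = []
    for s in sections:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("writable_and_executable", s["name"]))
        if s["rsize"] and s["vsize"] > 4 * s["rsize"]:
            # far more memory than file data: room for an unpacker to write into
            findings.append(("vsize_far_exceeds_raw", s["name"]))
    ep_sec, _ = locate(sections, image_base, image_base + entry_rva)
    if ep_sec is None or not ep_sec["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(("entry_point_not_executable", ep_sec["name"] if ep_sec else "?"))
    for va in observed_code_vas:  # addresses seen executing under a debugger
        s, _ = locate(sections, image_base, va)
        if s is None:
            findings.append(("address_outside_image", "?", va))
            continue
        if not s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(("code_runs_in_non_executable_section", s["name"], va))
        if s["flags"] & IMAGE_SCN_MEM_DISCARDABLE:
            findings.append(("code_runs_in_discardable_section", s["name"], va))
    return findings


if __name__ == "__main__":
    pe = build_sample_pe()
    _, base, secs = parse_pe(pe)
    for va in (0x4100CB, 0x41010E, 0x41090B, 0x41CF38):  # addresses from the notes above
        s, off = locate(secs, base, va)
        where = f"file offset {off:#x}" if off is not None else "memory only"
        print(f"{va:#x}: {s['name']} ({where})")
    for finding in triage(pe, (0x4100CB, 0x41010E, 0x41CF38)):
        print(finding)
```

Run against a real sample, `parse_pe` takes the file bytes directly (the constructed `build_sample_pe` is only there so the script runs offline); the observed addresses are whatever the debugger shows executing. Note that the .edata section here carries no IMAGE_SCN_MEM_EXECUTE bit at all, so the decryption loop at 4100CB runs from a non-executable, discardable, writable section, which is why a tool that trusts the section flags will not treat it as code.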

Disassembling with IDA

I don't work much with malware, but this one looks interesting.

To disassemble the 00 00 bytes with IDA you have to:
1. Options -> General
2. Analysis Tab -> Processor Specific analysis options
3. [x] Disassemble Zero opcode instructions

And then start disassembling normally.
Put a hardware bpt on execute at 0x41010E to get started.

HTH,
Elias

Thanks!

Those are some great tips. I was stuck on that for a while :)

Kind of late but wanted to

Kind of late but wanted to add that you can select "Manual load" in IDA (first screen); this way IDA will ask you what sections to load (even the header).