Tracing the flow of execution, we notice similarities. At the beginning of execution, all of the samples make some meaningless API calls (e.g. trying to read some random keys from the registry). Then they call a function to allocate memory (VirtualAlloc or VirtualAllocEx). They unpack something into this memory and redirect execution there. After some time, execution comes back to the memory space of the original image. However, it now executes code that was not present before (the code of the image has been overwritten). We can guess that all of the samples use the RunPE technique to overwrite the image of the original file with the payload. It all happens in the shellcode that is first unpacked into the allocated memory.

Let's set a breakpoint on VirtualAlloc/VirtualAllocEx and follow execution to see what is written into this newly allocated memory. Unpacking usually includes two stages: some encrypted content is copied from the original image, then stage 1 decryption is applied. After this, some of the shellcode is revealed. This same shellcode is responsible for decrypting the actual payload (this is stage 2 decryption) and loading it into memory.

This is how the content unpacked into the allocated memory looks for each of the respective samples (after the stage 1 decryption):

The above content consists of the same elements in the same order. At the beginning, we can see a list of functions to be loaded. Next, we see an encrypted payload (an independent PE file). Below is the encrypted payload on the left and its decrypted version on the right:

Finally, we see the shellcode to be executed (loading the payload by the RunPE technique).

The decrypting procedure is heavily obfuscated, but by having memory dumps made before and after each stage of decryption, we can try to get some hints of what is going on by comparing the changes. Visual analysis may help in discovering the algorithm by which the data is packed. I have decided to dump the allocated memory before each stage of decryption, plus the revealed payload (the new PE file).
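The dump-and-compare step described above, as an added example that is not code from the original article: a small Python triage script that takes two dumps of the same allocated region (one after stage 1, with the payload still encrypted, and one after stage 2, with the payload revealed), reports which byte ranges changed between them, locates any PE header that has appeared, and carves the raw payload out using its own section table. The region contents (import-name list, payload, trailing shellcode bytes) and the single-byte XOR used to produce the "before" copy are constructed inline so the script runs offline; the XOR is only a stand-in for whatever transform the real crypter applies, and all function names here are my own.

```python
"""Triage helpers for memory dumps taken around each decryption stage.

Added example, not code from the original article. Assumes two dumps of the
same allocated region at the same base: `before` (after stage 1 decryption,
payload still encrypted) and `after` (after stage 2, payload revealed).
"""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"


def find_pe_headers(buf):
    """Return offsets of every plausible PE image inside buf.

    A hit needs "MZ", an e_lfanew that stays inside the buffer and "PE\\0\\0"
    at that position; a bare "MZ" is too common in random data to count.
    """
    hits = []
    pos = buf.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        if pos + 0x40 <= len(buf):
            e_lfanew = struct.unpack_from("<I", buf, pos + 0x3C)[0]
            nt = pos + e_lfanew
            if e_lfanew >= 0x40 and nt + 24 <= len(buf) and buf[nt:nt + 4] == IMAGE_NT_SIGNATURE:
                hits.append(pos)
        pos = buf.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return hits


def carve_pe(buf, pe_off):
    """Cut the raw (file-layout) PE out of the dump using its own headers.

    Size = max(SizeOfHeaders, end of the last section's raw data). This is
    right for the payload as it sits in the allocated region (still in file
    layout, before RunPE maps it); a mapped image would need realigning.
    """
    nt = pe_off + struct.unpack_from("<I", buf, pe_off + 0x3C)[0]
    num_sections, = struct.unpack_from("<H", buf, nt + 6)     # FILE_HEADER.NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, nt + 20)        # FILE_HEADER.SizeOfOptionalHeader
    opt = nt + 24
    end, = struct.unpack_from("<I", buf, opt + 0x3C)          # OPTIONAL_HEADER.SizeOfHeaders
    sec = opt + opt_size                                      # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return buf[pe_off:pe_off + end]


def changed_regions(before, after):
    """Contiguous [start, end) byte ranges that differ between the two dumps."""
    if len(before) != len(after):
        raise ValueError("dumps must cover the same region")
    regions, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(before)))
    return regions


def build_constructed_pe():
    """Constructed minimal PE32 (1 section, 0x400 bytes) used only as sample input."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    dos[0x3C:0x40] = struct.pack("<I", 0x40)                  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    opt[0:2] = struct.pack("<H", 0x10B)                       # PE32 magic
    opt[0x3C:0x40] = struct.pack("<I", 0x200)                 # SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt) + sec).ljust(0x200, b"\0")
    return headers + bytes(range(256)) * 2                    # 0x200 bytes of section data


def build_constructed_region():
    """Constructed `before`/`after` dumps mirroring the layout seen in the article."""
    imports = b"LoadLibraryA\0GetProcAddress\0VirtualAlloc\0"
    payload = build_constructed_pe()
    shellcode = b"\xe8\x00\x00\x00\x00\x5b"                   # call $+5 / pop ebx (GetPC idiom)
    encrypted = bytes(b ^ 0x5A for b in payload)              # placeholder, NOT the real transform
    return imports + encrypted + shellcode, imports + payload + shellcode


def triage(before, after):
    """Summarise what stage 2 revealed: changed ranges, new PE headers, carved sizes."""
    return {
        "pe_before": find_pe_headers(before),
        "pe_after": find_pe_headers(after),
        "changed": changed_regions(before, after),
        "carved_len": [len(carve_pe(after, off)) for off in find_pe_headers(after)],
    }


if __name__ == "__main__":
    before, after = build_constructed_region()
    print(triage(before, after))
```

With real dumps, read both files with `open(path, "rb").read()` and pass them to `triage()`; the boundaries of the changed range are exactly the kind of hint that comparing the two dumps gives you, since they delimit what the stage 2 routine touched, and a PE header that is absent from `before` but present in `after` at the start of that range confirms that the changed bytes are the payload. Carving works on file layout because the crypter copies the payload unmapped into the allocated region; once RunPE has written it over the original image, the sections sit at their virtual addresses and a realigning dumper is needed instead.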