Help Unpacking Sample

Forum for analysis and discussion about malware.

Help Unpacking Sample

Postby mlwrdreamer » Sat Mar 11, 2017 2:40 am

I have been trying to unpack this sample for some time and I'm stuck. It has some anti-debug.
Any guidance on how to unpack it will be appreciated.
Link to VT and attachment:
https://www.virustotal.com/en/file/e0c7 ... /analysis/
mlwrdreamer
 
Posts: 1
Joined: Sat Mar 11, 2017 2:35 am
Reputation point: 0

Re: Help Unpacking Sample

Postby EP_X0FF » Wed Mar 15, 2017 4:15 am

It is RunPE. Set a break on CreateProcess. Once it is called, set a break on NtWriteProcessMemory and inspect each subsequent call. After a few system calls there will be a payload call trying to write a buffer with the decrypted executable. Dump this memory and extract the PE from this dump.

This is a generic technique for most malware "crypters".

This sample is identified by MS as TrojanDownloader:Win32/Talalpek.A and probably has a win32k exploit on board.
Notice it attempts to get SHAREDINFO by both binary search and a CsrClientConnectToServer call.
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4744
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 560
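The last step EP_X0FF describes, extracting the PE from the dumped buffer, as an added example that is not code from the thread: it finds every MZ/PE header in a raw dump and sizes each image from its section table, exercised on a constructed minimal PE embedded in junk bytes.

```python
"""Carve PE images out of a raw memory dump, e.g. the buffer a RunPE-style
loader passes to NtWriteProcessMemory (added example, not from the thread)."""
import struct

SECTION_HDR = 40          # size of one IMAGE_SECTION_HEADER

def pe_bounds(buf, off):
    """Return (start, end) of a PE image starting at buf[off], or None.
    The end is the highest PointerToRawData + SizeOfRawData in the section
    table, i.e. the on-disk layout size a decrypted payload buffer has."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]  # SizeOfOptionalHeader
    sec = pe + 24 + opt_size                              # first section header
    end = sec + nsec * SECTION_HDR                        # at least the headers
    if nsec == 0 or nsec > 96 or end > len(buf):
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * SECTION_HDR + 16)
        end = max(end, off + raw_ptr + raw_size)
    return (off, end) if end <= len(buf) else None

def carve_pes(buf):
    """Scan buf for every valid embedded PE and return them as bytes objects."""
    found, pos = [], 0
    while (pos := buf.find(b"MZ", pos)) >= 0:
        bounds = pe_bounds(buf, pos)
        if bounds:
            found.append(buf[bounds[0]:bounds[1]])
            pos = bounds[1]       # skip past the carved image
        else:
            pos += 1              # bogus MZ, keep scanning
    return found

def build_sample_pe():
    """Constructed minimal 32-bit PE: headers plus one 0x200-byte section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)   # PE32 magic, rest zero
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200,
                                       0, 0, 0, 0, 0x60000020)
    hdr = dos + coff + opt + sec
    return hdr + b"\0" * (0x200 - len(hdr)) + b"\xC3" * 0x200

# Constructed "dump": junk, a bogus MZ, the real image, trailing garbage.
SAMPLE_DUMP = b"\x00" * 64 + b"MZ" + b"\x00" * 70 + build_sample_pe() + b"\xCC" * 32
```

The carved image is in file layout, so it can be opened directly in a PE viewer; a dump taken from the target's mapped memory would instead need section raw pointers rewritten to match virtual addresses.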

