Malware authors use many tricks to hinder analysis by security researchers and to evade antivirus products. One of the most commonly used techniques is packing.
What is a packer?
It is a tool that compresses or obfuscates the content of an executable file and generates a new executable in a packed structure.
Why is unpacking malware important?
Because you cannot analyze malware without unpacking it and deobfuscating its strings so that they become readable.
How does unpacking happen?
As we see in the image, the OS loads the stub code together with the packed file.
What is stub code?
The stub code is responsible for unpacking the packed sections. When you run the file, the stub code holds the address of the unpacked code and restores it in memory. At the end of the stub code we see an unconditional jump (the tail jump): once the stub has finished executing, it jumps to the address of the unpacked code.
How to identify the type of packer?
There are many types of packers, so we need to know which packer was used in order to choose a suitable method to unpack the file.
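The same identification can be scripted. The following is an added example (not part of the original post and not code from Detect It Easy) that parses the PE section table with the standard library only, and flags the UPX layout described above: an empty section that the stub unpacks into, and an entry point inside a high-entropy section holding the compressed image and the stub. The sample PE it builds is constructed test data, not the MZP ransomware sample.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: compressed or encrypted data sits near 8.0, plain x86 code nearer 6."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint RVA, [(name, vaddr, vsize, raw_size, entropy), ...])."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                   # COFF header follows the PE signature
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # optional header
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(num_sections):                         # 40-byte section headers follow the optional header
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, vaddr, vsize, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return entry_rva, sections

def assess_packing(pe: bytes) -> dict:
    """UPX layout: UPX0 has no raw data (the stub unpacks into it); the entry point sits in UPX1,
    a high-entropy section holding the compressed image and the stub that ends in the tail jump."""
    entry_rva, sections = parse_sections(pe)
    ep = next((s for s in sections if s[1] <= entry_rva < s[1] + max(s[2], s[3])), None)
    empty = [s[0] for s in sections if s[3] == 0]
    high = [s[0] for s in sections if s[4] > 7.0]
    upx_names = any(s[0].upper().startswith("UPX") for s in sections)
    return {"entry_rva": entry_rva, "entry_section": ep[0] if ep else None,
            "empty_sections": empty, "high_entropy_sections": high, "upx_section_names": upx_names,
            "likely_packed": upx_names or (ep is not None and ep[0] in high and bool(empty))}

def build_constructed_sample() -> bytes:
    """Constructed, non-executable PE image that mimics UPX's section layout (not a real sample)."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # 2 sections, PE32 optional header
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x11800)
    def sec(name, vsize, vaddr, raw, ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw, ptr, 0, 0, 0, 0, 0)
    hdr = dos + b"PE\0\0" + coff + opt + sec(b"UPX0", 0x10000, 0x1000, 0, 0) + sec(b"UPX1", 0x1000, 0x11000, 2048, 512)
    return bytes(hdr.ljust(512, b"\0") + bytes(range(256)) * 8)   # 2048 maximum-entropy bytes at offset 512
```

Run `assess_packing(open(path, "rb").read())` on a file you are triaging; the entropy and empty-section checks still fire when the UPX section names have been renamed, which a name-only signature would miss.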
The tools we will use:
1- Detect It Easy, to identify the type of packer
2- x32dbg, a debugger used to carry out the unpacking steps
We will apply the unpacking steps to the MZP Ransomware.
You can download this sample from this link: https://app.any.run/tasks/56248422-b327-4226-8a79-3155e24b999d/
Note: apply the unpacking steps in a safe environment such as Flare VM.
Which method will we apply to unpack the MZP ransomware?
The tail jump: the unconditional jump at the end of the stub code, which points to the address of the unpacked code.
Steps to unpack MZP Ransomware using the tail jump
1- Identify the type of packer
Open the Detect It Easy tool, then drag and drop the MZP ransomware onto it.
As we see in the image, the type of packer is UPX.
2- Open the MZP Ransomware in x32dbg and start executing from the OEP (0041E1F1) of the stub code. Execute until you reach the unconditional jump at the end of the stub code (the tail jump).
3- Then press step over on the jump instruction.
4- Now we have reached address 00411D54 and the EIP register = 00411D54 (the EIP register holds the address of the next instruction to execute).
This is the address of the unpacked MZP ransomware.
5- So we need to set the EIP address as the OEP, changing the OEP of the stub code to the OEP of the unpacked MZP ransomware.
Open the Plugins menu from the tab menu, press OllyDump, then press the "Get EIP as OEP" button to change the OEP to the address of the unpacked MZP ransomware (00411D54). Then press Dump to save the MZP ransomware file with the new OEP.
6- We need to rebuild the IAT (the Import Address Table stores the addresses of the library functions imported from DLLs).
Open the Scylla tool as in step 1 (we are using Scylla to rebuild the IAT)
- Search for addresses as in step 2
- Import libraries as in step 3
- Fix the dump in this step to attach MZP_dump to the new IAT (after rebuilding) as in step 4
- After fixing the IAT, all the operations needed to unpack the ransomware are done. Look at the name of MZP after dumping and unpacking (MZP_dump_SCY.exe) as in step 5
7- Open the Detect It Easy tool to confirm that the MZP ransomware has been unpacked: drag and drop MZP_dump_SCY.exe onto the tool.
- After unpacking you can do static analysis using the IDA Pro tool.
- Special case in the MZP ransomware: after unpacking it manually you cannot do dynamic analysis with a debugger because an access violation occurs; this is a type of anti-debugging technique.
- There are many tools for automatic unpacking, but manual unpacking is reliable and builds your skills.
- You can apply these steps to any file packed with UPX.