Malwares are usually packed with custom packers, which make static and dynamic analysis difficult. Some of the static analysis tools do not work on packed samples because packed is not in its real form, also its defeats anti-virus programs which work based on the kind of static signature detection. Packers usually compress or encrypt and when in runtime they are decrypted to the control flow that is being transferred to the original entry point.

Tools Required:

  • Ollydbg Debugger.
  • OllyDump plugin.
  • IMPREC import Fixer.

Filename: packed.exe
Before starting, we will dump the headers of exe which is packed.exe and we will then check out the structure of exe including the section headers. There is a tool known as dumpbin which is included as a part of windows sdk

dumpbin /all

Here is the ouput we get from dumpbin program

Microsoft (R) COFF/PE Dumper Version 8.00.50727.42
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file Sample

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        51BD9FFA time date stamp Sun Jun 16 16:52:34 2013
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32 bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            7.02 linker version
            4000 size of code
             200 size of initialized data
               0 size of uninitialized data
           22000 entry point (00422000)
            1000 base of code
            5000 base of data
          400000 image base (00400000 to 00424B75)
            1000 section alignment
             200 file alignment
            5.01 operating system version
            0.00 image version
            5.01 subsystem version
               0 Win32 version
           24B76 size of image
             400 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               3 DLL characteristics
                   RESERVED - UNKNOWN
                   RESERVED - UNKNOWN
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
           24A94 [      E2] RVA [size] of Import Directory
            6000 [   1B92C] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
               0 [       0] RVA [size] of Import Address Table Directory
            22BC [      40] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
            5000 [      71] RVA [size] of Reserved Directory

SECTION HEADER #1
   .text name
    4000 virtual size
    1000 virtual address (00401000 to 00404FFF)
     800 size of raw data
     400 file pointer to raw data (00000400 to 00000BFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         Execute Read

SECTION HEADER #2
  .rdata name
     91E virtual size
    5000 virtual address (00405000 to 0040591D)
     200 size of raw data
     C00 file pointer to raw data (00000C00 to 00000DFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
80000040 flags
         Initialized Data
         Write Only

SECTION HEADER #3
    .RES name
   1BA00 virtual size
    6000 virtual address (00406000 to 004219FF)
   19200 size of raw data
     E00 file pointer to raw data (00000E00 to 00019FFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         Read Write

SECTION HEADER #4
  .RENOS name
    2B76 virtual size
   22000 virtual address (00422000 to 00424B75)
    2C00 size of raw data
   1A000 file pointer to raw data (0001A000 to 0001CBFF)
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
E0000040 flags
         Initialized Data
         Execute Read Write

  Summary

        3000 .RENOS
       1C000 .RES
        1000 .rdata
        4000 .text

There are three sections namely .RENOS .RES .RDATA and .text, which is enough to prove that it wasn’t made from a standard compiler and most probably is a packer or compressor.

The following is the output we get from debugger output at the entry point of the executable:

00422000 > 68 00204200      PUSH OFFSET Sample.<ModuleEntryPoint>
00422005   B8 80204200      MOV EAX,Sample.00422080
0042200A   FFD0             CALL EAX
0042200C   83C4 04          ADD ESP,4
0042200F   B8 67224000      MOV EAX,Sample.00402267
00422014   FFE0             JMP EAX
00422016   2200             AND AL,BYTE PTR DS:[EAX]

00422014 FFE0 JMP EAX We can see here that the compressor jumps to the original entry point of the executable. Before that a call is made to Sample.00422080 which is possibly the compression routine of the executable.

Now let’s try to look into the subroutine:

00422080   55               PUSH EBP
00422081   89E5             MOV EBP,ESP
00422083   57               PUSH EDI
00422084   56               PUSH ESI
00422085   53               PUSH EBX
00422086   83EC 2C          SUB ESP,2C
00422089   8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]
0042208C   8078 7C 00       CMP BYTE PTR DS:[EAX+7C],0
00422090   0F85 64010000    JNZ Samplecc.004221FA
00422096   C745 E0 00000000 MOV DWORD PTR SS:[EBP-20],0
0042209D   8B40 6C          MOV EAX,DWORD PTR DS:[EAX+6C]
004220A0   8B08             MOV ECX,DWORD PTR DS:[EAX]
004220A2   394D E0          CMP DWORD PTR SS:[EBP-20],ECX
004220A5   8D58 04          LEA EBX,DWORD PTR DS:[EAX+4]
004220A8   894D E4          MOV DWORD PTR SS:[EBP-1C],ECX
004220AB   E9 8C000000      JMP Samplecc.0042213C
004220B0   8B4D 08          MOV ECX,DWORD PTR SS:[EBP+8]
004220B3   8D45 EC          LEA EAX,DWORD PTR SS:[EBP-14]
004220B6   8B51 20          MOV EDX,DWORD PTR DS:[ECX+20]
004220B9   894424 0C        MOV DWORD PTR SS:[ESP+C],EAX
004220BD   B8 04000000      MOV EAX,4
004220C2   894424 08        MOV DWORD PTR SS:[ESP+8],EAX
004220C6   8B43 08          MOV EAX,DWORD PTR DS:[EBX+8]
004220C9   894424 04        MOV DWORD PTR SS:[ESP+4],EAX
004220CD   8B03             MOV EAX,DWORD PTR DS:[EBX]
004220CF   8B79 70          MOV EDI,DWORD PTR DS:[ECX+70]
004220D2   01F8             ADD EAX,EDI
004220D4   890424           MOV DWORD PTR SS:[ESP],EAX
004220D7   FF12             CALL DWORD PTR DS:[EDX]
004220D9   8B55 08          MOV EDX,DWORD PTR SS:[EBP+8]
004220DC   8B03             MOV EAX,DWORD PTR DS:[EBX]

After analyzing the algorithm we have come to know as a LZMA compression algorithm,

which decompresses data at 0×00401000

JMP EAX is the place where we jump to when the original entry point is taken place:

00402267   . 60             PUSHAD
00402268   . F8             CLC
00402269   . 1BFF           SBB EDI,EDI
0040226B   . 8B35 6C504000  MOV ESI,DWORD PTR DS:[40506C]            ;  DBGHELP.ImageRvaToVa
00402271   . 68 5E534000    PUSH Samplecc.0040535E                   ; /pModule = ""
00402276   . 832C24 40      SUB DWORD PTR SS:[ESP],40                ; |
0040227A   . FF15 38504000  CALL DWORD PTR DS:[405038]               ; GetModuleHandleA
00402280   . 96             XCHG EAX,ESI
00402281   . 09F7           OR EDI,ESI
00402283   . 2BC7           SUB EAX,EDI
00402285   . B9 0000FFFF    MOV ECX,FFFF0000
0040228A   . F7D9           NEG ECX
0040228C   . 3BC1           CMP EAX,ECX
0040228E   . 76 1F          JBE SHORT Samplecc.004022AF
00402290   . 46             INC ESI
00402291   . 56             PUSH ESI
00402292   . 59             POP ECX
00402293   . 1349 3B        ADC ECX,DWORD PTR DS:[ECX+3B]
00402296   . 68 60000000    PUSH 60
0040229B   . 83E9 85        SUB ECX,-7B
0040229E   . 5B             POP EBX
0040229F   . 3B19           CMP EBX,DWORD PTR DS:[ECX]
004022A1   . 73 0C          JNB SHORT Samplecc.004022AF
004022A3   . 33F6           XOR ESI,ESI
004022A5   . 81EE 1E534000  SUB ESI,Samplecc.0040531E                ;  ASCII "DBGHELP.dll"
004022AB   . F7DE           NEG ESI
004022AD   .^EB A9          JMP SHORT Samplecc.00402258
004022AF   > B9 00040000    MOV ECX,400
004022B4   >-E2 FE          LOOPD SHORT Samplecc.004022B4
004022B6   . 61             POPAD
004022B7   . C3             RETN

The second phase of unpacking extracted binary code in a heap region.

Which is present here:

003C00C4   5D               POP EBP                                  ; 003C0694
003C00C5   5E               POP ESI
003C00C6   873424           XCHG DWORD PTR SS:[ESP],ESI
003C00C9   56               PUSH ESI
003C00CA   E8 31050000      CALL 003C0600
003C00CF   E8 6F050000      CALL 003C0643
003C00D4   8BF8             MOV EDI,EAX
003C00D6   6A 00            PUSH 0
003C00D8   6A 00            PUSH 0
003C00DA   FF75 6C          PUSH DWORD PTR SS:[EBP+6C]
003C00DD   57               PUSH EDI
003C00DE   FF55 28          CALL DWORD PTR SS:[EBP+28]
003C00E1   8B4D 70          MOV ECX,DWORD PTR SS:[EBP+70]
003C00E4   6A 00            PUSH 0
003C00E6   54               PUSH ESP

Decrypted bytes are copied into heap region here

003C0190   F3:AA            REP STOS BYTE PTR ES:[EDI]
003C0192   5F               POP EDI
003C0193   8BCB             MOV ECX,EBX
003C0195   F3:A4            REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
003C0197   FF55 0C          CALL DWORD PTR SS:[EBP+C]

Connection to c2c:

After unpacking, the following is where the information downloads and uploads the configuration to c2c verser

004035A0  |. FF75 AC        PUSH DWORD PTR SS:[EBP-54]               ; /<%s>
004035A3  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                ; |<%s>
004035A6  |. FF75 B4        PUSH DWORD PTR SS:[EBP-4C]               ; |<%s>
004035A9  |. 68 00344000    PUSH 6fe5860a.00403400                   ; |Format = "GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

"
004035AE  |. FF75 BC        PUSH DWORD PTR SS:[EBP-44]               ; |s
004035B1  |. E8 8ED50000    CALL 6fe5860a.00410B44                   ; wsprintfA
004035B6  |. 83C4 14        ADD ESP,14
004035B9  |. EB 1B          JMP SHORT 6fe5860a.004035D6
004035BB  |> 68 BB474100    PUSH 6fe5860a.004147BB                   ; /<%s> = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)"
004035C0  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]                ; |<%s>
004035C3  |. FF75 B4        PUSH DWORD PTR SS:[EBP-4C]               ; |<%s>
004035C6  |. 68 00344000    PUSH 6fe5860a.00403400                   ; |Format = "GET %s HTTP/1.0
Host: %s
Accept-Language: en-US
Accept: */*
Accept-Encoding: identity, *;q=0
Connection: close
User-Agent: %s

"
004035CB  |. FF75 BC        PUSH DWORD PTR SS:[EBP-44]               ; |s
004035CE  |. E8 71D50000    CALL 6fe5860a.00410B44                   ; wsprintfA
004035D3  |. 83C4 14        ADD ESP,14
004035D6  |> 0FB745 D8      MOVZX EAX,WORD PTR SS:[EBP-28]
004035DA  |. 50             PUSH EAX
004035DB  |. 6A 00          PUSH 0
004035DD  |. FF75 FC        PUSH DWORD PTR SS:[EBP-4]
004035E0  |. E8 1EFAFFFF    CALL <Connect_to_c2c>

Inside connect_to_c2c we are able to locate call to send

00403087  /$ 55             PUSH EBP
00403088  |. 8BEC           MOV EBP,ESP
0040308A  |. 53             PUSH EBX
0040308B  |. 57             PUSH EDI
0040308C  |. 837D 10 00     CMP DWORD PTR SS:[EBP+10],0
00403090  |. 75 0B          JNZ SHORT 6fe5860a.0040309D
00403092  |. B8 01000000    MOV EAX,1
00403097  |. 5F             POP EDI
00403098  |. 5B             POP EBX
00403099  |. C9             LEAVE
0040309A  |. C2 0C00        RETN 0C
0040309D  |> 8B7D 0C        MOV EDI,DWORD PTR SS:[EBP+C]
004030A0  |. BB 00000000    MOV EBX,0
004030A5  |> 6A 00          /PUSH 0                                  ; /Flags = 0
004030A7  |. FF75 10        |PUSH DWORD PTR SS:[EBP+10]              ; |DataSize
004030AA  |. 57             |PUSH EDI                                ; |Data
004030AB  |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]               ; |Socket
004030AE  |. E8 33DB0000    |CALL 6fe5860a.00410BE6                  ; send
004030B3  |. 85C0           |TEST EAX,EAX
004030B5  |. 7E 14          |JLE SHORT 6fe5860a.004030CB
004030B7  |. 03F8           |ADD EDI,EAX
004030B9  |. 2945 10        |SUB DWORD PTR SS:[EBP+10],EAX
004030BC  |. 837D 10 00     |CMP DWORD PTR SS:[EBP+10],0
004030C0  |. 75 07          |JNZ SHORT 6fe5860a.004030C9
004030C2  |. BB 01000000    |MOV EBX,1
004030C7  |. EB 02          |JMP SHORT 6fe5860a.004030CB
004030C9  |>^EB DA          JMP SHORT 6fe5860a.004030A5
004030CB  |> 8BC3           MOV EAX,EBX
004030CD  |. 5F             POP EDI
004030CE  |. 5B             POP EBX
004030CF  |. C9             LEAVE
004030D0  . C2 0C00        RETN 0C