Exetools

Exetools (https://forum.exetools.com/index.php)
-   Source Code (https://forum.exetools.com/forumdisplay.php?f=46)
-   -   Malware Sample analysis (https://forum.exetools.com/showthread.php?t=18659)

Aesculapius 02-12-2018 12:07

Malware Sample analysis
 
I took my time these last weekends to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because its complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the windows wallpaper, close any instance of regedit and task manager. It will do it only once and terminate itself because I modified it to do so. The real sample, will continue to change back the wallpaper if you try to set it to your default one, closing task manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET nod32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it I discourage you from doing so, unless you are versed in malware analysis and in a safe controlled environment.

The recreated main payload source code is probably not 100% accurate if compared with the original source code but I'm pretty confident it should be very alike.

Again, this is only for people that know what they are doing, if by any chance you get infected, then restart your PC in safe mode and simply eliminate the sample from memory and disk (put back your wallpaper) and no harm done, but if you are not sure, then don't try except for the harmless payload and the source code.

Package:

https://mega.co.nz/#!EQgCEbYK!VssYEm...MngGxlsPFkKf7k

Stingered 02-12-2018 12:23

Quote:

Originally Posted by Aesculapius (Post 112222)
I took my time this weekend to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because its complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the windows wallpaper, close any instance of regedit and task manager. It will do it only once and terminate itself because I modified it to do so. The real sample, will continue to change back the wallpaper if you try to set it to your default one, closing task manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET nod32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it I discourage you from doing so, unless you are versed in malware analysis and in a safe controlled environment.

The recreated main payload source code is probably not 100% accurate if compared with the original source code but I'm pretty confident it should be very alike.

Again, this is only for people that know what they are doing, if by any chance you get infected, then restart your PC in safe mode and eliminate the sample from memory but if you are not sure, then don't try except for the harmless payload and the source code.

Package:

https://mega.co.nz/#!EQgCEbYK!VssYEm...MngGxlsPFkKf7k

A write-up would be awesome if you're up to it. Would be a nice read, I'm certain.

foosaa 02-13-2018 19:35

Yep. I agree. A write-up will surely be very good!!


All times are GMT +8. The time now is 19:01.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2024, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX