02-12-2018, 12:07
Aesculapius
Malware Sample analysis

I took my time these last weekends to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because it's complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc.), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the Windows wallpaper and close any instance of regedit and Task Manager. It will do it only once and terminate itself because I modified it to do so. The real sample will continue to change back the wallpaper if you try to set it to your default one, closing Task Manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET NOD32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it, I discourage you from doing so unless you are versed in malware analysis and in a safe, controlled environment.

The recreated main payload source code is probably not 100% accurate if compared with the original source code, but I'm pretty confident it should be very alike.

Again, this is only for people who know what they are doing. If by any chance you get infected, restart your PC in safe mode and simply eliminate the sample from memory and disk (put back your wallpaper), and no harm done; but if you are not sure, then don't try it, except for the harmless payload and the source code.


Last edited by Aesculapius; 02-12-2018 at 22:19.
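The behaviour the post describes (a process that kills Task Manager and regedit every few seconds and keeps resetting the wallpaper) is easy to spot from behavioural telemetry. The following is an added example, not code from the post or from the package it describes: a small triage heuristic in Python that runs over a constructed, simplified event format (the `kill` / `regset` line format, the process names and the timestamps are all assumptions made for illustration, not any vendor's real schema) and flags actors that repeat either action within a short window.

```python
"""
Behavioural triage heuristic for the pattern described in the post:
a process that repeatedly terminates user tools (Task Manager, regedit)
and keeps re-writing the wallpaper registry value.

Added example. The telemetry format below is constructed for this
example only and is not a real EDR or Sysmon schema.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed format):
#   <ISO timestamp> <kill|regset> actor=<image> target=<image or registry value>
SAMPLE_LOG = """\
2018-02-12T12:00:00 kill actor=payload.exe target=taskmgr.exe
2018-02-12T12:00:02 kill actor=payload.exe target=regedit.exe
2018-02-12T12:00:05 regset actor=payload.exe target=Control Panel\\Desktop\\Wallpaper
2018-02-12T12:00:07 kill actor=payload.exe target=taskmgr.exe
2018-02-12T12:00:09 regset actor=payload.exe target=Control Panel\\Desktop\\Wallpaper
2018-02-12T12:00:12 kill actor=payload.exe target=regedit.exe
2018-02-12T12:00:15 regset actor=payload.exe target=Control Panel\\Desktop\\Wallpaper
2018-02-12T12:01:00 kill actor=explorer.exe target=taskmgr.exe
2018-02-12T12:03:00 regset actor=explorer.exe target=Control Panel\\Desktop\\Wallpaper
"""

# Tools the post says the sample closes, and the wallpaper value it rewrites.
USER_TOOLS = {"taskmgr.exe", "regedit.exe"}
WALLPAPER_VALUE = "control panel\\desktop\\wallpaper"

LINE_RE = re.compile(r"^(\S+) (\S+) actor=(\S+) target=(.+)$")


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        match = LINE_RE.match(line)
        if match is None:
            continue  # ignore lines that do not fit the assumed format
        ts, kind, actor, target = match.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "kind": kind,
            "actor": actor.lower(),
            "target": target.strip().lower(),
        })
    return events


def repeated_within(times, window, threshold):
    """True if at least `threshold` timestamps fall inside any span of `window`."""
    times = sorted(times)
    j = 0
    for i, start in enumerate(times):
        # advance j to the first timestamp outside [start, start + window]
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= threshold:
            return True
    return False


def triage(text, window=timedelta(seconds=30), threshold=3):
    """Return {actor: [reasons]} for actors showing the repeated-kill /
    repeated-wallpaper-reset pattern. A single kill or a single wallpaper
    change (a user closing Task Manager, or changing their background)
    does not trip the heuristic."""
    kills = defaultdict(list)
    wallpaper = defaultdict(list)
    for ev in parse_events(text):
        if ev["kind"] == "kill" and ev["target"] in USER_TOOLS:
            kills[ev["actor"]].append(ev["ts"])
        elif ev["kind"] == "regset" and ev["target"] == WALLPAPER_VALUE:
            wallpaper[ev["actor"]].append(ev["ts"])

    findings = {}
    for actor in sorted(set(kills) | set(wallpaper)):
        reasons = []
        if repeated_within(kills[actor], window, threshold):
            reasons.append("repeatedly kills user tools")
        if repeated_within(wallpaper[actor], window, threshold):
            reasons.append("repeatedly resets wallpaper")
        if reasons:
            findings[actor] = reasons
    return findings


if __name__ == "__main__":
    for actor, reasons in triage(SAMPLE_LOG).items():
        print(f"{actor}: {'; '.join(reasons)}")
```

The window and threshold are deliberately loose (three events in 30 seconds) so that a user who closes Task Manager once, or changes their wallpaper once, is not flagged; only the loop-like behaviour the post describes trips the rule. On real telemetry you would map `kill` and `regset` onto whatever process-termination and registry-write events your sensor actually records.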