Go Back   Exetools > General > Source Code


Thread Tools Display Modes
Prev Previous Post   Next Post Next
Old 02-12-2018, 12:07
Aesculapius Aesculapius is offline
Join Date: Jun 2016
Location: USA
Posts: 143
Rept. Given: 1
Rept. Rcvd 43 Times in 28 Posts
Thanks Given: 23
Thanks Rcvd at 453 Times in 118 Posts
Aesculapius Reputation: 43
Malware Sample analysis

I took my time these last weekends to evaluate a malware sample that was handed to me for that purpose. I took interest because it is packed with Shielden. Although I haven't finished the characterization because its complex and fully VMed, I've been able to unpack, de-virtualize, decompile, retrieve some of the resources, create the pseudocode and recreate the main payload.

The package contains the original sample, the compiled payload (some nasty stuff removed, like persistence in memory, blocking user tools, etc), some recovered resources, and the recreated main payload source code.

You can run the attenuated payload, which will only change the windows wallpaper, close any instance of regedit and task manager. It will do it only once and terminate itself because I modified it to do so. The real sample, will continue to change back the wallpaper if you try to set it to your default one, closing task manager and regedit every few seconds to block any termination attempts. It will also partially cripple ESET nod32 (which will eventually close itself).

The original sample also deploys several files which I'm still studying. All are VMed. Although no information is lost by running it I discourage you from doing so, unless you are versed in malware analysis and in a safe controlled environment.

The recreated main payload source code is probably not 100% accurate if compared with the original source code but I'm pretty confident it should be very alike.

Again, this is only for people that know what they are doing, if by any chance you get infected, then restart your PC in safe mode and simply eliminate the sample from memory and disk (put back your wallpaper) and no harm done, but if you are not sure, then don't try except for the harmless payload and the source code.



Last edited by Aesculapius; 02-12-2018 at 22:19.
Reply With Quote
The Following 2 Users Say Thank You to Aesculapius For This Useful Post:
Stingered (02-12-2018), Zipdecode (02-26-2018)

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Similar Threads
Thread Thread Starter Forum Replies Last Post
ahk malware analysis dion General Discussion 0 12-20-2021 08:50

All times are GMT +8. The time now is 23:29.

Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2022 )