olzmn.blogg.se

Xtreme rat 3.5 password

We received an email with an invoice from Apple (in French). Of course we never bought anything from Apple!!!! But when we hover the mouse over the link we can see the real link:

We think that the website "" was compromised and the attacker put the malware on it. We sent an email to the administrator and we have had no feedback for the moment.

Tools used: a debugger for dynamic analysis (in our case OllyDbg), and Volatility to analyse the memory dump.

First binary: yara -r packer.yara Facture147778.pdf\ \ \ \ \ \ \ \ \ \ \ \.scr identifies it as a Microsoft .NET executable. To trick the user, the attacker adds several spaces before the .scr extension, so some users may think that the file is really a .pdf.

With the strings command, we find something that looks like base64. Decoding it gives a second executable:

cat base64.dmp | base64 -d > base64.out
file base64.out
base64.out: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

We use yara to identify the binary (yara -r packer.yara binary): it doesn't use a well-known packer.

We were surprised by a lot of exceptions when we tried to debug the sample. In fact this malware voluntarily raises and traps exceptions in order to unpack itself. So as usual, we add breakpoints on the VirtualAlloc & VirtualAllocEx calls (right click on kernel32.dll -> View names). A lot of exceptions must be passed. Now the application breaks at kernel32.VirtualAllocEx. Execute the binary until the next RET with Ctrl+F9. Now we can see the allocated address of the memory in the EAX register: 0x40B61B.
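The strings-then-base64 step above can be automated for triage. The following is an added example, not code from the original post: it scans a blob for long base64 runs, decodes each one, and checks for an MZ stub and a PE signature at e_lfanew, reporting the Machine field so a 32-bit payload like the one above shows up as 0x14C. The embedded input is a constructed minimal PE header, not the post's real payload.

```python
import base64
import binascii
import re
import struct

# Long runs of base64 alphabet characters, optionally padded, as `strings` would print them.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(data: bytes):
    """Return (is_pe, machine): MZ stub, PE signature at e_lfanew, then the Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, None
    return True, struct.unpack_from("<H", data, e_lfanew + 4)[0]

def find_embedded_pe(blob: bytes):
    """Decode every long base64 run in blob; report the ones that decode to a PE image."""
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)          # tolerate padding stripped by `strings`
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue                            # not valid base64 after all
        is_pe, machine = looks_like_pe(decoded)
        if is_pe:
            hits.append({"offset": m.start(), "size": len(decoded), "machine": machine})
    return hits

# Constructed test input (not the real dropper): a minimal fake PE header, base64-encoded
# and surrounded by ordinary strings, standing in for the blob seen in the .NET binary.
def _fake_pe() -> bytes:
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)     # e_lfanew -> PE header at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x14C)    # IMAGE_FILE_MACHINE_I386 (32-bit)
    return bytes(hdr)

SAMPLE_BLOB = b"Facture147778.pdf\0" + base64.b64encode(_fake_pe()) + b"\0Microsoft .NET\0"

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_BLOB):
        print(f"base64 PE at offset {hit['offset']}, {hit['size']} bytes, machine 0x{hit['machine']:04X}")
```

Run it against the output of strings on a suspicious binary to find dropped PE payloads before opening a debugger.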