2.3 KiB
layout, permalink, title
| layout | permalink | title |
|---|---|---|
| default | /RE101/section5/ | Static Analysis |
Go Back to Reverse Engineering Malware 101
Section 5: Static Analysis
LAB 2
Possible Packer?
Notice in CFF explorer that there is UPX in the header.
When you open the executable in IDA, you will notice large section of non-disassembled code.
Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
Reopen the executable in IDA.
The next step is getting a sense as to what the program is doing. So far we can assume:
- This exe is connecting to the internet somehow
- This exe is using a string encryption function
- This exe might be spawning a shell
Navigate to the String window.
Here is an interesting string that we should start with:
Using the X key we can jump to the reference of that string in the assembly code.
This function is offset 00401340. Notice in that function is setting a registry key using Window API RegOpenKeyEx.
We should rename this function SetRegkey.
Jump up to the calling function using X on SetRegkey. Scroll up until you see some interesting API.
Notice it's calling InternetOpen which opens a HTTP session.
This function call has the following arguments:
HINTERNET InternetOpen(
_In_ LPCTSTR lpszAgent, //URL
_In_ DWORD dwAccessType,
_In_ LPCTSTR lpszProxyName,
_In_ LPCTSTR lpszProxyBypass,
_In_ DWORD dwFlags
);
