mirror of
https://github.com/aljazceru/securedorg.github.io.git
synced 2026-01-11 18:24:28 +01:00
49 lines
1.7 KiB
Markdown
49 lines
1.7 KiB
Markdown
---
|
|
layout: default
|
|
permalink: /RE101/section5/
|
|
title: Static Analysis
|
|
---
|
|
[Go Back to Reverse Engineering Malware 101](https://securedorg.github.io/RE101/)
|
|
|
|
# Section 5: Static Analysis #
|
|
|
|
## LAB 1
|
|
|
|
### Possible Packer?
|
|
Notice in CFF explorer that there is UPX in the header.
|
|
|
|
|
|
When you open the executable in IDA, you will notice large section of non-disassembled code.
|
|
|
|
|
|
Because UPX is a common packer, the unpacker is already built in to CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.
|
|
|
|
|
|
### Reopen the executable in IDA.
|
|
|
|
The next step is getting a sense as to what the program is doing.
|
|
So far we can assume:
|
|
* This exe is connecting to the internet somehow
|
|
* This exe is using a string encryption function
|
|
* This exe might be spawning a shell
|
|
|
|
---
|
|
|
|
Navigate to the **String** window.
|
|
|
|
Here is an interesting string that we should start with:
|
|
|
|
|
|
Using the **X** key we can jump to the reference of that string in the assembly code.
|
|
|
|
|
|
This function is offset **00401340**. Notice in that function is setting a registry key using Window API [RegOpenKeyEx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms724897%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396).
|
|
|
|
We should rename this function **SetRegkey**.
|
|
|
|
---
|
|
|
|
|
|
|
|
[Section 4 <- Back](https://securedorg.github.io/RE101/section4) | [Next -> Section 6](https://securedorg.github.io/RE101/section6)
|