securedorg.github.io/static.md
Amanda Rousseau f43ad5228a lab 2
2017-03-23 22:44:49 -07:00

---
layout: default
permalink: /RE101/section5/
title: Static Analysis
---

Go Back to Reverse Engineering Malware 101

Section 5: Static Analysis

LAB 2

Possible Packer?

Notice in CFF Explorer that there is UPX in the header.

When you open the executable in IDA, you will notice a large section of non-disassembled code.

Because UPX is a common packer, the unpacker is already built into CFF Explorer. Unpack and save the file with a name that identifies it as unpacked.

Reopen the executable in IDA.

The next step is getting a sense of what the program is doing. So far we can assume:

  • This exe is connecting to the internet somehow
  • This exe is using a string encryption function
  • This exe might be spawning a shell

Navigate to the String window.

Here is an interesting string that we should start with:

Using the X key we can jump to the reference of that string in the assembly code.

This function is at offset 00401340. Notice that this function is setting a registry key using the Windows API RegOpenKeyEx.

We should rename this function SetRegkey.


Section 4 <- Back | Next -> Section 6