Unpacking Malware: Dridex

Dridex is malware that has long targeted the financial sector in attempts to steal user credentials and compromise individuals. It targets individuals with phishing emails carrying Microsoft Office attachments that embed malicious macros, which download an additional payload to carry out the authors' objectives. Since Dridex's first-stage malware is typically packed, we'll uncover how to unpack it and then continue with analysis of the subsequent stages.
Acquiring the Malware Sample

Here's the hash of the malware sample we'll be using for the unpacking:...
Chapters Eight and Nine focused on dynamic analysis of programs. Once the basics were out of the way in Chapter Eight, we shifted focus to using OllyDbg to fulfil our dynamic analysis objectives. Let's get to solving the problems from this chapter!
Exercise 1

| Hash | Name |
|------|------|
| b94af4a4d4af6eac81fc135abda1c40c | Lab09-01.exe |
| d6356b2c6f8d29f8626062b5aefb13b7fc744d54 | Lab09-01.exe |
| 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859 | Lab09-01.exe |

Preface: Analyze the malware found in the file Lab09-01....
Chapter Seven focused on analyzing programs which are designed to run on the Windows operating system and make use of the Windows API exposed to developers to interact with the system, its kernel, and other resources available to the user.
Exercise 1

| Hash | Name |
|------|------|
| c04fd8d9198095192e7d55345966da2e | Lab07-01.exe |
| 86ee262230cbf6f099b6086089da9eb9075b4521 | Lab07-01.exe |
| 0c98769e42b364711c478226ef199bfbba90db80175eb1b8cd565aa694c09852 | Lab07-01.exe |

Analyze the malware found in the file Lab07-01....
Chapter Six focused on code constructs and how analysts can easily identify them when walking through the disassembly in IDA. Let’s take a look at the exercises now.
Exercise 1

| Hash | Name |
|------|------|
| 6abde2f83015f066385d27cff6143c44 | Lab06-01.exe |
| 536e6f91d4515e30af7afd37f22c213fee152126 | Lab06-01.exe |
| fe30f280b1d0a5e9cef3324c2e8677f55a6202599d489170ece125f3cd843a03 | Lab06-01.exe |

Question Number 1: What is the major code construct found in the only subroutine called by main?

Let's get to work....
Let's dig into a (potentially) malicious document and see what indicators it leads us to.
| Hash | Name |
|------|------|
| 499b2d5a07fbcfbc8a6ec124c14efde7 | ordain-08.21.doc |
| fedbbc359e03b17bd7866a31283c3ff87cc693e4 | ordain-08.21.doc |
| 331742a3835a6634e1331be491a789f7e5ddcefc6a30b7965dbf970d214b36d4 | ordain-08.21.doc |

Download: You can acquire this sample from MalwareBazaar
Initial Analysis

Let's first unzip the file with MalwareBazaar's standard password: infected [PS: I'm going to rename the file for sanity's sake]
Once done, we can check to see what file type we’re dealing with: file Ordain....