A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #17355  by Buster_BSA
 Sun Dec 23, 2012 11:57 am
I have tried to dump the malware from this thread http://www.kernelmode.info/forum/viewto ... =21&t=2288 but the dumped binary does not contain the code.

I tried dumping with my own code and with this program http://code.google.com/p/mdmp/. None of them dumped correctly.

Why does it happen?

In this article http://blogs.avg.com/news-threats/anti- ... r-malware/ it is said:

"The malicious code itself is protected by double packer layers. The top one is some custom cryptor which executes several anti emulation tricks such as calling rare API functions and decrypting the MPress packed executable to its own memory. After unpacking this inner MPress packer, we finally get the malicious code."

I guess I should be dumping another memory area, but how do I notice that?
 #17356  by EP_X0FF
 Sun Dec 23, 2012 2:18 pm
What do you want to dump? The usual process dumper relies on PE header information, such as the base address and size of image: the base address of the original image and the size of the original image.

There are no strings inside because the actual bot is entirely built on hash use and calls all required routines by their pointers instead of using the Import table directly.

There are 3 layers in this dropper.

First - a primitive crypter. To unpack it, set a breakpoint in the debugger on VirtualAllocEx -> @ContainerAddress = kernel32!VirtualAllocEx (in my case it was the 0x00B80000 region), trace after the call with ERW flags; it will dexor (whatever) the container in @ContainerAddress and then call the second stage.

Second - MPRESS v2.18 running from @ContainerAddress. Unpacking MPRESS is somewhat similar to unpacking the previous one. Result = an allocated memory region with ERW flags and the decompressed payload. Next, control goes to the third layer.

Third - the actual malware running from the MPRESS-allocated region (again different from the original imagebase). Here all the AntiVM tricks are executed.

This itself is Backdoor:Win32/Caphaw.D
Attached is the MPRESS binary extracted from the 1st layer. Decompress it and you will have the real malware.


Use PETools or LordPE; they both can dump regions.
mdump, I don't know wtf that is honestly.
Attachments
pass: malware
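For the question of how to recognise which region to dump, here is an added example (not code from the thread or from any of the dumpers named in it) that selects committed, private, ERW regions the way a region dumper would, then rewrites the section headers of a dumped region so that raw offsets match virtual addresses, the kind of header fix needed before a memory dump opens in a PE tool. The region records, the constants and the minimal PE header are constructed; `Region`, `dump_candidates` and `fix_raw_layout` are names chosen here, and on a live process the records would be filled from VirtualQueryEx/ReadProcessMemory.

```python
import struct
from collections import namedtuple

# winnt.h values a dumper sees in MEMORY_BASIC_INFORMATION
MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE = 0x1000, 0x20000, 0x40
# One VirtualQueryEx result plus the bytes read from the region start (constructed here)
Region = namedtuple("Region", "base size state protect mem_type data")

def nt_header_offset(data: bytes):
    """e_lfanew if data starts with a DOS header pointing at 'PE\\0\\0', else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew

def dump_candidates(regions):
    """Committed, private, ERW regions (not image-backed): the shape of an unpacker's
    VirtualAlloc buffer. Returns (base, size, starts_with_pe_header) per hit."""
    return [(r.base, r.size, nt_header_offset(r.data) is not None)
            for r in regions
            if r.state == MEM_COMMIT and r.mem_type == MEM_PRIVATE
            and r.protect == PAGE_EXECUTE_READWRITE]

def fix_raw_layout(dump: bytes) -> bytes:
    """A region dump has sections at their virtual addresses, but file parsers use
    PointerToRawData/SizeOfRawData. Rewrite each section header so raw == virtual."""
    pe = nt_header_offset(dump)
    if pe is None:
        raise ValueError("no PE header at region start")
    nsec = struct.unpack_from("<H", dump, pe + 6)[0]
    opt_size = struct.unpack_from("<H", dump, pe + 20)[0]
    out = bytearray(dump)
    for i in range(nsec):
        off = pe + 24 + opt_size + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        vsize, vaddr = struct.unpack_from("<II", out, off + 8)
        struct.pack_into("<II", out, off + 16, vsize, vaddr)
    return bytes(out)

def constructed_pe32_dump() -> bytes:
    """Minimal one-section PE32 as it sits in memory; raw pointers still file-style (constructed)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)
    sec = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sec).ljust(0x2000, b"\0")
```

A region without a PE header at its start (the second candidate below) is still worth dumping as raw bytes, since the header may sit deeper in the buffer or have been wiped; the raw-layout fix only applies once a header is found.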
 #17372  by SmilingWolf
 Wed Dec 26, 2012 12:05 pm
Attached there is the semi-final stage. The first CALL EAX will take you to the real malware that I've been unable to dump because of the IAT redirection.
Attachments
pass: infected
 #17417  by EP_X0FF
 Fri Dec 28, 2012 11:10 am
EP_X0FF wrote:Third - the actual malware running from the MPRESS-allocated region (again different from the original imagebase). Here all the AntiVM tricks are executed.

This itself is Backdoor:Win32/Caphaw.D
Attached is the MPRESS binary extracted from the 1st layer. Decompress it and you will have the real malware.


Unpacked MPRESS is attached.
https://www.virustotal.com/file/0a6e8fc ... /analysis/
Attachments
pass: malware
 #17815  by frame4-mdpro
 Tue Jan 22, 2013 9:38 pm
skeptre wrote:Hi,

Is it possible to get more samples of the new variant of Shylock?
There is already a sample uploaded in http://www.kernelmode.info/forum/viewto ... =21&t=2441 but wanted to check if there are more samples available.

Just have the MD5 of current sample to go by: 8fbeb78b06985c3188562e2f1b82d57d.

Thanks
Et voilà :)
Attachments
Password: infected
 #18452  by Horgh
 Wed Mar 06, 2013 5:42 pm
Backdoor:Win32/Caphaw.D aka Shylock