Unpacking Emotet / Geodo (Stage 1) Using x64dbg - Subscriber Request

  Рет қаралды 26,117

OALabs

OALabs

Күн бұрын

Пікірлер: 66
@OALABS
@OALABS 6 жыл бұрын
In the description of the video we mixed up the unpacked hash with the packed hash. That has been fixed now, but just to clarify: Packed sample sha256: c41cbad1ee87b9156c389962608cf25570ca176903b299cb3415f3fc3a23ebbe Unpacked stage1 sha256: c3f43896913c17f91c0d95924ac426e89928b8eef93da7dc107a7a0891c7a860 Both of these can be downloaded from malshare by signing up for a free account.
@strugglingforlifesodouble7046
@strugglingforlifesodouble7046 4 жыл бұрын
j u s t b a s e 64 d e c o d e this: IzQxOGZhNzQ5YSBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM0MThmYTc0OWE=
@strugglingforlifesodouble7046
@strugglingforlifesodouble7046 4 жыл бұрын
j u s t b a s e 64 d e c o d e this: IzdkNzdkN2RhOCBJIGhhdmUgYSBwcm9ibGVtIHVucGFja2luZyB0aGlzIHByb2dyYW0uIElmIHlvdSBjYW4gdW5wYWNrIHRoaXMgaSBjYW4gZ2l2ZSB5b3UgNTAgZG9sbGFycyEgSGVyZSB0aGUgcHJvZ3JhbTogaHR0cDovL3d3dy5tZWRpYWZpcmUuY29tL2ZpbGUvMjlzZm9uNXJuMWljdHkzL3RhcmdldC43ei9maWxlICM3ZDc3ZDdkYTg=
@EnduranceT
@EnduranceT 6 жыл бұрын
@OALabs, glad I asked, I would never have just figured all that out especially with the unmapping and mapping of the PE file. I was aware of the fact that the PE file gets mapped into memory, but not consciously thinking about it like you showed here in regards to dumping a file. This is the kinda stuff where I'd be like "wtf why are there zeroes here" and probably eventually give up. Also, thanks for the CreateProcessInternalW tip, I think you brought it up before but sounds like I really need that hammered into my head. Thank you so much for doing this video, this channel is is great. You guys deserve a 32 pack of beer at least.... Probably more like 50.
@OALABS
@OALABS 6 жыл бұрын
Glad you enjoyed the video! Thanks again for the neat sample to look at, you always have great questions and suggestions. We really appreciate the support! Thanks!
@ousarlxsfjsbvbg8588
@ousarlxsfjsbvbg8588 3 жыл бұрын
@@OALABS hey, I know it’s been three years but I have a dilemma. I’m trying to unpack a program which does not create a child process (as far as I can tell, at least). It’s a console application and conhost.exe always launches when the program is run, but I don’t think it’s the program creating that? I’m not sure. My question is, does the CreateProcess trick only work if the program creates a child process to load the unpacked code into? Whenever I try to set a breakpoint on CreateProcessW or CreateProcessInternalW, it never hits it, which leads me to believe it doesn’t use the function at all. Yet, I’m not sure what to think about the fact that it launches the console to display text and get input from the user, does that not count as a child process and would it not use CreateProcess in some form to launch conhost?
@LearnThenTeach
@LearnThenTeach 6 жыл бұрын
Amazing video! So information packed!
@EvilSapphireR
@EvilSapphireR 5 жыл бұрын
This is awesome stuff! Love that I'm understanding more and more with each view of your video. Please keep this up man!
@OALABS
@OALABS 5 жыл бұрын
Hey that's awesome to hear, thanks for the encouragement! We have some more in-depth reversing stuff planned for this year so stay tuned : )
@Ivzbel
@Ivzbel 6 жыл бұрын
I just found your channel and thank you very much for posting this great content! I hope too see alot more videos. Thanks again!
@andylockhart257
@andylockhart257 6 жыл бұрын
Just awesome! Can’t wait for the next one!
@AnuragGawande
@AnuragGawande 4 жыл бұрын
Superb video!! Thank you.
@vallabhchole
@vallabhchole 6 жыл бұрын
Please do video on latest emotet sample.on all stages.. Thanks
@kharbandaumang
@kharbandaumang 3 жыл бұрын
This was insane... I am new to malware analysis and it is just mind blowing !!! Just unpacking takes this much effort !!! I have got to do work hard!!! 😀😀😀
@OALABS
@OALABS 3 жыл бұрын
Thats why we built www.unpac.me/ : ))
@tea-noodle
@tea-noodle 5 жыл бұрын
I love this video, and I would love to see further analysis. I'm a junior malware analyst, and this gives me some great techniques to try in the future. I'm trying to validate a MWCP for emotet, and it would be great to see how to circumvent it's antidebug/antivirtualizaiton for peace of mind. Looking forward to future videos on this malware.
@OALABS
@OALABS 5 жыл бұрын
Thanks! Awesome to hear you enjoyed the tutorial. There is some amazing in-depth analysis of Emotet from our friend d00rt that you might enjoy here github.com/d00rt/emotet_research
@boomermayne
@boomermayne 3 жыл бұрын
Great video. Did you end up making a part 2 to this series @OALabs? I can't find it on your channel.
@OALABS
@OALABS 3 жыл бұрын
No this was for unpacking stage 1 of the malware. Stage 2 would be the modules and so much ash changed that I don't think it would be as applicable now. If emotet remains active now that it has returned we may look into making a updated version of this.
@boomermayne
@boomermayne 3 жыл бұрын
@@OALABS Got it, appreciate the response. Great content overall, I subscribed.
@nikhilyeole3796
@nikhilyeole3796 6 жыл бұрын
Hey, it is much helpful. waiting for stage2 of it
@qwertui_
@qwertui_ 4 жыл бұрын
Hey, thanks a lot for the videos ! Kinda late to ask this question but I can't get why would the malware need the executable flag on that memory section if it is executed in another process which it creates. Is it because it uses memory mapping or something ?
@OALABS
@OALABS 4 жыл бұрын
That is a really good question, and something that I should have explained better. So this packer actually unpacks and self-injects the payload PE. Then the injected payload makes the copy of the file and executes it (as a way to hide I guess). So when we break on CreateProcessInternalW we are looking for the self-injected PE, not a PE that is mapped into a new process. In other videos we cover packers where the PE is going to be written into a remote process and in those you will see we don't look for ERW sections since the payload doesn't need to be executable, as you correctly pointed out.
@Iamrkapoor
@Iamrkapoor 3 жыл бұрын
Thanks for this wonderful video @OALabs. great learning, I couldn't do hands on though. When i add the BP for CreateprocessInternalW() , and running it , it pauses at Entrypoint and then when I run it again, debugger shows Exception_access_violation. Could you please help how to fix this ?
@dave5623
@dave5623 6 жыл бұрын
I've tried following along as best as I can but I seem to hit an error when attempting to fix the imports using the pyiatrebuild.py tool. I set the section headers such that the raw addresses have the virtual address values, set the Image Base to match that from where I pulled it from memory, dumped that to disk, and then tried using the pyiatrebuild.py tool and set the --base_address argument to be the Image Base value (in decimal) and the --oep argument to be the Entry Point + Image Base (in decimal) but I get a stack trace indicating that imports have not been found, like this: c:\Users\user\Desktop>python PyIATRebuild-master\pyiatrebuild.py rebuild "bad - copy_00100000_aligned.bin" "bad - copy_00100000_aligned_fixed.bin" --pid 884 --b ase_address 1048576 --oep 1063170 WARNING: warning null reldesc Traceback (most recent call last): File "PyIATRebuild-master\pyiatrebuild.py", line 652, in main() File "PyIATRebuild-master\pyiatrebuild.py", line 644, in main new_pe_data = rebuild_iat(args.in_pid, pe_data, args.in_base_address, args.i n_oep) File "PyIATRebuild-master\pyiatrebuild.py", line 245, in rebuild_iat imp_table = reslove_iat_pointers(pid, iat_ptrs) File "PyIATRebuild-master\pyiatrebuild.py", line 169, in reslove_iat_pointers assert len(imp_table) != 0, "Unable to find imports in code!" AssertionError: Unable to find imports in code! At 8:30 you mention turning off relocations, but I don't think there was an explicit step shown where that happens. Any idea if I missed something?
@OALABS
@OALABS 6 жыл бұрын
Hmm, so that looks like winappdbg is unable to resolve the pointers to API names. Unfortunately that could mean a few different things... If you are running this on a 64bit host winappdbg may be having issues resolving the APIs, I vaguely remember having a similar problem. Probably the easiest way to troubleshoot is to add a print iat_ptrs statement on line 153 in pyiatrebuild.py then run the script again and use x32dbg to verify that the iat_ptrs addresses actually point to APIs. If they do then you know that winappdbg is broken somehow. If they don't then maybe there is a bug in our call_scan function. Troubleshooting blindly in KZbin comments leaves something to be desired : ) If you want just send us an email (link on our website) and I can follow up.
@OALABS
@OALABS 6 жыл бұрын
Oh also good point about turning off relocations. That won't cause the issue you are seeing here but it may be important for extracting other PE files (DLLs) in the future. This article explains the concept will.io/blog/2013/05/31/disable-aslr/ and you can achieve this quickly using something like pefile for python. pe = pefile.PE(data=pe_data, fast_load=True) IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040 pe.OPTIONAL_HEADER.DllCharacteristics &= ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE pe_data_fixed = str(pe.write())
@robinhellsten8903
@robinhellsten8903 6 жыл бұрын
Also got "Unable to find imports in code!" . Installing 32-bit version of python solved the issue.
@alifayyaz851
@alifayyaz851 2 жыл бұрын
I executed packed Malware, got the memory dump, extracted exe using procdump but the recovered exe was packed ! How I got it unpacked
@PumpiPie
@PumpiPie 5 жыл бұрын
Can you make a video on bypassing anti debug?
@OALABS
@OALABS 5 жыл бұрын
Hey saw your comment on our other tutorial, responded there. It's a good idea : ))
@PumpiPie
@PumpiPie 5 жыл бұрын
@@OALABS :) It had been very nice :D
@badactors6299
@badactors6299 5 жыл бұрын
Are you serious? You are clearly trying to make malware. Why else would you want to bypass anti debug? "Scammer alert"
@cherifaly6757
@cherifaly6757 6 жыл бұрын
This is a very deep and serious reverse engineering video.. I would really love to know.. how did you know all this stuff? , what classes did you attend? or what book did you read? Am really curious!!! Thank you!
@OALABS
@OALABS 6 жыл бұрын
Thank you very much, it's always great to hear when folks find our tutorials interesting : )) As for our backgrounds I've replied to a few questions about this and maybe we will make an "about us" video in the future but there is nothing really exciting about our backgrounds. Personally I was a developer first, and I am just very curious about how things work, always have been. So that progressed into more and more reverse engineering. It's still fascinating to me to explore how applications are designed and figure out what makes modern systems work. As for the resources I used to learn how to reverse engineer, the simple answer is everything I could find on the Internet. Back when I was first learning there wasn't a ton of information like there is today... it was mostly the cracking community and some forums so that is where I spent my time. Things are really different today, there are tons of free online resources. If you are motivated and you have the time all the info is there ... anything from very formal training opensecuritytraining.info/IntroductionToReverseEngineering.html all the way to the videos that we produce here. A big part of why we make these videos is because these are the types of tutorials that we wish had been around when we were first learning. The same for the amazing tutorials from Hasherezade kzbin.info/door/NWVswPNgn5kutPNa5sprkg, Karsten kzbin.info/door/VFXrUwuWxNlm6UNZtBLJ-A, Todd kzbin.info/door/SLlgiYtOXZnYPba_W4bHqQ, Colin kzbin.info/door/ND1KVdVt8A580SjdaS4cZg, and LiveOverflow kzbin.info/door/lcE-kVhqyiHCcjYwcpfj9w. If you have questions about specific topics you want to learn let us know and we will cover them in a video. Anything to do with reversing really... except maybe how to unpack themida ; ) Just let us know!
@chenerlich6596
@chenerlich6596 6 жыл бұрын
Awesome stuff man!! Quick question: When you aligned the sections, why didn't you copy the virtual size to the raw size, as you did with the addresses?
@OALABS
@OALABS 6 жыл бұрын
This is a great point! You may have seen me doing this in other videos where I alter both the virtual address size and the raw address size to fill the entire space between the current section start and the next section start. I don't think you need to do this as the original sizes will still accurately represent the size of the actual data that matters in each section, and most tools (and the windows loader) will be unaffected by the size not accurately reflecting what is in the file. However, I usually do adjust the size because I feel it is more accurate, I just didn't in this case because I was lazy or forgot : ) So in short, you don't need to adjust that size but usually I do.
@cherifaly6757
@cherifaly6757 6 жыл бұрын
I put a break point on createprocessinternalw, and hit run, but the program terminated.. What might be the problem?🤔
@OALABS
@OALABS 6 жыл бұрын
Interesting... when you look in the "Breakpoints" tab is the breakpoint listed there as enabled? If it's enabled there I'm not sure what else to suggest without more info go on?
@cherifaly6757
@cherifaly6757 6 жыл бұрын
OALabs yes I can see the breakpoint in the breakpoint section as enabled .. But still not sure why it terminated. I also have another question, how can I turn the dumbed '.bin' file to a working '.exe' file?
@TheEndoplazmik
@TheEndoplazmik 6 жыл бұрын
Hi, I know that is too late but I also got the same problem. I had a Win10 virtual machine and program terminated. After that I think that there may be a virtual machine protection on that sample. I simply followed oalabs malware lab reference and installed win7. Now it works fine and I can follow video instructions.
@DmytriE
@DmytriE 6 жыл бұрын
How do you know if an injected file has a well defined file which inserted it?
@OALABS
@OALABS 6 жыл бұрын
That's a good question, but unfortunately it really just comes down to searching in memory after each hit on your breakpoints. There are ways to speed this up and even automate it that we may cover in later videos. But if you are doing it manually it's just the same process we show here.
@debnathmriganka2010
@debnathmriganka2010 4 ай бұрын
Hello can you help me one thing sir, i got a massage fro Detect it easy : Packer: Packer detected(Heuristic)[Imports like eXPressor (v1.4.5.X) + Strange overlay], can you best way to unpack this exe file using x64dbg or any automatic unpacker. Please help me sir.
@simpleman8556
@simpleman8556 6 жыл бұрын
Thank you for the great video :-).
@moxo5092
@moxo5092 6 жыл бұрын
can you pls share the url to download the sample? thx!
@OALABS
@OALABS 6 жыл бұрын
Hi Marc, the link to the sample is in the description of the video. You will need to sign up for a free account with malshare and they will give you an API key. You can then go to the "pull sample" page and submit the hash with your new API key and pull the sample. P.S. I'm a huge fan of the work you do, it's awesome to know that you watch our videos thanks : )))
@OALABS
@OALABS 6 жыл бұрын
Oops in the description of the video I mixed up the unpacked sample hash with the packed sample. It's fixed now... sorry about that : (
@thecatfromrio
@thecatfromrio 5 жыл бұрын
This is great but... how the hell do we get rid/prevent this infection? Can I kindly ask that you posted something about that? I'm dealing with this infection right now and I don't know how to get rid of it. Thank you.
@OALABS
@OALABS 5 жыл бұрын
Unfortunately we cannot provide support for removing malware or dealing with malware infections in our comment section. We only cover reverse engineering on this channel. However I can point you to the BleepingComputer forum where they will be more than happy to help www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-help/ Good luck!
@danijassm1399
@danijassm1399 3 жыл бұрын
How Unpacking Obsidium v1.5.4.x
@gwnbw
@gwnbw 5 жыл бұрын
Doesnt work in w10, it doesnt create a child process and skips the CreateInternalProcessW breakpoint
@OALABS
@OALABS 5 жыл бұрын
Hey this might not be the answer you are looking for but we highly recommend debugging using a Win7 VM, and Win7 x86 if the malware PE is 32bit. The later versions of Windows introduced a lot of junk that you need to disable/configure before you have a decent debugging VM. We even have some instructions on how to get a free copy etc. oalabs.openanalysis.net/2018/07/16/oalabs_malware_analysis_virtual_machine/
@benjaminb1337
@benjaminb1337 5 жыл бұрын
renaming it to fun fun wont do anything when we want anti we search for the window name not the executable title
@OALABS
@OALABS 5 жыл бұрын
Lol very true. The better anti-analysis packers enumerate the windows names instead of just the process list but they are less common so this usually works. I guess we could patch out the binary if we really needed to but in my experience it's rare. Great point though! Definitely something to be aware of : )
@rick.prime137
@rick.prime137 Жыл бұрын
thx
@rm8582
@rm8582 6 жыл бұрын
Great vid, really liked the way you explain things. Can't wait to see your next vid. Btw do you analyse .NET files too? Specially confuserEx packed ones.
@OALABS
@OALABS 6 жыл бұрын
Thanks : ) We will keep an eye out for an interesting .NET sample to analyze but in the mean time I would recommend the tutorial videos over at the MalwareAnalysisForHedgehogs channel. I've personally learned a ton from from the ones on .NET kzbin.info/www/bejne/hWS2XoBoo6Z-o6c kzbin.info/www/bejne/ZnW5YpWeo9OCr68
@scavenger4813
@scavenger4813 5 жыл бұрын
Your intro music is joss
@0xfrijolito
@0xfrijolito 3 жыл бұрын
rip emotet
@OALABS
@OALABS 3 жыл бұрын
👊👊👊💯
@PumpiPie
@PumpiPie 5 жыл бұрын
Unpacking Bokbot / IcedID Malware - Part 1
15:58
OALabs
Рет қаралды 12 М.
1% vs 100% #beatbox #tiktok
01:10
BeatboxJCOP
Рет қаралды 67 МЛН
Don’t Choose The Wrong Box 😱
00:41
Topper Guild
Рет қаралды 62 МЛН
IL'HAN - Qalqam | Official Music Video
03:17
Ilhan Ihsanov
Рет қаралды 700 М.
Three and a half ways to unpack malware using Ollydbg
14:21
cybercdh
Рет қаралды 30 М.
How to Crack Software (Reverse Engineering)
16:16
Eric Parker
Рет қаралды 815 М.
Reversing Malicious Office Document (Macro) Emotet(?)
23:25
Working with UPX - Manual Unpacking with IDA Pro, x32dbg and Scylla
19:57
Dr Josh Stroschein - The Cyber Yeti
Рет қаралды 11 М.
The King Of Malware is Back
19:27
John Hammond
Рет қаралды 192 М.
1% vs 100% #beatbox #tiktok
01:10
BeatboxJCOP
Рет қаралды 67 МЛН