Unpacking Gootkit Malware With IDA Pro and X64dbg - Subscriber Request
Update: 2018-03-04
Description
Open Analysis Live! We use IDA Pro and x64dbg to unpack a recently packed Gootkit malware (stage1). This was a subscriber request asking us to determine how this was packed. Video bookmarks to skip ahead...
- Deobfuscating strings with IDA Python 5:15
- Identify anti-analysis tricks after string deobfuscation 9:03
- Mutex trick 14:40
- CreateFile ShareMode trick 17:33
- Fully unpacking with x64dbg 20:25
- Searching for PE in memory using x64dbg 23:24
- Carving PE files from a memory dump with a hex editor 26:24
- Final overview of the whole process 27:59
Packed sample:
Sha256:
38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
https://malshare.com/sample.php?action=detail&hash=e561ae3cedb6f9fc0ecff559c62788b0
Unpacked Gootkit (stage 1):
Sha256: e61082d8f711d775b5c427af649c64ab50fac695f334720dca467598c5817b7a
https://malshare.com/sample.php?action=detail&hash=691c71e5b3d72835730b2db5e60b28cc
x64dbg:
https://x64dbg.com/#start
IDA:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Packer string decryption script (IDAPython):
https://gist.github.com/herrcore/473133aa1387ed0b08a67d1a221b5b09
Tutorial examining the CreateFile share anti-analysis trick:
https://www.youtube.com/watch?v=ScBB-Hi7NxQ&t=9m22s
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
- Deobfuscating strings with IDA Python 5:15
- Identify anti-analysis tricks after string deobfuscation 9:03
- Mutex trick 14:40
- CreateFile ShareMode trick 17:33
- Fully unpacking with x64dbg 20:25
- Searching for PE in memory using x64dbg 23:24
- Carving PE files from a memory dump with a hex editor 26:24
- Final overview of the whole process 27:59
Packed sample:
Sha256:
38933984f5ff8b71c054d1c1155e308ac02377b89315ef17cea859178a30dbab
https://malshare.com/sample.php?action=detail&hash=e561ae3cedb6f9fc0ecff559c62788b0
Unpacked Gootkit (stage 1):
Sha256: e61082d8f711d775b5c427af649c64ab50fac695f334720dca467598c5817b7a
https://malshare.com/sample.php?action=detail&hash=691c71e5b3d72835730b2db5e60b28cc
x64dbg:
https://x64dbg.com/#start
IDA:
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Packer string decryption script (IDAPython):
https://gist.github.com/herrcore/473133aa1387ed0b08a67d1a221b5b09
Tutorial examining the CreateFile share anti-analysis trick:
https://www.youtube.com/watch?v=ScBB-Hi7NxQ&t=9m22s
Feedback, questions, and suggestions are always welcome : )
Sergei https://twitter.com/herrcore
Sean https://twitter.com/seanmw
As always check out our tools, tutorials, and more content over at http://www.openanalysis.net
Comments
In Channel
Download from Google Play
Download from App Store
United States00:00
00:00
1.0x
