Funtastic Packers And Where To Find Them

What's Inside?

Get2Downloader

Get2: First Allocated Memory
Get2: Second Allocated Memory
Get2: First Allocated Memory being written
Get2: First Allocated Memory obfuscated content
Get2: M8Z string written
Get2: decryption loop ends
Get2: Second stage decryption function
Get2: Second Allocated Memory Being Written
Get2: Second Allocated Memory Packed With UPX
Get2: Final unpacked payload

Qbot

Qbot: VirtualAllocEx allocated memory
Qbot: Data Written In The Allocated Memory
Qbot: Obfuscated Data Written In The Allocated Memory
Qbot: Static analysis — obfuscated content
Qbot: Data being Overwritten In The Allocated Memory
Qbot: Signs Of Obfuscated PE
Qbot: GetProcAddress Stack-Strings
Qbot: VirtualAlloc Stack-Strings
  1. GetProcAddress is called with the string "VirtualAlloc" (stored at EBP-4) to request the address of VirtualAlloc.
  2. GetProcAddress returns the address of VirtualAlloc in EAX, which is then moved to EBP-8.
  3. VirtualAlloc is called with Read-Write-Execute permissions.
Qbot: Call For VirtualAlloc Steps
Qbot: Newly Allocated Memory
Qbot: Data Copied From First To Second Allocated Memory
Qbot: Data Copied From First To Second Allocated Memory
Qbot: Second Allocated Memory Deobfuscated
Qbot: Unpacked PE
Qbot: Qbot’s Second Stage Payload At The Resource Section

IcedID

IcedID: Shellcode
IcedID: Call To VirtualAlloc
IcedID: Data Copied To The Allocated Memory
IcedID: Data Comparison ESI vs EDI (Identical)
IcedID: Data being decrypted
IcedID: Data being decrypted
IcedID: Data Copied And Decrypted In The Upper Part Of The Memory
IcedID: Clean PE File
IcedID: Unpacking Diagram
IcedID: Unpacked PE In Pestudio

Conclusion

  • Traditionally, packers tend to start by reading obfuscated data embedded in the PE and writing it to newly allocated memory.
  • Writing to, or reading from, newly allocated memory will most likely happen inside a loop, so loops are a good starting point when searching for decryption routines.
  • Most of the time, data is copied or modified byte by byte. Therefore, it is important to pay attention to single-byte moves (mov byte ptr).
  • Opcodes such as xor, rol, ror, shl and shr are likely to be found in the decryption loop.
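As an added illustration of these heuristics (this is example code, not part of the original article), the Python script below scans a text disassembly listing for backward-jump loops that move single bytes and transform them with xor/rol/ror/shl/shr, and records whether a VirtualAlloc call precedes the loop. The listing, addresses and comments are constructed sample input.

```python
import re

# Constructed listing (not taken from any real sample): a VirtualAlloc call
# followed by a byte-wise xor/rol decryption loop writing into the new buffer.
SAMPLE_LISTING = """\
00401000  push 40h
00401002  call dword ptr [ebp-8]      ; VirtualAlloc (RWX)
00401005  mov edi, eax
00401007  xor ecx, ecx
00401009  mov al, byte ptr [esi+ecx]
0040100c  xor al, 5Ah
0040100e  rol al, 3
00401011  mov byte ptr [edi+ecx], al
00401014  inc ecx
00401015  cmp ecx, 2000h
0040101b  jb 00401009
0040101d  call edi
"""

# address, mnemonic, operands, optional ';' comment
LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\S+)\s*(.*?)\s*(?:;\s*(.*))?$")
TRANSFORM_OPS = {"xor", "rol", "ror", "shl", "shr"}
JUMPS = {"jmp", "jb", "jbe", "ja", "jae", "jl", "jle", "jg", "jge",
         "jne", "jnz", "je", "jz", "jc", "jnc", "loop"}

def parse(listing):
    """Turn listing lines into (addr, mnemonic, operands, comment) tuples."""
    insns = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m.group(1), 16), m.group(2).lower(),
                          m.group(3).lower(), (m.group(4) or "").lower()))
    return insns

def find_decryption_loops(listing):
    """Report loops (backward jumps) that contain byte moves plus transforms."""
    insns = parse(listing)
    hits = []
    for addr, mnem, ops, _ in insns:
        if mnem not in JUMPS:
            continue
        try:
            target = int(ops.split(",")[0].strip(), 16)
        except ValueError:
            continue                      # symbolic target, skip
        if target >= addr:
            continue                      # forward jump: not a loop
        body = [x for x in insns if target <= x[0] <= addr]
        byte_moves = sum(1 for _, m, o, _ in body if m == "mov" and "byte ptr" in o)
        transforms = sorted({m for _, m, _, _ in body if m in TRANSFORM_OPS})
        alloc_before = any(m == "call" and "virtualalloc" in o + c
                           for a, m, o, c in insns if a < target)
        if byte_moves and transforms:
            hits.append({"start": target, "end": addr, "byte_moves": byte_moves,
                         "transforms": transforms, "alloc_before": alloc_before})
    return hits
```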
