Tuesday, 23 July 2013

Red October [Unpacking "msmx21.exe"]


51edea56c1e83bcbc9f873168e2370af (Original File)
2719a0e95075802e22008f7530ea8f99 (Dropper "msmx21.exe" - Packed)

This post walks through unpacking the dropper msmx21.exe. Analysis of the binary reveals that the file "2719a0e95075802e22008f7530ea8f99" is very likely packed. The quickest way to unpack it is to set a breakpoint on VirtualAlloc and start debugging from there: a packer has to allocate memory for the code it decompresses, so every allocation it makes is a candidate landing site for the next stage.

Shellcode
The first memory allocation is a VirtualAlloc of size 0xA34. Shellcode responsible for unpacking the stage 1 dropper is written into that region.

Memory allocation for the shellcode that unpacks the stage 1 dropper.

The memory region returned by that allocation.

The shellcode that unpacks the stage 1 dropper is written to 0x30000.

Unpacking the Stage 1 Dropper, msmx21.exe
The next memory allocation is a VirtualAlloc of size 0x6100. Stepping through shows that the shellcode above unpacks msmx21.exe and writes it to 0x40630, inside this second region.

The memory allocation meant for the unpacked msmx21.exe.

The memory region allocated for the unpacked stage 1 dropper msmx21.exe.

Offset 0x308ca is where the shellcode starts unpacking msmx21.exe.

Offset 0x40630 is the start of the unpacked stage 1 dropper msmx21.exe (the MZ header).

Dumping msmx21.exe
The stage 1 dropper msmx21.exe is dumped from memory starting at 0x40630.

Interesting to note that, according to the PE header timestamp, it was compiled in March 2011. (The timestamp is attacker-controlled and can be forged, so treat it as a hint rather than proof.)

A peek at the OEP of the dumped dropper.
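To make the dumping step reproducible, here is an added example (my code, not from the original post) that does what is done by hand above: given a dumped copy of the allocated region, it finds the embedded MZ/PE header, reads the fields you would check before trusting the dump (machine, compile timestamp, image base, OEP, section table) and carves the image out in file layout. The sample region is constructed: a minimal PE32 built in `build_sample_pe` and placed at offset 0x630 of a NOP-filled buffer to mirror the 0x40630 landing site; none of the bytes are from msmx21.exe, and the March 2011 timestamp is chosen to match the post's observation.

```python
import struct
from datetime import datetime, timezone

_MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def build_sample_pe(timestamp=1300147200, entry_rva=0x1630, body=b"\xCC" * 0x200):
    """Constructed test input: a minimal, non-runnable PE32 with one section.

    Stands in for the unpacked dropper; none of these bytes are from msmx21.exe.
    The default timestamp (2011-03-15 UTC) is chosen to fall in March 2011.
    """
    e_lfanew, size_opt, size_headers = 0x40, 0xE0, 0x200
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, size_opt, 0x0102)
    opt = struct.pack(
        "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
        0x10B, 9, 0,                      # PE32 magic, linker version
        len(body), 0, 0,                  # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        entry_rva, 0x1000, 0x2000,        # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,          # ImageBase, SectionAlignment, FileAlignment
        5, 1, 0, 0, 5, 1,                 # OS / image / subsystem versions
        0, 0x2000, size_headers, 0,       # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                             # Subsystem (GUI), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,  # stack/heap, LoaderFlags, NumberOfRvaAndSizes
    ) + b"\x00" * (16 * 8)                # 16 empty data directories
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(body), 0x1000, len(body),
                      size_headers, 0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + coff + opt + sec
    return hdr + b"\x00" * (size_headers - len(hdr)) + body


def carve_pe(buf, start=0):
    """Find and parse the first plausible PE at or after `start` in a memory dump.

    Assumes the payload was written in file layout (section raw pointers valid),
    which is how a dropper normally stages an embedded executable. Returns None
    if nothing plausible is found, else a dict with header fields and the bytes.
    """
    pos = start
    while True:
        mz = buf.find(b"MZ", pos)
        if mz < 0 or mz + 0x40 > len(buf):
            return None
        pos = mz + 1
        e_lfanew = struct.unpack_from("<I", buf, mz + 0x3C)[0]
        pe = mz + e_lfanew
        if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\x00\x00":
            continue
        machine, nsec, ts, _, _, size_opt, chars = struct.unpack_from("<HHIIIHH", buf, pe + 4)
        opt = pe + 24
        sec_off = opt + size_opt
        if not 0 < nsec <= 96 or size_opt < 0x60 or sec_off + 40 * nsec > len(buf):
            continue
        magic = struct.unpack_from("<H", buf, opt)[0]
        if magic == 0x10B:                                   # PE32
            image_base = struct.unpack_from("<I", buf, opt + 28)[0]
        elif magic == 0x20B:                                 # PE32+
            image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
        else:
            continue
        entry_rva = struct.unpack_from("<I", buf, opt + 16)[0]
        size_image = struct.unpack_from("<I", buf, opt + 56)[0]
        sections, end = [], 0
        for i in range(nsec):
            name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", buf, sec_off + 40 * i)
            sections.append((name.rstrip(b"\x00").decode("ascii", "replace"), vaddr, vsize, rawptr, rawsize))
            end = max(end, rawptr + rawsize)                # file size = last raw byte of any section
        if end == 0 or mz + end > len(buf):
            continue                                         # truncated: dump was cut short or is mapped
        return {
            "offset": mz,
            "machine": _MACHINES.get(machine, hex(machine)),
            "is_dll": bool(chars & 0x2000),
            "compiled": datetime.fromtimestamp(ts, tz=timezone.utc),  # attacker-controlled, a hint only
            "image_base": image_base,
            "entry_point": image_base + entry_rva,           # the OEP you would land on after dumping
            "size_of_image": size_image,
            "sections": sections,
            "data": bytes(buf[mz:mz + end]),                 # what you write to disk
        }


def demo():
    """Constructed region: NOP sled, the sample PE at +0x630, trailing zeroes."""
    region = b"\x90" * 0x630 + build_sample_pe() + b"\x00" * 0x100
    return carve_pe(region)


if __name__ == "__main__":
    r = demo()
    print(f"PE at +0x{r['offset']:x}, {r['machine']}, compiled {r['compiled']:%Y-%m-%d}, "
          f"OEP 0x{r['entry_point']:x}, {len(r['data'])} bytes, sections {[s[0] for s in r['sections']]}")
```

If the image is found already mapped (sections sitting at their VirtualAddress rather than PointerToRawData), the raw-pointer arithmetic above will not describe the dump; in that case carve SizeOfImage bytes instead and rewrite each section's PointerToRawData to its VirtualAddress before loading the file in a disassembler.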

Next >> Analysis of the dropper msmx21.exe
