UPX compressed Malware (Part-1)

nanda kumaran
3 min read · Jan 11, 2021

This UPX-compressed malware was protected by a password, so the automated malware analysis report for this Del.exe will come back positive. But during our manual malware analysis we will find it to be malicious.

Sample Analyzed:-

https://any.run/report/17e78d449ea2206adcf8fad3bc0b60eb3eeca35937d543a003b53f7b053d9398/d2547910-3a16-467c-9251-63cb60a7a6c7

General Info:-

I am using REMnux Linux and a Windows 7 machine for the analysis, so our first step is to find out which type of malware it is using the peframe tool.

Trigger del.exe in the Windows sandbox machine with Wireshark and Procmon ready to analyze it in the background. But nothing happened: the malware asks for a password before executing.

Using Pestudio you can get a few hints to crack the malware password.

Using Pestudio you get UPX as a hint. UPX is nothing but a packer: it compresses an executable, and decompression is done with the same UPX tool.

Install UPX in the Windows sandbox, decompress del.exe with it and create a new EXE file.

Here you can see the difference between old.exe and new.exe; the changes to the signature can be identified.

In the strings of this new.exe file we can see the name Mark Adler, and using this as a hint we found out it is Zlib inflated.

Using Pestudio you can find the RCDATA resource, which has a high entropy value; after that you can use the CyberChef tool to extract the data.

Using the Zlib Inflate operation in CyberChef we get some hashes and commands; after analyzing the hash value we concluded it is MD5.

After looking up the MD5 hash with an online cracking tool we got the password: boris.
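The resource-triage steps above (high-entropy RCDATA, Zlib inflate, spotting a 32-hex MD5 and looking it up) as an added Python example; this is not code from the original post. The resource blob and the wordlist are constructed stand-ins, and the command inside the blob is a harmless placeholder.

```python
import hashlib
import math
import re
import zlib

# Constructed stand-in for the RCDATA resource: a zlib stream wrapping a small
# config blob shaped like the post describes (a command plus an MD5 hash).
# The command is a harmless placeholder, not the real sample's contents.
PLAIN_CONFIG = (b"cmd /c echo hello\r\n"
                b"pw=" + hashlib.md5(b"boris").hexdigest().encode() + b"\r\n")
SAMPLE_RCDATA = zlib.compress(PLAIN_CONFIG)

# Hypothetical wordlist standing in for the online MD5 lookup used in the post.
WORDLIST = ["password", "admin", "boris", "123456"]
MD5_RE = re.compile(rb"\b[0-9a-fA-F]{32}\b")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 means packed/encrypted, plain text sits near 4-5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def crack_md5(digest: str, wordlist):
    """Offline equivalent of the online hash lookup: candidate list only."""
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None

def triage_resource(blob: bytes, wordlist=WORDLIST) -> dict:
    """Entropy -> inflate -> pull 32-hex tokens -> wordlist lookup."""
    result = {"entropy": round(shannon_entropy(blob), 2), "inflated": None,
              "md5s": [], "cracked": {}}
    try:
        plain = zlib.decompress(blob)
    except zlib.error:           # not a zlib stream: try another recipe
        return result
    result["inflated"] = plain
    result["md5s"] = [m.decode() for m in MD5_RE.findall(plain)]
    for h in result["md5s"]:
        hit = crack_md5(h, wordlist)
        if hit:
            result["cracked"][h] = hit
    return result
```

`triage_resource(SAMPLE_RCDATA)` inflates the blob, finds the one MD5 token and maps it to "boris"; a non-zlib blob just reports its entropy with `inflated` left as None.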

After entering the password the malware executed, with Procmon ready to analyze it in the background. We analyze the process ID, the process tree, modified file paths, files dropped, etc.

The rest of the analysis will be continued in part 2 of this blog; please click on the link below to continue.

https://nandakumaranismart.medium.com/upx-compressed-malware-part-2-6c2062775197
