More Related Content Similar to Intro to Reversing Malware (20) Intro to Reversing Malware1. BERLIN • NEW YORK • SAN FRANCISCO • SÃO PAULO • PARIS • LONDON • MOSCOW • ISTANBUL SEOUL •
SHANGHAI • BEIJING • TOKYO • MUMBAI • SINGAPORE
2. 2
About Me
‣ Security Analyst
‣ Former Software Engineer
‣ Part of Adjust’s Fraud Team
‣ RiverBird.co
‣ @cheese0x2
17. What we know
- An encrypted POST request to brb.3dtuts.by
- Not a single call to WinInet is weird
- No reference to brb.3dtuts.by
- No sign of cryptography functions
- Too much noise in `./strings` output
- The use of TLS
22. Theory
Theory #1: Binary will use VirtualProtect to dump
a packed binary?
Theory #2: CryptEncrypt will be used
somewhere?
27. Theory #1 was correct
Theory #1: Binary will use VirtualProtect to
dump a packed binary? YES
Theory #2: CryptEncrypt will be used
somewhere?
33. Theory #2 was correct
Theory #1: Binary will use VirtualProtect to
dump a packed binary? YES
Theory #2: CryptEncrypt will be used
somewhere? YES