i found this interesting EXE from some Downloader.
first step is UPX -d ;
it just crashes at start on XP.. looks like damaged infection??
ooo, but try find correct way to execute & unpack THIS!
in rar is my unpack.. passworded..
esther
November 19th, 2008, 11:33
I have that variant as well in my older system,have fun!
evaluator
November 19th, 2008, 15:04
you mean: clean EXE?
sad::
upload it.. i will look
esther
November 20th, 2008, 09:54
No, I didn't unpack it, it's in my trash bin :P. I might take a look at what you upload here if I have time.
esther
November 22nd, 2008, 08:52
Hey evaluator,
Nothing wrong with the malware: it crashes WinXP and reboots in VMware when executing the malware, telling you "hardware error", even if it's not unpacked using upx -d.
Kayaker
November 27th, 2008, 02:05
Shazbot! That's impressive code
A lot of tracing through obfuscated code, but interesting nonetheless. PEB_LDR_DATA.InInitializationOrderModuleList is used to find the BaseAddress of kernel32, etc.
Watch out for the several RDTSC checks near the end once the real PE comes to light (modify EAX after each pair of rdtsc calls to < 100000 (but not 0!) and you're safe tracing till the next pair).
I was about to make a dump, somewhere in the final steps after the code returns to the 400000 range in the "real" PE, and damned if I didn't get careless and got caught in an SEH trap! Oh well, if I've got a few more hours to spare I'll make a real dump, if not, I've seen what it does and am somewhat satisfied for now
One interesting tidbit: the original code requires that the file was executed through kernel32!BaseProcessStart. That stack return value is used in the code, else it hits that ExitThread call you see in the disassembly. So if you happen to use a loader that doesn't directly execute the PE through the normal BaseProcessStart loading sequence, then the code will fail from the start. I got caught in that bugaboo for quite a while since I use a custom SoftICE loader. Straight Olly should be OK.
evlncrn8
November 27th, 2008, 04:28
upx -d doesn't always work too well. I encountered an exe that had a TLS callback which checked for the UPX and adjusted the jmp <true entrypoint> part of the code, and another patched the entrypoint address in the PE header before UPX kicked in. The TLS callback code had a simple check for 0xCC at the initial entrypoint (which is what Olly writes when you load the exe), and a mini debug check too: debugger detected -> adjust the entrypoint to an invalid address / some other code that behaved 'differently', otherwise continue as normal. Relatively simple, but very easy to overlook.
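A small triage script for the two indicators raised in the last two posts (a TLS directory whose callbacks run before the entry point, and paired RDTSC timing checks), written as an added example for this thread rather than code from any poster; the PE builder constructs a throwaway PE32 so it runs offline, and the RDTSC scan is a raw byte scan, so its hits are leads to confirm in a disassembler, not proof.

```python
import struct

# Constructed demo code (not malware): rdtsc; mov esi,eax; rdtsc; sub eax,esi; ret
SAMPLE_CODE = b"\x0f\x31\x89\xc6\x0f\x31\x29\xf0\xc3"

def build_sample_pe(code, tls=True):
    """Build a minimal PE32 with one .text section at RVA 0x1000 / file offset
    0x200 and, if `tls` is set, a TLS directory entry. Constructed for the demo."""
    opt = struct.pack("<HBBIIIIIII", 0x10B, 0, 0, len(code), 0, 0, 0x1000, 0x1000, 0, 0x400000)
    opt += struct.pack("<II", 0x1000, 0x200) + b"\0" * 52 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if tls:
        dirs[9] = (0x1000 + len(code), 24)  # IMAGE_DIRECTORY_ENTRY_TLS points into .text
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec = b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return (dos + coff + opt + sec).ljust(0x200, b"\0") + code.ljust(0x200, b"\0")

def triage_pe(data):
    """Flag the thread's anti-analysis indicators in a PE32 file or memory dump:
    a TLS directory (callbacks run before the entry point), 0xCC at the entry
    point (what evlncrn8's callback looked for) and paired RDTSC opcodes."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    tls_rva = struct.unpack_from("<I", data, opt + 96 + 9 * 8)[0]  # data directory 9 = TLS
    sh = opt + struct.unpack_from("<H", data, pe + 20)[0]
    secs = [struct.unpack_from("<IIII", data, sh + i * 40 + 8) for i in range(nsec)]
    def off(rva):  # RVA -> file offset via the section table (vsize, va, rawsize, raw)
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return raw + rva - va
        return None
    pairs = []
    for vsize, va, rawsize, raw in secs:
        blob = data[raw:raw + rawsize]
        pos = [i for i in range(len(blob) - 1) if blob[i:i + 2] == b"\x0f\x31"]
        # two RDTSC within 64 bytes is the timing-delta pattern Kayaker describes
        pairs += [(raw + a, raw + b) for a, b in zip(pos, pos[1:]) if b - a <= 64]
    ep = off(entry_rva)
    return {"tls_directory": tls_rva != 0,
            "entry_is_int3": ep is not None and data[ep] == 0xCC,
            "rdtsc_pairs": pairs}

if __name__ == "__main__":
    print(triage_pe(build_sample_pe(SAMPLE_CODE)))
```

The entry-point 0xCC check only means something on a memory dump taken under a debugger; on a clean file it should always be False.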
evaluator
November 29th, 2008, 08:57
thanks evlncrn8 for info!
but.. TLS is not here.
crash happens because in the SEH handler, code expects some valid addr in eax,
while in XP eax=0 here.
it looks like malware written for Vista. (code=6 in GetVersionEx)
codepage=419h was amazing..
NOD32 reports tfile.exe as - Win32/TrojanDownloader.Small.NZM trojan
Kayaker
November 29th, 2008, 23:31
A little further information on the BaseProcessStart effect I mentioned above:
btw, upload your unpacked target & then we can continue to step 2: reconstructing main code from mangled ImpCalls
rendari
December 9th, 2008, 16:23
Just a quick question from an ignorant fellow:
When you guys go about unpacking malware, do you do it in VMware? Or do you ghost your hard drive, run the malware not caring if you get infected, and then analyze it?
esther
December 10th, 2008, 06:53
I suppose 95% of the ppl from RE use VMware. It has functions so you can clone or snapshot your work and easily restore the "original" OS, saving the time of reinstalling your OS; it's much more convenient than using another system to have fun with it.
Just my 2 cents
evaluator
December 10th, 2008, 09:25
but on the other hand, there are tricks for VM detection, so the world is not so easy.
blabberer
December 11th, 2008, 09:40
FuNdastiec Kompet1t10n i Was Sayed N0w griEt Eval
evaluator
December 11th, 2008, 09:54
i don't understand about "poison", but you failed for tfile unpacking!
you should continue unpacking after de-UPXed.. ok!? that is contest 1st step. (only unpack)
apuromafo
December 11th, 2008, 10:01
Quote:
[Originally Posted by evaluator;78188]i don't understand about "poison", but you failed for tfile unpacking!
you should continue unpacking after de-UPXed.. ok!? that is contest 1st step. (only unpack)
well, the poison appeared in my tmp.. not sure if it is from there or not.. but if it isn't, I will remove it.., maybe it can be another program that was on my pc..
I will remove the upx unpacked too.. the idea is the unpack contest....
well, I was going to share the info in the previous deleted post..
only was to edit the dates, for some interest.. or a 2nd contest maybe
I think that this can not be malware if it doesn't run on the victim..
well
will wait some time, to see this or self delete..
evaluator
December 11th, 2008, 10:35
apuromafo! read the first post: there I said > malware fails to run because errors happen, but you can continue in debugger,
if you will find the correct way to continue. OK!? try!
apuromafo
December 11th, 2008, 12:12
Quote:
[Originally Posted by evaluator;78190]apuromafo! read First post: there i said > malware fails to run becouse of errors happens, but you can continue in debugger,
if you will find correct way to continue. OK!? try!
well, some ways can continue, but it is always broken.. closes.. stack overflow, or others..
some dumps were done, and realtime images.. but it is always closed..
and the file that was seen on the internet is broken..
it is an unpacking way.. and I don't have the unpacked.. maybe others can continue with the same information..
sorry for my bad english..
evaluator
December 12th, 2008, 13:50
caught same malware not-UPXed & changed loader-code;
I think this malware is created for the Vista system & its Kernel32 code,
where other opcodes are met & the calc-ed SEH address will be good;
(because it crashes on XP, other calculation)
apuromafo
December 13th, 2008, 12:19
Quote:
[Originally Posted by evaluator;78207]catch same malware not-UPXed & changed loader-code;
i think this malware is created for Vista sistem & it's Kernel32 code,
where other opcodes meets & calc-ed_SEH_address will good;
(bcoz crashes on XP, other calculation)
aha
this variant go to
http://iframr.com//plist.php?uid=dff0462796ec7f4839cbd043a5590a35
base 64 say
1_537 http://www.datingnoon.com/vshost.exe vshost.exe
yes, it is similar to the other.. but this file exists!:..
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c81f61f
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x404d2b
Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x402349
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x401353
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x5dc2e53
evaluator
December 29th, 2008, 13:59
as Xmas gift, I found a working loader of this kind of code for XP;
however, the malware inside is another one, just UPX-ed