Understanding Packers for Malware

warf0x
4 min read · Jun 26, 2023


Packers make it more difficult to analyze malware

Packing techniques in malware are a form of digital camouflage for malicious code: the original executable is compressed and often encrypted, and a small stub of code is prepended that restores it in memory at run time. Static signatures and string searches see only the stub and an opaque blob, which is why packers make malware harder to detect and analyze. Think of them as a set of clever tricks used by cybercriminals to hide their intentions behind one or more layers of obfuscation that security tools have a hard time unraveling.

We will be using a “PIK-GROUP” ransomware sample:

SHA256
026E8C1BB6FDA0BD89DD2D87EF95A8920DF5BA331B74C604223F75E597069DED

The tools we will use are the following:

  • Detect It Easy
  • pestudio
  • PE-Bear
  • strings (available on FLARE VM); other tools and scripts do the same job if you don't have it
  • Ghidra (or IDA Free)
  • CFF Explorer VIII

Common signs of a packer to look out for

  • High entropy
    > Entropy measures how random the bytes are, on a scale of 0 to 8 bits per byte; compressed or encrypted data scores close to 8, while plain compiled code and text score well below that
  • A small stub of code that ends in a jump (the “tail jump”) to an address far outside the stub; UPX's decompression loop, for example, ends with popad followed by a jmp to the original entry point
  • Few meaningful strings
  • A section whose virtual size is far larger than its raw size, or that has no raw data on disk at all
  • No imports, or only the handful a stub needs (LoadLibraryA, GetProcAddress, VirtualProtect)
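The checklist above can be scripted. The following is an added example, not code from the original post: it reads the section table straight out of a PE image with the standard library (pefile would do the same job in real triage) and applies the heuristics to each section, then to the import list. The two images it runs on are constructed in the block, so it runs offline; the entropy and import-count thresholds are my triage assumptions rather than published constants.

```python
"""Packer triage from the checklist above: entropy, section names, raw-vs-virtual size, imports.
Added example, stdlib only; a constructed minimal PE stands in for the real sample."""
import math
import random
import struct

# Default section names left behind by well-known packers (UPX is the one in this post).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                        b".themida", b".vmp0", b".vmp1", b".petite", b".MPRESS1"}
# APIs a decompression stub needs to restore the original image and its import table.
STUB_IMPORTS = {b"LoadLibraryA", b"GetProcAddress", b"VirtualProtect", b"VirtualAlloc"}
ENTROPY_THRESHOLD = 7.0   # triage assumptions, not published constants: tune on your corpus
FEW_IMPORTS = 10


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 when every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> section table of an on-disk image.
    Returns [(name, virtual_size, raw_size, raw_bytes)] in section-table order."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)   # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):   # IMAGE_SECTION_HEADER is 40 bytes; we need its first 24
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append((name.rstrip(b"\0"), vsize, rawsize, raw))
    return sections


def packer_indicators(sections: list, imports: list) -> list:
    """One reason string per checklist hit; an empty list means nothing looked packed."""
    hits = []
    for name, vsize, rawsize, raw in sections:
        label = name.decode("ascii", "replace")
        if name in PACKER_SECTION_NAMES:
            hits.append(f"{label}: known packer section name")
        if rawsize == 0 and vsize > 0:
            hits.append(f"{label}: 0 bytes on disk but {vsize:#x} in memory (unpack destination)")
        elif rawsize and shannon_entropy(raw) > ENTROPY_THRESHOLD:
            hits.append(f"{label}: entropy {shannon_entropy(raw):.3f} > {ENTROPY_THRESHOLD}")
        elif vsize > 2 * rawsize:   # far beyond the 0x200 -> 0x1000 alignment padding
            hits.append(f"{label}: virtual size {vsize:#x} dwarfs raw size {rawsize:#x}")
    stub_apis = STUB_IMPORTS & set(imports)
    if len(imports) < FEW_IMPORTS and stub_apis:
        hits.append(f"only {len(imports)} imports, among them {sorted(a.decode() for a in stub_apis)}")
    return hits


def build_fake_pe(sections: list) -> bytes:
    """Constructed PE: valid DOS/COFF headers and section table, zeroed optional header."""
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    hdr_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-hdr_end // file_align) * file_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table, body, rawptr, vaddr = b"", b"", data_start, 0x1000
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, len(raw),
                             rawptr if raw else 0, 0, 0, 0, 0, 0xE0000060)
        body += raw
        rawptr += len(raw)
        vaddr += (vsize + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + b"\0" * opt_size + table).ljust(data_start, b"\0") + body


# Constructed samples: a UPX-style layout next to an ordinary compiler layout.
_rng = random.Random(1337)
PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(0x4000))   # stands in for NRV output
PLAIN_CODE = b"This program cannot be run in DOS mode.\r\n" * 200  # repetitive, low entropy
PACKED_SAMPLE = build_fake_pe([(b"UPX0", 0xBCD000, b""), (b"UPX1", 0x4000, PACKED_BLOB),
                               (b".rsrc", 0x200, b"\0" * 0x200)])
PACKED_IMPORTS = [b"LoadLibraryA", b"GetProcAddress", b"VirtualProtect", b"ExitProcess"]
CLEAN_SAMPLE = build_fake_pe([(b".text", 0x2000, PLAIN_CODE), (b".data", 0x400, b"\0" * 0x400)])
CLEAN_IMPORTS = [b"CreateFileW", b"ReadFile", b"WriteFile", b"CloseHandle", b"GetLastError",
                 b"HeapAlloc", b"HeapFree", b"ExitProcess", b"MessageBoxW", b"RegOpenKeyExW",
                 b"VirtualProtect"]

if __name__ == "__main__":
    for title, pe, imps in (("packed", PACKED_SAMPLE, PACKED_IMPORTS), ("clean", CLEAN_SAMPLE, CLEAN_IMPORTS)):
        print(title, packer_indicators(parse_sections(pe), imps) or "no indicators")
```

Run against a real file, `parse_sections(open(path, "rb").read())` gives you the same name/size/entropy view that pestudio and PE-Bear show; the import list would come from walking the import directory, which pefile's `DIRECTORY_ENTRY_IMPORT` does for you. Note that the UPX0 check fires on raw size 0 rather than on virtual size being a little larger than raw size, because the latter is normal alignment padding in any executable.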

Let's begin with Detect It Easy.

Detect It Easy Results

Detect It Easy identifies the sample as packed with UPX (the Ultimate Packer for eXecutables) using the NRV compression algorithm. The “brute” tag most likely refers to UPX's --brute option, which tries every available compression method and filter and keeps the best result, so it tells you how the packer was configured when the file was built.

pestudio results

pestudio reports the same packer, with additional analysis: it flags UPX and gives an entropy of 7.966 (displayed as “7,966”). Entropy is the degree of randomness of the bytes in this packed sample. pestudio uses a scale from 0 to 8, where 8 means every byte value is equally likely, which is exactly what compressed or encrypted data looks like. A common rule of thumb is that a plain compiled executable sits well below 7 and anything above roughly 7 deserves a closer look.

To get a better feel for entropy I would also recommend visiting binvis.io: drop an executable there and you get a visual map of the file, where the structure of the blocks shows how random each region is.

binvis.io homepage

Let's run PE-Bear, another Portable Executable analysis tool.

The presence of VirtualProtect in the imports may indicate a higher likelihood that the file is packed or obfuscated, but it is not conclusive on its own, since plenty of legitimate programs import it. It is a hint because a decompression stub writes the original code into memory and then has to make those pages executable, and VirtualProtect is how it changes page protections. UPX's stub also imports LoadLibraryA and GetProcAddress, which it uses to rebuild the original import table, so a very short import list made up of those names is a stronger hint than VirtualProtect alone. Other factors such as suspicious behavior, additional packing-related characteristics, or a known packer signature provide stronger evidence.

Additionally, compilers typically emit section headers such as .text, .data, .rsrc and .reloc. Here the section table instead contains UPX0 and UPX1, the default names the UPX tool gives the sections it creates. Keep in mind that section names are trivial to rename, so their absence proves nothing.

pe-bear section hdrs

The virtual size (“BCD000”) is larger than the raw size (“BCCE00”). The virtual size is the size of the section once it is loaded into memory at run time, whereas the raw size is the size of the section as stored on disk. On its own a gap this small is just alignment padding: sections are rounded up to the section alignment in memory (typically 0x1000) and to the file alignment on disk (typically 0x200), so a slightly larger virtual size is normal in any executable. The layout that actually gives UPX away is a section (UPX0) with a raw size of 0 and a large virtual size: it is empty on disk and exists only as the space the stub decompresses the original program into.

FLARE VM, a Windows virtual machine image for detonating and analyzing malware, includes a program called “strings”; right-click a file and you can run it from the context menu.

Strings results

As you can see, there isn't much comprehensible information: almost no real words or API names, mostly runs of random printable characters that happen to be four or more bytes long. This further supports the conclusion that the file is packed.
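The judgment “mostly random characters” can be turned into numbers you can compare before and after unpacking. The block below is an added example, not part of the original post: a minimal `strings` that extracts both ASCII and UTF-16LE runs (Sysinternals strings does both by default; GNU strings needs -e l for the wide ones), plus a ratio of strings that look like names, paths or sentences. The two byte buffers are constructed stand-ins for a packed and an unpacked image, and the word-like pattern is my own heuristic.

```python
"""A small `strings` for triage: ASCII and UTF-16LE runs, plus a "looks like words" ratio.
Added example; the two buffers below are constructed stand-ins for a packed and an unpacked image."""
import random
import re

MIN_LEN = 4  # default minimum run length in both GNU strings and Sysinternals strings
_WORDLIKE = re.compile(r"^[A-Za-z][A-Za-z0-9_./\\: -]*$")  # identifiers, API/DLL names, paths, prose


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable runs of at least min_len characters: ASCII first, then UTF-16LE (wide) runs."""
    ascii_runs = [m.group().decode("ascii")
                  for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16-le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def wordlike_ratio(strings: list) -> float:
    """Fraction of strings that look like names, paths or sentences rather than byte soup."""
    if not strings:
        return 0.0
    return sum(1 for s in strings if _WORDLIKE.match(s)) / len(strings)


def triage(data: bytes) -> dict:
    """The numbers worth comparing before and after unpacking."""
    found = extract_strings(data)
    return {"strings": len(found),
            "wordlike_ratio": round(wordlike_ratio(found), 2),
            "bytes_per_string": len(data) // max(len(found), 1)}


# Constructed samples, not bytes from the real file.
_rng = random.Random(2023)
PACKED_BYTES = bytes(_rng.getrandbits(8) for _ in range(0x8000))   # compressed-looking body
UNPACKED_BYTES = (b"\0" * 64).join([
    b"kernel32.dll", b"CreateFileW", b"WriteFile", b"CryptEncrypt", b"GetProcAddress",
    "C:\\Users\\Public\\Documents".encode("utf-16-le"), "readme.txt".encode("utf-16-le"),
    b"This program cannot be run in DOS mode.",
]) + b"\0" * 0x6000

if __name__ == "__main__":
    for title, buf in (("packed", PACKED_BYTES), ("unpacked", UNPACKED_BYTES)):
        print(title, triage(buf))
    print("unpacked strings:", extract_strings(UNPACKED_BYTES))
```

Random data still yields hundreds of four-character “strings”, which is why the raw count from the strings tool is misleading on a packed file; the word-like ratio and the DLL and API names that appear after unpacking are what change.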

To unpack this file you can use CFF Explorer VIII: open the file, go to the UPX Utility and choose Unpack. This rewrites the file as the original, decompressed executable so its contents can be viewed more easily. The same operation is available from the UPX command-line tool as upx -d. Both rely on the UPX headers being intact; a sample whose UPX magic or section names have been tampered with will refuse to unpack this way and has to be dumped from memory after the stub has finished running instead.

CFF explorer VIII

Viewing its properties, I can see that the file size increased, and the sections in PE-Bear now show more results and strings that I can analyze further!
