Lab Proj 04 - Unpacking

This document provides instructions for a lab project to practice unpacking a malware sample using UPX and analyzing the unpacked file. The document outlines examining the original packed file with BinText, PEiD, and PEview to identify the UPX packer. It then guides unpacking the file with UPX and analyzing the unpacked file with PEiD, Dependency Walker, and strings to reveal API calls and a command-and-control URL. Screenshots are to be taken at several steps and submitted.

Lab-Project 4: Unpacking

What You Need for This Project


● A virtual machine with Windows 10. Remember to turn off any antivirus
and isolate this machine from any other machines and networks.

Purpose

1. Practice using UPX to unpack a packed executable.

Malware Samples

2. We are using sample files from the Textbook Labs.

Examining the Strings in Lab01-02.exe with BinText

3. Examine the strings in Lab01-02.exe with BinText.


4. There are only a few strings, and they call only a few ordinary Windows API
commands, as shown below.
5. These strings aren't from the malware - they are from the UPX packer, as we
will show below.
Examining the File with PEiD

6. Run PEiD on the file. It shows that the file is packed with UPX, as shown in
the EP Section below.

Examining the File with PEview

7. Run PEview on the file. The file has sections labeled UPX0, UPX1, and
UPX2, as shown below.
8. These are section names produced by the UPX packer.
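To show what BinText, PEiD and PEview are reporting in steps 3 to 8, here is an added script (not part of the lab handout): it parses the PE section table, finds which section holds the entry point (PEiD's "EP Section"), flags UPX-named sections, and extracts the printable strings. It runs on a constructed minimal PE image with UPX-style sections rather than on Lab01-02.exe; the section layout and strings in it are made up for the demonstration.

```python
import re
import struct

def parse_pe(data):
    """Return (AddressOfEntryPoint, [(name, va, vsize, rawptr, rawsize), ...]) from a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    entry_rva = struct.unpack_from("<I", data, e_lfanew + 24 + 16)[0]
    sec_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return entry_rva, sections

def ep_section(entry_rva, sections):
    """Name of the section holding the entry point (what PEiD reports as 'EP Section')."""
    for name, va, vsize, _, _ in sections:
        if va <= entry_rva < va + vsize:
            return name
    return None

def ascii_strings(data, min_len=4):
    """Printable-ASCII runs, the same view BinText or strings gives."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    entry_rva, sections = parse_pe(data)
    names = [s[0] for s in sections]
    return {"sections": names, "ep_section": ep_section(entry_rva, sections),
            "upx_packed": any(n.startswith("UPX") for n in names), "strings": ascii_strings(data)}

def build_sample_pe():
    """Constructed minimal PE32 image (not a real sample): UPX-style sections, entry point in UPX1."""
    secs = [("UPX0", 0x1000, 0x6000, 0, 0),          # empty on disk; unpacked code lands here at run time
            ("UPX1", 0x7000, 0x2000, 0x400, 0x200),  # compressed payload plus the decompression stub
            ("UPX2", 0x9000, 0x1000, 0x600, 0x200)]  # the stub's small import table
    hdr = bytearray(b"MZ").ljust(0x3C, b"\0") + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    hdr = hdr.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    # optional header: PE32 magic, then AddressOfEntryPoint (offset 16) pointing inside UPX1
    hdr += struct.pack("<H14xI", 0x10B, 0x8F00).ljust(0xE0, b"\0")
    for name, va, vsize, rawptr, rawsize in secs:  # IMAGE_SECTION_HEADER, 40 bytes each
        hdr += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0xE0000080)
    image = bytearray(hdr.ljust(0x800, b"\0"))
    stub = b"\0UPX!\0LoadLibraryA\0GetProcAddress\0"  # constructed: the few strings a packed file shows
    image[0x400:0x400 + len(stub)] = stub
    return bytes(image)
```

The entry point sitting in UPX1 is the tell: the decompression stub runs first and only afterwards fills UPX0, which is why a packed file shows almost no useful strings until it is unpacked.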
Unpacking the File with UPX

9. Go to https://github.com/upx/upx/releases/tag/v3.96 and download the latest
version of UPX (for me it was upx-3.96-win64.zip).
10. Unzip the downloaded file.
11. Add the location you unzipped the downloaded file to the environment
variable PATH.
12. Run Command Prompt as Administrator. Navigate to the location you
have the sample file Lab01-02.exe.
13. Execute the following command:
upx -d -o Lab01-02-unpacked.exe Lab01-02.exe
dir
14. The unpacked file is much larger than the original file, as shown below:

15. Analyze the unpacked file with PEiD. It is now recognized as a Microsoft
Visual C++ 6.0 file, as shown below.
Finding the Entrypoint

16. Find the Entrypoint, which is covered by a green box in the image above.

Saving a screen image

17. Make sure the Entrypoint is visible.


18. Press Alt + PrintScrn. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL
CREDIT!
19. Open Paint and paste in the image.
20. Save the image with the filename Lab-Proj4a-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Imports

21. Open the unpacked file in Dependency Walker.


22. The imports from KERNEL32.DLL, ADVAPI32.DLL, and
MSVCRT.DLL are uninformative generic functions used by almost every
program.
23. However, the WININET.DLL imports are InternetOpenUrlA and
InternetOpenA, as shown below. This indicates that the malware connects
to a URL.
Strings

24. Find the strings in the unpacked file. You should see the API names
InternetOpenUrlA and InternetOpenA, and the Command-and-Control
URL http://www.malwareanalysisbook.com, as shown below.
25. These suggest that infected machines will connect to
http://www.malwareanalysisbook.com. The name of the running service,
MalService, is also visible.
Saving a screen image

26. Make sure the strings covered by the green box in the image above are
visible.
27. Press Alt + PrintScrn. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL
CREDIT!
28. Open Paint and paste in the image.
29. Save the image with the filename Lab-Proj4b-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Finding the Packer

30. Find the packer used for sample Lab01-03.exe. Ignore everything except
the primary packer name, which consists of three capital letters.

Saving a screen image

31. Make sure the packer name is visible, as shown above.


32. Press Alt + PrintScrn. That will copy the whole desktop to the clipboard.
YOU MUST SUBMIT A FULL-SCREEN IMAGE TO GET FULL
CREDIT!
33. Open Paint and paste in the image.
34. Save the image with the filename Lab-Proj4c-YOURNAME.png. Use your
real name, not the literal text YOURNAME.

Turning in your Project

35. Submit the images you saved in the Saving a screen image steps
to CMS with a subject line of Lab-Proj4-YOURNAME, replacing
YOURNAME with your own first and last name.
