Today, we will try to unpack a cryptocurrency miner one section at a time. Actually, here is a very good tutorial, and I mostly follow its instructions.

First, set a breakpoint on WriteProcessMemory.
When the first “WriteProcessMemory” breakpoint hits, dump the PE from memory.

You have to delete the junk bytes before the “MZ” signature to make the dump a valid PE file. Then run again and dump the PE from memory to see whether there is any difference between the 1st and 2nd edition. In fact, they are exactly the same file.

So run again, dump again.

This time, the 2nd and 3rd PE files differ in the .text section. So let’s set that .text section aside. Run again and dump the 4th edition.

This time, we can see that the .text section of the 4th edition is filled with 00 bytes. Its .rdata section differs from the 3rd edition's, while the other two sections are the same. So just save the .rdata section.
Run again.

This time the .data section changed, so save that section. The last one changed the .reloc section.

So we have the 6th edition. Because the malware writes only one section at a time, the 6th edition has only one valid section, which is the .reloc section. Remember the sections we saved earlier? All you need to do is replace the other sections in the 6th edition with the ones we saved.
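
The section-by-section rebuild described above can also be scripted. The following is an added example, not code from this post or from the tutorial it follows: it assumes the dumps are in file (raw) layout and that a section not being written in a given dump is all zeros, as seen for .text in the 4th edition. The function names are hypothetical, and demo_dump builds a constructed sample rather than a real dump.

```python
import struct

def trim_to_mz(buf):
    """Drop junk before the first 'MZ' whose e_lfanew points at a PE signature."""
    pos = buf.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(buf):
            lfanew, = struct.unpack_from("<I", buf, pos + 0x3C)
            if buf[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                return buf[pos:]
        pos = buf.find(b"MZ", pos + 1)   # a stray "MZ" inside the junk is skipped
    raise ValueError("no PE image found in dump")

def sections(pe):
    """Return [(name, raw_offset, raw_size)] read from the section table."""
    lfanew, = struct.unpack_from("<I", pe, 0x3C)
    count, = struct.unpack_from("<H", pe, lfanew + 6)       # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, lfanew + 20)   # SizeOfOptionalHeader
    table, out = lfanew + 24 + opt_size, []
    for off in range(table, table + 40 * count, 40):
        size, ptr = struct.unpack_from("<II", pe, off + 16)  # SizeOfRawData, PointerToRawData
        out.append((pe[off:off + 8].rstrip(b"\0").decode("latin-1"), ptr, size))
    return out

def merge_dumps(dumps):
    """Take each section from the latest dump where it is not all zero (assumed heuristic)."""
    dumps = [trim_to_mz(d) for d in dumps]
    image, source = bytearray(dumps[-1]), {}
    for name, ptr, size in sections(dumps[-1]):
        image.extend(bytes(max(0, ptr + size - len(image))))  # pad a truncated final dump
        for idx in range(len(dumps) - 1, -1, -1):
            body = dumps[idx][ptr:ptr + size]
            if len(body) == size and any(body):
                image[ptr:ptr + size] = body
                source[name] = idx + 1   # 1-based position in the dump list
                break
    return bytes(image), source

def demo_dump(valid, junk=b""):
    """Constructed sample: PE-shaped buffer, two 16-byte sections, only `valid` populated."""
    hdr, body = bytearray(0x200), bytearray(32)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew
    struct.pack_into("<H", hdr, 0x46, 2)      # NumberOfSections; optional header size stays 0
    for i, name in enumerate((b".text", b".rdata")):
        off = 0x58 + 40 * i
        hdr[off:off + len(name)] = name
        struct.pack_into("<II", hdr, off + 16, 16, 0x200 + 16 * i)
        body[16 * i:16 * i + 16] = name.ljust(16, b"!") if name == valid else bytes(16)
    return junk + bytes(hdr) + bytes(body)
```

Pass the dumps in the order they were taken; the returned mapping shows which dump supplied each section, which makes it easy to check the result against the sections saved by hand.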

Then you get an unpacked PE. Just save that.
OK, the malware might use process injection, most likely process hollowing: starting a child process of its own and replacing it. You can check my post about this.

So here we can use Scylla to dump that child process.
But to be honest, I dumped that child process and compared it with the one that we filled in section by section. They are different. The one I dumped is different, and there must be something wrong with my dump method. I just don’t know why, after many hours of trying.

Yeah, that’s it.

If you have any questions, please contact me at xudong_shao@hotmail.com