So today we will be unpacking a Magniber ransomware sample with PE-sieve. This tool is developed by hasherezade, and she actually made a very good tutorial on it here.

The tool can find hooks and dump the payload at that point. It can also be used to dump process hollowing. Actually, if you check the comments below that video, you will see that I posted some questions there and hasherezade replied and instructed me with great generosity. So today's post will mainly repeat the work she did in that video.

Here we first unpack the outer layer with upx, then open the result in OllyDbg.
You have to change one debugging option so that the debugger stops at the entry point of new modules. Then press F9 until you see the sample create a new child process.

At this point, use pe-sieve to dump the payload. Why dump it at this specific point? Because the malware is about to use cmd to delete itself, and it has already installed the hook.

And now we are done! If you open the sample.exe that is running right now in HxD, you will find exactly the same binary as the file we dumped.

Well, hasherezade also helped me with unpacking a process-hollowing malware sample. Her video is here.

I tried her method and compared the result with what I dumped using my original approach here.

Malware analysis: Dridex and process hollowing

The results are nearly the same: only a few bits differ and the rest is identical. This seems reasonable to me.
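When comparing a dump against the on-disk file like this, the useful question is not just how many bytes differ but which PE section they fall in: differences in .data (globals modified at runtime) are expected, while differences in .text are where a hook or patch would show up. The following is an added Python example, not code from this post or from PE-sieve; it assumes both files are in raw file-aligned layout (as the on-disk sample and PE-sieve's unmapped dumps are) and builds a constructed minimal PE for demonstration.

```python
import struct

def pe_sections(image):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    secs = []
    for i in range(nsec):
        off = table + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        secs.append((name, raw_ptr, raw_size))
    return secs

def section_of(secs, offset):
    """Name the section containing a raw file offset (by range start)."""
    for name, ptr, size in secs:
        if ptr <= offset < ptr + size:
            return name
    return "header/slack"

def diff_pe(original, dumped):
    """Group differing byte offsets into (section, start, length) ranges."""
    secs = pe_sections(original)
    ranges, start = [], None
    n = min(len(original), len(dumped))
    for i in range(n + 1):  # extra iteration closes a range open at the end
        differs = i < n and original[i] != dumped[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            ranges.append((section_of(secs, start), start, i - start))
            start = None
    return ranges

def build_pe(sections):
    """Constructed sample: minimal PE (no optional header) with given sections."""
    hdr_end = 0x40 + 24 + 40 * len(sections)
    body, table, ptr = b"", b"", hdr_end
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        table += struct.pack("<8sIIII", name, len(data), ptr, len(data), ptr) + b"\0" * 16
        body += data
        ptr += len(data)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + coff + table + body
```

A single-byte change at the start of .text, as in the report, is the pattern a trampoline hook leaves, whereas changes confined to .data are the runtime state you would expect to differ between a dump and the file on disk.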

Any question, please contact me at xudong_shao@hotmail.com