How to Unpack Ramnit Dropper - Malware Unpacking Tutorial 2
Defeating Commercial Packers Like a Pro - VMProtect, ASPack, PECompact, FlawedAmmyy, Ramnit Dropper and more. Learn how to unpack 5 different packers & malware samples in this malware analysis & unpacking tutorial series. Playlist = https://www.youtube.com/watch?v=D1-O19AwW8U&list=PLt9cUwGw6CYGfoSL9PUlpKi23z0_R2gz-
Zero2Auto 10% Coupon Code = "GUIDEDHACKING"
https://courses.zero2auto.com/?coupon=GUIDEDHACKING
^Automatically applied with the link above^
In this malware analysis tutorial you will learn how to unpack the Ramnit Dropper, which downloads the secondary Ramnit malware payload. Ramnit is a large family of malware that dates back to 2010, when the strain was first released. Nowadays it is mainly a banking trojan, but it also has the capability to steal credentials and much more. In the past Ramnit was just a simple virus, but it has since grown into a large botnet of infected computers. In 2015 the Ramnit botnet was taken down, but the malware continued to evolve and has moved past that stage of development; at any given time there are 10,000-100,000 infected machines. Most interestingly, it was combined with an sLoad PowerShell loader and targeted banking customers in the UK and Italy. You can read more about that at https://vk-intel.org/2018/08/05/lets-learn-diving-into-the-latest-ramnit-banker-malware-via-sload-powershell/.
But let's talk about the Ramnit Dropper in this malware unpacking tutorial. It uses its own custom packer but is relatively easy to unpack; this tutorial will teach you how to do it in less than seven minutes. IDA analysis quickly shows a jump into a data section that is not code, because that section is currently encrypted and needs to be unpacked first. Once the debugger is attached to the Ramnit dropper with x64dbg, we put a breakpoint on VirtualAlloc so we can see any memory allocations where the decrypted code might be placed. In addition, any time you're unpacking something you want to log or breakpoint CreateFile to see what files it opens or creates. CreateProcessInternalW is also a good function to check, but in this case the Ramnit dropper adds the file to the computer's autorun entries so that it loads at startup, with no reason to call CreateProcess. Once rebooted, Ramnit spawns a svchost.exe process and performs process hollowing. Once that is completed, you can dump svchost to get the unpacked file.
This was originally a 1 hour unpacking tutorial but we broke it down into smaller parts for easier viewing in our How to Unpack Malware tutorial series. Subscribe to get notified of the next videos. The videos in this series are:
-How to dump FlawedAmmyy ( Ammyy Admin )
-How to dump Ramnit Dropper
-How to unpack VMProtect (no virtualization)
-How to dump PECompact
-How to unpack ASPack
Complete Playlist: https://www.youtube.com/playlist?list=PLt9cUwGw6CYGfoSL9PUlpKi23z0_R2gz-
A packer is a piece of software that obfuscates the original binary on disk. Packers started as very simple programs that just XORed the original bytes: the original code would be replaced with a stub, and the stub would XOR the original binary back, map it into memory and then execute the original code. In this way, static analysis of the file on disk is impossible. But in this How to Unpack tutorial series you will learn the ins and outs of unpacking binaries, including malware samples. Unpacking malware is something you will have to do quite frequently as a malware analyst, as almost all malware uses packers to evade antivirus detection. While packers have become increasingly complicated over the years, unpacking them still follows the same steps and has the same goal. The point of unpacking a binary is to enable static analysis: once you have dumped the original binary to disk, you can begin to reverse engineer it.
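As an added illustration of the simple XOR-stub packer described above (example code written for this page, not the Ramnit dropper's packer or anything from the video), the script below constructs a minimal PE header, XOR-packs it with a single-byte key, and then recovers the key and offset by brute force, validating the MZ -> e_lfanew -> PE signature chain instead of trusting the first "MZ" it sees. The sample bytes and the 0x5A key are constructed for the demo.

```python
import struct

def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the 'stub' transform used by the earliest packers."""
    return bytes(b ^ key for b in data)

def make_sample_pe() -> bytes:
    """Constructed minimal PE-like image: DOS header with e_lfanew -> 'PE\\0\\0'."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew points right after DOS header
    nt = b"PE\0\0" + struct.pack("<HH", 0x014C, 3)   # IMAGE_FILE_MACHINE_I386, 3 sections
    return bytes(dos) + nt + b"\x00" * 20 + b"fake section data"

def looks_like_pe(buf: bytes, off: int) -> bool:
    """Check the MZ -> e_lfanew -> PE signature chain at buf[off]; this rejects a
    stray 'MZ' pair produced by a wrong key."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    if not 0x40 <= e_lfanew < 0x1000:                # sane range for a real header
        return False
    nt = off + e_lfanew
    return buf[nt:nt + 4] == b"PE\0\0"

def find_xor_pe(blob: bytes):
    """Brute-force all 256 single-byte keys (0 = already unpacked) over a dumped
    section; return (key, offset) of the first validated PE header, else None."""
    for key in range(256):
        dec = xor_bytes(blob, key)
        pos = dec.find(b"MZ")
        while pos != -1:
            if looks_like_pe(dec, pos):
                return key, pos
            pos = dec.find(b"MZ", pos + 1)
    return None

def carve(blob: bytes, key: int, offset: int) -> bytes:
    """Decode from the recovered header to the end of the region (a rough dump)."""
    return xor_bytes(blob[offset:], key)

if __name__ == "__main__":
    # Constructed 'data section': junk prefix + XOR-packed header + trailing zeros
    packed = b"\x90" * 16 + xor_bytes(make_sample_pe(), 0x5A) + b"\x00" * 8
    hit = find_xor_pe(packed)
    print(hit)                                        # (90, 16)
    if hit:
        print(carve(packed, *hit)[:2])                # b'MZ'
```

This only handles the trivial single-byte scheme the paragraph describes; custom packers like Ramnit's are why the video falls back to x64dbg breakpoints on VirtualAlloc and dumping the hollowed process.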
Malware Hashes (MD5 - all on VirusBay):
Ammyy: 7fb83e646cbabc50bec4b33c8130b5ae
ASPack: 9cc1b039aa8e4a98da3c390fdacc414c
PECompact: ad8cd029b32568830c8304f6075bb805
Ramnit: 6ee3d4e6b9cec67165e90f7ee7c9c33b
VMProtect: a39b4f74b5108a2b9f1a33b2feb22cc5
Discussion: https://guidedhacking.com/threads/how-to-unpack-ramnit-dropper-malware.16682/
Support us on Patreon: http://bit.ly/38mnveC
Donate on our Forum : http://bit.ly/2HkOco9
Follow us on Facebook : http://bit.ly/2vvHfhk
Follow us on Twitter : http://bit.ly/3bC7J1i
Follow us on Twitch : http://bit.ly/39ywOZ2
Follow us on Reddit : http://bit.ly/3bvOB57
Follow us on GitHub : http://bit.ly/2HoNXIS
Follow us on Instagram : http://bit.ly/2SoDOlu
#MalwareAnalysis #HowToUnpack #malware