
Intro To Malware Analysis

Hi Folks, here I will analyze a malware sample that is possibly packed with NSPack. Details are below:

SHA256: 5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4

File name: 5df0b1b07143c880c76d6e82253a20192981c83c3ea68bf86ffede6b17c01da4

First, we will do static analysis of the file.

Using the strings utility, we see the following. Most of the strings are obfuscated or encrypted content.

We also see strings like .nsp0, .nsp1 and .nsp2. Searching for these tells us that the file was packed with NSPack, a packer based on NS Packer.

VirusTotal Analysis:

On VirusTotal the sample is detected by 49 out of 55 engines, which indicates it is malicious in nature.

So we should unpack the malware: without unpacking, the code looks obfuscated and it is not possible to debug the instructions. It looks like the below in IDA:

As we saw above, there are custom sections named .nsp0, .nsp1 and .nsp2, and the OEP starts with PUSHF PUSHA, which is an indication of a packer. We can confirm it with PEiD.

As we can see above, there is a comparison between ESI and 1; if it succeeds, it jumps to a section like
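The two static hints used above (the .nsp0/.nsp1/.nsp2 section names and a PUSHF/PUSHA prologue at the entry point) can be checked on a file without opening a disassembler. The following is an added example, not code from the original post: a minimal PE section-table parser that maps the entry-point RVA to a file offset and reads its first bytes; the hypothetical `build_sample()` constructs a tiny fake PE in memory (not the real sample) so the script runs offline.

```python
import struct

# NSPack hints from the static analysis: its section names and the PUSHFD/PUSHAD (9C 60) stub.
NSPACK_SECTIONS = {b".nsp0", b".nsp1", b".nsp2"}
PUSHFD_PUSHAD = b"\x9c\x60"

def parse_pe(data):
    """Return (entry_rva, [(name, vaddr, raw_size, raw_ptr), ...]) from a PE file image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    entry_rva = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]  # AddressOfEntryPoint
    table = pe_off + 24 + opt_size                                # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsect):
        name, _, vaddr, rsize, rptr = struct.unpack_from("<8s4I", data, table + 40 * i)
        sections.append((name.rstrip(b"\0"), vaddr, rsize, rptr))
    return entry_rva, sections

def entry_bytes(data, entry_rva, sections, n=2):
    """Map the entry-point RVA to a file offset via the section table and read n bytes."""
    for _, vaddr, rsize, rptr in sections:
        if vaddr <= entry_rva < vaddr + rsize:
            off = rptr + (entry_rva - vaddr)
            return data[off:off + n]
    return b""  # entry point outside any section's raw data is itself a red flag

def packer_indicators(data):
    """Both hints the post relies on, as a dict a triage script can act on."""
    entry_rva, sections = parse_pe(data)
    names = [s[0] for s in sections]
    return {"sections": names,
            "nspack_sections": sorted(set(names) & NSPACK_SECTIONS),
            "entry_pushfd_pushad": entry_bytes(data, entry_rva, sections) == PUSHFD_PUSHAD}

def build_sample(names=(b".nsp0", b".nsp1"), stub=PUSHFD_PUSHAD):
    """Constructed minimal 32-bit PE (not the real sample); EP is the start of the 2nd section."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0x60, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x2000) + b"\0" * 76
    secs = b"".join(struct.pack("<8s4I", n, 0x200, va, 0x200, rp) + b"\0" * 16
                    for n, va, rp in zip(names, (0x1000, 0x2000), (0x200, 0x400)))
    header = (dos + coff + opt + secs).ljust(0x200, b"\0")
    return header + b"\0" * 0x200 + (stub + b"\0" * 0x200)[:0x200]
```

Run `packer_indicators(open(path, "rb").read())` on a real file; a section name or prologue match is only a hint, so confirm with PEiD or a debugger as the post does.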