Posts

Showing posts from December, 2019

Learning Cryptography Through Analyzing Ransomware: Jigsaw and Turkstatik

In the malware family, ransomware is like a flashy cousin who gets all the attention. The immediate impact and psychological terror of ransomware bring it an incredible amount of recognition and visibility. Today we will take a look at two ransomware families: Jigsaw and TurkStatik. 1. Jigsaw. Sample: 76e0c8cd82dba5a880125070e43cbd9d505c39b22858cd86ff6253181b5f193c. From looking at the imports, Jigsaw appears to be a .Net application, which is great news. Instead of IDA, you can use any commercial .Net decompiler to recover accurate C# code. I highly recommend dnSpy. It's FREE while also having debugging functionality. Opened in dnSpy, this sample is unpacked and non-obfuscated. First, we start our analysis by looking at the Resources section. There are 3 pieces of information stored here: an array of "supported" extensions, the JigsawImage, and the crypto wallet address. Next, we move on to the code section inside each module. Conveniently, Main->

3 Levels of Unpacking For Newbies. Part #2: Stubbornly Unpack VB6 RunPE

This is the second part of a three-part series attempting to teach beginners the fundamental concepts and basic techniques of unpacking. Since I am a beginner myself, I hope my way of thinking will be more relatable to others out there. For Part#1, in order to recognize and unpack UPX, we learned a little bit about the PE structure, RVAs, the IAT, run-time linking, software breakpoints vs hardware breakpoints, the tail jump, and using Scylla to rebuild the IAT. We also learned the trick of setting a hardware breakpoint on the stack when encountering pusha/pushad so that execution stops at the corresponding popa/popad. Sadly, as far as I know, this trick won't work on more complicated packers. However, today we will learn a technique that applies to the majority of packers: setting breakpoints on Windows APIs, or as some people call it, API hooking. 1. Introduction. In order to interact with the Windows OS, every piece of software has to call Windows APIs. Though, not all APIs are created equal. Choosing t