Unpacking a cryptocurrency miner (from NSIS-based cryptor)

This malware is a cryptocurrency miner packed by yet another variant of an NSIS-based cryptor. Let's have a brief look.

I am loading it under ImmunityDbg. We can see some NSIS-related strings. Let's confirm that the debugger is set to pause on every newly loaded module. System.dll is part of the NSIS package (nothing interesting for us). The next DLL is also part of the package (not our payload).

The real payload will be loaded by overwriting another PE in memory, using WriteProcessMemory. Let's set a breakpoint on it and observe. We can see a new PE file revealed: is it our payload? Let's remove the redundant data from the beginning of the dumped memory area. The PE headers are correct, but the code looks invalid. The same problem affects the other elements (imports, etc.).

Let's see what happens on the other writes. There is again a PE file being written; is it valid this time? Hmm, no, it is the same. But is it loading something more? It seems that this time the content of the .text section has changed (probably filled with valid content). I am dumping it again to check. In the old buffer the .text section was filled with rubbish; now it is overwritten with valid data. I dumped the valid content of the .text section to save it aside.

Now it should reveal another missing section. And yes, it revealed a new section (.rdata), but at the same time it erased the previously filled .text section. So the cryptor fills the target image one section at a time, and no single write contains the complete payload. I am saving this section aside too, and we will put them all together later.
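The workflow above (cut the leading bytes off a dumped region, keep the one write in which each section is valid, then glue the pieces back into a file) is easy to automate. Below is an added example in Python, written for this page and not a tool from the original post. The three dump buffers are constructed to mimic the three WriteProcessMemory calls described above (rubbish .text; valid .text; valid .rdata with .text erased), the toy PE's alignments and addresses are assumptions, and the entropy heuristic used to tell the still-encrypted section from the decrypted one is my assumption, not something the post states.

```python
import math
import struct

SECTION_ALIGN, FILE_ALIGN = 0x1000, 0x200   # assumed alignments of the constructed toy image


def align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_toy_image(text, rdata):
    """Minimal PE32 in *memory* layout: headers, .text at RVA 0x1000, .rdata at RVA 0x2000.
    Constructed stand-in for the buffers the cryptor writes; it is not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # i386, 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                       # ImageBase
    struct.pack_into("<II", opt, 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                 # SizeOfImage, SizeOfHeaders
    secs, raw_ptr = b"", 0x200
    for name, rva, data in ((b".text", 0x1000, text), (b".rdata", 0x2000, rdata)):
        raw_size = align(len(data), FILE_ALIGN)
        secs += struct.pack("<8sIIIIIIHHI", name, len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw_size
    image = bytearray(0x3000)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    image[:len(hdr)] = hdr
    image[0x1000:0x1000 + len(text)] = text
    image[0x2000:0x2000 + len(rdata)] = rdata
    return bytes(image)


def find_pe_start(buf):
    """Offset of the first 'MZ' whose e_lfanew lands on a 'PE\\0\\0' signature, or -1.
    This is the 'remove the redundant data from the beginning of the dump' step."""
    off = buf.find(b"MZ")
    while off >= 0:
        if off + 0x40 <= len(buf):
            pe = off + struct.unpack_from("<I", buf, off + 0x3C)[0]
            if pe - off < 0x1000 and buf[pe:pe + 4] == b"PE\0\0":
                return off
        off = buf.find(b"MZ", off + 1)
    return -1


def parse_sections(image):
    """Section headers; identical in memory and file layout, so either dump will do."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    n_secs = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", image, e_lfanew + 20)[0]
    out = []
    for i in range(n_secs):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        out.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                    "raw_size": raw_size, "raw_ptr": raw_ptr})
    return out


def extract_section(image, sec):
    """Slice one section out of a memory-layout dump (the 'save it aside' step)."""
    return image[sec["rva"]:sec["rva"] + sec["vsize"]]


def entropy(data):
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def pick_valid(candidates):
    """Among several dumps of one section, drop the not-yet-written (all-zero) ones and prefer the
    lowest entropy: decrypted code/strings sit well under 7 bits per byte, rubbish near 8 (heuristic)."""
    filled = [c for c in candidates if any(c)]
    return min(filled, key=entropy) if filled else None


def rebuild_pe(image, section_bytes):
    """File-layout PE: headers up to SizeOfHeaders, each section at its original PointerToRawData.
    If a cryptor had zeroed those pointers, raw_ptr/raw_size would have to be set to rva/vsize."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    out = bytearray(image[:struct.unpack_from("<I", image, e_lfanew + 24 + 60)[0]])
    for sec in parse_sections(image):
        end = sec["raw_ptr"] + sec["raw_size"]
        if len(out) < end:
            out.extend(b"\0" * (end - len(out)))
        out[sec["raw_ptr"]:end] = section_bytes[sec["name"]][:sec["raw_size"]].ljust(sec["raw_size"], b"\0")
    return bytes(out)


# Constructed scenario: the three WriteProcessMemory buffers, each with junk before the MZ header.
TEXT = b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57\x33\xc0" * 60       # fake x86 prologue bytes
RDATA = b"settings.ini\0pool\0"*40                                  # fake string table
RUBBISH = bytes((i * 37 + 11) & 0xFF for i in range(len(TEXT)))    # still-encrypted .text
ZEROS_T, ZEROS_R = b"\0" * len(TEXT), b"\0" * len(RDATA)
JUNK = b"\x90" * 0x37
WRITES = [JUNK + build_toy_image(RUBBISH, ZEROS_R),   # 1st write: headers fine, .text rubbish
          JUNK + build_toy_image(TEXT, ZEROS_R),      # 2nd write: .text now valid
          JUNK + build_toy_image(ZEROS_T, RDATA)]     # 3rd write: .rdata valid, .text erased


def reconstruct(writes):
    images = []
    for w in writes:
        start = find_pe_start(w)
        if start < 0:
            raise ValueError("no PE header in dump")
        images.append(w[start:])
    chosen = {s["name"]: pick_valid([extract_section(img, s) for img in images])
              for s in parse_sections(images[0])}
    return rebuild_pe(images[0], chosen), chosen


if __name__ == "__main__":
    pe, chosen = reconstruct(WRITES)
    print({k: round(entropy(v), 2) for k, v in chosen.items()}, len(pe))
```

This restores the raw sections only. The section headers of a hollowed image still carry the original PointerToRawData values, which is what makes rebuilding the file layout possible; the import table, which the post notes looked invalid in the first write, still has to be checked and if necessary rebuilt separately.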

3 thoughts on “Unpacking a cryptocurrency miner (from NSIS-based cryptor)”

  1. Hey, thanks for the sample. I want to take a look too.

    I really like the work you did with Petya. I actually had fun debugging it.

  2. Hi, thanks for your video. It's great. After hours of trying, I found that I got the same result using your method. But for the dump file made using Scylla, mine is always different from the file we dumped section by section. It does have the same .text section, but the other sections are different. And I made sure that I dumped the child process. I just don't know why…. Please.
