A forum for reverse engineering, OS internals and malware analysis
Searched query: mpress
I am testing a tool to detect images compressed with MPRESS and need many samples specifically compressed with MPRESS to validate the tool.
Does someone know a URL where I could find this specific kind of sample?
Last stage: MPRESS with unfixed IAT, doesn't matter, resources and other crap readable. 2stage.exe_bin - TDL3-style injector with 3rd stage in .inst section encrypted. 3stage.exe_bin - decrypted .inst executable, next dropper with ...
... Name of malware + C&C as I understand. 3. Next stage dropper written in C++, purpose - decrypt 4th stage malware body. 4. MPRESS compressed actual FakeAV body. Maybe I missed something, just did a quick look. If you need any layers from this crap let me know.
Third - actual malware running from MPRESS allocated region (again different from the original imagebase). Here all AntiVM tricks are executed. Itself this is Backdoor:Win32/Caphaw.D. In attach MPRESS binary extracted from 1st layer. Decompress ...
... 0x00B80000 region), trace after call with ERW flags, it will dexor (whatever) container in @ContainerAddress and then call second stage. Second - MPRESS v2.18 running from @ContainerAddress. Unpacking MPRESS is somehow similar to unpacking previous one. Result = allocated memory region with ERW ...
... layers. The top one is some custom cryptor which executes several anti emulation tricks such as calling rare API functions and decrypting the MPress packed executable to its own memory. After unpacking this inner MPress packer, we finally get the malicious code." I guess I should be dumping ...
... sections to the created process and resume thread). It works as long as no packing is applied to my custom executable. When I pack my exe with UPX/MPRESS then the forked instance (code running in Windows svchost.exe) cannot catch C++ exceptions. Throwing an exception results in termination of the application. ...
... Trojan downloader Phokace with AntiVM. Payload hxxp://www.allezdax.com/images/m.exe (crypted and packed by MPRESS Worm:Win32/Phorpiex.B ) decrypted downloader, payload + decrypted in attach Windows Live Messenger spam templates ICQ Conversations - MiniUserProfileDlg ...
@freyr The TDL packer is nothing special. As NOP already said you can retrieve all sensitive data (drv loader, cmd.dll (UPX), cmd64.dll (MPRESS) except cfg.ini because it is constructed by cmd.dll at runtime) by simply dumping the whole allocated region to disk. However unpacking each TDL sample is ...