A quick and dirty way of unpacking the SManager Chinese APT tool
This is my last post in the series on the analysis of SManager. I had planned to write more posts on unpacking for our infosec community. I hope you like this one.
If you haven't read my previous posts on the SManager Chinese APT tool, go ahead and read them first. They are listed here:
SManager loader analysis:
Reversing APT Tool : SManager
Static and Dynamic Analysis of Chinese APT Backdoor
SManager (unpacked) analysis:
Reversing APT Tool : SManager (Unpacked)
Reversing highly sophisticated espionage tool from Chinese APT group.
Now on to unpacking the SManager tool.
Look carefully at the entropy: it is high, around 6.727, which is consistent with compressed or encrypted content. This is the 32-bit malware loader that we have to break down to reach the SManager executable.
Fire up x32dbg and configure it for debugging.
Go to Options -> Preferences, uncheck "System Breakpoint" (Events tab) and save, so that the debugger does not stop at the ntdll system breakpoint before it reaches the loader's entry point.
Setting Up Breakpoints
Type the breakpoints into the command box at the bottom of x32dbg.
The format is bp followed by the API name:
Example: bp VirtualAlloc (x32dbg resolves the export once the module is loaded; bp kernel32.VirtualAlloc is the explicit form).
Set one for each API of interest: some cover process injection (CreateProcessInternalW, ResumeThread) and some cover self-injection (VirtualAlloc).
Click "Run to user code" on the toolbar just below the menu bar.
Then hit Run on the same toolbar.
x32dbg breaks at CreateProcessInternalW.
Hit Run again, and this time ResumeThread is hit, consistent with the newly created process having been started suspended and now being released.
Hit Run once more, and x32dbg breaks at CreateProcessInternalW again.
This hit is the useful one. Look carefully at the call's arguments: the application name and command line are the first two parameters and are visible on the stack at the breakpoint.
They give us the location on disk of the unpacked SManager binary.
Checking that it is a proper executable
Fire up PEStudio and open the file to confirm it is a well-formed PE executable.
Fire up PE-bear and open it there as well to check the headers and sections.
Tools referenced:
x32dbg, PEStudio, PE-bear.