Uncovering APT29 tool: Trojan PolyGlot Duke — (unpacking)

Unpacking, Static and Dynamic Analysis of PolyGlot Duke.


Unpacking

It is a 64-bit executable, and it is packed: the file on disk is only a loader for the real payload.

PE Studio view of the packed APT29 malware.

Loading the packed malware in x64dbg.

Setting up breakpoints for unpacking while debugging:

Some of these catch injection into another process, and some catch self-injection (the packer writing the payload into its own address space and changing page protections to run it).

- VirtualAlloc
- VirtualProtect
- ResumeThread
- CreateProcessInternalW
- WriteProcessMemory

Hitting Breakpoints

First, the breakpoint hits at the entry point.

x64dbg view hitting at the entry point.

Running the debugger again, it hits at VirtualAlloc.

x64dbg view hitting at VirtualAlloc.

After several hits at VirtualAlloc and at its returns, the debugger hits at VirtualProtect and at its return.

x64dbg view hitting at VirtualAlloc and its returns.

Now the VirtualProtect hit in the debugger looks different from the earlier ones.

x64dbg view hitting at VirtualProtect.

Hitting run again, x64dbg hits at the return.

x64dbg view hitting at the return of VirtualProtect.

On the next run x64dbg hits at VirtualProtect again, and then at its return.

x64dbg view hitting at VirtualProtect.

Now, scrolling a bit in the window to the right of the hex dump window, you will find the “PE” string.

The “PE” string found in the window to the right of the hex dump.

Following it in the hex dump and scrolling a bit up, we get to the MZ (magic) header. Once we have the MZ header, we follow it in the Memory Map.

Following the MZ header in the Memory Map.

The highlighted line in the memory map is the executable we want to analyse. Right-click it, dump it and save it.

Following the view from the hex dump into the Memory Map, we get to the executable.

Opening the dumped file in PE Studio.

PE Studio view of the mapped file.

PE Bear view of the mapped file.

Because the dump was taken from memory, its sections are laid out at their virtual addresses rather than at the raw file offsets recorded in the section table. In the section headers, replace each section's raw address with its Virtual Address and its raw size with its Virtual Size, so the file offsets match the in-memory layout.

PE Bear: mapped file.

PE Bear: unmapped and fixed file.

PE Bear with the fixed file information.
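The section-table fix described above, as an added Python example that is not part of the original post: it walks the section headers of a PE dumped from memory and sets each section's raw size and raw pointer to its virtual size and virtual address, exactly the edit done by hand in PE Bear. The function names and the two-section header it runs on are my own constructed sample, not bytes from the real dump.

```python
import struct

def _section_table(data):
    """Return (offset of the first section header, number of sections)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return e_lfanew + 24 + size_of_optional, num_sections

def read_sections(data):
    """List of (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    off, n = _section_table(data)
    out = []
    for i in range(n):
        hdr = off + i * 40  # sizeof(IMAGE_SECTION_HEADER)
        name = bytes(data[hdr:hdr + 8]).rstrip(b"\0").decode("ascii", "replace")
        out.append((name,) + struct.unpack_from("<IIII", data, hdr + 8))
    return out

def looks_memory_mapped(data):
    """True while any section's raw size/offset still differ from its virtual ones."""
    return any(vs != rs or va != rp for _, vs, va, rs, rp in read_sections(data))

def unmap_sections(data):
    """Copy of the dump with SizeOfRawData=VirtualSize and PointerToRawData=VirtualAddress."""
    buf = bytearray(data)
    off, n = _section_table(buf)
    for i in range(n):
        hdr = off + i * 40
        vsize, va = struct.unpack_from("<II", buf, hdr + 8)
        struct.pack_into("<II", buf, hdr + 16, vsize, va)  # raw size, raw pointer
    return bytes(buf)

def build_constructed_dump():
    """Constructed two-section PE32+ header (no code) whose raw fields still hold on-disk values."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytes(240)  # a zeroed PE32+ optional header is enough for the section-table walk
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    def sec(name, vsize, va, rsize, rptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)
    return (bytes(dos) + b"PE\0\0" + coff + opt + sec(b".text", 0x1234, 0x1000, 0x1400, 0x400)
            + sec(b".data", 0x300, 0x3000, 0x200, 0x1800))
```

On a real dump, read the file with `open(path, "rb").read()`, pass it through `unmap_sections`, and write the result back out before loading it in PE Studio or PE Bear.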

Sample from Report:

From Abuse[.]ch:

Thanks for reading.

aka Nikhil Rathor | Honey. Malware Analyst. I write blogs related to threat intelligence, malware analysis, APTs, network intrusions and incident response.
