Unpacking APT29's Polyglot Duke

Introduction :- In this blog we'll look at unpacking a sample attributed to the Russian foreign intelligence unit “APT29”, aka “Cozy Bear” / “The Dukes”.

Dropping Polyglot Duke into PE Studio shows this information.

Setting Up for Unpacking :-

Rather than spend more time on the sample's information in PE Studio, let's drop the file into x64-dbg, a great tool for unpacking and debugging malware and for exploring its internals dynamically.

Go to Options -> Preferences and uncheck “System Breakpoint”.
x64-dbg before the executable is loaded.
x64-dbg after the executable is loaded.
The command palette in x64-dbg, used to set the API breakpoints:
  1. VirtualProtect
After setting the breakpoints in x64-dbg.

Unpacking :-

Now hit the Run button just above the disassembler window in x64-dbg.

The debugger stops at the VirtualAlloc breakpoint.
Following the RAX register in the hex dump shows this.
Pressing return takes us to VirtualAlloc's return.
On continuing, the debugger hits the VirtualProtect breakpoint.
Following the MZ header in the hex dump (Dump 1).
From here we dump the unpacked memory of the final payload, after following it from the “4D” (the “M” of MZ) in the hex dump.

Getting the final payload :-

After dumping the memory of the final payload, we only need to fix the section headers in PE Bear: set each section's raw size equal to its virtual size, and likewise set its raw address equal to its virtual address, because the dump is laid out as it was in memory rather than as it was on disk.

Before fixing the raw/virtual sizes and addresses in PE Bear.
After fixing the raw/virtual sizes and addresses.
Address of the final unpacked payload in x64-dbg.
Copying that address into the Image Base field.
Go to the unpacked_payload and save it as an executable.
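As an added example (not code from the original post), the PE Bear fix-up above automated in Python: each section's PointerToRawData and SizeOfRawData are set to its VirtualAddress and VirtualSize, and ImageBase is rewritten to the address copied from the debugger. The input is a constructed two-section PE32+ image rather than the real sample, and any dump address passed in is a placeholder.

```python
import struct

SECTION_HDR = 40  # sizeof(IMAGE_SECTION_HEADER)

def _headers(buf):
    """Return (NumberOfSections, optional header offset, section table offset, is_pe32plus)."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]              # e_lfanew -> "PE\0\0"
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", buf, pe + 6)[0], struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24                                            # 4-byte signature + 20-byte COFF header
    return nsec, opt, opt + opt_size, struct.unpack_from("<H", buf, opt)[0] == 0x20B

def parse(data):
    """ImageBase plus (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    n, opt, sec, pe32plus = _headers(data)
    base = struct.unpack_from("<Q", data, opt + 24)[0] if pe32plus else struct.unpack_from("<I", data, opt + 28)[0]
    rows = [struct.unpack_from("<8sIIII", data, sec + i * SECTION_HDR) for i in range(n)]
    return base, [(r[0].rstrip(b"\0").decode(),) + r[1:] for r in rows]

def fix_dumped_pe(data, new_image_base=None):
    """Make a memory dump loadable from disk: raw offset/size := VirtualAddress/VirtualSize, because
    process memory is laid out by RVA; ImageBase is optionally rewritten to the address dumped from."""
    buf = bytearray(data)
    n, opt, sec, pe32plus = _headers(buf)
    if new_image_base is not None:   # PE32+ keeps an 8-byte ImageBase at +24, PE32 a 4-byte one at +28
        struct.pack_into("<Q" if pe32plus else "<I", buf, opt + (24 if pe32plus else 28), new_image_base)
    for i in range(n):
        off = sec + i * SECTION_HDR
        vsize, vaddr = struct.unpack_from("<II", buf, off + 8)   # VirtualSize, VirtualAddress
        struct.pack_into("<II", buf, off + 16, vsize, vaddr)     # SizeOfRawData, PointerToRawData
    return bytes(buf)

def build_sample_dump():
    """Constructed PE32+ image (not a real sample): linked ImageBase 0x140000000 and two sections
    whose raw fields still describe the on-disk layout, as they do right after dumping from memory."""
    buf = bytearray(0x600)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                  # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x8664, 2, 0, 0, 0, 240, 0x22)   # x64, 2 sections, opt hdr 240
    struct.pack_into("<H", buf, 0x98, 0x20B)                                 # PE32+ magic
    struct.pack_into("<Q", buf, 0x98 + 24, 0x140000000)                      # ImageBase as linked
    sec = 0x98 + 240
    struct.pack_into("<8sIIII", buf, sec, b".text", 0x1000, 0x1000, 0x200, 0x400)
    struct.pack_into("<8sIIII", buf, sec + SECTION_HDR, b".data", 0x300, 0x2000, 0x200, 0x600)
    return bytes(buf)
```

Run `fix_dumped_pe(open("unpacked_payload", "rb").read(), new_image_base=<address from x64-dbg>)` on a real dump and write the result to disk; `parse()` shows the section table before and after.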

Confirming the payload in Intezer Analyze :-

The Intezer Analyze online sandbox confirms that the payload is from APT29.

Thanks for reading and giving your precious time to my research blog.

Programmer. Hacker. Reverse Engineer. Malware Analyst. Threat Intel Analyst. Gamer. Streamer. Twitch: twitch.tv/0xthreatintel #BlackLivesMatter #LGBTQ