{"id":7021,"date":"2017-03-17T08:10:33","date_gmt":"2017-03-17T16:10:33","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-812\/"},"modified":"2017-03-17T08:10:33","modified_gmt":"2017-03-17T16:10:33","slug":"news-812","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/17\/news-812\/","title":{"rendered":"Diamond Fox &#8211; part 1: introduction and unpacking"},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 17 Mar 2017 15:00:41 +0000<\/strong><\/p>\n<p>Diamond Fox (also known as Gorynch) is a stealer written in Visual Basic that has been present on the black market for several years. Some time ago, builders of its older versions (e.g. 4.2.0.650) were cracked and <a href=\"http:\/\/www.freetrojanbotnet.com\/\" target=\"_blank\">leaked online<\/a> &#8211; thanks to this, we can take a closer look at the full package that the authors sell to other criminals.<\/p>\n<p>In 2016 the malware was almost completely rewritten &#8211; its recent version, called &#8220;Crystal&#8221;, was described some months ago by Dr. Peter Stephenson from SC Media (<a href=\"https:\/\/www.scmagazine.com\/inside-diamondfox\/article\/578478\/\" target=\"_blank\">read more<\/a>).<\/p>\n<p>In this short series of posts, we will take a deep dive into a sample of Diamond Fox delivered by the Nebula Exploit Kit (described <a href=\"http:\/\/malware-traffic-analysis.net\/2017\/03\/02\/index.html\" target=\"_blank\">here<\/a>). 
We will also make a brief comparison with the old, leaked version, in order to show the evolution of this product.<\/p>\n<p>In this first part, we will take a look at Diamond Fox&#8217;s behavior in the system, but the main focus will be on unpacking the sample and turning it into a form that can be decompiled by a <a href=\"https:\/\/www.vb-decompiler.org\/\" target=\"_blank\">Visual Basic Decompiler<\/a>.<\/p>\n<h3>Analyzed samples<\/h3>\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/6764f98ba6509b3351ad2f960dcc47c27d0dc00d53d7e0ae132a7c1d15067f4a\/analysis\/\" target=\"_blank\">92d098a9f2adb0e4c524edd82a81c894<\/a> &#8211; original sample\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/81af849b00fdaa2e504a750e028dba24dbd2f9db3f53ff8df851ec5ea46f0c2a\/analysis\/1489424846\/\" target=\"_blank\">05ce32843c7271464b48283fe8f179cc<\/a> &#8211; unpacked stage 1\n<ul>\n<li><a href=\"https:\/\/www.virustotal.com\/en\/file\/92b449d5932fd42a5040b26e2a849aea3deb04ae0c4e400e6ddf13acd12a94e3\/analysis\/1489424899\/\" target=\"_blank\">988e9fa903cc2fbb80e7221072fb2221<\/a> &#8211; unpacked (final VB payload)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h3>Behavioral analysis<\/h3>\n<p>After being deployed, Diamond Fox runs silently; however, we can notice some symptoms of its presence in the system. 
First of all, the UAC (User Account Control) gets disabled, and we can see the Windows notification about it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16839\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/uac.png\" alt=\"\" width=\"550\" height=\"93\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/uac.png 550w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/uac-300x51.png 300w\" sizes=\"auto, (max-width: 550px) 100vw, 550px\" \/><\/p>\n<p>Another pop-up asks the user to restart the system so that this change takes effect:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16840\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/restart_alert.png\" alt=\"\" width=\"365\" height=\"174\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/restart_alert.png 365w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/restart_alert-300x143.png 300w\" sizes=\"auto, (max-width: 365px) 100vw, 365px\" \/><\/p>\n<p>The initial executable is deleted and the malware re-runs itself from the copy installed in the %TEMP% folder. It drops two copies of itself &#8211; <em>dwn.exe<\/em> and <em>spoolsv.exe<\/em>. 
Viewing the process activity under Process Explorer, we can observe the spawned processes:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16799\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dfox.png\" alt=\"\" width=\"741\" height=\"73\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dfox.png 741w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dfox-300x30.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dfox-600x59.png 600w\" sizes=\"auto, (max-width: 741px) 100vw, 741px\" \/><\/p>\n<p>It also deploys <em>wscript.exe<\/em>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16831\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/deployed.png\" alt=\"\" width=\"750\" height=\"303\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/deployed.png 750w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/deployed-300x121.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/deployed-600x242.png 600w\" sizes=\"auto, (max-width: 750px) 100vw, 750px\" \/><\/p>\n<p>For persistence, Diamond Fox creates a new folder with a special name (<a href=\"http:\/\/windows.mercenie.com\/windows-xp\/create-folder-any-name\/\" target=\"_blank\">read more about this feature<\/a>): <em>%TEMP%\\lpt8.{20D04FE0-3AEA-1069-A2D8-08002B30309D}<\/em>. The name combines a reserved DOS device name (<em>LPT8<\/em>), which ordinary Win32 path handling refuses to treat as a file-system object, with the CLSID of <em>My Computer<\/em> used as the folder&#8217;s &#8220;extension&#8221;, so Explorer opens the folder as that shell object instead of listing its contents.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16827\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/installed_special.png\" alt=\"\" width=\"659\" height=\"147\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/installed_special.png 659w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/installed_special-300x67.png 300w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/installed_special-600x134.png 600w\" sizes=\"auto, (max-width: 659px) 100vw, 659px\" \/><\/p>\n<p>Thanks to this trick, the user cannot access the files dropped inside with the usual tools. Another copy (backup) is dropped in the <em>Startup<\/em> folder.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16826\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/persist.png\" alt=\"\" width=\"939\" height=\"76\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/persist.png 939w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/persist-300x24.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/persist-600x49.png 600w\" sizes=\"auto, (max-width: 939px) 100vw, 939px\" \/><\/p>\n<p>While running, the malware creates some files with <em>.c<\/em> extensions in the %APPDATA% folder:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16828\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_c.png\" alt=\"\" width=\"605\" height=\"242\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_c.png 605w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_c-300x120.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_c-600x240.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_c-604x242.png 604w\" sizes=\"auto, (max-width: 605px) 100vw, 605px\" \/><\/p>\n<p>Also, new files are created in the folder from which the sample was run:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16829\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_files-1.png\" alt=\"\" width=\"657\" height=\"68\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_files-1.png 657w, 
https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_files-1-300x31.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dropped_files-1-600x62.png 600w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/p>\n<p>The file <em>keys.c<\/em> contains an HTML-formatted log of the captured user activity, i.e. keystrokes. Here&#8217;s an example of the report content (displayed as HTML):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16843\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/report.png\" alt=\"\" width=\"726\" height=\"544\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/report.png 726w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/report-300x225.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/report-600x450.png 600w\" sizes=\"auto, (max-width: 726px) 100vw, 726px\" \/><\/p>\n<p>The files <em>log.c<\/em> and <em>Off.c<\/em> are not readable as plaintext.<\/p>\n<p>Examining the %TEMP% folder, we can also find a downloaded payload dropped by the malware:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16841\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/update.png\" alt=\"\" width=\"643\" height=\"386\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/update.png 643w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/update-300x180.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/update-600x360.png 600w\" sizes=\"auto, (max-width: 643px) 100vw, 643px\" \/><\/p>\n<p>It is a PE file XOR-encrypted with a single-byte key (0x2 in the analyzed case) that turns out to be an update of the main Diamond Fox bot.<\/p>\n<h3>Network communication<\/h3>\n<p>Diamond Fox communicates with the CnC using an HTTP-based protocol. 
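<p>Before looking at the traffic, here is an added decoder for the XOR-encrypted update dropped in %TEMP% (example code written for this page, not code from the original post or from the malware). The post gives the key as 0x2; the script generalises that by trying every single-byte key and accepting the first one that yields a well-formed MZ\/PE header, so it also works on a sample whose key is unknown. The embedded input is a constructed header-only PE stub, not the real payload; the file-name arguments are illustrative.<\/p>

```python
import struct
import sys

# Added example (not Diamond Fox code): recover the PE file that the bot drops
# XOR-encrypted in %TEMP%. The post gives the key as 0x2; this generalises to any
# single-byte key by trying all 256 and accepting the first one that produces a
# plausible MZ/PE header.

def xor_bytes(data, key):
    """XOR every byte with one key byte; XOR is its own inverse, so this decrypts too."""
    return bytes(b ^ key for b in data)

def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at a 'PE' signature."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)

def recover_single_byte_xor_pe(blob):
    """Return (key, decrypted_bytes) for the first key that yields a PE, else (None, None).
    Key 0 comes first, so an already-plaintext PE is reported as key 0."""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None, None

def build_sample_blob(key=0x02):
    """Constructed test input: a header-only PE32 stub XOR-ed with key (stands in for the dropped file)."""
    image = bytearray(0x100)
    image[:2] = b'MZ'
    struct.pack_into('<I', image, 0x3C, 0x80)          # e_lfanew -> PE signature at 0x80
    image[0x80:0x84] = b'PE' + bytes(2)
    struct.pack_into('<HH', image, 0x84, 0x14C, 1)     # Machine = i386, one section
    return xor_bytes(bytes(image), key)

if __name__ == '__main__':
    # Usage: python recover_xor_pe.py <dropped_file> [output_file]  (names are illustrative)
    if len(sys.argv) > 1:
        with open(sys.argv[1], 'rb') as f:
            blob = f.read()
    else:
        blob = build_sample_blob()
    key, pe = recover_single_byte_xor_pe(blob)
    if key is None:
        print('no single-byte XOR key yields a PE header')
    else:
        print('key 0x%02x gives a PE image of %d bytes' % (key, len(pe)))
        if len(sys.argv) > 2:
            with open(sys.argv[2], 'wb') as f:
                f.write(pe)
```

<p>The MZ\/PE check is deliberately stricter than just looking for &#8220;MZ&#8221;: a two-byte match can occur by chance for one of the 256 keys, but a correct <em>e_lfanew<\/em> pointing at a <em>PE<\/em> signature is a much stronger signal. If the bot ever switches to a multi-byte key, this check still tells you that no single-byte key fits.<\/p>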
The bot beacons to <em>gate.php<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16830\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/captured_f.png\" alt=\"\" width=\"669\" height=\"202\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/captured_f.png 669w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/captured_f-300x91.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/captured_f-600x181.png 600w\" sizes=\"auto, (max-width: 669px) 100vw, 669px\" \/><\/p>\n<p>Data from the bot is sent to the CnC in the form of a POST request with the following pattern:<\/p>\n<pre>13e=&lt;encoded content&gt;<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16833\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/beacon.png\" alt=\"\" width=\"692\" height=\"429\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/beacon.png 692w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/beacon-300x186.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/beacon-600x372.png 600w\" sizes=\"auto, (max-width: 692px) 100vw, 692px\" \/><\/p>\n<p>Responses from the CnC have the following pattern:<\/p>\n<pre>&lt;number of bytes in content&gt;  &lt;content&gt;  &lt;error code&gt;<\/pre>\n<p>We can observe the bot downloading some encrypted content in chunks (probably the payload or a bot update):<br \/> <img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16832\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/comm2.png\" alt=\"\" width=\"844\" height=\"697\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/comm2.png 844w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/comm2-300x248.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/comm2-600x495.png 600w\" 
sizes=\"auto, (max-width: 844px) 100vw, 844px\" \/><\/p>\n<p>It also periodically uploads the stolen data. In the example below, it sends the report about the logged user activity (the content of the previously mentioned file <em>keys.c<\/em>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16844\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sending_report.png\" alt=\"\" width=\"966\" height=\"528\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sending_report.png 966w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sending_report-300x164.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sending_report-600x328.png 600w\" sizes=\"auto, (max-width: 966px) 100vw, 966px\" \/><\/p>\n<h3>Unpacking<\/h3>\n<p>Diamond Fox is distributed packed by various crypters, which require different approaches to unpacking. They are not specific to this malware family, so that part is not described here. However, if you are interested in seeing the complete process of unpacking the analyzed sample, you can follow the video: <a href=\"https:\/\/www.youtube.com\/watch?v=OBAVHiX-j_A\" data-rel=\"lightbox-0\" title=\"\" target=\"_blank\">https:\/\/www.youtube.com\/watch?v=OBAVHiX-j_A<\/a>.<\/p>\n<p>After defeating the first layer of protection, we can see a new PE file. It is wrapped in another protective stub &#8211; this time one typical for this version of Diamond Fox. The executable has three unnamed sections followed by a section named <em>L!NK<\/em>. 
The entry point of the program is atypical: <em>AddressOfEntryPoint<\/em> is set to 0, i.e. the very beginning of the image, where the MZ header sits.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16767\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/sections_ep0.png\" alt=\"\" width=\"208\" height=\"236\" \/><\/p>\n<p>This makes loading the application under common debuggers a bit problematic. However, a PE viewer with a disassembler (e.g. PE-bear) shows where this Entry Point really leads:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16769\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_in_hdr.png\" alt=\"\" width=\"494\" height=\"189\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_in_hdr.png 494w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_in_hdr-300x115.png 300w\" sizes=\"auto, (max-width: 494px) 100vw, 494px\" \/><\/p>\n<p>The header of the application is interpreted as code and executed. This works because the bytes of the MZ signature (0x4D 0x5A) decode as the harmless x86 instructions <em>dec ebp<\/em> \/ <em>pop edx<\/em>, and the rest of the DOS header has been crafted so that execution reaches a jump. 
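<p>To check where an entry point lands without a PE viewer, here is an added script (example code written for this page, not code from the original post or from the malware). It parses the PE32 headers without any third-party library, reports whether <em>AddressOfEntryPoint<\/em> falls inside the headers, inside a section (named or unnamed), or outside every section, and can rewrite the field to a chosen RVA, which is the same fix the post applies with PE-bear. The embedded sample is a constructed header-only PE32 that mirrors the layout described above (three unnamed sections, then <em>L!NK<\/em>, entry point at RVA 0); it is not the analysed binary, and the section sizes and the file names in the usage line are assumptions.<\/p>

```python
import struct

# Added example (not from the post or the malware): a dependency-free PE32 header
# parser that reports which region AddressOfEntryPoint falls in and can rewrite it.
# Only 32-bit (PE32) images are handled; the Diamond Fox core is a 32-bit VB binary.

def _nt_headers_offset(data):
    """Validate the MZ/PE magic and return the file offset of IMAGE_NT_HEADERS."""
    if data[:2] != b'MZ':
        raise ValueError('missing MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE' + bytes(2):
        raise ValueError('missing PE signature')
    return e_lfanew

def parse_headers(data):
    """Return (entry_rva, size_of_headers, [(name, virtual_address, size), ...])."""
    nt = _nt_headers_offset(data)
    num_sections = struct.unpack_from('<H', data, nt + 6)[0]    # COFF NumberOfSections
    opt_size = struct.unpack_from('<H', data, nt + 20)[0]       # COFF SizeOfOptionalHeader
    opt = nt + 24                                               # optional header follows the 20-byte COFF header
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('only PE32 (32-bit) images are handled')
    entry_rva = struct.unpack_from('<I', data, opt + 16)[0]     # AddressOfEntryPoint
    size_of_headers = struct.unpack_from('<I', data, opt + 60)[0]
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                           # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(bytes(1)).decode('latin-1')
        vsize, va, raw_size = struct.unpack_from('<III', data, off + 8)
        sections.append((name, va, max(vsize, raw_size)))
    return entry_rva, size_of_headers, sections

def locate_entry_point(data):
    """Describe where the entry point lands: 'headers', a section name, or outside every section."""
    entry_rva, size_of_headers, sections = parse_headers(data)
    if entry_rva < size_of_headers:
        return entry_rva, 'headers'                             # e.g. RVA 0: the MZ header itself runs as code
    for idx, (name, va, size) in enumerate(sections, 1):
        if va <= entry_rva < va + size:
            return entry_rva, name or 'section #%d (unnamed)' % idx
    return entry_rva, 'outside every section'

def set_entry_point(data, new_rva):
    """Return a copy of the image with AddressOfEntryPoint rewritten to new_rva."""
    nt = _nt_headers_offset(data)
    patched = bytearray(data)
    struct.pack_into('<I', patched, nt + 24 + 16, new_rva)
    return bytes(patched)

def build_sample_pe(entry_rva=0, names=(b'', b'', b'', b'L!NK')):
    """Constructed header-only PE32 mimicking the described layout (three unnamed sections,
    then L!NK, entry point at RVA 0). Section sizes are assumed; this is not the real sample."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, e_lfanew)
    opt_size = 0xE0
    coff = struct.pack('<HHIIIHH', 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into('<H', opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into('<I', opt, 28, 0x400000)                   # ImageBase
    struct.pack_into('<I', opt, 60, 0x400)                      # SizeOfHeaders
    table = b''
    va, raw = 0x1000, 0x400
    for name in names:                                          # 0x8000 bytes per section, contiguous
        table += name.ljust(8, bytes(1)) + struct.pack('<IIII', 0x8000, va, 0x8000, raw) + bytes(16)
        va += 0x8000
        raw += 0x8000
    return bytes(dos) + b'PE' + bytes(2) + coff + bytes(opt) + table

if __name__ == '__main__':
    import sys
    # Usage: python pe_entry.py [input.exe [output.exe new_rva_hex]]  (file names are illustrative)
    data = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pe()
    rva, where = locate_entry_point(data)
    print('entry point RVA 0x%X lies in: %s' % (rva, where))
    if len(sys.argv) > 3:
        open(sys.argv[2], 'wb').write(set_entry_point(data, int(sys.argv[3], 16)))
```

<p>On the constructed sample, the entry point at RVA 0 is reported as lying in the headers; after rewriting it to 0xEDB0 the script reports the second (unnamed) section, which is what the post finds for the real binary. The check uses <em>SizeOfHeaders<\/em> rather than the first section&#8217;s address, because a packer can also leave a gap between the headers and the first section.<\/p>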
Following the jump found in the header leads to the real Entry Point, which is in the second section of the executable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16770\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/real_ep.png\" alt=\"\" width=\"478\" height=\"136\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/real_ep.png 478w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/real_ep-300x85.png 300w\" sizes=\"auto, (max-width: 478px) 100vw, 478px\" \/><\/p>\n<p>I changed the executable&#8217;s Entry Point (the <em>AddressOfEntryPoint<\/em> field of the optional header) and set it to the jump target (RVA 0xEDB0).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16771\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/change_ep.png\" alt=\"\" width=\"563\" height=\"136\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/change_ep.png 563w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/change_ep-300x72.png 300w\" sizes=\"auto, (max-width: 563px) 100vw, 563px\" \/><\/p>\n<p>The saved application can then be loaded in a typical debugger (e.g. OllyDbg) without any issues, to follow the next part of the unpacking.<\/p>\n<p>The steps at this level are the same as for manually unpacking UPX. The packer stub starts by pushing all general-purpose registers onto the stack (PUSHAD). We need to find the point where they are restored (POPAD), because that usually happens once the core has been unpacked and the stub is about to transfer control to it. To find it, we single-step over the PUSHAD and then follow the address now held in ESP in the dump window. 
We set a hardware breakpoint on access to the first DWORD there (the saved EDI, which POPAD reads first).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16772\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/unpack_step1.png\" alt=\"\" width=\"610\" height=\"312\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/unpack_step1.png 610w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/unpack_step1-300x153.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/unpack_step1-600x307.png 600w\" sizes=\"auto, (max-width: 610px) 100vw, 610px\" \/><\/p>\n<p>We resume execution. The application stops on the hardware breakpoint right after the POPAD has executed and restored the previous state of the registers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16773\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/breakpoint_hit.png\" alt=\"\" width=\"516\" height=\"109\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/breakpoint_hit.png 516w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/breakpoint_hit-300x63.png 300w\" sizes=\"auto, (max-width: 516px) 100vw, 516px\" \/><\/p>\n<p>This block of code ends with a jump to the unpacked content. We need to follow it in order to see the real core of the application and be able to dump it. Following the jump leads to the Entry Point typical for Visual Basic applications (a push of the VB header address followed by a call into the VB runtime, <em>ThunRTMain<\/em>). 
This is a good sign, because we know that the core of Diamond Fox is a Visual Basic application.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16774\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_result.png\" alt=\"\" width=\"505\" height=\"80\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_result.png 505w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/jump_result-300x48.png 300w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><\/p>\n<p>Now we can copy the address of the real Entry Point (in the analyzed case it is 0x4012D4) and dump the unpacked executable for further analysis.<\/p>\n<p>I will use Scylla. Without closing OllyDbg, I attached Scylla to the running process of Diamond Fox (named <em>s_1.exe<\/em> in my case).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16775\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/attach.png\" alt=\"\" width=\"598\" height=\"649\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/attach.png 598w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/attach-276x300.png 276w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/attach-553x600.png 553w\" sizes=\"auto, (max-width: 598px) 100vw, 598px\" \/><\/p>\n<p>I set the OEP (Original Entry Point) to the address found above, then clicked <em>IAT Autosearch<\/em> and <em>Get Imports<\/em>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16776\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/set_oep.png\" alt=\"\" width=\"291\" height=\"96\" \/><\/p>\n<p>Scylla found several imports in the unpacked executable:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16777\" 
src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/iat_found.png\" alt=\"\" width=\"578\" height=\"355\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/iat_found.png 578w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/iat_found-300x184.png 300w\" sizes=\"auto, (max-width: 578px) 100vw, 578px\" \/><\/p>\n<p>We can review any invalid or suspicious imports and remove them; in this case, however, it is not required. We can just dump the executable by pressing the <em>Dump<\/em> button.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16780\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dump.png\" alt=\"\" width=\"179\" height=\"106\" \/><\/p>\n<p>Then, it is very important to rebuild the import table by clicking <em>Fix Dump<\/em> and pointing to the dumped file: a raw memory dump still carries an IAT filled with the absolute addresses resolved in the running process, which a fresh process cannot use. As a result, we should get an executable named by Scylla in the following pattern: &lt;original name&gt;_dump_SCY.exe.<\/p>\n<p>Now we have the unpacked file, which we can load under the debugger again. 
But, most importantly, we can decompile it with a <a href=\"https:\/\/www.vb-decompiler.org\/\" target=\"_blank\">Visual Basic Decompiler<\/a> to see the internals of the code.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16781\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/dec_structure.png\" alt=\"\" width=\"138\" height=\"89\" \/><\/p>\n<p>Example of the decompiled code &#8211; the part responsible for communication with the CnC (click to enlarge):<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decompiled_example.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-16782\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decompiled_example.png\" alt=\"\" width=\"1373\" height=\"442\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decompiled_example.png 1373w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decompiled_example-300x97.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/decompiled_example-600x193.png 600w\" sizes=\"auto, (max-width: 1373px) 100vw, 1373px\" \/><\/a><\/p>\n<h3>Conclusion<\/h3>\n<p>Unpacking Diamond Fox is not difficult, provided we know a few tricks that are typical for this malware family. Fortunately, the resulting code is not obfuscated any further. The authors left some strings in the clear, which makes the functionality of particular blocks of code easy to guess. In the next post, we will walk through the decompiled code and see the features provided by the latest version of Diamond Fox.<\/p>\n<hr \/>\n<p class=\"p1\"><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. <\/span><span class=\"s1\">She loves going into detail about malware and sharing threat information with the community. 
<\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\">hasherezade<\/a> and her personal blog: <a href=\"https:\/\/hshrzd.wordpress.com\/\"><span class=\"s3\">https:\/\/hshrzd.wordpress.com<\/span><\/a>.<\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/diamond-fox\/\">Diamond Fox &#8211; part 1: introduction and unpacking<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Fri, 17 Mar 2017 15:00:41 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/diamond-fox\/' title='Diamond Fox - part 1: introduction and unpacking'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/03\/photodune-5568473-diamond-xl.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>In this short series of posts, we will take a deep dive into a sample of Diamond Fox delivered by the Nebula Exploit Kit (described here). 
We will also make a brief comparison with the old, leaked version, in order to show the evolution of this product.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/malware-threat-analysis\/\" rel=\"category tag\">Malware<\/a><\/li>\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/threat-analysis\/\" rel=\"category tag\">Threat analysis<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/diamond-fox\/\" rel=\"tag\">Diamond Fox<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/gornych\/\" rel=\"tag\">Gornych<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/malware\/\" rel=\"tag\">malware<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/visual-basic\/\" rel=\"tag\">Visual Basic<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/visual-basic-decompiler\/\" rel=\"tag\">Visual Basic Decompiler<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/diamond-fox\/' title='Diamond Fox - part 1: introduction and unpacking'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/threat-analysis\/2017\/03\/diamond-fox\/\">Diamond Fox &#8211; part 1: introduction and unpacking<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[11664,11665,3764,10494,11666,11667],"class_list":["post-7021","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-diamond-fox","tag-gornych","tag-malware","tag-threat-analysis","tag-visual-basic","tag-visual-basic-decompiler"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7021","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=7021"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/7021\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=7021"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=7021"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=7021"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}