Malware Analysis Patterns (Part 4)
The next pattern is closely linked to packed and/or obfuscated code. We call it Pre-Obfuscation Residue. Depending on the level of obfuscation and/or packing, some of the original code, data structures and patterns, including fragments of strings, may leak into the post-obfuscation data and give a clue to the intended software behavior. In the WinDbg output below, an ASCII string search (s-sa) over a memory region turns up fragments such as "IsDeb" followed a few bytes later by "uggerP", which strongly suggest that the IsDebuggerPresent API name survived obfuscation in pieces:
0:000> s-sa 00000000`00fd4000 L6000
[...]
00000000`00fd943d "o__"
00000000`00fd9449 "91!We"
00000000`00fd945d "H5!"
00000000`00fd94d2 "zQ@"
00000000`00fd94dd "ommandS"
00000000`00fd94f4 "IsDeb"
00000000`00fd94fd "uggerP"
00000000`00fd9507 "Enc"
00000000`00fd950c "v)3Po4t"
00000000`00fd9515 "DeXU"
00000000`00fd9520 "xFe"
00000000`00fd952a "5Eb"
00000000`00fd9533 "SI=l8kev"
00000000`00fd953e "Z_1m"
00000000`00fd9547 "@IF"
[...]
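The manual reading above (spotting "IsDeb" and "uggerP" and mentally joining them) can be automated once a dump is available offline. The script below is an added example, not code from the original post: it reproduces what s-sa does (runs of at least 3 printable ASCII bytes), then matches the runs against a watch-list of API names and chains fragments that appear in name order, non-overlapping and close together in memory, reporting how much of each name is covered. The watch-list, the byte buffer (constructed here to imitate a region with residue, not taken from the real dump), the base address and the function names are all assumptions of the example.

```python
"""Hunt for pre-obfuscation residue: API-name fragments that survived obfuscation."""
import re
from typing import Dict, List, Tuple

# Names worth watching for; an assumed list for this example, extend as needed.
WATCHLIST = [
    "IsDebuggerPresent",
    "CheckRemoteDebuggerPresent",
    "GetCommandLineA",
    "VirtualProtect",
]

MIN_RUN = 3  # s-sa reports runs of at least 3 printable ASCII bytes by default

# Constructed stand-in for a dumped region: fragments of API names separated by junk.
# Not taken from the original dump; the junk runs imitate what s-sa shows there.
SAMPLE = (
    b"\x48\x8b\x05\x00o__\x00\x9191!We\x00\x02IsDeb\x00\xfe\x90\x07uggerP\x11\x00\x05Enc"
    b"\x0cresent\x00\x00\x13ommandL\x00\xcc\xccineA\x00\x01zQ@\x00"
)
BASE = 0x00FD94D0  # assumed address of SAMPLE; only shifts the reported offsets

Run = Tuple[int, str]          # (address, text)
Hit = Tuple[int, str, int]     # (address, fragment, offset of fragment inside the name)


def ascii_runs(data: bytes, base: int = 0, min_len: int = MIN_RUN) -> List[Run]:
    """Every run of >= min_len printable ASCII bytes, as (address, text), like s-sa."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def fragment_hits(runs: List[Run], watchlist: List[str], min_frag: int = 4) -> Dict[str, List[Hit]]:
    """Map each watch-list name to the runs that are substrings of it.

    Runs shorter than min_frag are ignored: 3-byte runs match too many names by chance.
    """
    hits: Dict[str, List[Hit]] = {}
    for addr, text in runs:
        if len(text) < min_frag:
            continue
        for name in watchlist:
            pos = name.find(text)
            if pos >= 0:
                hits.setdefault(name, []).append((addr, text, pos))
    return hits


def reassemble(hits: Dict[str, List[Hit]], max_gap: int = 0x20) -> List[Tuple[str, float, List[str]]]:
    """Chain fragments that occur in name order, without overlap, within max_gap bytes of
    the previous fragment's end in memory. Returns (name, coverage, chain), best first."""
    out = []
    for name, frags in hits.items():
        chain: List[str] = []
        name_pos = 0          # next unexplained offset inside the name
        mem_end = None        # address just past the last accepted fragment
        for addr, text, pos in sorted(frags):
            if pos < name_pos:                       # overlaps or precedes an earlier piece
                continue
            if mem_end is not None and addr - mem_end > max_gap:
                continue                             # too far away to be the same string
            chain.append(text)
            name_pos = pos + len(text)
            mem_end = addr + len(text)
        coverage = round(sum(map(len, chain)) / len(name), 2)
        out.append((name, coverage, chain))
    out.sort(key=lambda t: -t[1])
    return out


def find_residue(data: bytes, base: int = 0, watchlist: List[str] = WATCHLIST):
    """One-shot pipeline: runs -> fragment hits -> chained candidates."""
    return reassemble(fragment_hits(ascii_runs(data, base), watchlist))


if __name__ == "__main__":
    for addr, text in ascii_runs(SAMPLE, BASE):
        print(f"{addr:016x} \"{text}\"")
    for name, coverage, chain in find_residue(SAMPLE, BASE):
        print(f"{name:<28} coverage={coverage:.2f} fragments={'+'.join(chain)}")
```

Coverage is the fraction of the name explained by chained fragments, so a full chain (IsDeb+uggerP+resent) scores 1.0 while a partial match of a longer name that shares a suffix (CheckRemoteDebuggerPresent) scores well below it; the max_gap bound keeps unrelated fragments scattered across the region from being stitched together. For a real dump, feed the region bytes (for example from a .writemem output) into find_residue with the region's start address.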
- Dmitry Vostokov @ DumpAnalysis.org + TraceAnalysis.org -