Unpacking a Monero miner with HollowsHunter

In this short video I will show unpacking a Monero miner with my new tool: HollowsHunter.

Let's start by having a quick look at the original sample. Seeing the section layout, we may suspect that some content is hidden there. And this is the tool that I am going to use for unpacking: HollowsHunter. First I will run it on a clean system, just to show how it behaves in that case. It scanned all the processes and detected 0 replaced PE images.

Now it is time to run the malware. I will be watching its execution using Process Explorer. OK, let's deploy the malware (make sure that you are doing it on a virtual machine!). We can see that the malware has spawned some additional processes. Probably this is where the payloads got injected.
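To make the "section layout" hint concrete, here is an added Python example (my addition, not code from the original video or from HollowsHunter) that parses the section table of a PE file and flags the two signs of packing that a quick look in PE-bear usually reveals: a section whose virtual size far exceeds its raw size (room reserved for code that is unpacked at runtime) and a section with near-8-bit entropy (compressed or encrypted content). The sample PE is constructed inline so the script runs offline; its section names, sizes, the entropy threshold and the build_sample_pe helper are assumptions chosen for illustration, not properties of the sample in the video.

```python
import hashlib
import math
import struct
from typing import List, NamedTuple, Tuple


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty data, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    compute the entropy of each section's raw (on-disk) bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]   # COFF.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]      # COFF.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"),
                                vsize, vaddr, rsize, rptr, shannon_entropy(raw)))
    return sections


def suspicious_sections(sections: List[Section],
                        entropy_threshold: float = 7.0) -> List[Tuple[str, str]]:
    """Packer heuristics (thresholds are assumptions; tune them for your own corpus):
    - virtual size far larger than raw size: room reserved for code unpacked at runtime
    - very high entropy: compressed or encrypted content waiting to be unpacked"""
    findings = []
    for s in sections:
        if s.virtual_size >= 0x1000 and s.virtual_size > 4 * s.raw_size:
            findings.append((s.name, f"virtual size 0x{s.virtual_size:x} far exceeds raw size 0x{s.raw_size:x}"))
        if s.entropy >= entropy_threshold:
            findings.append((s.name, f"high entropy {s.entropy:.2f} bits/byte"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed stand-in for a packed sample (not a real binary and not runnable):
    .text is a low-entropy stub, .data is empty on disk but large in memory,
    .packed is 4 KiB of pseudo-random (high-entropy) bytes."""
    opt_size = 0xF0                                    # size of a PE32+ optional header
    table = 0x40 + 4 + 20 + opt_size                   # where the section table lands
    text = bytes(range(16)) * 256                      # 4 KiB, entropy exactly 4.0
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # 4 KiB, entropy ~7.95
    headers = bytearray(0x200)
    headers[0:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)        # e_lfanew
    headers[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", headers, 0x44, 0x8664, 3)  # Machine=AMD64, NumberOfSections=3
    struct.pack_into("<H", headers, 0x44 + 16, opt_size)
    # the optional header itself stays zeroed: the section table parser does not need it
    layout = [(b".text", 0x1000, 0x1000, len(text), 0x200),
              (b".data", 0x20000, 0x2000, 0, 0),
              (b".packed", 0x1000, 0x22000, len(packed), 0x200 + len(text))]
    for i, (name, vsize, vaddr, rsize, rptr) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", headers, table + 40 * i,
                         name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, 0xE0000020)
    return bytes(headers) + text + packed


if __name__ == "__main__":
    sections = parse_sections(build_sample_pe())
    for sec in sections:
        print(f"{sec.name:<8} vsize=0x{sec.virtual_size:<6x} raw=0x{sec.raw_size:<6x} entropy={sec.entropy:.2f}")
    for name, why in suspicious_sections(sections):
        print(f"suspicious: {name}: {why}")
```

Point the script at a real file by replacing build_sample_pe() with the bytes read from disk; the same two heuristics are what you eyeball in PE-bear before deciding a sample is worth running under HollowsHunter.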

This time HollowsHunter detected some hollowed processes and dumped the replaced PE files. We can see the dumps in the corresponding folders. HollowsHunter also created JSON reports describing where the replaced modules were detected. I am viewing the dumped PE files in PE-bear. I noticed that one of them has erased imports, so I should re-run HollowsHunter with the option /imp to recover them. The dump was made again, this time with the imports recovered. I can reload the view. Looking at the export table of the dumped payload, we can clearly identify the XMRig Monero miner. So there are two payloads: the Monero miner and its loader. I will open the loader in x64dbg to take a quick look. The loader is not further obfuscated, and we can easily follow its flow and see some interesting strings…

Unpacking is done, now you can play with the payloads :).
