[Community-sigs] Signature for UPX packed file

Christopher Marczewski cmarczewski at sourcefire.com
Thu Mar 30 18:00:23 EDT 2017


Hello Askar,

Looks like the sample is actually packed with UPX Protector (specifically,
UPX_Protector_v1_0x_2).

At this time, ClamAV does not include a proper PE sub-module for handling
UPX Protector.

On Thu, Mar 30, 2017 at 2:53 PM, Askar Dyussekeyev <dyussekeyev at yandex.kz>
wrote:

> Hello!
>
> I'm trying to create a signature for DotRansomware RaaS, but clamscan can't
> detect the signature in the UPX-packed file.
>
> Here is an explanation of my problem; what am I doing wrong?
>
>
> >upx.exe -t 1.bin
>                        Ultimate Packer for eXecutables
>                           Copyright (C) 1996 - 2017
> UPX 3.93w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 29th
> 2017
>
> testing 1.bin [OK]
>
> Tested 1 file.
>
>
> >upx.exe -d -o 1_unpacked_.bin 1.bin
>                        Ultimate Packer for eXecutables
>                           Copyright (C) 1996 - 2017
> UPX 3.93w       Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 29th
> 2017
>
>         File size         Ratio      Format      Name
>    --------------------   ------   -----------   -----------
>    1041299 <-    549267   52.75%    win32/pe     1_unpacked_.bin
>
> Unpacked 1 file.
>
>
> >D:\soft\clamav\clamscan.exe --version
> ClamAV 0.99.2
>
> >D:\soft\clamav\clamscan.exe -d sig.ndb 1*
> .\1.bin: OK
> .\1_unpacked.bin: Win.Filecryptor.dotRansomware.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 1
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 2
> Infected files: 1
> Data scanned: 1.67 MB
> Data read: 1.52 MB (ratio 1.10:1)
> Time: 0.051 sec (0 m 0 s)
>
> Files:
> 1.bin - 002438064BAA3F4E2AB7E7A5128AB1E1 (DotRansomware RaaS sample)
> 1_unpacked.bin - 3732134580F6E646C7C9EAC2D26F4437 (unpacked sample)
> sig.ndb: Win.Filecryptor.dotRansomware:1:13223:
> 518D8D4CFFFFFF515353575353536880054E0050FFD6837DE8088B45D473
> 038D45D48D4DC0518D8D4CFFFFFF5153535753535368D0054E0050FFD683
> 7DE8088B45D473038D45D48D4DC0518D8D4CFFFFFF515353575353536830
> 064E0050FFD6536A018D4DD0E883080000536A018D4DA4E8C80700008B4D
> F45F5E64890D000000005BC9C3
>
>
> Best regards,
> Askar
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
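The exchange above comes down to one point: an .ndb signature written against bytes of the unpacked image can only fire if the engine first reverses the packer, which ClamAV does for plain UPX but (per the reply) not for UPX Protector. The following is an added example, not code from the thread or from ClamAV: a minimal .ndb-style matcher that uses Askar's posted signature line, a constructed stand-in for the unpacked image (filler bytes with the signature's bytes placed at its offset), and zlib compression as a stand-in for the packer's transform. Wildcards (`??`) and `EP+n` offsets that real ClamAV supports are deliberately not handled.

```python
"""Illustrative .ndb matcher (added example, not ClamAV code).

Shows why a signature taken from the unpacked sample matches
1_unpacked.bin but not the packed 1.bin unless an unpacker runs first.
"""
import binascii
import zlib

# The signature exactly as posted in the thread (one line in sig.ndb):
# Name:TargetType:Offset:HexSignature, TargetType 1 = PE executable.
NDB_LINE = (
    "Win.Filecryptor.dotRansomware:1:13223:"
    "518D8D4CFFFFFF515353575353536880054E0050FFD6837DE8088B45D473"
    "038D45D48D4DC0518D8D4CFFFFFF5153535753535368D0054E0050FFD683"
    "7DE8088B45D473038D45D48D4DC0518D8D4CFFFFFF515353575353536830"
    "064E0050FFD6536A018D4DD0E883080000536A018D4DA4E8C80700008B4D"
    "F45F5E64890D000000005BC9C3"
)


def parse_ndb(line):
    """Split an .ndb line into its four fields and decode the hex body.

    Only literal hex is accepted here; '??' wildcards are not supported
    in this simplified matcher.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    return {
        "name": name,
        "target": int(target),
        "offset": offset,
        "pattern": binascii.unhexlify(hexsig),
    }


def match_ndb(sig, data):
    """True if the pattern occurs at the signature's offset.

    '*' means anywhere in the file; otherwise the offset is an absolute
    file offset, as in Askar's signature (13223).
    """
    pattern = sig["pattern"]
    if sig["offset"] == "*":
        return pattern in data
    off = int(sig["offset"])
    return data[off:off + len(pattern)] == pattern


def build_unpacked_image(sig):
    """Constructed stand-in for the unpacked PE image: filler bytes, then
    the signature's bytes at exactly the signature's offset."""
    off = int(sig["offset"])
    return b"\x00" * off + sig["pattern"] + b"\x90" * 64


def pack_image(image):
    """Stand-in for the packer (constructed; NOT UPX's algorithm): the
    code bytes are compressed, so the plain pattern no longer exists in
    the file as it sits on disk."""
    return b"MZ" + zlib.compress(image)


def unpack_image(packed):
    """Stand-in for an engine unpacker sub-module restoring the image."""
    return zlib.decompress(packed[2:])


def scan_report(line=NDB_LINE):
    """Reproduce the thread's outcome: the unpacked file is FOUND, the
    packed file is OK, and the packed file is FOUND once unpacked."""
    sig = parse_ndb(line)
    unpacked = build_unpacked_image(sig)
    packed = pack_image(unpacked)
    return {
        "name": sig["name"],
        "pattern_len": len(sig["pattern"]),
        "unpacked_found": match_ndb(sig, unpacked),
        "packed_found": match_ndb(sig, packed),
        "packed_then_unpacked_found": match_ndb(sig, unpack_image(packed)),
    }


if __name__ == "__main__":
    for key, value in scan_report().items():
        print(f"{key}: {value}")
```

The third result is the one that matters for the thread: the signature itself is fine, and the mismatch on 1.bin is the expected behaviour whenever the engine has no module for the packer in use. The practical options are to ship a separate signature targeting the packed layout, or to rely on the engine gaining UPX Protector support.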


