Previous posts in this series have demonstrated how unpack.py, when used on a CryptoLocker variant, extracts the malicious PE file injected in to explorer.exe, and how it can also be used to analyse the injected PE file. This post demonstrates how unpack.py can now be used to analyse our CryptoLocker variant’s network communications by dumping the cleartext traffic sent over its HTTPS connections.
My automated unpacking script (which really needs a sensible name!) is a few years old now, so I was interested to see how it would go with some malware that was developed after it was. That is, I wanted to answer the question ‘is my script still useful?’. It turns out it is still useful, and this post is the first of a few posts that aim to demonstrate why. Continue Reading