Unpacking Mystic Compressor used to pack Rogue Software

Today we will analyze a sample of rogue security software packed with a little-known packer named Mystic Compressor, which so far has been seen mostly on rogue security software executables.

Steve has successfully unpacked the sample and this is his analysis:

Unpacking Mystic Compressor Screenshot 01

Call to VirtualProtect to make the data in the first section writable/decryptable. For some reason it spaces pushing the parameters for the call in between other API calls.

Unpacking Mystic Compressor Screenshot 02

Simple decryption loop and more pointless(?) API calls.

Unpacking Mystic Compressor Screenshot 03

Call to a Call which calls the second decrypter stub.

Unpacking Mystic Compressor Screenshot 04

Second stub, memory allocation and more decryption, nothing worth noting.

Unpacking Mystic Compressor Screenshot 05

Now at the JMP to the decrypted third stub, which was allocated at 0xA00000. In the hex dump you can clearly see the string “Mystic Compressor”.

Unpacking Mystic Compressor Screenshot 06

More memory allocation and yet more decryption, basically the same as before.

Unpacking Mystic Compressor Screenshot 07

Now at 0xA10000, the fourth and final stub.

Unpacking Mystic Compressor Screenshot 08

Goes through more decryption and finally lands on a RETN 4, which takes us to the OEP.

Unpacking Mystic Compressor Screenshot 09

OEP of the packed file.

Unpacking Mystic Compressor Screenshot 10

Conclusion:

Lack of anti-debugging made this packer fairly easy to analyze. But I have found 3 other samples on MDL in the last few days that were packed with it, so it must be popular. One file I found was a packed version of MicroJoiner, which dropped 8 files that were also packed with Mystic.
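The following is an added example, not code from the original post or from Steve's analysis. It takes two observations from the walkthrough above, that the stubs use simple decryption loops and that the decrypted third stub contains the string "Mystic Compressor", and shows how such a string can serve as a crib to recover a repeating-XOR key from a still-encrypted stub dumped from memory, so the loop does not have to be single-stepped each time. That the loops are XOR at all, the maximum key length, the 3-byte key and the sample buffer are assumptions made for this illustration; the real decryption routine is only visible in the screenshots.

```python
"""
Added example, not code from the original post or from Steve's analysis.
Recovers the key of a repeating-XOR decryption loop from a known plaintext
("crib") and decrypts a dumped stub. XOR, the key length limit and the
sample bytes below are assumptions for this illustration only.
"""

# Crib: known plaintext expected in the decrypted stub (the post's hex dump
# shows this string in the decrypted third stub).
CRIB = b"Mystic Compressor"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(cipher: bytes, crib: bytes, max_keylen: int = 8):
    """
    Slide the crib over the ciphertext. At the true offset, cipher XOR crib
    yields the keystream, which must repeat with the key's period. Every key
    byte has to be confirmed at least twice (keylen <= len(crib) // 2) so a
    chance match cannot masquerade as a key.
    Returns (key, crib_offset) for the shortest consistent key, or None.
    """
    for keylen in range(1, min(max_keylen, len(crib) // 2) + 1):
        for off in range(len(cipher) - len(crib) + 1):
            stream = xor_bytes(cipher[off:off + len(crib)], crib)
            if all(stream[i] == stream[i % keylen] for i in range(len(stream))):
                # stream[i] == key[(off + i) % keylen]; re-align key to buffer offset 0.
                key = bytes(stream[(j - off) % keylen] for j in range(keylen))
                return key, off
    return None


def decrypt_stub(cipher: bytes, crib: bytes = CRIB) -> bytes:
    """Recover the key from the crib and return the decrypted stub."""
    found = recover_key(cipher, crib)
    if found is None:
        raise ValueError(
            "crib not found under any repeating-XOR key: the loop is not "
            "simple XOR, the key is longer than allowed, or the crib is wrong"
        )
    key, _ = found
    return xor_bytes(cipher, key)


# Constructed sample (not bytes from the real sample): a tiny "stub" holding
# the packer string and ending in RETN 4, encrypted with an assumed 3-byte key.
SAMPLE_KEY = b"\x3a\x91\xc7"                # assumed key, for illustration
SAMPLE_PLAIN = (
    b"\x55\x8b\xec"                         # push ebp; mov ebp, esp
    + b"Mystic Compressor\x00"              # the string seen in the hex dump
    + b"\x00" * 8                           # padding
    + b"\xc2\x04\x00"                       # retn 4 (how the last stub reaches the OEP)
)
SAMPLE_CIPHER = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    key, off = recover_key(SAMPLE_CIPHER, CRIB)
    print(f"key={key.hex()} crib at offset {off}")
    print(decrypt_stub(SAMPLE_CIPHER).hex())
```

Run it on a region dumped from the debugger (for instance the 0xA00000 or 0xA10000 allocation before its decryption loop finishes) instead of `SAMPLE_CIPHER`. If `recover_key` returns `None`, the loop is doing more than a plain XOR (an add, a rolling key, or a multi-pass scheme) and the key recovery has to be taken from the disassembly instead; the crib idea still applies, only the inverse operation changes.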

From the unpacked files we can extract very interesting data that helps us understand, statically, what each individual file of the malware is used for.

Visit the following link to read the second part of this article where we conduct a static analysis of the malware, and explain how dangerous the effects of these infections can be: Welcome to the jungle: Zeus + Pinch + Rogues
