Identifying UPX packed ELF, decompressing, fixing, and analysing Linux malware
We'll take a look at analysing a piece of Linux malware. This sample is an ELF file, containing a UPX packed binary, capable of port scanning, SSH bruteforcing, deploying XMRig, and self replicating.
Download the sample here; https://www.virustotal.com/gui/file/7f28b2791ad94a202eea5e4c91d47cdeadca4723723427af574519f8aedbf15e
We'll first look at the header of the file to see what it's identified as;
Using a hex editor, we can have a quick look at the header.
This indicates that this ELF binary contains UPX packed binary data. What is UPX?
UPX is a free, secure, portable, extendable, high-performance executable packer for several executable formats.
Ok, so we're going to have to unpack the file. We can use upx, which is already installed in Kali.
Ok, seems simple enough, let's unpack this UPX file.
Before we continue, let's have a look at this file (in its compressed form) using strings and IDA.
strings
Fairly useless, other than giving us an indication that the file is packed with UPX (confirming what we already identified above)
Loading the binary into IDA provides more of an indication that something isn't right. sp-analysis, red markers, lack of sub-routines, sometimes indicates that there's either not a whole lot happening (which we know isn't the case, given the nature of the sample) or that IDA can't decompile/reassemble these routines.
Back to our corrupt UPX archive. I came across this article which was helpful https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/
In summary; there are two sections in the original binary which we can use to repair the p_info header so that it isn't corrupt. We'll start with the footer, which we know is 8 bytes prior to the end of the file.
Then we go back to the top of the file, find the UPX! header. We notice that the section after the UPX! marker is empty.
8 bytes after the end of the UPX! header, we need to insert our file size value (F8 BF 7B 00) which we recovered above. We take that value, insert it twice, 8 bytes after the end of the UPX! marker.
Save this file and then use UPX to unpack it
Now we can open it in IDA (or ghidra). We can see there are a lot more unpacked functions, some with some interesting names, and there's obviously a lot of data here to analyse.
.. then you can go from there, analyse the file, understand what the file does, and maybe even write detection rules..
Last updated