.msi file Analysis



  • Hi All ,
    Kindly help

    I have an malicious .msi file that preten to legitimate file, But I m not understand how to debug or analysis the .msi file.
    Kindly help I m stuck in this .

    Thanks


  • administrators

    What’s the behavior of the file? Does it operate as a proper msi file does with an install of malicious payload? Have you examined in HxD or 010 Editor? Can you post us some screenshots?



  • Yes it operate properly like any other installer install, even it install that legitimate Software, and smoothly run Legitimate exe. But I m unable to find the real payload behind the scene.
    I tried what @Struppigel told me also, @Struppigel suggest me to extract it using 7zip to get exe format and I get but it’s hard to find the real payload.


  • administrators

    @Rohit_SecRes

    You should be able to find it by extracted as @Struppigel said and then using various tools - I’m not sure what you are using as you didn’t state it but what I would probably do is extract it and then run with ProcMon and Microsoft Network Monitor or Wireshark on and then find some of the malicious activity and look at the process tree in ProcMon using Ctrl+T. One thing you need to determine is whether the actual msi process is carrying out malicious behavior, or if it is spawning a child process and/or dropping a file to disk which is carrying out malicious behavior…

    Another tool you can use is Process Hacker and when you find the payload in memory, suspend it and then look at details by double-clicking it in memory in Process Hacker 2, dump it to disk, you can also take that info (strings, memory locations) and search for it inside of the exe on disk (either the one you extracted or the dumped file) using other tools like IDA Pro, hex editor, PE-Bear, etc…

    When I am cross-analyzing files like this, the first thing I do is open the file up in CFF Explorer, go to the PE header -> optional header -> DllCharacteristics and I disable ASLR and NX so that way the memory addresses of the mapped memory can be used to search using static tools like IDA Pro.

    This should allow you to further analyze it.



  • Thanks @moveax41h , and @Struppigel
    I’ll do , and any problem I will ask here.
    Thanks again u both


Log in to reply
 

Looks like your connection to Malware Analysis Forums was lost, please wait while we try to reconnect.