Robust Automated Malware Unpacker
This repository is the home of RoAMer, the "Robust Automatic Malware Unpacker", a generic malware unpacker based on dynamic analysis. The paper was presented at MALWARE 2019. Citation: Thorsten Jenke, Daniel Plohmann, and Elmar Padilla, "RoAMer: The Robust Automated Malware Unpacker," 2019 14th International Conference on Malicious and Unwanted Software (MALWARE), Nantucket, MA, USA, 2019, pp. 67-74.
This is still a very early version.
To run RoAMer you need a VirtualBox or KVM environment with a Windows Virtual Machine (VM) in which the malware is unpacked. So far, we have only tested RoAMer on Windows 7 64-bit.
1. Run compile.bat in Windows CMD; this compiles the Python scripts into Windows executable files.
2. Run PeHeaderWhitelister.exe C:\ in Windows CMD in the VM and copy the resulting pe_header_whitelist.json file to the current VM user's home directory (C:\Users\%username%\).
3. Copy unpacker/dist/main.exe from the VM to the host system into $Repository/roamer/bin.
4. Make sure that main.exe is not stored at C:\Users\%username%\main.exe (this path is already reserved for the unpacker main.exe).
5. Run main.exe in the VM within a command line terminal (cmd.exe) as an administrator.
6. Open Notepad (C:\Windows\notepad.exe).
7. Take a snapshot of the VM (e.g. init).
Screenshot of how the VM should look at the end:
8. Set SNAPSHOT_NAME (e.g. init) and VM_NAME (e.g. win7box).
9. Set host_ip, host_port, guest_ip, guest_port to the correct values of your setup.
10. Make sure that the following files exist in your setup:
    VM: C:\Users\%username%\pe_header_whitelist.json
    Host: ../RoAMer/roamer/bin/main.exe, config.py
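As an added illustration (this is not RoAMer's PeHeaderWhitelister code, and the page does not describe the layout of pe_header_whitelist.json, so keying the whitelist by a SHA-256 of the PE headers and the 64 KiB per-file read limit are assumptions), here is how a whitelist of on-disk PE headers like the one created in step 2 can be built and later used to tell a memory region that merely holds a known system binary's header from one worth dumping:

```python
import hashlib
import os
import struct

def pe_header_digest(data):
    """SHA-256 over the DOS header up to the end of the section table; None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    end = e_lfanew + 24 + opt_size + num_sections * 40  # 40 = sizeof(IMAGE_SECTION_HEADER)
    return hashlib.sha256(data[:end]).hexdigest() if end <= len(data) else None

def build_whitelist(blobs):
    """Map header digest -> path for every blob that parses as a PE; other files are skipped."""
    wl = {}
    for path, data in blobs.items():
        digest = pe_header_digest(data)
        if digest is not None:
            wl.setdefault(digest, path)
    return wl

def read_headers(root, limit=0x10000):
    """First `limit` bytes of every file under root (e.g. C:\\); unreadable files are skipped."""
    blobs = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    blobs[path] = fh.read(limit)
            except OSError:
                continue
    return blobs

def is_known_header(region, wl):
    """True if a dumped memory region carries a PE header already present on disk."""
    digest = pe_header_digest(region)
    return digest is not None and digest in wl

def make_pe(stamp):
    """Constructed minimal PE image; `stamp` lands in TimeDateStamp so images differ."""
    e_lfanew, opt_size = 0x80, 0xE0
    img = bytearray(e_lfanew + 24 + opt_size + 40)
    img[0:2], img[e_lfanew:e_lfanew + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    struct.pack_into("<HIIIH", img, e_lfanew + 6, 1, stamp, 0, 0, opt_size)  # NumberOfSections .. SizeOfOptionalHeader
    return bytes(img)

SAMPLE_FILES = {"C:\\Windows\\notepad.exe": make_pe(1), "C:\\Users\\x\\notes.txt": b"not a PE"}  # constructed disk scan
```

On a real VM, build_whitelist(read_headers("C:\\")) produces the mapping; a region whose digest is absent from it is a candidate for dumping.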
The unpacker performs mouse movements and click actions so that malware is less likely to detect that it is being unpacked. These actions take place in the upper left screen area; moving icons out of that area prevents the clicks from starting several useless programs.
This may occur when some broken exe files are located in your AppData or Windows Update directories; remove these corrupt files, then the whitelister will run through.
In case you encounter a situation where the host is able to start up the virtual machine, transfer files and start the analysis, but no data is transferred back to the host, please ensure that your host does not have firewall settings that block incoming connections (like UFW on Ubuntu or similar).
RoAMer was originally developed to unpack on Windows 7 64-bit systems; we observed some issues on Windows 10 that might or might not be critical for execution. We are currently working on resolving them.
RoAMer currently does a poor job of conveying why it was not able to unpack a given sample. We offer that you send us the sample and we check why RoAMer was not able to unpack it; this may lead us to the discovery of some bugs.
RoAMer was mentioned in "TA505's Box of Chocolate - On Hidden Gems packed with the TA505 Packer" by Thomas Barabosch.