Unpacking Pykspa Malware With Python and IDA Pro - Subscriber Request Part 1

  • Published 8 Dec 2024
  • Open Analysis Live! We use IDA Pro and Python scripts to remove obfuscated code and statically unpack malware. This is Part 1 of a two-part subscriber request asking us to determine why this malware would not run in their sandbox. In Part 1 we use Python scripts to unpack the sample so that we can analyze it further.
    -----
    OALABS DISCORD
    / discord
    OALABS PATREON
    / oalabs
    OALABS TIP JAR
    ko-fi.com/oalabs
    OALABS GITHUB
    github.com/OALabs
    UNPACME - AUTOMATED MALWARE UNPACKING
    www.unpac.me/#/
    -----
    In Part 2 we analyze the unpacked payload and determine why it wouldn't run in the sandbox. Watch it here: • Reverse Engineering An...
    Packed sample:
    Sha256: 16540597E03AC70BEA055AA72BF83A7DC3276CF6A64CD6CAFDB09E05EBCC198B
    malshare.com/s...
    Junk hide script:
    gist.github.co...
    Memdump script:
    gist.github.co...
    Blob 2 (encrypted):
    malshare.com/s...
    Blob 2 (decrypted) *payload*:
    malshare.com/s...
    Alex's IDA Python book:
    leanpub.com/ID...
    Feedback, questions, and suggestions are always welcome : )
    Sergei / herrcore
    Sean / seanmw
    As always check out our tools, tutorials, and more content over at www.openanalysi...

COMMENTS • 17

  • @MalwareAnalysisForHedgehogs
    @MalwareAnalysisForHedgehogs 6 years ago +5

    Awesome that you are going to produce more videos this year! I tried weekly publishing too but found it hard to keep up with all the other stuff going on in life. So I just decided to be more flexible and relaxed with that.
    The IDAPython book is good advice. I haven't done IDA scripting before although I intended to.
    It's fun to watch you when you are amused about stuff like the shortcut R actually turning the character into "r". X)

    • @OALABS
      @OALABS 6 years ago

      Thanks so much : )
      Yeh producing one video a week is pretty demanding but there are two of us so we can share the work, I couldn't imagine trying to do this by myself. Alex's book is great! I can't recommend it enough... he has taught me so much about scripting. We are really working hard to do an episode with him. Thanks again for the support : ))

  • @EnduranceT
    @EnduranceT 7 years ago +2

    This is awesome! Thank you! It's very helpful and fun to watch how you use Python to solve these issues.

  • @Kaplan0644
    @Kaplan0644 5 years ago +1

    Awesome video, I have seen IDA scripting usage for the first time. Thank you.

  • @TheBekabe
    @TheBekabe 7 years ago +1

    My request. Thanks so much.
    I'm always waiting for the next part.

    • @OALABS
      @OALABS 7 years ago +1

      Thanks for the interesting sample! Part 2 drops next week!

  • @Ivo--
    @Ivo-- 6 years ago +4

    I was screaming at the screen when you looked at data instead of out the first time (when you had implemented the algo without the sub of the counter).

    • @OALABS
      @OALABS 6 years ago

      haha! I know right! I had to leave that in there in the final cut : ))

  • @Nickerian91
    @Nickerian91 5 years ago +1

    Can't you just run the debugger past the decryption function and dump the memory afterwards, and it will be the decrypted file ready to run?

    • @OALABS
      @OALABS 5 years ago +1

      Yes for sure (see our recent video on lazy string decryption) but we wanted to show how to introduce some scripting into your analysis. In many cases you may have an unpacked dump that cannot be debugged and you will have to do it statically... then this tutorial would be useful : )

  • @gas142
    @gas142 5 years ago +1

    Hi, I'm trying to get the sample of this malware from the link above.
    I know it's probably old, but anyway... is there any chance to get this malware?

    • @OALABS
      @OALABS 5 years ago

      Links to download the samples are always provided in the description of the video. You need to expand the description to see them. We use malshare which is a free malware sharing platform for researchers. You will need to register for a free account then you can download the sample from the links provided.

  • @axelsamik
    @axelsamik 6 years ago

    Thanks for the great videos!
    I converted the script to BinaryNinja: github.com/Tomasuh/various/blob/master/BinaryNinja-scripts/nop-it.py

    • @OALABS
      @OALABS 6 years ago

      Awesome! I'm not really familiar with BinaryNinja but I find your comment super interesting: "BinaryNinja does not support collapsing parts of the code which is why we NOP and then look at the code in IL view which optimizes the NOPs away."
      I think this is a really cool tip for those who are using BinaryNinja as their primary analysis tool.