There are plenty of tutorials out there on how to do this process; I’m just writing it here for my own reference so I can come to a single place to find these notes.

Windows exe

Use this:

Linux ELF

$ pip install pydecipher

Then take your executable and do:

$ pydecipher path_to_elf

If you get no output, try 7zip to extract the ELF sections for us:

$ 7z x path_to_elf

This may produce several files, for the different sections and hopefully one called pydata. We can now try pydecipher on that:

$ pydecipher pydata

Now .pyc files are extracted and decompiled for us, ready for analysis.
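pydecipher and the pydata section both point at a PyInstaller-built executable, whose payload is a CArchive: packed entries followed by a table of contents and a trailing cookie. As an added example (not code from the post, nor part of pydecipher), the parser below lists that TOC so you can confirm that the blob 7z carved out of the ELF is a complete archive before decompiling it. It assumes the 88-byte cookie layout used by PyInstaller 2.1 and later, and the sample archive it runs on is constructed inline.

```python
import struct

# CArchive layout as defined in PyInstaller/archive/readers.py (assumed: the
# 88-byte cookie used by PyInstaller 2.1 and later). Added example, not the
# post's own code and not part of pydecipher.
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIIi64s"   # magic, archive len, TOC offset, TOC len, pyver, libname
COOKIE_LEN = struct.calcsize(COOKIE_FMT)          # 88
TOC_ENTRY_FMT = "!iIIIBc"   # entry len, data offset, stored len, raw len, zlib flag, type
TOC_ENTRY_LEN = struct.calcsize(TOC_ENTRY_FMT)    # 18


def parse_carchive(blob: bytes) -> dict:
    """Find the trailing cookie and return the archive's table of contents."""
    cookie_pos = blob.rfind(COOKIE_MAGIC)   # the real cookie is the last copy of the magic
    if cookie_pos < 0 or cookie_pos + COOKIE_LEN > len(blob):
        raise ValueError("no complete PyInstaller cookie: not a CArchive or truncated")
    _, arc_len, toc_off, toc_len, pyver, libname = struct.unpack(
        COOKIE_FMT, blob[cookie_pos:cookie_pos + COOKIE_LEN])
    start = cookie_pos + COOKIE_LEN - arc_len   # the archive ends with the cookie
    entries, pos, end = [], start + toc_off, start + toc_off + toc_len
    while pos < end:
        elen, off, clen, ulen, flag, typ = struct.unpack(
            TOC_ENTRY_FMT, blob[pos:pos + TOC_ENTRY_LEN])
        name = blob[pos + TOC_ENTRY_LEN:pos + elen].rstrip(b"\0").decode("utf-8")
        entries.append({"name": name, "type": typ.decode(), "compressed": bool(flag),
                        "offset": start + off, "size": clen, "raw_size": ulen})
        pos += elen
    return {"pyver": pyver, "lib": libname.rstrip(b"\0").decode(), "entries": entries}


def build_sample() -> bytes:
    """Construct a tiny synthetic CArchive (two 8-byte payloads) to run offline."""
    payload = b"A" * 8 + b"B" * 8

    def entry(name: str, off: int, typ: bytes, size: int) -> bytes:
        raw = name.encode() + b"\0"
        return struct.pack(TOC_ENTRY_FMT, TOC_ENTRY_LEN + len(raw), off, size, size, 0, typ) + raw

    toc = entry("pyiboot01_bootstrap", 0, b"s", 8) + entry("PYZ-00.pyz", 8, b"z", 8)
    cookie = struct.pack(COOKIE_FMT, COOKIE_MAGIC, len(payload) + len(toc) + COOKIE_LEN,
                         len(payload), len(toc), 308, b"libpython3.8.so.1.0".ljust(64, b"\0"))
    return b"<other ELF bytes>" + payload + toc + cookie   # leading junk, like a carved section


if __name__ == "__main__":
    info = parse_carchive(build_sample())
    print("python", info["pyver"], info["lib"])
    for e in info["entries"]:
        print(f"{e['type']} {e['name']:24} offset={e['offset']} size={e['size']}")
```

Point `parse_carchive` at the bytes of the real pydata file: a ValueError means 7z did not hand you a usable archive, and a TOC without a `z` (PYZ) entry means there is nothing for pydecipher to decompile.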

Hash: ceeaf45fbb91df67d5b9f1ca1905301ce63314152fb50ed7c6c31365d06ec86d

String encryption

Most of the strings the malware will use are encrypted with several layers of XOR encoding, so traditional brute-force decryptors won’t work. The decryption itself is performed in the function at 0x00401A50, which in turn calls two further functions to perform the decoding. The returned strings…

Continuing with the sample of WastedLocker apparently involved in the recent Garmin attack (July 2020), now we are looking at some tricks the malware uses to look like a more normal app.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It will call empty functions that do nothing:

It also simulates legitimate activity by calling standard Windows APIs, but it’s really doing nothing with them:

Today we are analyzing an injector generated by the njRAT malware. This injector is often referred to as Bladabindi by AV engines. These are the hashes of the sample used.

MD5: 6a8e751dda2523f26223f2ae2bd55487
SHA-1: f6c1afc9ebe1ccba5bbaa8da4d1186b8c41b8f60
SHA-256: 36ef054942195766acc955222f3f4396f47bdc76fc18f24c08f586717ed461d6

Summary

  • .NET-based RAT, probably written in Visual Basic. Targets .NET Framework 2.0
  • Out of…

Shimasakisan

@shimasakisan_
