There are plenty of tutorials out there on how to do this process, I’m just writing it here for my own reference so I can come to a single place to find these notes.

Windows exe

Use this:

Linux ELF

$ pip install pydecipher

Then take your executable and do:

$ pydecipher path_to_elf

If you get no output, try 7-Zip to extract the ELF sections:

$ 7z x path_to_elf

This may produce several files, one per section, and hopefully one of them is called pydata. We can now try pydecipher on that:

$ pydecipher pydata

Now the .pyc files are extracted and decompiled, ready for analysis.
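To understand what pydecipher and the 7-Zip step are working on, it helps to know what a PyInstaller bundle looks like on disk: the Python payload is a CArchive that ends in a fixed-size trailer (the "cookie") carrying a magic value, the archive length, the table-of-contents position and the Python version the bundle was built with. The script below is an added example, not code from the page or from the pydecipher project. It locates that cookie in a file, lists the embedded entries, and reports the Python version, which is the detail you need when choosing a decompiler for the recovered .pyc files. The cookie and TOC layouts are the ones used by PyInstaller's own archive reader (the 88-byte cookie format introduced in PyInstaller 2.1); the sample archive it parses is constructed inline so the script runs offline. If no cookie is found, the file is either not a PyInstaller bundle or, as on Linux, the archive lives inside a section, which is exactly when the 7-Zip extraction above becomes necessary.

```python
import struct

# Layout of PyInstaller's CArchive trailer ("cookie") and TOC entries, taken from
# PyInstaller's archive reader: 8-byte magic, archive length (including the cookie),
# TOC offset, TOC length, Python version, and the libpython name (64 bytes).
COOKIE_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIII64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes
# TOC entry: entry length, data offset, compressed length, uncompressed length,
# compression flag, type code ('s' script, 'm' module, 'z' PYZ, 'b' binary, ...),
# followed by the NUL-padded entry name.
ENTRY_FORMAT = "!iIIIBB"
ENTRY_SIZE = struct.calcsize(ENTRY_FORMAT)


def decode_pyver(pyver):
    """PyInstaller stored major*10+minor before 4.x and major*100+minor after."""
    if pyver >= 100:
        return pyver // 100, pyver % 100
    return pyver // 10, pyver % 10


def parse_pyinstaller_archive(data):
    """Return a description of the embedded CArchive, or None if no cookie is present."""
    pos = data.rfind(COOKIE_MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FORMAT, data[pos:pos + COOKIE_SIZE])
    # The archive length counts the cookie, so the archive starts pkg_len bytes
    # before the end of the cookie.
    archive_start = pos + COOKIE_SIZE - pkg_len
    if archive_start < 0:
        return None
    toc = data[archive_start + toc_off:archive_start + toc_off + toc_len]
    entries, i = [], 0
    while i + ENTRY_SIZE <= len(toc):
        entry_len, dpos, clen, ulen, cflag, typecode = struct.unpack(
            ENTRY_FORMAT, toc[i:i + ENTRY_SIZE])
        if entry_len < ENTRY_SIZE:
            break  # corrupt TOC; stop rather than loop forever
        name = toc[i + ENTRY_SIZE:i + entry_len].rstrip(b"\x00").decode("utf-8", "replace")
        entries.append({"name": name, "type": chr(typecode), "compressed": bool(cflag),
                        "offset": dpos, "size": ulen})
        i += entry_len
    major, minor = decode_pyver(pyver)
    return {"python": f"{major}.{minor}",
            "pylib": pylib.rstrip(b"\x00").decode("utf-8", "replace"),
            "archive_start": archive_start, "entries": entries}


def build_sample_archive(entries, pyver=309, pylib=b"libpython3.9.so.1.0"):
    """CONSTRUCTED test data: a minimal CArchive (blobs, then TOC, then cookie)."""
    payload, toc = b"", b""
    for name, typecode, blob in entries:
        nm = name.encode() + b"\x00"
        entry_len = ENTRY_SIZE + len(nm)
        pad = (16 - entry_len % 16) % 16  # PyInstaller pads entries to 16 bytes
        nm += b"\x00" * pad
        toc += struct.pack(ENTRY_FORMAT, entry_len + pad, len(payload),
                           len(blob), len(blob), 0, ord(typecode)) + nm
        payload += blob
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FORMAT, COOKIE_MAGIC, pkg_len, len(payload),
                         len(toc), pyver, pylib)
    return payload + toc + cookie


def demo():
    """Constructed 'pydata'-like blob behind some leading bytes, then parsed."""
    archive = build_sample_archive([("main", "s", b"print('hi')"),
                                    ("PYZ-00.pyz", "z", b"PYZ\x00" * 4)])
    return parse_pyinstaller_archive(b"\x7fELF" + b"\x00" * 64 + archive)


if __name__ == "__main__":
    info = demo()
    print(f"Python {info['python']} ({info['pylib']}), archive at +{info['archive_start']}")
    for e in info["entries"]:
        print(f"  [{e['type']}] {e['name']}  {e['size']} bytes at +{e['offset']}")
```

Run it against the pydata file from the 7-Zip step (read the bytes and pass them to parse_pyinstaller_archive) to see what pydecipher is about to decompile and which Python version produced the bytecode.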

--

Continuing with the WastedLocker sample apparently involved in the recent Garmin attack (July 2020), this time we look at some tricks the malware uses to look more like a normal application.

Sample hashes:
MD5: 2cc4534b0dd0e1c8d5b89644274a10c1
SHA-1: 735ee2c15c0b7172f65d39f0fd33b9186ee69653
SHA-256: 905ea119ad8d3e54cd228c458a1b5681abc1f35df782977a23812ec4efa0288a

It does several things to divert attention. It calls empty functions that do nothing:

It also simulates legitimate activity by calling standard Windows APIs, but it does nothing with the results:
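When a sample is padded with do-nothing functions like this, the analyst's job is to tell them apart from the code that matters and stop following calls into them. The script below is an added example, not from the page or from the WastedLocker analysis it describes: it parses an objdump-style disassembly listing, flags functions whose body is nothing but frame setup and a return, and reports where each one is called from. The listing is constructed here for the example (the function and API names in it are invented, not taken from the sample), and the "trivial function" test is a deliberately simple heuristic: any call, jump, arithmetic or memory access other than the standard prologue/epilogue counts as real work.

```python
import re

# CONSTRUCTED objdump-style listing: two decoy functions that do nothing, one
# function doing real work, and a caller that invokes all three. Not real sample code.
SAMPLE_LISTING = """\
0000000000401000 <decoy_a>:
  401000:  55                      push   %rbp
  401001:  48 89 e5                mov    %rsp,%rbp
  401004:  5d                      pop    %rbp
  401005:  c3                      ret
0000000000401010 <decoy_b>:
  401010:  c3                      ret
0000000000401020 <real_work>:
  401020:  48 83 ec 28             sub    $0x28,%rsp
  401024:  e8 d7 0f 00 00          call   402000 <CreateFileA>
  401029:  48 89 c3                mov    %rax,%rbx
  40102c:  48 83 c4 28             add    $0x28,%rsp
  401030:  c3                      ret
0000000000401040 <caller>:
  401040:  e8 bb ff ff ff          call   401000 <decoy_a>
  401045:  e8 c6 ff ff ff          call   401010 <decoy_b>
  40104a:  e8 d1 ff ff ff          call   401020 <real_work>
  40104f:  c3                      ret
"""

FUNC_RE = re.compile(r"^[0-9a-f]+ <([^>]+)>:\s*$")
# address:  hex bytes   mnemonic   operands
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+(?:[0-9a-f]{2}\s)+\s*(\S+)(?:\s+(.*?))?\s*$")
# Mnemonics that can make up a frame prologue/epilogue without doing any work.
PROLOGUE_ONLY = {"push", "pop", "mov", "ret", "nop", "leave", "endbr64"}
FRAME_SETUP = {"%rsp,%rbp", "%esp,%ebp"}


def parse_functions(listing):
    """Map function name -> list of (mnemonic, operands) from an objdump listing."""
    funcs, current = {}, None
    for line in listing.splitlines():
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
            funcs[current] = []
            continue
        m = INSN_RE.match(line)
        if m and current is not None:
            funcs[current].append((m.group(1), m.group(2) or ""))
    return funcs


def is_trivial(insns):
    """True when the function only sets up/tears down a frame and returns."""
    if not insns or insns[-1][0] != "ret":
        return False
    for mnem, ops in insns:
        if mnem not in PROLOGUE_ONLY:
            return False
        if mnem == "mov" and ops not in FRAME_SETUP:
            return False  # a mov that is not the frame setup moves real data
    return True


def find_decoys(listing):
    """Return the trivial functions and, for each, the functions that call it."""
    funcs = parse_functions(listing)
    trivial = {name for name, insns in funcs.items() if is_trivial(insns)}
    callers = {}
    for name, insns in funcs.items():
        for mnem, ops in insns:
            if mnem != "call":
                continue
            m = re.search(r"<([^>]+)>", ops)
            if m and m.group(1) in trivial:
                callers.setdefault(m.group(1), []).append(name)
    return {"trivial": sorted(trivial), "callers": callers}


if __name__ == "__main__":
    report = find_decoys(SAMPLE_LISTING)
    for fn in report["trivial"]:
        print(f"{fn}: does nothing, called from {report['callers'].get(fn, [])}")
```

Feed it the output of objdump -d (or an equivalent export from your disassembler) for the real sample; the call-site list tells you which calls in the interesting functions can be ignored, and a function that is called many times but does nothing is itself a useful marker of padding.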
